diff --git a/charts/incubator/hyperswitch-keymanager/.helmignore b/charts/incubator/hyperswitch-keymanager/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/charts/incubator/hyperswitch-keymanager/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/incubator/hyperswitch-keymanager/Chart.yaml b/charts/incubator/hyperswitch-keymanager/Chart.yaml
new file mode 100644
index 0000000..63604f0
--- /dev/null
+++ b/charts/incubator/hyperswitch-keymanager/Chart.yaml
@@ -0,0 +1,30 @@
+apiVersion: v2
+name: hyperswitch-keymanager
+description: A Helm chart for deploying Hyperswitch Keymanager
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
+
+dependency:
+ - name: postgresql
+ repository: https://charts.bitnami.com/bitnami
+ version: 13.2.27
+ condition: postgresql.enabled
diff --git a/charts/incubator/hyperswitch-keymanager/hyperswitch-keymanager-0.1.0.tgz b/charts/incubator/hyperswitch-keymanager/hyperswitch-keymanager-0.1.0.tgz
new file mode 100644
index 0000000..b1a4738
Binary files /dev/null and b/charts/incubator/hyperswitch-keymanager/hyperswitch-keymanager-0.1.0.tgz differ
diff --git a/charts/incubator/hyperswitch-keymanager/index.yaml b/charts/incubator/hyperswitch-keymanager/index.yaml
new file mode 100644
index 0000000..267bc7b
--- /dev/null
+++ b/charts/incubator/hyperswitch-keymanager/index.yaml
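Review bot: The dependency list is declared under the key `dependency:`, but a v2 Chart.yaml is read from `dependencies:`; with the current spelling the postgresql subchart is never fetched, `condition: postgresql.enabled` is inert, and the bundled-database path that the `keymanager-psql.*` helpers assume (`<release>-keymanager-db`) has nothing to resolve to. Rename the key: `dependencies:`. Once the subchart is actually pulled it is worth confirming that the service name it creates matches the helper's expectation, since values.yaml sets `nameOverride: locker-db` on it.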
@@ -0,0 +1,14 @@
+apiVersion: v1
+entries:
+ hyperswitch-keymanager:
+ - apiVersion: v2
+ appVersion: 1.16.0
+ created: "2024-07-22T18:33:26.987138+05:30"
+ description: A Helm chart for deploying Hyperswitch Keymanager
+ digest: 8a626f63af94b8d8dfdf485f02eedcf5d305056f6dc931a63363ded8509fa942
+ name: hyperswitch-keymanager
+ type: application
+ urls:
+ - https://juspay.github.io/hyperswitch-helm/charts/incubator/hyperswitch-keymanager/hyperswitch-keymanager-0.1.0.tgz
+ version: 0.1.0
+generated: "2024-07-22T18:33:26.986603+05:30"
diff --git a/charts/incubator/hyperswitch-keymanager/templates/NOTES.txt b/charts/incubator/hyperswitch-keymanager/templates/NOTES.txt
new file mode 100644
index 0000000..7d790da
--- /dev/null
+++ b/charts/incubator/hyperswitch-keymanager/templates/NOTES.txt
@@ -0,0 +1 @@
+1. Get the application URL by running these commands:
diff --git a/charts/incubator/hyperswitch-keymanager/templates/_helpers.tpl b/charts/incubator/hyperswitch-keymanager/templates/_helpers.tpl
new file mode 100644
index 0000000..c260366
--- /dev/null
+++ b/charts/incubator/hyperswitch-keymanager/templates/_helpers.tpl
@@ -0,0 +1,127 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "hyperswitch-keymanager.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "hyperswitch-keymanager.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "hyperswitch-keymanager.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "hyperswitch-keymanager.labels" -}}
+helm.sh/chart: {{ include "hyperswitch-keymanager.chart" . }}
+{{ include "hyperswitch-keymanager.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "hyperswitch-keymanager.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "hyperswitch-keymanager.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "hyperswitch-keymanager.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "hyperswitch-keymanager.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/* validation */}}
+{{- define "validate.keymanager-psql.config" -}}
+ {{- if not (or .Values.postgresql.enabled .Values.external.postgresql.enabled) }}
+ {{- fail
+ "Both postgresql.enabled and external.postgresql.enabled cannot be 'false' at the same time. Please, onfigure at least one Redis."
+ }}
+ {{- else if and .Values.postgresql.enabled .Values.external.postgresql.enabled }}
+ {{- fail
+ "Both postgresql.enabled and external.postgresql.enabled cannot be 'true' at the same time. Select only once please"
+ }}
+ {{- end }}
+{{- end }}
+
+
+{{/* Select PostgreSQL host Internal or External */}}
+{{- define "keymanager-psql.host" -}}
+{{- $test_db := include "validate.keymanager-psql.config" . }}
+ {{- if .Values.postgresql.enabled }}
+ {{- printf "%s-keymanager-db" .Release.Name | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+ {{- else -}}
+ {{- printf "%s" .Values.external.postgresql.config.host -}}
+ {{- end -}}
+{{- end -}}
+
+
+{{/* Select PostgreSQL port Internal or External */}}
+{{- define "keymanager-psql.port" -}}
+{{- $test_db := include "validate.keymanager-psql.config" . }}
+ {{- printf "\"5432\"" }}
+{{- end -}}
+
+
+{{/* Select PostgreSQL host Internal or External */}}
+{{- define "keymanager-psql.username" -}}
+{{- $test_db := include "validate.keymanager-psql.config" . }}
+ {{- if .Values.postgresql.enabled }}
+ {{- printf "%s" .Values.postgresql.global.postgresql.auth.username -}}
+ {{- else -}}
+ {{- printf "%s" .Values.external.postgresql.config.username -}}
+ {{- end -}}
+{{- end -}}
+
+
+{{/* Select PostgreSQL host Internal or External */}}
+{{- define "keymanager-psql.name" -}}
+{{- $test_db := include "validate.keymanager-psql.config" . }}
+ {{- if .Values.postgresql.enabled }}
+ {{- printf "%s" .Values.postgresql.global.postgresql.auth.database -}}
+ {{- else if .Values.external.enabled -}}
+ {{- printf "%s" .Values.external.postgresql.config.database -}}
+ {{- end -}}
+{{- end -}}
+
+
+{{/* Select PostgreSQL host Internal or External */}}
+{{- define "keymanager-psql.password" -}}
+{{- $test_db := include "validate.keymanager-psql.config" . }}
+ {{- if .Values.postgresql.enabled }}
+ {{- printf "%s" .Values.postgresql.global.postgresql.auth.password -}}
+ {{- else if .Values.external.enabled -}}
+ {{- printf "%s" .Values.external.postgresql.config.password -}}
+ {{- end -}}
+{{- end -}}
+
diff --git a/charts/incubator/hyperswitch-keymanager/templates/_init.tpl b/charts/incubator/hyperswitch-keymanager/templates/_init.tpl
new file mode 100644
index 0000000..b73d4b8
--- /dev/null
+++ b/charts/incubator/hyperswitch-keymanager/templates/_init.tpl
@@ -0,0 +1,22 @@
+{{/*Ensure postgres database is up and running */}}
+{{- define "keymanager-psql.initContainer.check.ready" -}}
+- name: check-postgres
+ image: {{ .Values.initDB.checkPGisUp.image }}
+ command: [ "/bin/sh", "-c" ]
+ #language=sh
+ args:
+ - >
+ MAX_ATTEMPTS=10
+ SLEEP_SECONDS=10;
+ attempt=0;
+ while ! pg_isready -U {{ include "keymanager-psql.username" . }} -d {{ include "keymanager-psql.name" . }} -h {{ include "keymanager-psql.host" . }} -p {{ include "keymanager-psql.port" . }}; do
+ if [ $attempt -ge $MAX_ATTEMPTS ]; then
+ echo "PostgreSQL did not become ready in time";
+ exit 1;
+ fi;
+ attempt=$((attempt+1));
+ echo "Waiting for PostgreSQL to be ready... Attempt: $attempt";
+ sleep $SLEEP_SECONDS;
+ done;
+ echo "PostgreSQL is ready.";
+{{- end -}}
diff --git a/charts/incubator/hyperswitch-keymanager/templates/configmap.yaml b/charts/incubator/hyperswitch-keymanager/templates/configmap.yaml
new file mode 100644
index 0000000..b0b76b8
--- /dev/null
+++ b/charts/incubator/hyperswitch-keymanager/templates/configmap.yaml
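Review bot: `keymanager-psql.name` and `keymanager-psql.password` branch on `.Values.external.enabled`, while the validator, `keymanager-psql.host` and `keymanager-psql.username` all test `.Values.external.postgresql.enabled`, and values.yaml defines only the latter; with an external database those two helpers therefore fall through both branches and render empty, so the migration job is given an empty `DBNAME` and `POSTGRES_PASSWORD`. Change both to `{{- else if .Values.external.postgresql.enabled -}}`. Separately, `keymanager-psql.port` always emits the literal `"5432"` and ignores `external.postgresql.config.port`, and the first `fail` message reads "Please, onfigure at least one Redis." for what is a PostgreSQL check; suggest `"... Please configure at least one PostgreSQL."`.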
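Review bot: The readiness loop hard-codes `MAX_ATTEMPTS=10` while values.yaml introduces `initDB.checkPGisUp.maxAttempt: 30`, so the configured value is never read; use `MAX_ATTEMPTS={{ .Values.initDB.checkPGisUp.maxAttempt }};`, including the `;` the current line lacks. That missing terminator appears to work only because the `>` folded scalar joins it with `SLEEP_SECONDS=10;` into a single assignment-only command; since every statement in a folded scalar must end in `;` to survive folding, the `|-` style that migration.yaml uses would be the safer choice for this script.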
@@ -0,0 +1,32 @@
+apiVersion: v1
+data:
+ production.toml: |
+ [server]
+ port = 5000
+ host = "0.0.0.0"
+
+ [metrics_server]
+ host = "0.0.0.0"
+ port = 6128
+
+ [pool_config]
+ pool = 2
+
+ [log]
+ log_format = "json"
+ log_level = "debug"
+
+ [database]
+ user = {{ quote .Values.external.postgresql.config.username }}
+ password = {{ quote .Values.external.postgresql.config.password }}
+ host = {{ quote .Values.external.postgresql.config.host }}
+ port = 5432
+ dbname = {{ quote .Values.external.postgresql.config.database }}
+ pool_size = 5
+ min_idle = 2
+
+
+kind: ConfigMap
+metadata:
+ name: keymanager-config-{{ .Release.Name }}
+ namespace: {{ .Release.Namespace }}
diff --git a/charts/incubator/hyperswitch-keymanager/templates/deployment.yaml b/charts/incubator/hyperswitch-keymanager/templates/deployment.yaml
new file mode 100644
index 0000000..0761b3c
--- /dev/null
+++ b/charts/incubator/hyperswitch-keymanager/templates/deployment.yaml
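Review bot: `production.toml` embeds the database password (`password = {{ quote .Values.external.postgresql.config.password }}`) in a ConfigMap, which is readable by anything with ConfigMap read access in the namespace and is not handled as sensitive by tooling, unlike the Secret this chart already creates for the KMS and TLS material; move the credential into `keymanager-secrets-{{ .Release.Name }}` and inject it via `secretKeyRef`, or mount the whole TOML from a Secret. The `[database]` block also reads `.Values.external.postgresql.config.*` unconditionally and hard-codes `port = 5432`, so it disagrees with the `keymanager-psql.*` helpers whenever `postgresql.enabled` is true — the application would get an empty host while the migration job targets `<release>-keymanager-db`; use the same helpers here, e.g. `host = {{ include "keymanager-psql.host" . | quote }}`. `log_level = "debug"` in a file named production.toml is worth a second look, since debug logging of a key-management service may be noisier than intended.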
@@ -0,0 +1,107 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ {{- with (default .Values.global.annotations .Values.server.annotations) }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ name: keymanager-{{ .Release.Name }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ progressDeadlineSeconds: 600
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ app: keymanager
+ version: {{ .Release.Name }}
+ strategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 0
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ app: keymanager
+ version: {{ .Release.Name }}
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: node-type
+ operator: In
+ values:
+ - keymanager-ng
+ containers:
+ - env:
+ - name: CRIPTA__SECRETS__KMS_CONFIG__KEY_ID
+ valueFrom:
+ secretKeyRef:
+ name: keymanager-secrets-{{ .Release.Name }}
+ key: CRIPTA__SECRETS__KMS_CONFIG__KEY_ID
+ - name: CRIPTA__SECRETS__KMS_CONFIG__REGION
+ valueFrom:
+ secretKeyRef:
+ name: keymanager-secrets-{{ .Release.Name }}
+ key: CRIPTA__SECRETS__KMS_CONFIG__REGION
+ - name: CRIPTA__CERTS__TLS_CERT
+ valueFrom:
+ secretKeyRef:
+ name: keymanager-secrets-{{ .Release.Name }}
+ key: CRIPTA__CERTS__TLS_CERT
+ - name: CRIPTA__CERTS__TLS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: keymanager-secrets-{{ .Release.Name }}
+ key: CRIPTA__CERTS__TLS_KEY
+ - name: CRIPTA__CERTS__ROOT_CA
+ valueFrom:
+ secretKeyRef:
+ name: keymanager-secrets-{{ .Release.Name }}
+ key: CRIPTA__CERTS__ROOT_CA
+ image: {{ .Values.server.image }}
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /bin/bash
+ - -c
+ - pkill -15 node
+ name: keymanager
+ ports:
+ - containerPort: 5000
+ name: http
+ protocol: TCP
+ resources:
+ requests:
+ cpu: 400m
+ memory: 400Mi
+ securityContext:
+ privileged: false
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /local/config/production.toml
+ name: keymanager-config
+ subPath: production.toml
+ dnsConfig:
+ options:
+ - name: ndots
+ value: "1"
+ - name: single-request-reopen
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ securityContext: {}
+ serviceAccount: keymanager-role
+ serviceAccountName: keymanager-role
+ terminationGracePeriodSeconds: 90
+ volumes:
+ - configMap:
+ defaultMode: 420
+ name: keymanager-config-{{ .Release.Name }}
+ name: keymanager-config
diff --git a/charts/incubator/hyperswitch-keymanager/templates/hpa.yaml b/charts/incubator/hyperswitch-keymanager/templates/hpa.yaml
new file mode 100644
index 0000000..407f92b
--- /dev/null
+++ b/charts/incubator/hyperswitch-keymanager/templates/hpa.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "hyperswitch-keymanager.fullname" . }}
+ labels:
+ {{- include "hyperswitch-keymanager.labels" . | nindent 4 }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "hyperswitch-keymanager.fullname" . }}
+ minReplicas: {{ .Values.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+ metrics:
+ {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+ {{- end }}
+ {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ {{- end }}
+{{- end }}
diff --git a/charts/incubator/hyperswitch-keymanager/templates/migration.yaml b/charts/incubator/hyperswitch-keymanager/templates/migration.yaml
new file mode 100644
index 0000000..e8a68d4
--- /dev/null
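Review bot: The container `securityContext` sets only `privileged: false`, which is already the Kubernetes default; for a process that holds TLS private keys and KMS credentials the usual hardening baseline is missing — `allowPrivilegeEscalation: false`, `runAsNonRoot: true`, `readOnlyRootFilesystem: true` and `capabilities.drop: [ALL]` — and the pod-level `securityContext: {}` sets no `seccompProfile`. Whether the image runs as non-root and tolerates a read-only root filesystem cannot be confirmed from this chart, so verify that against the image before enabling those two. Separately, `replicas: 1` ignores the `replicaCount` value declared in values.yaml, and the `preStop` hook runs `pkill -15 node`, which presumably does not match the process name in `hyperswitch-encryption-service` — confirm the binary name or drop the hook and rely on the normal SIGTERM delivery.
```yaml
        # … unchanged: env, image, imagePullPolicy, lifecycle, name, ports, resources …
        securityContext:
          privileged: false
          allowPrivilegeEscalation: false
          runAsNonRoot: true            # verify the image runs as a non-root user
          readOnlyRootFilesystem: true  # verify the app needs no writable root paths
          capabilities:
            drop:
              - ALL
        # … unchanged: terminationMessagePath … volumeMounts …
      # … unchanged: dnsConfig … schedulerName …
      securityContext:
        seccompProfile:
          type: RuntimeDefault
```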
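Review bot: `scaleTargetRef.name` uses `{{ include "hyperswitch-keymanager.fullname" . }}`, but the Deployment in deployment.yaml is named `keymanager-{{ .Release.Name }}`, so an enabled HPA would point at a target that does not exist; use `name: keymanager-{{ .Release.Name }}` (or rename the Deployment to the helper and keep both in step). values.yaml also defines only `autoscaling.enabled`, so `minReplicas` and `maxReplicas` render as empty values as soon as autoscaling is switched on; add defaults in values.yaml or guard them with `required`.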
+++ b/charts/incubator/hyperswitch-keymanager/templates/migration.yaml
@@ -0,0 +1,51 @@
+{{- if .Values.initDB.enable }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: create-keymanager-db
+ labels:
+ app: create-keymanager-db
+ annotations:
+ "helm.sh/hook": post-install,post-upgrade
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ initContainers:
+ {{- include "keymanager-psql.initContainer.check.ready" . | nindent 8 }}
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: node-type
+ operator: In
+ values:
+ - keymanager-ng
+ containers:
+ - name: run-keymanager-db-migration
+ image: {{ .Values.initDB.migration.image }}
+ command: [ '/bin/sh', '-c' ]
+ #language=sh
+ args:
+ - |-
+ apt update
+ apt install -y git
+ git clone --single-branch --branch main https://github.com/juspay/hyperswitch-encryption-service.git
+ cd hyperswitch-encryption-service
+ diesel migration --database-url postgres://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST:5432/$DBNAME run
+ echo "Completed hyperswitch database migration"
+ env:
+ - name: POSTGRES_HOST
+ value: {{ include "keymanager-psql.host" . }}
+ - name: DBNAME
+ value: {{ include "keymanager-psql.name" . }}
+ - name: POSTGRES_USER
+ value: {{ include "keymanager-psql.username" . }}
+ - name: POSTGRES_PASSWORD
+ value: {{ include "keymanager-psql.password" . }}
+{{- end }}
+
+
diff --git a/charts/incubator/hyperswitch-keymanager/templates/secrets.yaml b/charts/incubator/hyperswitch-keymanager/templates/secrets.yaml
new file mode 100644
index 0000000..ea11007
--- /dev/null
+++ b/charts/incubator/hyperswitch-keymanager/templates/secrets.yaml
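Review bot: The migration container clones the `main` branch of `hyperswitch-encryption-service` at hook time and applies whatever migrations it finds there, so the schema reaching the database is whatever the branch head happens to be — not tied to `server.image`, not reproducible between installs, and dependent on outbound GitHub access from the job pod; pin the checkout to the tag that matches the deployed image (`--branch "<release-tag>"`, a placeholder until the chart exposes it as a value) and pin `initDB.migration.image` away from `:latest`. The database password is also placed in two places it should not be: as a plaintext literal in the Job's `env` (`value: {{ include "keymanager-psql.password" . }}`) and inside the `--database-url` argument, which exposes it on the process command line; source `POSTGRES_PASSWORD` from a Secret via `secretKeyRef` and let diesel read `DATABASE_URL` from the environment instead of an argument. The URL additionally hard-codes `5432` rather than using `keymanager-psql.port`.
```yaml
          args:
            - |-
              # … unchanged: apt update / apt install -y git …
              git clone --single-branch --branch "<release-tag>" https://github.com/juspay/hyperswitch-encryption-service.git
              cd hyperswitch-encryption-service
              export DATABASE_URL="postgres://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST:$POSTGRES_PORT/$DBNAME"
              diesel migration run
              echo "Completed hyperswitch database migration"
          env:
            # … unchanged: POSTGRES_HOST, DBNAME, POSTGRES_USER …
            - name: POSTGRES_PORT
              value: {{ include "keymanager-psql.port" . }}
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: <db-credentials-secret>  # placeholder: Secret that holds the DB password
                  key: <db-password-key>         # placeholder
```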
@@ -0,0 +1,12 @@
+apiVersion: v1
+data:
+ CRIPTA__SECRETS__KMS_CONFIG__KEY_ID: {{ .Values.server.secrets.key_id | b64enc }}
+ CRIPTA__SECRETS__KMS_CONFIG__REGION: {{ .Values.server.secrets.region | b64enc }}
+ CRIPTA__CERTS__TLS_CERT: {{ .Values.server.secrets.tls_cert | b64enc }}
+ CRIPTA__CERTS__ROOT_CA: {{ .Values.server.secrets.ca_cert | b64enc }}
+ CRIPTA__CERTS__TLS_KEY: {{ .Values.server.secrets.tls_key | b64enc }}
+kind: Secret
+metadata:
+ name: keymanager-secrets-{{ .Release.Name }}
+ namespace: {{ .Release.Namespace }}
+type: Opaque
diff --git a/charts/incubator/hyperswitch-keymanager/templates/service.yaml b/charts/incubator/hyperswitch-keymanager/templates/service.yaml
new file mode 100644
index 0000000..92e5342
--- /dev/null
+++ b/charts/incubator/hyperswitch-keymanager/templates/service.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: keymanager
+ name: keymanager
+ namespace: {{ .Release.Namespace }}
+spec:
+ internalTrafficPolicy: Cluster
+ ipFamilies:
+ - IPv4
+ ipFamilyPolicy: SingleStack
+ ports:
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: http
+ selector:
+ app: keymanager
+ sessionAffinity: None
+ type: ClusterIP
diff --git a/charts/incubator/hyperswitch-keymanager/templates/serviceaccount.yaml b/charts/incubator/hyperswitch-keymanager/templates/serviceaccount.yaml
new file mode 100644
index 0000000..710168e
--- /dev/null
+++ b/charts/incubator/hyperswitch-keymanager/templates/serviceaccount.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations:
+ eks.amazonaws.com/role-arn: {{ .Values.server.secrets.iam_role }}
+ name: keymanager-role
+ namespace: {{ .Release.Namespace }}
diff --git a/charts/incubator/hyperswitch-keymanager/values.yaml b/charts/incubator/hyperswitch-keymanager/values.yaml
new file mode 100644
index 0000000..c4fbf7b
--- /dev/null
+++ b/charts/incubator/hyperswitch-keymanager/values.yaml
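Review bot: Every `data` entry pipes its value straight into `b64enc`, and values.yaml ships placeholders (`sample_key_id`, `sample_cert`) for all five, so a plain `helm install` silently produces a Secret carrying dummy TLS key, certificate and CA material instead of failing early; wrap each in `required`, e.g. `CRIPTA__CERTS__TLS_KEY: {{ required "server.secrets.tls_key is required" .Values.server.secrets.tls_key | b64enc }}`, and drop the sample defaults. Because the TLS private key and CA are expected to arrive through values, consider also accepting an existing Secret name so that material never has to pass through a values file that may end up committed.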
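Review bot: The Service selector `app: keymanager` omits the `version: {{ .Release.Name }}` label that the Deployment's selector includes, and the Service name `keymanager` is not release-scoped, so two releases in one namespace would share a single Service and spread traffic across both; add `version: {{ .Release.Name }}` to the selector and name the Service `keymanager-{{ .Release.Name }}` like the other objects. The port is named `https` on 443 but targets the container port named `http` on 5000, which leaves the TLS termination point unclear given the certificates mounted into the pod — confirm whether the container itself serves TLS and name both ports consistently.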
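Review bot: `eks.amazonaws.com/role-arn` is rendered from `server.secrets.iam_role`, whose default in values.yaml is the placeholder `iam_role`; the annotation will be accepted as-is but presumably no usable role can be assumed, so fail fast and quote the value: `eks.amazonaws.com/role-arn: {{ required "server.secrets.iam_role is required" .Values.server.secrets.iam_role | quote }}`. The ServiceAccount name `keymanager-role` is hard-coded rather than release-scoped, which matches the Deployment's `serviceAccountName` but collides across releases in one namespace.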
@@ -0,0 +1,60 @@
+# Default values for hyperswitch-keymanager.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+global:
+ image: juspaydotin/hyperswitch-encryption-service:v0.1.3
+ annotations: {}
+
+autoscaling:
+ enabled: false
+
+server:
+ image: juspaydotin/hyperswitch-encryption-service:v0.1.3
+ secrets:
+ key_id: sample_key_id
+ iam_role: iam_role
+ region: us-east-1
+ ca_cert: sample_cert
+ tls_key: sample_cert
+ tls_cert: sample_cert
+ annotations: {}
+
+# Values for database (postgresql).
+postgresql:
+ enabled: false
+ nameOverride: locker-db
+ global:
+ postgresql:
+ auth:
+ username: db_user
+ password: V2tkS1ptTkhSbnBqZDI4OUNnPT0K
+ database: locker-db
+ architecture: standalone
+ primary:
+ name: ""
+ resources:
+ requests:
+ cpu: 100m
+
+external:
+ postgresql:
+ enabled: false
+ config:
+ host: #
+ port: #
+ username: #
+ password: #
+ database: #
+
+# Values for the database migration job
+initDB:
+ # Should we run the migrations on the database
+ enable: true
+ checkPGisUp:
+ image: postgres:16-alpine3.19
+ maxAttempt: 30
+ migration:
+ image: christophwurst/diesel-cli:latest
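Review bot: With these defaults `postgresql.enabled` and `external.postgresql.enabled` are both `false` while `initDB.enable` is `true`, so the migration job's helpers invoke `validate.keymanager-psql.config` and a default `helm install` fails with the "cannot be 'false' at the same time" message; either enable one path by default or document that exactly one must be set. The bundled-PostgreSQL section also carries a committed default credential (`password: V2tkS1ptTkhSbnBqZDI4OUNnPT0K`) and `locker-db` names that look copied from another chart and do not match the `<release>-keymanager-db` host the helper expects — leave the password empty and have the template `required` it, and align the names. `checkPGisUp.maxAttempt` is declared but never read by `_init.tpl`, and the `external.postgresql.config` entries are bare `key: #` (null), which `quote` in configmap.yaml presumably renders as empty strings — if that is intended, `""` makes it explicit and avoids the null trap.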