11.0.0.9-r3 update

Author: IBMRob

Jenkinsfile

@@ -0,0 +1,123 @@
+pipeline {
+    agent any
+        environment {
+            BUILD_TIMESTAMP = sh(script: ' date +"%Y%m%d-%H%M%S"', , returnStdout: true).trim()
+        }
+        options {
+            timestamps ()
+        }
+    stages {
+        stage('amd64 image build') {
+            when {
+                expression { params.BUILD_PLATFORM == 'amd64-only' || params.BUILD_PLATFORM == 'both' }
+            }
+            agent { label 'cf_slave' }
+            steps {
+                echo BRANCH_TO_BUILD
+                deleteDir()
+                checkout scm
+                dir('ot4i-ace-docker') {
+                    git credentialsId: 'ffbld01_git_key', poll: false, url: '[email protected]:Cloud-Integration/ot4i-ace-docker.git', branch: "${params.BRANCH_TO_BUILD}"
+                }
+                dir('hip-pipeline-common') {
+                    git credentialsId: 'ffbld01_git_key', poll: false, url: '[email protected]:Cloud-Integration/hip-pipeline-common.git', branch: 'master'
+                }
+                dir('firefly-software-build-scripts') {
+                    git credentialsId: 'ffbld01_git_key', poll: false, url: '[email protected]:Cloud-Integration/firefly-software-build-scripts.git', branch: "${params.FIREFLY_SOFTWARE_BUILD_SCRIPTS_BRANCH}"
+                }
+                withCredentials([usernamePassword(credentialsId: 'cf78bbfd-e303-4969-8cfd-cd57c3902f12', passwordVariable: 'ARTIFACTORY_PASS', usernameVariable: 'ARTIFACTORY_USER'), usernamePassword(credentialsId: '37361c4d-f3f7-4bf4-97a0-48463a5d2091', passwordVariable: 'GITHUB_API_TOKEN', usernameVariable: 'GITHUB_API_USER'), usernamePassword(credentialsId: 'cf78bbfd-e303-4969-8cfd-cd57c3902f12', passwordVariable: 'NPM_PASS', usernameVariable: 'NPM_USER'), string(credentialsId: 'APPCONNECT_NPM_AUTH', variable: 'NPM_AUTH')]) {
+                  sh '''
+                    bash -c "
+                    pwd
+                    ls -l
+                    ls -l ${WORKSPACE}/jenkins-build-scripts
+                    ${WORKSPACE}/jenkins-build-scripts/jenkins-build-script.sh
+                    "
+                  '''
+                }
+            }
+        }
+        stage('s390x image build') {
+            when {
+                expression { params.BUILD_PLATFORM == 's390x-only' || params.BUILD_PLATFORM == 'both' }
+            }
+            agent { label 'zlinux-ACEcc' }
+            steps {
+                echo BRANCH_TO_BUILD
+                deleteDir()
+                checkout scm
+                dir('ot4i-ace-docker') {
+                    git credentialsId: 'ffbld01_git_key', poll: false, url: '[email protected]:Cloud-Integration/ot4i-ace-docker.git', branch: "${params.BRANCH_TO_BUILD}"
+                }
+                dir('hip-pipeline-common') {
+                    git credentialsId: 'ffbld01_git_key', poll: false, url: '[email protected]:Cloud-Integration/hip-pipeline-common.git', branch: 'master'
+                }
+                dir('firefly-software-build-scripts') {
+                    git credentialsId: 'ffbld01_git_key', poll: false, url: '[email protected]:Cloud-Integration/firefly-software-build-scripts.git', branch: "${params.FIREFLY_SOFTWARE_BUILD_SCRIPTS_BRANCH}"
+                }
+                withCredentials([usernamePassword(credentialsId: 'cf78bbfd-e303-4969-8cfd-cd57c3902f12', passwordVariable: 'ARTIFACTORY_PASS', usernameVariable: 'ARTIFACTORY_USER'), usernamePassword(credentialsId: '37361c4d-f3f7-4bf4-97a0-48463a5d2091', passwordVariable: 'GITHUB_API_TOKEN', usernameVariable: 'GITHUB_API_USER'), usernamePassword(credentialsId: 'cf78bbfd-e303-4969-8cfd-cd57c3902f12', passwordVariable: 'NPM_PASS', usernameVariable: 'NPM_USER'), string(credentialsId: 'APPCONNECT_NPM_AUTH', variable: 'NPM_AUTH')]) {
+                  sh '''
+                    bash -c "
+                    pwd
+                    ls -l
+                    ls -l ${WORKSPACE}/jenkins-build-scripts
+                    ${WORKSPACE}/jenkins-build-scripts/jenkins-build-script.sh
+                    "
+                  '''
+                }
+            }
+        }
+        stage('Create Docker Manifests') {
+            agent { label 'cf_slave' }
+            steps {
+                echo BRANCH_TO_BUILD
+                deleteDir()
+                checkout scm
+                withCredentials([usernamePassword(credentialsId: 'cf78bbfd-e303-4969-8cfd-cd57c3902f12', passwordVariable: 'ARTIFACTORY_PASS', usernameVariable: 'ARTIFACTORY_USER')]) {
+                    sh '''
+                        # the docker manifest command is an experimental feature
+                        # so need to enable the docker client side experimental feature
+                        mkdir /home/jenkins/.docker
+                        echo '
+                        {
+                            "experimental": "enabled"
+                        }
+                        ' > /home/jenkins/.docker/config.json
+                        bash -c "
+                        pwd
+                        ls -la
+                        ${WORKSPACE}/jenkins-build-scripts/create-docker-manifests.sh
+                        "
+                    '''
+                }
+            }
+        }
+        stage ('Trigger Image Promotion Build') {
+            steps {
+                script {
+                        echo "Triggering image promotion build "
+                        def ImageName = "ace-server"
+                        def tag = "${TAG_VERSION}-${BUILD_TIMESTAMP}"
+                        def updateJSON = "false"
+                        if (env.BRANCH_TO_BUILD == 'master') {
+                            echo "Master branch so updating JSON doc"
+                            updateJSON = "true"
+                        }
+                        build job: 'ibm-appconnect-operator-test-images', wait: true, parameters: [
+                            [$class: 'StringParameterValue', name: "IMAGE_NAME", value: ImageName],
+                            [$class: 'StringParameterValue', name: "UPDATE_GOOD_IMAGES_JSON", value: updateJSON],
+                            [$class: 'StringParameterValue', name: 'IMAGE_TAG', value: tag]
+                        ]
+                }
+            }
+        }
+    }
+    post {
+        fixed {
+            slackSend channel: '#appcon-monza-feed', message: '*' + JOB_NAME + '*\n Successfully built branch - ' + BRANCH_TO_BUILD + '\nSee - ' + BUILD_URL, color: 'good'
+        }
+        failure {
+            slackSend channel: '#appcon-monza-feed', message: '*' + JOB_NAME + '*:\n Failed to build branch - ' + BRANCH_TO_BUILD + '\nSee - ' + BUILD_URL, color: '#AA0114'
+        }
+    }
+}

README.md

@@ -81,26 +81,7 @@ In order to use the image, it is necessary to accept the terms of the IBM App Co
 
 ### Red Hat OpenShift SecurityContextConstraints Requirements
 
-This chart requires a SecurityContextConstraints to be bound to the target namespace prior to installation. To meet this requirement there may be cluster scoped as well as namespace scoped pre and post actions that need to occur.
-
-
-#### Running an ACE Only Integration Server
-
-The predefined SecurityContextConstraints name: [`ibm-anyuid-scc`](https://ibm.biz/cpkspec-scc) has been verified for this chart when creating an ACE & MQ integration server, if your target namespace is bound to this SecurityContextConstraints resource you can proceed to install the chart.
-
-Run the following command to add the service account of the Integration server to the anyuid scc - `oc adm policy add-scc-to-user ibm-anyuid-scc system:serviceaccount:<namespace>:<releaseName>-ibm-ace-server-prod-serviceaccount` i.e.
-``` 
-oc adm policy add-scc-to-user ibm-anyuid-scc system:serviceaccount:default:ace-nomq-ibm-ace-server-rhel-prod-serviceaccount
-```
-
-#### Running an ACE & MQ Integration Server
-
-The predefined SecurityContextConstraints name: [`ibm-anyuid-scc`](https://ibm.biz/cpkspec-scc) has been verified for this chart when creating an ACE & MQ integration server, if your target namespace is bound to this SecurityContextConstraints resource you can proceed to install the chart.
-
-Run the following command to add the service account of the Integration server to the anyuid scc. - `oc adm policy add-scc-to-user ibm-anyuid-scc system:serviceaccount:<namespace>:<releaseName>-ibm-ace-server-mq-prod-serviceaccount` i.e.
-```
-oc adm policy add-scc-to-user ibm-anyuid-scc system:serviceaccount:ace:ace-mq-ibm-ace-server-mq-prod-serviceaccount
-```
+The predefined SecurityContextConstraint (SCC) `restricted` has been verified with the image when being run in a Red Hat OpenShift environment.
 
 ### ACE & MQ image
 
@@ -145,7 +126,7 @@ In the `sample` folder there is an example on how to build a server image with a
 
 - **ACE_ADMIN_SERVER_SECURITY** - Set to `true` if you intend to secure your Integration Server using SSL.
 - **ACE_ADMIN_SERVER_NAME** - Set this to the DNS name of your Integration Server for SSL SAN checking.
-- **ACE_ADMIN_SERVER_CA** - Set this to your Integration Server SSL CA certificate.
+- **ACE_ADMIN_SERVER_CA** - Set this to your Integration Server SSL CA certificates folder.
 - **ACE_ADMIN_SERVER_CERT** - Set this to your Integration Server SSL certificate.
 - **ACE_ADMIN_SERVER_KEY** - Set this to your Integration Server SSL key certificate.
 

cmd/runaceserver/integrationserver.go

@@ -129,6 +129,15 @@ func initialIntegrationServerConfig() error {
 		}
 	}
 
+	enableAdminssl := os.Getenv("ACE_ADMIN_SERVER_SECURITY")
+	if enableAdminssl == "true" || enableAdminssl == "1" {
+		enableAdminsslError := enableAdminsslInServerConf()
+		if enableAdminsslError != nil {
+			log.Errorf("Error enabling admin server security in server.conf.yaml: %v", enableAdminsslError)
+			return enableAdminsslError
+		}
+	}
+
 	log.Printf("Initial configuration of integration server complete")
 
 	log.Println("Discovering override ports")
@@ -203,6 +212,37 @@ func enableOpenTracingInServerConf() error {
 	return nil
 }
 
+// enableAdminsslInServerConf adds RestAdminListener configuration fields to the server.conf.yaml in overrides
+// based on the env vars ACE_ADMIN_SERVER_KEY, ACE_ADMIN_SERVER_CERT, ACE_ADMIN_SERVER_CA
+// If the file does not exist already it gets created.
+func enableAdminsslInServerConf() error {
+
+	log.Println("Enabling Admin Server Security in server.conf.yaml")
+
+	serverconfContent, readError := readServerConfFile()
+	if readError != nil {
+		if !os.IsNotExist(readError) {
+			// Error is different from file not existing (if the file does not exist we will create it ourselves)
+			log.Errorf("Error reading server.conf.yaml: %v", readError)
+			return readError
+		}
+	}
+
+	serverconfYaml, manipulationError := addAdminsslToServerConf(serverconfContent)
+	if manipulationError != nil {
+		return manipulationError
+	}
+
+	writeError := writeServerConfFile(serverconfYaml)
+	if writeError != nil {
+		return writeError
+	}
+
+	log.Println("Admin Server Security enabled in server.conf.yaml")
+
+	return nil
+}
+
 // readServerConfFile returns the content of the server.conf.yaml file in the overrides folder
 func readServerConfFile() ([]byte, error) {
 	content, err := ioutil.ReadFile("/home/aceuser/ace-server/overrides/server.conf.yaml")
@@ -305,6 +345,70 @@ func addOpenTracingToServerConf(serverconfContent []byte) ([]byte, error) {
 	return serverconfYaml, nil
 }
 
+// addAdminsslToServerConf gets the content of the server.conf.yaml and adds the Admin Server Security fields to it
+// It returns the updated server.conf.yaml content
+func addAdminsslToServerConf(serverconfContent []byte) ([]byte, error) {
+	serverconfMap := make(map[interface{}]interface{})
+	unmarshallError := yaml.Unmarshal([]byte(serverconfContent), &serverconfMap)
+	if unmarshallError != nil {
+		log.Errorf("Error unmarshalling server.conf.yaml: %v", unmarshallError)
+		return nil, unmarshallError
+	}
+
+	// Get the keys, certs location and default if not found
+	cert := os.Getenv("ACE_ADMIN_SERVER_CERT")
+	if cert == "" {
+		cert = "/home/aceuser/adminssl/tls.crt.pem"
+	}
+
+	key := os.Getenv("ACE_ADMIN_SERVER_KEY")
+	if key == "" {
+		key = "/home/aceuser/adminssl/tls.key.pem"
+	}
+
+	cacert := os.Getenv("ACE_ADMIN_SERVER_CA")
+	if cacert == "" {
+		cacert = "/home/aceuser/adminssl"
+	}
+
+	isTrue := true
+	// Only update if there is not an existing entry in the override server.conf.yaml
+	// so we don't overwrite any customer provided configuration
+	if serverconfMap["RestAdminListener"] == nil {
+		serverconfMap["RestAdminListener"] = map[string]interface{}{
+			"sslCertificate" : cert,
+			"sslPassword" : key,
+			"requireClientCert" : isTrue,
+			"caPath" : cacert,
+		}
+		log.Printf("Admin Server Security updating RestAdminListener using ACE_ADMIN_SERVER environment variables")
+	} else {
+		restAdminListener := serverconfMap["RestAdminListener"].(map[interface{}]interface{})
+
+    	if restAdminListener["sslCertificate"] == nil {
+    		restAdminListener["sslCertificate"] =  cert
+    	}
+    	if restAdminListener["sslPassword"] == nil {
+    		restAdminListener["sslPassword"] =  key
+    	}
+    	if restAdminListener["requireClientCert"] == nil {
+    		restAdminListener["requireClientCert"] = isTrue
+    	}
+    	if restAdminListener["caPath"] == nil {
+    		restAdminListener["caPath"] = cacert
+    	}
+		log.Printf("Admin Server Security merging RestAdminListener using ACE_ADMIN_SERVER environment variables")
+	}
+
+	serverconfYaml, marshallError := yaml.Marshal(&serverconfMap)
+	if marshallError != nil {
+		log.Errorf("Error marshalling server.conf.yaml: %v", marshallError)
+		return nil, marshallError
+	}
+
+	return serverconfYaml, nil
+}
+
 // getConfigurationFromContentServer checks if ACE_CONTENT_SERVER_URL exists.  If so then it pulls
 // a bar file from that URL
 func getConfigurationFromContentServer() error {

cmd/runaceserver/integrationserver_internal_test.go

@@ -122,3 +122,88 @@ func TestCheckLogs(t *testing.T) {
 		t.Error(err)
 	}
 }
+
+
+var yamlAdminTests = []struct {
+	in  string
+	out string
+}{
+	{ // User's yaml does not have a ResourceAdminListener section, so it is added
+`Defaults:
+ defaultApplication: ''
+ policyProject: 'DefaultPolicies'
+ Policies:
+  HTTPSConnector: 'HTTPS'`,
+`Defaults:
+  Policies:
+    HTTPSConnector: HTTPS
+  defaultApplication: ""
+  policyProject: DefaultPolicies
+RestAdminListener:
+  caPath: /home/aceuser/adminssl
+  requireClientCert: true
+  sslCertificate: /home/aceuser/adminssl/tls.crt.pem
+  sslPassword: /home/aceuser/adminssl/tls.key.pem
+`},
+	{ // User's yaml has RestAdminListener in don't alter.
+`Defaults:
+ defaultApplication: ''
+ policyProject: 'DefaultPolicies'
+ Policies:
+  HTTPSConnector: 'HTTPS'
+RestAdminListener:
+  caPath: "test"
+  requireClientCert: false
+  sslCertificate: "test"
+  sslPassword: "test"`,
+`Defaults:
+  Policies:
+    HTTPSConnector: HTTPS
+  defaultApplication: ""
+  policyProject: DefaultPolicies
+RestAdminListener:
+  caPath: test
+  requireClientCert: false
+  sslCertificate: test
+  sslPassword: test
+`},
+	{ // User's yaml has a ResourceAdminListener section, so ours is merged with users taking precedence
+`Defaults:
+ defaultApplication: ''
+ policyProject: 'DefaultPolicies'
+ Policies:
+  HTTPSConnector: 'HTTPS'
+RestAdminListener:
+  authorizationEnabled: true
+  requireClientCert: false
+  authorizationMode: file
+  sslPassword: "test"
+`,
+`Defaults:
+  Policies:
+    HTTPSConnector: HTTPS
+  defaultApplication: ""
+  policyProject: DefaultPolicies
+RestAdminListener:
+  authorizationEnabled: true
+  authorizationMode: file
+  caPath: /home/aceuser/adminssl
+  requireClientCert: false
+  sslCertificate: /home/aceuser/adminssl/tls.crt.pem
+  sslPassword: test
+`},
+}
+
+
+func TestAddAdminsslToServerConf(t *testing.T) {
+	for _, table := range yamlAdminTests {
+		out, err := addAdminsslToServerConf([]byte(table.in))
+		if err != nil {
+			t.Error(err)
+		}
+		stringOut := string(out)
+		if stringOut != table.out {
+			t.Errorf("addAdminsslToServerConf expected \n%v, got \n%v", table.out, stringOut)
+		}
+	}
+}