diff --git a/instance-applications/130-ibm-mas-suite/templates/07-postsync-set_welcome_messsage_Job.yaml b/instance-applications/130-ibm-mas-suite/templates/07-postsync-set_welcome_messsage_Job.yaml
new file mode 100644
index 000000000..ff3868c65
--- /dev/null
+++ b/instance-applications/130-ibm-mas-suite/templates/07-postsync-set_welcome_messsage_Job.yaml
@@ -0,0 +1,313 @@
+{{- if .Values.welcome_message }}
+
+{{- /*
+Meaningful prefix for the job resource name. Must be under 52 chars in length to leave room for the 11 chars reserved for '-' and $_job_hash.
+*/}}
+{{- $_job_name_prefix := "set-welcome-message" }}
+
+{{- /*
+Use the build/bin/set-cli-image-digest.sh script to update this value across all charts.
+Included in $_job_hash (see below).
+*/}}
+{{- $_cli_image_digest := "sha256:1b88f88a1a719d006ea1f4b8dcfd1c2625fa7ecc529c3267e7b4b6afaa1c8da0" }}
+
+{{- /*
+A dict of values that influence the behaviour of the job in some way.
+Any changes to values in this dict will trigger a rerun of the job.
+Since jobs must be idemopotent, it's generally safe to pass in values here that are not
+strictly necessary (i.e. including some values that don't actually influence job behaviour).
+We may want to refine this further though for jobs that can take a long time to complete.
+Included in $_job_hash (see below).
+*/}}
+{{- $_job_config_values := omit .Values "junitreporter" }}
+
+{{- /*
+Increment this value whenever you make a change to an immutable field of the Job resource.
+E.g. passing in a new environment variable.
+Included in $_job_hash (see below).
+*/}}
+{{- $_job_version := "v3" }}
+
+{{- /*
+10 char hash appended to the job name taking into account $_job_config_values, $_job_version and $_cli_image_digest
+This is to ensure ArgoCD will create a new job resource intead of attempting (and failing) to update an
+immutable field of any existing Job resource.
+*/}}
+{{- $_job_hash := print ($_job_config_values | toYaml) $_cli_image_digest $_job_version | adler32sum }}
+
+{{- $_job_name := join "-" (list $_job_name_prefix $_job_hash )}}
+
+{{- /*
+Set as the value for the mas.ibm.com/job-cleanup-group label on the Job resource.
+
+When the auto_delete flag is not set on the root application, a CronJob in the cluster uses this label
+to identify old Job resources that should be pruned on behalf of ArgoCD.
+
+Any Job resources in the same namespace that have the mas.ibm.com/job-cleanup-group with this value
+will be considered to belong to the same cleanup group. All but the most recent (i.e. with the latest "creation_timestamp")
+Jobs will be automatically deleted.
+
+$_job_cleanup_group can usually just be based on $_job_name_prefix. There are some special cases
+where multiple Jobs are created in our templates using a Helm loop. In those cases, additional descriminators
+must be added to $_job_cleanup_group.
+
+By convention, we sha1sum this value to guarantee we never exceed the 63 char limit regardless of which discriminators
+are required here.
+
+*/}}
+{{- $_job_cleanup_group := cat $_job_name_prefix | sha1sum }}
+
+{{ $ns := printf "mas-%s-core" .Values.instance_id }}
+{{ $np_name := printf "%s-np" $_job_name_prefix }}
+{{ $role_name := printf "%s-r" $_job_name_prefix }}
+{{ $sa_name := printf "%s-sa" $_job_name_prefix }}
+{{ $rb_name := printf "%s-rb-core" $_job_name_prefix }}
+{{ $job_label := printf "%s-l" $_job_name_prefix }}
+
+{{ $cm_name := printf "%s-state" $_job_name_prefix}}
+{{ $internalapi_tls_secret_name := printf "%s-internalapi-cert-internal" .Values.instance_id}}
+
+
+---
+# Permit outbound communication by the Job pods
+# (Needed to communicate internalapi)
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: {{ $np_name }}
+ namespace: {{ $ns }}
+ annotations:
+ argocd.argoproj.io/sync-wave: "144"
+{{- if .Values.custom_labels }}
+ labels:
+{{ .Values.custom_labels | toYaml | indent 4 }}
+{{- end }}
+spec:
+ podSelector:
+ matchLabels:
+ app: {{ $job_label }}
+ egress:
+ - {}
+ policyTypes:
+ - Egress
+
+
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: {{ $sa_name }}
+ namespace: {{ $ns }}
+ annotations:
+ argocd.argoproj.io/sync-wave: "144"
+{{- if .Values.custom_labels }}
+ labels:
+{{ .Values.custom_labels | toYaml | indent 4 }}
+{{- end }}
+
+
+
+---
+# Job needs to be able to create and read a configmap to hold state about its
+# execution status
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ $role_name }}
+ namespace: {{ $ns }}
+ annotations:
+ argocd.argoproj.io/sync-wave: "144"
+{{- if .Values.custom_labels }}
+ labels:
+{{ .Values.custom_labels | toYaml | indent 4 }}
+{{- end }}
+rules:
+ - verbs:
+ - get
+ - create
+ - patch
+ apiGroups:
+ - ""
+ resources:
+ - configmaps
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $rb_name }}
+ namespace: {{ $ns }}
+ annotations:
+ argocd.argoproj.io/sync-wave: "145"
+{{- if .Values.custom_labels }}
+ labels:
+{{ .Values.custom_labels | toYaml | indent 4 }}
+{{- end }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $sa_name }}
+ namespace: {{ $ns }}
+roleRef:
+ kind: Role
+ name: {{ $role_name }}
+ apiGroup: rbac.authorization.k8s.io
+
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ $_job_name }}
+ namespace: {{ $ns }}
+ annotations:
+ argocd.argoproj.io/sync-wave: "146"
+ labels:
+ mas.ibm.com/job-cleanup-group: {{ $_job_cleanup_group }}
+{{- if .Values.custom_labels }}
+{{ .Values.custom_labels | toYaml | indent 4 }}
+{{- end }}
+spec:
+ parallelism: 1
+ completions: 1
+ backoffLimit: 4
+
+ template:
+ metadata:
+ labels:
+ app: {{ $job_label }}
+{{- if .Values.custom_labels }}
+{{ .Values.custom_labels | toYaml | indent 8 }}
+{{- end }}
+ spec:
+ restartPolicy: Never
+ serviceAccountName: "{{ $sa_name }}"
+ volumes:
+ - name: "tls"
+ secret:
+ secretName: "{{ $internalapi_tls_secret_name }}"
+ defaultMode: 420
+ optional: false
+
+ containers:
+ - name: {{ $_job_name_prefix }}
+ image: {{ .Values.cli_image_repo | default "quay.io/ibmmas/cli" }}@{{ $_cli_image_digest }}
+ imagePullPolicy: IfNotPresent
+
+ env:
+ - name: MAS_INSTANCE_ID
+ value: "{{ .Values.instance_id }}"
+
+ - name: WELCOME_MESSAGE
+ value: "{{ .Values.welcome_message }}"
+
+ - name: STATE_CONFIGMAP_NAME
+ value: "{{ $cm_name }}"
+
+ - name: MAS_CORE_NAMESPACE
+ value: "{{ $ns }}"
+
+ volumeMounts:
+ - name: "tls"
+ mountPath: /etc/mas/tls
+
+ command:
+ - /bin/sh
+ - -c
+ - |
+ INTERNAL_API_URL="https://internalapi.mas-${MAS_INSTANCE_ID}-core.svc:443"
+ WELCOME_MESSAGES_API_URL="${INTERNAL_API_URL}/v1/messages/welcome"
+ CA_FILE="/etc/mas/tls/ca.crt"
+ CERT_FILE="/etc/mas/tls/tls.crt"
+ KEY_FILE="/etc/mas/tls/tls.key"
+
+ echo "MAS Welcome Message Setup"
+ echo "==============================="
+ echo ""
+
+ echo "This Job will ensure that the MAS welcome message (i.e. that shown at the bottom of the login screen)"
+ echo "is set to the value defined in gitops configuration."
+ echo "The welcome message will only be updated if one of the following are true:"
+ echo " - This Job has never been run before (i.e. after the Suite is installed for the first time)"
+ echo " - The welcome message defined in the gitops configuration has changed since the last time this Job ran"
+ echo "If the welcome message is changed via the MAS UI/API, this Job will NOT revert the change - this is intentional."
+ echo ""
+
+ # Escape any characters that may interfere with JSON
+ WELCOME_MESSAGE_ESCAPED=$(echo ${WELCOME_MESSAGE} | jq -Ra .)
+
+ echo "Fetch Welcome Message last set by this Job from ConfigMap ${STATE_CONFIGMAP_NAME}"
+ echo "------------------------------------------------"
+ LAST_APPLIED_WELCOME_MESSAGE_ESCAPED=$(oc get configmap ${STATE_CONFIGMAP_NAME} -ojsonpath='{.data.last-applied}' -n "${MAS_CORE_NAMESPACE}")
+ rc=$?
+ LAST_APPLIED_WELCOME_MESSAGE_ESCAPED='"'${LAST_APPLIED_WELCOME_MESSAGE_ESCAPED}'"'
+
+ if [[ "$rc" != 0 ]]; then
+ echo "ConfigMap ${STATE_CONFIGMAP_NAME} was not found, Job has never been run, so proceed ..."
+ elif [[ "${WELCOME_MESSAGE_ESCAPED}" != "${LAST_APPLIED_WELCOME_MESSAGE_ESCAPED}" ]]; then
+ echo "Gitops configuration contains a different welcome message than that last applied by this Job, so proceed ... "
+ else
+ echo "Gitops configuration and the welcome message last applied by this Job are the same, so abort ..."
+ exit 0
+ fi
+ echo ""
+
+
+ echo "Setting MAS Welcome Message"
+ echo "---------------------------"
+
+
+ PAYLOAD_FILE="payload.json"
+ echo '{"message": '${WELCOME_MESSAGE_ESCAPED}'}' > ${PAYLOAD_FILE}
+
+ curl -X PUT "${WELCOME_MESSAGES_API_URL}" \
+ -f \
+ --cert "${CERT_FILE}" \
+ --key "${KEY_FILE}" \
+ --cacert "${CA_FILE}" \
+ -H 'Content-Type: application/json' \
+ -d @${PAYLOAD_FILE}
+
+ rc=$?
+
+ echo ""
+ echo "Result"
+ echo "---------------------------"
+
+ if [[ "$rc" == "0" ]]; then
+ # establish the state configmap
+ echo "Successfully set welcome message"
+ echo ""
+
+
+ echo "Updating ConfigMap ${STATE_CONFIGMAP_NAME}"
+ echo "---------------------------"
+
+ CONFIGMAP_YAML_FILE="configmap.yaml"
+
+ echo '
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: '${STATE_CONFIGMAP_NAME}'
+ namespace: '${MAS_CORE_NAMESPACE}'
+ data:
+ last-applied: '${WELCOME_MESSAGE_ESCAPED} > ${CONFIGMAP_YAML_FILE}
+
+ oc apply -f ${CONFIGMAP_YAML_FILE}
+ cm_rc=$?
+
+ if [[ "${cm_rc}" != "0" ]]; then
+ echo ""
+ echo "Failed to update ConfigMap ${STATE_CONFIGMAP_NAME} (rc ${cm_rc})"
+ echo "Failing Job execution; this needs to be rectified otherwise the Job may revert future changes"
+ echo "made to the Welcome message by the customer via the MAS UI/API."
+ exit $cm_rc
+ fi
+
+ else
+ echo "Failed with to set Welcome Message (rc $rc)"
+ fi
+
+ exit $rc
+
+{{- end }}
diff --git a/root-applications/ibm-mas-instance-root/templates/130-ibm-mas-suite-app.yaml b/root-applications/ibm-mas-instance-root/templates/130-ibm-mas-suite-app.yaml
index ab3a191fc..27be6e5d2 100644
--- a/root-applications/ibm-mas-instance-root/templates/130-ibm-mas-suite-app.yaml
+++ b/root-applications/ibm-mas-instance-root/templates/130-ibm-mas-suite-app.yaml
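Review bot: In the new Job template the welcome message is free text but is interpolated unescaped at `value: "{{ .Values.welcome_message }}"`, so a message containing `"` or `\` breaks the rendered manifest or alters its structure; `value: {{ .Values.welcome_message | quote }}` keeps it a single scalar. The script then expands it unquoted in `echo ${WELCOME_MESSAGE} | jq -Ra .`, exposing it to word splitting and glob expansion; `printf '%s' "${WELCOME_MESSAGE}" | jq -Rsa .` avoids both. The last-applied check compares the jq-escaped string with the raw ConfigMap value re-wrapped in `"`, so any message jq has to escape (quotes, backslashes, non-ASCII under `-a`) never compares equal and is re-applied on every rerun, contrary to the stated intent of not reverting UI/API changes. The same `if` treats every non-zero `oc get` exit as "never run", so an API or RBAC failure also leads to an overwrite. On least privilege, the NetworkPolicy's `egress` rule `- {}` allows every destination although its comment names only internalapi, and the Role's `get`/`patch` on configmaps could be limited with `resourceNames` to the state ConfigMap (`create` cannot be scoped by name).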
@@ -135,6 +135,11 @@ spec: {{- if .Values.ibm_mas_suite.internal_certificate_authority }} internal_certificate_authority: "{{ .Values.ibm_mas_suite.internal_certificate_authority }}" {{- end }} + + {{- if .Values.ibm_mas_suite.welcome_message }} + welcome_message: | + {{ .Values.ibm_mas_suite.welcome_message | nindent 14 }} + {{- end }} - name: ARGOCD_APP_NAME value: suiteapp {{- if not (empty .Values.avp.secret) }}
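Review bot: `nindent 14` placed under `welcome_message: |` prepends a newline, and the literal block keeps a trailing one, so the value handed to the suite chart is the message wrapped in newlines rather than the configured text. Correct parsing also depends on `14` matching the indentation of the enclosing values block, which starts outside this hunk and cannot be checked here. Passing a single quoted scalar, `welcome_message: {{ .Values.ibm_mas_suite.welcome_message | toJson }}`, removes both concerns and is closer to the quoted form used for `internal_certificate_authority` just above. If multi-line messages are intended, a template comment saying so and naming where the newlines are normalised would help the next reader.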