From 7dfa1ec57095c13d691a4a36e5208bf7d971d67d Mon Sep 17 00:00:00 2001 
From: Vadym Mudryi Date: Wed, 28 Jan 2026 16:32:54 +0200 Subject: [PATCH] testing migration --- .github/workflows/deploy-dependencies.yml | 6 +- .github/workflows/deploy-opencrvs.yml | 6 +- .github/workflows/github-to-k8s-sync-env.yml | 4 + .github/workflows/k8s-reindex.yml | 6 +- .github/workflows/k8s-reset-data.yml | 6 +- .github/workflows/k8s-seed-data.yml | 6 +- .github/workflows/provision.yml | 6 +- .github/workflows/reset-2fa.yml | 6 +- .../development/dependencies/values.yaml | 41 +++++++++ .../development/mosip-api/values.yaml | 2 + .../development/opencrvs-services/values.yaml | 53 ++++++++++++ environments/development/traefik/values.yaml | 85 +++++++++++++++++++ .../production/dependencies/values.yaml | 41 +++++++++ environments/production/mosip-api/values.yaml | 2 + .../production/opencrvs-services/values.yaml | 53 ++++++++++++ environments/production/traefik/values.yaml | 85 +++++++++++++++++++ environments/qa/dependencies/values.yaml | 41 +++++++++ environments/qa/mosip-api/values.yaml | 2 + environments/qa/opencrvs-services/values.yaml | 53 ++++++++++++ environments/qa/traefik/values.yaml | 85 +++++++++++++++++++ environments/staging/dependencies/values.yaml | 41 +++++++++ environments/staging/mosip-api/values.yaml | 2 + .../staging/opencrvs-services/values.yaml | 53 ++++++++++++ environments/staging/traefik/values.yaml | 85 +++++++++++++++++++ .../swarm-to-k8s/dependencies/values.yaml | 41 +++++++++ .../swarm-to-k8s/mosip-api/values.yaml | 2 + .../opencrvs-services/values.yaml | 53 ++++++++++++ environments/swarm-to-k8s/traefik/values.yaml | 85 +++++++++++++++++++ .../server-setup/inventory/development.yml | 56 ++++++++++++ .../server-setup/inventory/production.yml | 56 ++++++++++++ infrastructure/server-setup/inventory/qa.yml | 56 ++++++++++++ .../server-setup/inventory/staging.yml | 56 ++++++++++++ .../server-setup/inventory/swarm-to-k8s.yml | 56 ++++++++++++ 33 files changed, 1224 insertions(+), 7 deletions(-) create mode 100644 
environments/development/dependencies/values.yaml create mode 100644 environments/development/mosip-api/values.yaml create mode 100644 environments/development/opencrvs-services/values.yaml create mode 100644 environments/development/traefik/values.yaml create mode 100644 environments/production/dependencies/values.yaml create mode 100644 environments/production/mosip-api/values.yaml create mode 100644 environments/production/opencrvs-services/values.yaml create mode 100644 environments/production/traefik/values.yaml create mode 100644 environments/qa/dependencies/values.yaml create mode 100644 environments/qa/mosip-api/values.yaml create mode 100644 environments/qa/opencrvs-services/values.yaml create mode 100644 environments/qa/traefik/values.yaml create mode 100644 environments/staging/dependencies/values.yaml create mode 100644 environments/staging/mosip-api/values.yaml create mode 100644 environments/staging/opencrvs-services/values.yaml create mode 100644 environments/staging/traefik/values.yaml create mode 100644 environments/swarm-to-k8s/dependencies/values.yaml create mode 100644 environments/swarm-to-k8s/mosip-api/values.yaml create mode 100644 environments/swarm-to-k8s/opencrvs-services/values.yaml create mode 100644 environments/swarm-to-k8s/traefik/values.yaml create mode 100644 infrastructure/server-setup/inventory/development.yml create mode 100644 infrastructure/server-setup/inventory/production.yml create mode 100644 infrastructure/server-setup/inventory/qa.yml create mode 100644 infrastructure/server-setup/inventory/staging.yml create mode 100644 infrastructure/server-setup/inventory/swarm-to-k8s.yml
diff --git a/.github/workflows/deploy-dependencies.yml b/.github/workflows/deploy-dependencies.yml
index c7567d48..23da397e 100644
--- a/.github/workflows/deploy-dependencies.yml
+++ b/.github/workflows/deploy-dependencies.yml
@@ -9,7 +9,11 @@ on: default: "dev" type: choice options: - - "" + - development + - production + - qa + - staging + - swarm-to-k8s jobs: approve: environment: ${{ inputs.environment }} diff --git a/.github/workflows/deploy-opencrvs.yml b/.github/workflows/deploy-opencrvs.yml index 52c2c737..5efc2cff 100644 --- a/.github/workflows/deploy-opencrvs.yml +++ b/.github/workflows/deploy-opencrvs.yml @@ -32,7 +32,11 @@ on: default: "dev" type: choice options: - - "" + - development + - production + - qa + - staging + - swarm-to-k8s jobs: approve: diff --git a/.github/workflows/github-to-k8s-sync-env.yml b/.github/workflows/github-to-k8s-sync-env.yml index e288aced..fdaed9cb 100644 --- a/.github/workflows/github-to-k8s-sync-env.yml +++ b/.github/workflows/github-to-k8s-sync-env.yml @@ -11,6 +11,10 @@ on: type: choice options: - development + - production + - qa + - staging + - swarm-to-k8s namespace_template: description: "Secrets mapping template" default: "opencrvs" diff --git a/.github/workflows/k8s-reindex.yml b/.github/workflows/k8s-reindex.yml index cf4dfb9e..fb4b4fca 100644 --- a/.github/workflows/k8s-reindex.yml +++ b/.github/workflows/k8s-reindex.yml @@ -9,7 +9,11 @@ on: default: "dev" type: choice options: - - "" + - development + - production + - qa + - staging + - swarm-to-k8s workflow_call: inputs: environment: diff --git a/.github/workflows/k8s-reset-data.yml b/.github/workflows/k8s-reset-data.yml index 78a8528f..e2be2b1c 100644 --- a/.github/workflows/k8s-reset-data.yml +++ b/.github/workflows/k8s-reset-data.yml @@ -9,7 +9,11 @@ on: default: "dev" type: choice options: - - "" + - development + - production + - qa + - staging + - swarm-to-k8s workflow_call: inputs: environment: diff --git a/.github/workflows/k8s-seed-data.yml b/.github/workflows/k8s-seed-data.yml index 7e8fe4d7..2242d90a 100644 --- a/.github/workflows/k8s-seed-data.yml +++ b/.github/workflows/k8s-seed-data.yml 
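Review bot: The context line `default: "dev"` in this hunk is no longer one of the `options`, so a dispatch that leaves the input untouched carries a value the `choice` list does not allow, and `environment: ${{ inputs.environment }}` in the `approve` job then names an environment called dev rather than one of the five listed; as far as I know GitHub creates an environment on first reference with no protection rules, so the approval gate would not apply to such a run. The same default/options mismatch is in deploy-opencrvs.yml, k8s-reindex.yml and k8s-reset-data.yml on this line and in k8s-seed-data.yml and provision.yml on the next. Change the default to a listed value, `default: "development"`, or drop the default so the operator must pick an environment explicitly. The `on:` block and the rest of the input definition lie outside the hunk.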
@@ -9,7 +9,11 @@ on: default: "dev" type: choice options: - - "" + - development + - production + - qa + - staging + - swarm-to-k8s workflow_call: inputs: environment: diff --git a/.github/workflows/provision.yml b/.github/workflows/provision.yml index c4b872d5..20196957 100644 --- a/.github/workflows/provision.yml +++ b/.github/workflows/provision.yml @@ -9,7 +9,11 @@ on: default: 'dev' type: choice options: - - "" + - swarm-to-k8s + - staging + - qa + - production + - development tags: description: 'Tags to apply to the provisioned resources' required: true diff --git a/.github/workflows/reset-2fa.yml b/.github/workflows/reset-2fa.yml index a67f0737..dbe2ee7f 100644 --- a/.github/workflows/reset-2fa.yml +++ b/.github/workflows/reset-2fa.yml @@ -13,7 +13,11 @@ on: default: required: true options: - - "" + - swarm-to-k8s + - staging + - qa + - production + - development jobs: approve: diff --git a/environments/development/dependencies/values.yaml b/environments/development/dependencies/values.yaml new file mode 100644 index 00000000..a5e117ca --- /dev/null +++ b/environments/development/dependencies/values.yaml @@ -0,0 +1,41 @@ +storage_type: host_path + +environment_type: production + +minio: + use_default_credentials: false + +elasticsearch: + use_default_credentials: false + +mongodb: + use_default_credentials: false + +postgres: + use_default_credentials: false + +redis: + auth_mode: acl + +monitoring: + enabled: true + +elastalert: + env: + HTTP_POST2_ALERT_URL: http://countryconfig.opencrvs-development.svc.cluster.local:3040/email + +# Backup configuration +backup: + enabled: false + schedule: "0 1 * * *" + backup_server_secret: backup-server-ssh-credentials + backup_server_dir: /home/backup/development + + +# Restore configuration +restore: + enabled: false + schedule: "0 0 * * *" + backup_server_secret: backup-server-ssh-credentials + backup_server_dir: /home/backup/ + backup_encryption_secret: restore-encryption-secret \ No newline at end of file 
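Review bot: The options added to provision.yml are listed in the reverse order (swarm-to-k8s first, development last) of the six other workflows in this patch, and reset-2fa.yml below repeats the reversed order; the dispatch form shows choices in list order, so production sits in a different position on these two forms. Align them with the others, `- development`, `- production`, `- qa`, `- staging`, `- swarm-to-k8s`. In reset-2fa.yml the context line `default:` is a bare null that adds nothing next to `required: true` and is flagged by yamllint's empty-values rule, so it could be dropped. The input definitions continue outside these hunks.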
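Review bot: The new development values set `restore.backup_server_dir: /home/backup/`, the root of the backup tree, while `backup.backup_server_dir` is `/home/backup/development`; if `restore.enabled` is ever switched to true the restore reads from a directory that holds every environment's backups rather than this one. The qa and swarm-to-k8s dependencies files further down carry the same pair. `environment_type: production` in a development environment is presumably deliberate (the chart may key hardening on it) but deserves a one-line comment saying so, e.g. `# production hardening is applied in every environment; only backup/restore differ`. Consider `backup_server_dir: /home/backup/development` under `restore:`, and the file also ends without a trailing newline.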
diff --git a/environments/development/mosip-api/values.yaml b/environments/development/mosip-api/values.yaml new file mode 100644 index 00000000..442be8ee --- /dev/null +++ b/environments/development/mosip-api/values.yaml @@ -0,0 +1,2 @@ +ingress: + ssl_enabled: true \ No newline at end of file diff --git a/environments/development/opencrvs-services/values.yaml b/environments/development/opencrvs-services/values.yaml new file mode 100644 index 00000000..37bf5de7 --- /dev/null +++ b/environments/development/opencrvs-services/values.yaml 
@@ -0,0 +1,53 @@ +######################################################################################## +# Initial configuration file for OpenCRVS installation +######################################################################################## +# Some properties are not defined in this file and should be provided as key/value at +# installation time: +# - hostname: valid DNS name for opencrvs +# - countryconfig.image.name: Countryconfig image repository +# - countryconfig.image.tag: Countryconfig image tag +environment_type: production + +hpa: + enabled: false + +env: + APN_SERVICE_URL: "http://apm-server.opencrvs-deps-development.svc.cluster.local:8200" + QA_ENV: true +influxdb: + host: influxdb-0.influxdb.opencrvs-deps-development.svc.cluster.local +elasticsearch: + auth_mode: auto + host: elasticsearch.opencrvs-deps-development.svc.cluster.local + + +minio: + auth_mode: use_secret + host: minio-0.minio.opencrvs-deps-development.svc.cluster.local + +mongodb: + auth_mode: auto + host: mongodb-0.mongodb.opencrvs-deps-development.svc.cluster.local + +redis: + auth_mode: use_secret + host: redis-0.redis.opencrvs-deps-development.svc.cluster.local + +postgres: + auth_mode: auto + host: postgres-0.postgres.opencrvs-deps-development.svc.cluster.local + +imagePullSecrets: + # Default value for credentials created while yarn environment:init + - name: dockerhub-credentials + +countryconfig: + secrets: + smtp-config: + - ALERT_EMAIL + - SENDER_EMAIL_ADDRESS + - SMTP_HOST + - SMTP_PASSWORD + - SMTP_PORT + - SMTP_SECURE + - SMTP_USERNAME diff --git a/environments/development/traefik/values.yaml b/environments/development/traefik/values.yaml new file mode 100644 index 00000000..1023b70e --- /dev/null +++ b/environments/development/traefik/values.yaml 
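Review bot: `QA_ENV: true` under `env:` is a YAML boolean, not a string; if the chart renders this map into a container `env` block with `toYaml`, the Kubernetes API rejects the non-string value, and a template that stringifies it hides the intent. Quote it, `QA_ENV: "true"`, and do the same for the `false` in the production services file and the `true` in the qa, staging and swarm-to-k8s files later in the patch. The two consecutive blank lines after the `elasticsearch:` block and the missing blank line before `influxdb:` are style nits yamllint would also report.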
@@ -0,0 +1,85 @@ +# Overwriting https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml +namespaceOverride: "traefik" +logs: + general: + # "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "PANIC" + level: "INFO" + # format: "common" # For local environment + format: "json" # For server environment + access: + # -- To enable access logs + enabled: true + format: "json" + +ingressRoute: + dashboard: + enabled: false + +# Be explicit that we only use CRDs, not ingress/gw support +providers: + kubernetesCRD: + enabled: true + kubernetesIngress: + enabled: false + kubernetesGateway: + enabled: false + +service: + enabled: true + single: false + type: NodePort + +ports: + web: + port: 8000 + hostPort: 80 + protocol: TCP + nodePort: 30080 + http: + redirections: + entryPoint: + to: websecure + scheme: https + permanent: true + + websecure: + port: 8443 + hostPort: 443 + protocol: TCP + nodePort: 30443 + http: + tls: + enabled: true + certResolver: letsencrypt + +# 👇 Adjust this section if needed +certificatesResolvers: + letsencrypt: + acme: + tlsChallenge: false + httpChallenge: + entryPoint: web + # 👇 Provide admin email address + email: admin@opencrvs.org + # Storage for certificates: + storage: /certificates/acme.json + # NOTE: Sometimes Let's Encrypt hit production SSL certificate issuing limits + # If you are having issues, switch to staging + # Staging server + # caServer: https://acme-staging-v02.api.letsencrypt.org/directory + # Production server + caServer: https://acme-v02.api.letsencrypt.org/directory + +deployment: + hostNetwork: true + additionalVolumes: + - name: acme + hostPath: + path: /data/traefik + +additionalVolumeMounts: + - name: acme + mountPath: /certificates + +nodeSelector: + traefik-role: ingress diff --git a/environments/production/dependencies/values.yaml b/environments/production/dependencies/values.yaml new file mode 100644 index 00000000..9a762fb4 --- /dev/null 
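Review bot: The `email` under `certificatesResolvers.letsencrypt.acme` still sits beneath the `# 👇 Provide admin email address` prompt, so `admin@opencrvs.org` reads as the template placeholder rather than an operator contact, and the file is copied byte-for-byte into the production, qa, staging and swarm-to-k8s traefik values later in the patch, so ACME expiry and policy notices for all five clusters go to that one address. Because `storage: /certificates/acme.json` lands on the `hostPath` `/data/traefik` of a pod running with `hostNetwork: true`, and acme.json holds the ACME account key and the issued certificates' private keys, the section should say who may read that directory on the node, e.g. `# /data/traefik holds acme.json (account + certificate private keys); keep it root-only on the node`. With five identical copies, one shared traefik values file plus per-environment overrides would keep them from drifting.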
+++ b/environments/production/dependencies/values.yaml @@ -0,0 +1,41 @@ +storage_type: host_path + +environment_type: production + +minio: + use_default_credentials: false + +elasticsearch: + use_default_credentials: false + +mongodb: + use_default_credentials: false + +postgres: + use_default_credentials: false + +redis: + auth_mode: acl + +monitoring: + enabled: true + +elastalert: + env: + HTTP_POST2_ALERT_URL: http://countryconfig.opencrvs-production.svc.cluster.local:3040/email + +# Backup configuration +backup: + enabled: true + schedule: "0 1 * * *" + backup_server_secret: backup-server-ssh-credentials + backup_server_dir: /home/backup/production + + +# Restore configuration +restore: + enabled: false + schedule: "0 0 * * *" + backup_server_secret: backup-server-ssh-credentials + backup_server_dir: /home/backup/ + backup_encryption_secret: restore-encryption-secret \ No newline at end of file diff --git a/environments/production/mosip-api/values.yaml b/environments/production/mosip-api/values.yaml new file mode 100644 index 00000000..442be8ee --- /dev/null +++ b/environments/production/mosip-api/values.yaml @@ -0,0 +1,2 @@ +ingress: + ssl_enabled: true \ No newline at end of file diff --git a/environments/production/opencrvs-services/values.yaml b/environments/production/opencrvs-services/values.yaml new file mode 100644 index 00000000..08fb97e2 --- /dev/null +++ b/environments/production/opencrvs-services/values.yaml 
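Review bot: `backup:` is enabled for production with an SSH credential secret but, unlike `restore:`, names no `backup_encryption_secret`, so whether the nightly backup is encrypted before it leaves the cluster depends on a chart default not visible here; for the environment holding real registration data that should be stated rather than assumed, e.g. `# backups are encrypted client-side with <CHART_DEFAULT_SECRET placeholder>; verify in the chart` or the key itself. `restore.backup_server_dir: /home/backup/` also does not match `backup.backup_server_dir: /home/backup/production`; restore is disabled here, but the mismatch would surface the day it is switched on.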
@@ -0,0 +1,53 @@ +######################################################################################## +# Initial configuration file for OpenCRVS installation +######################################################################################## +# Some properties are not defined in this file and should be provided as key/value at +# installation time: +# - hostname: valid DNS name for opencrvs +# - countryconfig.image.name: Countryconfig image repository +# - countryconfig.image.tag: Countryconfig image tag +environment_type: production + +hpa: + enabled: false + +env: + APN_SERVICE_URL: "http://apm-server.opencrvs-deps-production.svc.cluster.local:8200" + QA_ENV: false +influxdb: + host: influxdb-0.influxdb.opencrvs-deps-production.svc.cluster.local +elasticsearch: + auth_mode: auto + host: elasticsearch.opencrvs-deps-production.svc.cluster.local + + +minio: + auth_mode: use_secret + host: minio-0.minio.opencrvs-deps-production.svc.cluster.local + +mongodb: + auth_mode: auto + host: mongodb-0.mongodb.opencrvs-deps-production.svc.cluster.local + +redis: + auth_mode: use_secret + host: redis-0.redis.opencrvs-deps-production.svc.cluster.local + +postgres: + auth_mode: auto + host: postgres-0.postgres.opencrvs-deps-production.svc.cluster.local + +imagePullSecrets: + # Default value for credentials created while yarn environment:init + - name: dockerhub-credentials + +countryconfig: + secrets: + smtp-config: + - ALERT_EMAIL + - SENDER_EMAIL_ADDRESS + - SMTP_HOST + - SMTP_PASSWORD + - SMTP_PORT + - SMTP_SECURE + - SMTP_USERNAME diff --git a/environments/production/traefik/values.yaml b/environments/production/traefik/values.yaml new file mode 100644 index 00000000..1023b70e --- /dev/null +++ b/environments/production/traefik/values.yaml 
@@ -0,0 +1,85 @@ +# Overwriting https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml +namespaceOverride: "traefik" +logs: + general: + # "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "PANIC" + level: "INFO" + # format: "common" # For local environment + format: "json" # For server environment + access: + # -- To enable access logs + enabled: true + format: "json" + +ingressRoute: + dashboard: + enabled: false + +# Be explicit that we only use CRDs, not ingress/gw support +providers: + kubernetesCRD: + enabled: true + kubernetesIngress: + enabled: false + kubernetesGateway: + enabled: false + +service: + enabled: true + single: false + type: NodePort + +ports: + web: + port: 8000 + hostPort: 80 + protocol: TCP + nodePort: 30080 + http: + redirections: + entryPoint: + to: websecure + scheme: https + permanent: true + + websecure: + port: 8443 + hostPort: 443 + protocol: TCP + nodePort: 30443 + http: + tls: + enabled: true + certResolver: letsencrypt + +# 👇 Adjust this section if needed +certificatesResolvers: + letsencrypt: + acme: + tlsChallenge: false + httpChallenge: + entryPoint: web + # 👇 Provide admin email address + email: admin@opencrvs.org + # Storage for certificates: + storage: /certificates/acme.json + # NOTE: Sometimes Let's Encrypt hit production SSL certificate issuing limits + # If you are having issues, switch to staging + # Staging server + # caServer: https://acme-staging-v02.api.letsencrypt.org/directory + # Production server + caServer: https://acme-v02.api.letsencrypt.org/directory + +deployment: + hostNetwork: true + additionalVolumes: + - name: acme + hostPath: + path: /data/traefik + +additionalVolumeMounts: + - name: acme + mountPath: /certificates + +nodeSelector: + traefik-role: ingress diff --git a/environments/qa/dependencies/values.yaml b/environments/qa/dependencies/values.yaml new file mode 100644 index 00000000..a35269c0 --- /dev/null +++ b/environments/qa/dependencies/values.yaml 
@@ -0,0 +1,41 @@ +storage_type: host_path + +environment_type: production + +minio: + use_default_credentials: false + +elasticsearch: + use_default_credentials: false + +mongodb: + use_default_credentials: false + +postgres: + use_default_credentials: false + +redis: + auth_mode: acl + +monitoring: + enabled: true + +elastalert: + env: + HTTP_POST2_ALERT_URL: http://countryconfig.opencrvs-qa.svc.cluster.local:3040/email + +# Backup configuration +backup: + enabled: false + schedule: "0 1 * * *" + backup_server_secret: backup-server-ssh-credentials + backup_server_dir: /home/backup/qa + + +# Restore configuration +restore: + enabled: false + schedule: "0 0 * * *" + backup_server_secret: backup-server-ssh-credentials + backup_server_dir: /home/backup/ + backup_encryption_secret: restore-encryption-secret \ No newline at end of file diff --git a/environments/qa/mosip-api/values.yaml b/environments/qa/mosip-api/values.yaml new file mode 100644 index 00000000..442be8ee --- /dev/null +++ b/environments/qa/mosip-api/values.yaml @@ -0,0 +1,2 @@ +ingress: + ssl_enabled: true \ No newline at end of file diff --git a/environments/qa/opencrvs-services/values.yaml b/environments/qa/opencrvs-services/values.yaml new file mode 100644 index 00000000..6d0e8916 --- /dev/null +++ b/environments/qa/opencrvs-services/values.yaml 
@@ -0,0 +1,53 @@ +######################################################################################## +# Initial configuration file for OpenCRVS installation +######################################################################################## +# Some properties are not defined in this file and should be provided as key/value at +# installation time: +# - hostname: valid DNS name for opencrvs +# - countryconfig.image.name: Countryconfig image repository +# - countryconfig.image.tag: Countryconfig image tag +environment_type: production + +hpa: + enabled: false + +env: + APN_SERVICE_URL: "http://apm-server.opencrvs-deps-qa.svc.cluster.local:8200" + QA_ENV: true +influxdb: + host: influxdb-0.influxdb.opencrvs-deps-qa.svc.cluster.local +elasticsearch: + auth_mode: auto + host: elasticsearch.opencrvs-deps-qa.svc.cluster.local + + +minio: + auth_mode: use_secret + host: minio-0.minio.opencrvs-deps-qa.svc.cluster.local + +mongodb: + auth_mode: auto + host: mongodb-0.mongodb.opencrvs-deps-qa.svc.cluster.local + +redis: + auth_mode: use_secret + host: redis-0.redis.opencrvs-deps-qa.svc.cluster.local + +postgres: + auth_mode: auto + host: postgres-0.postgres.opencrvs-deps-qa.svc.cluster.local + +imagePullSecrets: + # Default value for credentials created while yarn environment:init + - name: dockerhub-credentials + +countryconfig: + secrets: + smtp-config: + - ALERT_EMAIL + - SENDER_EMAIL_ADDRESS + - SMTP_HOST + - SMTP_PASSWORD + - SMTP_PORT + - SMTP_SECURE + - SMTP_USERNAME diff --git a/environments/qa/traefik/values.yaml b/environments/qa/traefik/values.yaml new file mode 100644 index 00000000..1023b70e --- /dev/null +++ b/environments/qa/traefik/values.yaml 
@@ -0,0 +1,85 @@ +# Overwriting https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml +namespaceOverride: "traefik" +logs: + general: + # "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "PANIC" + level: "INFO" + # format: "common" # For local environment + format: "json" # For server environment + access: + # -- To enable access logs + enabled: true + format: "json" + +ingressRoute: + dashboard: + enabled: false + +# Be explicit that we only use CRDs, not ingress/gw support +providers: + kubernetesCRD: + enabled: true + kubernetesIngress: + enabled: false + kubernetesGateway: + enabled: false + +service: + enabled: true + single: false + type: NodePort + +ports: + web: + port: 8000 + hostPort: 80 + protocol: TCP + nodePort: 30080 + http: + redirections: + entryPoint: + to: websecure + scheme: https + permanent: true + + websecure: + port: 8443 + hostPort: 443 + protocol: TCP + nodePort: 30443 + http: + tls: + enabled: true + certResolver: letsencrypt + +# 👇 Adjust this section if needed +certificatesResolvers: + letsencrypt: + acme: + tlsChallenge: false + httpChallenge: + entryPoint: web + # 👇 Provide admin email address + email: admin@opencrvs.org + # Storage for certificates: + storage: /certificates/acme.json + # NOTE: Sometimes Let's Encrypt hit production SSL certificate issuing limits + # If you are having issues, switch to staging + # Staging server + # caServer: https://acme-staging-v02.api.letsencrypt.org/directory + # Production server + caServer: https://acme-v02.api.letsencrypt.org/directory + +deployment: + hostNetwork: true + additionalVolumes: + - name: acme + hostPath: + path: /data/traefik + +additionalVolumeMounts: + - name: acme + mountPath: /certificates + +nodeSelector: + traefik-role: ingress diff --git a/environments/staging/dependencies/values.yaml b/environments/staging/dependencies/values.yaml new file mode 100644 index 00000000..7a02092d --- /dev/null +++ b/environments/staging/dependencies/values.yaml 
@@ -0,0 +1,41 @@ +storage_type: host_path + +environment_type: production + +minio: + use_default_credentials: false + +elasticsearch: + use_default_credentials: false + +mongodb: + use_default_credentials: false + +postgres: + use_default_credentials: false + +redis: + auth_mode: acl + +monitoring: + enabled: true + +elastalert: + env: + HTTP_POST2_ALERT_URL: http://countryconfig.opencrvs-staging.svc.cluster.local:3040/email + +# Backup configuration +backup: + enabled: false + schedule: "0 1 * * *" + backup_server_secret: backup-server-ssh-credentials + backup_server_dir: /home/backup/staging + + +# Restore configuration +restore: + enabled: true + schedule: "0 0 * * *" + backup_server_secret: backup-server-ssh-credentials + backup_server_dir: /home/backup/production + backup_encryption_secret: restore-encryption-secret \ No newline at end of file diff --git a/environments/staging/mosip-api/values.yaml b/environments/staging/mosip-api/values.yaml new file mode 100644 index 00000000..442be8ee --- /dev/null +++ b/environments/staging/mosip-api/values.yaml @@ -0,0 +1,2 @@ +ingress: + ssl_enabled: true \ No newline at end of file diff --git a/environments/staging/opencrvs-services/values.yaml b/environments/staging/opencrvs-services/values.yaml new file mode 100644 index 00000000..cb0cda16 --- /dev/null +++ b/environments/staging/opencrvs-services/values.yaml 
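Review bot: `restore:` is enabled for staging and points at `/home/backup/production`, so every night the staging cluster is loaded with the production dataset and must hold the production backup decryption key as `restore-encryption-secret` in its own namespace. That makes staging carry the same personal data as production, and the staging services file later in this patch sets `QA_ENV: true`; if that flag loosens any behaviour, it now does so over real data. Add a comment stating this is intentional and that staging access (inventory users, SSH to the node, kubeconfig holders) is held to the production standard, e.g. `# Nightly restore of PRODUCTION data: treat this environment as production for access control`. The other environments keep `restore.enabled: false`.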
@@ -0,0 +1,53 @@ +######################################################################################## +# Initial configuration file for OpenCRVS installation +######################################################################################## +# Some properties are not defined in this file and should be provided as key/value at +# installation time: +# - hostname: valid DNS name for opencrvs +# - countryconfig.image.name: Countryconfig image repository +# - countryconfig.image.tag: Countryconfig image tag +environment_type: production + +hpa: + enabled: false + +env: + APN_SERVICE_URL: "http://apm-server.opencrvs-deps-staging.svc.cluster.local:8200" + QA_ENV: true +influxdb: + host: influxdb-0.influxdb.opencrvs-deps-staging.svc.cluster.local +elasticsearch: + auth_mode: auto + host: elasticsearch.opencrvs-deps-staging.svc.cluster.local + + +minio: + auth_mode: use_secret + host: minio-0.minio.opencrvs-deps-staging.svc.cluster.local + +mongodb: + auth_mode: auto + host: mongodb-0.mongodb.opencrvs-deps-staging.svc.cluster.local + +redis: + auth_mode: use_secret + host: redis-0.redis.opencrvs-deps-staging.svc.cluster.local + +postgres: + auth_mode: auto + host: postgres-0.postgres.opencrvs-deps-staging.svc.cluster.local + +imagePullSecrets: + # Default value for credentials created while yarn environment:init + - name: dockerhub-credentials + +countryconfig: + secrets: + smtp-config: + - ALERT_EMAIL + - SENDER_EMAIL_ADDRESS + - SMTP_HOST + - SMTP_PASSWORD + - SMTP_PORT + - SMTP_SECURE + - SMTP_USERNAME diff --git a/environments/staging/traefik/values.yaml b/environments/staging/traefik/values.yaml new file mode 100644 index 00000000..1023b70e --- /dev/null +++ b/environments/staging/traefik/values.yaml 
@@ -0,0 +1,85 @@ +# Overwriting https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml +namespaceOverride: "traefik" +logs: + general: + # "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "PANIC" + level: "INFO" + # format: "common" # For local environment + format: "json" # For server environment + access: + # -- To enable access logs + enabled: true + format: "json" + +ingressRoute: + dashboard: + enabled: false + +# Be explicit that we only use CRDs, not ingress/gw support +providers: + kubernetesCRD: + enabled: true + kubernetesIngress: + enabled: false + kubernetesGateway: + enabled: false + +service: + enabled: true + single: false + type: NodePort + +ports: + web: + port: 8000 + hostPort: 80 + protocol: TCP + nodePort: 30080 + http: + redirections: + entryPoint: + to: websecure + scheme: https + permanent: true + + websecure: + port: 8443 + hostPort: 443 + protocol: TCP + nodePort: 30443 + http: + tls: + enabled: true + certResolver: letsencrypt + +# 👇 Adjust this section if needed +certificatesResolvers: + letsencrypt: + acme: + tlsChallenge: false + httpChallenge: + entryPoint: web + # 👇 Provide admin email address + email: admin@opencrvs.org + # Storage for certificates: + storage: /certificates/acme.json + # NOTE: Sometimes Let's Encrypt hit production SSL certificate issuing limits + # If you are having issues, switch to staging + # Staging server + # caServer: https://acme-staging-v02.api.letsencrypt.org/directory + # Production server + caServer: https://acme-v02.api.letsencrypt.org/directory + +deployment: + hostNetwork: true + additionalVolumes: + - name: acme + hostPath: + path: /data/traefik + +additionalVolumeMounts: + - name: acme + mountPath: /certificates + +nodeSelector: + traefik-role: ingress diff --git a/environments/swarm-to-k8s/dependencies/values.yaml b/environments/swarm-to-k8s/dependencies/values.yaml new file mode 100644 index 00000000..4e534b3f --- /dev/null 
+++ b/environments/swarm-to-k8s/dependencies/values.yaml @@ -0,0 +1,41 @@ +storage_type: host_path + +environment_type: production + +minio: + use_default_credentials: false + +elasticsearch: + use_default_credentials: false + +mongodb: + use_default_credentials: false + +postgres: + use_default_credentials: false + +redis: + auth_mode: acl + +monitoring: + enabled: true + +elastalert: + env: + HTTP_POST2_ALERT_URL: http://countryconfig.opencrvs-swarm-to-k8s.svc.cluster.local:3040/email + +# Backup configuration +backup: + enabled: false + schedule: "0 1 * * *" + backup_server_secret: backup-server-ssh-credentials + backup_server_dir: /home/backup/swarm-to-k8s + + +# Restore configuration +restore: + enabled: false + schedule: "0 0 * * *" + backup_server_secret: backup-server-ssh-credentials + backup_server_dir: /home/backup/ + backup_encryption_secret: restore-encryption-secret \ No newline at end of file diff --git a/environments/swarm-to-k8s/mosip-api/values.yaml b/environments/swarm-to-k8s/mosip-api/values.yaml new file mode 100644 index 00000000..442be8ee --- /dev/null +++ b/environments/swarm-to-k8s/mosip-api/values.yaml @@ -0,0 +1,2 @@ +ingress: + ssl_enabled: true \ No newline at end of file diff --git a/environments/swarm-to-k8s/opencrvs-services/values.yaml b/environments/swarm-to-k8s/opencrvs-services/values.yaml new file mode 100644 index 00000000..39f50531 --- /dev/null +++ b/environments/swarm-to-k8s/opencrvs-services/values.yaml 
@@ -0,0 +1,53 @@ +######################################################################################## +# Initial configuration file for OpenCRVS installation +######################################################################################## +# Some properties are not defined in this file and should be provided as key/value at +# installation time: +# - hostname: valid DNS name for opencrvs +# - countryconfig.image.name: Countryconfig image repository +# - countryconfig.image.tag: Countryconfig image tag +environment_type: production + +hpa: + enabled: false + +env: + APN_SERVICE_URL: "http://apm-server.opencrvs-deps-swarm-to-k8s.svc.cluster.local:8200" + QA_ENV: true +influxdb: + host: influxdb-0.influxdb.opencrvs-deps-swarm-to-k8s.svc.cluster.local +elasticsearch: + auth_mode: auto + host: elasticsearch.opencrvs-deps-swarm-to-k8s.svc.cluster.local + + +minio: + auth_mode: use_secret + host: minio-0.minio.opencrvs-deps-swarm-to-k8s.svc.cluster.local + +mongodb: + auth_mode: auto + host: mongodb-0.mongodb.opencrvs-deps-swarm-to-k8s.svc.cluster.local + +redis: + auth_mode: use_secret + host: redis-0.redis.opencrvs-deps-swarm-to-k8s.svc.cluster.local + +postgres: + auth_mode: auto + host: postgres-0.postgres.opencrvs-deps-swarm-to-k8s.svc.cluster.local + +imagePullSecrets: + # Default value for credentials created while yarn environment:init + - name: dockerhub-credentials + +countryconfig: + secrets: + smtp-config: + - ALERT_EMAIL + - SENDER_EMAIL_ADDRESS + - SMTP_HOST + - SMTP_PASSWORD + - SMTP_PORT + - SMTP_SECURE + - SMTP_USERNAME diff --git a/environments/swarm-to-k8s/traefik/values.yaml b/environments/swarm-to-k8s/traefik/values.yaml new file mode 100644 index 00000000..1023b70e --- /dev/null +++ b/environments/swarm-to-k8s/traefik/values.yaml 
@@ -0,0 +1,85 @@
+# Overwriting https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml
+namespaceOverride: "traefik"
+logs:
+ general:
+ # "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "PANIC"
+ level: "INFO"
+ # format: "common" # For local environment
+ format: "json" # For server environment
+ access:
+ # -- To enable access logs
+ enabled: true
+ format: "json"
+
+ingressRoute:
+ dashboard:
+ enabled: false
+
+# Be explicit that we only use CRDs, not ingress/gw support
+providers:
+ kubernetesCRD:
+ enabled: true
+ kubernetesIngress:
+ enabled: false
+ kubernetesGateway:
+ enabled: false
+
+service:
+ enabled: true
+ single: false
+ type: NodePort
+
+ports:
+ web:
+ port: 8000
+ hostPort: 80
+ protocol: TCP
+ nodePort: 30080
+ http:
+ redirections:
+ entryPoint:
+ to: websecure
+ scheme: https
+ permanent: true
+
+ websecure:
+ port: 8443
+ hostPort: 443
+ protocol: TCP
+ nodePort: 30443
+ http:
+ tls:
+ enabled: true
+ certResolver: letsencrypt
+
+# 👇 Adjust this section if needed
+certificatesResolvers:
+ letsencrypt:
+ acme:
+ tlsChallenge: false
+ httpChallenge:
+ entryPoint: web
+ # 👇 Provide admin email address
+ email: admin@opencrvs.org
+ # Storage for certificates:
+ storage: /certificates/acme.json
+ # NOTE: Sometimes Let's Encrypt hit production SSL certificate issuing limits
+ # If you are having issues, switch to staging
+ # Staging server
+ # caServer: https://acme-staging-v02.api.letsencrypt.org/directory
+ # Production server
+ caServer: https://acme-v02.api.letsencrypt.org/directory
+
+deployment:
+ hostNetwork: true
+ additionalVolumes:
+ - name: acme
+ hostPath:
+ path: /data/traefik
+
+additionalVolumeMounts:
+ - name: acme
+ mountPath: /certificates
+
+nodeSelector:
+ traefik-role: ingress
diff --git a/infrastructure/server-setup/inventory/development.yml b/infrastructure/server-setup/inventory/development.yml
new file mode 100644
index 00000000..48b69a6c
--- /dev/null
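Review bot: The ACME account key and every issued certificate's private key are persisted in clear at the hostPath `/data/traefik` (mounted as `/certificates`, `storage: /certificates/acme.json`), and the pod already runs with `hostNetwork: true`, so the ingress node's host-side permissions on that directory are the only thing protecting those keys; the provisioning that labels the node with `traefik-role: ingress` should create the directory root-owned and not group/world-readable (Traefik itself expects `acme.json` to be 0600), and a comment here, `# /data/traefik holds acme.json (private keys); must exist on the ingress node, root-owned, 0700`, would make the requirement visible. `email: admin@opencrvs.org` sits directly under the "Provide admin email address" marker and reads like an unfilled placeholder; Let's Encrypt sends expiry and policy notices to that address, so each environment should point it at a monitored mailbox rather than a shared default. With `hostPort` 80/443 plus `hostNetwork`, the `NodePort` service and the 30080/30443 ports look redundant; if host ports are the intended exposure, dropping the NodePort values removes two extra listening ports on every node, but confirm how the chart combines these before changing it.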
+++ b/infrastructure/server-setup/inventory/development.yml
@@ -0,0 +1,56 @@
+all:
+ vars:
+
+ # Domain/IP address for remote access to your cluster API
+ # Domain/IP address will be added as main endpoint to your ~/.kube/config
+ # - If you are behind VPN, use private IP address
+ # - If your server is exposed (not recommeded), use public IP address
+ # - If you would like to run kubectl commands from the remote server, leave this field empty
+ # kube_api_endpoint: ''
+
+ # IMPORTANT: If master VM has multiple ethernet interfaces, put private IP address at kube_api_address
+ # kube_api_host: 10.10.10.10
+ kube_api_host: 37.27.182.181
+
+ # Default ansible provision user, keep as is
+ ansible_user: provision
+ # single_node:
+ # For development/qa/testing/staging keep true
+ # For production keep false
+ # Defaults production configuration:
+ # - master node
+ # - 2 worker nodes
+ single_node: true
+
+ # users: Add as many users as you wish
+ # Configuration example
+ # - name:
+ # ssh_keys:
+ # -
+ # -
+ # state: present
+ # role: admin
+ # Allowed roles:
+ # - operator: grant read only access to OS and full access to kubernetes cluster
+ # - admin: grant full access to OS and kubernetes cluster
+ # Allowed states:
+ # - present: user is allowed to login
+ # - absent: user account is disabled
+ users: []
+
+ children:
+ master:
+ hosts:
+ # Replace master with value returned by command: hostname
+ master:
+ # Keep values (ansible_host, ansible_connection) as is
+ # Ansible is executed on master node
+ ansible_host: localhost
+ ansible_connection: local
+ labels:
+ # traefik-role label is used to identify where to deploy traefik
+ traefik-role: ingress
+
+
+
+
diff --git a/infrastructure/server-setup/inventory/production.yml b/infrastructure/server-setup/inventory/production.yml
new file mode 100644
index 00000000..724fd5c9
--- /dev/null
+++ b/infrastructure/server-setup/inventory/production.yml
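Review bot: The comment `put private IP address at kube_api_address` names a key that does not exist in the file; the value actually set below it is `kube_api_host`, so the line should read `# IMPORTANT: If master VM has multiple ethernet interfaces, put private IP address at kube_api_host` (and `recommeded` two lines above should be `recommended`). The same comment block is repeated verbatim in the production, qa, staging and swarm-to-k8s inventory hunks that follow, so the fix applies to all five. All five also set `kube_api_host` to a public address while the comments explicitly steer toward a private one for exposed servers; if this value is what the API server advertises or binds, the inventory should state that the API port is expected to be reachable only through a firewall or VPN, and where the play accepts it the private interface address is the safer value.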
@@ -0,0 +1,56 @@
+all:
+ vars:
+
+ # Domain/IP address for remote access to your cluster API
+ # Domain/IP address will be added as main endpoint to your ~/.kube/config
+ # - If you are behind VPN, use private IP address
+ # - If your server is exposed (not recommeded), use public IP address
+ # - If you would like to run kubectl commands from the remote server, leave this field empty
+ # kube_api_endpoint: ''
+
+ # IMPORTANT: If master VM has multiple ethernet interfaces, put private IP address at kube_api_address
+ # kube_api_host: 10.10.10.10
+ kube_api_host: 188.245.160.165
+
+ # Default ansible provision user, keep as is
+ ansible_user: provision
+ # single_node:
+ # For development/qa/testing/staging keep true
+ # For production keep false
+ # Defaults production configuration:
+ # - master node
+ # - 2 worker nodes
+ single_node: false
+
+ # users: Add as many users as you wish
+ # Configuration example
+ # - name:
+ # ssh_keys:
+ # -
+ # -
+ # state: present
+ # role: admin
+ # Allowed roles:
+ # - operator: grant read only access to OS and full access to kubernetes cluster
+ # - admin: grant full access to OS and kubernetes cluster
+ # Allowed states:
+ # - present: user is allowed to login
+ # - absent: user account is disabled
+ users: []
+
+ children:
+ master:
+ hosts:
+ # Replace master with value returned by command: hostname
+ master:
+ # Keep values (ansible_host, ansible_connection) as is
+ # Ansible is executed on master node
+ ansible_host: localhost
+ ansible_connection: local
+ labels:
+ # traefik-role label is used to identify where to deploy traefik
+ traefik-role: ingress
+
+
+
+
diff --git a/infrastructure/server-setup/inventory/qa.yml b/infrastructure/server-setup/inventory/qa.yml
new file mode 100644
index 00000000..66f30020
--- /dev/null
+++ b/infrastructure/server-setup/inventory/qa.yml
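Review bot: `single_node: false` is set but the `children` block defines only `master`; the comment above says the production layout is a master plus two worker nodes, yet no worker group or hosts appear, so either workers are joined by some other mechanism (then a comment on `children` should say where) or the inventory is incomplete. The staging and swarm-to-k8s inventories in the next hunks have the same shape, and staging additionally contradicts its own comment `For development/qa/testing/staging keep true`. A `users: []` list also means no named operator or admin accounts are created, leaving only the `provision` user; if that is intended for the rehearsal environments it is worth saying so.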
@@ -0,0 +1,56 @@
+all:
+ vars:
+
+ # Domain/IP address for remote access to your cluster API
+ # Domain/IP address will be added as main endpoint to your ~/.kube/config
+ # - If you are behind VPN, use private IP address
+ # - If your server is exposed (not recommeded), use public IP address
+ # - If you would like to run kubectl commands from the remote server, leave this field empty
+ # kube_api_endpoint: ''
+
+ # IMPORTANT: If master VM has multiple ethernet interfaces, put private IP address at kube_api_address
+ # kube_api_host: 10.10.10.10
+ kube_api_host: 5.223.46.129
+
+ # Default ansible provision user, keep as is
+ ansible_user: provision
+ # single_node:
+ # For development/qa/testing/staging keep true
+ # For production keep false
+ # Defaults production configuration:
+ # - master node
+ # - 2 worker nodes
+ single_node: true
+
+ # users: Add as many users as you wish
+ # Configuration example
+ # - name:
+ # ssh_keys:
+ # -
+ # -
+ # state: present
+ # role: admin
+ # Allowed roles:
+ # - operator: grant read only access to OS and full access to kubernetes cluster
+ # - admin: grant full access to OS and kubernetes cluster
+ # Allowed states:
+ # - present: user is allowed to login
+ # - absent: user account is disabled
+ users: []
+
+ children:
+ master:
+ hosts:
+ # Replace master with value returned by command: hostname
+ master:
+ # Keep values (ansible_host, ansible_connection) as is
+ # Ansible is executed on master node
+ ansible_host: localhost
+ ansible_connection: local
+ labels:
+ # traefik-role label is used to identify where to deploy traefik
+ traefik-role: ingress
+
+
+
+
diff --git a/infrastructure/server-setup/inventory/staging.yml b/infrastructure/server-setup/inventory/staging.yml
new file mode 100644
index 00000000..19a214d1
--- /dev/null
+++ b/infrastructure/server-setup/inventory/staging.yml
@@ -0,0 +1,56 @@
+all:
+ vars:
+
+ # Domain/IP address for remote access to your cluster API
+ # Domain/IP address will be added as main endpoint to your ~/.kube/config
+ # - If you are behind VPN, use private IP address
+ # - If your server is exposed (not recommeded), use public IP address
+ # - If you would like to run kubectl commands from the remote server, leave this field empty
+ # kube_api_endpoint: ''
+
+ # IMPORTANT: If master VM has multiple ethernet interfaces, put private IP address at kube_api_address
+ # kube_api_host: 10.10.10.10
+ kube_api_host: 5.223.47.53
+
+ # Default ansible provision user, keep as is
+ ansible_user: provision
+ # single_node:
+ # For development/qa/testing/staging keep true
+ # For production keep false
+ # Defaults production configuration:
+ # - master node
+ # - 2 worker nodes
+ single_node: false
+
+ # users: Add as many users as you wish
+ # Configuration example
+ # - name:
+ # ssh_keys:
+ # -
+ # -
+ # state: present
+ # role: admin
+ # Allowed roles:
+ # - operator: grant read only access to OS and full access to kubernetes cluster
+ # - admin: grant full access to OS and kubernetes cluster
+ # Allowed states:
+ # - present: user is allowed to login
+ # - absent: user account is disabled
+ users: []
+
+ children:
+ master:
+ hosts:
+ # Replace master with value returned by command: hostname
+ master:
+ # Keep values (ansible_host, ansible_connection) as is
+ # Ansible is executed on master node
+ ansible_host: localhost
+ ansible_connection: local
+ labels:
+ # traefik-role label is used to identify where to deploy traefik
+ traefik-role: ingress
+
+
+
+
diff --git a/infrastructure/server-setup/inventory/swarm-to-k8s.yml b/infrastructure/server-setup/inventory/swarm-to-k8s.yml
new file mode 100644
index 00000000..373e95c3
--- /dev/null
+++ b/infrastructure/server-setup/inventory/swarm-to-k8s.yml
@@ -0,0 +1,56 @@
+all:
+ vars:
+
+ # Domain/IP address for remote access to your cluster API
+ # Domain/IP address will be added as main endpoint to your ~/.kube/config
+ # - If you are behind VPN, use private IP address
+ # - If your server is exposed (not recommeded), use public IP address
+ # - If you would like to run kubectl commands from the remote server, leave this field empty
+ # kube_api_endpoint: ''
+
+ # IMPORTANT: If master VM has multiple ethernet interfaces, put private IP address at kube_api_address
+ # kube_api_host: 10.10.10.10
+ kube_api_host: 46.224.251.95
+
+ # Default ansible provision user, keep as is
+ ansible_user: provision
+ # single_node:
+ # For development/qa/testing/staging keep true
+ # For production keep false
+ # Defaults production configuration:
+ # - master node
+ # - 2 worker nodes
+ single_node: false
+
+ # users: Add as many users as you wish
+ # Configuration example
+ # - name:
+ # ssh_keys:
+ # -
+ # -
+ # state: present
+ # role: admin
+ # Allowed roles:
+ # - operator: grant read only access to OS and full access to kubernetes cluster
+ # - admin: grant full access to OS and kubernetes cluster
+ # Allowed states:
+ # - present: user is allowed to login
+ # - absent: user account is disabled
+ users: []
+
+ children:
+ master:
+ hosts:
+ # Replace master with value returned by command: hostname
+ master:
+ # Keep values (ansible_host, ansible_connection) as is
+ # Ansible is executed on master node
+ ansible_host: localhost
+ ansible_connection: local
+ labels:
+ # traefik-role label is used to identify where to deploy traefik
+ traefik-role: ingress
+
+
+
+