Initial checkin for OID on kubernetes (#80)

Author: pratdash-orcl

CODEOWNERS

@@ -4,6 +4,7 @@
 *                           @rdas0405
 /OracleAccessManagement/    @pratdash-orcl
 /OracleIdentityGovernance/  @rishiagarwal-oracle
+/OracleInternetDirectory/   @pratdash-orcl @kuldeepbshah
 /OracleSOASuite/            @sbattagi
 /OracleUnifiedDirectory/    @kuldeepbshah @surya902 @pratdash-orcl
 /OracleUnifiedDirectorySM/  @kuldeepbshah @surya902 @pratdash-orcl

OracleInternetDirectory/kubernetes/README.md

@@ -0,0 +1,24 @@
+## Oracle Internet Directory (OID) on Kubernetes
+
+Oracle Internet Directory provides a comprehensive Directory Solution for robust Identity Management.
+Oracle Internet Directory is an all-in-one directory solution with storage, proxy, synchronization and virtualization capabilities. While unifying the approach, it provides all the services required for high-performance Enterprise and carrier-grade environments. Oracle Internet Directory ensures scalability to billions of entries, ease of installation, elastic deployments, enterprise manageability and effective monitoring.
+
+This project supports deployment of Oracle Internet Directory (OID) Docker images based on the 12cPS4 (12.2.1.4.0) release within a Kubernetes environment. The OID Docker Image refers to binaries for OID Release 12.2.1.4.0.
+
+This project has several key features to assist you with deploying and managing Oracle Internet Directory in a Kubernetes environment. You can:
+
+* Create Oracle Internet Directory instances in a Kubernetes persistent volume (PV). This PV can reside in an NFS file system or other Kubernetes volume types.
+* Start servers based on declarative startup parameters and desired states.
+* Expose the Oracle Internet Directory services for external access.
+* Scale Oracle Internet Directory by starting and stopping servers on demand.
+
+Follow the instructions in this guide to set up Oracle Internet Directory on Kubernetes.
+
+### Getting started
+
+For detailed information about deploying OID on Kubernetes refer to the [Oracle Internet Directory on Kubernetes](https://oracle.github.io/fmw-kubernetes/oid/) documentation.
+
+### Current release
+
+The current supported release of Oracle Internet Directory is OID 12c PS4 (12.2.1.4.0)
+

OracleInternetDirectory/kubernetes/helm/.helmignore

@@ -0,0 +1,30 @@
+#
+# Copyright (c) 2021, Oracle and/or its affiliates.
+#
+# Licensed under the Universal Permissive License v 1.0 as shown at 
+# https://oss.oracle.com/licenses/upl
+#
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+.#*

OracleInternetDirectory/kubernetes/helm/oid/Chart.yaml

@@ -0,0 +1,27 @@
+#
+# Copyright (c) 2021, Oracle and/or its affiliates.
+#
+# Licensed under the Universal Permissive License v 1.0 as shown at 
+# https://oss.oracle.com/licenses/upl
+#
+apiVersion: v2
+name: oid
+description: A Helm chart for deployment of OID instances on Kubernetes. This chart will deploy an OID instance as base with configured sample entries and multiple OID instances/pods/services based on the specified replicaCount.
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+version: 0.1
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application.
+appVersion: 12.2.1.4.0

OracleInternetDirectory/kubernetes/helm/oid/templates/_helpers.tpl

@@ -0,0 +1,81 @@
+#
+# Copyright (c) 2021, Oracle and/or its affiliates.
+#
+# Licensed under the Universal Permissive License v 1.0 as shown at 
+# https://oss.oracle.com/licenses/upl
+#
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "oid.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "oid.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "oid.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "oid.labels" -}}
+helm.sh/chart: {{ include "oid.chart" . }}
+{{ include "oid.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "oid.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "oid.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "oid.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "oid.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Generate Self-signed Certificates for oid
+Ref: sprig's crypto
+*/}}
+{{- define "oid.gen-selfsigned-certs" -}}
+{{- $altNames := list ( printf "%s.%s" (include "oid.name" .) .Release.Namespace ) ( printf "%s.%s.svc" (include "oid.name" .) .Release.Namespace ) -}}
+{{- $certCN := default ( include "oid.fullname" . ) (.Values.ingress.certCN) -}}
+{{- $cert := genSelfSignedCert $certCN nil $altNames (.Values.ingress.certValidityDays | int) -}}
+tls.crt: {{ $cert.Cert | b64enc }}
+tls.key: {{ $cert.Key | b64enc }}
+{{- end -}}

OracleInternetDirectory/kubernetes/helm/oid/templates/cluster-rolebinding.yaml

@@ -0,0 +1,21 @@
+#
+# Copyright (c) 2021, Oracle and/or its affiliates.
+#
+# Licensed under the Universal Permissive License v 1.0 as shown at 
+# https://oss.oracle.com/licenses/upl
+#
+{{- if .Values.serviceAccount.create -}}
+#
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "oid.fullname" . }}-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "oid.fullname" . }}-cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: {{ include "oid.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}

OracleInternetDirectory/kubernetes/helm/oid/templates/clusterrole.yaml

@@ -0,0 +1,17 @@
+#
+# Copyright (c) 2021, Oracle and/or its affiliates.
+#
+# Licensed under the Universal Permissive License v 1.0 as shown at 
+# https://oss.oracle.com/licenses/upl
+#
+{{- if .Values.serviceAccount.create -}}
+#
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "oid.fullname" . }}-cluster-admin
+rules:
+- apiGroups: ["rbac.authorization.k8s.io"]
+  resources: ["*"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+{{- end -}}

OracleInternetDirectory/kubernetes/helm/oid/templates/ingress-nginx.yaml

@@ -0,0 +1,49 @@
+#
+# Copyright (c) 2021, Oracle and/or its affiliates.
+#
+# Licensed under the Universal Permissive License v 1.0 as shown at 
+# https://oss.oracle.com/licenses/upl
+#
+{{- if and (.Values.ingress.enabled) (eq .Values.ingress.type "nginx") -}}
+{{- $fullName := include "oid.fullname" . -}}
+{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion }}
+apiVersion: networking.k8s.io/v1beta1
+{{- else }}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}-ingress-nginx
+  labels:
+    {{- include "oid.labels" . | nindent 4 }}
+  annotations:
+{{- if (.Values.ingress.tlsEnabled) }}
+  {{- with .Values.ingress.admin.nginxAnnotationsTLS }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- else }}
+  {{- with .Values.ingress.admin.nginxAnnotations }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+spec:
+  tls:
+{{- if (.Values.ingress.tlsSecret) }}
+  - secretName: {{ .Values.ingress.tlsSecret }}
+{{- else }}
+  - secretName: {{ include "oid.fullname" . }}-tls-cert
+{{- end }}
+    hosts:
+    - {{ include "oid.fullname" . }}
+  rules:
+  - http:
+      paths:
+      - path: /odsm
+        backend:
+          serviceName: {{ include "oid.fullname" . }}host1
+          servicePort: {{ .Values.ingress.http.backendPort }}
+      - path: /console
+        backend:
+          serviceName: {{ include "oid.fullname" . }}host1
+          servicePort: {{ .Values.ingress.http.backendPort }}
+{{- end }}

OracleInternetDirectory/kubernetes/helm/oid/templates/ingress-voyager.yaml

@@ -0,0 +1,109 @@
+#
+# Copyright (c) 2021, Oracle and/or its affiliates.
+#
+# Licensed under the Universal Permissive License v 1.0 as shown at 
+# https://oss.oracle.com/licenses/upl
+#
+{{- $root := . -}}
+{{- if and (.Values.ingress.enabled) (eq .Values.ingress.type "voyager") -}}
+{{- $fullName := include "oid.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+{{- $svcSslPort := .Values.service.sslPort -}}
+{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion }}
+# apiVersion: networking.k8s.io/v1beta1
+apiVersion: voyager.appscode.com/v1beta1
+{{- else }}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}-ingress-voyager
+  labels:
+    {{- include "oid.labels" . | nindent 4 }}
+  annotations:
+{{- if (.Values.ingress.tlsEnabled) }}
+  {{- with .Values.ingress.voyagerAnnotationsTLS }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- else }}
+  {{- with .Values.ingress.voyagerAnnotations }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+spec:
+  frontendRules:
+  - port: {{ .Values.ingress.voyagerHttpsPort }}
+    rules:
+    - http-request del-header WL-Proxy-Client-IP
+    - http-request del-header WL-Proxy-SSL
+    - http-request set-header WL-Proxy-SSL true
+  tls:
+{{- if (.Values.ingress.tlsSecret) }}
+  - secretName: {{ .Values.ingress.tlsSecret }}
+    hosts:
+    -  '*'
+{{- else }}
+  - secretName: {{ include "oid.fullname" . }}-tls-cert
+    hosts:
+    -  '*'
+{{- end }}
+  rules:
+  - host: '*'
+    http:
+      paths:
+      - path: /odsm
+        backend:
+          serviceName: {{ include "oid.fullname" . }}host1
+          servicePort: {{ .Values.ingress.http.backendPort }}
+      - path: /console
+        backend:
+          serviceName: {{ include "oid.fullname" . }}host1
+          servicePort: {{ .Values.ingress.http.backendPort }}
+  - host: '{{ include "oid.fullname" . }}*'
+    tcp:
+      port: {{ .Values.oidPorts.ldap }}
+      noTLS: true
+      backend:
+        serviceName: {{ include "oid.fullname" . }}-lbr-ldap
+        servicePort: {{ .Values.oidPorts.ldap }}
+  - host: '{{ include "oid.fullname" . }}*'
+    tcp:
+      port: {{ .Values.oidPorts.ldaps }}
+      backend:
+        serviceName: {{ include "oid.fullname" . }}-lbr-ldap
+        servicePort: {{ .Values.oidPorts.ldaps }}
+
+{{- $ldapPort := .Values.ingress.voyagerTcpPortPrefix.ldap }}
+{{- $ldapsPort := .Values.ingress.voyagerTcpPortPrefix.ldaps }}
+
+  - host: {{ include "oid.fullname" . }}host1
+    tcp:
+      port: {{ $ldapPort }}1
+      noTLS: true
+      backend:
+        serviceName: {{ include "oid.fullname" . }}host1
+        servicePort: ldap
+  - host: {{ include "oid.fullname" . }}host1
+    tcp:
+      port: {{ $ldapsPort }}1
+      backend:
+        serviceName: {{ include "oid.fullname" . }}host1
+        servicePort: ldaps
+
+{{- range $replicaIndex, $replicaN := until (.Values.replicaCount|int) }}
+{{- $replicaIndx := (add $replicaIndex 2) }}
+  - host: {{ include "oid.fullname" $root }}host{{ $replicaIndx }}
+    tcp:
+      port: {{ $ldapPort }}{{ $replicaIndx }}
+      noTLS: true
+      backend:
+        serviceName: {{ include "oid.fullname" $root }}host{{ $replicaIndx }}
+        servicePort: ldap
+  - host: {{ include "oid.fullname" $root }}host{{ $replicaIndx }}
+    tcp:
+      port: {{ $ldapsPort }}{{ $replicaIndx }}
+      backend:
+        serviceName: {{ include "oid.fullname" $root }}host{{ $replicaIndx }}
+        servicePort: ldaps
+{{- end }}
+{{- end }}