chore: add official helm chart (#621)

* feat: move main installation

https://github.com/GluuFederation/cloud-native-edition/tree/master

* ci: add iromli as a CODEOWNER

* docs:  fix paths

.github/CODEOWNERS

@@ -4,7 +4,7 @@
 # These owners will be the default owners for everything in this branch of
 # the repo. Unless a later match takes precedence
 
-/docker-jans-*/ @moabu
+/docker-jans-*/ @moabu @iromli
 /automation/ @moabu
 /charts/ @moabu
 /.github/ @moabu

.github/workflows/microk8s_couchbase.yml

@@ -5,13 +5,13 @@ on:
       - master
       - main
     paths:
-      - "charts/**"
+      - "helm/**"
   pull_request:
     branches:
       - master
       - main
     paths:
-      - "charts/**"
+      - "helm/**"
   workflow_dispatch:
 jobs:
   build:

.github/workflows/microk8s_mysql.yml

@@ -5,13 +5,13 @@ on:
       - master
       - main
     paths:
-      - "charts/**"
+      - "helm/**"
   pull_request:
     branches:
       - master
       - main
     paths:
-      - "charts/**"
+      - "helm/**"
   workflow_dispatch:
 jobs:
   build:

.github/workflows/microk8s_opendj.yml

@@ -5,13 +5,13 @@ on:
       - master
       - main
     paths:
-      - "charts/**"
+      - "helm/**"
   pull_request:
     branches:
       - master
       - main
     paths:
-      - "charts/**"
+      - "helm/**"
   workflow_dispatch:
 jobs:
   build:

.github/workflows/release.yaml

@@ -35,7 +35,7 @@ jobs:
         git config user.email "54212639+mo-auto@users.noreply.github.com"
         git config --global user.signingkey "${{ steps.import_gpg.outputs.keyid }}"
 
-    - uses: google-github-actions/release-please-action@v3
+    - uses: google-github-actions/release-please-action@v3.0.1
       id: release-please
       with:
          path: ${{ matrix.docker-images }}
@@ -48,7 +48,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-projects: ["jans-pycloudlib"]
+        python-projects: ["jans-pycloudlib", "jans-cli"]
     steps:
     - name: Checkout
       uses: actions/checkout@v2
@@ -70,7 +70,7 @@ jobs:
         git config user.email "54212639+mo-auto@users.noreply.github.com"
         git config --global user.signingkey "${{ steps.import_gpg.outputs.keyid }}"
 
-    - uses: google-github-actions/release-please-action@v3
+    - uses: google-github-actions/release-please-action@v3.0.1
       id: release-please
       with:
          path: ${{ matrix.python-projects }}

README.md

@@ -34,15 +34,17 @@ Start a fresh ubuntu `18.04` or `20.04` and execute the following
 
 ```bash
 sudo su -
-wget https://raw.githubusercontent.com/JanssenProject/jans-cloud-native/master/automation/startdemo.sh && chmod u+x startdemo.sh && ./startdemo.sh
+wget https://raw.githubusercontent.com/JanssenProject/jans/master/automation/startopenbankingdemo.sh && chmod u+x startopenbankingdemo.sh && ./startopenbankingdemo.sh
 ```
 
-This will install docker, microk8s, helm and Janssen with the default settings the can be found inside [values.yaml](charts/jans/values.yaml). Please map the `ip` of the instance running ubuntu to `demoexample.jans.io` and then access the endpoints at your browser such in the example in the table below.
+This will install docker, microk8s, helm and Janssen with the default settings the can be found inside [values.yaml](helm/pygluu/kubernetes/templates/gluu/values.yaml). Please map the `ip` of the instance running ubuntu to `demoexample.jans.io` and then access the endpoints at your browser such in the example in the table below.
 
 | Service     | Example endpoint                                               |
 | ----------- | -------------------------------------------------------------- |
 | Auth server | `https://demoexample.jans.io/.well-known/openid-configuration` |
 | fido2       | `https://demoexample.jans.io/.well-known/fido2-configuration`  |
 | scim        | `https://demoexample.jans.io/.well-known/scim-configuration`   |
 
-For more information follow [here](charts/jans/README.md).
+For more information follow [here](helm/README.md).
+
+Helm charts are located 

_config.yml

@@ -7,7 +7,7 @@ buttons:
     href: /jans-cloud-native
   - b1:
     text: Helm Chart
-    href: /jans-cloud-native/charts/jans
+    href: /jans-cloud-native/helm/pygluu/kubernetes/helm
   - b2:
     text: Debugging Interception scripts
     href: /jans-cloud-native/docs/interception-script-debug

automation/startopenabankingdemo.sh

@@ -0,0 +1,97 @@
+#!/bin/bash
+set -e
+sudo apt-get update
+sudo apt-get install python3-pip -y
+sudo pip3 install pip --upgrade
+sudo pip3 install setuptools --upgrade
+sudo pip3 install pyOpenSSL --upgrade
+sudo apt-get update
+sudo apt-get install build-essential unzip -y
+sudo pip3 install requests --upgrade
+sudo pip3 install shiv
+sudo snap install microk8s --classic
+sudo microk8s.status --wait-ready
+sudo microk8s.enable dns registry ingress
+sudo microk8s kubectl get daemonset.apps/nginx-ingress-microk8s-controller -n ingress -o yaml | sed -s "s@ingress-class=public@ingress-class=nginx@g" | microk8s kubectl apply -f -
+sudo apt-get update
+sudo apt-get install apt-transport-https ca-certificates curl gnupg-agent software-properties-common -y
+curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
+sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
+sudo apt-get update
+sudo apt-get install net-tools
+curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
+chmod 700 get_helm.sh
+./get_helm.sh
+sudo apt-get install docker-ce docker-ce-cli containerd.io -y
+sudo microk8s config > config
+KUBECONFIG="$PWD"/config
+sudo microk8s.kubectl create namespace gluu --kubeconfig="$KUBECONFIG" || echo "namespace exists"
+sudo helm repo add bitnami https://charts.bitnami.com/bitnami
+sudo microk8s.kubectl get po --kubeconfig="$KUBECONFIG"
+sudo helm install my-release --set auth.rootPassword=Test1234#,auth.database=jans bitnami/mysql -n gluu --kubeconfig="$KUBECONFIG"
+EXT_IP=$(dig +short myip.opendns.com @resolver1.opendns.com)
+sudo echo "$EXT_IP demoexample.gluu.org" >> /etc/hosts
+cat << EOF > override.yaml
+config:
+  configmap:
+    cnSqlDbHost: my-release-mysql.gluu.svc
+    cnSqlDbUser: root
+nginx-ingress:
+  ingress:
+    #/jans-auth/restv1/token
+    authServerProtectedToken: true
+    #/jans-auth/restv1/register
+    authServerProtectedRegister: true
+      # in the format of {cert-manager.io/cluster-issuer: nameOfClusterIssuer, kubernetes.io/tls-acme: "true"}
+    additionalAnnotations:
+      # Enable client certificate authentication
+      nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional"
+      # Create the secret containing the trusted ca certificates
+      nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/ca-secret"
+      # Specify the verification depth in the client certificates chain
+      nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
+      # Specify if certificates are passed to upstream server
+      nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
+global:
+  isFqdnRegistered: false
+  lbIp: $EXT_IP
+EOF
+sudo helm repo add gluu https://gluufederation.github.io/cloud-native-edition/pygluu/kubernetes/templates/helm
+sudo helm repo update
+sudo helm install gluu gluu/gluu -n gluu --version=5.0.2 -f override.yaml --kubeconfig="$KUBECONFIG"
+echo "Waiting for auth-server to come up....Please do not cancel out...This will wait for the auth-server to be ready.."
+sleep 120
+cat << EOF > testendpoints.sh
+# get certs and keys. This will also generate the client crt and key to be used to access protected endpoints
+mkdir quicktestcerts || echo "directory exists"
+cd quicktestcerts
+sudo microk8s config > config
+KUBECONFIG="$PWD"/config
+rm ca.crt ca.key server.crt server.key client.csr client.crt client.key
+sudo microk8s.kubectl delete secret generic ca-secret -n gluu --kubeconfig="$KUBECONFIG" || echo "secret ca-secret does not exist and will be created."
+sudo microk8s.kubectl get secret cn -o json -n gluu --kubeconfig="$KUBECONFIG" | grep '"ssl_ca_cert":' | sed -e 's#.*:\(\)#\1#' | tr -d '"' | tr -d "," | tr -d '[:space:]' | base64 -d > ca.crt
+sudo microk8s.kubectl get secret cn -o json -n gluu --kubeconfig="$KUBECONFIG" | grep '"ssl_ca_key":' | sed -e 's#.*:\(\)#\1#' | tr -d '"' | tr -d "," | tr -d '[:space:]' | base64 -d > ca.key
+sudo microk8s.kubectl get secret cn -o json -n gluu --kubeconfig="$KUBECONFIG" | grep '"ssl_cert":' | sed -e 's#.*:\(\)#\1#' | tr -d '"' | tr -d "," | tr -d '[:space:]' | base64 -d > server.crt
+sudo microk8s.kubectl get secret cn -o json -n gluu --kubeconfig="$KUBECONFIG" | grep '"ssl_key":' | sed -e 's#.*:\(\)#\1#' | tr -d '"' | tr -d "," | tr -d '[:space:]' | base64 -d > server.key
+openssl req -new -newkey rsa:4096 -keyout client.key -out client.csr -nodes -subj '/CN=Openbanking'
+openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
+sudo microk8s.kubectl create secret generic ca-secret -n gluu --from-file=tls.crt=server.crt --from-file=tls.key=server.key --from-file=ca.crt=ca.crt
+echo -e "Starting simple test to endpoints. \n"
+sleep 10
+echo -e "Testing openid-configuration endpoint.. \n"
+curl -k https://demoexample.gluu.org/.well-known/openid-configuration
+TESTCLIENT=$(microk8s.kubectl get cm cn -o json -n gluu --kubeconfig="$KUBECONFIG" | grep '"jca_client_id":' | sed -e 's#.*:\(\)#\1#' | tr -d '"' | tr -d "," | tr -d '[:space:]')
+TESTCLIENTSECRET=$(microk8s.kubectl get secret cn -o json -n gluu --kubeconfig="$KUBECONFIG" | grep '"jca_client_pw":' | sed -e 's#.*:\(\)#\1#' | tr -d '"' | tr -d "," | tr -d '[:space:]' | base64 -d)
+echo -e "Testing protected endpoint /token without client crt and key. This should show a 403, showing mTLS works \n"
+curl -X POST -k -u $TESTCLIENT:$TESTCLIENTSECRET https://demoexample.gluu.org/jans-auth/restv1/token -d grant_type=client_credentials
+echo -e "Testing protected endpoint /token with client crt and key. This should recieve a token, showing mTLS works \n"
+curl -X POST -k --cert client.crt --key client.key -u $TESTCLIENT:$TESTCLIENTSECRET https://demoexample.gluu.org/jans-auth/restv1/token -d grant_type=client_credentials
+echo -e "Testing protected endpoint /register without client crt and key. This should show a 403, showing mTLS works \n"
+curl -X POST -k -u $TESTCLIENT:$TESTCLIENTSECRET https://demoexample.gluu.org/jans-auth/restv1/register
+echo -e "Testing protected endpoint /register with client crt and key. This should still recieve an error but from the AS showing mTLS works \n"
+curl -X POST -k --cert client.crt --key client.key -u $TESTCLIENT:$TESTCLIENTSECRET https://demoexample.gluu.org/jans-auth/restv1/register
+cd ..
+EOF
+sudo microk8s.kubectl -n gluu wait --for=condition=available --timeout=600s deploy/gluu-auth-server --kubeconfig="$KUBECONFIG"
+sudo bash testendpoints.sh
+echo -e "You may re-execute bash testendpoints.sh to do a quick test to protected endpoints and openid-configuration endpoint."