From 3f5c0fa146e4aa49ec2e4a1212ae0dceb73f726e Mon Sep 17 00:00:00 2001 From: Kara Date: Tue, 12 Aug 2025 12:20:07 +0100 Subject: [PATCH 01/20] Init mtls-staging --- .github/workflows/python-app.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/python-app.yml b/.github/workflows/python-app.yml index 29fbd06..a21bec7 100644 --- a/.github/workflows/python-app.yml +++ b/.github/workflows/python-app.yml @@ -2,9 +2,9 @@ name: Pylint and Pytest on: push: - branches: [ "main" ] + branches: [ "main", "mtls-staging" ] pull_request: - branches: [ "main" ] + branches: [ "main", "mtls-staging" ] permissions: contents: read From 233b1c56326d7aa622de23530b694250c5142af8 Mon Sep 17 00:00:00 2001 From: erjxsrn Date: Wed, 20 Aug 2025 12:14:25 +0100 Subject: [PATCH 02/20] SEF Implementation changeswq --- Dockerfile => Dockerfile.app | 6 +- Dockerfile.envoy | 13 +++ README.md | 11 ++- .../eric-product-info.yaml | 7 ++ .../templates/configmap/envoy-configmap.yaml | 91 ++++++++++++++++++ .../templates/deployment/deployment.yaml | 96 +++++++++++++++++++ .../templates/ingress/ingress.yaml | 43 --------- .../templates/service/service.yaml | 10 +- .../values.yaml | 19 +++- docker-compose.yaml | 27 ++++++ 10 files changed, 271 insertions(+), 52 deletions(-) rename Dockerfile => Dockerfile.app (70%) create mode 100644 Dockerfile.envoy create mode 100644 charts/eric-oss-hello-world-python-app/templates/configmap/envoy-configmap.yaml delete mode 100644 charts/eric-oss-hello-world-python-app/templates/ingress/ingress.yaml create mode 100644 docker-compose.yaml diff --git a/Dockerfile b/Dockerfile.app similarity index 70% rename from Dockerfile rename to Dockerfile.app index 6dca988..b5523ed 100644 --- a/Dockerfile +++ b/Dockerfile.app 
@@ -8,10 +8,10 @@ LABEL \ WORKDIR /code -COPY ./eric-oss-hello-world-python-app ./eric-oss-hello-world-python-app +COPY ./hello-world-pysa ./hello-world-pysa COPY requirements.txt . -RUN chmod +x ./eric-oss-hello-world-python-app/main.py +RUN chmod +x ./hello-world-pysa/main.py RUN pip install --upgrade pip @@ -22,4 +22,4 @@ RUN echo "$USER_ID:!::0:::::" >>/etc/shadow USER $USER_ID -CMD ["./eric-oss-hello-world-python-app/main.py"] \ No newline at end of file +CMD ["./hello-world-pysa/main.py"] \ No newline at end of file diff --git a/Dockerfile.envoy b/Dockerfile.envoy new file mode 100644 index 0000000..6795947 --- /dev/null +++ b/Dockerfile.envoy @@ -0,0 +1,13 @@ +FROM envoyproxy/envoy:v1.35.0 + +USER root + +RUN mkdir -p /etc/envoy + +RUN groupmod -g 1000 envoy && usermod -u 1000 -g 1000 envoy + +USER 1000 + +EXPOSE 8080 8443 + +CMD ["envoy", "-c", "/etc/envoy/envoy.yaml", "--log-level", "info"] diff --git a/README.md b/README.md index 4ffd17f..53ab215 100644 --- a/README.md +++ b/README.md @@ -48,7 +48,10 @@ Refer to: [Python on Dockerâ„¢ Hub](https://hub.docker.com/_/python) Run the following command to build the image. ```bash -docker build . -t proj-eric-oss-drop/eric-oss-hello-world-python-app: --build-arg APP_VERSION= +APP_VERSION= \ +APP_IMAGE=proj-eric-oss-drop/eric-oss-hello-world-python-app: \ +ENVOY_IMAGE=proj-eric-oss-drop/eric-oss-hello-world-python-app-envoy: \ +docker compose build --no-cache ``` ## Run Docker Image @@ -57,6 +60,7 @@ A port binding on port 8050 is done to expose the endpoints. ```bash docker run -p 8050:8050 --rm --name python-sample-app proj-eric-oss-drop/eric-oss-hello-world-python-app: +docker run -d --name envoy --link python-sample-app -p 8080:8080 -p 8443:8443 proj-eric-oss-drop/eric-oss-hello-world-python-app-envoy: ``` Run a curl request to the /sample-app/python/hello endpoint of the app. 
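Review bot: The base image in `Dockerfile.envoy` is referenced by tag only, so a rebuild can pull different content under the same `v1.35.0` name for the component that terminates mTLS. Pinning the digest next to the tag keeps the build reproducible: `FROM envoyproxy/envoy:v1.35.0@sha256:<digest-placeholder>`. The image also creates `/etc/envoy` but never copies a configuration into it, so the `CMD` relies on a mount to supply `/etc/envoy/envoy.yaml`. A one-line comment above the `CMD` saying where that file comes from would make the dependency explicit.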
@@ -122,7 +126,10 @@ Generate an archive of the Docker image and store it temporarily in the `csar-ou directory. ```bash -docker save proj-eric-oss-drop/eric-oss-hello-world-python-app: -o csar-output/docker.tar +docker save \ + proj-eric-oss-drop/eric-oss-hello-world-python-app: \ + proj-eric-oss-drop/eric-oss-hello-world-python-app-envoy: \ + -o ./csar-output/docker.tar ``` Run the following command locally to create a CSAR App package using the diff --git a/charts/eric-oss-hello-world-python-app/eric-product-info.yaml b/charts/eric-oss-hello-world-python-app/eric-product-info.yaml index ecd4eb7..4e13db1 100644 --- a/charts/eric-oss-hello-world-python-app/eric-product-info.yaml +++ b/charts/eric-oss-hello-world-python-app/eric-product-info.yaml @@ -8,3 +8,10 @@ images: repoPath: "REPO_PATH" name: "eric-oss-hello-world-python-app" tag: "VERSION" + eric-oss-hello-world-python-app-envoy: + productName: "Envoy for hello world sample app" + productNumber: "" + registry: "armdocker.rnd.ericsson.se" + repoPath: "REPO_PATH" + name: "eric-oss-hello-world-python-app-envoy" + tag: "VERSION" diff --git a/charts/eric-oss-hello-world-python-app/templates/configmap/envoy-configmap.yaml b/charts/eric-oss-hello-world-python-app/templates/configmap/envoy-configmap.yaml new file mode 100644 index 0000000..757d2c6 --- /dev/null +++ b/charts/eric-oss-hello-world-python-app/templates/configmap/envoy-configmap.yaml 
@@ -0,0 +1,91 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "eric-oss-hello-world-python-app.name" . }}-envoy-template +data: + ENVOY_CONFIG_FILE: |- + static_resources: + listeners: + # TLS listener for mTLS endpoint + - name: listener_https + address: + socket_address: + address: 0.0.0.0 + port_value: 8443 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: ingress_http_secure + route_config: + virtual_hosts: + - name: secure_service + domains: ["*"] + routes: + - match: + path: "/sample-app/python/hello" + route: + cluster: eric-oss-hello-world-python-app-cluster + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + transport_socket: + name: envoy.transport_sockets.tls + typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext + require_client_certificate: true + common_tls_context: + tls_certificates: + - certificate_chain: + filename: {{ printf "%s/%s" (default $.Values.instantiationDefaults.envoyAppCertMountPath $.Values.envoyAppCertMountPath) (default $.Values.instantiationDefaults.envoyAppCertFileName $.Values.envoyAppCertFileName) | quote }} + private_key: + filename: {{ printf "%s/%s" (default $.Values.instantiationDefaults.envoyAppCertMountPath $.Values.envoyAppCertMountPath) (default $.Values.instantiationDefaults.envoyAppKeyFileName $.Values.envoyAppKeyFileName) | quote }} + validation_context: + trusted_ca: + filename: {{ printf "%s/%s" (default $.Values.instantiationDefaults.envoyPlatformCaCertMountPath $.Values.envoyPlatformCaCertMountPath) (default $.Values.instantiationDefaults.envoyPlatformCaCertFileName $.Values.envoyPlatformCaCertFileName) | quote }} + + # Plain HTTP listener for other endpoints + - 
name: listener_http + address: + socket_address: + address: 0.0.0.0 + port_value: 8080 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: ingress_http_plain + route_config: + virtual_hosts: + - name: plain_service + domains: ["*"] + routes: + - match: + path: "/sample-app/python/health" + route: + cluster: eric-oss-hello-world-python-app-cluster + - match: + path: "/sample-app/python/metrics" + route: + cluster: eric-oss-hello-world-python-app-cluster + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + + clusters: + - name: eric-oss-hello-world-python-app-cluster + type: STATIC + load_assignment: + cluster_name: eric-oss-hello-world-python-app-service + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: 127.0.0.1 + port_value: 8050 diff --git a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml index 4aaea3c..54aadbb 100644 --- a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml +++ b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml @@ -55,6 +55,14 @@ spec: items: - key: LOG_CTRL_FILE path: logcontrol.json + - name: envoy-config + configMap: + name: {{ include "eric-oss-hello-world-python-app.name" . }}-envoy-template + items: + - key: ENVOY_CONFIG_FILE + path: envoy.yaml + - name: envoy-config-dir + emptyDir: {} - name: platform-cacerts secret: secretName: {{ index .Values "platformCaCertSecretName" | quote }} 
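Review bot: The `validation_context` of `listener_https` sets only `trusted_ca`, so with `require_client_certificate: true` every certificate that chains to that CA is accepted on `/sample-app/python/hello`, regardless of the identity it carries. If the platform CA issues certificates to more than the intended caller (not visible from this chart), add a `match_typed_subject_alt_names` matcher for the expected client, so the listener authenticates a specific peer and not just the issuer. A comment above `validation_context` naming the CA and the expected client identity would also help the next reader.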
@@ -67,6 +75,14 @@ spec: secret: secretName: {{ include "eric-oss-hello-world-python-app.clientSecret" . | quote }} defaultMode: 420 + - name: envoy-platform-cacerts + secret: + secretName: {{ index .Values "envoyPlatformCaCertSecretName" | quote }} + defaultMode: 420 + - name: envoy-app-certs + secret: + secretName: {{ index .Values "envoyAppSecretName" | quote }} + defaultMode: 420 containers: - name: eric-oss-hello-world-python-app image: {{ template "eric-oss-hello-world-python-app.imagePath" (dict "imageId" "eric-oss-hello-world-python-app" "values" .Values "files" .Files) }} 
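Review bot: `envoy-app-certs` is projected with `defaultMode: 420` (0644), which leaves the proxy's TLS private key readable by every UID in any container that mounts the volume. The neighbouring secret volumes in the context lines use the same mode, so this follows the file's convention, but for key material a tighter mode such as `defaultMode: 288` (0440) together with a pod-level `fsGroup` matching the Envoy user would limit reads to that group. The CA bundle in `envoy-platform-cacerts` is public data and can stay as it is. The `volumes:` list and the pod spec start outside this hunk, so whether a pod-level `fsGroup` is already set cannot be seen here.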
@@ -182,6 +198,86 @@ spec: {{- end }} resources: {{- toYaml .Values.resources.helloWorld | nindent 12 }} + - name: envoy + image: {{ template "eric-oss-hello-world-python-app.imagePath" (dict "imageId" "eric-oss-hello-world-python-app-envoy" "values" .Values "files" .Files) }} + imagePullPolicy: {{ include "eric-oss-hello-world-python-app.registryImagePullPolicy" . | quote }} + securityContext: + {{- if semverCompare ">=1.30.0" .Capabilities.KubeVersion.GitVersion }} + appArmorProfile: + type: {{ include "eric-oss-hello-world-python-app.appArmorProfile.type" . | default "RuntimeDefault" }} + {{- end }} + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - all + {{- include "eric-oss-hello-world-python-app.seccomp-profile" . | indent 12 }} + command: ["/bin/sh", "-c"] + args: + - | + echo "==== Dumping envoy config ====" + cat /etc/envoy/envoy.yaml + echo "==== Starting Envoy ====" + exec envoy -c /etc/envoy/envoy.yaml --log-level info --base-id 1 + ports: + - name: envoy-http + containerPort: 8080 + protocol: TCP + - name: envoy-https + containerPort: 8443 + protocol: TCP + livenessProbe: + tcpSocket: + port: 8443 + {{- if (index .Values "probes" "envoy" "livenessProbe" "initialDelaySeconds") }} + {{ print "initialDelaySeconds: " (index .Values "probes" "envoy" "livenessProbe" "initialDelaySeconds") }} + {{- end }} + {{- if (index .Values "probes" "envoy" "livenessProbe" "failureThreshold") }} + {{ print "failureThreshold: " (index .Values "probes" "envoy" "livenessProbe" "failureThreshold") }} + {{- end }} + {{- if (index .Values "probes" "envoy" "livenessProbe" "periodSeconds") }} + {{ print "periodSeconds: " (index .Values "probes" "envoy" "livenessProbe" "periodSeconds") }} + {{- end }} + {{- if (index .Values "probes" "envoy" "livenessProbe" "timeoutSeconds") }} + {{ print "timeoutSeconds: " (index .Values "probes" "envoy" 
"livenessProbe" "timeoutSeconds") }} + {{- end }} + readinessProbe: + tcpSocket: + port: 8443 + {{- if (index .Values "probes" "envoy" "readinessProbe" "initialDelaySeconds") }} + {{ print "initialDelaySeconds: " (index .Values "probes" "envoy" "readinessProbe" "initialDelaySeconds") }} + {{- end }} + {{- if (index .Values "probes" "envoy" "readinessProbe" "failureThreshold") }} + {{ print "failureThreshold: " (index .Values "probes" "envoy" "readinessProbe" "failureThreshold") }} + {{- end }} + {{- if (index .Values "probes" "envoy" "readinessProbe" "periodSeconds") }} + {{ print "periodSeconds: " (index .Values "probes" "envoy" "readinessProbe" "periodSeconds") }} + {{- end }} + {{- if (index .Values "probes" "envoy" "readinessProbe" "timeoutSeconds") }} + {{ print "timeoutSeconds: " (index .Values "probes" "envoy" "readinessProbe" "timeoutSeconds") }} + {{- end }} + env: + - name: ENVOY_APP_CERT_FULL_PATH + value: {{ printf "%s/%s" (default .Values.instantiationDefaults.envoyAppCertMountPath .Values.envoyAppCertMountPath) .Values.envoyAppCertFileName }} + - name: ENVOY_APP_KEY_FULL_PATH + value: {{ printf "%s/%s" (default .Values.instantiationDefaults.envoyAppCertMountPath .Values.envoyAppCertMountPath) .Values.envoyAppKeyFileName }} + - name: ENVOY_CA_CERT_FULL_PATH + value: {{ printf "%s/%s" (default .Values.instantiationDefaults.envoyPlatformCaCertMountPath .Values.envoyPlatformCaCertMountPath) .Values.envoyPlatformCaCertFileName }} + volumeMounts: + - name: envoy-config + mountPath: /etc/envoy + readOnly: true + - name: envoy-platform-cacerts + mountPath: {{ index .Values "envoyPlatformCaCertMountPath" | default .Values.instantiationDefaults.envoyPlatformCaCertMountPath | quote }} + readOnly: true + - name: envoy-app-certs + mountPath: {{ index .Values "envoyAppCertMountPath" | default .Values.instantiationDefaults.envoyAppCertMountPath | quote }} + readOnly: true {{- if include "eric-oss-hello-world-python-app.pullSecrets" . 
}} imagePullSecrets: - name: {{ template "eric-oss-hello-world-python-app.pullSecrets" . }} diff --git a/charts/eric-oss-hello-world-python-app/templates/ingress/ingress.yaml b/charts/eric-oss-hello-world-python-app/templates/ingress/ingress.yaml deleted file mode 100644 index ca297c9..0000000 --- a/charts/eric-oss-hello-world-python-app/templates/ingress/ingress.yaml +++ /dev/null @@ -1,43 +0,0 @@ -{{- if .Values.ingress.enabled -}} -{{- $fullName := include "eric-oss-hello-world-python-app.name" . -}} -{{- $servicePort := .Values.service.port -}} ---- -apiVersion: networking.k8s.io/v1beta1 -kind: Ingress -metadata: - name: {{ $fullName }} - labels: - {{- include "eric-oss-hello-world-python-app.labels" . | indent 4 }} - {{- if .Values.labels }} - {{ .Values.labels | toYaml | indent 4 }} - {{- end }} - {{- with .Values.ingress }} - annotations: - {{- include "eric-oss-hello-world-python-app.product-info" . | indent 4 }} - {{- if .annotations }} - {{ .annotations | toYaml | indent 4 }} - {{- end }} - {{- if .ingressClass }} - kubernetes.io/ingress.class: {{.ingressClass }} - {{- end -}} - {{- end }} -spec: -{{- if .Values.ingress.tls }} - tls: - {{- range .Values.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} -{{- end }} - rules: - - host: {{ .Values.ingress.host }} - http: - paths: - - path: / - backend: - serviceName: {{ $fullName }} - servicePort: {{ $servicePort }} -{{- end }} diff --git a/charts/eric-oss-hello-world-python-app/templates/service/service.yaml b/charts/eric-oss-hello-world-python-app/templates/service/service.yaml index d90cef5..0188b1c 100644 --- a/charts/eric-oss-hello-world-python-app/templates/service/service.yaml +++ b/charts/eric-oss-hello-world-python-app/templates/service/service.yaml 
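Review bot: `fsGroup: 1000` is set inside the envoy container's `securityContext`, but `fsGroup` exists only in the pod-level security context, so at this position it is either rejected by schema validation or dropped without effect. If group ownership of the mounted certificate volumes is wanted, move it to `spec.template.spec.securityContext`. In the same block `capabilities.drop` lists `all`; the Pod Security "restricted" profile expects the literal `ALL`, so `- ALL` is the safer spelling. The `containers:` list begins outside this hunk, so the pod-level security context is not visible here.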
@@ -15,10 +15,14 @@ spec: ipFamilies: [{{ .Values.global.internalIPFamily }}] {{- end }} ports: - - port: {{ .Values.service.port }} - targetPort: 8050 + - port: {{ .Values.service.httpport }} + targetPort: 8080 protocol: TCP - name: http + name: envoy-http + - port: {{ .Values.service.httpsport }} + targetPort: 8443 + protocol: TCP + name: envoy-https selector: app.kubernetes.io/name: {{ include "eric-oss-hello-world-python-app.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/charts/eric-oss-hello-world-python-app/values.yaml b/charts/eric-oss-hello-world-python-app/values.yaml index 2c4b392..0cf4cc7 100644 --- a/charts/eric-oss-hello-world-python-app/values.yaml +++ b/charts/eric-oss-hello-world-python-app/values.yaml @@ -43,7 +43,8 @@ seccompProfile: service: type: ClusterIP - port: 8050 + httpport: 8080 + httpsport: 8443 ingress: enabled: false @@ -116,6 +117,17 @@ probes: initialDelaySeconds: 60 periodSeconds: 10 timeoutSeconds: 10 + envoy: + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 60 + periodSeconds: 10 + timeoutSeconds: 10 + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 60 + periodSeconds: 10 + timeoutSeconds: 10 # Pod priority configuration for deployments podPriority: @@ -127,6 +139,11 @@ instantiationDefaults: platformCaCertMountPath: "/etc/tls-ca/platform/" appCertMountPath: "/etc/tls/log/" clientCredsMountPath: "/etc/client-creds/" + envoyPlatformCaCertMountPath: "/etc/certs/ca" + envoyAppCertMountPath: "/etc/certs/app" + #envoyPlatformCaCertFileName: "dummy1.crt" + #envoyAppCertFileName: "dummy2.crt" + #envoyAppKeyFileName: "dummy3.key" global: clientCredentials: diff --git a/docker-compose.yaml b/docker-compose.yaml new file mode 100644 index 0000000..6a35154 --- /dev/null +++ b/docker-compose.yaml 
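Review bot: The Service now publishes Envoy's plaintext listener (`envoy-http`, target 8080) next to the mTLS port, so the health and metrics routes are reachable through the ClusterIP by any workload in the cluster without a client certificate. If only the kubelet and a metrics scraper need them, consider leaving 8080 out of the Service or restricting it with a NetworkPolicy, and state the intent in a comment above the port. Removing `targetPort: 8050` from the Service also does not close the application port: if the app container still listens on all interfaces (not visible in this hunk), it remains reachable on the pod IP and bypasses the client-certificate check.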
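Review bot: In the `instantiationDefaults` hunk of `values.yaml` the three file-name defaults are added commented out (`#envoyAppCertFileName` and the two beside it), so the `default ... | quote` expressions in `envoy-configmap.yaml` have nothing to fall back on when the installer omits these values. The chart then still renders, with a certificate path that ends in a formatted nil value, and the failure only surfaces when Envoy cannot load the file. Either ship real defaults or make the values mandatory in the template, e.g. `(required "envoyAppCertFileName must be set" .Values.envoyAppCertFileName)`. The same gap remains after the rename to `proxy*` in PATCH 07, where the commented lines are removed altogether.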
@@ -0,0 +1,27 @@ +version: "3.9" + +services: + app: + build: + context: . + dockerfile: Dockerfile.app + args: + APP_VERSION: ${APP_VERSION} + image: ${APP_IMAGE} + container_name: eric-oss-hello-world-python-app + ports: + - "8050:8050" + restart: unless-stopped + + envoy: + build: + context: . + dockerfile: Dockerfile.envoy + image: ${ENVOY_IMAGE} + container_name: envoy + depends_on: + - app + ports: + - "8080:8080" + - "8443:8443" + restart: unless-stopped \ No newline at end of file From 6a54c447de835ee9125bcb769e7ae60f83ee2be4 Mon Sep 17 00:00:00 2001 From: erjxsrn Date: Wed, 20 Aug 2025 12:48:35 +0100 Subject: [PATCH 03/20] Update Dockerfile.app for SEF implementation --- Dockerfile.app | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/Dockerfile.app b/Dockerfile.app index b5523ed..84d3c44 100644 --- a/Dockerfile.app +++ b/Dockerfile.app @@ -8,10 +8,10 @@ LABEL \ WORKDIR /code -COPY ./hello-world-pysa ./hello-world-pysa +COPY ./eric-oss-hello-world-python-app ./eric-oss-hello-world-python-app COPY requirements.txt . -RUN chmod +x ./hello-world-pysa/main.py +RUN chmod +x ./eric-oss-hello-world-python-app/main.py RUN pip install --upgrade pip @@ -22,4 +22,6 @@ RUN echo "$USER_ID:!::0:::::" >>/etc/shadow USER $USER_ID -CMD ["./hello-world-pysa/main.py"] \ No newline at end of file +CMD ["./eric-oss-hello-world-python-app/main.py"] + + From 5e0ebcc704a4495cc65625f4360cc7c572d27625 Mon Sep 17 00:00:00 2001 From: erjxsrn Date: Wed, 20 Aug 2025 15:53:43 +0100 Subject: [PATCH 04/20] App name renamed to original name 'eric-oss-hello-world-python-app' This change will replace the app name to original namewq --- Dockerfile.app | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/Dockerfile.app b/Dockerfile.app index 84d3c44..6dca988 100644 --- a/Dockerfile.app +++ b/Dockerfile.app 
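Review bot: The `app` service in `docker-compose.yaml` publishes `"8050:8050"` on the host, so the application stays directly reachable and the client-certificate check on Envoy's 8443 listener is not enforced in this setup. If Envoy is meant to be the only entry point, drop the `ports` entry from `app` or bind it to loopback with `"127.0.0.1:8050:8050"`. The `envoy` service also mounts no configuration or certificates, while `Dockerfile.envoy` starts the proxy with `-c /etc/envoy/envoy.yaml`, so as written the container has no config file to load. A `volumes:` entry, or a comment explaining where the file is expected to come from, is missing.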
@@ -22,6 +22,4 @@ RUN echo "$USER_ID:!::0:::::" >>/etc/shadow USER $USER_ID -CMD ["./eric-oss-hello-world-python-app/main.py"] - - +CMD ["./eric-oss-hello-world-python-app/main.py"] \ No newline at end of file From f057ea6837fb7f44c9264f981dd7dd296ea135f9 Mon Sep 17 00:00:00 2001 From: erjxsrn Date: Wed, 20 Aug 2025 17:07:05 +0100 Subject: [PATCH 05/20] Review comments addressed Configmap name changed httpport -> http-port httpsport -> https-port e --- .../templates/configmap/envoy-configmap.yaml | 2 +- .../templates/service/service.yaml | 4 ++-- charts/eric-oss-hello-world-python-app/values.yaml | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/charts/eric-oss-hello-world-python-app/templates/configmap/envoy-configmap.yaml b/charts/eric-oss-hello-world-python-app/templates/configmap/envoy-configmap.yaml index 757d2c6..618297d 100644 --- a/charts/eric-oss-hello-world-python-app/templates/configmap/envoy-configmap.yaml +++ b/charts/eric-oss-hello-world-python-app/templates/configmap/envoy-configmap.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "eric-oss-hello-world-python-app.name" . }}-envoy-template + name: {{ include "eric-oss-hello-world-python-app.name" . }}-envoy-configmap data: ENVOY_CONFIG_FILE: |- static_resources: diff --git a/charts/eric-oss-hello-world-python-app/templates/service/service.yaml b/charts/eric-oss-hello-world-python-app/templates/service/service.yaml index 0188b1c..969f93a 100644 --- a/charts/eric-oss-hello-world-python-app/templates/service/service.yaml +++ b/charts/eric-oss-hello-world-python-app/templates/service/service.yaml @@ -15,11 +15,11 @@ spec: ipFamilies: [{{ .Values.global.internalIPFamily }}] {{- end }} ports: - - port: {{ .Values.service.httpport }} + - port: {{ .Values.service.http-port }} targetPort: 8080 protocol: TCP name: envoy-http - - port: {{ .Values.service.httpsport }} + - port: {{ .Values.service.https-port }} targetPort: 8443 protocol: TCP name: envoy-https 
diff --git a/charts/eric-oss-hello-world-python-app/values.yaml b/charts/eric-oss-hello-world-python-app/values.yaml index 0cf4cc7..425d452 100644 --- a/charts/eric-oss-hello-world-python-app/values.yaml +++ b/charts/eric-oss-hello-world-python-app/values.yaml @@ -43,8 +43,8 @@ seccompProfile: service: type: ClusterIP - httpport: 8080 - httpsport: 8443 + http-port: 8080 + https-port: 8443 ingress: enabled: false From a76e1fdd4c5fe03b59e45da78b643e8552d7ae7c Mon Sep 17 00:00:00 2001 From: erjxsrn Date: Thu, 21 Aug 2025 14:28:08 +0100 Subject: [PATCH 06/20] Review comments addressedwq --- .../templates/deployment/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml index 54aadbb..01731eb 100644 --- a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml +++ b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml @@ -57,7 +57,7 @@ spec: path: logcontrol.json - name: envoy-config configMap: - name: {{ include "eric-oss-hello-world-python-app.name" . }}-envoy-template + name: {{ include "eric-oss-hello-world-python-app.name" . }}-envoy-configmap items: - key: ENVOY_CONFIG_FILE path: envoy.yaml From 8ab7948300924cdbfacfe452013551c260ad7115 Mon Sep 17 00:00:00 2001 From: erjxsrn Date: Fri, 22 Aug 2025 23:50:38 +0100 Subject: [PATCH 07/20] New review comments and improvements --- .../templates/configmap/envoy-configmap.yaml | 6 +- .../templates/deployment/deployment.yaml | 57 ++++++++----------- .../templates/service/service.yaml | 14 ++--- .../values.yaml | 21 +------ 4 files changed, 37 insertions(+), 61 deletions(-) diff --git a/charts/eric-oss-hello-world-python-app/templates/configmap/envoy-configmap.yaml b/charts/eric-oss-hello-world-python-app/templates/configmap/envoy-configmap.yaml index 618297d..e4c094c 100644 
--- a/charts/eric-oss-hello-world-python-app/templates/configmap/envoy-configmap.yaml +++ b/charts/eric-oss-hello-world-python-app/templates/configmap/envoy-configmap.yaml @@ -40,12 +40,12 @@ data: common_tls_context: tls_certificates: - certificate_chain: - filename: {{ printf "%s/%s" (default $.Values.instantiationDefaults.envoyAppCertMountPath $.Values.envoyAppCertMountPath) (default $.Values.instantiationDefaults.envoyAppCertFileName $.Values.envoyAppCertFileName) | quote }} + filename: {{ printf "%s/%s" (default $.Values.instantiationDefaults.proxyAppCertMountPath $.Values.proxyAppCertMountPath) (default $.Values.instantiationDefaults.proxyAppCertFileName $.Values.proxyAppCertFileName) | quote }} private_key: - filename: {{ printf "%s/%s" (default $.Values.instantiationDefaults.envoyAppCertMountPath $.Values.envoyAppCertMountPath) (default $.Values.instantiationDefaults.envoyAppKeyFileName $.Values.envoyAppKeyFileName) | quote }} + filename: {{ printf "%s/%s" (default $.Values.instantiationDefaults.proxyAppCertMountPath $.Values.proxyAppCertMountPath) (default $.Values.instantiationDefaults.proxyAppKeyFileName $.Values.proxyAppKeyFileName) | quote }} validation_context: trusted_ca: - filename: {{ printf "%s/%s" (default $.Values.instantiationDefaults.envoyPlatformCaCertMountPath $.Values.envoyPlatformCaCertMountPath) (default $.Values.instantiationDefaults.envoyPlatformCaCertFileName $.Values.envoyPlatformCaCertFileName) | quote }} + filename: {{ printf "%s/%s" (default $.Values.instantiationDefaults.proxyCaCertMountPath $.Values.proxyCaCertMountPath) (default $.Values.instantiationDefaults.proxyCaCertFileName $.Values.proxyCaCertFileName) | quote }} # Plain HTTP listener for other endpoints - name: listener_http diff --git a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml index 01731eb..b90de8d 100644 
--- a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml +++ b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml @@ -75,13 +75,13 @@ spec: secret: secretName: {{ include "eric-oss-hello-world-python-app.clientSecret" . | quote }} defaultMode: 420 - - name: envoy-platform-cacerts + - name: proxy-platform-cacerts secret: - secretName: {{ index .Values "envoyPlatformCaCertSecretName" | quote }} + secretName: {{ index .Values "proxyCaCertSecretName" | quote }} defaultMode: 420 - - name: envoy-app-certs + - name: proxy-app-certs secret: - secretName: {{ index .Values "envoyAppSecretName" | quote }} + secretName: {{ index .Values "proxyAppSecretName" | quote }} defaultMode: 420 containers: - name: eric-oss-hello-world-python-app @@ -220,8 +220,6 @@ spec: command: ["/bin/sh", "-c"] args: - | - echo "==== Dumping envoy config ====" - cat /etc/envoy/envoy.yaml echo "==== Starting Envoy ====" exec envoy -c /etc/envoy/envoy.yaml --log-level info --base-id 1 ports: 
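Review bot: With the config dump removed in the `@@ -220,8 +220,6 @@` hunk, the `/bin/sh -c` wrapper only prints a banner before `exec envoy`, so the container still depends on a shell for no functional reason. Starting the proxy directly, `command: ["envoy"]` with `args: ["-c", "/etc/envoy/envoy.yaml", "--log-level", "info", "--base-id", "1"]`, removes that dependency and matches the exec-form `CMD` in `Dockerfile.envoy`. The `command:` line is context here and the container spec continues outside the hunk.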
@@ -234,49 +232,42 @@ spec: livenessProbe: tcpSocket: port: 8443 - {{- if (index .Values "probes" "envoy" "livenessProbe" "initialDelaySeconds") }} - {{ print "initialDelaySeconds: " (index .Values "probes" "envoy" "livenessProbe" "initialDelaySeconds") }} + {{- if (index .Values "probes" "proxy" "livenessProbe" "initialDelaySeconds") }} + {{ print "initialDelaySeconds: " (index .Values "probes" "proxy" "livenessProbe" "initialDelaySeconds") }} {{- end }} - {{- if (index .Values "probes" "envoy" "livenessProbe" "failureThreshold") }} - {{ print "failureThreshold: " (index .Values "probes" "envoy" "livenessProbe" "failureThreshold") }} + {{- if (index .Values "probes" "proxy" "livenessProbe" "failureThreshold") }} + {{ print "failureThreshold: " (index .Values "probes" "proxy" "livenessProbe" "failureThreshold") }} {{- end }} - {{- if (index .Values "probes" "envoy" "livenessProbe" "periodSeconds") }} - {{ print "periodSeconds: " (index .Values "probes" "envoy" "livenessProbe" "periodSeconds") }} + {{- if (index .Values "probes" "proxy" "livenessProbe" "periodSeconds") }} + {{ print "periodSeconds: " (index .Values "probes" "proxy" "livenessProbe" "periodSeconds") }} {{- end }} - {{- if (index .Values "probes" "envoy" "livenessProbe" "timeoutSeconds") }} - {{ print "timeoutSeconds: " (index .Values "probes" "envoy" "livenessProbe" "timeoutSeconds") }} + {{- if (index .Values "probes" "proxy" "livenessProbe" "timeoutSeconds") }} + {{ print "timeoutSeconds: " (index .Values "probes" "proxy" "livenessProbe" "timeoutSeconds") }} {{- end }} readinessProbe: tcpSocket: port: 8443 - {{- if (index .Values "probes" "envoy" "readinessProbe" "initialDelaySeconds") }} - {{ print "initialDelaySeconds: " (index .Values "probes" "envoy" "readinessProbe" "initialDelaySeconds") }} + {{- if (index .Values "probes" "proxy" "readinessProbe" "initialDelaySeconds") }} + {{ print "initialDelaySeconds: " (index .Values "probes" "proxy" "readinessProbe" "initialDelaySeconds") }} {{- end }} - 
{{- if (index .Values "probes" "envoy" "readinessProbe" "failureThreshold") }} - {{ print "failureThreshold: " (index .Values "probes" "envoy" "readinessProbe" "failureThreshold") }} + {{- if (index .Values "probes" "proxy" "readinessProbe" "failureThreshold") }} + {{ print "failureThreshold: " (index .Values "probes" "proxy" "readinessProbe" "failureThreshold") }} {{- end }} - {{- if (index .Values "probes" "envoy" "readinessProbe" "periodSeconds") }} - {{ print "periodSeconds: " (index .Values "probes" "envoy" "readinessProbe" "periodSeconds") }} + {{- if (index .Values "probes" "proxy" "readinessProbe" "periodSeconds") }} + {{ print "periodSeconds: " (index .Values "probes" "proxy" "readinessProbe" "periodSeconds") }} {{- end }} - {{- if (index .Values "probes" "envoy" "readinessProbe" "timeoutSeconds") }} - {{ print "timeoutSeconds: " (index .Values "probes" "envoy" "readinessProbe" "timeoutSeconds") }} + {{- if (index .Values "probes" "proxy" "readinessProbe" "timeoutSeconds") }} + {{ print "timeoutSeconds: " (index .Values "probes" "proxy" "readinessProbe" "timeoutSeconds") }} {{- end }} - env: - - name: ENVOY_APP_CERT_FULL_PATH - value: {{ printf "%s/%s" (default .Values.instantiationDefaults.envoyAppCertMountPath .Values.envoyAppCertMountPath) .Values.envoyAppCertFileName }} - - name: ENVOY_APP_KEY_FULL_PATH - value: {{ printf "%s/%s" (default .Values.instantiationDefaults.envoyAppCertMountPath .Values.envoyAppCertMountPath) .Values.envoyAppKeyFileName }} - - name: ENVOY_CA_CERT_FULL_PATH - value: {{ printf "%s/%s" (default .Values.instantiationDefaults.envoyPlatformCaCertMountPath .Values.envoyPlatformCaCertMountPath) .Values.envoyPlatformCaCertFileName }} volumeMounts: - name: envoy-config mountPath: /etc/envoy readOnly: true - - name: envoy-platform-cacerts - mountPath: {{ index .Values "envoyPlatformCaCertMountPath" | default .Values.instantiationDefaults.envoyPlatformCaCertMountPath | quote }} + - name: proxy-platform-cacerts + mountPath: {{ index 
.Values "proxyCaCertMountPath" | default .Values.instantiationDefaults.proxyCaCertMountPath | quote }} readOnly: true - - name: envoy-app-certs - mountPath: {{ index .Values "envoyAppCertMountPath" | default .Values.instantiationDefaults.envoyAppCertMountPath | quote }} + - name: proxy-app-certs + mountPath: {{ index .Values "proxyAppCertMountPath" | default .Values.instantiationDefaults.proxyAppCertMountPath | quote }} readOnly: true {{- if include "eric-oss-hello-world-python-app.pullSecrets" . }} imagePullSecrets: diff --git a/charts/eric-oss-hello-world-python-app/templates/service/service.yaml b/charts/eric-oss-hello-world-python-app/templates/service/service.yaml index 969f93a..b1f5b80 100644 --- a/charts/eric-oss-hello-world-python-app/templates/service/service.yaml +++ b/charts/eric-oss-hello-world-python-app/templates/service/service.yaml @@ -3,24 +3,24 @@ kind: Service metadata: name: {{ include "eric-oss-hello-world-python-app.name" . }} labels: - {{- include "eric-oss-hello-world-python-app.labels" . | indent 4 }} + {{- include "eric-oss-hello-world-python-app.labels" . | nindent 4 }} {{- if .Values.labels }} - {{ .Values.labels | toYaml | indent 4 }} + {{- toYaml .Values.labels | nindent 4 }} {{- end }} annotations: -{{- include "eric-oss-hello-world-python-app.product-info" . | indent 4 }} + {{- include "eric-oss-hello-world-python-app.product-info" . | nindent 4 }} spec: type: {{ .Values.service.type }} {{- if .Values.global.internalIPFamily }} ipFamilies: [{{ .Values.global.internalIPFamily }}] {{- end }} ports: - - port: {{ .Values.service.http-port }} - targetPort: 8080 + - port: {{ index .Values.service "http-port" }} + targetPort: {{ .Values.service.httpTargetPort | default 8080 }} protocol: TCP name: envoy-http - - port: {{ .Values.service.https-port }} - targetPort: 8443 + - port: {{ index .Values.service "https-port" }} + targetPort: {{ .Values.service.httpsTargetPort | default 8443 }} protocol: TCP name: envoy-https selector: 
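Review bot: In `service.yaml`, `targetPort` becomes overridable through `service.httpTargetPort` and `service.httpsTargetPort`, but the Envoy listener ports in the ConfigMap and the `containerPort` values in the Deployment stay fixed at 8080 and 8443, so any override points the Service at a port nothing listens on. Referring to the container ports by name keeps the three places in step: `targetPort: envoy-http` and `targetPort: envoy-https`. The two new values are also not declared in the `values.yaml` hunks of this commit, so chart users have no documented default for them.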
diff --git a/charts/eric-oss-hello-world-python-app/values.yaml b/charts/eric-oss-hello-world-python-app/values.yaml index 425d452..3615f3a 100644 --- a/charts/eric-oss-hello-world-python-app/values.yaml +++ b/charts/eric-oss-hello-world-python-app/values.yaml @@ -46,18 +46,6 @@ service: http-port: 8080 https-port: 8443 -ingress: - enabled: false - ingressClass: OAM-IngressClass - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - host: "" - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - resources: helloWorld: limits: @@ -117,7 +105,7 @@ probes: initialDelaySeconds: 60 periodSeconds: 10 timeoutSeconds: 10 - envoy: + proxy: livenessProbe: failureThreshold: 3 initialDelaySeconds: 60 @@ -139,11 +127,8 @@ instantiationDefaults: platformCaCertMountPath: "/etc/tls-ca/platform/" appCertMountPath: "/etc/tls/log/" clientCredsMountPath: "/etc/client-creds/" - envoyPlatformCaCertMountPath: "/etc/certs/ca" - envoyAppCertMountPath: "/etc/certs/app" - #envoyPlatformCaCertFileName: "dummy1.crt" - #envoyAppCertFileName: "dummy2.crt" - #envoyAppKeyFileName: "dummy3.key" + proxyCaCertMountPath: "/etc/certs/ca" + proxyAppCertMountPath: "/etc/certs/app" global: clientCredentials: From 9bf7e348926f0b4f1e8e276f0bcd6a3bb5257fc8 Mon Sep 17 00:00:00 2001 From: erjxsrn Date: Fri, 22 Aug 2025 23:54:22 +0100 Subject: [PATCH 08/20] Removed unused volumeswq --- .../templates/deployment/deployment.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml index b90de8d..eb221e9 100644 --- a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml +++ b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml 
@@ -61,8 +61,6 @@ spec:
 items:
 - key: ENVOY_CONFIG_FILE
 path: envoy.yaml
- - name: envoy-config-dir
- emptyDir: {}
 - name: platform-cacerts
 secret:
 secretName: {{ index .Values "platformCaCertSecretName" | quote }}
From cb701c6a41f5e7fa345c88823da692e02e12ba45 Mon Sep 17 00:00:00 2001
From: erjxsrn
Date: Sun, 24 Aug 2025 10:09:53 +0100
Subject: [PATCH 09/20] Changes TODO :: OA out of scope
---
 .../templates/deployment/deployment.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml
index eb221e9..fa7e9d2 100644
--- a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml
+++ b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml
@@ -73,6 +73,7 @@ spec:
 secret:
 secretName: {{ include "eric-oss-hello-world-python-app.clientSecret" . | quote }}
 defaultMode: 420
+ #TODO point the below two secret to platformCaCertSecretName and appSecretName :: OA of scope
 - name: proxy-platform-cacerts
 secret:
 secretName: {{ index .Values "proxyCaCertSecretName" | quote }}
From 14b982680ee15dd472f229cb1ebe99593b8cb0d6 Mon Sep 17 00:00:00 2001
From: Vincent Kiely
Date: Thu, 4 Sep 2025 10:43:21 +0100
Subject: [PATCH 10/20] Removed tutorial commands from README
---
 README.md | 809 +-----------------------------------------------------
 1 file changed, 2 insertions(+), 807 deletions(-)
diff --git a/README.md b/README.md
index 4ffd17f..f653fdb 100644
--- a/README.md
+++ b/README.md
@@ -7,813 +7,8 @@ > **already have full access** to the EIAP Ecosystem. > If you do not have this access, **please do not proceed.** +Python Hello World Sample App Documentation [Here](https://developer.intelligentautomationplatform.ericsson.net/#tutorials/sample-app-in-python). + **Note:** If you need help accessing the EIAP Ecosystem, contact support at this **email address:** - -## Introduction - -This is a simple Hello World Python App with the following three endpoints: - -- **/sample-app/python/hello** is a sample endpoint. - -- **/sample-app/python/health** is an endpoint for an external agent to - monitor the App liveliness. - -- **/sample-app/python/metrics** is an endpoint that presents - the number of successful and failed invocations of - the '/sample-app/python/hello' endpoint. - -**Note:** X.509 certificates are used for authentication, and - mTLS uses them to secure communication between the App and the platform. - -## Build Docker - -Extract the downloaded sample App package. Using a command line tool, - go inside the extracted `eric-oss-hello-world-python-app-` directory. - -```bash -cd /eric-oss-hello-world-python-app- -``` - -Rename the `Dockerfile-template` file to `Dockerfile`. - -```bash -mv Dockerfile-template Dockerfile -``` - -Replace `` in the Dockerfile with a slim Python base image. -Refer to: [Python on Dockerâ„¢ Hub](https://hub.docker.com/_/python) - -Run the following command to build the image. - -```bash -docker build . -t proj-eric-oss-drop/eric-oss-hello-world-python-app: --build-arg APP_VERSION= -``` - -## Run Docker Image - -A port binding on port 8050 is done to expose the endpoints. - -```bash -docker run -p 8050:8050 --rm --name python-sample-app proj-eric-oss-drop/eric-oss-hello-world-python-app: -``` - -Run a curl request to the /sample-app/python/hello endpoint of the app. -The request should return a "Hello World!!" response. 
- -```bash -curl -is localhost:8050/sample-app/python/hello -``` - -Example Output: - -```http -HTTP/1.1 200 OK -Date: Thu, 17 Jun 2021 14:46:46 GMT -Content-Length: 13 -Content-Type: text/plain; charset=utf-8 - -Hello World!! -``` - -## Build the CSAR package - -For this step, install the [App Package Tool](https://developer.intelligentautomationplatform.ericsson.net/#capabilities/app-administration/tutorial-package-app). - -Once installed, the tool will be available as a Docker image -named `armdocker.rnd.ericsson.se/proj-eric-oss-dev-test/releases/eric-oss-app-package-tool:latest` - -**Note:** In the commands below, make sure to replace `` -with the correct Python Sample App version. Run the following commands -from within your project directory -`eric-oss-hello-world-python-app-`. - -```bash -mkdir -p helloworldAppPackage -``` - -The zip file includes a `csar` directory, which has the structure of the -CSAR package. - -```bash -cp -r ./csar/* ./helloworldAppPackage/ -``` - -Run the following command to generate an archive of the chart. - -```bash -helm package ./charts/eric-oss-hello-world-python-app/ -``` - -Move the created .tgz file to the OtherDefinitions/ASD directory. - -```bash -mv eric-oss-hello-world-python-app-.tgz ./helloworldAppPackage/OtherDefinitions/ASD/ -``` - -Create a folder where the CSAR App package will be stored into. - -```bash -mkdir csar-output -``` - -Generate an archive of the Docker image and store it temporarily in the `csar-output` -directory. - -```bash -docker save proj-eric-oss-drop/eric-oss-hello-world-python-app: -o csar-output/docker.tar -``` - -Run the following command locally to create a CSAR App package using the -eric-oss-app-package-tool. 
- -```bash -docker run --init --rm \ - --volume $PWD/csar-output/:/tmp/csar/ \ - --volume $HOME/.docker:/root/.docker \ - --volume /var/run/docker.sock:/var/run/docker.sock \ - --workdir /target \ - --volume $PWD/helloworldAppPackage:/target \ - armdocker.rnd.ericsson.se/proj-eric-oss-dev-test/releases/eric-oss-app-package-tool:latest \ - generate --tosca /target/Metadata/Tosca.meta \ - --name helloworldAppPackage \ - --images /tmp/csar/docker.tar \ - --helm3 \ - --output /tmp/csar -``` - -Run the following command to verify if the CSAR Package was created successfully. - -```bash -ls ./csar-output -``` - -`helloworldAppPackage.csar` is visible in the directory. - -## Onboard the App - -### Prerequisites for Onboarding - -Contact the platform administrator to request the following: - -- A Client certificate, Client key and platform CA certificate, - needed for secure communication with the platform APIs. -- Client ID to access the platform with the required roles, needed for authorized -communication with the platform APIs used to *onboard and instantiate* the -Hello World App. Include the required roles listed below in the request. - -| Role | Role Description | -| --------------------------------------------------------------- | ----------------------------------------------------------------------------- | -| AppMgr_Application_Administrator | Administrator access to App Administration onboarding and instantiating Apps. | -| AppMgr_Application_Operator | Operator access to App Administration onboarding and instantiating Apps. | -| Exposure_Application_Administrator | Access to Service Exposure Onboarding APIs for the Apps. | -| UserAdministration_ExtAppRbac_Application_SecurityAdministrator | Access to Service Exposure Access control APIs for the Apps. | - -See [Client Access to REST APIs](https://developer.intelligentautomationplatform.ericsson.net/#tutorials/client-access) - for further details on client authentication. 
- -**Note:** Replace `` with the valid `R1 host` provided by platform administrator. - -Use the following command to generate a valid access token: - -```bash -curl --cert --key --cacert --request POST \ -https:///auth/realms/master/protocol/openid-connect/token \ ---header 'content-type: application/x-www-form-urlencoded' \ ---data "grant_type=client_credentials&client_id=" -``` - -This command returns an access token, which is used in the commands in the -following steps. See the following example of a response containing the -access token: - -```bash - "access_token": "eyJhbGciOiJSUze168rQBwD4....", - "expires_in": 300, - "refresh_expires_in": 0, - "token_type": "Bearer", - "not-before-policy": 0, - "scope": "profile" -``` - -### Steps for Onboarding - -Onboard the **Hello World CSAR App Package** using [App Administration](https://developer.intelligentautomationplatform.ericsson.net/#capabilities/app-administration/developer-guide-manage?chapter=onboard). - -Run the following command. - -```bash -curl --cert --key --cacert --location --request POST 'https:///app-onboarding/v2/app-packages' \ ---header 'Authorization: Bearer ' \ ---header 'accept: application/json' \ ---form 'file=@"/helloworldAppPackage.csar"' -``` - -Example of command result: - -```json -{ - "fileName": "helloworldAppPackage.csar", - "onboardingJob": { - "id": "af036040-a732-4af9-b65a-8103da56c35c", - "href": "/onboarding-jobs/af036040-a732-4af9-b65a-8103da56c35c" - } -} -``` - -An onboarding-job `id` is shown in the command result -(af036040-a732-4af9-b65a-8103da56c35c in the example). -This is the `JOB_ID`. Use the `JOB_ID` to get the -status of the onboarding process in the following commands: - -```bash -curl --cert --key --cacert --location --request GET 'https:///app-onboarding/v2/onboarding-jobs/' \ ---header 'Authorization: Bearer ' \ ---header 'accept: application/json' -``` - -It can take several minutes for the status to change to `ONBOARDED`. 
-Repeat the command until the status is changed to `ONBOARDED`. - -Example of command result: - -```json -{ - "id": "af036040-a732-4af9-b65a-8103da56c35c", - "fileName": "helloworldAppPackage.csar", - "packageVersion": "4.0.0-0", - "packageSize": "51.7659MiB", - "vendor": "Ericsson", - "type": "rApp", - "onboardStartedAt": "2025-05-31T13:51:56.616Z", - "status": "ONBOARDED", - "onboardEndedAt": "2025-05-31T13:51:59.955Z", - "events": [ - { - "type": "INFO", - "title": "Stored 1 out of 4 artifacts", - "detail": "Uploaded eric-oss-hello-world-python-appASD.yaml", - "occurredAt": "2025-05-31T13:51:58.042Z" - }, - { - "type": "INFO", - "title": "Stored 2 out of 4 artifacts", - "detail": "Uploaded eric-oss-hello-world-python-app", - "occurredAt": "2025-05-31T13:51:58.043Z" - }, - { - "type": "INFO", - "title": "Stored 3 out of 4 artifacts", - "detail": "Uploaded docker.tar", - "occurredAt": "2025-05-31T13:51:59.792Z" - }, - { - "type": "INFO", - "title": "Stored 4 out of 4 artifacts", - "detail": "Uploaded security-metadata.json", - "occurredAt": "2025-05-31T13:51:59.812Z" - } - ], - "self": { - "href": "/onboarding-jobs/af036040-a732-4af9-b65a-8103da56c35c" - }, - "app": { - "id": "rapp-ericsson-eric-oss-hello-world-python-app-4-0-0-0", - "href": "app-lifecycle-management/v3/apps/rapp-ericsson-eric-oss-hello-world-python-app-4-0-0-0" - } -} -``` - -The `APP_ID` is the `id` of the `app` returned in the previous -command (rapp-ericsson-eric-oss-hello-world-python-app-4-0-0-0 in the example). -Run the following command to initialize the App. 
- -```bash -curl --cert --key --cacert --location --request POST 'https:///app-lifecycle-management/v3/apps//initialization-actions' \ ---header 'Content-Type: application/json' \ ---header 'Authorization: Bearer ' \ --d '{"action": "INITIALIZE"}' -``` - -Example of command result: - -```json -{ - "app": { - "status": "INITIALIZING", - "id": "rapp-ericsson-eric-oss-hello-world-python-app-4-0-0-0", - "href": "/apps/rapp-ericsson-eric-oss-hello-world-python-app-4-0-0-0" - } -} -``` - -Repeat the following command until the status is changed to `INITIALIZED`. - -```shell -curl --cert --key --cacert --location --request GET 'https:///app-lifecycle-management/v3/apps/' \ ---header 'Content-Type: application/json' \ ---header 'Authorization: Bearer ' -``` - -Example of command result: - -```json -{ - "id": "rapp-ericsson-eric-oss-hello-world-python-app-4-0-0-0", - "type": "rApp", - "provider": "Ericsson", - "name": "eric-oss-hello-world-python-app", - "version": "4.0.0-0", - "mode": "DISABLED", - "status": "INITIALIZED", - "createdAt": "2025-05-31T13:51:59.931Z", - "components": [ - { - "type": "ASD", - "name": "eric-oss-hello-world-python-app", - "version": "4.0.0-0", - "artifacts": [ - { - "name": "docker.tar", - "type": "IMAGE" - }, - { - "name": "eric-oss-hello-world-python-appASD.yaml", - "type": "OPAQUE" - }, - { - "name": "eric-oss-hello-world-python-app", - "type": "HELM" - } - ] - }, - { - "type": "SECURITYMANAGEMENT", - "name": "security-mgmt", - "version": "1.0.0", - "artifacts": [ - { - "name": "security-metadata.json", - "type": "OPAQUE" - } - ] - } - ], - "permissions": [ - { - "resource": "kafka", - "scope": "GLOBAL" - } - ], - "roles": [], - "events": [ - { - "type": "INITIALIZE", - "title": "SUCCEEDED", - "detail": "INITIALIZE has successfully completed", - "createdAt": "2025-05-31T13:55:50.421Z" - }, - { - "type": "INITIALIZE", - "title": "STARTED", - "detail": "INITIALIZE has started", - "createdAt": "2025-05-31T13:55:34.171Z" - }, - { - "type": 
"CREATE", - "title": "SUCCEEDED", - "detail": "CREATE has successfully completed", - "createdAt": "2025-05-31T13:51:59.945Z" - } - ], - "self": { - "href": "/apps/rapp-ericsson-eric-oss-hello-world-python-app-4-0-0-0" - } -} -``` - -Run the following command to switch the App mode from 'DISABLED' to 'ENABLED'. - -```bash -curl --cert --key --cacert --location --request PUT 'https:///app-lifecycle-management/v3/apps//mode' \ ---header 'Content-Type: application/json' \ ---header 'Authorization: Bearer ' \ --d '{"mode": "ENABLED"}' -``` - -Example of command result: - -```json -{ - "mode": "ENABLED", - "app": { - "id": "rapp-ericsson-eric-oss-hello-world-python-app-4-0-0-0", - "href": "/apps/rapp-ericsson-eric-oss-hello-world-python-app-4-0-0-0" - } -} -``` - -## Instantiate the App - -This section describes how the App can communicate with IAM and produce logs to - the platform. The App is instantiated using App Administration and the API is - exposed and secured by the Service Exposure capability. - -### Prerequisites for Instantiation - -- You need the access token generated in **Onboard the App** prerequisite to - access the App Manager for instantiating the Hello World CSAR App Package. -- Contact your platform administrator to generate the required App key, - certificates key, certificates, and the secrets which store them. The - details of the secrets, keys, certs and EIC endpoint details will be passed - to App Administration through the `userDefinedHelmParameters` when - instantiating the App. Refer to - [App Certificate Provisioning Developer Guide](https://developer.intelligentautomationplatform.ericsson.net/#capabilities/app-cert-provisioning/developer-guide) - to understand how certificates are loaded into the App during - instantiation for secure communication. 
The required parameters are: - - - The `iamBaseUrl` must point to the `R1 host`, as the `/sample-app/python/hello` - endpoint in this sample app first communicates with IAM to obtain a - client token (login) before returning the "Hello World!!" string response. - - The`appSecretName`, `appKeyFileName`, `appCertFileName`, - `platformCaCertSecretName` and `platformCaCertFileName` to enable - secure communication between the App and the platform. - - The `logEndpoint` which facilitates streaming App logs to platform, - supports only mTLS communication. For more information on the variable - values required, see [App Logging Developer Guide to Produce logs](https://developer.intelligentautomationplatform.ericsson.net/#capabilities/app-logging/how-to-produce-logs?chapter=identify-environment-and-secret-variables-names). - -### Steps for Instantiation - -Use the App Administration capability to instantiate the - **Hello World CSAR App**. For more details on instantiating an App, see - [App Administration](https://developer.intelligentautomationplatform.ericsson.net/#capabilities/app-administration/developer-guide-manage?chapter=instantiate). -Run the following commands to start the instantiation process using the - `APP_ID` from **Onboard the App**. 
- -#### Create App Instance - -```shell -curl --cert --key --cacert --location --request POST 'https:///app-lifecycle-management/v3/app-instances' \ ---header 'accept: application/json' \ ---header 'Content-Type: application/json' \ ---header 'Authorization: Bearer ' \ --d '{ - "appId": "" -}' -``` - -Example command result: - -```json -{ - "id": "rapp-ericsson-eric-oss-hello-world-python-app-68129972", - "appId": "rapp-ericsson-eric-oss-hello-world-python-app-4-0-0-0", - "status": "UNDEPLOYED", - "credentials": { - "clientId": "rapp-ericsson-eric-oss-hello-world-python-app-68129972" - }, - "componentInstances": [ - { - "name": "eric-oss-hello-world-python-app", - "version": "4.0.0-0", - "type": "ASD", - "deployState": "UNDEPLOYED", - "properties": { - "userDefinedHelmParameters": {}, - "namespace": "", - "timeout": 5 - } - }, - { - "name": "security-mgmt", - "version": "1.0.0", - "type": "SECURITYMANAGEMENT", - "properties": { - "authenticatorType": "client-x509" - } - } - ], - "self": { - "href": "/app-instances/rapp-ericsson-eric-oss-hello-world-python-app-68129972" - }, - "app": { - "href": "/apps/rapp-ericsson-eric-oss-hello-world-python-app-4-0-0-0" - } -} -``` - -An app-instance `id` is shown in the command result - (rapp-ericsson-eric-oss-hello-world-python-app-68129972 in the example). This - is the `APP_INSTANCE_ID` used in the following commands. - -#### Deploy App Instance - -> All `userDefinedHelmParameters` are required for successful instantiation - of your App. 
- -```shell -curl --cert --key --cacert --location --request POST 'https:///app-lifecycle-management/v3/app-instances//deployment-actions' \ - --header 'accept: application/json' \ - --header 'Content-Type: application/json' \ - --header 'Authorization: Bearer ' \ - -d '{ - "type": "DEPLOY", - "additionalData": { - "componentInstances": [ - { - "name": "eric-oss-hello-world-python-app", - "properties": { - "timeout": 5, - "userDefinedHelmParameters": { - "iamBaseUrl": "https://", - "logEndpoint": "", - "platformCaCertSecretName": "", - "appSecretName": "", - "platformCaCertFileName": "", - "appKeyFileName": "", - "appCertFileName": "", - } - } - } - ] - } -}' -``` - -See the following example command result: - -```json -{ - "type": "DEPLOY", - "additionalData": { - "componentInstances": [ - { - "name": "eric-oss-hello-world-python-app", - "properties": { - "timeout": 5, - "userDefinedHelmParameters": { - "platformCaCertSecretName": "", - "platformCaCertFileName": "", - "iamBaseUrl": "https://", - "appSecretName": "", - "logEndpoint": "", - "appKeyFileName": "", - "appCertFileName": "", - } - } - } - ] - }, - "appInstance": { - "status": "DEPLOYING", - "href": "/app-instances/rapp-ericsson-eric-oss-hello-world-python-app-68129972" - } -} -``` - -Use the App instance ID in the following command to check the instantiation - status. Repeat the command until the health status is changed - to `"status":"DEPLOYED"`. 
- -```shell -curl --cert --key --cacert --location --request GET 'https:///app-lifecycle-management/v3/app-instances/' \ ---header 'accept: application/json' \ ---header 'Content-Type: application/json' \ ---header 'Authorization: Bearer ' -``` - -```json -{ - "id": "rapp-ericsson-eric-oss-hello-world-python-app-68129972", - "appId": "rapp-ericsson-eric-oss-hello-world-python-app-4-0-0-0", - "status": "DEPLOYED", - "createdAt": "2025-05-31T14:01:01.741Z", - "updatedAt": "2025-05-31T14:04:16.300Z", - "credentials": { - "clientId": "rapp-ericsson-eric-oss-hello-world-python-app-68129972" - }, - "componentInstances": [ - { - "name": "eric-oss-hello-world-python-app", - "version": "4.0.0-0", - "type": "ASD", - "deployState": "DEPLOYED", - "properties": { - "userDefinedHelmParameters": { - "iamBaseUrl": "https://", - "logEndpoint": "", - "platformCaCertSecretName": "", - "appSecretName": "", - "platformCaCertFileName": "", - "appKeyFileName": "", - "appCertFileName": "", - }, - "namespace": "", - "timeout": 5 - } - }, - { - "name": "security-mgmt", - "version": "1.0.0", - "type": "SECURITYMANAGEMENT", - "properties": { - "authenticatorType": "client-x509" - } - } - ], - "events": [ - { - "type": "DEPLOY", - "title": "SUCCEEDED", - "detail": "DEPLOY has successfully completed", - "createdAt": "2025-05-31T14:04:16.297Z" - }, - { - "type": "DEPLOY", - "title": "STARTED", - "detail": "DEPLOY has started", - "createdAt": "2025-05-31T14:04:15.609Z" - }, - { - "type": "CREATE", - "title": "SUCCEEDED", - "detail": "CREATE has successfully completed", - "createdAt": "2025-05-31T14:01:01.753Z" - } - ], - "self": { - "href": "/app-instances/rapp-ericsson-eric-oss-hello-world-python-app-68129972" - }, - "app": { - "href": "/apps/rapp-ericsson-eric-oss-hello-world-python-app-4-0-0-0" - } -} -``` - -To view your logs, access EIC and open your log viewer. -Within the log viewer, you can filter for App Logging and view the results. 
- -#### Onboard the Hello World Python App APIs - -Use Service Exposure to expose the Hello World App API. -For details, see [Service Exposure - Developer Guide](https://developer.intelligentautomationplatform.ericsson.net/#capabilities/service-exposure/api-exposure-developer-guide). - -To create an API to be onboarded, run the following commands: - -```bash -curl --cert --key --cacert --location --request POST 'https:///hub/apiprovisioning/v1/admin/v3/apis' \ ---header 'Authorization: Bearer ' \ ---header 'Content-Type: application/json' \ ---data '{ - "serviceCapabilityId": "hello-world-python-route-001", - "status": "active", - "apiPrefix": "/app/ericsson-helloWorldPythonApp", - "apiName": "hello-world-python-route", - "apiVersion": "v1", - "apiCategory": "/APIGM/category/api", - "apiDefinition": [ - { - "operationName": "/sample-app/python/hello/GET", - "urlPattern": "/sample-app/python/hello", - "methods": [ - "GET" - ] - } - ] -}' -``` - -To create an endpoint for the previously generated API, run the -following command: - -```bash -curl --cert --key --cacert --location --request POST 'https:///hub/apiprovisioning/v1/admin/v3/apis/hello-world-python-route-001/endpoints' \ ---header 'Authorization: Bearer ' \ ---header 'Content-Type: application/json' \ ---data '{ - "endpointId": "python-hello-001", - "serverUrl": "http://eric-oss-hello-world-python-app:8050" -}' -``` - -To bind the plugin for authorization of the previously -generated API, run the following command: - -```bash -curl --cert --key --cacert --location --request PUT 'https:///hub/apiprovisioning/v1/admin/v3/apis/hello-world-python-route-001/phases/auth/plugin-list' \ ---header 'Authorization: Bearer ' \ ---header 'Content-Type: application/json' \ ---data '[ - { - "name": "requestPartyTokenInterceptor" - } -]' -``` - -To configure the binded plugin for authorization, -run the following command: - -```bash -curl --cert --key --cacert --location --request PUT 
'https:///hub/apiprovisioning/v1/admin/v3/apis/hello-world-python-route-001/plugins/requestPartyTokenInterceptor/configuration' \ ---header 'Authorization: Bearer ' \ ---header 'Content-Type: application/json' \ ---data '{ - "configurationSchemaVersion": "v0", - "configuration": { - "defaultResourceServer": "eo" - } -}' -``` - -#### Manage access control for the Hello World Python App APIs - -To allow access to the API endpoints provided by the 'Hello World' App, -Role-Based Access Control (RBAC) configuration is required. To add the -RBAC policy run the following curl command: - -```bash -curl --cert --key --cacert --location --request POST 'https:///idm/rolemgmt/v1/extapp/rbac' \ ---header 'Content-Type: application/json' \ ---header 'Authorization: Bearer ' \ ---data '{ - "tenant": "master", - "roles": [ - { - "name": "Python_SampleApp_Application_Administrator" - } - ], - "authorization": { - "resources": [ - { - "name": "python_sample_app_hello", - "type": "urn:eo:resources:extrapp", - "ownerManagedAccess": false, - "uris": [ - "/app/ericsson-helloWorldPythonApp/hello-world-python-route/v1/sample-app/python/hello" - ], - "scopes": [ - { - "name": "PATCH" - }, - { - "name": "DELETE" - }, - { - "name": "GET" - }, - { - "name": "POST" - }, - { - "name": "PUT" - } - ] - } - ], - "policies": [ - { - "name": "Python Sample App Hello Policy", - "type": "role", - "logic": "POSITIVE", - "decisionStrategy": "UNANIMOUS", - "config": { - "roles": "[{\"id\":\"Python_SampleApp_Application_Administrator\",\"required\":false}]" - } - }, - { - "name": "Python Sample App Hello Permission", - "type": "scope", - "logic": "POSITIVE", - "decisionStrategy": "AFFIRMATIVE", - "config": { - "resources": "[\"python_sample_app_hello\"]", - "scopes": "[\"GET\",\"PUT\",\"POST\",\"DELETE\",\"PATCH\"]", - "applyPolicies": "[\"Python Sample App Hello Policy\"]" - } - } - ], - "scopes": [ - { - "name": "GET" - }, - { - "name": "POST" - }, - { - "name": "DELETE" - }, - { - "name": "PUT" - }, - 
{ - "name": "PATCH" - } - ] - } -}' -``` - -To access the `/sample-app/python/hello` endpoint, the new role -`Python_SampleApp_Application_Administrator` must be assigned to any -client accessing the endpoint. From 4a46691873c828c38fdf506a0bbe6f3e12c05b6d Mon Sep 17 00:00:00 2001 From: erjxsrn Date: Fri, 12 Sep 2025 14:09:21 +0100 Subject: [PATCH 11/20] Fixed review comments --- Dockerfile.envoy | 13 ------- README.md | 36 ++++++++++--------- Dockerfile.app => app.Dockerfile | 8 ++--- .../templates/configmap/envoy-configmap.yaml | 6 ++-- .../templates/deployment/deployment.yaml | 11 +++--- .../templates/service/service.yaml | 4 +-- .../values.yaml | 9 ++--- docker-compose.yaml | 12 ++----- envoy.Dockerfile | 6 ++++ 9 files changed, 46 insertions(+), 59 deletions(-) delete mode 100644 Dockerfile.envoy rename Dockerfile.app => app.Dockerfile (66%) create mode 100644 envoy.Dockerfile diff --git a/Dockerfile.envoy b/Dockerfile.envoy deleted file mode 100644 index 6795947..0000000 --- a/Dockerfile.envoy +++ /dev/null @@ -1,13 +0,0 @@ -FROM envoyproxy/envoy:v1.35.0 - -USER root - -RUN mkdir -p /etc/envoy - -RUN groupmod -g 1000 envoy && usermod -u 1000 -g 1000 envoy - -USER 1000 - -EXPOSE 8080 8443 - -CMD ["envoy", "-c", "/etc/envoy/envoy.yaml", "--log-level", "info"] diff --git a/README.md b/README.md index 53ab215..b27bd6d 100644 --- a/README.md +++ b/README.md 
@@ -15,14 +15,14 @@ at this **email address:** This is a simple Hello World Python App with the following three endpoints: -- **/sample-app/python/hello** is a sample endpoint. +- **/sample-app/python/hello** is a sample secured (uses https) endpoint. -- **/sample-app/python/health** is an endpoint for an external agent to - monitor the App liveliness. +- **/sample-app/python/health** is an unsecured (uses http) endpoint for an + external agent to monitor the App liveliness. -- **/sample-app/python/metrics** is an endpoint that presents - the number of successful and failed invocations of - the '/sample-app/python/hello' endpoint. +- **/sample-app/python/metrics** is an unsecured endpoint (uses http) that + presents the number of successful and failed invocations of the + '/sample-app/python/hello' endpoint. **Note:** X.509 certificates are used for authentication, and mTLS uses them to secure communication between the App and the platform. @@ -51,7 +51,7 @@ Run the following command to build the image. APP_VERSION= \ APP_IMAGE=proj-eric-oss-drop/eric-oss-hello-world-python-app: \ ENVOY_IMAGE=proj-eric-oss-drop/eric-oss-hello-world-python-app-envoy: \ -docker compose build --no-cache +docker compose build ``` ## Run Docker Image @@ -60,7 +60,6 @@ A port binding on port 8050 is done to expose the endpoints. ```bash docker run -p 8050:8050 --rm --name python-sample-app proj-eric-oss-drop/eric-oss-hello-world-python-app: -docker run -d --name envoy --link python-sample-app -p 8080:8080 -p 8443:8443 proj-eric-oss-drop/eric-oss-hello-world-python-app-envoy: ``` Run a curl request to the /sample-app/python/hello endpoint of the app. @@ -124,7 +123,7 @@ mkdir csar-output Generate an archive of the Docker image and store it temporarily in the `csar-output` directory. - +#TODO::REWORK HERE with Proper paths ```bash docker save \ proj-eric-oss-drop/eric-oss-hello-world-python-app: \ 
@@ -250,7 +249,7 @@ Example of command result: "id": "af036040-a732-4af9-b65a-8103da56c35c", "fileName": "helloworldAppPackage.csar", "packageVersion": "4.0.0-0", - "packageSize": "51.7659MiB", + "packageSize": "103.4983MiB", "vendor": "Ericsson", "type": "rApp", "onboardStartedAt": "2025-05-31T13:51:56.616Z", @@ -431,11 +430,11 @@ This section describes how the App can communicate with IAM and produce logs to - You need the access token generated in **Onboard the App** prerequisite to access the App Manager for instantiating the Hello World CSAR App Package. -- Contact your platform administrator to generate the required App key, - certificates key, certificates, and the secrets which store them. The - details of the secrets, keys, certs and EIC endpoint details will be passed - to App Administration through the `userDefinedHelmParameters` when - instantiating the App. Refer to +- Contact your platform administrator and provide the `Service Name of your App` + to generate the required App key, certificates key, certificates, and + the secrets which store them. The details of the secrets, keys, certs and + EIC endpoint details will be passed to App Administration through the + `userDefinedHelmParameters` when instantiating the App. Refer to [App Certificate Provisioning Developer Guide](https://developer.intelligentautomationplatform.ericsson.net/#capabilities/app-cert-provisioning/developer-guide) to understand how certificates are loaded into the App during instantiation for secure communication. The required parameters are: @@ -691,16 +690,19 @@ curl --cert --key --key --cacert --location --request POST 'https:///hub/apiprovisioning/v1/admin/v3/apis/hello-world-python-route-001/endpoints' \ --header 'Authorization: Bearer ' \ --header 'Content-Type: application/json' \ --data '{ "endpointId": "python-hello-001", - "serverUrl": "http://eric-oss-hello-world-python-app:8050" + "serverUrl": "https://..:8050" }' ``` 
diff --git a/Dockerfile.app b/app.Dockerfile similarity index 66% rename from Dockerfile.app rename to app.Dockerfile index 6dca988..8e4c2e3 100644 --- a/Dockerfile.app +++ b/app.Dockerfile @@ -1,4 +1,4 @@ -FROM +FROM python:3.13-slim ARG USER_ID=60577 ARG USER_NAME="eric-sdk" @@ -8,10 +8,10 @@ LABEL \ WORKDIR /code -COPY ./eric-oss-hello-world-python-app ./eric-oss-hello-world-python-app +COPY ./hello-world-pysa ./hello-world-pysa COPY requirements.txt . -RUN chmod +x ./eric-oss-hello-world-python-app/main.py +RUN chmod +x ./hello-world-pysa/main.py RUN pip install --upgrade pip @@ -22,4 +22,4 @@ RUN echo "$USER_ID:!::0:::::" >>/etc/shadow USER $USER_ID -CMD ["./eric-oss-hello-world-python-app/main.py"] \ No newline at end of file +CMD ["./hello-world-pysa/main.py"] \ No newline at end of file diff --git a/charts/eric-oss-hello-world-python-app/templates/configmap/envoy-configmap.yaml b/charts/eric-oss-hello-world-python-app/templates/configmap/envoy-configmap.yaml index e4c094c..ae22ab4 100644 --- a/charts/eric-oss-hello-world-python-app/templates/configmap/envoy-configmap.yaml +++ b/charts/eric-oss-hello-world-python-app/templates/configmap/envoy-configmap.yaml 
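Review bot: `FROM python:3.13-slim` in the first `app.Dockerfile` hunk replaces the placeholder with a mutable tag, so two builds of the same commit can pull different base layers. Pinning the digest makes the image reproducible and gives a scanner a fixed base to report against: `FROM python:3.13-slim@sha256:<digest-of-the-vetted-image>`. The unpinned `RUN pip install --upgrade pip` kept in the second hunk drifts the same way; a fixed pip version there would match.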
@@ -40,12 +40,12 @@ data:
 common_tls_context:
 tls_certificates:
 - certificate_chain:
- filename: {{ printf "%s/%s" (default $.Values.instantiationDefaults.proxyAppCertMountPath $.Values.proxyAppCertMountPath) (default $.Values.instantiationDefaults.proxyAppCertFileName $.Values.proxyAppCertFileName) | quote }}
+ filename: {{ printf "%s/%s" (default $.Values.instantiationDefaults.proxyAppCertMountPath $.Values.proxyAppCertMountPath) (default $.Values.instantiationDefaults.appCertFileName $.Values.appCertFileName) | quote }}
 private_key:
- filename: {{ printf "%s/%s" (default $.Values.instantiationDefaults.proxyAppCertMountPath $.Values.proxyAppCertMountPath) (default $.Values.instantiationDefaults.proxyAppKeyFileName $.Values.proxyAppKeyFileName) | quote }}
+ filename: {{ printf "%s/%s" (default $.Values.instantiationDefaults.proxyAppCertMountPath $.Values.proxyAppCertMountPath) (default $.Values.instantiationDefaults.appKeyFileName $.Values.appKeyFileName) | quote }}
 validation_context:
 trusted_ca:
- filename: {{ printf "%s/%s" (default $.Values.instantiationDefaults.proxyCaCertMountPath $.Values.proxyCaCertMountPath) (default $.Values.instantiationDefaults.proxyCaCertFileName $.Values.proxyCaCertFileName) | quote }}
+ filename: {{ printf "%s/%s" (default $.Values.instantiationDefaults.proxyCaCertMountPath $.Values.proxyCaCertMountPath) (default $.Values.instantiationDefaults.platformCaCertFileName $.Values.platformCaCertFileName) | quote }}
 # Plain HTTP listener for other endpoints
 - name: listener_http
diff --git a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml
index fa7e9d2..2514874 100644
--- a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml
+++ b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml
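Review bot: The `validation_context` under `common_tls_context` in `envoy-configmap.yaml` holds only `trusted_ca`, so the listener accepts any client certificate that chains to the platform CA rather than a specific caller. If only the platform gateway is meant to reach this listener, a SAN matcher such as `match_typed_subject_alt_names` with the expected identity would narrow that. Whether a client certificate is demanded at all depends on `require_client_certificate: true` on the enclosing TLS context, which lies above this hunk; without it Envoy validates a certificate only when one is presented, so that setting is worth confirming.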
@@ -76,11 +76,11 @@ spec: #TODO point the below two secret to platformCaCertSecretName and appSecretName :: OA of scope - name: proxy-platform-cacerts secret: - secretName: {{ index .Values "proxyCaCertSecretName" | quote }} + secretName: {{ index .Values "platformCaCertSecretName" | quote }} defaultMode: 420 - name: proxy-app-certs secret: - secretName: {{ index .Values "proxyAppSecretName" | quote }} + secretName: {{ index .Values "appSecretName" | quote }} defaultMode: 420 containers: - name: eric-oss-hello-world-python-app @@ -216,11 +216,8 @@ spec: drop: - all {{- include "eric-oss-hello-world-python-app.seccomp-profile" . | indent 12 }} - command: ["/bin/sh", "-c"] - args: - - | - echo "==== Starting Envoy ====" - exec envoy -c /etc/envoy/envoy.yaml --log-level info --base-id 1 + command: ["envoy"] + args: ["-c", "/etc/envoy/envoy.yaml", "--base-id", "1"] ports: - name: envoy-http containerPort: 8080 diff --git a/charts/eric-oss-hello-world-python-app/templates/service/service.yaml b/charts/eric-oss-hello-world-python-app/templates/service/service.yaml index b1f5b80..6abedc8 100644 --- a/charts/eric-oss-hello-world-python-app/templates/service/service.yaml +++ b/charts/eric-oss-hello-world-python-app/templates/service/service.yaml @@ -1,7 +1,7 @@ apiVersion: v1 kind: Service metadata: - name: {{ include "eric-oss-hello-world-python-app.name" . }} + name: {{ default .Values.instantiationDefaults.serviceName .Values.serviceName }} labels: {{- include "eric-oss-hello-world-python-app.labels" . | nindent 4 }} {{- if .Values.labels }} @@ -24,5 +24,5 @@ spec: protocol: TCP name: envoy-https selector: - app.kubernetes.io/name: {{ include "eric-oss-hello-world-python-app.name" . }} + app.kubernetes.io/name: {{ default .Values.instantiationDefaults.serviceName .Values.serviceName }} app.kubernetes.io/instance: {{ .Release.Name }} 
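Review bot: The `#TODO point the below two secret to platformCaCertSecretName and appSecretName` comment at the top of the first deployment.yaml hunk is now stale, because the two changed `secretName:` lines do exactly that; it should be removed in the same commit. Both volumes keep `defaultMode: 420` (0644), which leaves the private key in `proxy-app-certs` readable by every user in the pod. A tighter mode such as `defaultMode: 288` (0440) combined with an `fsGroup` would limit it to the container's group; the pod securityContext is outside this hunk, so check what it sets. `index .Values "appSecretName" | quote` also renders `""` when the value is missing, which `required` would catch at render time.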
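Review bot: The selector in the second service.yaml hunk now takes `app.kubernetes.io/name` from `serviceName`, while the pod template labels are not touched in this commit and presumably still come from the `eric-oss-hello-world-python-app.name` helper. Any override of `serviceName` would then leave the Service with no endpoints, so traffic to the 8080/8443 ports silently goes nowhere. Keep the selector on the helper and use the new value only for `metadata.name`, quoted: `name: {{ default .Values.instantiationDefaults.serviceName .Values.serviceName | quote }}`. PATCH 14/20 repeats the same pattern with `.Values.service.serviceName` before PATCH 15/20 reverts it.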
diff --git a/charts/eric-oss-hello-world-python-app/values.yaml b/charts/eric-oss-hello-world-python-app/values.yaml index 3615f3a..5ccb091 100644 --- a/charts/eric-oss-hello-world-python-app/values.yaml +++ b/charts/eric-oss-hello-world-python-app/values.yaml @@ -97,23 +97,23 @@ probes: eric-oss-hello-world-python-app: livenessProbe: failureThreshold: 3 - initialDelaySeconds: 60 + initialDelaySeconds: 30 periodSeconds: 10 timeoutSeconds: 10 readinessProbe: failureThreshold: 3 - initialDelaySeconds: 60 + initialDelaySeconds: 30 periodSeconds: 10 timeoutSeconds: 10 proxy: livenessProbe: failureThreshold: 3 - initialDelaySeconds: 60 + initialDelaySeconds: 30 periodSeconds: 10 timeoutSeconds: 10 readinessProbe: failureThreshold: 3 - initialDelaySeconds: 60 + initialDelaySeconds: 30 periodSeconds: 10 timeoutSeconds: 10 @@ -129,6 +129,7 @@ instantiationDefaults: clientCredsMountPath: "/etc/client-creds/" proxyCaCertMountPath: "/etc/certs/ca" proxyAppCertMountPath: "/etc/certs/app" + serviceName: "eric-oss-hello-world-python-app" global: clientCredentials: diff --git a/docker-compose.yaml b/docker-compose.yaml index 6a35154..12f5b2c 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -1,27 +1,21 @@ -version: "3.9" - services: app: build: context: . - dockerfile: Dockerfile.app + dockerfile: app.Dockerfile args: APP_VERSION: ${APP_VERSION} image: ${APP_IMAGE} - container_name: eric-oss-hello-world-python-app ports: - "8050:8050" - restart: unless-stopped envoy: build: context: . - dockerfile: Dockerfile.envoy + dockerfile: envoy.Dockerfile image: ${ENVOY_IMAGE} - container_name: envoy depends_on: - app ports: - "8080:8080" - - "8443:8443" - restart: unless-stopped \ No newline at end of file + - "8443:8443" \ No newline at end of file diff --git a/envoy.Dockerfile b/envoy.Dockerfile new file mode 100644 index 0000000..f0db53f --- /dev/null +++ b/envoy.Dockerfile 
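Review bot: The `app` service in docker-compose.yaml still publishes `"8050:8050"` on all host interfaces, so the application's plain HTTP port stays reachable without passing through the Envoy listeners on 8080/8443. If direct access is only wanted for local debugging, bind it to loopback with `- "127.0.0.1:8050:8050"`, or drop the mapping and let `envoy` reach `app` over the compose network. The hunk covers the whole 21-line file, and it defines no network restriction that would otherwise limit this.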
@@ -0,0 +1,6 @@ +FROM envoyproxy/envoy:distroless-v1.35.0 + +USER 1000 +EXPOSE 8080 8443 + +CMD ["envoy", "-c", "/etc/envoy/envoy.yaml"] From e7eb4aa73eae4f8732766e157c49840e0d2ab1a9 Mon Sep 17 00:00:00 2001 From: erjxsrn Date: Fri, 12 Sep 2025 15:14:12 +0100 Subject: [PATCH 12/20] Fixed README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b27bd6d..d5e8803 100644 --- a/README.md +++ b/README.md @@ -123,7 +123,7 @@ mkdir csar-output Generate an archive of the Docker image and store it temporarily in the `csar-output` directory. -#TODO::REWORK HERE with Proper paths + ```bash docker save \ proj-eric-oss-drop/eric-oss-hello-world-python-app: \ From 7917b2d451c7fc2c057e0acb0ff032d238e5dd2c Mon Sep 17 00:00:00 2001 From: erjxsrn Date: Fri, 12 Sep 2025 15:22:02 +0100 Subject: [PATCH 13/20] Fixed App name issues --- app.Dockerfile | 8 ++++---- eric-oss-hello-world-python-app/main.py | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/app.Dockerfile b/app.Dockerfile index 8e4c2e3..6dca988 100644 --- a/app.Dockerfile +++ b/app.Dockerfile @@ -1,4 +1,4 @@ -FROM python:3.13-slim +FROM ARG USER_ID=60577 ARG USER_NAME="eric-sdk" @@ -8,10 +8,10 @@ LABEL \ WORKDIR /code -COPY ./hello-world-pysa ./hello-world-pysa +COPY ./eric-oss-hello-world-python-app ./eric-oss-hello-world-python-app COPY requirements.txt . -RUN chmod +x ./hello-world-pysa/main.py +RUN chmod +x ./eric-oss-hello-world-python-app/main.py RUN pip install --upgrade pip @@ -22,4 +22,4 @@ RUN echo "$USER_ID:!::0:::::" >>/etc/shadow USER $USER_ID -CMD ["./hello-world-pysa/main.py"] \ No newline at end of file +CMD ["./eric-oss-hello-world-python-app/main.py"] \ No newline at end of file diff --git a/eric-oss-hello-world-python-app/main.py b/eric-oss-hello-world-python-app/main.py index eda2a0d..acd3adb 100755 --- a/eric-oss-hello-world-python-app/main.py +++ b/eric-oss-hello-world-python-app/main.py 
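Review bot: `CMD ["envoy", "-c", "/etc/envoy/envoy.yaml"]` in the new envoy.Dockerfile depends on a config file that the image never copies in, and the docker-compose.yaml from the same commit has no `volumes:` entry that would mount one. Under compose, Envoy would therefore start with whatever config the base image ships at that path, if any, and not with the TLS listener defined in the chart's ConfigMap. The published 8080/8443 ports would then not behave like the Kubernetes deployment. Mounting the config read-only in compose, `- <path-to-envoy-config>:/etc/envoy/envoy.yaml:ro`, or a comment in the Dockerfile stating that the file is supplied at runtime, would make the dependency explicit.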
@@ -62,7 +62,7 @@ def health(): indicate that the application is healthy. """ self.update_session() - self.logger.log("200 OK: Health check", Severity.DEBUG) + self.logger.log("200 OK: Health check", Severity.INFO) return "Ok\n" def update_session(self): From e514c01d0ad284799008c9fc5dd8d02cf70d6279 Mon Sep 17 00:00:00 2001 From: erjxsrn Date: Sun, 14 Sep 2025 15:06:18 +0100 Subject: [PATCH 14/20] Updated values.yaml and service.yaml --- .../templates/service/service.yaml | 4 ++-- charts/eric-oss-hello-world-python-app/values.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/eric-oss-hello-world-python-app/templates/service/service.yaml b/charts/eric-oss-hello-world-python-app/templates/service/service.yaml index 6abedc8..9cc2cf3 100644 --- a/charts/eric-oss-hello-world-python-app/templates/service/service.yaml +++ b/charts/eric-oss-hello-world-python-app/templates/service/service.yaml @@ -1,7 +1,7 @@ apiVersion: v1 kind: Service metadata: - name: {{ default .Values.instantiationDefaults.serviceName .Values.serviceName }} + name: {{ .Values.service.serviceName }} labels: {{- include "eric-oss-hello-world-python-app.labels" . | nindent 4 }} {{- if .Values.labels }} @@ -24,5 +24,5 @@ spec: protocol: TCP name: envoy-https selector: - app.kubernetes.io/name: {{ default .Values.instantiationDefaults.serviceName .Values.serviceName }} + app.kubernetes.io/name: {{ .Values.service.serviceName }} app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/charts/eric-oss-hello-world-python-app/values.yaml b/charts/eric-oss-hello-world-python-app/values.yaml index 5ccb091..3e5cb20 100644 --- a/charts/eric-oss-hello-world-python-app/values.yaml +++ b/charts/eric-oss-hello-world-python-app/values.yaml @@ -42,6 +42,7 @@ seccompProfile: localhostProfile: service: + serviceName: "eric-oss-hello-world-python-app" type: ClusterIP http-port: 8080 https-port: 8443 
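Review bot: Raising the health-check message to `Severity.INFO` makes every probe write a log record. values.yaml configures liveness and readiness probes with `periodSeconds: 10`, so if they target this endpoint each pod emits about twelve such lines a minute. That volume tends to bury the records an operator needs when investigating an incident; keeping `Severity.DEBUG` here, or logging only when the health state changes, avoids it. The signature and the start of the docstring of `health` lie above the hunk.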
@@ -129,7 +130,6 @@ instantiationDefaults: clientCredsMountPath: "/etc/client-creds/" proxyCaCertMountPath: "/etc/certs/ca" proxyAppCertMountPath: "/etc/certs/app" - serviceName: "eric-oss-hello-world-python-app" global: clientCredentials: From 2a39759a6519fcc0e9b34ba20050b1a63ea1160a Mon Sep 17 00:00:00 2001 From: erjxsrn Date: Sun, 14 Sep 2025 15:10:16 +0100 Subject: [PATCH 15/20] Updated Values.yaml and service.yaml --- .../templates/service/service.yaml | 4 ++-- charts/eric-oss-hello-world-python-app/values.yaml | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/charts/eric-oss-hello-world-python-app/templates/service/service.yaml b/charts/eric-oss-hello-world-python-app/templates/service/service.yaml index 9cc2cf3..b1f5b80 100644 --- a/charts/eric-oss-hello-world-python-app/templates/service/service.yaml +++ b/charts/eric-oss-hello-world-python-app/templates/service/service.yaml @@ -1,7 +1,7 @@ apiVersion: v1 kind: Service metadata: - name: {{ .Values.service.serviceName }} + name: {{ include "eric-oss-hello-world-python-app.name" . }} labels: {{- include "eric-oss-hello-world-python-app.labels" . | nindent 4 }} {{- if .Values.labels }} @@ -24,5 +24,5 @@ spec: protocol: TCP name: envoy-https selector: - app.kubernetes.io/name: {{ .Values.service.serviceName }} + app.kubernetes.io/name: {{ include "eric-oss-hello-world-python-app.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/charts/eric-oss-hello-world-python-app/values.yaml b/charts/eric-oss-hello-world-python-app/values.yaml index 3e5cb20..1428873 100644 --- a/charts/eric-oss-hello-world-python-app/values.yaml +++ b/charts/eric-oss-hello-world-python-app/values.yaml @@ -42,7 +42,6 @@ seccompProfile: localhostProfile: service: - serviceName: "eric-oss-hello-world-python-app" type: ClusterIP http-port: 8080 https-port: 8443 From 761eb34a87ab1c0f900a34ef9355c51d445e6c5e Mon Sep 17 00:00:00 2001 
From: erjxsrn Date: Mon, 15 Sep 2025 19:03:00 +0100 Subject: [PATCH 16/20] Added label and annotation to envoy config map. This details is required to identify the product rather envoy itself --- .../templates/configmap/envoy-configmap.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/charts/eric-oss-hello-world-python-app/templates/configmap/envoy-configmap.yaml b/charts/eric-oss-hello-world-python-app/templates/configmap/envoy-configmap.yaml index ae22ab4..5ac9453 100644 --- a/charts/eric-oss-hello-world-python-app/templates/configmap/envoy-configmap.yaml +++ b/charts/eric-oss-hello-world-python-app/templates/configmap/envoy-configmap.yaml @@ -3,6 +3,13 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ include "eric-oss-hello-world-python-app.name" . }}-envoy-configmap + labels: + {{- include "eric-oss-hello-world-python-app.labels" . | indent 4 }} + {{- if .Values.labels }} + {{ .Values.labels | toYaml | indent 4 }} + {{- end }} + annotations: + {{- include "eric-oss-hello-world-python-app.product-info" . | indent 4 }} data: ENVOY_CONFIG_FILE: |- static_resources: From c0bf4ca9c0edbff005d65386692b9c4b07299fe4 Mon Sep 17 00:00:00 2001 From: Vincent Kiely Date: Wed, 17 Sep 2025 15:26:55 +0100 Subject: [PATCH 17/20] Updated name of App in README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f653fdb..45a66ee 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# Hello World Python App +# Python Hello World App ## Disclaimer 
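Review bot: The new `labels:` and `annotations:` blocks in envoy-configmap.yaml use `{{- include ... | indent 4 }}`, whereas service.yaml in the same chart uses `{{- include "eric-oss-hello-world-python-app.labels" . | nindent 4 }}`. With `{{-` the newline after `labels:` is stripped, so `indent` only yields valid YAML if the helper's output itself begins with a newline; the helper definitions are not visible here, so this should be checked with `helm template`. `{{ .Values.labels | toYaml | indent 4 }}` has no left trim either, so the template line's own leading spaces are added to the first key only. Using `nindent 4` with a left trim on all three lines, for example `{{- toYaml .Values.labels | nindent 4 }}`, removes the dependence on how the helpers are written.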
@@ -7,7 +7,7 @@ > **already have full access** to the EIAP Ecosystem. > If you do not have this access, **please do not proceed.** -Python Hello World Sample App Documentation [Here](https://developer.intelligentautomationplatform.ericsson.net/#tutorials/sample-app-in-python). +Python Hello World App Documentation [Here](https://developer.intelligentautomationplatform.ericsson.net/#tutorials/sample-app-in-python). **Note:** If you need help accessing the EIAP Ecosystem, contact support From 73129270bcbdfa58e57f2d82c6e5b89ff810aaec Mon Sep 17 00:00:00 2001 From: erjxsrn Date: Thu, 18 Sep 2025 08:43:09 +0100 Subject: [PATCH 18/20] Updated envoy container name to envoy-proxy --- .../templates/deployment/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml index 2514874..bd2e373 100644 --- a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml +++ b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml @@ -197,7 +197,7 @@ spec: {{- end }} resources: {{- toYaml .Values.resources.helloWorld | nindent 12 }} - - name: envoy + - name: envoy-proxy image: {{ template "eric-oss-hello-world-python-app.imagePath" (dict "imageId" "eric-oss-hello-world-python-app-envoy" "values" .Values "files" .Files) }} imagePullPolicy: {{ include "eric-oss-hello-world-python-app.registryImagePullPolicy" . | quote }} securityContext: From fdc8e4c0c1149da21b61e8c1af2b7d087a8642b2 Mon Sep 17 00:00:00 2001 From: erjxsrn Date: Thu, 18 Sep 2025 12:17:18 +0100 Subject: [PATCH 19/20] Updated envoy user and removed env varaible in docker compose --- docker-compose.yaml | 2 +- envoy.Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index 12f5b2c..7c662aa 100644 --- a/docker-compose.yaml 
+++ b/docker-compose.yaml @@ -4,7 +4,7 @@ services: context: . dockerfile: app.Dockerfile args: - APP_VERSION: ${APP_VERSION} + APP_VERSION: ${VERSION} image: ${APP_IMAGE} ports: - "8050:8050" diff --git a/envoy.Dockerfile b/envoy.Dockerfile index f0db53f..7d37bd4 100644 --- a/envoy.Dockerfile +++ b/envoy.Dockerfile @@ -1,6 +1,6 @@ FROM envoyproxy/envoy:distroless-v1.35.0 -USER 1000 +USER 60577:60577 EXPOSE 8080 8443 CMD ["envoy", "-c", "/etc/envoy/envoy.yaml"] From 2a444f891da0130c18ef95317a71bd857d7a057f Mon Sep 17 00:00:00 2001 From: erjxsrn Date: Fri, 19 Sep 2025 08:53:16 +0100 Subject: [PATCH 20/20] Updated the product name for the envoy --- charts/eric-oss-hello-world-python-app/eric-product-info.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/eric-oss-hello-world-python-app/eric-product-info.yaml b/charts/eric-oss-hello-world-python-app/eric-product-info.yaml index 4e13db1..a18d153 100644 --- a/charts/eric-oss-hello-world-python-app/eric-product-info.yaml +++ b/charts/eric-oss-hello-world-python-app/eric-product-info.yaml @@ -9,7 +9,7 @@ images: name: "eric-oss-hello-world-python-app" tag: "VERSION" eric-oss-hello-world-python-app-envoy: - productName: "Envoy for hello world sample app" + productName: "Envoy for Python Hello World App" productNumber: "" registry: "armdocker.rnd.ericsson.se" repoPath: "REPO_PATH"
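Review bot: `APP_VERSION: ${VERSION}` silently passes an empty build arg when `VERSION` is not exported, and the README build command added earlier in this series sets `APP_VERSION=`, not `VERSION=`. Unless the README was updated in a commit not shown here, following it now builds an image with a blank version. `APP_VERSION: ${VERSION:?VERSION must be set}` makes compose fail fast instead, and the README command should be changed in the same commit.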