Merge branch 'develop' into feature/CLD-278

Author: pengzhouml

README.md

@@ -1,5 +1,6 @@
 # MarkLogic Kubernetes Helm Chart
 
+- [MarkLogic Kubernetes Helm Chart](#marklogic-kubernetes-helm-chart)
 - [Introduction](#introduction)
 - [Prerequisites](#prerequisites)
   - [Set Up the Required Tools](#set-up-the-required-tools)
@@ -17,6 +18,13 @@
   - [Configuration Options](#configuration-options)
     - [--values](#--values)
     - [--set](#--set)
+    - [Setting MarkLogic admin password](#setting-marklogic-admin-password)
+    - [Log Collection](#log-collection)
+  - [Adding and Removing Hosts from Clusters](#adding-and-removing-hosts-from-clusters)
+    - [Adding Hosts](#adding-hosts)
+    - [Removing Hosts](#removing-hosts)
+    - [Enabling SSL over XDQP](#enabling-ssl-over-xdqp)
+- [Deploying a MarkLogic Cluster with Multiple Groups](#deploying-a-marklogic-cluster-with-multiple-groups)
 - [Access the MarkLogic Server](#access-the-marklogic-server)
   - [Service](#service)
     - [Get the ClusterIP Service Name](#get-the-clusterip-service-name)
@@ -221,6 +229,22 @@ helm install my-release marklogic/marklogic --version=1.0.0-ea1 \
 
 We recommend that you use the `values.yaml` file for configuring your installation.
 
+### Setting MarkLogic admin password
+
+If the password does not provided when installing the MarkLogic Chart, a randomly generated aphanumeric value will be set for MarkLogic admin password. This value is stored in Kuberenetes secrets. 
+User can also set a custom password by setting auth.adminPassword value during installation.
+To retrieve the randomly generated admin password, use the following commands:
+
+1. List the secrets for MarkLogic deployment:
+```
+kubectl get secrets
+```
+Identify the name of the secret.
+
+2. Save the secret name from step 1 and get the admin password using the following script:
+```
+kubectl get secret SECRET_NAME -o jsonpath='{.data.marklogic-password}' | base64 --decode
+```
 ### Log Collection
 
 To enable log collection for all Marklogic logs set logCollection.enabled to true. Set each option in logCollection.files to true of false depending on if you want to track each type of Marklogic log file.
@@ -272,13 +296,27 @@ kubectl logs pod/terminated-host-pod-name
 ```
 
 If you are permanently removing the host from the MarkLogic cluster, once the pod is terminated, follow standard MarkLogic administrative procedures using the administrative UI or APIs to remove the MarkLogic host from the cluster. Also, because Kubernetes keeps the Persistent Volume Claims and Persistent Volumes around until they are explicitly deleted, you must manually delete them using the Kubernetes APIs before attempting to scale the hosts in the StatefulSet back up again.
-
 ### Enabling SSL over XDQP
 
 To enable SSL over XDQP, set the `enableXdqpSsl` to true either in the values.yaml file or using the `--set` flag. All communications to and from hosts in the cluster will be secured. When this setting is on, default SSL certificates will be used for XDQP encryption.
 
 Note: To enable other XDQP/SSL settings like `xdqp ssl allow sslv3`, `xdqp ssl allow tls`, `xdqp ssl ciphers`, use MarkLogic REST Management API. See the MarkLogic documentation [here](https://docs.marklogic.com/REST/management).
 
+# Deploying a MarkLogic Cluster with Multiple Groups
+
+To deploy a MarkLogic cluster with multiple groups (separate E and D nodes for example) the `bootstrapHostName` and `group.name` must be configured in values.yaml or set the values provided for these configurations using the `--set` flag while installing helm charts.
+For example, if you want to create a MarkLogic cluster with three nodes in a "dnode" group and two nodes in an "enode" group, start with the following helm command:
+
+```
+helm install dnode-group ./charts/ --set group.name=dnode --set replicaCount=3
+```
+Once this deployment is complete, a MarkLogic cluster with three hosts should be running.
+To add the "enode" group and nodes to the cluster, the `bootstrapHostName` must be set to join the existing MarkLogic cluster. The first host in the other group can be used. For this example, set `bootstrapHostName` to `dnode-group-marklogic-0.dnode-group-marklogic-headless.default.svc.cluster.local` with the following command:
+
+```
+helm install enode-group ./charts/ --set group.name=enode --set replicaCount=2 --set bootstrapHostName=dnode-group-marklogic-0.dnode-group-marklogic-headless.default.svc.cluster.local
+```
+Once this deployment is complete, there will be a new "enode" group with two hosts in the MarkLogic cluster.
 
 # Access the MarkLogic Server
 

charts/templates/secret.yaml

@@ -1,11 +1,18 @@
+{{- $adminPassword := (default (randAlphaNum 10) .Values.auth.adminPassword) | b64enc | quote }}
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-admin" (include "marklogic.fullname" .))) }}
+{{- if $secret }}
+{{- $adminPassword = index $secret.data "password" }}
+{{- end }}
+
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "marklogic.fullname" . }}
+  name: {{ include "marklogic.fullname" . }}-admin
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "marklogic.labels" . | nindent 4 }}
 type: kubernetes.io/basic-auth
-stringData:
-  username: {{ .Values.auth.adminUsername}}
-  password: {{ .Values.auth.adminPassword}}
+data:
+    password: {{ $adminPassword }}
+    username: {{ .Values.auth.adminUsername | b64enc | quote }}
+

charts/templates/statefulset.yaml

@@ -51,28 +51,31 @@ spec:
               exit 0
             fi
             log "Info: [initContainer] Group $MARKLOGIC_GROUP does not exist, configuring group $MARKLOGIC_GROUP on the MarkLogic cluster."
-            for i in $(seq 1 5); do
-              res_code=`curl --anyauth --user ${MARKLOGIC_ADMIN_USERNAME}:${MARKLOGIC_ADMIN_PASSWORD} -m 20 -s -w '%{http_code}' -X POST -d "${GROUP_CFG}" -H "Content-type: application/json" http://${MARKLOGIC_BOOTSTRAP_HOST}:8002/manage/v2/groups`
-              if [[ ${res_code} -eq 201 ]]; then
-                log "Info: [initContainer] Successfully configured group $MARKLOGIC_GROUP on the MarkLogic cluster."
-                break
-              else
-                log "Info: [initContainer] Configure group $MARKLOGIC_GROUP retry attempt $i "
-                log "Info: [initContainer] Expected response code 202, got $res_code"
-                sleep 10s
-              fi
-              [ $i -eq 5 ] && exit 1
-            done
+            res_code=`curl --retry 5 --retry-all-errors --retry-max-time 60 --anyauth --user ${MARKLOGIC_ADMIN_USERNAME}:${MARKLOGIC_ADMIN_PASSWORD} -m 20 -s -w '%{http_code}' -X POST -d "${GROUP_CFG}" -H "Content-type: application/json" http://${MARKLOGIC_BOOTSTRAP_HOST}:8002/manage/v2/groups`
+            if [[ ${res_code} -eq 201 ]]; then
+              log "Info: [initContainer] Successfully configured group $MARKLOGIC_GROUP on the MarkLogic cluster."
+            else
+              log "Info: [initContainer] Expected response code 201, got $res_code"
+              exit 1
+            fi
+            log "Info: [initContainer] Group $MARKLOGIC_GROUP has been created, configuring App-server App-Services in group $MARKLOGIC_GROUP on the MarkLogic cluster."
+            res_code=`curl --retry 5 --retry-all-errors --retry-max-time 60 --anyauth --user ${MARKLOGIC_ADMIN_USERNAME}:${MARKLOGIC_ADMIN_PASSWORD} -m 20 -s -w '%{http_code}' -X POST -d '{"server-name":"App-Services", "root":"/", "port":8000,"modules-database":"Modules", "content-database":"Documents", "error-handler":"/MarkLogic/rest-api/8000-error-handler.xqy", "url-rewriter":"/MarkLogic/rest-api/8000-rewriter.xml"}' -H "Content-type: application/json" "http://${MARKLOGIC_BOOTSTRAP_HOST}:8002/manage/v2/servers?group-id=${MARKLOGIC_GROUP}&server-type=http"`
+            if [[ ${res_code} -eq 201 ]]; then
+              log "Info: [initContainer] Successfully configured App-server App-Services into group $MARKLOGIC_GROUP on the MarkLogic cluster."
+            else
+              log "Info: [initContainer] Expected response code 201, got $res_code"
+              exit 1
+            fi                      
         env: 
         - name: MARKLOGIC_ADMIN_USERNAME
           valueFrom:
             secretKeyRef:
-              name: {{ include "marklogic.fullname" . }}
+              name: {{ include "marklogic.fullname" . }}-admin
               key: username
         - name: MARKLOGIC_ADMIN_PASSWORD
           valueFrom:
             secretKeyRef:
-              name: {{ include "marklogic.fullname" . }}
+              name: {{ include "marklogic.fullname" . }}-admin
               key: password
         - name: POD_NAME
           valueFrom:
@@ -95,13 +98,13 @@ spec:
           env:
             - name: MARKLOGIC_ADMIN_USERNAME
               valueFrom:
-                secretKeyRef:
-                  name: {{ include "marklogic.fullname" . }}
-                  key: username
+                  secretKeyRef:
+                    name: {{ include "marklogic.fullname" . }}-admin
+                    key: username
             - name: MARKLOGIC_ADMIN_PASSWORD
               valueFrom:
                   secretKeyRef:
-                    name: {{ include "marklogic.fullname" . }}
+                    name: {{ include "marklogic.fullname" . }}-admin
                     key: password
             - name: POD_NAME
               valueFrom:

charts/values.yaml

@@ -51,7 +51,7 @@ fullnameOverride: ""
 # Configure Marklogic Admin Username and Password
 auth:
   adminUsername: admin
-  adminPassword: admin
+  adminPassword: ""
 
 # Configure Affinity property for scheduling pods to nodes
 # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
@@ -137,7 +137,7 @@ startupProbe:
 # Log collection will collect all logs for each file type enabled, parse them, 
 # And export them to a logging backend specified in the outputs section below
 logCollection:
-  enabled: true
+  enabled: false
   image: fluent/fluent-bit:1.9.7
   resources:
     requests:

test/e2e/install_test.go

@@ -3,6 +3,8 @@ package e2e
 import (
 	"crypto/tls"
 	"fmt"
+	"io/ioutil"
+	"net/http"
 	"os"
 	"path/filepath"
 	"strings"
@@ -13,6 +15,9 @@ import (
 	http_helper "github.com/gruntwork-io/terratest/modules/http-helper"
 	"github.com/gruntwork-io/terratest/modules/k8s"
 	"github.com/gruntwork-io/terratest/modules/random"
+	"github.com/stretchr/testify/assert"
+	"github.com/tidwall/gjson"
+	digestAuth "github.com/xinsnake/go-http-digest-auth-client"
 )
 
 func TestHelmInstall(t *testing.T) {
@@ -23,6 +28,9 @@ func TestHelmInstall(t *testing.T) {
 	}
 	imageRepo, repoPres := os.LookupEnv("dockerRepository")
 	imageTag, tagPres := os.LookupEnv("dockerVersion")
+	var resp *http.Response
+	var body []byte
+	var err error
 
 	if !repoPres {
 		imageRepo = "marklogic-centos/marklogic-server-centos"
@@ -40,7 +48,7 @@ func TestHelmInstall(t *testing.T) {
 		KubectlOptions: kubectlOptions,
 		SetValues: map[string]string{
 			"persistence.enabled":   "false",
-			"replicaCount":          "1",
+			"replicaCount":          "2",
 			"image.repository":      imageRepo,
 			"image.tag":             imageTag,
 			"logCollection.enabled": "false",
@@ -61,21 +69,65 @@ func TestHelmInstall(t *testing.T) {
 	podName := releaseName + "-marklogic-0"
 	// wait until the pod is in Ready status
 	k8s.WaitUntilPodAvailable(t, kubectlOptions, podName, 10, 15*time.Second)
-	tunnel := k8s.NewTunnel(
-		kubectlOptions, k8s.ResourceTypePod, podName, 7997, 7997)
-	defer tunnel.Close()
-	tunnel.ForwardPort(t)
-	endpoint := fmt.Sprintf("http://%s", tunnel.Endpoint())
-	t.Logf(`Endpoint: %s`, endpoint)
+	tunnel7997 := k8s.NewTunnel(kubectlOptions, k8s.ResourceTypePod, podName, 7997, 7997)
+	defer tunnel7997.Close()
+	tunnel7997.ForwardPort(t)
+	endpoint7997 := fmt.Sprintf("http://%s", tunnel7997.Endpoint())
 
+	// verify if 7997 health check endpoint returns 200
 	http_helper.HttpGetWithRetryWithCustomValidation(
 		t,
-		endpoint,
+		endpoint7997,
 		&tlsConfig,
 		10,
 		15*time.Second,
 		func(statusCode int, body string) bool {
 			return statusCode == 200
 		},
 	)
+
+	t.Log("====Testing Generated Random Password====")
+	secretName := releaseName + "-marklogic-admin"
+	secret := k8s.GetSecret(t, kubectlOptions, secretName)
+	passwordArr := secret.Data["password"]
+	password := string(passwordArr[:])
+	// the generated random password should have length of 10
+	assert.Equal(t, 10, len(password))
+	usernameArr := secret.Data["username"]
+	username := string(usernameArr[:])
+	expectedUsername := "admin"
+	// the username from secret expected to be "admin"
+	assert.Equal(t, expectedUsername, username)
+
+	tunnel8002 := k8s.NewTunnel(kubectlOptions, k8s.ResourceTypePod, podName, 8002, 8002)
+	defer tunnel8002.Close()
+	tunnel8002.ForwardPort(t)
+	endpointManage := fmt.Sprintf("http://%s/manage/v2", tunnel8002.Endpoint())
+
+	request := digestAuth.NewRequest(username, password, "GET", endpointManage, "")
+	response, err := request.Execute()
+	if err != nil {
+		t.Fatalf(err.Error())
+	}
+	defer response.Body.Close()
+	// the generated password should be able to access the manage endpoint
+	assert.Equal(t, 200, response.StatusCode)
+
+	t.Log("====Verify no groups beyond enode were created/modified====")
+	groupStatusEndpoint := fmt.Sprintf("http://%s/manage/v2/groups?format=json", tunnel8002.Endpoint())
+	groupStatus := digestAuth.NewRequest(username, password, "GET", groupStatusEndpoint, "")
+	t.Logf(`groupStatusEndpoint: %s`, groupStatusEndpoint)
+	if resp, err = groupStatus.Execute(); err != nil {
+		t.Fatalf(err.Error())
+	}
+	if body, err = ioutil.ReadAll(resp.Body); err != nil {
+		t.Fatalf(err.Error())
+	}
+	groupQuantityJSON := gjson.Get(string(body), "group-default-list.list-items.list-count.value")
+
+	if groupQuantityJSON.Num != 1 {
+		t.Errorf("Only one group should exist, instead %v groups exist", groupQuantityJSON.Num)
+	}
+
+	t.Logf("Groups status response:\n" + string(body))
 }