Merge pull request #70 from ibm-hyper-protect/sample-daytrader

Daytrader sample

Author: Timo-1

terraform-hpvs/sample-daytrader/README.md

@@ -0,0 +1,73 @@
+## Contract generation example for the Daytrader sample application
+
+This sample creates an encrypted and signed contract and stores it locally in a file. You can later use the contract to provision a HPVS for VPC instance.
+The contract will define the container image, the container registry and the credentials for pulling your workload container image.
+
+### Build the daytrader sample application
+On LinuxONE, e.g. a virtual server for VPC with s390x architecture, build the container image for the DayTrader sample application.
+
+To do so, clone or [download](https://github.com/OpenLiberty/sample.daytrader8/archive/master.zip) this [repository](https://github.com/OpenLiberty/sample.daytrader8/).
+
+From inside the sample.daytrader8 directory, build the application with the following commands:
+```
+mvn clean package
+docker build . -t daytrader:s390x
+```
+
+Then tag and push the resulting container image to your container registry.
+
+### Prerequisite
+
+Prepare your local environment according to [these steps](../README.md)
+
+### Define your settings
+
+Define your settings:
+- logdna_ingestion_hostname: The ingestion host name of your Log instance which you provisioned previously
+- logdna_ingestion_key: The ingestion key of your Log instance
+- registry: The container registry where the workload container image is pulled from, e.g. `us.icr.io`
+- pull_username: The container registry username for pulling your workload container image
+- pull_password: The container registry password for pulling your workload container image
+
+The settings are defined in form of Terraform variables.
+
+Define the variables in a template file:
+
+1. `cp my-settings.auto.tfvars-template my-settings.auto.tfvars`
+2. Fill the values in `my-settings.auto.tfvars`
+
+### Define your workload
+
+Create the file `compose\pod.yml` for your workload. Adapt the value for `image` to reference your container registry and your container image including the digest, e.g.:
+
+```
+apiVersion: v1
+kind: Pod
+metadata:
+  name: daytrader
+spec:
+  containers:
+  - name: daytrader
+    image: us.icr.io/sample/daytrader@sha256:5f4f20aee41e27858a8ed320faed6c2eb8b62dd4bf3e1737f54575a756c7a5da
+    ports:
+    - containerPort: 9080
+      hostPort: 9080
+      protocol: tcp
+```
+
+### Create the contract
+
+```bash
+terraform init
+terraform apply
+```
+
+### Further steps
+
+The contract will be written to the file `build/contract.yml` and can now be used for e.g. provisining a HPVS for VPC instance.
+
+Note that you will need to create a public gateway in your VPC before creating the HPVS for VPC instance. This is necessary to allow the HPVS for VPC instance to reach your Log instance through the public gateway. Also assign a floating IP to your HPVS for VPC instance.
+
+Once the instance is started, you can access the application at: `http://<floatingip>:9080/daytrader`
+
+After provisioning the HPVS for VPC instance you can use JMeter to test your daytrader application. To do so follow [these instructions](https://github.com/OpenLiberty/sample.daytrader8/blob/main/README_LOAD_TEST.md).

terraform-hpvs/sample-daytrader/compose/pod.yml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: daytrader
+spec:
+  containers:
+  - name: daytrader10
+    image: us.icr.io/sample/daytrader@sha256:5f4f20aee41e27858a8ed320faed6c2eb8b62dd4bf3e1737f54575a756c7a5da
+    ports:
+    - containerPort: 9080
+      hostPort: 9080
+      protocol: tcp

terraform-hpvs/sample-daytrader/my-settings.auto.tfvars-template

@@ -0,0 +1,5 @@
+logdna_ingestion_key="Your LogDNA ingestion key"   # You can find this in "Linux/ubuntu" section of `Logging sources` tab of "IBM Log Analysis" instance in [cloud.ibm.com](https://cloud.ibm.com)
+logdna_ingestion_hostname="rsyslog endpoint of IBM Log Analysis instance"     # Example: "syslog-a.<log_region>.logging.cloud.ibm.com". Where <log_region> is the region on which IBM Log Analysis is deployed
+registry="Prefix for the dynamic registry" # e.g. docker.io/library or us.icr.io
+pull_username="Username for registry" # Username with read access to the container registry
+pull_password="Password for registry" # Password with read access to the container registry

terraform-hpvs/sample-daytrader/terraform.tf

@@ -0,0 +1,56 @@
+terraform {
+  required_providers {
+    hpcr = {
+      source  = "ibm-hyper-protect/hpcr"
+      version = ">= 0.1.6"
+    }
+  }
+}
+
+# archive of the folder containing the pod.yml file. This folder could create additional resources such as files 
+# to be mounted into containers, environment files etc. This is why all of these files get bundled in a tgz file (base64 encoded)
+resource "hpcr_tgz" "contract" {
+  folder = "compose"
+}
+
+locals {
+  # contract in clear text
+ contract = yamlencode({
+    "env" : {
+      "type" : "env",
+      "logging" : {
+        "logDNA" : {
+          "ingestionKey" : var.logdna_ingestion_key,
+          "hostname" : var.logdna_ingestion_hostname,
+        }
+      },
+      "auths" : {
+        (var.registry) : {
+          "username" : var.pull_username,
+          "password" : var.pull_password
+        }
+      },
+      "env" : {
+        "REGISTRY" : var.registry
+      }
+    },
+    "workload" : {
+      "type" : "workload",
+      "play" : {
+        "archive" : hpcr_tgz.contract.rendered
+      }
+    }
+  })
+}
+
+# In this step we encrypt the fields of the contract and sign the env and workload field. The certificate to execute the 
+# encryption it built into the provider and matches the latest HPCR image. If required it can be overridden. 
+# We use a temporary, random keypair to execute the signature. This could also be overriden. 
+resource "hpcr_contract_encrypted" "contract" {
+  contract = local.contract
+}
+
+resource "local_file" "contract" {
+  content  = hpcr_contract_encrypted.contract.rendered
+  filename = "${path.module}/build/contract.yml"
+}

terraform-hpvs/sample-daytrader/variables.tf

@@ -0,0 +1,40 @@
+variable "logdna_ingestion_key" {
+  type        = string
+  sensitive   = true
+  description = <<-DESC
+                  Ingestion key for IBM Log Analysis instance. This can be 
+                  obtained from "Linux/Ubuntu" section of "Logging resource" 
+                  tab of IBM Log Analysis instance
+                DESC
+}
+
+variable "logdna_ingestion_hostname" {
+  type        = string
+  description = <<-DESC
+                  rsyslog endpoint of IBM Log Analysis instance. 
+                  Don't include the port. Example: 
+                  syslog-a.<log_region>.logging.cloud.ibm.com
+                  log_region is the region where IBM Log Analysis is deployed
+                DESC
+}
+
+variable "registry" {
+  type        = string
+  description = <<-DESC
+                  Prefix of the container registry used to pull the image
+                DESC
+}
+
+variable "pull_username" {
+  type        = string
+  description = <<-DESC
+                  Username to pull from the above registry
+                DESC
+}
+
+variable "pull_password" {
+  type        = string
+  description = <<-DESC
+                  Password to pull from the above registry
+                DESC
+}