Merge pull request #71 from ibm-hyper-protect/sample-paynow

Add PayNow Terraform example

Author: Timo-1

terraform-hpvs/sample-paynow/README.md

@@ -0,0 +1,41 @@
+## Contract generation example for the PayNow sample application
+
+This sample creates an encrypted and signed contract and stores it locally in a file. You can later use the contract to provision a HPVS for VPC instance.
+The contract will define the container image, the container registry and the credentials for pulling your workload container image, as well as a server certificate and server key.
+
+For more information, see this [tutorial](https://cloud.ibm.com/docs/vpc?topic=vpc-financial-transaction-confidential-computing-on-hyper-protect-virtual-server-for-vpc) and the [PayNow sample application](https://github.com/ibm-hyper-protect/paynow-website).
+
+### Prerequisite
+
+Prepare your local environment according to [these steps](../README.md)
+
+### Define your settings
+
+In file `compose\pod.yml` adapt the value for `image` to reference your container registry and your container image including the digest.
+
+Define your settings:
+- logdna_ingestion_hostname: The ingestion host name of your Log instance which you provisioned previously
+- logdna_ingestion_key: The ingestion key of your Log instance
+- registry: The container registry where the workload container image is pulled from, e.g. `us.icr.io`
+- pull_username: The container registry username for pulling your workload container image
+- pull_password: The container registry password for pulling your workload container image
+- server_cert: The base64-encoded SSL server certificate
+- server_key: The base64-encoded SSL server key
+
+The settings are defined in form of Terraform variables in a template file:
+
+1. `cp my-settings.auto.tfvars-template my-settings.auto.tfvars`
+2. Fill the values in `my-settings.auto.tfvars`
+
+### Create the contract
+
+```bash
+terraform init
+terraform apply
+```
+
+### Further steps
+
+The contract will be written to the file `build/contract.yml` and can now be used for e.g. provisining a HPVS for VPC instance.
+
+Note that you will need to create a public gateway in your VPC before creating the HPVS for VPC instance. This is necessary to allow the HPVS for VPC instance to reach your Log instance through the public gateway. Also assign a floating IP to your HPVS for VPC instance.

terraform-hpvs/sample-paynow/compose/pod.yml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: paynow
+spec:
+  containers:
+  - name: main
+    image: ghcr.io/ibm-hyper-protect/paynow-website@sha256:ddba7d52d058f46b184d67783e8c55999a8d439a1eb11d3d5314cd787a928bc3
+    ports:
+    - containerPort: 8080
+      hostPort: 8080
+      protocol: tcp
+    - containerPort: 8443
+      hostPort: 8443
+      protocol: tcp
+    envFrom:
+    - configMapRef:
+        name: contract.config.map
+        optional: false
+    volumeMounts:
+    - name: hyperprotect
+      mountPath: /var/hyperprotect/
+  restartPolicy: Never
+  volumes:
+  - name: hyperprotect
+    hostPath:
+      path: /var/hyperprotect/

terraform-hpvs/sample-paynow/my-settings.auto.tfvars-template

@@ -0,0 +1,7 @@
+logdna_ingestion_key="Your LogDNA ingestion key"   # You can find this in "Linux/ubuntu" section of `Logging sources` tab of "IBM Log Analysis" instance in [cloud.ibm.com](https://cloud.ibm.com)
+logdna_ingestion_hostname="rsyslog endpoint of IBM Log Analysis instance"     # Example: "syslog-a.<log_region>.logging.cloud.ibm.com". Where <log_region> is the region on which IBM Log Analysis is deployed
+registry="Prefix for the dynamic registry" # e.g. docker.io/library or us.icr.io
+pull_username="Username for registry" # Username with read access to the container registry
+pull_password="Password for registry" # Password with read access to the container registry
+server_cert="Base64-encoded server certificate"
+server_key="Base64-encoded server key"

terraform-hpvs/sample-paynow/terraform.tf

@@ -0,0 +1,58 @@
+terraform {
+  required_providers {
+    hpcr = {
+      source  = "ibm-hyper-protect/hpcr"
+      version = ">= 0.1.6"
+    }
+  }
+}
+
+# archive of the folder containing the pod.yml file. This folder could create additional resources such as files 
+# to be mounted into containers, environment files etc. This is why all of these files get bundled in a tgz file (base64 encoded)
+resource "hpcr_tgz" "contract" {
+  folder = "compose"
+}
+
+locals {
+  # contract in clear text
+ contract = yamlencode({
+    "env" : {
+      "type" : "env",
+      "logging" : {
+        "logDNA" : {
+          "ingestionKey" : var.logdna_ingestion_key,
+          "hostname" : var.logdna_ingestion_hostname,
+        }
+      },
+      "auths" : {
+        (var.registry) : {
+          "username" : var.pull_username,
+          "password" : var.pull_password
+        }
+      },
+      "env" : {
+        "REGISTRY" : var.registry,
+        "CERT": var.server_cert,
+        "KEY": var.server_key
+      }
+    },
+    "workload" : {
+      "type" : "workload",
+      "play" : {
+        "archive" : hpcr_tgz.contract.rendered
+      }
+    }
+  })
+}
+
+# In this step we encrypt the fields of the contract and sign the env and workload field. The certificate to execute the 
+# encryption it built into the provider and matches the latest HPCR image. If required it can be overridden. 
+# We use a temporary, random keypair to execute the signature. This could also be overriden. 
+resource "hpcr_contract_encrypted" "contract" {
+  contract = local.contract
+}
+
+resource "local_file" "contract" {
+  content  = hpcr_contract_encrypted.contract.rendered
+  filename = "${path.module}/build/contract.yml"
+}

terraform-hpvs/sample-paynow/variables.tf

@@ -0,0 +1,54 @@
+variable "logdna_ingestion_key" {
+  type        = string
+  sensitive   = true
+  description = <<-DESC
+                  Ingestion key for IBM Log Analysis instance. This can be 
+                  obtained from "Linux/Ubuntu" section of "Logging resource" 
+                  tab of IBM Log Analysis instance
+                DESC
+}
+
+variable "logdna_ingestion_hostname" {
+  type        = string
+  description = <<-DESC
+                  rsyslog endpoint of IBM Log Analysis instance. 
+                  Don't include the port. Example: 
+                  syslog-a.<log_region>.logging.cloud.ibm.com
+                  log_region is the region where IBM Log Analysis is deployed
+                DESC
+}
+
+variable "registry" {
+  type        = string
+  description = <<-DESC
+                  Prefix of the container registry used to pull the image
+                DESC
+}
+
+variable "pull_username" {
+  type        = string
+  description = <<-DESC
+                  Username to pull from the above registry
+                DESC
+}
+
+variable "pull_password" {
+  type        = string
+  description = <<-DESC
+                  Password to pull from the above registry
+                DESC
+}
+
+variable "server_cert" {
+  type        = string
+  description = <<-DESC
+                  Base64-encoded server certificate
+                DESC
+}
+
+variable "server_key" {
+  type        = string
+  description = <<-DESC
+                  Base64-encoded server key
+                DESC
+}