Merge remote-tracking branch 'origin/kubernetes'

Conflicts:
	README.md

apps/whoami/001-deployment.yml

@@ -0,0 +1,25 @@
+# Deployment
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  namespace: default
+  name: whoami
+  labels: 
+    app: whoami
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: whoami
+  template:
+    metadata:
+      labels:
+        app: whoami
+    spec:
+      containers:
+      - name: whoami-container
+        image: containous/whoami
+        ports: 
+          - name: web
+            containerPort: 80

apps/whoami/002-service.yml

@@ -0,0 +1,16 @@
+# Service
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: whoami
+
+spec:
+#  type: ClusterIP
+  ports:
+  - protocol: TCP
+    port: 80
+    name: web
+  selector:
+    app: whoami
+

apps/whoami/003-ingress.yml

@@ -0,0 +1,43 @@
+# IngresRoute http
+---
+kind: IngressRoute
+apiVersion: traefik.containo.us/v1alpha1
+metadata:
+  name: whoami-notls
+  namespace: default
+
+spec:
+  entryPoints: 
+    - web
+  routes:
+  - match: Host(`{YOUR-DNS-NAME}`) 
+    kind: Rule
+    services:
+    - name: whoami
+      port: 80
+    # redirect http to https
+    middlewares: 
+    - name: redirect
+
+
+
+# IngresRoute https
+---
+kind: IngressRoute
+apiVersion: traefik.containo.us/v1alpha1
+metadata:
+  name: whoami-tls
+  namespace: default
+
+spec:
+  entryPoints: 
+    - websecure
+  routes:
+  - match: Host(`{YOUR-DNS-NAME}`) 
+    kind: Rule
+    services:
+    - name: whoami
+      port: 80
+  tls:
+    certResolver: default
+

apps/whoami/README.md

@@ -2,10 +2,9 @@
 
 The [whoami service](https://github.com/EmileVauge/whoamI) is a tiny Go webserver that responses with os information and HTTP request data.
 
-The docker-compose.yml file can be used to start this service in the imixs-cloud. 
+To start this service in the imixs-cloud: 
 
-**Note:** change the label 'traefik.frontend.rule=Host' to a valid DNS name.
 
-To start the service run:
+	$ kubectl apply -f whoami/
 
-	docker stack deploy -c apps/whoami/docker-compose.yml whoami
+

doc/INGRESS.md

@@ -0,0 +1,104 @@
+# Ingress Configuration with Traefik.io
+
+Imixs-Cloud provides a Ingress Configuration based on [Traefik.io](http://traefik.io).
+Traefik.io is a reverse proxy and load balancer to be used within a kubernetes cluster. Traefik provides Custom Resource Definitions (CRD) for routing HTTP/HTTPS requests from outside of your cluster to particular services. 
+
+To deploy traefik.io within the imixs-cloud run:
+
+	$ kubectl apply -f management/traefik/
+
+to undeploy traefik.io run:
+
+	$ kubectl delete -f management/traefik/
+
+
+
+## Configuration
+
+The traefik setup consists of three resource yaml files.
+
+### Deployment Configuration
+
+The 002-deployment.yaml file contains the deployment configuration for Traefik.io. This also includes Let's Encrypt setup. 
+
+Before your apply the traefik configuration please replace the place holder _{YOUR-E-MAIL}_ with the e-mail address of your organisation.
+
+Also comment the ACM Staging server from the Let's Encrypt setup after you have tested your cluster setup. 
+
+        # comment staging server for production
+        - --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
+        - --certificatesresolvers.default.acme.email={YOUR-E-MAIL}
+
+
+### Ingress Configuration  
+
+The 003-ingressroute.yaml file contains the ingress configuration for the Taefik.io service.  
+The spec defines a external IP address which is used to route external requests to one cluster node. Traffic that ingresses into the cluster with the external IP (as destination IP), on the Service port, will be routed to one of the Service endpoints. externalIPs are not managed by Kubernetes and are the responsibility of the cluster administrator. Find more details [here](https://kubernetes.io/docs/concepts/services-networking/service/#external-ips).
+
+So before you apply the traefik configuration please replace the _{MASTER-NODE-IP}_ with the Node IP address of one of your kubernetes cluster nodes used to ingress external traefik. This should typically be the IP address from your master node.
+
+	spec:
+	  externalIPs:
+	  - {MASTER-NODE-IP} 
+	  
+	  
+### Apply Configuration
+	  
+After you have configured the resource yaml files you can apply your changes to the kubernetes cluster:
+
+	$ kubectl apply -f management/traefik/
+
+
+
+## Adding Basic Authentication
+
+The BasicAuth middleware is a quick way to restrict access to your services to known users. Passwords must be encoded using MD5, SHA1, or BCrypt.
+You can use _htpasswd_ to generate the passwords.
+
+
+See also [here](https://docs.traefik.io/middlewares/basicauth/).
+
+
+
+## HTTP to HTTPS Redirect
+
+For redirection from HTTP to HTTPS a router middleware is configured in the 003-ingress.yaml file:
+
+
+	# Redirect http -> https
+	---
+	apiVersion: traefik.containo.us/v1alpha1
+	kind: Middleware
+	metadata:
+	  name: redirect
+	spec:
+	  redirectScheme:
+	    scheme: https
+
+This middleware can be used to redirect a service automatically form http to https. You just need to add the redirect to the routes definition of your ingressRoute:
+
+	...
+	  routes:
+	  - kind: Rule
+	    match: Host(`{YOUR-INTERNET-DNS-NAME}`)
+	    services:
+	    - name: your-service
+	      port: 80
+	    # apply auto redirect
+	    middlewares: 
+	    - name: redirect
+    ....
+
+
+
+More information about redirection and redirection on domain can be found [here](https://docs.traefik.io/migration/v1-to-v2/#http-to-https-redirection-is-now-configured-on-routers).
+
+
+
+
+## Find more....
+
+Find out more about Ingress and Traefik:
+
+ - https://docs.traefik.io
+ - https://ralph.blog.imixs.com/2020/02/01/kubernetes-setup-traefik-2-1/

doc/REGISTRY.md

@@ -3,99 +3,91 @@
 Docker images are available on docker registries. Most public docker images are available on [Docker Hub](https://hub.docker.com/). In the _Imixs-Cloud_  you can also setup your own private docker registry.
 A private registry can be used to push locally build docker images to be used in the cloud infrastructure. Images can be pulled and started as services without the need to build the images from a Docker file.
 
-# Setup a Private Registry 
-
-The _Imixs-Cloud_ already includes a configuration to run a private registry. The registry stores its data into a [data volume](https://docs.docker.com/engine/admin/volumes/), so the registry data is stored within a directory on the Docker management node. 
-
-### Create a Self Signed Certificate
-The private registry in the _Imixs-Cloud_ is secured with a TLS (Transport Layer Security). This guaranties that only authorized clients can push or pull an image from the registry.  To secure the registry, a self signed certificate for the manager-node is needed. 
-
-To create the certificate a DNS host name for the manager-node is needed. The following example registers the DNS name '_manager-node.com_'. The keys are stored in the directory _registry/_:
-
-
-	mkdir -p ./management/registry/certs && cd ./management/registry/certs
-	openssl req -newkey rsa:4096 -nodes -sha256 \
-	            -keyout domain.key -x509 -days 356 \
-	            -out domain.cert 
-	            
-	Generating a 4096 bit RSA private key
-	................................................++
-	writing new private key to 'registry_certs/domain.key'
-	-----
-	You are about to be asked to enter information that will be incorporated
-	into your certificate request.
-	What you are about to enter is what is called a Distinguished Name or a DN.
-	There are quite a few fields but you can leave some blank
-	For some fields there will be a default value,
-	If you enter '.', the field will be left blank.
-	-----
-	Country Name (2 letter code) [AU]:DE
-	State or Province Name (full name) [Some-State]:
-	Locality Name (eg, city) []: 
-	Organization Name (eg, company) [Internet Widgits Pty Ltd]: 
-	Organizational Unit Name (eg, section) []:
-	Common Name (e.g. server FQDN or YOUR name) []:manager-node.com
-	Email Address []:
-
-In this example a x509 certificate and a private RSA key is created with the DNS name (‘Common Name’) _manager-node.com_.
-openssl creates two files in the folder 'management/registry/certs/':
-
-* domain.cert – this file can be handled to the client using the private registry
-* domain.key – this is the private key which is necessary to run the private registry with TLS
-
-The configuration of the registry service is defined by docker-compose.yml located in the folder 'registry/'
-Create a docker-compose.yml file. (See /registry/docker-compose.yml). 
-
-Now the registry-service can be started with :
-
-	docker stack deploy -c management/registry/docker-compose.yml registry
-
-The registry will be available under port 8300 of the manager-node.
 
-You can check the registry API via the Rest API:
+## Habor
+
+The _Imixs-Cloud_ already includes a configuration to run the registry [Habor](https://goharbor.io/).
+_Habor_ is a secure, performant, scalable, and available cloud native repository for Kubernetes. It can be installed useing heml.
+
+
+## Installation
+
+Habor consists of several services. To make it easy to install Habor the right way you can use `helm`. Make sure that you have installed helm (see the install script `scripts/get_helm.sh`)
+
+### Add the harbor helm repository
+
+First add the Helm repository for Harbor
+
+	$ helm repo add harbor https://helm.goharbor.io
+
+Now you can install Harbor using the corresponding chart. 
 
-	https://manager-node.com:8300/v2/
 
+### Install Harbor 
 
+The Harbor Helm chart comes with a lot of parameters which can be applied during installation using the `--set` parameter. See the [Habor Helm Installer](https://github.com/goharbor/harbor-helm) for more information.
 
-### Add the registry into your Swarm UI
+The following command installs harbor into the _Imixs-Cloud_. 
+
+	$ helm install registry harbor/harbor --set persistence.enabled=false\
+	  --set expose.type=nodePort --set expose.tls.enabled=true\
+	  --set externalURL=https://{MASTER-NODE}:30003\
+	  --set expose.tls.commonName={MASTER-NODE}
 
-If you have installed a docker swarm-ui you can add the prived registry. 
-Add the registry by the URL “https://manager-node-com:8300/”
+replace the `{MASTER-NODE}` with the DNS name of your master node. 
 
+After a few seconds you can access harbor from your web browser via https:
 
+	https://{MASTER-NODE}:30003
+
+The default User/Password is:
 
+	admin/Harbor12345
+
+<img src="./images/harbor.png" />
+
+### Uninstall Harbor	
 
+To uninstall/delete the registry deployment:
 
+	$ helm uninstall registry
 
-# How to grant a Client
+	
 
-After you setup the private registry you can upload custom Docker images to be used by services running in the Imixs-Cloud. 
 
-To grant your local client to be allowed to push/pull images from the private docker registry hosted in your Imixs-Cloud, a copy of the certificate need to be copied into the docker certs.d directory of your local client and the docker service must be restarted once:
+# How to grant a Docker Client
 
-	mkdir -p /etc/docker/certs.d/manager-node.com:8300
-	cp domain.cert /etc/docker/certs.d/manager-node.com:8300/ca.crt
-	service docker restart
+After you setup the harbor registry you can upload custom Docker images to be used by services running in the Imixs-Cloud. 
 
-# How to Push a Docker Image into the Registry
+To  be allowed to push/pull images from the private docker registry hosted in your Imixs-Cloud, a copy of the certificate need to be copied into the docker certs.d directory of your local client and the docker service must be restarted once:
 
-To push a local image from a client into the Imixs-Cloud registry, the image must be tagged first. The following example pushes an image name 'apps/my-app' into the registry with the version numer '1.0.0':
+You can download the Harbor certificate from the Habor web frontend from your web browser or via command line :
 
-	docker tag apps/my-app manager-node.com:8300/apps/my-app:1.0.0
-	docker push manager-node.com:8300/apps/my-app:1.0.0
+	$ wget -O ca.crt --no-check-certificate https://{MASTER-NODE}:30003/api/systeminfo/getcert
 
-The push refers to a Imixs-Cloud repository on the host [manager-node.com:8300]
+replace {MASTER-NODE} with your cluster master node name.
 
+now create a new directly in your local docker/certs.d directory and copy the certificate:
+
+	$ mkdir -p /etc/docker/certs.d/{MASTER-NODE}:30003
+	$ cp ca.crt /etc/docker/certs.d/{MASTER-NODE}:30003/ca.crt
+	$ service docker restart
+
+Now you need to first login to your registry with docker:
+
+	$ docker login -u admin {MASTER-NODE}:30003
+
 
+# Push a local docker image
 
+To push a local docker image into the registry you first need to tag the image with the repository uri
 
-### Authentication
+	$ docker tag SOURCE_IMAGE[:TAG] {MASTER-NODE}:30003/library/IMAGE[:TAG]
 
-If you already have defined a HTTPs Basic authentication layer as described in the section [How to secure Imixs-Cloud](SETUP.md), you need to first login to your docker registry:
+**Note:** '/library/' is the project library name defined in Harbor!
 
-	 docker login -u admin https://manager-node.com:8300
+next you can push the image:
 
-After the successful login, you can push the image.
 
-**Note:** This is also true for the master-node itself if a service need to pull a image from the private registry. 
+	$ docker push {MASTER-NODE}:30003/library/IMAGE[:TAG]	
+