Set up cert-manager cluster role for pod security policies

This commit adds a helm chart that deploys a rolebinding to the cert-manager
application to allow deployments to the cert-manager namespace after
PodSecurityPolicy plugin is enabled on the Kubernetes cluster.

Partial-bug: 1878900
Depends-On: https://review.opendev.org/#/c/734408/
Depends-On: https://review.opendev.org/#/c/735998/

Change-Id: I73f91d94d341511b8e43c21d6f01b1cf3e7ad054
Signed-off-by: Jerry Sun <jerry.sun@windriver.com>

python-k8sapp-cert-manager/k8sapp_cert_manager/k8sapp_cert_manager/common/constants.py

@@ -7,3 +7,4 @@
 # Helm: Supported charts:
 # These values match the names in the chart package's Chart.yaml
 HELM_CHART_CERT_MANAGER = 'cert-manager'
+HELM_CHART_PSP_ROLEBINDING = 'psp-rolebinding'

python-k8sapp-cert-manager/k8sapp_cert_manager/k8sapp_cert_manager/helm/psp_rolebinding.py

@@ -0,0 +1,43 @@
+#
+# Copyright (c) 2020 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+from k8sapp_cert_manager.common import constants as app_constants
+
+from sysinv.common import constants
+from sysinv.common import exception
+
+from sysinv.helm import base
+from sysinv.helm import common
+
+
+class PSPRolebindingHelm(base.BaseHelm):
+    """Class to encapsulate helm operations for the psp rolebinding chart"""
+
+    SUPPORTED_NAMESPACES = base.BaseHelm.SUPPORTED_NAMESPACES + \
+        [common.HELM_NS_CERT_MANAGER]
+    SUPPORTED_APP_NAMESPACES = {
+        constants.HELM_APP_CERT_MANAGER:
+            base.BaseHelm.SUPPORTED_NAMESPACES + [common.HELM_NS_CERT_MANAGER],
+    }
+
+    CHART = app_constants.HELM_CHART_PSP_ROLEBINDING
+    SERVICE_NAME = 'psp-rolebinding'
+
+    def get_namespaces(self):
+        return self.SUPPORTED_NAMESPACES
+
+    def get_overrides(self, namespace=None):
+        overrides = {
+            common.HELM_NS_CERT_MANAGER: {}
+        }
+
+        if namespace in self.SUPPORTED_NAMESPACES:
+            return overrides[namespace]
+        elif namespace:
+            raise exception.InvalidHelmNamespace(chart=self.CHART,
+                                                 namespace=namespace)
+        else:
+            return overrides

python-k8sapp-cert-manager/k8sapp_cert_manager/setup.cfg

@@ -34,6 +34,7 @@ systemconfig.helm_applications =
 
 systemconfig.helm_plugins.cert_manager =
     001_cert-manager = k8sapp_cert_manager.helm.cert_manager:CertMgrHelm
+    002_psp-rolebinding = k8sapp_cert_manager.helm.psp_rolebinding:PSPRolebindingHelm
 
 [wheel]
 universal = 1

stx-cert-manager-helm/centos/build_srpm.data

@@ -5,3 +5,7 @@ SRC_DIR="stx-cert-manager-helm"
 TIS_BASE_SRCREV=94d4c26f982e2e8c222517900c504580d1e3a09d
 TIS_PATCH_VER=GITREVCOUNT
 
+COPY_LIST_TO_TAR="\
+    $STX_BASE/helm-charts/psp-rolebinding/psp-rolebinding/helm-charts \
+"
+

stx-cert-manager-helm/centos/stx-cert-manager-helm.spec

@@ -40,6 +40,11 @@ chartmuseum --debug --port=8879 --context-path='/charts' --storage="local" --sto
 sleep 2
 helm repo add local http://localhost:8879/charts
 
+# Make the charts. These produce a tgz file
+cd helm-charts
+make psp-rolebinding
+cd -
+
 # terminate helm server (the last backgrounded task)
 kill %1
 
@@ -52,6 +57,7 @@ mkdir -p %{app_staging}
 cp files/metadata.yaml %{app_staging}
 cp manifests/*.yaml %{app_staging}
 mkdir -p %{app_staging}/charts
+cp helm-charts/*.tgz %{app_staging}/charts
 cp %{helm_folder}/cert*.tgz %{app_staging}/charts
 cd %{app_staging}
 

stx-cert-manager-helm/stx-cert-manager-helm/helm-charts/Makefile

@@ -0,0 +1,43 @@
+#
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Copyright (c) 2018 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# It's necessary to set this because some environments don't link sh -> bash.
+SHELL := /bin/bash
+TASK  := build
+
+EXCLUDES := helm-toolkit doc tests tools logs tmp
+CHARTS := helm-toolkit $(filter-out $(EXCLUDES), $(patsubst %/.,%,$(wildcard */.)))
+
+.PHONY: $(EXCLUDES) $(CHARTS)
+
+all: $(CHARTS)
+
+$(CHARTS):
+	@if [ -d $@ ]; then \
+		echo; \
+		echo "===== Processing [$@] chart ====="; \
+		make $(TASK)-$@; \
+	fi
+
+init-%:
+	if [ -f $*/Makefile ]; then make -C $*; fi
+	if [ -f $*/requirements.yaml ]; then helm dep up $*; fi
+
+lint-%: init-%
+	if [ -d $* ]; then helm lint $*; fi
+
+build-%: lint-%
+	if [ -d $* ]; then helm package $*; fi
+
+clean:
+	@echo "Clean all build artifacts"
+	rm -f */templates/_partials.tpl */templates/_globals.tpl
+	rm -f *tgz */charts/*tgz */requirements.lock
+	rm -rf */charts */tmpcharts
+
+%:
+	@:

stx-cert-manager-helm/stx-cert-manager-helm/manifests/certmanager-manifest.yaml

@@ -1,5 +1,35 @@
 ---
 schema: armada/Chart/v1
+metadata:
+  schema: metadata/Document/v1
+  name: cert-manager-psp-rolebinding
+data:
+  chart_name: psp-rolebinding
+  release: cert-manager-psp-rolebinding
+  namespace: cert-manager
+  values:
+    rolebindingNamespace: cert-manager
+    serviceAccount: cert-manager
+  source:
+    location: http://172.17.0.1:8080/helm_charts/stx-platform/psp-rolebinding-0.1.0.tgz
+    subpath: psp-rolebinding
+    type: tar
+    reference: master
+  upgrade:
+    no_hooks: false
+    pre:
+      delete:
+      - labels:
+          release_group: cert-manager-psp-rolebinding
+        type: job
+  wait:
+    labels:
+      release_group: cert-manager-psp-rolebinding
+    resources: []
+    timeout: 1800
+  dependencies: []
+---
+schema: armada/Chart/v1
 metadata:
   schema: metadata/Document/v1
   name: cert-manager
@@ -95,6 +125,7 @@ data:
   sequenced: true
   chart_group:
     - cert-manager
+    - cert-manager-psp-rolebinding
 ---
 schema: armada/Manifest/v1
 metadata: