From 56984b2f3087ee108ec9bffde5ab807c4d2c2229 Mon Sep 17 00:00:00 2001
From: Jerry Sun
Date: Fri, 20 Dec 2019 09:32:23 -0500
Subject: [PATCH] Add Dex as a platform managed application

Add an application to deploy dex as a container for Kubernetes authentication. This application will be packaged into an RPM and automatically uploaded on controller-0 unlock.

Story: 2006711
Task: 37856
Change-Id: I75aeeb2f73e2119994205f54361fee939c7aca25
Signed-off-by: Jerry Sun
---
 .zuul.yaml | 8 ++
 centos_iso_image.inc | 1 +
 centos_pkg_dirs | 1 +
 requirements.txt | 1 +
 stx-oidc-auth-helm/centos/build_srpm.data | 7 ++
 .../centos/stx-oidc-auth-helm.spec | 110 ++++++++++++++++++
 ...te-Dex-chart-for-Kubernetes-API-1.16.patch | 25 ++++
 .../files/0002-add-image-pull-secrets.patch | 53 +++++++++
 stx-oidc-auth-helm/files/Makefile | 43 +++++++
 stx-oidc-auth-helm/files/index.yaml | 3 +
 stx-oidc-auth-helm/files/manifest.yaml | 47 ++++++++
 stx-oidc-auth-helm/files/metadata.yaml | 3 +
 stx-oidc-auth-helm/files/repositories.yaml | 12 ++
 test-requirements.txt | 3 +
 tox.ini | 35 ++++++
 15 files changed, 352 insertions(+)
 create mode 100644 .zuul.yaml
 create mode 100644 centos_iso_image.inc
 create mode 100644 centos_pkg_dirs
 create mode 100644 requirements.txt
 create mode 100644 stx-oidc-auth-helm/centos/build_srpm.data
 create mode 100644 stx-oidc-auth-helm/centos/stx-oidc-auth-helm.spec
 create mode 100644 stx-oidc-auth-helm/files/0001-Update-Dex-chart-for-Kubernetes-API-1.16.patch
 create mode 100644 stx-oidc-auth-helm/files/0002-add-image-pull-secrets.patch
 create mode 100644 stx-oidc-auth-helm/files/Makefile
 create mode 100644 stx-oidc-auth-helm/files/index.yaml
 create mode 100644 stx-oidc-auth-helm/files/manifest.yaml
 create mode 100644 stx-oidc-auth-helm/files/metadata.yaml
 create mode 100644 stx-oidc-auth-helm/files/repositories.yaml
 create mode 100644 test-requirements.txt
 create mode 100644 tox.ini

diff --git a/.zuul.yaml b/.zuul.yaml
new file mode 100644
index 0000000..7ccbd0a
--- /dev/null
+++ b/.zuul.yaml
@@ -0,0 +1,8 @@
+---
+- project:
+ check:
+ jobs:
+ - openstack-tox-linters
+ gate:
+ jobs:
+ - openstack-tox-linters
diff --git a/centos_iso_image.inc b/centos_iso_image.inc
new file mode 100644
index 0000000..ac9a328
--- /dev/null
+++ b/centos_iso_image.inc
@@ -0,0 +1 @@
+stx-oidc-auth-helm
diff --git a/centos_pkg_dirs b/centos_pkg_dirs
new file mode 100644
index 0000000..ac9a328
--- /dev/null
+++ b/centos_pkg_dirs
@@ -0,0 +1 @@
+stx-oidc-auth-helm
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..c01ade2
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1 @@
+# Nothing
diff --git a/stx-oidc-auth-helm/centos/build_srpm.data b/stx-oidc-auth-helm/centos/build_srpm.data
new file mode 100644
index 0000000..5a70bd5
--- /dev/null
+++ b/stx-oidc-auth-helm/centos/build_srpm.data
@@ -0,0 +1,7 @@
+TAR_NAME=helm-charts
+SHA=92b6289ae93816717a8453cfe62bad51cbdb8ad0
+VERSION=1.0.0
+TAR="$TAR_NAME-$SHA.tar.gz"
+
+COPY_LIST="${CGCS_BASE}/downloads/helm-charts-92b6289ae93816717a8453cfe62bad51cbdb8ad0.tar.gz $PKG_BASE/files/* "
+TIS_PATCH_VER=0
diff --git a/stx-oidc-auth-helm/centos/stx-oidc-auth-helm.spec b/stx-oidc-auth-helm/centos/stx-oidc-auth-helm.spec
new file mode 100644
index 0000000..340db04
--- /dev/null
+++ b/stx-oidc-auth-helm/centos/stx-oidc-auth-helm.spec
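Review bot: `COPY_LIST` spells out `helm-charts-92b6289ae93816717a8453cfe62bad51cbdb8ad0.tar.gz` by hand although `TAR` two lines above already composes exactly that name from `TAR_NAME` and `SHA`, so the two can drift apart on the next sha bump; `COPY_LIST="${CGCS_BASE}/downloads/$TAR $PKG_BASE/files/* "` keeps a single source of truth. `VERSION=1.0.0` here also disagrees with `Version: 1.0` in stx-oidc-auth-helm.spec; if this value is informational only, a comment saying so would spare the next reader the question. The tarball is identified solely by the upstream git sha embedded in its filename; unless the download step verifies the archive content against that sha, a content checksum recorded next to `SHA` would let the build detect a mis-downloaded or altered archive.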
@@ -0,0 +1,110 @@
+# Application tunables (maps to metadata)
+%global app_name oidc-auth-apps
+%global helm_repo stx-platform
+
+# Install location
+%global app_folder /usr/local/share/applications/helm
+
+# Build variables
+%global helm_folder /usr/lib/helm
+
+%global sha 92b6289ae93816717a8453cfe62bad51cbdb8ad0
+
+Summary: StarlingX OIDC auth Helm charts
+Name: stx-oidc-auth-helm
+Version: 1.0
+Release: %{tis_patch_ver}%{?_tis_dist}
+License: Apache-2.0
+Group: base
+Packager: Wind River
+URL: unknown
+
+#Source0: %{name}-%{version}.tar.gz
+Source0: helm-charts-%{sha}.tar.gz
+Source1: repositories.yaml
+Source2: index.yaml
+Source3: metadata.yaml
+Source4: manifest.yaml
+Source5: Makefile
+
+Patch01: 0001-Update-Dex-chart-for-Kubernetes-API-1.16.patch
+Patch02: 0002-add-image-pull-secrets.patch
+
+BuildArch: noarch
+
+BuildRequires: helm
+
+%description
+StarlingX OIDC auth Helm charts
+
+%prep
+#%setup
+%setup -n helm-charts
+%patch01 -p1
+%patch02 -p1
+
+%build
+# initialize helm
+# helm init --client-only does not work if there is no networking
+# The following commands do essentially the same as: helm init
+%define helm_home %{getenv:HOME}/.helm
+mkdir %{helm_home}
+mkdir %{helm_home}/repository
+mkdir %{helm_home}/repository/cache
+mkdir %{helm_home}/repository/local
+mkdir %{helm_home}/plugins
+mkdir %{helm_home}/starters
+mkdir %{helm_home}/cache
+mkdir %{helm_home}/cache/archive
+
+# Stage a repository file that only has a local repo
+cp %{SOURCE1} %{helm_home}/repository/repositories.yaml
+
+# Stage a local repo index that can be updated by the build
+cp %{SOURCE2} %{helm_home}/repository/local/index.yaml
+
+# Host a server for the charts
+helm serve --repo-path . &
+helm repo rm local
+helm repo add local http://localhost:8879/charts
+
+# Make the charts. These produce a tgz file
+cp %{SOURCE5} stable
+cd stable
+make dex
+cd -
+
+# Terminate helm server (the last backgrounded task)
+kill %1
+
+# Create a chart tarball compliant with sysinv kube-app.py
+%define app_staging %{_builddir}/staging
+%define app_tarball %{app_name}-%{version}-%{tis_patch_ver}.tgz
+
+# Setup staging
+mkdir -p %{app_staging}
+cp %{SOURCE3} %{app_staging}
+cp %{SOURCE4} %{app_staging}
+mkdir -p %{app_staging}/charts
+cp stable/*.tgz %{app_staging}/charts
+cd %{app_staging}
+
+# Populate metadata
+sed -i 's/@APP_NAME@/%{app_name}/g' %{app_staging}/metadata.yaml
+sed -i 's/@APP_VERSION@/%{version}-%{tis_patch_ver}/g' %{app_staging}/metadata.yaml
+sed -i 's/@HELM_REPO@/%{helm_repo}/g' %{app_staging}/metadata.yaml
+
+# package it up
+find . -type f ! -name '*.md5' -print0 | xargs -0 md5sum > checksum.md5
+tar -zcf %{_builddir}/%{app_tarball} -C %{app_staging}/ .
+
+# Cleanup staging
+rm -fr %{app_staging}
+
+%install
+install -d -m 755 %{buildroot}/%{app_folder}
+install -p -D -m 755 %{_builddir}/%{app_tarball} %{buildroot}/%{app_folder}
+
+%files
+%defattr(-,root,root,-)
+%{app_folder}/*
diff --git a/stx-oidc-auth-helm/files/0001-Update-Dex-chart-for-Kubernetes-API-1.16.patch b/stx-oidc-auth-helm/files/0001-Update-Dex-chart-for-Kubernetes-API-1.16.patch
new file mode 100644
index 0000000..4d5e884
--- /dev/null
+++ b/stx-oidc-auth-helm/files/0001-Update-Dex-chart-for-Kubernetes-API-1.16.patch
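Review bot: `helm repo add local http://localhost:8879/charts` is issued straight after `helm serve --repo-path . &` with nothing waiting for the server to bind port 8879, so the build fails intermittently whenever `helm repo add` reaches the port before the server does; a bounded poll between the two, e.g. `for i in $(seq 1 30); do curl -sf http://localhost:8879/charts/index.yaml >/dev/null && break; sleep 1; done`, closes that race (curl would need a `BuildRequires` if the buildroot lacks it). The eight `mkdir %{helm_home}...` calls abort the build if `$HOME/.helm` already exists in the build environment; `mkdir -p` is the safer form. `install -p -D -m 755` gives the application tarball execute permission for no reason; `-m 644` is the conventional mode for a data file. `kill %1` relies on the helm server still being job 1 of the `%build` shell, which holds only because nothing else is backgrounded; capturing `HELM_PID=$!` right after `helm serve` and using `kill $HELM_PID` would not depend on that.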
@@ -0,0 +1,25 @@
+From aa367b5e0a1012560b4b573a5d101307bd3dbd1a Mon Sep 17 00:00:00 2001
+From: Jerry Sun
+Date: Mon, 4 Nov 2019 15:23:08 -0500
+Subject: [PATCH 1/1] Update Dex chart for Kubernetes API 1.16
+
+---
+ stable/dex/templates/deployment.yaml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/stable/dex/templates/deployment.yaml b/stable/dex/templates/deployment.yaml
+index a088188..e46b748 100644
+--- a/stable/dex/templates/deployment.yaml
++++ b/stable/dex/templates/deployment.yaml
+@@ -6,7 +6,7 @@
+ {{ $grpcCaBuiltName := printf "%s-ca" $fullname }}
+ {{ $grpcCaSecretName := default $grpcCaBuiltName .Values.certs.grpc.secret.caName }}
+
+-apiVersion: apps/v1beta2
++apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: {{ template "dex.fullname" . }}
+-- 
+2.7.4
+
diff --git a/stx-oidc-auth-helm/files/0002-add-image-pull-secrets.patch b/stx-oidc-auth-helm/files/0002-add-image-pull-secrets.patch
new file mode 100644
index 0000000..7b79270
--- /dev/null
+++ b/stx-oidc-auth-helm/files/0002-add-image-pull-secrets.patch
@@ -0,0 +1,53 @@
+From 99cdaab485e18af1d8bba5f24f7612de96f87039 Mon Sep 17 00:00:00 2001
+From: Jerry Sun
+Date: Mon, 16 Dec 2019 13:58:37 -0500
+Subject: [PATCH 1/1] add image pull secrets to images
+
+---
+ stable/dex/templates/deployment.yaml | 2 ++
+ stable/dex/templates/job-grpc-certs.yaml | 2 ++
+ stable/dex/templates/job-web-certs.yaml | 2 ++
+ 3 files changed, 6 insertions(+)
+
+diff --git a/stable/dex/templates/deployment.yaml b/stable/dex/templates/deployment.yaml
+index a088188..40f1935 100644
+--- a/stable/dex/templates/deployment.yaml
++++ b/stable/dex/templates/deployment.yaml
+@@ -35,6 +35,8 @@ spec:
+ serviceAccountName: {{ template "dex.serviceAccountName" . }}
+ nodeSelector:
+ {{ toYaml .Values.nodeSelector | indent 10 }}
++ imagePullSecrets:
++ - name: default-registry-key
+ containers:
+ - name: main
+ image: "{{ .Values.image }}:{{ .Values.imageTag }}"
+diff --git a/stable/dex/templates/job-grpc-certs.yaml b/stable/dex/templates/job-grpc-certs.yaml
+index 95e23a7..90514d8 100644
+--- a/stable/dex/templates/job-grpc-certs.yaml
++++ b/stable/dex/templates/job-grpc-certs.yaml
+@@ -33,6 +33,8 @@ spec:
+ spec:
+ serviceAccountName: {{ template "dex.serviceAccountName" . }}
+ restartPolicy: OnFailure
++ imagePullSecrets:
++ - name: default-registry-key
+ containers:
+ - name: main
+ image: "{{ .Values.certs.image }}:{{ .Values.certs.imageTag }}"
+diff --git a/stable/dex/templates/job-web-certs.yaml b/stable/dex/templates/job-web-certs.yaml
+index c2e56af..7c0c1f3 100644
+--- a/stable/dex/templates/job-web-certs.yaml
++++ b/stable/dex/templates/job-web-certs.yaml
+@@ -30,6 +30,8 @@ spec:
+ spec:
+ serviceAccountName: {{ template "dex.serviceAccountName" . }}
+ restartPolicy: OnFailure
++ imagePullSecrets:
++ - name: default-registry-key
+ containers:
+ - name: main
+ image: "{{ .Values.certs.image }}:{{ .Values.certs.imageTag }}"
+-- 
+2.7.4
+
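Review bot: The three hunks write the literal secret name `default-registry-key` into `deployment.yaml`, `job-grpc-certs.yaml` and `job-web-certs.yaml`, so the chart now depends on a secret that must already exist in the release namespace (kube-system per manifest.yaml) and that no values override can rename; if it is absent, every pod of the release sits in ImagePullBackOff with nothing in the chart pointing at the cause. Reading the list from values, e.g. `imagePullSecrets: {{ toYaml .Values.imagePullSecrets | indent 8 }}` with `default-registry-key` as the default in values.yaml, keeps the platform default without hard-wiring it into the templates. Either way the patch description should state which platform component creates `default-registry-key`, since the patch itself gives no hint.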
diff --git a/stx-oidc-auth-helm/files/Makefile b/stx-oidc-auth-helm/files/Makefile
new file mode 100644
index 0000000..eff605d
--- /dev/null
+++ b/stx-oidc-auth-helm/files/Makefile
@@ -0,0 +1,43 @@
+#
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Copyright (c) 2019 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# It's necessary to set this because some environments don't link sh -> bash.
+SHELL := /bin/bash
+TASK := build
+
+EXCLUDES := helm-toolkit doc tests tools logs tmp
+CHARTS := helm-toolkit $(filter-out $(EXCLUDES), $(patsubst %/.,%,$(wildcard */.)))
+
+.PHONY: $(EXCLUDES) $(CHARTS)
+
+all: $(CHARTS)
+
+$(CHARTS):
+ @if [ -d $@ ]; then \
+ echo; \
+ echo "===== Processing [$@] chart ====="; \
+ make $(TASK)-$@; \
+ fi
+
+init-%:
+ if [ -f $*/Makefile ]; then make -C $*; fi
+ if [ -f $*/requirements.yaml ]; then helm dep up $*; fi
+
+lint-%: init-%
+ if [ -d $* ]; then helm lint $*; fi
+
+build-%: lint-%
+ if [ -d $* ]; then helm package $*; fi
+
+clean:
+ @echo "Clean all build artifacts"
+ rm -f */templates/_partials.tpl */templates/_globals.tpl
+ rm -f *tgz */charts/*tgz */requirements.lock
+ rm -rf */charts */tmpcharts
+
+%:
+ @:
diff --git a/stx-oidc-auth-helm/files/index.yaml b/stx-oidc-auth-helm/files/index.yaml
new file mode 100644
index 0000000..36db709
--- /dev/null
+++ b/stx-oidc-auth-helm/files/index.yaml
@@ -0,0 +1,3 @@
+apiVersion: v1
+entries: {}
+generated: 2019-01-07T12:33:46.098166523-06:00
diff --git a/stx-oidc-auth-helm/files/manifest.yaml b/stx-oidc-auth-helm/files/manifest.yaml
new file mode 100644
index 0000000..7bf9bef
--- /dev/null
+++ b/stx-oidc-auth-helm/files/manifest.yaml
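Review bot: The `$(CHARTS)` recipe and `init-%` invoke the sub-make as bare `make` (`make $(TASK)-$@; \` and `make -C $*`), which drops the parent's command-line flags and jobserver; `$(MAKE)` is the form GNU make expects for recursive calls. The trailing `%:` / `@:` catch-all turns any unknown goal into a silent no-op, so `make dex` from the spec succeeds without doing anything if the `stable/dex` directory is missing or misspelled, and the failure only surfaces later at `cp stable/*.tgz`. A comment on the catch-all explaining why unknown targets must be tolerated (presumably so `$(TASK)-$@` on excluded names does not error) would at least make that trade-off visible. The header says the file is carried over from openstack-helm, so these may be inherited choices rather than new ones, but they are worth a line either way.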
@@ -0,0 +1,47 @@
+---
+schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: kube-system-dex
+data:
+ chart_name: dex
+ release: dex
+ namespace: kube-system
+ wait:
+ timeout: 1800
+ labels:
+ app: dex
+ install:
+ no_hooks: false
+ upgrade:
+ no_hooks: false
+ pre:
+ delete:
+ - type: job
+ labels:
+ app: dex
+ source:
+ type: tar
+ location: http://172.17.0.1:8080/helm_charts/stx-platform/dex-0.8.0.tgz
+ subpath: dex
+ reference: master
+ dependencies: []
+---
+schema: armada/ChartGroup/v1
+metadata:
+ schema: metadata/Document/v1
+ name: starlingx-dex-charts
+data:
+ description: StarlingX Dex Charts
+ sequenced: true
+ chart_group:
+ - kube-system-dex
+---
+schema: armada/Manifest/v1
+metadata:
+ schema: metadata/Document/v1
+ name: oidc-auth-manifest
+data:
+ release_prefix: oidc
+ chart_groups:
+ - starlingx-dex-charts
diff --git a/stx-oidc-auth-helm/files/metadata.yaml b/stx-oidc-auth-helm/files/metadata.yaml
new file mode 100644
index 0000000..49f72b5
--- /dev/null
+++ b/stx-oidc-auth-helm/files/metadata.yaml
@@ -0,0 +1,3 @@
+app_name: @APP_NAME@
+app_version: @APP_VERSION@
+helm_repo: @HELM_REPO@
diff --git a/stx-oidc-auth-helm/files/repositories.yaml b/stx-oidc-auth-helm/files/repositories.yaml
new file mode 100644
index 0000000..e613b63
--- /dev/null
+++ b/stx-oidc-auth-helm/files/repositories.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+generated: 2019-01-02T15:19:36.215111369-06:00
+repositories:
+- caFile: ""
+ cache: /builddir/.helm/repository/cache/local-index.yaml
+ certFile: ""
+ keyFile: ""
+ name: local
+ password: ""
+ url: http://127.0.0.1:8879/charts
+ username: ""
+
diff --git a/test-requirements.txt b/test-requirements.txt
new file mode 100644
index 0000000..8ae3e22
--- /dev/null
+++ b/test-requirements.txt
@@ -0,0 +1,3 @@
+# hacking pulls in flake8
+hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
+bashate >= 0.2
diff --git a/tox.ini b/tox.ini
new file mode 100644
index 0000000..cede375
--- /dev/null
+++ b/tox.ini
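Review bot: `location: http://172.17.0.1:8080/helm_charts/stx-platform/dex-0.8.0.tgz` pins the chart version 0.8.0 in a second place, separate from the helm-charts commit selected in build_srpm.data, so a bump of the upstream chart version silently breaks the apply step when the tgz name no longer matches; a comment tying the two together, e.g. `# chart version must match stable/dex/Chart.yaml at the helm-charts sha in build_srpm.data`, would make the coupling visible. The hard-coded plain-http address and port carry no explanation either; if this is the controller-local chart repository that the platform serves or rewrites at apply time, say so in a comment, because as written it reads like an arbitrary external endpoint. The `pre: delete` of jobs labelled `app: dex` runs before every install and upgrade, presumably so the cert jobs from `job-grpc-certs.yaml` and `job-web-certs.yaml` can re-run; that is worth a one-line comment too.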
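Review bot: `cache: /builddir/.helm/repository/cache/local-index.yaml` hard-codes the helm home as `/builddir/.helm`, while the spec stages this file under `%{getenv:HOME}/.helm`, so the two agree only when the build's `$HOME` is `/builddir`; deriving both from one value, or substituting the path into this file during `%build` the way metadata.yaml already gets its `@...@` placeholders replaced, would remove the assumption. At minimum a comment on the `cache:` line stating that requirement would help the next person whose build runs under a different home.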
@@ -0,0 +1,35 @@
+[tox]
+envlist = linters
+minversion = 2.3
+skipsdist = True
+sitepackages=False
+
+[testenv]
+install_command = pip install -U {opts} {packages}
+setenv =
+ VIRTUAL_ENV={envdir}
+ OS_STDOUT_CAPTURE=1
+ OS_STDERR_CAPTURE=1
+ OS_DEBUG=1
+ OS_LOG_CAPTURE=1
+deps =
+ -r{toxinidir}/requirements.txt
+ -r{toxinidir}/test-requirements.txt
+whitelist_externals =
+ bash
+
+[testenv:bashate]
+# Treat all E* codes as Errors rather than warnings using: -e 'E*'
+commands =
+ bash -c "find {toxinidir} \
+ -not \( -type d -name .?\* -prune \) \
+ -type f \
+ -not -name \*~ \
+ -not -name \*.md \
+ -name \*.sh \
+ -print0 | xargs -r -n 1 -0 bashate -v \
+ -e 'E*'"
+
+[testenv:linters]
+commands =
+ {[testenv:bashate]commands}
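Review bot: `[testenv:linters]` only re-runs the bashate command, so the `hacking` pin in test-requirements.txt (which pulls in flake8) is installed into every env via the shared `deps` but never invoked; either add a flake8 invocation to the linters env or drop the dependency. The `find` in `[testenv:bashate]` selects only `*.sh` files and this change adds none, so the gate job from .zuul.yaml currently lints nothing, which deserves a comment or a follow-up. Minor: `sitepackages=False` is the only key without spaces around `=`; `sitepackages = False` matches the surrounding lines.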