Add Dex as a platform managed application

Add an application to deploy dex as a container for Kubernetes
authentication. This application will be packaged into an RPM and
automatically uploaded on controller-0 unlock.

Story: 2006711
Task: 37856

Change-Id: I75aeeb2f73e2119994205f54361fee939c7aca25
Signed-off-by: Jerry Sun <jerry.sun@windriver.com>

.zuul.yaml

@@ -0,0 +1,8 @@
+---
+- project:
+    check:
+      jobs:
+        - openstack-tox-linters
+    gate:
+      jobs:
+        - openstack-tox-linters

centos_iso_image.inc

@@ -0,0 +1 @@
+stx-oidc-auth-helm

centos_pkg_dirs

@@ -0,0 +1 @@
+stx-oidc-auth-helm

requirements.txt

@@ -0,0 +1 @@
+# Nothing

stx-oidc-auth-helm/centos/build_srpm.data

@@ -0,0 +1,7 @@
+TAR_NAME=helm-charts
+SHA=92b6289ae93816717a8453cfe62bad51cbdb8ad0
+VERSION=1.0.0
+TAR="$TAR_NAME-$SHA.tar.gz"
+
+COPY_LIST="${CGCS_BASE}/downloads/helm-charts-92b6289ae93816717a8453cfe62bad51cbdb8ad0.tar.gz $PKG_BASE/files/* "
+TIS_PATCH_VER=0

stx-oidc-auth-helm/centos/stx-oidc-auth-helm.spec

@@ -0,0 +1,110 @@
+# Application tunables (maps to metadata)
+%global app_name oidc-auth-apps
+%global helm_repo stx-platform
+
+# Install location
+%global app_folder /usr/local/share/applications/helm
+
+# Build variables
+%global helm_folder /usr/lib/helm
+
+%global sha 92b6289ae93816717a8453cfe62bad51cbdb8ad0
+
+Summary: StarlingX OIDC auth Helm charts
+Name: stx-oidc-auth-helm
+Version: 1.0
+Release: %{tis_patch_ver}%{?_tis_dist}
+License: Apache-2.0
+Group: base
+Packager: Wind River <info@windriver.com>
+URL: unknown
+
+#Source0: %{name}-%{version}.tar.gz
+Source0: helm-charts-%{sha}.tar.gz
+Source1: repositories.yaml
+Source2: index.yaml
+Source3: metadata.yaml
+Source4: manifest.yaml
+Source5: Makefile
+
+Patch01: 0001-Update-Dex-chart-for-Kubernetes-API-1.16.patch
+Patch02: 0002-add-image-pull-secrets.patch
+
+BuildArch: noarch
+
+BuildRequires: helm
+
+%description
+StarlingX OIDC auth Helm charts
+
+%prep
+#%setup
+%setup -n helm-charts
+%patch01 -p1
+%patch02 -p1
+
+%build
+# initialize helm
+# helm init --client-only does not work if there is no networking
+# The following commands do essentially the same as: helm init
+%define helm_home  %{getenv:HOME}/.helm
+mkdir  %{helm_home}
+mkdir  %{helm_home}/repository
+mkdir  %{helm_home}/repository/cache
+mkdir  %{helm_home}/repository/local
+mkdir  %{helm_home}/plugins
+mkdir  %{helm_home}/starters
+mkdir  %{helm_home}/cache
+mkdir  %{helm_home}/cache/archive
+
+# Stage a repository file that only has a local repo
+cp %{SOURCE1} %{helm_home}/repository/repositories.yaml
+
+# Stage a local repo index that can be updated by the build
+cp %{SOURCE2} %{helm_home}/repository/local/index.yaml
+
+# Host a server for the charts
+helm serve --repo-path . &
+helm repo rm local
+helm repo add local http://localhost:8879/charts
+
+# Make the charts. These produce a tgz file
+cp %{SOURCE5} stable
+cd stable
+make dex
+cd -
+
+# Terminate helm server (the last backgrounded task)
+kill %1
+
+# Create a chart tarball compliant with sysinv kube-app.py
+%define app_staging %{_builddir}/staging
+%define app_tarball %{app_name}-%{version}-%{tis_patch_ver}.tgz
+
+# Setup staging
+mkdir -p %{app_staging}
+cp %{SOURCE3} %{app_staging}
+cp %{SOURCE4} %{app_staging}
+mkdir -p %{app_staging}/charts
+cp stable/*.tgz %{app_staging}/charts
+cd %{app_staging}
+
+# Populate metadata
+sed -i 's/@APP_NAME@/%{app_name}/g' %{app_staging}/metadata.yaml
+sed -i 's/@APP_VERSION@/%{version}-%{tis_patch_ver}/g' %{app_staging}/metadata.yaml
+sed -i 's/@HELM_REPO@/%{helm_repo}/g' %{app_staging}/metadata.yaml
+
+# package it up
+find . -type f ! -name '*.md5' -print0 | xargs -0 md5sum > checksum.md5
+tar -zcf %{_builddir}/%{app_tarball} -C %{app_staging}/ .
+
+# Cleanup staging
+rm -fr %{app_staging}
+
+%install
+install -d -m 755 %{buildroot}/%{app_folder}
+install -p -D -m 755 %{_builddir}/%{app_tarball} %{buildroot}/%{app_folder}
+
+%files
+%defattr(-,root,root,-)
+%{app_folder}/*

stx-oidc-auth-helm/files/0001-Update-Dex-chart-for-Kubernetes-API-1.16.patch

@@ -0,0 +1,25 @@
+From aa367b5e0a1012560b4b573a5d101307bd3dbd1a Mon Sep 17 00:00:00 2001
+From: Jerry Sun <jerry.sun@windriver.com>
+Date: Mon, 4 Nov 2019 15:23:08 -0500
+Subject: [PATCH 1/1] Update Dex chart for Kubernetes API 1.16
+
+---
+ stable/dex/templates/deployment.yaml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/stable/dex/templates/deployment.yaml b/stable/dex/templates/deployment.yaml
+index a088188..e46b748 100644
+--- a/stable/dex/templates/deployment.yaml
++++ b/stable/dex/templates/deployment.yaml
+@@ -6,7 +6,7 @@
+ {{ $grpcCaBuiltName := printf "%s-ca" $fullname }}
+ {{ $grpcCaSecretName := default $grpcCaBuiltName .Values.certs.grpc.secret.caName }}
+ 
+-apiVersion: apps/v1beta2
++apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+   name: {{ template "dex.fullname" . }}
+-- 
+2.7.4
+

stx-oidc-auth-helm/files/0002-add-image-pull-secrets.patch

@@ -0,0 +1,53 @@
+From 99cdaab485e18af1d8bba5f24f7612de96f87039 Mon Sep 17 00:00:00 2001
+From: Jerry Sun <jerry.sun@windriver.com>
+Date: Mon, 16 Dec 2019 13:58:37 -0500
+Subject: [PATCH 1/1] add image pull secrets to images
+
+---
+ stable/dex/templates/deployment.yaml     | 2 ++
+ stable/dex/templates/job-grpc-certs.yaml | 2 ++
+ stable/dex/templates/job-web-certs.yaml  | 2 ++
+ 3 files changed, 6 insertions(+)
+
+diff --git a/stable/dex/templates/deployment.yaml b/stable/dex/templates/deployment.yaml
+index a088188..40f1935 100644
+--- a/stable/dex/templates/deployment.yaml
++++ b/stable/dex/templates/deployment.yaml
+@@ -35,6 +35,8 @@ spec:
+       serviceAccountName: {{ template "dex.serviceAccountName" . }}
+       nodeSelector:
+ {{ toYaml .Values.nodeSelector | indent 10 }}
++      imagePullSecrets:
++      - name: default-registry-key
+       containers:
+       - name: main
+         image: "{{ .Values.image }}:{{ .Values.imageTag }}"
+diff --git a/stable/dex/templates/job-grpc-certs.yaml b/stable/dex/templates/job-grpc-certs.yaml
+index 95e23a7..90514d8 100644
+--- a/stable/dex/templates/job-grpc-certs.yaml
++++ b/stable/dex/templates/job-grpc-certs.yaml
+@@ -33,6 +33,8 @@ spec:
+     spec:
+       serviceAccountName: {{ template "dex.serviceAccountName" . }}
+       restartPolicy: OnFailure
++      imagePullSecrets:
++      - name: default-registry-key
+       containers:
+       - name: main
+         image: "{{ .Values.certs.image }}:{{ .Values.certs.imageTag }}"
+diff --git a/stable/dex/templates/job-web-certs.yaml b/stable/dex/templates/job-web-certs.yaml
+index c2e56af..7c0c1f3 100644
+--- a/stable/dex/templates/job-web-certs.yaml
++++ b/stable/dex/templates/job-web-certs.yaml
+@@ -30,6 +30,8 @@ spec:
+     spec:
+       serviceAccountName: {{ template "dex.serviceAccountName" . }}
+       restartPolicy: OnFailure
++      imagePullSecrets:
++      - name: default-registry-key
+       containers:
+       - name: main
+         image: "{{ .Values.certs.image }}:{{ .Values.certs.imageTag }}"
+-- 
+2.7.4
+

stx-oidc-auth-helm/files/Makefile

@@ -0,0 +1,43 @@
+#
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Copyright (c) 2019 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# It's necessary to set this because some environments don't link sh -> bash.
+SHELL := /bin/bash
+TASK  := build
+
+EXCLUDES := helm-toolkit doc tests tools logs tmp
+CHARTS := helm-toolkit $(filter-out $(EXCLUDES), $(patsubst %/.,%,$(wildcard */.)))
+
+.PHONY: $(EXCLUDES) $(CHARTS)
+
+all: $(CHARTS)
+
+$(CHARTS):
+	@if [ -d $@ ]; then \
+		echo; \
+		echo "===== Processing [$@] chart ====="; \
+		make $(TASK)-$@; \
+	fi
+
+init-%:
+	if [ -f $*/Makefile ]; then make -C $*; fi
+	if [ -f $*/requirements.yaml ]; then helm dep up $*; fi
+
+lint-%: init-%
+	if [ -d $* ]; then helm lint $*; fi
+
+build-%: lint-%
+	if [ -d $* ]; then helm package $*; fi
+
+clean:
+	@echo "Clean all build artifacts"
+	rm -f */templates/_partials.tpl */templates/_globals.tpl
+	rm -f *tgz */charts/*tgz */requirements.lock
+	rm -rf */charts */tmpcharts
+
+%:
+	@:

stx-oidc-auth-helm/files/index.yaml

@@ -0,0 +1,3 @@
+apiVersion: v1
+entries: {}
+generated: 2019-01-07T12:33:46.098166523-06:00

stx-oidc-auth-helm/files/manifest.yaml

@@ -0,0 +1,47 @@
+---
+schema: armada/Chart/v1
+metadata:
+  schema: metadata/Document/v1
+  name: kube-system-dex
+data:
+  chart_name: dex
+  release: dex
+  namespace: kube-system
+  wait:
+    timeout: 1800
+    labels:
+      app: dex
+  install:
+    no_hooks: false
+  upgrade:
+    no_hooks: false
+    pre:
+      delete:
+        - type: job
+          labels:
+            app: dex
+  source:
+    type: tar
+    location: http://172.17.0.1:8080/helm_charts/stx-platform/dex-0.8.0.tgz
+    subpath: dex
+    reference: master
+  dependencies: []
+---
+schema: armada/ChartGroup/v1
+metadata:
+  schema: metadata/Document/v1
+  name: starlingx-dex-charts
+data:
+  description: StarlingX Dex Charts
+  sequenced: true
+  chart_group:
+  - kube-system-dex
+---
+schema: armada/Manifest/v1
+metadata:
+  schema: metadata/Document/v1
+  name: oidc-auth-manifest
+data:
+  release_prefix: oidc
+  chart_groups:
+  - starlingx-dex-charts

stx-oidc-auth-helm/files/metadata.yaml

@@ -0,0 +1,3 @@
+app_name: @APP_NAME@
+app_version: @APP_VERSION@
+helm_repo: @HELM_REPO@

stx-oidc-auth-helm/files/repositories.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+generated: 2019-01-02T15:19:36.215111369-06:00
+repositories:
+- caFile: ""
+  cache: /builddir/.helm/repository/cache/local-index.yaml
+  certFile: ""
+  keyFile: ""
+  name: local
+  password: ""
+  url: http://127.0.0.1:8879/charts
+  username: ""
+

test-requirements.txt

@@ -0,0 +1,3 @@
+# hacking pulls in flake8
+hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
+bashate >= 0.2

tox.ini

@@ -0,0 +1,35 @@
+[tox]
+envlist = linters
+minversion = 2.3
+skipsdist = True
+sitepackages=False
+
+[testenv]
+install_command = pip install -U {opts} {packages}
+setenv =
+   VIRTUAL_ENV={envdir}
+   OS_STDOUT_CAPTURE=1
+   OS_STDERR_CAPTURE=1
+   OS_DEBUG=1
+   OS_LOG_CAPTURE=1
+deps =
+  -r{toxinidir}/requirements.txt
+  -r{toxinidir}/test-requirements.txt
+whitelist_externals =
+  bash
+
+[testenv:bashate]
+# Treat all E* codes as Errors rather than warnings using: -e 'E*'
+commands =
+  bash -c "find {toxinidir}                    \
+         -not \( -type d -name .?\* -prune \) \
+         -type f                              \
+         -not -name \*~                       \
+         -not -name \*.md                     \
+         -name \*.sh                          \
+         -print0 | xargs -r -n 1 -0 bashate -v   \
+         -e 'E*'"
+
+[testenv:linters]
+commands =
+    {[testenv:bashate]commands}