portieris-helm: remove dl_hook

Add "dl_path" to download the source tarball.

Add "src_files" to copy local files to build directory.

Copy patches to deb_folder/patches, and remove the patching commands
from rules.

Remove dl_hook.

Test Plan:

Pass: successfully build portieris-helm
Pass: No difference comparing with the result of dl_hook

Story: 2009101
Task: 43845

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Change-Id: I128bac3c74e791458d4fcac6d437653abc322206

portieris-helm/debian/deb_folder/patches/0002-add-image-pull-secrets-to-images.patch

@@ -0,0 +1,28 @@
+From 77a11903c2486d07cd3b078f99476b3a855fdce0 Mon Sep 17 00:00:00 2001
+From: Michel Thebeau <Michel.Thebeau@windriver.com>
+Date: Mon, 18 Jan 2021 17:02:39 -0500
+Subject: [PATCH] add image pull secrets to images
+
+Signed-off-by: Michel Thebeau <Michel.Thebeau@windriver.com>
+---
+ helm/portieris/templates/deployment.yaml | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/helm/portieris/templates/deployment.yaml b/helm/portieris/templates/deployment.yaml
+index b72c599..d8f3590 100644
+--- a/helm/portieris/templates/deployment.yaml
++++ b/helm/portieris/templates/deployment.yaml
+@@ -21,6 +21,10 @@ spec:
+         release: {{ .Release.Name }}
+     spec:
+       serviceAccountName: portieris
++      {{ if .Values.image.host }}
++      imagePullSecrets:
++      - name: default-registry-key
++      {{ end }}
+       containers:
+         - name: {{ .Chart.Name }}
+           image: "{{ .Values.image.host | default "docker.io/ibmcom"  }}/{{ .Values.image.image }}:{{ .Values.image.tag }}"
+-- 
+2.29.2
+

portieris-helm/debian/deb_folder/patches/0003-add-toggle-to-reinstall-the-admission-webhook.patch

@@ -0,0 +1,51 @@
+From b5defc7482fa8a0b1ad7c96a1ad8d8b578fb7d2c Mon Sep 17 00:00:00 2001
+From: Michel Thebeau <Michel.Thebeau@windriver.com>
+Date: Wed, 1 Sep 2021 10:34:54 -0400
+Subject: [PATCH 3/4] add toggle to reinstall the admission webhook
+
+The backup and restore procedure will set ReapplyAdmissionWebhook to
+true to force an "upgrade" of an already installed Portieris
+application.  The webhooks job is run on the helm chart's post-upgrade
+hook.  The chart value ReapplyAdmissionWebhook is reserved to simplify
+its handling by backup and restore.
+
+Signed-off-by: Michel Thebeau <Michel.Thebeau@windriver.com>
+---
+ .../admission-webhooks/create-admission-webhooks.yaml         | 4 ++++
+ helm/portieris/values.yaml                                    | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
+index 04bb56a..7773413 100644
+--- a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
++++ b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
+@@ -4,7 +4,11 @@ metadata:
+   name: create-admission-webhooks
+   namespace: {{ .Values.namespace }}
+   annotations:
++    {{ if .Values.ReapplyAdmissionWebhook }}
++    helm.sh/hook: post-install,post-upgrade
++    {{ else }}
+     helm.sh/hook: post-install
++    {{ end }}
+     helm.sh/hook-weight: "5"
+     helm.sh/hook-delete-policy: hook-succeeded
+   labels:
+diff --git a/helm/portieris/values.yaml b/helm/portieris/values.yaml
+index 8b1a13e..d73d6f2 100644
+--- a/helm/portieris/values.yaml
++++ b/helm/portieris/values.yaml
+@@ -29,6 +29,10 @@ SkipSecretCreation: false
+ # If using cert-manager to handle secrets
+ UseCertManager: false
+ 
++# Set to force helm upgrade, rerun the create-admission-webhooks job
++# This value is reserved for the StarlingX backup and restore procedure
++ReapplyAdmissionWebhook: false
++
+ # Resoures defined to assist scheduling
+ # request is typical x10, limit is typical x100
+ resources:
+-- 
+2.29.2
+

portieris-helm/debian/deb_folder/patches/0004-run-admission-webhooks-as-non-root.patch

@@ -0,0 +1,105 @@
+From 8a6d884de01c2ce8ad9f68284b69a0ae2e5dea2a Mon Sep 17 00:00:00 2001
+From: Michel Thebeau <Michel.Thebeau@windriver.com>
+Date: Wed, 1 Sep 2021 18:54:44 -0400
+Subject: [PATCH 4/4] run admission webhooks as non-root
+
+With pod security policies enabled the webhooks will not run as root,
+with "Error: container has runAsNonRoot and image will run as root".
+
+Copy the securityContext from portieris chart, run as 'portieris'
+service account.
+
+Fix subsequent jobs that fail with the absent securityContext,
+permissions.  Add patch verb to customresourcedefinitions for portieris
+service add account.
+
+Signed-off-by: Michel Thebeau <Michel.Thebeau@windriver.com>
+---
+ .../admission-webhooks/create-admission-webhooks.yaml         | 3 +++
+ .../admission-webhooks/delete-admission-webhooks.yaml         | 3 +++
+ helm/portieris/templates/clusterrole.yaml                     | 4 ++--
+ helm/portieris/templates/crd-creation/create-crds.yaml        | 4 +++-
+ helm/portieris/templates/crd-creation/delete-crds.yaml        | 4 +++-
+ .../templates/crd-creation/validate-crd-creation.yaml         | 4 +++-
+ 6 files changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
+index 7773413..cbe0eb7 100644
+--- a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
++++ b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
+@@ -44,3 +44,6 @@ spec:
+           configMap:
+             name: admission-webhooks
+       restartPolicy: OnFailure
++      securityContext:
++        runAsUser: {{ .Values.securityContext.runAsUser }}
++
+diff --git a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml
+index ce34927..dd8c259 100644
+--- a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml
++++ b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml
+@@ -40,3 +40,6 @@ spec:
+           configMap:
+             name: admission-webhooks
+       restartPolicy: OnFailure
++      securityContext:
++        runAsUser: {{ .Values.securityContext.runAsUser }}
++
+diff --git a/helm/portieris/templates/clusterrole.yaml b/helm/portieris/templates/clusterrole.yaml
+index 67c5912..13b4cb4 100644
+--- a/helm/portieris/templates/clusterrole.yaml
++++ b/helm/portieris/templates/clusterrole.yaml
+@@ -16,10 +16,10 @@ rules:
+   verbs: ["get", "watch", "list", "create", "patch"]
+ - apiGroups: ["apiextensions.k8s.io"]
+   resources: ["customresourcedefinitions"]
+-  verbs: ["get", "create", "delete"]
++  verbs: ["get", "create", "delete", "patch"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+   resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
+-  verbs: ["get", "create", "delete"]
++  verbs: ["get", "create", "delete", "patch"]
+ - apiGroups: [""]
+   resources: ["secrets", "serviceaccounts"]
+   verbs: ["get"]
+diff --git a/helm/portieris/templates/crd-creation/create-crds.yaml b/helm/portieris/templates/crd-creation/create-crds.yaml
+index 3ac36f6..13b0ca2 100644
+--- a/helm/portieris/templates/crd-creation/create-crds.yaml
++++ b/helm/portieris/templates/crd-creation/create-crds.yaml
+@@ -39,4 +39,6 @@ spec:
+           configMap:
+             name: image-policy-crds
+       restartPolicy: OnFailure
+-      
+\ No newline at end of file
++      securityContext:
++        runAsUser: {{ .Values.securityContext.runAsUser }}
++
+diff --git a/helm/portieris/templates/crd-creation/delete-crds.yaml b/helm/portieris/templates/crd-creation/delete-crds.yaml
+index 9080511..783fe23 100644
+--- a/helm/portieris/templates/crd-creation/delete-crds.yaml
++++ b/helm/portieris/templates/crd-creation/delete-crds.yaml
+@@ -40,4 +40,6 @@ spec:
+           configMap:
+             name: image-policy-crds
+       restartPolicy: OnFailure
+-      
++      securityContext:
++        runAsUser: {{ .Values.securityContext.runAsUser }}
++
+diff --git a/helm/portieris/templates/crd-creation/validate-crd-creation.yaml b/helm/portieris/templates/crd-creation/validate-crd-creation.yaml
+index 5c68466..d3075da 100644
+--- a/helm/portieris/templates/crd-creation/validate-crd-creation.yaml
++++ b/helm/portieris/templates/crd-creation/validate-crd-creation.yaml
+@@ -33,4 +33,6 @@ spec:
+             - imagepolicies.securityenforcement.admission.cloud.ibm.com
+             - clusterimagepolicies.securityenforcement.admission.cloud.ibm.com
+       restartPolicy: OnFailure
+-      
+\ No newline at end of file
++      securityContext:
++        runAsUser: {{ .Values.securityContext.runAsUser }}
++
+-- 
+2.29.2
+

portieris-helm/debian/deb_folder/patches/0005-add-toleration.patch

@@ -0,0 +1,130 @@
+From ed939af4c374f834f6e15e2f6c3d5cbff53c90ec Mon Sep 17 00:00:00 2001
+From: Rafael Camargos <RafaelLucas.Camargos@windriver.com>
+Date: Tue, 28 Sep 2021 11:05:29 -0400
+Subject: [PATCH] Add toleration to deployment and jobs
+
+---
+ .../admission-webhooks/create-admission-webhooks.yaml       | 4 ++++
+ .../admission-webhooks/delete-admission-webhooks.yaml       | 4 ++++
+ helm/portieris/templates/crd-creation/create-crds.yaml      | 4 ++++
+ helm/portieris/templates/crd-creation/delete-crds.yaml      | 4 ++++
+ .../templates/crd-creation/validate-crd-creation.yaml       | 4 ++++
+ .../templates/default/create-default-policies.yaml          | 6 +++++-
+ helm/portieris/templates/deployment.yaml                    | 4 ++++
+ 7 files changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
+index cbe0eb7..fe3e5c2 100644
+--- a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
++++ b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
+@@ -27,6 +27,10 @@ spec:
+         heritage: {{ .Release.Service }}
+     spec:
+       serviceAccountName: portieris
++      tolerations:
++        - key: "node-role.kubernetes.io/master"
++          operator: "Exists"
++          effect: "NoSchedule"
+       containers:
+         - name: hyperkube
+           image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}"
+diff --git a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml
+index dd8c259..e8edc3d 100644
+--- a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml
++++ b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml
+@@ -23,6 +23,10 @@ spec:
+         heritage: {{ .Release.Service }}
+     spec:
+       serviceAccountName: portieris
++      tolerations:
++        - key: "node-role.kubernetes.io/master"
++          operator: "Exists"
++          effect: "NoSchedule"
+       containers:
+         - name: hyperkube
+           image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}"
+diff --git a/helm/portieris/templates/crd-creation/create-crds.yaml b/helm/portieris/templates/crd-creation/create-crds.yaml
+index 13b0ca2..2033ee6 100644
+--- a/helm/portieris/templates/crd-creation/create-crds.yaml
++++ b/helm/portieris/templates/crd-creation/create-crds.yaml
+@@ -23,6 +23,10 @@ spec:
+         heritage: {{ .Release.Service }}
+     spec:
+       serviceAccountName: portieris
++      tolerations:
++        - key: "node-role.kubernetes.io/master"
++          operator: "Exists"
++          effect: "NoSchedule"
+       containers:
+         - name: hyperkube
+           image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}"
+diff --git a/helm/portieris/templates/crd-creation/delete-crds.yaml b/helm/portieris/templates/crd-creation/delete-crds.yaml
+index 783fe23..894598a 100644
+--- a/helm/portieris/templates/crd-creation/delete-crds.yaml
++++ b/helm/portieris/templates/crd-creation/delete-crds.yaml
+@@ -23,6 +23,10 @@ spec:
+         heritage: {{ .Release.Service }}
+     spec:
+       serviceAccountName: portieris
++      tolerations:
++        - key: "node-role.kubernetes.io/master"
++          operator: "Exists"
++          effect: "NoSchedule"
+       containers:
+         - name: hyperkube
+           image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}"
+diff --git a/helm/portieris/templates/crd-creation/validate-crd-creation.yaml b/helm/portieris/templates/crd-creation/validate-crd-creation.yaml
+index d3075da..58e501e 100644
+--- a/helm/portieris/templates/crd-creation/validate-crd-creation.yaml
++++ b/helm/portieris/templates/crd-creation/validate-crd-creation.yaml
+@@ -23,6 +23,10 @@ spec:
+         heritage: {{ .Release.Service }}
+     spec:
+       serviceAccountName: portieris
++      tolerations:
++        - key: "node-role.kubernetes.io/master"
++          operator: "Exists"
++          effect: "NoSchedule"
+       containers:
+         - name: hyperkube
+           image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}"
+diff --git a/helm/portieris/templates/default/create-default-policies.yaml b/helm/portieris/templates/default/create-default-policies.yaml
+index 31a38c0..fae1597 100644
+--- a/helm/portieris/templates/default/create-default-policies.yaml
++++ b/helm/portieris/templates/default/create-default-policies.yaml
+@@ -23,6 +23,10 @@ spec:
+         heritage: {{ .Release.Service }}
+     spec:
+       serviceAccountName: portieris
++      tolerations:
++        - key: "node-role.kubernetes.io/master"
++          operator: "Exists"
++          effect: "NoSchedule"
+       containers:
+         - name: hyperkube
+           image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}"
+@@ -39,4 +43,4 @@ spec:
+           configMap:
+             name: default-image-policies
+       restartPolicy: OnFailure
+-      
+\ No newline at end of file
++      
+diff --git a/helm/portieris/templates/deployment.yaml b/helm/portieris/templates/deployment.yaml
+index d8f3590..e6c4184 100644
+--- a/helm/portieris/templates/deployment.yaml
++++ b/helm/portieris/templates/deployment.yaml
+@@ -25,6 +25,10 @@ spec:
+       imagePullSecrets:
+       - name: default-registry-key
+       {{ end }}
++      tolerations:
++        - key: "node-role.kubernetes.io/master"
++          operator: "Exists"
++          effect: "NoSchedule"
+       containers:
+         - name: {{ .Chart.Name }}
+           image: "{{ .Values.image.host | default "docker.io/ibmcom"  }}/{{ .Values.image.image }}:{{ .Values.image.tag }}"
+-- 
+2.29.2
+

portieris-helm/debian/deb_folder/patches/series

@@ -0,0 +1,5 @@
+0001-Squash-required-portieris-fixes.patch
+0002-add-image-pull-secrets-to-images.patch
+0003-add-toggle-to-reinstall-the-admission-webhook.patch
+0004-run-admission-webhooks-as-non-root.patch
+0005-add-toleration.patch

portieris-helm/debian/deb_folder/rules

@@ -10,23 +10,17 @@ export PORTIERIS_TARBALL = portieris-$(PORTIERIS_VERSION).tgz
 	dh $@
 
 override_dh_auto_build:
-	# Apply patches.
-	patch -d portieris --no-backup-if-mismatch --fuzz=0 -p1 < 0001-Squash-required-portieris-fixes.patch
-	patch -d portieris --no-backup-if-mismatch --fuzz=0 -p1 < 0002-add-image-pull-secrets-to-images.patch
-	patch -d portieris --no-backup-if-mismatch --fuzz=0 -p1 < 0003-add-toggle-to-reinstall-the-admission-webhook.patch
-	patch -d portieris --no-backup-if-mismatch --fuzz=0 -p1 < 0004-run-admission-webhooks-as-non-root.patch
-	patch -d portieris --no-backup-if-mismatch --fuzz=0 -p1 < 0005-add-toleration.patch
 	# Host a server for the helm charts.
 	chartmuseum --debug --port=8879 --context-path='/charts' --storage="local" \
 		--storage-local-rootdir="." &
 	sleep 2
 	helm repo add local http://localhost:8879/charts
 	# Create the TGZ file.
-	cd portieris && make helm.package
+	make helm.package
 	# Terminate the helm chart server.
 	pkill chartmuseum
 
 override_dh_auto_install:
 	# Install the app tar file.
 	install -d -m 755 $(CHART_FOLDER)
-	install -p -D -m 755 portieris/$(PORTIERIS_TARBALL) $(CHART_FOLDER)
+	install -p -D -m 755 $(PORTIERIS_TARBALL) $(CHART_FOLDER)

portieris-helm/debian/dl_hook

@@ -1,25 +0,0 @@
-#!/bin/bash
-set -x
-
-PKG_BUILD_NAME=$1
-PKG_BUILD_ROOT=$(realpath `pwd`/${PKG_BUILD_NAME})
-PKG_DIR="portieris-helm"
-STX_BASE=$(realpath ${MY_REPO}/stx)
-SRC=$(realpath ${STX_BASE}/portieris-armada-app/${PKG_DIR})
-
-mkdir -p ${PKG_BUILD_ROOT}
-pushd ${PKG_BUILD_ROOT}
-
-# Local mirror workaround until CGCS_BASE mirror is supported.
-STX_MIRROR=$(realpath "/import/mirrors/starlingx")
-
-# Download portieris source package.
-PORTIERIS_PKG="portieris-0.7.0.tgz"
-PORTIERIS_SRC_PATH=$(realpath ${STX_MIRROR}/downloads/${PORTIERIS_PKG})
-cp ${PORTIERIS_SRC_PATH} ${PKG_BUILD_ROOT}
-
-# Extract the portieris tar file.
-tar xfz ${PORTIERIS_PKG}
-
-# Copy source files to the build directory.
-cp -pr ${SRC}/files/* ${PKG_BUILD_ROOT}

portieris-helm/debian/meta_data.yaml

@@ -1,7 +1,14 @@
 ---
 debname: portieris-helm
 debver: 1.0-1
-dl_hook: dl_hook
+dl_path:
+  name: portieris-0.7.0.tgz
+  url: https://github.com/IBM/portieris/archive/0.7.0.tar.gz
+  md5sum: ef9c907c5fe0e49db91fd0072d39111e
+src_files:
+  - files/metadata.yaml
+  - files/index.yaml
+  - files/repositories.yaml
 revision:
   dist: $STX_DIST
   PKG_GITREVCOUNT: true