Use helm for pko

config/config.schema.json

@@ -126,6 +126,26 @@
           "regionalSubdomain"
         ]
       },
+      "pko": {
+        "type": "object",
+        "properties": {
+          "image": {
+            "type": "string"
+          },
+          "imageManager": {
+            "type": "string"
+          },
+          "imageTag": {
+            "type": "string"
+          }
+        },
+        "additionalProperties": false,
+        "required": [
+          "image",
+          "imageManager",
+          "imageTag"
+        ]
+      },
       "clusterService": {
         "type": "object",
         "properties": {

config/config.yaml

@@ -86,6 +86,11 @@ defaults:
     consumerName: hcp-underlay-{{ .ctx.regionShort }}-mgmt-{{ .ctx.stamp }}
     imageBase: quay.io/redhat-user-workloads/maestro-rhtap-tenant/maestro/maestro
 
+  pko:
+    image: arohcpsvcdev.azurecr.io/package-operator/package-operator-package
+    imageManager: arohcpsvcdev.azurecr.io/package-operator/package-operator-manager
+    imageTag: v1.15.0
+
   # Cluster Service
   clusterService:
     acrRG: global

dev-infrastructure/configurations/global-roles.bicepparam

@@ -0,0 +1,3 @@
+using '../templates/global-roles.bicep'
+
+param manageTokenRole = true

dev-infrastructure/templates/mgmt-cluster.bicep

@@ -107,6 +107,11 @@ module mgmtCluster '../modules/aks-cluster-base.bicep' = {
         namespace: 'maestro'
         serviceAccountName: 'maestro'
       }
+      package_operator: {
+        uamiName: 'package-operator'
+        namespace: 'package-operator-system'
+        serviceAccountName: 'package-operator'
+      }
     })
     aksKeyVaultName: aksKeyVaultName
     acrPullResourceGroups: acrPullResourceGroups

pko/Makefile

@@ -1,6 +1,39 @@
-SHELL = /bin/bash
+-include ../setup-env.mk
+-include ../helm-cmd.mk
+HELM_CMD ?= helm upgrade --install
+
+NAMESPACE ?= package-operator-system
+ARO_HCP_IMAGE_REGISTRY ?= ${ARO_HCP_IMAGE_ACR}.azurecr.io
+ARO_HCP_IMAGE_REPOSITORY ?= package-operator/package-operator-package
 
 deploy:
-	kubectl apply -f https://github.com/package-operator/package-operator/releases/download/v1.15.0/self-bootstrap-job.yaml
+	@kubectl create namespace ${NAMESPACE} --dry-run=client -o json | kubectl apply -f -
+	PKO_MI_CLIENT_ID=$$(az identity show \
+			-g ${RESOURCEGROUP} \
+			-n package-operator \
+			--query clientId -o tsv) && \
+	PKO_MI_TENANT_ID=$$(az identity show \
+			-g ${RESOURCEGROUP} \
+			-n package-operator \
+			--query tenantId -o tsv) && \
+	IMAGE_PULLER_MI_CLIENT_ID=$$(az identity show \
+			-g ${RESOURCEGROUP} \
+			-n image-puller \
+			--query clientId -o tsv) && \
+	IMAGE_PULLER_MI_TENANT_ID=$$(az identity show \
+			-g ${RESOURCEGROUP} \
+			-n image-puller \
+			--query tenantId -o tsv) && \
+	${HELM_CMD} package-operator ./helm \
+	--namespace ${NAMESPACE} \
+	--set pkoImage=${PKO_IMAGE} \
+	--set pkoImageManager=${PKO_IMAGE_MANAGER} \
+	--set pkoImageTag=${PKO_IMAGE_TAG} \
+	--set pullBinding.workloadIdentityClientId="$${IMAGE_PULLER_MI_CLIENT_ID}" \
+	--set pullBinding.workloadIdentityTenantId="$${IMAGE_PULLER_MI_TENANT_ID}" \
+	--set pullBinding.registry=${ARO_HCP_IMAGE_REGISTRY} \
+	--set pullBinding.scope='repository:*:pull' \
+	--set serviceAccount.workloadIdentityClientId="$${PKO_MI_CLIENT_ID}" \
+	--set serviceAccount.workloadIdentityTenantId="$${PKO_MI_CLIENT_ID}"
 
 .PHONY: deploy

pko/config.mk

@@ -0,0 +1,2 @@
+IMAGE_BASE ?= arohcpsvcdev.azurecr.io/package-operator/package-operator-package
+IMAGE_TAG ?= v1.11.0

pko/helm/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: package-operator
+description: A Helm chart for package-operator
+type: application
+
+version: 0.1.0
+appVersion: "1.0.0"

pko/helm/templates/acrpullbinding.yaml

@@ -0,0 +1,15 @@
+apiVersion: acrpull.microsoft.com/v1beta2
+kind: AcrPullBinding
+metadata:
+  name: pull-binding
+spec:
+  acr:
+    environment: PublicCloud
+    server: {{ .Values.pullBinding.registry }}
+    scope: {{ .Values.pullBinding.scope }}
+  auth:
+    workloadIdentity:
+      serviceAccountRef: package-operator
+      clientID: {{ .Values.pullBinding.workloadIdentityClientId }}
+      tenantID: {{ .Values.pullBinding.workloadIdentityTenantId }}
+  serviceAccountName: package-operator

pko/helm/templates/clusterrolebinding.yaml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: package-operator
+  labels:
+    package-operator.run/cache: "True"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: package-operator
+  namespace: package-operator-system

pko/helm/templates/job.yaml

@@ -0,0 +1,37 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: package-operator-bootstrap
+  namespace: package-operator-system
+spec:
+  # delete right after completion
+  ttlSecondsAfterFinished: 0
+  # set deadline to 30min
+  activeDeadlineSeconds: 1800
+  template:
+    spec:
+      restartPolicy: OnFailure
+      serviceAccountName: package-operator
+      containers:
+      - name: package-operator
+        image: "{{ .Values.pkoImageManager }}:{{ .Values.pkoImageTag }}"
+        args: ["-self-bootstrap={{ .Values.pkoImage }}:{{ .Values.pkoImageTag }}"]
+        imagePullPolicy: Always
+        env:
+        - name: PKO_REGISTRY_HOST_OVERRIDES
+          value: ''
+        - name: PKO_CONFIG
+          value: ''
+        - name: PKO_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: PKO_SERVICE_ACCOUNT_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: PKO_SERVICE_ACCOUNT_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+  backoffLimit: 3

pko/helm/templates/serviceaccount.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: package-operator
+  namespace: package-operator-system
+  annotations:
+    azure.workload.identity/client-id: '{{ .Values.serviceAccount.workloadIdentityClientId }}'
+    azure.workload.identity/tenant-id: '{{ .Values.serviceAccount.workloadIdentityTenantId }}'
+  labels:
+    package-operator.run/cache: "True"

pko/helm/values.yaml

@@ -0,0 +1,11 @@
+pkoImage: ""
+pkoImageManager: ""
+pkoImageTag: ""
+pullBinding:
+  registry: ""
+  scope: ""
+  workloadIdentityClientId: ""
+  workloadIdentityTenantId: ""
+serviceAccount:
+  workloadIdentityClientId: ""
+  workloadIdentityTenantId: ""

pko/pipeline.yaml

@@ -0,0 +1,26 @@
+$schema: "pipeline.schema.v1"
+serviceGroup: Microsoft.Azure.ARO.HCP.RP.PKO
+rolloutName: RP PKO Rollout
+resourceGroups:
+- name: {{ .mgmt.rg }}
+  subscription: {{ .svc.subscription }}
+  aksCluster: {{ .aksName }}
+  steps:
+  - name: deploy
+    action: Shell
+    command: make deploy
+    dryRun:
+      variables:
+        - name: DRY_RUN
+          value: "true"
+    variables:
+    - name: ARO_HCP_IMAGE_ACR
+      configRef: svcAcrName
+    - name: PKO_IMAGE
+      configRef: pko.image
+    - name: PKO_IMAGE_MANAGER
+      configRef: pko.imageManager
+    - name: PKO_IMAGE_TAG
+      configRef: pko.imageTag
+    - name: RESOURCEGROUP
+      configRef: mgmt.rg