feat: install using helm charts (#9)

* install using helm charts

* SKIP UPGRADE TEST

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2025-01-08T20:11:33Z",
+  "generated_at": "2025-01-24T16:49:18Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -82,7 +82,7 @@
         "hashed_secret": "2254481e1661d8f017a712b0d1ad9a14fd9460a3",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 138,
+        "line_number": 134,
         "type": "Secret Keyword",
         "verified_result": null
       }

.trivyignore

@@ -0,0 +1,24 @@
+
+KSV014 # "Use read-only filesystem for containers where possible"
+
+KSV020 # "Force the container to run with user ID > 10000"
+
+KSV021 # "Force the container to run with group ID > 10000"
+
+KSV111 # "Cluster admin role only used where required"
+
+KSV001 # "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node."
+
+KSV003 # "The container should drop all default capabilities and add only those that are needed for its execution."
+
+KSV012 # "Force the running image to run as a non-root user to ensure least privileges."
+
+KSV013 # "It is best to avoid using the ':latest' image tag when deploying containers in production. Doing so makes it hard to track which version of the image is running, and hard to roll back the version."
+
+KSV030 # "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles."
+
+KSV104 # "A program inside the container can bypass Seccomp protection policies."
+
+KSV105 # "Containers should be forbidden from running with a root UID."
+
+KSV106 # "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability."

README.md

@@ -13,7 +13,7 @@ Update status and "latest release" badges:
 [![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/semantic-release/semantic-release)
 
 
-This repository contains the following deployment an Red Hat OpenShift cluster:
+This repository contains the following deployment on an Red Hat OpenShift cluster:
 - [IBM Cloud Pak for Data](./solutions/deploy)
 
 **NB:** These solutions are not intended to be called by one or more other modules since they contain a provider configurations, meaning they are not compatible with the `for_each`, `count`, and `depends_on` arguments. For more information see [Providers Within Modules](https://developer.hashicorp.com/terraform/language/modules/develop/providers)

chart/cloud-pak-deployer/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

chart/cloud-pak-deployer/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: cloud-pak-deployer
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.0.1
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.0.0"

chart/cloud-pak-deployer/templates/cluster-role-binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Values.deployer.prefix }}-sa-rbac
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.clusterRoleBinding.roleRefName }}
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.deployer.prefix }}-sa
+  namespace: {{ .Values.namespace }}

chart/cloud-pak-deployer/templates/config-map.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  cpd-config.yaml: |
+{{ .Values.deployer.configuration | indent 4 }}
+kind: ConfigMap
+metadata:
+  name: {{ .Values.deployer.prefix }}-config
+  namespace: {{ .Values.namespace }}

chart/cloud-pak-deployer/templates/entitlement-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+data:
+  cp-entitlement-key: {{ .Values.deployer.entitlement_key | b64enc }}
+metadata:
+  name: cloud-pak-entitlement-key
+  namespace: {{ .Values.namespace }}
+type: Opaque

chart/cloud-pak-deployer/templates/image-secret.yaml

@@ -0,0 +1,10 @@
+{{- if eq (default .Values.createImagePullSecret false) true }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cpd-docker-cfg
+  namespace: {{ .Values.namespace }}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ template "imagePullSecret" . }}
+{{- end }}

chart/cloud-pak-deployer/templates/imageSecret.tpl

@@ -0,0 +1,5 @@
+{{- define "imagePullSecret" }}
+{{- with .Values.imageCredentials }}
+{{- printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"%s\",\"auth\":\"%s\"}}}" .registry .username .password .email (printf "%s:%s" .username .password | b64enc) | b64enc }}
+{{- end }}
+{{- end }}

chart/cloud-pak-deployer/templates/install-job.yaml

@@ -0,0 +1,90 @@
+kind: Job
+apiVersion: batch/v1
+metadata:
+  name: {{ .Values.deployer.prefix }}-{{ .Values.deployer.job_name_suffix }}
+  namespace: {{ .Values.namespace }}
+  labels:
+    App: {{ .Values.deployer.prefix }}
+  annotations:
+    checkov.io/skip1: CKV_K8S_10
+    checkov.io/skip2: CKV_K8S_11
+    checkov.io/skip3: CKV_K8S_12
+    checkov.io/skip4: CKV_K8S_13
+    checkov.io/skip5: CKV_K8S_14
+    checkov.io/skip6: CKV_K8S_35
+    checkov.io/skip7: CKV_K8S_21
+    checkov.io/skip8: CKV_K8S_30
+    checkov.io/skip9: CKV_K8S_28
+    checkov.io/skip10: CKV_K8S_22
+    checkov.io/skip11: CKV_K8S_20
+    checkov.io/skip12: CKV_K8S_37
+    checkov.io/skip13: CKV_K8S_23
+    checkov.io/skip14: CKV_K8S_38
+    checkov.io/skip15: CKV_K8S_29
+    checkov.io/skip16: CKV_K8S_40
+    checkov.io/skip17: CKV_K8S_31
+    checkov.io/skip18: CKV_K8S_9
+    checkov.io/skip19: CKV_K8S_16
+    checkov.io/skip20: CKV_K8S_8
+    checkov.io/skip21: CKV_K8S_43
+spec:
+  backoffLimit: 0
+  completions: 1
+  template:
+    metadata:
+      name: {{ .Values.deployer.prefix }}
+      labels:
+        App: {{ .Values.deployer.prefix }}
+    spec:
+      restartPolicy: Never
+      serviceAccountName: {{ .Values.deployer.prefix }}-sa
+      securityContext:
+        runAsUser: 0
+        readOnlyRootFilesystem: true
+      {{ if eq (default .Values.createImagePullSecret false) true }}
+      imagePullSecrets:
+      - name: {{ .Values.imagePullSecName }}
+      {{ end }}
+      containers:
+        - terminationMessagePath: /dev/termination-log
+          name: {{ .Values.deployer.prefix }}
+          command:
+            - /bin/sh
+            - '-xc'
+          env:
+            - name: CONFIG_DIR
+              value: /Data/cpd-config
+            - name: STATUS_DIR
+              value: /Data/cpd-status
+            - name: CP_ENTITLEMENT_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: cloud-pak-entitlement-key
+                  key: cp-entitlement-key
+          imagePullPolicy: Always
+          volumeMounts:
+            - name: config-volume
+              mountPath: /Data/cpd-config/config
+            - name: status-volume
+              mountPath: /Data/cpd-status
+          terminationMessagePolicy: File
+          image: {{ .Values.deployer.image }}
+          args:
+            - '/cloud-pak-deployer/cp-deploy.sh vault set -vs cp4d_admin_cpd_{{ .Values.cluster_name }} -vsv {{ .Values.deployer.admin_password }} && /cloud-pak-deployer/cp-deploy.sh env apply -vvvv {{ .Values.deployer.accept_license_flag }}'
+          resources:
+            limits:
+              cpu: 200m
+              memory: 512Mi
+            requests:
+              cpu: 10m
+              memory: 64Mi
+      serviceAccount: {{ .Values.deployer.prefix }}-sa
+      volumes:
+        - name: config-volume
+          configMap:
+            name: {{ .Values.deployer.prefix }}-config
+        - name: status-volume
+          persistentVolumeClaim:
+            claimName: {{ .Values.deployer.prefix }}-status
+      dnsPolicy: ClusterFirst
+  parallelism: 1

chart/cloud-pak-deployer/templates/pvc.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ .Values.deployer.prefix }}-status
+  namespace: {{ .Values.namespace }}
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
+  storageClassName: ibmc-vpc-block-10iops-tier
+  volumeMode: Filesystem

chart/cloud-pak-deployer/templates/rolebinding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: system:openshift:scc:privileged
+  namespace: {{ .Values.namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:openshift:scc:privileged
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.deployer.prefix }}-sa
+  namespace: {{ .Values.namespace }}

chart/cloud-pak-deployer/templates/service-account.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.deployer.prefix }}-sa
+  namespace: {{ .Values.namespace }}

chart/cloud-pak-deployer/templates/uninstall-job.yaml

@@ -0,0 +1,82 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  labels:
+    app: {{ .Values.deployer.prefix }}-uninstall
+  name: {{ .Values.deployer.prefix }}-uninstall
+  namespace: {{ .Values.namespace }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+    "helm.sh/hook-weight": "4"
+    checkov.io/skip1: CKV_K8S_21
+    checkov.io/skip2: CKV_K8S_30
+    checkov.io/skip3: CKV_K8S_28
+    checkov.io/skip4: CKV_K8S_22
+    checkov.io/skip5: CKV_K8S_20
+    checkov.io/skip6: CKV_K8S_37
+    checkov.io/skip7: CKV_K8S_23
+    checkov.io/skip8: CKV_K8S_38
+    checkov.io/skip9: CKV_K8S_29
+    checkov.io/skip10: CKV_K8S_40
+    checkov.io/skip11: CKV_K8S_31
+    checkov.io/skip12: CKV_K8S_9
+    checkov.io/skip13: CKV_K8S_16
+    checkov.io/skip14: CKV_K8S_8
+    checkov.io/skip15: CKV_K8S_43
+    checkov.io/skip16: CKV_K8S_10
+    checkov.io/skip17: CKV_K8S_11
+    checkov.io/skip18: CKV_K8S_12
+    checkov.io/skip19: CKV_K8S_13
+    checkov.io/skip20: CKV_K8S_14
+spec:
+  parallelism: 1
+  completions: 1
+  backoffLimit: 0
+  template:
+    metadata:
+      name: {{ .Values.deployer.prefix }}-uninstall
+      labels:
+        app: {{ .Values.deployer.prefix }}-uninstall
+    spec:
+      {{ if eq (default .Values.createImagePullSecret false) true }}
+      imagePullSecrets:
+      - name: {{ .Values.imagePullSecName }}
+      {{ end }}
+      containers:
+        - name: {{ .Values.deployer.prefix }}-uninstall
+          image: {{ .Values.deployer.image }}
+          imagePullPolicy: Always
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          env:
+            - name: CONFIG_DIR
+              value: /Data/cpd-config
+            - name: STATUS_DIR
+              value: /Data/cpd-status
+          volumeMounts:
+            - name: config-volume
+              mountPath: /Data/cpd-config/config
+            - name: status-volume
+              mountPath: /Data/cpd-status
+          command: ["/bin/sh", "-xc"]
+          args:
+            - /cloud-pak-deployer/scripts/cp4d/cp4d-delete-instance.sh cpd <<< "y"
+          resources:
+            limits:
+              cpu: 200m
+              memory: 512Mi
+            requests:
+              cpu: 10m
+              memory: 64Mi
+      restartPolicy: Never
+      securityContext:
+        runAsUser: 0
+      serviceAccountName: {{ .Values.deployer.prefix }}-sa
+      volumes:
+        - name: config-volume
+          configMap:
+            name: {{ .Values.deployer.prefix }}-config
+        - name: status-volume
+          persistentVolumeClaim:
+            claimName: {{ .Values.deployer.prefix }}-status

chart/cloud-pak-deployer/values.yaml

@@ -0,0 +1,30 @@
+# Default values for cloud-pak-deployer.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+namespace: cloud-pak-deployer
+
+cluster_name: ""
+
+deployer:
+  prefix: "cloud-pak-deployer"
+  configuration: ""
+  cluster_role_name: "cluster-admin"
+  accept_license_flag: ""
+  admin_password: ""
+  scc_name: "priveleged"
+  image: "quay.io/cloud-pak-deployer/cloud-pak-deployer"
+  job_name_suffix: ""
+  entitlement_key: ""
+
+createImagePullSecret: false
+imagePullSecName: "cpd-docker-cfg"
+
+imageCredentials:
+  registry: ""
+  username: ""
+  password: ""
+  email: ""
+
+clusterRoleBinding:
+  roleRefName: "cluster-admin"