feat: OpenShift Pipelines Configuration

Moving the Tekton Chains configuration to the infrastructure chart,
replacing the pre-deploy hook with a post-deploy job that will create
the Tekton Chains resources.

Improved the Helm chart testing to wait for OpenShift Pipelines to be
ready, and using official Chainguard images to run `cosign.`

charts/rhtap-backing-services/templates/openshift-gitops/job-post-deploy.yaml

@@ -1,6 +1,6 @@
 {{- if .Values.backingServices.argoCD.enabled }}
   {{- $argoCD := .Values.backingServices.argoCD }}
-  {{- $name := printf "%s-post-deploy" $argoCD.name }}
+  {{- $name := printf "%s-post-deploy-%d" $argoCD.name .Release.Revision }}
   {{- $argoCDEnvFile := "/rhtap/argocd/env" -}}
 #
 # Generates the ArgoCD API token and stores it on a Kubernetes secret. The steps

charts/rhtap-infrastructure/Chart.yaml

@@ -3,4 +3,4 @@ apiVersion: v2
 name: rhtap-infrastructure
 description: RHTAP Infrastructure
 type: application
-version: 0.0.1
+version: 0.0.2

charts/rhtap-infrastructure/templates/NOTES.txt

@@ -1,17 +1,17 @@
 MinIO Tenants:
 {{- range $k, $v := include "infrastructure.minIOTentants.enabled" . | fromYaml }}
-  - Name:                     {{ $k }}
-    Namespace:                {{ $v.namespace }}
-    Root Credentials:         {{ $v.rootSecretName }} (Secret)
+  - Name: {{ $k }}
+    Namespace: {{ $v.namespace }}
+    Root Credentials: {{ $v.rootSecretName }} (Secret)
     Storage User Credentials: {{ $v.storageUserSecretName }} (Secret)
 {{- end }}
 
-Kafkas:
+Kafka Brokers:
 {{- range $k, $v := include "infrastructure.kafkas.enabled" . | fromYaml }}
-  - Name:         {{ $k }}
-    Namespace:    {{ $v.namespace }}
-    Username:     {{ $v.username }}
-    Credentials:  {{ $v.username }} (Secret)
+  - Name: {{ $k }}
+    Namespace: {{ $v.namespace }}
+    Username: {{ $v.username }}
+    Credentials: {{ $v.username }} (Secret)
     Topics:
   {{- range $t := $v.topics }}
       - {{ $t.name }}
@@ -20,7 +20,29 @@ Kafkas:
 
 PostgreSQL Clusters:
 {{- range $k, $v := include "infrastructure.postgresClusters.enabled" . | fromYaml }}
-  - Namespace:  {{ $v.namespace }}
-    Name:       {{ $k }}
-    Version:    {{ $v.postgresVersion }}
+  - Namespace: {{ $v.namespace }}
+    Name: {{ $k }}
+    Version: {{ $v.postgresVersion }}
+{{- end }}
+
+{{- if .Values.infrastructure.openShiftPipelines.enabled }}
+  {{- $osp := .Values.infrastructure.openShiftPipelines -}}
+OpenShift Pipelines:
+  {{- if or
+        $osp.patchClusterTektonConfig.annotations
+        $osp.patchClusterTektonConfig.labels
+  }}
+  Tekton Config Patch:
+    - Name: {{ $osp.patchClusterTektonConfig.resourceName }}
+    {{- with $osp.patchClusterTektonConfig.annotations }}
+      Annotations:
+        {{ . | toYaml | indent 8 }}
+    {{- end }}
+    {{- with $osp.patchClusterTektonConfig.labels }}
+      Labels:
+        {{ . | toYaml | indent 8 }}
+    {{- end }}
+  {{- end }}
+  Tekton Chains:
+    - Signing Keys Secret: {{ $osp.tektonChains.signingSecretName }}
 {{- end }}

charts/rhtap-infrastructure/templates/_copy-scripts.tpl

@@ -0,0 +1,25 @@
+{{/*
+
+  POD container spec to copy scripts.
+
+*/}}
+{{- define "infrastructure.copyScripts" -}}
+- name: copy-scripts
+  image: registry.access.redhat.com/ubi8/ubi-minimal:latest
+  workingDir: /scripts
+  command:
+    - /bin/bash
+    - -c
+    - |
+      set -x -e
+  {{- range $path, $content := .Files.Glob "scripts/*.sh" -}}
+    {{- $script := trimPrefix "scripts/" $path }}
+      printf '%s' "{{ $content | toString | b64enc }}" | base64 -d >{{ $script }}
+      chmod +x {{ $script }}
+  {{- end }}
+  volumeMounts:
+    - name: scripts
+      mountPath: /scripts
+  securityContext:
+    allowPrivilegeEscalation: false
+{{- end -}}

charts/rhtap-infrastructure/templates/openshift-pipelines/job-tekton-chains.yaml

@@ -0,0 +1,52 @@
+{{- if .Values.infrastructure.openShiftPipelines.enabled }}
+  {{- $osp := .Values.infrastructure.openShiftPipelines -}}
+  {{- $signingSecretName := required
+        ".infrastructure.openShiftPipelines.tektonChains.signingSecretName"
+        $osp.tektonChains.signingSecretName
+  -}}
+  {{- $secretObj := (
+        lookup "v1" "Secret" $osp.namespace $signingSecretName
+      ) | default dict 
+  -}}
+  {{- $secretData := (get $secretObj "data") | default dict -}}
+  {{- $cosignKey := (get $secretData "cosign.key") | default "" -}}
+  {{- if eq $cosignKey "" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: hook-succeeded
+    helm.sh/hook-weight: "2"
+  labels:
+    {{- include "rhtap-infrastructure.labels" . | nindent 4 }}
+  namespace: {{ $osp.namespace }}
+  name: {{ printf "cosign-%s-%d" $osp.name .Release.Revision }}
+spec:
+  template:
+    spec:
+      serviceAccountName: {{ printf "patch-%s" $osp.name }}
+      restartPolicy: Never
+      containers:
+        - name: tekton-chains-cosign
+          image: ghcr.io/sigstore/cosign/cosign:latest
+          env:
+            - name: COSIGN_PASSWORD
+              value: {{ randAlphaNum 32 }}
+          workingDir: /workspace
+          command:
+            - cosign
+          args:
+            - generate-key-pair
+            - {{ printf "k8s://%s/%s" $osp.namespace $signingSecretName }}
+          volumeMounts:
+            - name: workspace
+              mountPath: /workspace
+          securityContext:
+            allowPrivilegeEscalation: false
+      volumes:
+        - name: workspace
+          emppyDir: {}
+  {{- end }}
+{{- end }}

charts/rhtap-infrastructure/templates/openshift-pipelines/job-tekton-config.yaml

@@ -0,0 +1,82 @@
+{{- if .Values.infrastructure.openShiftPipelines.enabled }}
+  {{- $osp := .Values.infrastructure.openShiftPipelines -}}
+  {{- if or
+        $osp.patchClusterTektonConfig.annotations
+        $osp.patchClusterTektonConfig.labels
+  }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: hook-succeeded
+    helm.sh/hook-weight: "1"
+  labels:
+    {{- include "rhtap-infrastructure.labels" . | nindent 4 }}
+  namespace: {{ $osp.namespace }}
+  name: {{ printf "patch-tekton-%s-%d" $osp.name .Release.Revision }}
+spec:
+  template:
+    spec:
+      serviceAccountName: {{ printf "patch-%s" $osp.name }}
+      restartPolicy: Never
+      containers:
+        #
+        # Copying the scripts that will be used on the subsequent containers, the
+        # scripts are shared via the "/scripts" volume.
+        #
+    {{- include "infrastructure.copyScripts" . | nindent 8 }}
+    {{- if $osp.patchClusterTektonConfig.annotations }}
+        #
+        # Patch the Tekton Config with the provided annotations.
+        #
+        - name: patch-annotations
+          image: quay.io/codeready-toolchain/oc-client-base:latest
+          env:
+            - name: KIND
+              value: tektonconfig
+            - name: RESOURCE_NAME
+              value: {{ $osp.patchClusterTektonConfig.resourceName }}
+          command:
+            - /scripts/oc-amend.sh
+          args:
+            - annotate
+      {{- range $k, $v := $osp.patchClusterTektonConfig.annotations }}
+            - {{ printf "%s=%s" $k $v | quote }}
+      {{- end }}
+          volumeMounts:
+            - name: scripts
+              mountPath: /scripts
+          securityContext:
+            allowPrivilegeEscalation: false
+    {{- end }}
+    {{- if $osp.patchClusterTektonConfig.labels }}
+        #
+        # Patch the Tekton Config with the provided labels.
+        #
+        - name: patch-labels
+          image: quay.io/codeready-toolchain/oc-client-base:latest
+          env:
+            - name: KIND
+              value: tektonconfig
+            - name: RESOURCE_NAME
+              value: {{ $osp.patchClusterTektonConfig.resourceName }}
+          command:
+            - /scripts/oc-amend.sh
+          args:
+            - label
+     {{- range $k, $v := $osp.patchClusterTektonConfig.labels }}
+            - {{ printf "%s=%s" $k $v | quote }}
+     {{- end }}
+          volumeMounts:
+            - name: scripts
+              mountPath: /scripts
+          securityContext:
+            allowPrivilegeEscalation: false
+    {{- end }}
+      volumes:
+        - name: scripts
+          emppyDir: {}
+  {{- end }}
+{{- end }}

charts/rhtap-infrastructure/templates/openshift-pipelines/service-account.yaml

@@ -0,0 +1,74 @@
+{{- if .Values.infrastructure.openShiftPipelines.enabled }}
+  {{- $osp := .Values.infrastructure.openShiftPipelines -}}
+  {{- $name := printf "patch-%s" $osp.name }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $name }}
+  namespace: {{ $osp.namespace }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: {{ $osp.namespace }}
+  name: {{ $name }}
+rules:
+  - apiGroups: 
+      - ""
+    resources: 
+      - secrets
+    verbs: 
+      - get
+      - list
+      - create
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  namespace: {{ $osp.namespace }}
+  name: {{ $name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $name }}
+subjects:
+  - kind: ServiceAccount
+    namespace: {{ $osp.namespace }}
+    name: {{ $name }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ $name }}
+rules:
+  - apiGroups: 
+      - operator.tekton.dev
+    resources: 
+      - tektonconfigs
+    verbs: 
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ $name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ $name }}
+subjects:
+  - kind: ServiceAccount
+    namespace: {{ $osp.namespace }}
+    name: {{ $name }}
+{{- end }}