Add support for Helm v3, chartmuseum, and armada chart

This adds support for Helm v3:
- 'helm init' and 'helm serv' were removed in v3, and helm
  initialization was simplified so that is not required in build.
- chart validation and version checking is enforced with 'helm lint',
  so all Charts require the tag: apiVersion: v1 (or v2).
- 'chartmuseum' is a drop-in replacement for 'helm serv', and is
  currently used for building charts only. It is not part of ISO
  image.
- armada chart is built and installed to /opt/extracharts. This
  provides a Kubernetes pod with armada-api and tiller containers.

This provides a Helm v2 client (i.e., helmv2-cli) that gives access
to containerized armada/tiller managed charts. This can be used as
an interactive shell, or as a wrapper for single helm v2 commands.

Change-Id: Iff2b219ea765cf9278c6e80c6aeb5b98cc9a0626
Depends-On: https://review.opendev.org/732731
Story: 2007000
Task: 38893
Signed-off-by: Jim Gauld <james.gauld@windriver.com>

centos_iso_image.inc

@@ -63,6 +63,9 @@ docker-distribution
 # helm
 helm
 
+# armada
+armada
+
 # rpm
 rpm-plugin-systemd-inhibit
 

centos_pkg_dirs

@@ -58,6 +58,8 @@ kubernetes/kubernetes
 kubernetes/docker-distribution
 kubernetes/etcd
 kubernetes/helm
+kubernetes/chartmuseum
+kubernetes/armada
 grub/grubby
 base/dpkg
 base/cluster-resource-agents

centos_tarball-dl.lst

@@ -25,7 +25,6 @@ googletest-fdb850479284e2aae047b87df6beae84236d0135.tar.gz#googletest#https://ap
 # gophercloud-gophercloud-aa00757ee3ab58e53520b6cb910ca0543116400a.tar.gz#gophercloud-gophercloud#github.com/gophercloud/gophercloud/archive/aa00757ee3ab58e53520b6cb910ca0543116400a.tar.gz#http##
 # gorilla-context-08b5f424b9271eedf6f9f0ce86cb9396ed337a42.tar.gz#gorilla-context#https://github.com/gorilla/context/archive/08b5f424b9271eedf6f9f0ce86cb9396ed337a42.tar.gz#http##
 # gorilla-mux-456bcfa82d672db7cae587c9b541463f65bc2718.tar.gz#gorilla-mux#https://github.com/gorilla/mux/archive/456bcfa82d672db7cae587c9b541463f65bc2718.tar.gz#http##
-helm-v2.13.1-linux-amd64.tar.gz#linux-amd64#https://storage.googleapis.com/kubernetes-helm/helm-v2.13.1-linux-amd64.tar.gz#http##
 helm-v3.2.1-linux-amd64.tar.gz#linux-amd64#https://get.helm.sh/helm-v3.2.1-linux-amd64.tar.gz#http##
 isa-l-7e1a337433a340bc0974ed0f04301bdaca374af6.tar.gz#isa-l#https://api.github.com/repos/ceph/isa-l/tarball/7e1a337433a340bc0974ed0f04301bdaca374af6#https##
 isa-l_crypto-603529a4e06ac8a1662c13d6b31f122e21830352.tar.gz#isa-l_crypto#https://api.github.com/repos/01org/isa-l_crypto/tarball/603529a4e06ac8a1662c13d6b31f122e21830352#https##

kubernetes/armada/centos/armada.spec

@@ -0,0 +1,83 @@
+%global git_sha     6cc6346cde888c683fec4df910ebefdf6dccb310
+
+# Build variables
+%global helm_folder /usr/lib/helm
+%global toolkit_version 0.1.0
+%global charts_staging ./charts
+
+Name:           armada
+Version:        0.2.0
+Release:        0%{?_tis_dist}.%{tis_patch_ver}
+Summary:        An orchestrator for managing a collection of Kubernetes Helm charts
+License:        Apache-2.0
+Group:          base
+Packager:       Wind River <info@windriver.com>
+URL:            https://airship-armada.readthedocs.io/
+Source0:        %{name}-%{git_sha}.tar.gz
+
+Patch1:         0001-Add-Helm-v2-client-initialization-using-tiller-postS.patch
+
+BuildArch:      noarch
+
+BuildRequires: helm
+BuildRequires: openstack-helm-infra
+BuildRequires: chartmuseum
+
+%description
+%{summary}
+
+%prep
+%setup -n armada
+%patch1 -p1
+
+
+%build
+# Package the armada chart tarball using methodology derived from:
+#   git clone https://opendev.org/airship/armada.git && cd armada
+#   make charts
+#
+# This provides the equivalent of 'make charts' and builds what is
+# minimally sufficient to generate the armada chart tarball.
+# - do not need to build helm-toolkit.
+# - do not need to build tiller (armada chart contains tiller).
+# - This does not download helm v2 or helm-toolkit as done by 'make charts',
+#   and does not require external network.
+# - Everything else provided by the armada Makefile build is ignored.
+#
+# This is built using helm v3.
+# - 'helm init' and 'helm serv' have been removed in helm v3
+# - chartmuseum is drop-in replacement for 'helm serv'
+# - no initial repository exist
+# - charts self-contain helm-toolkit and pass lint; requirements.yaml
+#   dependencies are safely removed from package so the cluster does
+#   not have to serve 'local' repo (i.e., with ChartMuseum).
+# - helm config of setup directories and repositories is automated
+#   (we don't need to create them)
+
+# Stage helm-toolkit in the local repo
+cp %{helm_folder}/helm-toolkit-%{toolkit_version}.tgz %{charts_staging}
+
+# Host a local server for the charts.
+chartmuseum --debug --port=8879 --context-path='/charts' --storage="local" --storage-local-rootdir="%{charts_staging}" &
+sleep 2
+helm repo add local http://localhost:8879/charts
+
+cd %{charts_staging}
+helm dependency update armada
+helm lint armada
+rm -v -f ./requirements.lock ./requirements.yaml
+helm template --set pod.resources.enabled=true armada
+helm package armada
+cd -
+
+# Terminate helm server (the last backgrounded task)
+kill %1
+
+%install
+install -d -m 755 ${RPM_BUILD_ROOT}/opt/extracharts
+install -p -D -m 755 %{charts_staging}/armada-*.tgz ${RPM_BUILD_ROOT}/opt/extracharts
+
+%files
+%defattr(-,root,root,-)
+/opt/extracharts/*
+

kubernetes/armada/centos/build_srpm.data

@@ -0,0 +1,8 @@
+TAR_NAME=armada
+VERSION=0.2.0
+SHA=6cc6346cde888c683fec4df910ebefdf6dccb310
+TAR="$TAR_NAME-$SHA.tar.gz"
+
+COPY_LIST="${CGCS_BASE}/downloads/$TAR $FILES_BASE/*"
+
+TIS_PATCH_VER=0

kubernetes/armada/centos/files/0001-Add-Helm-v2-client-initialization-using-tiller-postS.patch

@@ -0,0 +1,92 @@
+From 6e464edeadab3b2631775326fb12e6d6e6eb1e2a Mon Sep 17 00:00:00 2001
+From: Jim Gauld <james.gauld@windriver.com>
+Date: Mon, 1 Jun 2020 11:36:46 -0400
+Subject: [PATCH] Add Helm v2 client initialization using tiller postStart exec
+
+This adds helm v2 client initialization using the tiller
+container postStart exec to access helm v2 binary.
+
+This will perform 'helm init', removes the default repos
+'stable' and 'local', and add valid repos that were provided
+as overrides. Note that helm will only add repos that exist.
+
+This expects overrides in this format:
+conf:
+  tiller:
+    charts_url: 'http://192.168.204.1:8080/helm_charts'
+    repo_names:
+      - 'starlingx'
+      - 'stx-platform'
+    repos:
+      stable: https://kubernetes-charts.storage.googleapis.com
+
+This gives the following result:
+helmv2-cli -- helm repo list
+NAME        	URL
+stable      	https://kubernetes-charts.storage.googleapis.com
+starlingx   	http://192.168.204.1:8080/helm_charts/starlingx
+stx-platform	http://192.168.204.1:8080/helm_charts/stx-platform
+
+Signed-off-by: Jim Gauld <james.gauld@windriver.com>
+---
+ charts/armada/templates/deployment-api.yaml | 28 ++++++++++++++++++++++++++++
+ charts/armada/values.yaml                   |  4 ++++
+ 2 files changed, 32 insertions(+)
+
+diff --git a/charts/armada/templates/deployment-api.yaml b/charts/armada/templates/deployment-api.yaml
+index a48c8b6..ccbdb4d 100644
+--- a/charts/armada/templates/deployment-api.yaml
++++ b/charts/armada/templates/deployment-api.yaml
+@@ -179,6 +179,34 @@ spec:
+             - -trace
+ {{- end }}
+           lifecycle:
++            postStart:
++              exec:
++                command:
++                  - sh
++                  - "-c"
++                  - |
++                    /bin/sh <<'EOF'
++                    # Delay initialization since postStart handler runs asynchronously and there
++                    # is no guarantee it is called before the Container’s entrypoint.
++                    sleep 5
++                    # Initialize Helm v2 client.
++                    export HELM_HOST=:{{ .Values.conf.tiller.port }}
++                    /helm init --client-only --skip-refresh
++                    /helm repo rm stable
++                    /helm repo rm local
++{{- if .Values.conf.tiller.repos }}
++                    {{- range $name, $repo := .Values.conf.tiller.repos }}
++                    /helm repo add {{ $name }} {{ $repo }}
++                    {{- end }}
++{{- end }}
++{{- if .Values.conf.tiller.repo_names }}
++                    {{- range .Values.conf.tiller.repo_names }}
++                    /helm repo add {{ . }} {{ $envAll.Values.conf.tiller.charts_url }}/{{ . }}
++                    {{- end }}
++{{- end }}
++                    ln -s -f /helm /tmp/helm
++                    exit 0
++                    EOF
+             preStop:
+               exec:
+                 command:
+diff --git a/charts/armada/values.yaml b/charts/armada/values.yaml
+index 4c1e603..fb3e5c2 100644
+--- a/charts/armada/values.yaml
++++ b/charts/armada/values.yaml
+@@ -217,6 +217,10 @@ conf:
+     # Note: Defaulting to the (default) kubernetes grace period, as anything
+     # greater than that will have no effect.
+     prestop_sleep: 30
++    # Helm v2 initialization
++    charts_url: null
++    repo_names: []
++    repos: {}
+ 
+ monitoring:
+   prometheus:
+-- 
+1.8.3.1
+

kubernetes/chartmuseum/centos/build_srpm.data

@@ -0,0 +1,6 @@
+VERSION=0.12.0
+TAR_NAME=chartmuseum
+TAR="$TAR_NAME-$VERSION.tar.gz"
+COPY_LIST="${CGCS_BASE}/downloads/$TAR $STX_BASE/downloads/chartmuseum-v0.12.0-amd64"
+
+TIS_PATCH_VER=1

kubernetes/chartmuseum/centos/chartmuseum.spec

@@ -0,0 +1,67 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (c) 2020 Wind River Systems, Inc.
+#
+%global with_debug 0
+
+%if 0%{?with_debug}
+%global _dwz_low_mem_die_limit 0
+%else
+%global debug_package   %{nil}
+%endif
+
+Name: chartmuseum
+Version: 0.12.0
+Release: %{tis_patch_ver}%{?_tis_dist}
+Summary: Helm Chart Repository with support for Amazon S3 and Google Cloud Storage
+Group: Kubernetes
+License: Apache-2.0
+Source0: %{name}-%{version}.tar.gz
+Source1: chartmuseum-v0.12.0-amd64
+Packager: Wind River <info@windriver.com>
+URL: https://github.com/helm/chartmuseum
+#URL: https://s3.amazonaws.com/chartmuseum
+
+BuildRequires: pkgconfig(systemd)
+BuildRequires: pkgconfig(libseccomp)
+BuildRequires: pkgconfig(libsystemd-journal)
+BuildRequires: golang >= 1.10.0
+BuildRequires: rsync
+BuildRequires: go-md2man
+BuildRequires: go-bindata
+BuildRequires: rpm-devel >= 4.14.0
+BuildRequires: rpm-libs >= 4.14.0
+
+Requires: /bin/bash
+
+%define CHARTMUSEUM_DIR ${HOME}/src/github.com/helm/%{name}
+
+%description
+%{summary}
+
+%prep
+%setup -q -c -n %{name}
+
+%build
+# NOTE: chartmuseum is only used to build helm charts, and is not
+# part of the ISO.
+# Gather the licence and readme from the source tarball.
+mkdir -v -p %{CHARTMUSEUM_DIR}
+mv -v %{name}/* %{CHARTMUSEUM_DIR}/
+mv -v %{CHARTMUSEUM_DIR}/{LICENSE,README.md} %{name}/
+pushd %{CHARTMUSEUM_DIR}
+# Stub out the make to build golang package; we are using a binary.
+#make
+popd
+
+%install
+install -d %{buildroot}%{_bindir}
+install -m 755 %{SOURCE1} %{buildroot}%{_bindir}/chartmuseum
+
+%files
+%defattr(-,root,root,-)
+%doc %{name}/README.md
+%license %{name}/LICENSE
+%{_bindir}/chartmuseum
+
+%changelog

kubernetes/helm/centos/build_srpm.data

@@ -1,6 +1,6 @@
-VERSION=2.13.1
+VERSION=3.2.1
 TAR_NAME=helm
 TAR="$TAR_NAME-v$VERSION-linux-amd64.tar.gz"
 COPY_LIST="${CGCS_BASE}/downloads/$TAR $FILES_BASE/*"
 
-TIS_PATCH_VER=2
+TIS_PATCH_VER=0

kubernetes/helm/centos/files/helm-upload

@@ -14,8 +14,9 @@
 # We want to run as the "www" user and scripts can't be setuid.  The
 # sudoers permissions are set up to allow sysadmin to run this script
 # as the "www" user without a password.
-if [ $USER != "www" ]; then
-    exec sudo -u www $0 $@
+WWW_ID=$(id -u www)
+if [ ${UID} -ne ${WWW_ID} ]; then
+    exec sudo -u www -g www "$0" "$@"
 fi
 
 

kubernetes/helm/centos/files/helmv2-cli

@@ -0,0 +1,105 @@
+#!/bin/bash
+
+# Copyright (c) 2020 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# This script is wrapper to Helm v2 client, providing access to containerized
+# armada/tiller managed charts.
+
+# There are two modes of operation:
+# - no command specified: this is an interactive BusyBox shell
+# - command and options specified: this executes a single helm v2 command
+
+set -euo pipefail
+
+# Define minimal path
+PATH=/bin:/usr/bin:/usr/local/bin
+
+# Process input options
+SCRIPT=$(basename $0)
+OPTS=$(getopt -o dh --long debug,help -n ${SCRIPT} -- "$@")
+if [ $? != 0 ] ; then echo "Failed parsing options." >&2 ; exit 1 ; fi
+eval set -- "$OPTS"
+
+DEBUG=false
+HELP=false
+while true; do
+  case "$1" in
+    -d | --debug ) DEBUG=true; shift ;;
+    -h | --help )  HELP=true; shift ;;
+    -- ) shift; break ;;
+    * ) break ;;
+  esac
+done
+
+# Treat remaining arguments as commands + options
+shift $((OPTIND-1))
+OTHERARGS="$@"
+
+if [ ${HELP} == 'true' ]; then
+    echo "Usage: ${SCRIPT} [-d|--debug] [-h|--help] -- [command] [options]"
+    echo "Options:"
+    echo " -d | --debug : display initialization information"
+    echo " -h | --help  : this help"
+    echo
+    echo "Command option examples:"
+    echo " helmv2-cli -- helm search"
+    echo " helmv2-cli -- helm list"
+    echo " helmv2-cli -- helm list --namespace openstack --pending"
+    exit 0
+fi
+
+# Logger setup
+LOG_FACILITY=user
+LOG_PRIORITY=info
+function LOG {
+    logger -t "${0##*/}[$$]" -p ${LOG_FACILITY}.${LOG_PRIORITY} "$@"
+    echo "${0##*/}[$$]" "$@"
+}
+function ERROR {
+    MSG="ERROR"
+    LOG "${MSG} $@"
+}
+
+# Determine armada pod
+POD=$(kubectl get pods -n armada --selector=application=armada \
+      --output=jsonpath={.items..metadata.name})
+if [ -z "${POD}" ]; then
+    ERROR "Could not find armada pod."
+    exit 1
+fi
+if [ ${DEBUG} == 'true' ]; then
+    LOG "Found armada pod: ${POD}"
+fi
+
+# Determine tiller listen port (configured by armada chart)
+# armada-api is container index 0, tiller is container index 1
+TILLER_PORT=$(kubectl get pod -n armada ${POD} \
+              --output=jsonpath={.spec.containers[1].ports[0].containerPort})
+if [ -z "${TILLER_PORT}" ]; then
+    ERROR "Could not find tiller listen port."
+    exit 1
+fi
+if [ ${DEBUG} == 'true' ]; then
+    LOG "Found tiller listen port: ${TILLER_PORT}"
+fi
+
+# Launch BusyBox shell with access to local tiller.
+# Can execute helm v2 commands as '/helm' or 'helm'.
+if [ ${DEBUG} == 'true' ]; then
+    LOG "Launching Helm-v2 client"
+fi
+HELM_HOST=":${TILLER_PORT}"
+if [ -z "${OTHERARGS}" ]; then
+    # Interactive BusyBox shell
+    kubectl exec -it -n armada ${POD} -c tiller -- \
+        /bin/sh -c "PATH=${PATH}:/tmp PS1='Helm-v2 \h:\w $ ' HELM_HOST=${HELM_HOST} /bin/sh"
+else
+    # Execute single helm v2 command in BusyBox shell
+    kubectl exec -n armada ${POD} -c tiller -- \
+        /bin/sh -c "PATH=${PATH}:/tmp HELM_HOST=${HELM_HOST} /bin/sh -c '$OTHERARGS'"
+fi
+
+exit 0

kubernetes/helm/centos/helm.spec

@@ -1,5 +1,5 @@
 Name: helm
-Version: 2.13.1
+Version: 3.2.1
 Release: 0%{?_tis_dist}.%{tis_patch_ver}
 Summary: The Kubernetes Package Manager 
 License: Apache-2.0
@@ -9,6 +9,7 @@ URL: https://github.com/kubernetes/helm/releases
 Source0: %{name}-v%{version}-linux-amd64.tar.gz
 Source1: helm-upload
 Source2: helm.sudo
+Source3: helmv2-cli
 
 Requires: /bin/bash
 
@@ -23,6 +24,7 @@ install -d %{buildroot}%{_sbindir}
 install -m 755 ${RPM_BUILD_DIR}/linux-amd64/helm %{buildroot}%{_sbindir}/helm
 install -d %{buildroot}/usr/local/sbin
 install -m 755 %{SOURCE1} %{buildroot}/usr/local/sbin/helm-upload
+install -m 755 %{SOURCE3} %{buildroot}/usr/local/sbin/helmv2-cli
 install -d %{buildroot}%{_sysconfdir}/sudoers.d
 install -m 440 %{SOURCE2} %{buildroot}%{_sysconfdir}/sudoers.d/helm
 
@@ -30,4 +32,5 @@ install -m 440 %{SOURCE2} %{buildroot}%{_sysconfdir}/sudoers.d/helm
 %defattr(-,root,root,-)
 %{_sbindir}/helm
 /usr/local/sbin/helm-upload
+/usr/local/sbin/helmv2-cli
 %{_sysconfdir}/sudoers.d/helm