Changelog:

- Rename oauth2 to auth in Helm chart configuration
- Add ClusterRole/ClusterRoleBinding for insights-ros-ingress
- Update deployment templates and API middleware
- Enhance test and deployment scripts

Signed-off-by: Jordi Gil <jgil@redhat.com>

Author: jordigilh

deployment/docker-compose/test-ros-ocp-dataflow.sh

@@ -523,7 +523,7 @@ main() {
     wait_for_service "PostgreSQL (Sources)" "podman exec db-sources_1 pg_isready -U postgres" 90
     wait_for_service "Kafka" "podman exec kafka_1 kafka-broker-api-versions --bootstrap-server localhost:29092" 90
     wait_for_service "MinIO" "curl -f http://localhost:9000/minio/health/live" 60
-    wait_for_service "Redis" "podman exec redis_1 redis-cli ping" 60
+    wait_for_service "Redis" "podman exec redis_1 valkey-cli ping" 60
 
     # Wait for application services
     wait_for_service "Ingress" "curl -f http://localhost:${ACTUAL_INGRESS_PORT}/health" 120

deployment/kubernetes/helm/ros-ocp/templates/clusterrole-insights-ros-ingress.yaml

@@ -0,0 +1,13 @@
+{{/* Create ClusterRole for insights-ros-ingress service account */}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "ros-ocp.fullname" . }}-insights-ros-ingress
+  labels:
+    {{- include "ros-ocp.labels" . | nindent 4 }}
+    app.kubernetes.io/component: rbac
+rules:
+  # Token validation permissions - only what's needed for authentication
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]

deployment/kubernetes/helm/ros-ocp/templates/clusterrolebinding-insights-ros-ingress.yaml

@@ -0,0 +1,16 @@
+{{/* Create ClusterRoleBinding for insights-ros-ingress service account */}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "ros-ocp.fullname" . }}-insights-ros-ingress
+  labels:
+    {{- include "ros-ocp.labels" . | nindent 4 }}
+    app.kubernetes.io/component: rbac
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "ros-ocp.fullname" . }}-insights-ros-ingress
+subjects:
+  - kind: ServiceAccount
+    name: insights-ros-ingress
+    namespace: {{ .Release.Namespace }}

deployment/kubernetes/helm/ros-ocp/templates/deployment-ingress.yaml

@@ -51,6 +51,7 @@ spec:
               done
               echo "Kafka is ready"
               echo "Kafka is ready"
+      serviceAccountName: insights-ros-ingress
       containers:
         - name: ingress
           image: "{{ .Values.ingress.image.repository }}:{{ .Values.ingress.image.tag }}"
@@ -141,6 +142,21 @@ spec:
               value: {{ .Values.ingress.metrics.path | quote }}
             - name: METRICS_PORT
               value: {{ .Values.ingress.metrics.port | quote }}
+
+            # HCCM Validation configuration
+            # Platform-specific validation settings: disabled for KIND/development, enabled for OpenShift/production
+            - name: HCCM_VALIDATION_ENABLED
+              value: {{ if eq (include "ros-ocp.isOpenShift" .) "true" }}"true"{{ else }}"false"{{ end }}
+            - name: HCCM_VALIDATION_SERVICE_URL
+              value: {{ if eq (include "ros-ocp.isOpenShift" .) "true" }}{{ .Values.ingress.validation.hccm.serviceUrl | quote }}{{ else }}""{{ end }}
+            - name: HCCM_VALIDATION_TIMEOUT
+              value: {{ .Values.ingress.validation.hccm.timeout | quote }}
+            - name: HCCM_VALIDATION_RETRIES
+              value: {{ .Values.ingress.validation.hccm.retries | quote }}
+            - name: PLATFORM_MODE
+              value: {{ if eq (include "ros-ocp.isOpenShift" .) "true" }}"production"{{ else }}"development"{{ end }}
+            - name: VALIDATION_BYPASS_MODE
+              value: {{ if eq (include "ros-ocp.isOpenShift" .) "true" }}"false"{{ else }}"true"{{ end }}
           livenessProbe:
             httpGet:
               path: /health

deployment/kubernetes/helm/ros-ocp/templates/deployment-rosocp-api.yaml

@@ -99,6 +99,8 @@ spec:
               value: {{ include "ros-ocp.databaseUrl" . }}
             - name: KAFKA_BOOTSTRAP_SERVERS
               value: {{ include "ros-ocp.fullname" . }}-kafka:{{ .Values.kafka.broker.port }}
+            - name: ID_PROVIDER
+              value: {{ .Values.auth.provider | quote }}
           livenessProbe:
             httpGet:
               path: /status

deployment/kubernetes/helm/ros-ocp/templates/insights-ros-ingress-serviceaccount.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: insights-ros-ingress
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "ros-ocp.labels" . | nindent 4 }}
+    app.kubernetes.io/component: ingress

deployment/kubernetes/helm/ros-ocp/values.yaml

@@ -20,6 +20,10 @@ serviceAccount:
   create: true
   name: ros-ocp-backend
 
+# Auth Configuration
+auth:
+  provider: "oauth2"
+
 # Database configurations
 database:
   ros: # Database configuration for ros-ocp services
@@ -157,6 +161,19 @@ ingress:
     path: "/metrics"
     port: 8080
 
+  # Validation configuration
+  validation:
+    hccm:
+      # Enable hccm validation service (disabled for KIND/development, enabled for OpenShift/production)
+      # This will be overridden by platform detection in deployment-ingress.yaml
+      enabled: false
+      # HCCM validation service URL (empty for development mode)
+      serviceUrl: ""
+      # Validation timeout in seconds
+      timeout: "30"
+      # Number of retries for validation calls
+      retries: "3"
+
 # Sources API
 sourcesApi:
   image:
@@ -227,7 +244,8 @@ kruize:
 rosocp:
   processor:
     image:
-      repository: quay.io/insights-onprem/ros-ocp-backend
+#TODO: Change to quay.io/insights-onprem/ros-ocp-backend when access is granted
+      repository: quay.io/jordigilh/ros-ocp-backend
       tag: "latest"
     metricsPort: 9000
     kafkaConsumerGroupId: rosocp-processor
@@ -239,7 +257,8 @@ rosocp:
 
   recommendationPoller:
     image:
-      repository: quay.io/insights-onprem/ros-ocp-backend
+#TODO: Change to quay.io/insights-onprem/ros-ocp-backend when access is granted
+      repository: quay.io/jordigilh/ros-ocp-backend
       tag: "latest"
     metricsPort: 9000
     kafkaConsumerGroupId: rosocp-recommendation-poller
@@ -251,7 +270,8 @@ rosocp:
 
   api:
     image:
-      repository: quay.io/insights-onprem/ros-ocp-backend
+#TODO: Change to quay.io/insights-onprem/ros-ocp-backend when access is granted
+      repository: quay.io/jordigilh/ros-ocp-backend
       tag: "latest"
     port: 8000
     metricsPort: 9000
@@ -264,15 +284,17 @@ rosocp:
 
   housekeeper:
     image:
-      repository: quay.io/insights-onprem/ros-ocp-backend
+#TODO: Change to quay.io/insights-onprem/ros-ocp-backend when access is granted
+      repository: quay.io/jordigilh/ros-ocp-backend
       tag: "latest"
     serviceName: rosocp-housekeeper-sources
     logLevel: INFO
 
   partitionCleaner:
     schedule: "0 0 */15 * *"  # Runs at 12:00 AM, every 15 days
     image:
-      repository: quay.io/insights-onprem/ros-ocp-backend
+#TODO: Change to quay.io/insights-onprem/ros-ocp-backend when access is granted
+      repository: quay.io/jordigilh/ros-ocp-backend
       tag: "latest"
     serviceName: rosocp-housekeeper-partition
     logLevel: INFO

deployment/kubernetes/scripts/cleanup-kind-artifacts.sh

@@ -0,0 +1,168 @@
+#!/bin/bash
+
+# KIND Artifacts Cleanup Script
+# This script cleans up KIND clusters, containers, and related images
+# Can be used standalone or called from other scripts
+
+set -e  # Exit on any error
+
+# Color codes for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+# Configuration
+KIND_CLUSTER_NAME=${KIND_CLUSTER_NAME:-ros-ocp-cluster}
+CONTAINER_RUNTIME=${CONTAINER_RUNTIME:-podman}
+
+echo_info() {
+    echo -e "${BLUE}[INFO]${NC} $1"
+}
+
+echo_success() {
+    echo -e "${GREEN}[SUCCESS]${NC} $1"
+}
+
+echo_warning() {
+    echo -e "${YELLOW}[WARNING]${NC} $1"
+}
+
+echo_error() {
+    echo -e "${RED}[ERROR]${NC} $1"
+}
+
+# Function to check if a command exists
+command_exists() {
+    command -v "$1" >/dev/null 2>&1
+}
+
+# Function to detect container runtime
+detect_container_runtime() {
+    local runtime="${CONTAINER_RUNTIME:-podman}"
+
+    if [ "$runtime" = "auto" ]; then
+        if command_exists podman; then
+            runtime="podman"
+        elif command_exists docker; then
+            runtime="docker"
+        else
+            echo_error "No supported container runtime found. Please install Docker or Podman."
+            return 1
+        fi
+    fi
+
+    if ! command_exists "$runtime"; then
+        echo_error "$runtime specified but not found. Please install $runtime."
+        return 1
+    fi
+
+    export DETECTED_RUNTIME="$runtime"
+    echo_info "Using $runtime as container runtime"
+    return 0
+}
+
+# Function to clean up existing KIND containers and project images
+cleanup_kind_artifacts() {
+    echo_info "Performing cleanup of KIND artifacts..."
+
+    # Remove KIND cluster if it exists
+    if command_exists kind; then
+        if kind get clusters | grep -q "^${KIND_CLUSTER_NAME}$"; then
+            echo_info "Removing existing KIND cluster: $KIND_CLUSTER_NAME"
+            kind delete cluster --name "$KIND_CLUSTER_NAME" || echo_warning "Failed to delete KIND cluster (may not exist)"
+        else
+            echo_info "No KIND cluster '$KIND_CLUSTER_NAME' found to remove"
+        fi
+    else
+        echo_warning "kind command not found, skipping cluster cleanup"
+    fi
+
+    # Detect container runtime for cleanup
+    if ! detect_container_runtime; then
+        echo_warning "Could not detect container runtime, skipping container cleanup"
+        return 0
+    fi
+
+    # Remove KIND containers that might be lingering
+    echo_info "Cleaning up lingering KIND containers..."
+    if command_exists "$DETECTED_RUNTIME"; then
+        # Stop and remove KIND control plane containers
+        "$DETECTED_RUNTIME" ps -a --format "{{.Names}}" | grep -E "kind|ros-ocp" | while read -r container; do
+            if [ -n "$container" ]; then
+                echo_info "Stopping and removing container: $container"
+                "$DETECTED_RUNTIME" stop "$container" 2>/dev/null || true
+                "$DETECTED_RUNTIME" rm "$container" 2>/dev/null || true
+            fi
+        done
+
+        # Remove project-related images
+        echo_info "Cleaning up project-related images..."
+        "$DETECTED_RUNTIME" images --format "{{.Repository}}:{{.Tag}}" | grep -E "ros-ocp-backend|jordigilh" | while read -r image; do
+            if [ -n "$image" ]; then
+                echo_info "Removing image: $image"
+                "$DETECTED_RUNTIME" rmi -f "$image" 2>/dev/null || true
+            fi
+        done
+
+        # Remove dangling images
+        echo_info "Cleaning up dangling images..."
+        "$DETECTED_RUNTIME" image prune -f 2>/dev/null || true
+    fi
+
+    echo_success "Cleanup completed"
+}
+
+# Function to show help
+show_help() {
+    echo "Usage: $0 [options]"
+    echo ""
+    echo "Clean up KIND clusters, containers, and related images"
+    echo ""
+    echo "Options:"
+    echo "  --cluster-name NAME    KIND cluster name to clean up (default: ros-ocp-cluster)"
+    echo "  --container-runtime     Container runtime to use (default: podman, supports: podman, docker, auto)"
+    echo "  --help, -h             Show this help message"
+    echo ""
+    echo "Environment Variables:"
+    echo "  KIND_CLUSTER_NAME      Name of KIND cluster (default: ros-ocp-cluster)"
+    echo "  CONTAINER_RUNTIME      Container runtime to use (default: podman)"
+    echo ""
+    echo "Examples:"
+    echo "  $0                                    # Clean up default cluster"
+    echo "  $0 --cluster-name my-cluster         # Clean up specific cluster"
+    echo "  CONTAINER_RUNTIME=docker $0          # Use Docker instead of Podman"
+}
+
+# Parse command line arguments
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --cluster-name)
+            KIND_CLUSTER_NAME="$2"
+            shift 2
+            ;;
+        --container-runtime)
+            CONTAINER_RUNTIME="$2"
+            shift 2
+            ;;
+        --help|-h)
+            show_help
+            exit 0
+            ;;
+        *)
+            echo_error "Unknown option: $1"
+            show_help
+            exit 1
+            ;;
+    esac
+done
+
+# Main execution
+echo_info "Starting KIND artifacts cleanup..."
+echo_info "Cluster name: $KIND_CLUSTER_NAME"
+echo_info "Container runtime: $CONTAINER_RUNTIME"
+
+cleanup_kind_artifacts
+
+echo_success "KIND artifacts cleanup completed successfully!"