Fix tekton results storage configurations

* Add minio user creation through tenant, and disable TLS
* Add minio and postgres as multiple sources in pipeline storage ArgoCD application
* Increase timeouts
* Fix reset script

Author: sayan-biswas

developer/openshift/dev_setup.sh

@@ -227,7 +227,7 @@ install_pipeline_service() {
   TEKTON_RESULTS_DATABASE_PASSWORD="$(yq '.tekton_results_db.password' "$CONFIG")"
   export TEKTON_RESULTS_DATABASE_USER
   export TEKTON_RESULTS_DATABASE_PASSWORD
-  TEKTON_RESULTS_S3_USER="$(yq '.tekton_results_s3.user // "minio"' "$CONFIG")"
+  TEKTON_RESULTS_S3_USER="$(yq '.tekton_results_s3.user // "tekton"' "$CONFIG")"
   TEKTON_RESULTS_S3_PASSWORD="$(yq ".tekton_results_s3.password // \"$(openssl rand -base64 20)\"" "$CONFIG")"
   export TEKTON_RESULTS_S3_USER
   export TEKTON_RESULTS_S3_PASSWORD
@@ -244,17 +244,14 @@ install_pipeline_service() {
   for app in "pipeline-service" "pipeline-service-storage"; do
     cat << EOF >"$manifest_dir/patch-$app.yaml"
 ---
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: $app
-  namespace: openshift-gitops
-spec:
-  source:
-    repoURL: $GIT_URL
-    targetRevision: $GIT_REF
+- op: replace
+  path: "/spec/sources/0/repoURL"
+  value: $GIT_URL
+- op: replace
+  path: "/spec/sources/0/targetRevision"
+  value: $GIT_REF
 EOF
-    yq -i ".patches += [{\"path\": \"patch-$app.yaml\"}]" "$manifest_dir/kustomization.yaml"
+    yq -i ".patches += [{\"path\": \"patch-$app.yaml\", \"target\": {\"kind\": \"Application\", \"namespace\": \"openshift-gitops\", \"name\": \"$app\" }}]" "$manifest_dir/kustomization.yaml"
   done
 
   #############################################################################

developer/openshift/gitops/argocd/pipeline-service-storage.yaml

@@ -6,12 +6,20 @@ metadata:
   namespace: openshift-gitops
 spec:
   destination:
-    namespace: openshift-gitops
+    namespace: tekton-results
     server: https://kubernetes.default.svc
-  source:
-    path: developer/openshift/gitops/argocd/pipeline-service-storage
-    repoURL: https://github.com/openshift-pipelines/pipeline-service.git
-    targetRevision: main
+  sources:
+    - repoURL: https://github.com/openshift-pipelines/pipeline-service.git
+      path: developer/openshift/gitops/argocd/pipeline-service-storage/minio
+      targetRevision: main
+      ref: values
+    - repoURL: https://charts.bitnami.com/bitnami
+      chart: postgresql
+      targetRevision: 12.2.7
+      helm:
+        releaseName: postgres
+        valueFiles:
+          - $values/developer/openshift/gitops/argocd/pipeline-service-storage/postgres/values.yaml
   project: default
   syncPolicy:
     # Comment this out if you want to manually trigger deployments (using the

developer/openshift/gitops/argocd/pipeline-service-storage/kustomization.yaml

@@ -1,6 +1,6 @@
 ---
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
 
 resources:
   - operator

developer/openshift/gitops/argocd/pipeline-service-storage/minio/kustomization.yaml

@@ -2,7 +2,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: openshift-minio-apply-tenants
+  name: openshift-gitops-minio
 rules:
   - apiGroups:
       - minio.min.io
@@ -19,23 +19,31 @@ rules:
     resources:
       - deployments
     verbs:
-      - "*"
+      - "get"
+      - "create"
+      - "update"
+      - "patch"
+      - "delete"
   - apiGroups:
       - ""
     resources:
       - serviceaccounts
       - services
     verbs:
       - create
+      - delete
+      - update
+      - patch
+      - get
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: openshift-minio-apply-tenants
+  name: openshift-gitops-minio
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: openshift-minio-apply-tenants
+  name: openshift-gitops-minio
 subjects:
   - kind: ServiceAccount
     name: openshift-gitops-argocd-application-controller

developer/openshift/gitops/argocd/pipeline-service-storage/minio/operator/allow-argocd-to-manage.yaml

@@ -2,7 +2,7 @@
 apiVersion: minio.min.io/v2
 kind: Tenant
 metadata:
-  name: storage
+  name: minio
   namespace: tekton-results
   labels:
     app: minio
@@ -12,60 +12,35 @@ metadata:
     prometheus.io/scrape: "true"
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 spec:
+  image: quay.io/minio/minio:latest
+  requestAutoCert: false
+  podManagementPolicy: Parallel
+  configuration:
+    name: minio-configuration
   exposeServices:
     minio: true
   features:
     bucketDNS: false
-    domains: {}
-  # This desired part doesn't work. Issues:
-  # https://github.com/minio/operator/issues/1345
-  # https://github.com/minio/operator/issues/1346
-  # users:
-  #   - name: storage-user
-  # buckets:
-  #   - name: "tekton-results"
-  #     region: "us-east-1"
-  #     objectLock: true
-  certConfig: {}
-  podManagementPolicy: Parallel
-  configuration:
-    name: minio-storage-configuration
-  env: []
-  serviceMetadata:
-    minioServiceLabels: {}
-    minioServiceAnnotations: {}
-    consoleServiceLabels: {}
-    consoleServiceAnnotations: {}
-  priorityClassName: ""
-  externalCaCertSecret: []
-  externalCertSecret: []
-  externalClientCertSecrets: []
-  image: quay.io/minio/minio:RELEASE.2022-09-17T00-09-45Z
-  imagePullSecret: {}
-  mountPath: /export
-  subPath: ""
+  users:
+    - name: minio-user
+  buckets:
+    - name: tekton-results
+      region: not-applicable
+      objectLock: true
   pools:
     - servers: 1
       name: pool-0
       volumesPerServer: 2
-      nodeSelector: {}
-      tolerations: []
-      affinity:
-        nodeAffinity: {}
-        podAffinity: {}
-        podAntiAffinity: {}
-      resources: {}
       volumeClaimTemplate:
         apiVersion: v1
         kind: persistentvolumeclaims
-        metadata: {}
         spec:
           accessModes:
             - ReadWriteOnce
           resources:
             requests:
               storage: 1Gi
-        status: {}
-      securityContext: {}
-      containerSecurityContext: {}
-  requestAutoCert: true
+      securityContext:
+        runAsNonRoot: true
+      containerSecurityContext:
+        runAsNonRoot: true

developer/openshift/gitops/argocd/pipeline-service-storage/minio/tenant/tenant.yaml

@@ -0,0 +1,38 @@
+---
+image:
+  tag: 13.10.0
+
+tls:
+  enabled: true
+  autoGenerated: true
+
+auth:
+  database: tekton_results
+  username: tekton
+  existingSecret: tekton-results-database
+  secretKeys:
+    userPasswordKey: db.password
+    adminPasswordKey: db.password
+
+primary:
+  resources:
+    requests: null
+  podSecurityContext:
+    fsGroup: null
+    seccompProfile:
+      type: RuntimeDefault
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    runAsNonRoot: true
+    runAsUser: null
+    seccompProfile:
+      type: RuntimeDefault
+    capabilities:
+      drop:
+        - ALL
+
+volumePermissions:
+  enabled: false
+
+shmVolume:
+  enabled: false

developer/openshift/gitops/argocd/pipeline-service-storage/postgres.yaml

@@ -6,12 +6,12 @@ metadata:
   namespace: openshift-gitops
 spec:
   destination:
-    namespace: openshift-gitops
+    namespace: pipeline-service
     server: https://kubernetes.default.svc
-  source:
-    path: developer/openshift/gitops/argocd/pipeline-service
-    repoURL: https://github.com/openshift-pipelines/pipeline-service.git
-    targetRevision: main
+  sources:
+    - path: developer/openshift/gitops/argocd/pipeline-service
+      repoURL: https://github.com/openshift-pipelines/pipeline-service.git
+      targetRevision: main
   project: default
   syncPolicy:
     # Comment this out if you want to manually trigger deployments (using the

developer/openshift/gitops/argocd/pipeline-service-storage/postgres/values.yaml

@@ -5,9 +5,9 @@ kind: Kustomization
 resources:
   - ../../../../../operator/gitops/argocd/pipeline-service
 
-patches:
-  - path: tekton-results/minio-create-bucket.yaml
-  - path: tekton-results/minio-tls.yaml
+  # Temporarily disabling the Minio TLS because the user creation with CSR is a bit flaky in the current version
+  #  patches:
+  #  - path: tekton-results/minio-tls.yaml
 
   # Skip applying the Tekton operands while the Tekton operator is being installed.
   # See more information about this option, here: