Merge pull request #38 from securesign/add/console-deployment

[SECURESIGN-2870] Add Kustomize-based deployment resources for console stack for Tech Preview

Author: fghanmi

.env

@@ -1,4 +1,3 @@
 CONSOLE_IMAGE=quay.io/securesign/rhtas-console@sha256:75966d60ed709af33efd48c53b96ea7b2fcd4608f90ccc56885bf224e34b55f5
 CONSOLE_UI_IMAGE=quay.io/securesign/rhtas-console-ui@sha256:c0b0b2d76548c05efadb2425baf93609cf6c40180f170cb531fbb7689a91db31
-CONSOLE_DB_IMAGE=mariadb:lts-ubi
-
+CONSOLE_DB_IMAGE=registry.redhat.io/rhel9/mariadb-105@sha256:050dd5a7a32395b73b8680570e967e55050b152727412fdd73a25d8816e62d53

README.md

@@ -92,4 +92,76 @@ Make sure the `ubi.repo` file has all repositories enabled `enabled = 1` and the
 
 ```
 rpm-lockfile-prototype --image $BASE_IMAGE rpms.in.yaml
-```
+```
+
+## Deployment
+
+The `deployment/` directory contains Kubernetes manifests organized into a `base/` directory and an `overlays/dev/` directory for deploying the RHTAS Console (UI, backend, and database) using [Kustomize](https://kustomize.io/). The `base/` directory includes:
+
+- `console-backend-deploy.yaml`: Deployment configuration for the console backend.
+- `console-backend-service.yaml`: Service definition for the backend.
+- `console-db-statefulset.yaml`: StatefulSet configuration for the console database.
+- `console-db-secret.yaml`: Secrets for database credentials.
+- `console-db-service.yaml`: Service definition for the database.
+- `console-serviceaccounts.yaml`: Service accounts for the console components.
+- `console-ui-deploy.yaml`: Deployment configuration for the console UI.
+- `console-ui-route.yaml`: Route configuration for the UI.
+- `console-ui-service.yaml`: Service definition for the UI.
+- `kustomization.yaml`: Kustomize configuration to orchestrate the deployment.
+
+The `overlays/dev/` directory contains a `kustomization.yaml` for environment-specific customizations.
+
+### Prerequisites
+
+- A running OpenShift cluster.
+- `oc` CLI installed.
+- A running RHTAS instance to retrieve the TUF route URL.
+
+### Deployment Steps
+
+1. **Set TUF_REPO_URL using a ConfigMap**:
+
+   Before deploying, you need to retrieve the TUF repository URL from your running RHTAS instance. This value should be stored in a ConfigMap that the console backend can consume.
+  
+   * Retrieve the TUF route URL from your running RHTAS instance:
+   ```bash
+   oc get tuf -o jsonpath='{.items[0].status.url}'
+   ```
+   
+   * Create a ConfigMap with the retrieved URL:
+   ```bash
+   oc create configmap tuf-repo-config \
+   --from-literal=TUF_REPO_URL=<output-from-above-command> \
+   -n trusted-artifact-signer
+   ```
+
+2. **Apply the Deployment**:
+
+   Ensure that an RHTAS instance is properly deployed and running in the `trusted-artifact-signer` namespace.
+
+   Deploy the console using Kustomize:
+
+   ```bash
+   oc apply -k deployment/overlays/dev/
+   ```
+
+4. **Verify the Deployment**:
+
+   Check the status of the deployed resources:
+
+   ```bash
+   oc get pods,services,routes -n trusted-artifact-signer
+   ```
+
+   You can access the console via a browser using the UI route:
+   ```bash
+   oc get route console-ui -o jsonpath='https://{.spec.host}{"\n"}'
+   ```
+
+5. **Deletion**:
+
+   To delete the deployed resources:
+
+   ```bash
+   oc delete -k deployment/overlays/dev/
+   ```

deployment/base/console-backend-deploy.yaml

@@ -0,0 +1,90 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: console-backend
+  labels:
+    app.kubernetes.io/name: securesign-sample
+    app.kubernetes.io/instance: securesign-sample
+    app.kubernetes.io/part-of: trusted-artifact-signer
+    app.kubernetes.io/component: console-backend
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: securesign-sample
+      app.kubernetes.io/instance: securesign-sample
+      app.kubernetes.io/part-of: trusted-artifact-signer
+      app.kubernetes.io/component: console-backend
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: securesign-sample
+        app.kubernetes.io/instance: securesign-sample
+        app.kubernetes.io/part-of: trusted-artifact-signer
+        app.kubernetes.io/component: console-backend
+    spec:
+      serviceAccountName: console-backend
+      initContainers:
+      - name: wait-for-console-db
+        image: default/console-db-image
+        command:
+        - /bin/sh
+        - -c
+        - |
+          until mysqladmin ping -hconsole-db --silent; do
+            echo 'Waiting for the console database to be ready...'
+            sleep 5
+          done
+      containers:
+      - name: console-backend
+        image: default/console-image
+        imagePullPolicy: IfNotPresent
+        env:
+        - name: TUF_REPO_URL
+          valueFrom:
+            configMapKeyRef:
+              name: tuf-repo-config
+              key: TUF_REPO_URL
+        - name: DB_DSN
+          valueFrom:
+            secretKeyRef:
+              name: console-db-connection
+              key: dsn
+        - name: MYSQL_USER
+          valueFrom:
+            secretKeyRef:
+              name: console-db-connection
+              key: mysql-user
+        - name: MYSQL_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: console-db-connection
+              key: mysql-password
+        - name: SSL_CERT_DIR
+          value: /var/run/configs/tas/ca-trust:/var/run/secrets/kubernetes.io/serviceaccount
+        ports:
+        - containerPort: 8080
+          name: http
+          protocol: TCP
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 8080
+            scheme: HTTP
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 5
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 8080
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 5

deployment/base/console-backend-service.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: console-backend
+  labels:
+    app.kubernetes.io/name: securesign-sample
+    app.kubernetes.io/instance: securesign-sample
+    app.kubernetes.io/part-of: trusted-artifact-signer
+    app.kubernetes.io/component: console-backend
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: securesign-sample
+    app.kubernetes.io/instance: securesign-sample
+    app.kubernetes.io/part-of: trusted-artifact-signer
+    app.kubernetes.io/component: console-backend
+  ports:
+  - name: http
+    port: 8080
+    targetPort: http

deployment/base/console-db-secret.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: console-db-connection
+  labels:
+    app.kubernetes.io/name: securesign-sample
+    app.kubernetes.io/instance: securesign-sample
+    app.kubernetes.io/part-of: trusted-artifact-signer
+    app.kubernetes.io/component: console-db
+type: Opaque
+stringData:
+  mysql-user: mysql
+  mysql-password: mysqlpassword
+  mysql-database: tuf_trust
+  mysql-root-password: rootpw
+  mysql-port: "3306"
+  dsn: "mysql:mysqlpassword@tcp(console-db:3306)/tuf_trust"

deployment/base/console-db-service.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: console-db
+  labels:
+    app.kubernetes.io/name: securesign-sample
+    app.kubernetes.io/instance: securesign-sample
+    app.kubernetes.io/part-of: trusted-artifact-signer
+    app.kubernetes.io/component: console-db
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: securesign-sample
+    app.kubernetes.io/instance: securesign-sample
+    app.kubernetes.io/part-of: trusted-artifact-signer
+    app.kubernetes.io/component: console-db
+  ports:
+  - name: mysql
+    port: 3306
+    targetPort: mysql

deployment/base/console-db-statefulset.yaml

@@ -0,0 +1,101 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: console-db
+  labels:
+    app.kubernetes.io/name: securesign-sample
+    app.kubernetes.io/instance: securesign-sample
+    app.kubernetes.io/part-of: trusted-artifact-signer
+    app.kubernetes.io/component: console-db
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: securesign-sample
+      app.kubernetes.io/instance: securesign-sample
+      app.kubernetes.io/part-of: trusted-artifact-signer
+      app.kubernetes.io/component: console-db
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: securesign-sample
+        app.kubernetes.io/instance: securesign-sample
+        app.kubernetes.io/part-of: trusted-artifact-signer
+        app.kubernetes.io/component: console-db
+    spec:
+      serviceAccountName: console-db
+      containers:
+      - name: console-db
+        image: default/console-db-image
+        imagePullPolicy: IfNotPresent
+        command: ["run-mysqld"]
+        env:
+        - name: MYSQL_USER
+          valueFrom:
+            secretKeyRef:
+              name: console-db-connection
+              key: mysql-user
+        - name: MYSQL_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: console-db-connection
+              key: mysql-password
+        - name: MYSQL_DATABASE
+          valueFrom:
+            secretKeyRef:
+              name: console-db-connection
+              key: mysql-database
+        - name: MYSQL_ROOT_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: console-db-connection
+              key: mysql-root-password
+        - name: MYSQL_PORT
+          valueFrom:
+            secretKeyRef:
+              name: console-db-connection
+              key: mysql-port
+        ports:
+        - containerPort: 3306
+          name: mysql
+        livenessProbe:
+          exec:
+            command:
+            - bash
+            - -c
+            - mariadb-admin -u ${MYSQL_USER} -p${MYSQL_PASSWORD} ping
+          failureThreshold: 3
+          initialDelaySeconds: 30
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        readinessProbe:
+          exec:
+            command:
+            - bash
+            - -c
+            - mariadb -u ${MYSQL_USER} -p${MYSQL_PASSWORD} -e "SELECT 1;"
+          failureThreshold: 3
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        volumeMounts:
+        - mountPath: /var/lib/mysql
+          name: storage
+  volumeClaimTemplates:
+  - metadata:
+      name: storage
+      labels:
+        app.kubernetes.io/name: securesign-sample
+        app.kubernetes.io/instance: securesign-sample
+        app.kubernetes.io/part-of: trusted-artifact-signer
+        app.kubernetes.io/component: console-db
+    spec:
+      accessModes:
+      - ReadWriteOnce
+      resources:
+        requests:
+          storage: 1Gi

deployment/base/console-serviceaccounts.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: console-db
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: console-backend
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: console-ui