review updates

Author: fghanmi

.env

@@ -1,4 +1,3 @@
 CONSOLE_IMAGE=quay.io/securesign/rhtas-console@sha256:75966d60ed709af33efd48c53b96ea7b2fcd4608f90ccc56885bf224e34b55f5
 CONSOLE_UI_IMAGE=quay.io/securesign/rhtas-console-ui@sha256:c0b0b2d76548c05efadb2425baf93609cf6c40180f170cb531fbb7689a91db31
-CONSOLE_DB_IMAGE=mariadb:lts-ubi
-
+CONSOLE_DB_IMAGE=registry.redhat.io/rhel9/mariadb-105@sha256:050dd5a7a32395b73b8680570e967e55050b152727412fdd73a25d8816e62d53

README.md

@@ -92,4 +92,77 @@ Make sure the `ubi.repo` file has all repositories enabled `enabled = 1` and the
 
 ```
 rpm-lockfile-prototype --image $BASE_IMAGE rpms.in.yaml
-```
+```
+
+## Deployment
+
+The `deployment/` directory contains Kubernetes manifests organized into a `base/` directory and an `overlays/dev/` directory for deploying the RHTAS Console (UI, backend, and database) using [Kustomize](https://kustomize.io/). The `base/` directory includes:
+
+- `console-backend-deploy.yaml`: Deployment configuration for the console backend.
+- `console-backend-service.yaml`: Service definition for the backend.
+- `console-db-deploy.yaml`: Deployment configuration for the console database.
+- `console-db-pvc.yaml`: Persistent Volume Claim for the database.
+- `console-db-secret.yaml`: Secrets for database credentials.
+- `console-db-service.yaml`: Service definition for the database.
+- `console-serviceaccounts.yaml`: Service accounts for the console components.
+- `console-ui-deploy.yaml`: Deployment configuration for the console UI.
+- `console-ui-route.yaml`: Route configuration for the UI.
+- `console-ui-service.yaml`: Service definition for the UI.
+- `kustomization.yaml`: Kustomize configuration to orchestrate the deployment.
+
+The `overlays/dev/` directory contains a `kustomization.yaml` for environment-specific customizations.
+
+### Prerequisites
+
+- A running OpenShift cluster.
+- `oc` CLI installed.
+- A running RHTAS instance to retrieve the TUF route URL.
+
+### Deployment Steps
+
+1. **Update the TUF Repository URL**:
+
+   Before deploying, update the `TUF_REPO_URL` environment variable in `deployment/base/console-backend-deploy.yaml`. The default value is `https://tuf-repo-cdn.sigstore.dev`, but it must be replaced with the actual TUF route URL from your running RHTAS instance. To retrieve the correct URL, run:
+
+   ```bash
+   oc get route tuf -o jsonpath='https://{.spec.host}{"\n"}'
+   ```
+   Edit `deployment/base/console-backend-deploy.yaml` and replace the TUF_REPO_URL value with the output from the above command.
+
+2. **Set Environment Variables**:
+   The `.env` file contains the required image variables (`CONSOLE_IMAGE, CONSOLE_UI_IMAGE, CONSOLE_DB_IMAGE`). Load the environment variables:
+
+   ```bash
+   export $(grep -v '^#' .env | xargs)
+   ```
+
+3. **Apply the Deployment**:
+
+   Ensure that an RHTAS instance is properly deployed and running in the `trusted-artifact-signer` namespace.
+
+   Deploy the console using Kustomize with environment variable substitution:
+
+   ```bash
+   oc kustomize deployment/overlays/dev | envsubst '${CONSOLE_IMAGE} ${CONSOLE_UI_IMAGE} ${CONSOLE_DB_IMAGE}' | oc apply -f -
+   ```
+
+4. **Verify the Deployment**:
+
+   Check the status of the deployed resources:
+
+   ```bash
+   oc get pods,services,routes -n trusted-artifact-signer
+   ```
+
+   You can access the console via a browser using the UI route:
+   ```bash
+   oc get route console-ui -o jsonpath='https://{.spec.host}{"\n"}'
+   ```
+
+5. **Deletion**:
+
+   To delete the deployed resources:
+
+   ```bash
+   oc kustomize deployment/overlays/dev | envsubst '${CONSOLE_IMAGE} ${CONSOLE_UI_IMAGE} ${CONSOLE_DB_IMAGE}' | oc delete -f -
+   ```

deployment/console-backend-deploy.yaml renamed to deployment/base/console-backend-deploy.yaml

@@ -3,24 +3,32 @@ kind: Deployment
 metadata:
   name: console-backend
   labels:
+    app.kubernetes.io/name: securesign-sample
+    app.kubernetes.io/instance: securesign-sample
+    app.kubernetes.io/part-of: trusted-artifact-signer
     app.kubernetes.io/component: console-backend
-    app.kubernetes.io/name: console-backend
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app.kubernetes.io/name: console-backend
+      app.kubernetes.io/name: securesign-sample
+      app.kubernetes.io/instance: securesign-sample
+      app.kubernetes.io/part-of: trusted-artifact-signer
+      app.kubernetes.io/component: console-backend
   strategy:
     type: Recreate
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: console-backend
+        app.kubernetes.io/name: securesign-sample
+        app.kubernetes.io/instance: securesign-sample
+        app.kubernetes.io/part-of: trusted-artifact-signer
+        app.kubernetes.io/component: console-backend
     spec:
       serviceAccountName: console-backend
       initContainers:
       - name: wait-for-console-db
-        image: registry.redhat.io/rhel9/mariadb-105@sha256:050dd5a7a32395b73b8680570e967e55050b152727412fdd73a25d8816e62d53
+        image: ${CONSOLE_DB_IMAGE}
         command:
         - /bin/sh
         - -c
@@ -31,7 +39,7 @@ spec:
           done
       containers:
       - name: console-backend
-        image: quay.io/securesign/rhtas-console@sha256:75966d60ed709af33efd48c53b96ea7b2fcd4608f90ccc56885bf224e34b55f5
+        image: ${CONSOLE_IMAGE}
         imagePullPolicy: IfNotPresent
         env:
         - name: TUF_REPO_URL

deployment/base/console-backend-service.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: console-backend
+  labels:
+    app.kubernetes.io/name: securesign-sample
+    app.kubernetes.io/instance: securesign-sample
+    app.kubernetes.io/part-of: trusted-artifact-signer
+    app.kubernetes.io/component: console-backend
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: securesign-sample
+    app.kubernetes.io/instance: securesign-sample
+    app.kubernetes.io/part-of: trusted-artifact-signer
+    app.kubernetes.io/component: console-backend
+  ports:
+  - name: http
+    port: 8080
+    targetPort: http

deployment/console-db-deploy.yaml renamed to deployment/base/console-db-deploy.yaml

@@ -3,24 +3,32 @@ kind: Deployment
 metadata:
   name: console-db
   labels:
+    app.kubernetes.io/name: securesign-sample
+    app.kubernetes.io/instance: securesign-sample
+    app.kubernetes.io/part-of: trusted-artifact-signer
     app.kubernetes.io/component: console-db
-    app.kubernetes.io/name: console-db
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app.kubernetes.io/name: console-db
+      app.kubernetes.io/name: securesign-sample
+      app.kubernetes.io/instance: securesign-sample
+      app.kubernetes.io/part-of: trusted-artifact-signer
+      app.kubernetes.io/component: console-db
   strategy:
     type: Recreate
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: console-db
+        app.kubernetes.io/name: securesign-sample
+        app.kubernetes.io/instance: securesign-sample
+        app.kubernetes.io/part-of: trusted-artifact-signer
+        app.kubernetes.io/component: console-db
     spec:
       serviceAccountName: console-db
       containers:
       - name: console-db
-        image: registry.redhat.io/rhel9/mariadb-105@sha256:050dd5a7a32395b73b8680570e967e55050b152727412fdd73a25d8816e62d53
+        image: ${CONSOLE_DB_IMAGE}
         imagePullPolicy: IfNotPresent
         command: ["run-mysqld"]
         env:

deployment/console-db-pvc.yaml renamed to deployment/base/console-db-pvc.yaml

@@ -3,8 +3,10 @@ kind: PersistentVolumeClaim
 metadata:
   name: console-mysql
   labels:
+    app.kubernetes.io/name: securesign-sample
+    app.kubernetes.io/instance: securesign-sample
+    app.kubernetes.io/part-of: trusted-artifact-signer
     app.kubernetes.io/component: console-db
-    app.kubernetes.io/name: console-db
 spec:
   accessModes:
     - ReadWriteOnce

deployment/console-db-secret.yaml renamed to deployment/base/console-db-secret.yaml

@@ -3,8 +3,10 @@ kind: Secret
 metadata:
   name: console-db-connection
   labels:
+    app.kubernetes.io/name: securesign-sample
+    app.kubernetes.io/instance: securesign-sample
+    app.kubernetes.io/part-of: trusted-artifact-signer
     app.kubernetes.io/component: console-db
-    app.kubernetes.io/name: console-db
 type: Opaque
 stringData:
   mysql-user: mysql

deployment/base/console-db-service.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: console-db
+  labels:
+    app.kubernetes.io/name: securesign-sample
+    app.kubernetes.io/instance: securesign-sample
+    app.kubernetes.io/part-of: trusted-artifact-signer
+    app.kubernetes.io/component: console-db
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: securesign-sample
+    app.kubernetes.io/instance: securesign-sample
+    app.kubernetes.io/part-of: trusted-artifact-signer
+    app.kubernetes.io/component: console-db
+  ports:
+  - name: mysql
+    port: 3306
+    targetPort: mysql

deployment/console-serviceaccounts.yaml renamed to deployment/base/console-serviceaccounts.yaml

@@ -3,22 +3,30 @@ kind: Deployment
 metadata:
   name: console-ui
   labels:
+    app.kubernetes.io/name: securesign-sample
+    app.kubernetes.io/instance: securesign-sample
+    app.kubernetes.io/part-of: trusted-artifact-signer
     app.kubernetes.io/component: console-ui
-    app.kubernetes.io/name: console-ui
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app.kubernetes.io/name: console-ui
+      app.kubernetes.io/name: securesign-sample
+      app.kubernetes.io/instance: securesign-sample
+      app.kubernetes.io/part-of: trusted-artifact-signer
+      app.kubernetes.io/component: console-ui
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: console-ui
+        app.kubernetes.io/name: securesign-sample
+        app.kubernetes.io/instance: securesign-sample
+        app.kubernetes.io/part-of: trusted-artifact-signer
+        app.kubernetes.io/component: console-ui
     spec:
       serviceAccountName: console-ui
       initContainers:
       - name: wait-for-backend
-        image: quay.io/securesign/rhtas-console-ui@sha256:c0b0b2d76548c05efadb2425baf93609cf6c40180f170cb531fbb7689a91db31
+        image: ${CONSOLE_UI_IMAGE}
         command:
         - /bin/sh
         - -c
@@ -36,7 +44,7 @@ spec:
           done
       containers:
       - name: console-ui
-        image: quay.io/securesign/rhtas-console-ui@sha256:c0b0b2d76548c05efadb2425baf93609cf6c40180f170cb531fbb7689a91db31
+        image: ${CONSOLE_UI_IMAGE}
         imagePullPolicy: IfNotPresent
         env:
         - name: CONSOLE_API_URL