feat: install using helm charts (#9)

* install using helm charts

* SKIP UPGRADE TEST

Author: argeiger

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2025-01-08T20:11:33Z",
+  "generated_at": "2025-01-24T16:49:18Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -82,7 +82,7 @@
         "hashed_secret": "2254481e1661d8f017a712b0d1ad9a14fd9460a3",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 138,
+        "line_number": 134,
         "type": "Secret Keyword",
         "verified_result": null
       }

.trivyignore

@@ -0,0 +1,24 @@
+
+KSV014 # "Use read-only filesystem for containers where possible"
+
+KSV020 # "Force the container to run with user ID > 10000"
+
+KSV021 # "Force the container to run with group ID > 10000"
+
+KSV111 # "Cluster admin role only used where required"
+
+KSV001 # "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node."
+
+KSV003 # "The container should drop all default capabilities and add only those that are needed for its execution."
+
+KSV012 # "Force the running image to run as a non-root user to ensure least privileges."
+
+KSV013 # "It is best to avoid using the ':latest' image tag when deploying containers in production. Doing so makes it hard to track which version of the image is running, and hard to roll back the version."
+
+KSV030 # "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles."
+
+KSV104 # "A program inside the container can bypass Seccomp protection policies."
+
+KSV105 # "Containers should be forbidden from running with a root UID."
+
+KSV106 # "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability."

README.md

@@ -13,7 +13,7 @@ Update status and "latest release" badges:
 [![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/semantic-release/semantic-release)
 
 
-This repository contains the following deployment an Red Hat OpenShift cluster:
+This repository contains the following deployment on an Red Hat OpenShift cluster:
 - [IBM Cloud Pak for Data](./solutions/deploy)
 
 **NB:** These solutions are not intended to be called by one or more other modules since they contain a provider configurations, meaning they are not compatible with the `for_each`, `count`, and `depends_on` arguments. For more information see [Providers Within Modules](https://developer.hashicorp.com/terraform/language/modules/develop/providers)

chart/cloud-pak-deployer/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

chart/cloud-pak-deployer/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: cloud-pak-deployer
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.0.1
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.0.0"

chart/cloud-pak-deployer/templates/cluster-role-binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Values.deployer.prefix }}-sa-rbac
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.clusterRoleBinding.roleRefName }}
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.deployer.prefix }}-sa
+  namespace: {{ .Values.namespace }}

chart/cloud-pak-deployer/templates/config-map.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  cpd-config.yaml: |
+{{ .Values.deployer.configuration | indent 4 }}
+kind: ConfigMap
+metadata:
+  name: {{ .Values.deployer.prefix }}-config
+  namespace: {{ .Values.namespace }}

chart/cloud-pak-deployer/templates/entitlement-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+data:
+  cp-entitlement-key: {{ .Values.deployer.entitlement_key | b64enc }}
+metadata:
+  name: cloud-pak-entitlement-key
+  namespace: {{ .Values.namespace }}
+type: Opaque

chart/cloud-pak-deployer/templates/image-secret.yaml

@@ -0,0 +1,10 @@
+{{- if eq (default .Values.createImagePullSecret false) true }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cpd-docker-cfg
+  namespace: {{ .Values.namespace }}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ template "imagePullSecret" . }}
+{{- end }}

chart/cloud-pak-deployer/templates/imageSecret.tpl

@@ -0,0 +1,5 @@
+{{- define "imagePullSecret" }}
+{{- with .Values.imageCredentials }}
+{{- printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"%s\",\"auth\":\"%s\"}}}" .registry .username .password .email (printf "%s:%s" .username .password | b64enc) | b64enc }}
+{{- end }}
+{{- end }}