feat: onboard cloudpak 4 data

.catalog-onboard-pipeline.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+offerings:
+  - name: deploy-arch-ibm-watsonx-self-managed
+    kind: solution
+    catalog_id: 7df1e4ca-d54c-4fd0-82ce-3d13247308cd
+    offering_id: 86425cf1-a763-4d17-9bb9-75276274a5f6
+    variations:
+      - name: fully-configurable
+        mark_ready: true
+        install_type: fullstack
+        pre_validation: "tests/scripts/pre-validation-deploy-ocp-instances.sh"
+        post_validation: "tests/scripts/post-validation-destroy-ocp-instances.sh"
+        scc:
+          instance_id: 1c7d5f78-9262-44c3-b779-b28fe4d88c37
+          region: us-south

.releaserc

@@ -10,6 +10,9 @@
     }],
     ["@semantic-release/exec", {
       "successCmd": "echo \"SEMVER_VERSION=${nextRelease.version}\" >> $GITHUB_ENV"
+    }],
+    ["@semantic-release/exec",{
+      "publishCmd": "./ci/trigger-catalog-onboarding-pipeline.sh --version=v${nextRelease.version}"
     }]
   ]
 }

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2025-02-11T22:49:03Z",
+  "generated_at": "2025-02-11T22:49:04Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"

README.md

@@ -1,24 +1,141 @@
-<!-- Update this title with a descriptive name. Use sentence case. -->
-# IBM Cloud Pak for Data deployment on OpenShift
+# Watsonx (Self-Managed) on Red Hat OpenShift
 
-<!--
-Update status and "latest release" badges:
-  1. For the status options, see https://terraform-ibm-modules.github.io/documentation/#/badge-status
-  2. Update the "latest release" badge to point to the correct module's repo. Replace "terraform-ibm-module-template" in two places.
--->
-[![Incubating (Not yet consumable)](https://img.shields.io/badge/status-Incubating%20(Not%20yet%20consumable)-red)](https://terraform-ibm-modules.github.io/documentation/#/badge-status)
-[![latest release](https://img.shields.io/github/v/release/terraform-ibm-modules/terraform-ibm-cloudpak-data?logo=GitHub&sort=semver)](https://github.com/terraform-ibm-modules/terraform-ibm-cloudpak-data/releases/latest)
+[![Stable (With quality checks)](https://img.shields.io/badge/Status-Stable%20(With%20quality%20checks)-green)](https://terraform-ibm-modules.github.io/documentation/#/badge-status)
+[![latest release](https://img.shields.io/github/v/release/terraform-ibm-modules/terraform-ibm-watsonx-self-managed-ocp?logo=GitHub&sort=semver)](https://github.com/terraform-ibm-modules/terraform-ibm-watsonx-self-managed-ocp/releases/latest)
 [![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://github.com/pre-commit/pre-commit)
 [![Renovate enabled](https://img.shields.io/badge/renovate-enabled-brightgreen.svg)](https://renovatebot.com/)
 [![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/semantic-release/semantic-release)
 
+Deploy Watsonx services on an existing Red Hat OpenShift cluster.
+
+<!--
+If this repo contains any reference architectures, uncomment the heading below and links to them.
+(Usually in the `/reference-architectures` directory.)
+See "Reference architecture" in Authoring Guidelines in the public documentation at
+https://terraform-ibm-modules.github.io/documentation/#/implementation-guidelines?id=reference-architecture
+-->
+<!-- ## Reference architectures -->
+
+<!-- Below content is automatically populated via pre-commit hook -->
+<!-- BEGIN OVERVIEW HOOK -->
+## Overview
+* [terraform-ibm-watsonx-self-managed-ocp](#terraform-ibm-watsonx-self-managed-ocp)
+* [Submodules](./modules)
+* [Examples](./examples)
+    * [Basic example](./examples/basic)
+* [Contributing](#contributing)
+<!-- END OVERVIEW HOOK -->
+
+## terraform-ibm-watsonx-self-managed-ocp
+
+### Usage
+
+```hcl
+module "watsonx_self_managed_ocp" {
+  source                    = "terraform-ibm-modules/watsonx-self-managed-ocp/ibm"
+  version                   = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
+  ibmcloud_api_key          = "xxxxxxxxxxxxxxxxx"   # pragma: allowlist secret
+  resource_group_id         = "xxxxxxxxxxxxxxxxx"
+  region                    = "us-south"
+  prefix                    = "cp4d"
+  cluster_name              = "my-ocp-cluster"
+  cluster_rg_id             = "xxxxxxxxxxxxxxxxx"
+  install_odf_cluster_addon = true
+  watsonx_ai_install        = true
+  watsonx_data_install      = true
+  watson_assistant_install  = true
+  watson_discovery_install  = true
+  cpd_admin_password        = "Passw0rd!"  # pragma: allowlist secret
+  cpd_entitlement_key       = "entitlementKey"
+  # Add other configuration options as needed
+}
+```
+
+### Required IAM access policies
+
+You need the following permissions to run this module.
+
+* Account Management
+  * **All Resource Groups** service
+    * `Viewer` platform access
+* IAM Services
+  * **Kubernetes Service** (OpenShift)
+    * `Administrator` platform access
+    * `Manager` service access
+  * **VPC Infrastructure**
+    * `Administrator` platform access
+    * `Manager` service access
+  * **Container Registry**
+    * `Administrator` platform access
+    * `Manager` service access
+
+For more information on access and permissions, see [IBM Cloud IAM service roles and actions](https://cloud.ibm.com/docs/account?topic=account-iam-service-roles-actions).
+
+<!-- Below content is automatically populated via pre-commit hook -->
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+### Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.9.0 |
+| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >=1.79.1 |
+
+### Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_build_cpd_image"></a> [build\_cpd\_image](#module\_build\_cpd\_image) | ./modules/cpd-image-build | n/a |
+| <a name="module_cloud_pak_deployer"></a> [cloud\_pak\_deployer](#module\_cloud\_pak\_deployer) | ./modules/cloud-pak-deployer | n/a |
+| <a name="module_config"></a> [config](#module\_config) | ./modules/cloud-pak-deployer/config | n/a |
+| <a name="module_watsonx_ai"></a> [watsonx\_ai](#module\_watsonx\_ai) | ./modules/watsonx-ai | n/a |
+| <a name="module_watsonx_data"></a> [watsonx\_data](#module\_watsonx\_data) | ./modules/watsonx-data | n/a |
+
+### Resources
+
+| Name | Type |
+|------|------|
+| [ibm_container_addons.odf_cluster_addon](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/container_addons) | resource |
+| [ibm_container_vpc_cluster.cluster_info](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/container_vpc_cluster) | data source |
+
+### Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_cloud_pak_deployer_image"></a> [cloud\_pak\_deployer\_image](#input\_cloud\_pak\_deployer\_image) | Cloud Pak Deployer image to use. If `null`, the image will be built using Code Engine. | `string` | `null` | no |
+| <a name="input_cloud_pak_deployer_release"></a> [cloud\_pak\_deployer\_release](#input\_cloud\_pak\_deployer\_release) | Release of Cloud Pak Deployer version to use. View releases at: https://github.com/IBM/cloud-pak-deployer/releases. | `string` | `"v3.1.8"` | no |
+| <a name="input_cloud_pak_deployer_secret"></a> [cloud\_pak\_deployer\_secret](#input\_cloud\_pak\_deployer\_secret) | Secret for accessing the Cloud Pak Deployer image. If `null`, a default secret will be created # pragma: allowlist secret. | <pre>object({<br/>    username = string<br/>    password = string<br/>    server   = string<br/>    email    = string<br/>  })</pre> | `null` | no |
+| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of Red Hat OpenShift cluster to install watsonx onto | `string` | n/a | yes |
+| <a name="input_cluster_rg_id"></a> [cluster\_rg\_id](#input\_cluster\_rg\_id) | Resource group id of the cluster | `string` | n/a | yes |
+| <a name="input_code_engine_project_id"></a> [code\_engine\_project\_id](#input\_code\_engine\_project\_id) | If you want to use an existing project, you can pass the code engine project ID and the Cloud Pak Deployer build will be built within the existing project instead of creating a new one. | `string` | `null` | no |
+| <a name="input_code_engine_project_name"></a> [code\_engine\_project\_name](#input\_code\_engine\_project\_name) | If `cloud_pak_deployer_image` is `null`, it will build the image with code engine and store it within a private ICR registry. Provide a name if you want to set the name. If not defined, default will be `{prefix}-cpd-{random-suffix}`. | `string` | `null` | no |
+| <a name="input_cpd_accept_license"></a> [cpd\_accept\_license](#input\_cpd\_accept\_license) | When set to 'true', it is understood that the user has read the terms of the Cloud Pak license(s) and agrees to the terms outlined. | `bool` | `true` | no |
+| <a name="input_cpd_admin_password"></a> [cpd\_admin\_password](#input\_cpd\_admin\_password) | Password for the Cloud Pak for Data admin user. | `string` | n/a | yes |
+| <a name="input_cpd_entitlement_key"></a> [cpd\_entitlement\_key](#input\_cpd\_entitlement\_key) | Cloud Pak for Data entitlement key for access to the IBM Entitled Registry. Can be fetched from https://myibm.ibm.com/products-services/containerlibrary. | `string` | n/a | yes |
+| <a name="input_cpd_version"></a> [cpd\_version](#input\_cpd\_version) | Cloud Pak for Data version to install.  Only version 5.x.x is supported, latest versions can be found [here](https://www.ibm.com/docs/en/cloud-paks/cp-data?topic=versions-cloud-pak-data). | `string` | `"5.0.3"` | no |
+| <a name="input_ibmcloud_api_key"></a> [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key to deploy resources. | `string` | n/a | yes |
+| <a name="input_install_odf_cluster_addon"></a> [install\_odf\_cluster\_addon](#input\_install\_odf\_cluster\_addon) | Install the ODF cluster addon. | `bool` | `true` | no |
+| <a name="input_odf_config"></a> [odf\_config](#input\_odf\_config) | Configuration for the ODF addon. | `map(string)` | <pre>{<br/>  "addSingleReplicaPool": "false",<br/>  "billingType": "essentials",<br/>  "clusterEncryption": "false",<br/>  "disableNoobaaLB": "false",<br/>  "enableNFS": "false",<br/>  "encryptionInTransit": "false",<br/>  "hpcsBaseUrl": "",<br/>  "hpcsEncryption": "false",<br/>  "hpcsInstanceId": "",<br/>  "hpcsSecretName": "",<br/>  "hpcsServiceName": "",<br/>  "hpcsTokenUrl": "",<br/>  "ignoreNoobaa": "true",<br/>  "numOfOsd": "1",<br/>  "ocsUpgrade": "false",<br/>  "odfDeploy": "true",<br/>  "osdDevicePaths": "",<br/>  "osdSize": "512Gi",<br/>  "osdStorageClassName": "ibmc-vpc-block-metro-10iops-tier",<br/>  "prepareForDisasterRecovery": "false",<br/>  "resourceProfile": "balanced",<br/>  "taintNodes": "false",<br/>  "useCephRBDAsDefaultStorageClass": "false",<br/>  "workerNodes": "all",<br/>  "workerPool": ""<br/>}</pre> | no |
+| <a name="input_odf_version"></a> [odf\_version](#input\_odf\_version) | Version of ODF to install. | `string` | `"4.16.0"` | no |
+| <a name="input_prefix"></a> [prefix](#input\_prefix) | A unique identifier for resources that is prepended to resources that are provisioned. Must begin with a lowercase letter and end with a lowercase letter or number. Must be 16 or fewer characters. | `string` | `null` | no |
+| <a name="input_region"></a> [region](#input\_region) | Region where resources will be created. To find your VPC region, use `ibmcloud is regions` command to find available regions. | `string` | n/a | yes |
+| <a name="input_resource_group"></a> [resource\_group](#input\_resource\_group) | Resource group to provision services within. If not defined, a resource group called `{prefix}-cpd` will be created. | `string` | `null` | no |
+| <a name="input_watson_assistant_install"></a> [watson\_assistant\_install](#input\_watson\_assistant\_install) | If watsonx.ai is being installed, also install watson assistant | `bool` | `false` | no |
+| <a name="input_watson_discovery_install"></a> [watson\_discovery\_install](#input\_watson\_discovery\_install) | If watsonx.ai is being installed, also install watson discovery | `bool` | `false` | no |
+| <a name="input_watsonx_ai_install"></a> [watsonx\_ai\_install](#input\_watsonx\_ai\_install) | Determine whether the watsonx.ai cartridge for the deployer will be installed | `bool` | `false` | no |
+| <a name="input_watsonx_ai_models"></a> [watsonx\_ai\_models](#input\_watsonx\_ai\_models) | List of watsonx.ai models to install.  Information on the foundation models including pre-reqs can be found here - https://www.ibm.com/docs/en/cloud-paks/cp-data/5.0.x?topic=install-foundation-models.  Use the ModelID as input | `list(string)` | <pre>[<br/>  "ibm-granite-13b-instruct-v2"<br/>]</pre> | no |
+| <a name="input_watsonx_data_install"></a> [watsonx\_data\_install](#input\_watsonx\_data\_install) | Determine whether the watsonx.data cartridge for the deployer will be installed | `bool` | `false` | no |
 
-This repository contains the following deployment on an Red Hat OpenShift cluster:
-- [IBM Cloud Pak for Data](./solutions/deploy)
+### Outputs
 
-**NB:** These solutions are not intended to be called by one or more other modules since they contain a provider configurations, meaning they are not compatible with the `for_each`, `count`, and `depends_on` arguments. For more information see [Providers Within Modules](https://developer.hashicorp.com/terraform/language/modules/develop/providers)
+| Name | Description |
+|------|-------------|
+| <a name="output_cloud_pak_deployer_image"></a> [cloud\_pak\_deployer\_image](#output\_cloud\_pak\_deployer\_image) | The Cloud Pak Deployer image used. |
+| <a name="output_cloud_pak_deployer_secret"></a> [cloud\_pak\_deployer\_secret](#output\_cloud\_pak\_deployer\_secret) | The secret used for accessing the Cloud Pak Deployer image. |
+| <a name="output_cluster_name"></a> [cluster\_name](#output\_cluster\_name) | The name of the OpenShift cluster. |
+| <a name="output_code_engine_project_name"></a> [code\_engine\_project\_name](#output\_code\_engine\_project\_name) | The name of the code engine project that was created |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
-<!-- Leave this section as is so that your module has a link to local development environment set-up steps for contributors to follow -->
+<!-- Leave this section as is so that your module has a link to local development environment set up steps for contributors to follow -->
 ## Contributing
 
 You can report issues and request features for this module in GitHub issues in the module repo. See [Report an issue or request a feature](https://github.com/terraform-ibm-modules/.github/blob/main/.github/SUPPORT.md).

chart/cloud-pak-deployer/templates/install-job.yaml

@@ -6,7 +6,7 @@ metadata:
   labels:
     App: {{ .Values.deployer.prefix }}
   annotations:
-    # https://github.com/terraform-ibm-modules/terraform-ibm-cloudpak-data/issues/14
+    # https://github.com/terraform-ibm-modules/terraform-ibm-watsonx-self-managed-ocp/issues/14
     checkov.io/skip1: CKV_K8S_10
     checkov.io/skip2: CKV_K8S_11
     checkov.io/skip3: CKV_K8S_12

chart/cloud-pak-deployer/templates/uninstall-job.yaml

@@ -9,7 +9,7 @@ metadata:
     "helm.sh/hook": pre-delete
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
     "helm.sh/hook-weight": "4"
-    # https://github.com/terraform-ibm-modules/terraform-ibm-cloudpak-data/issues/14
+    # https://github.com/terraform-ibm-modules/terraform-ibm-watsonx-self-managed-ocp/issues/14
     checkov.io/skip1: CKV_K8S_21
     checkov.io/skip2: CKV_K8S_30
     checkov.io/skip3: CKV_K8S_28

cra-config.yaml

@@ -13,5 +13,5 @@ CRA_TARGETS: [] # disable CRA since no SCC instance exists in the test account
   #   # SCC_INSTANCE_ID: "" # The SCC instance ID to use to download profile for CRA scan. If not provided, a default global value will be used.
   #   # SCC_REGION: "" # The IBM Cloud region that the SCC instance is in. If not provided, a default global value will be used.
   #   CRA_ENVIRONMENT_VARIABLES: # An optional map of environment variables for CRA, where the key is the variable name and value is the value. Useful for providing TF_VARs.
-  #     TF_VAR_prefix: "roks-cpd"
+  #     TF_VAR_prefix: "ocp-cpd"
   #     TF_VAR_region: "au-syd"

examples/basic/README.md

@@ -0,0 +1,17 @@
+# Basic example
+
+<!--
+The basic example should call the module(s) stored in this repository with a basic configuration.
+Note, there is a pre-commit hook that will take the title of each example and include it in the repos main README.md.
+The text below should describe exactly what resources are provisioned / configured by the example.
+-->
+
+This basic example demonstrates how to deploy IBM Cloud Pak for Data and optional watsonx services on a new Red Hat OpenShift cluster using this module.
+
+It provisions the following resources:
+
+- A new resource group (if not provided)
+- A new VPC, subnet, and public gateway
+- A new Red Hat OpenShift cluster with configurable worker pools
+- IBM Cloud Pak for Data installation
+- Optional watsonx services (watsonx.ai, watsonx.data, Watson Assistant, Watson Discovery)