PLNSRVCE-769: Add minio tenant for tekton results

DEPENDENCIES.md

@@ -28,20 +28,21 @@
 
 ### **Tools**
 
-| **Component**      | **Version**                                          | **Purpose**                                                                 | **Comments** |
-|--------------------|------------------------------------------------------|-----------------------------------------------------------------------------|--------------|
-| oc (OpenShift CLI) | see [dependencies.sh](shared/config/dependencies.sh) | To interact with the cluster                                                | Follows OpenShift version |
-| kubectl            | see [dependencies.sh](shared/config/dependencies.sh) | To interact with the cluster                                                | Follows kubernetes version which follows OpenShift version. We only need either oc or kubectl |
-| tkn                | see [dependencies.sh](shared/config/dependencies.sh) | To interact with tekton                                                     | |
-| tkn pac plugin     | 0.15.0                                               | To set up PaC                                                               | Optional plugin for customers during the cluster setup phase. Follows PaC Version |
-| Argo CD (client)   | see [dependencies.sh](shared/config/dependencies.sh) | To run Argo CD related commands                                             | Follows version of argocd engine used in openshift gitops |
-| checkov            | see [dependencies.sh](shared/config/dependencies.sh) | Validate k8s manifests                                                      | |
-| hadolint           | see [dependencies.sh](shared/config/dependencies.sh) | Validate Dockerfiles                                                        | |
-| shellcheck         | see [dependencies.sh](shared/config/dependencies.sh) | Validate shell scripts | |
-| skopeo             | 1.y.z                                                | Interact with images                                                        | |
-| yamllint           | see [dependencies.sh](shared/config/dependencies.sh) | Validate YAML                                                               | |
-| yq                 | see [dependencies.sh](shared/config/dependencies.sh) | Required for parsing things; used in various scripts throughout the project | Certain features are not supported with versions < 4.18.1. Use Latest version to avoid any issues |
-| docker             | 20.10.z                                              | For local development only                                                  | Only one of docker or podman is required. No requirement to use a particular version; users can install the latest version available at the time |
-| podman             | 4.0.0                                                | For local development only                                                  | Only one of docker or podman is required. No requirement to use a particular version; users can install the latest version available at the time |
-| openssl            | 3.0.2                                                | To manipulate certificate information during cluster regsitration           | |
-| bitwarden          | see [dependencies.sh](shared/config/dependencies.sh) | To store credentials outside the gitops repository                          | |
+| **Component**      | **Version**                                          | **Purpose**                                                                 | **Comments**                                                                                                                                                             |
+|--------------------|------------------------------------------------------|-----------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| oc (OpenShift CLI) | see [dependencies.sh](shared/config/dependencies.sh) | To interact with the cluster                                                | Follows OpenShift version                                                                                                                                                |
+| kubectl            | see [dependencies.sh](shared/config/dependencies.sh) | To interact with the cluster                                                | Follows kubernetes version which follows OpenShift version. We only need either oc or kubectl                                                                            |
+| tkn                | see [dependencies.sh](shared/config/dependencies.sh) | To interact with tekton                                                     |                                                                                                                                                                          |
+| tkn pac plugin     | 0.15.0                                               | To set up PaC                                                               | Optional plugin for customers during the cluster setup phase. Follows PaC Version                                                                                        |
+| Argo CD (client)   | see [dependencies.sh](shared/config/dependencies.sh) | To run Argo CD related commands                                             | Follows version of argocd engine used in openshift gitops                                                                                                                |
+| checkov            | see [dependencies.sh](shared/config/dependencies.sh) | Validate k8s manifests                                                      |                                                                                                                                                                          |
+| hadolint           | see [dependencies.sh](shared/config/dependencies.sh) | Validate Dockerfiles                                                        |                                                                                                                                                                          |
+| shellcheck         | see [dependencies.sh](shared/config/dependencies.sh) | Validate shell scripts                                                      |                                                                                                                                                                          |
+| skopeo             | 1.y.z                                                | Interact with images                                                        |                                                                                                                                                                          |
+| yamllint           | see [dependencies.sh](shared/config/dependencies.sh) | Validate YAML                                                               |                                                                                                                                                                          |
+| yq                 | see [dependencies.sh](shared/config/dependencies.sh) | Required for parsing things; used in various scripts throughout the project | Certain features are not supported with versions < 4.18.1. Use Latest version to avoid any issues                                                                        |
+| docker             | 20.10.z                                              | For local development only                                                  | Only one of docker or podman is required. No requirement to use a particular version; users can install the latest version available at the time                         |
+| podman             | 4.0.0                                                | For local development only                                                  | Only one of docker or podman is required. No requirement to use a particular version; users can install the latest version available at the time                         |
+| openssl            | 3.0.2                                                | To manipulate certificate information during cluster registration           |                                                                                                                                                                          |
+| bitwarden          | see [dependencies.sh](shared/config/dependencies.sh) | To store credentials outside the gitops repository                          |                                                                                                                                                                          |
+| minio              | 4.5.x                                                | S3 compatible storage for tekton-results api server                         | Inconsistency in the operator catalogs available on HyperShift currently lead to variance of the version of minio seen in CI.  Have see 4.5.3 and 4.5.1 in CI test runs. |

developer/config.yaml

@@ -19,3 +19,8 @@ apps:
 tekton_results_db:
   user:
   password:
+
+# Minio S3 compatible storage credentials for tekton results
+tekton_results_log:
+  user:
+  password:

developer/openshift/README.md

@@ -52,5 +52,5 @@ Considerations for testing a new component:-
 
 One can reset its environement and all the resources deployed by dev scripts :-
 ```bash
-developer/reset.sh --work-dir /path/to/my_dir
+developer/openshift/reset.sh --work-dir /path/to/my_dir
 ```

developer/openshift/dev_setup.sh

@@ -188,6 +188,11 @@ install_pipeline_service() {
   export TEKTON_RESULTS_DATABASE_USER
   export TEKTON_RESULTS_DATABASE_PASSWORD
 
+  TEKTON_RESULTS_MINIO_USER="$(yq '.tekton_results_log.user' "$CONFIG")"
+  TEKTON_RESULTS_MINIO_PASSWORD="$(yq '.tekton_results_log.password' "$CONFIG")"
+  export TEKTON_RESULTS_MINIO_USER
+  export TEKTON_RESULTS_MINIO_PASSWORD
+
   echo "- Setup working directory:"
   "$PROJECT_DIR/operator/images/access-setup/content/bin/setup_work_dir.sh" \
     ${DEBUG:+"$DEBUG"} \

developer/openshift/operators/minio/kustomization.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - minio.yaml

developer/openshift/operators/minio/minio.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: minio-operator
+  namespace: openshift-operators
+spec:
+  channel: stable
+  installPlanApproval: Automatic
+  name: minio-operator
+  source: certified-operators
+  sourceNamespace: openshift-marketplace

developer/openshift/operators/minio/tenant/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - tenant.yaml
+  - tenant-permissions.yaml

developer/openshift/operators/minio/tenant/tenant-permissions.yaml

@@ -0,0 +1,35 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: minio
+  namespace: tekton-results
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: minio
+  namespace: tekton-results
+rules:
+  - apiGroups:
+      - security.openshift.io
+    resourceNames:
+      - nonroot
+    resources:
+      - securitycontextconstraints
+    verbs:
+      - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: minio
+  namespace: tekton-results
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: minio
+subjects:
+  - kind: ServiceAccount
+    name: minio
+    namespace: tekton-results

developer/openshift/operators/minio/tenant/tenant.yaml

@@ -0,0 +1,71 @@
+---
+apiVersion: minio.min.io/v2
+kind: Tenant
+metadata:
+  name: storage
+  namespace: tekton-results
+  labels:
+    app: minio
+  annotations:
+    prometheus.io/path: /minio/v2/metrics/cluster
+    prometheus.io/port: "9000"
+    prometheus.io/scrape: "true"
+spec:
+  exposeServices:
+    console: true
+    minio: true
+  features:
+    bucketDNS: false
+    domains: {}
+  # This desired part doesn't work. Issues:
+  # https://github.com/minio/operator/issues/1345
+  # https://github.com/minio/operator/issues/1346
+  # users:
+  #   - name: storage-user
+  # buckets:
+  #   - name: "tekton-results"
+  #     region: "us-east-1"
+  #     objectLock: true
+  certConfig: {}
+  podManagementPolicy: Parallel
+  configuration:
+    name: minio-storage-configuration
+  env: []
+  serviceMetadata:
+    minioServiceLabels: {}
+    minioServiceAnnotations: {}
+    consoleServiceLabels: {}
+    consoleServiceAnnotations: {}
+  priorityClassName: ""
+  externalCaCertSecret: []
+  externalCertSecret: []
+  externalClientCertSecrets: []
+  image: quay.io/minio/minio:RELEASE.2022-09-17T00-09-45Z
+  imagePullSecret: {}
+  mountPath: /export
+  subPath: ""
+  serviceAccountName: "minio"
+  pools:
+    - servers: 1
+      name: pool-0
+      volumesPerServer: 2
+      nodeSelector: {}
+      tolerations: []
+      affinity:
+        nodeAffinity: {}
+        podAffinity: {}
+        podAntiAffinity: {}
+      resources: {}
+      volumeClaimTemplate:
+        apiVersion: v1
+        kind: persistentvolumeclaims
+        metadata: {}
+        spec:
+          accessModes:
+            - ReadWriteOnce
+          resources:
+            requests:
+              storage: 1Gi
+        status: {}
+      securityContext: {}
+  requestAutoCert: true

operator/docs/sre/examples/providers/credentials/secrets/aws-secret-manager.yaml

@@ -8,3 +8,6 @@ credentials:
   # tekton results secrets
   - id: 1234abcd-abcd-1234-abcd-1234abcd1234
     path: credentials/manifests/compute/tekton-results/tekton-results-secret.yaml
+  # minio S3 storage secret
+  - id: 1234abcd-abcd-1234-abcd-1234abcd1234
+    path: credentials/manifests/compute/tekton-results/tekton-results-minio-secret.yaml

operator/docs/sre/examples/single_cluster/credentials/manifests/compute/tekton-results/tekton-results-minio-secret.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: minio-storage-configuration
+  namespace: tekton-results
+type: Opaque
+stringData:
+  config.env: |-
+    export MINIO_ROOT_USER=user
+    export MINIO_ROOT_PASSWORD=password
+    export MINIO_STORAGE_CLASS_STANDARD="EC:2"
+    export MINIO_BROWSER="on"

operator/gitops/argocd/pipeline-service/kustomization.yaml

@@ -6,7 +6,7 @@ resources:
   - openshift-pipelines
   - pipelines-as-code
   - tekton-chains
-  - tekton-results
+  - tekton-results/base
 
   # Skip applying the Tekton operands while the Tekton operator is being installed.
   # See more information about this option, here:

operator/gitops/argocd/pipeline-service/tekton-results/base/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: tekton-results

operator/gitops/compute/pipeline-service-manager/role.yaml

@@ -22,6 +22,9 @@ rules:
       - secrets
       - serviceaccounts
       - services
+      - pods
+      - pods/log
+      - events
     verbs:
       - "*"
   - apiGroups:
@@ -91,6 +94,30 @@ rules:
       - tasks
     verbs:
       - "*"
+  - apiGroups:
+      - operators.coreos.com
+    resources:
+      - subscriptions
+    verbs:
+      - "get"
+      - "create"
+      - "update"
+  - apiGroups:
+      - minio.min.io
+    resources:
+      - tenants
+    verbs:
+      - "get"
+      - "create"
+      - "update"
+  - apiGroups:
+      - security.openshift.io
+    resourceNames:
+      - nonroot
+    resources:
+      - securitycontextconstraints
+    verbs:
+      - use
   - apiGroups:
       - pipelinesascode.tekton.dev
     resources:

operator/gitops/sre/credentials/secrets/README.md

@@ -12,7 +12,7 @@ credentials:
     path:
 ```
 
-### Bitwarden Example  
+### Bitwarden Example
 
 Create a new file named `bitwarden.yaml` under secrets directory and provide a list of id & path values for each secret.
 ```

operator/images/access-setup/content/bin/setup_work_dir.sh

@@ -98,6 +98,11 @@ init() {
   TEKTON_RESULTS_DATABASE_USER=${TEKTON_RESULTS_DATABASE_USER:="tekton"}
   TEKTON_RESULTS_DATABASE_PASSWORD=${TEKTON_RESULTS_DATABASE_PASSWORD:=$(openssl rand -base64 20)}
 
+  TEKTON_RESULTS_MINIO_USER=${TEKTON_RESULTS_MINIO_USER:="minio"}
+  export TEKTON_RESULTS_MINIO_USER
+  TEKTON_RESULTS_MINIO_PASSWORD=${TEKTON_RESULTS_MINIO_PASSWORD:=$(openssl rand -base64 20)}
+  export TEKTON_RESULTS_MINIO_PASSWORD
+
   detect_container_engine
 }
 
@@ -174,6 +179,7 @@ tekton_results_manifest(){
   results_kustomize="$manifests_dir/compute/tekton-results/kustomization.yaml"
   results_namespace="$manifests_dir/compute/tekton-results/namespace.yaml"
   results_secret="$manifests_dir/compute/tekton-results/tekton-results-secret.yaml"
+  results_minio_secret="$manifests_dir/compute/tekton-results/tekton-results-minio-secret.yaml"
   if [ ! -e "$results_kustomize" ]; then
     results_dir="$(dirname "$results_kustomize")"
     mkdir -p "$results_dir"
@@ -184,10 +190,31 @@ tekton_results_manifest(){
       exit 1
     fi
 
+    if [[ -z $TEKTON_RESULTS_MINIO_USER || -z $TEKTON_RESULTS_MINIO_PASSWORD ]]; then
+      printf "[ERROR] Tekton results log variable is not set, either set the variables using \n \
+      the config.yaml under tekton_results_log \n \
+      Or create '%s' \n" "$results_secret" >&2
+      exit 1
+    fi
+
     kubectl create namespace tekton-results --dry-run=client -o yaml > "$results_namespace"
     kubectl create secret generic -n tekton-results tekton-results-database --from-literal=DATABASE_USER="$TEKTON_RESULTS_DATABASE_USER" --from-literal=DATABASE_PASSWORD="$TEKTON_RESULTS_DATABASE_PASSWORD" --dry-run=client -o yaml > "$results_secret"
 
-    yq e -n '.resources += ["namespace.yaml", "tekton-results-secret.yaml"]' > "$results_kustomize"
+    echo "---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: minio-storage-configuration
+      namespace: tekton-results
+    type: Opaque
+    stringData:
+      config.env: |-
+        export MINIO_ROOT_USER=\"$TEKTON_RESULTS_MINIO_USER\"
+        export MINIO_ROOT_PASSWORD=\"$TEKTON_RESULTS_MINIO_PASSWORD\"
+        export MINIO_STORAGE_CLASS_STANDARD=\"EC:2\"
+        export MINIO_BROWSER=\"on\"" >> "$results_minio_secret"
+
+    yq e -n '.resources += ["namespace.yaml", "tekton-results-secret.yaml", "tekton-results-minio-secret.yaml"]' > "$results_kustomize"
     if [ "$(yq ".data" < "$results_secret" | grep -cE "DATABASE_USER|DATABASE_PASSWORD")" != "2" ]; then
       printf "[ERROR] Invalid manifest: '%s'" "$results_secret" >&2
       exit 1

operator/images/cluster-setup/content/bin/install.sh

@@ -23,6 +23,11 @@ SCRIPT_DIR="$(
   pwd
 )"
 
+ROOT_DIR=$(
+  cd "$SCRIPT_DIR/../../../../.." >/dev/null
+  pwd
+)
+
 # shellcheck source=operator/images/cluster-setup/content/bin/utils.sh
 source "$SCRIPT_DIR/utils.sh"
 
@@ -123,6 +128,9 @@ install_clusters() {
 
     printf -- "- Installing shared manifests... \n"
     install_shared_manifests | indent 4
+
+    install_minio
+
     printf -- "- Installing applications via Openshift GitOps... \n"
     install_applications | indent 4
 
@@ -146,6 +154,29 @@ install_shared_manifests() {
   kubectl apply -k "$CREDENTIALS_DIR/manifests/compute/tekton-results"
 }
 
+install_minio() {
+  local APP="minio"
+  DEV_DIR="$ROOT_DIR/developer/openshift"
+
+  #############################################################################
+  # Install the minio operator
+  #############################################################################
+  echo -n "- Minio: "
+  kubectl apply -k "$DEV_DIR/operators/$APP" >/dev/null
+  echo "OK"
+
+  check_deployments "openshift-operators" "minio-operator" | indent 2
+
+  echo -n "- Display Minio Subscription information for potential debug: "
+  kubectl -n openshift-operators get subscriptions minio-operator -o yaml
+
+  echo -n "- Minio tenant: "
+  kubectl apply -k "$DEV_DIR/operators/$APP/tenant" >/dev/null
+  echo "OK"
+
+  check_pod_by_label "tekton-results" "app=minio" | indent 2
+}
+
 install_applications() {
   CONFIG_DIR=$(find "${WORKSPACE_DIR}/environment/compute" -type d -name "${clusters[$i]}")
   kubectl apply -k "$CONFIG_DIR"