[PDP-3496] update recipe (#30)

* [PDP-3496] udpate recipe

* Add NFS server
* adjust storage
* harden the provisioner chart to support restricted profile

* Add more space per lint

* bump the version for lint

* change default to false

Author: syan-tibco

charts/platform-provisioner-ui/Chart.yaml

@@ -6,7 +6,7 @@
 
 apiVersion: v2
 name: platform-provisioner-ui
-version: "1.0.3"
+version: "1.0.8"
 appVersion: "2.0.0"
 description: A Helm chart for platform-provisioner-ui
 type: application

charts/platform-provisioner-ui/templates/deployment.yaml

@@ -70,6 +70,8 @@ spec:
               value: "{{ .Values.guiConfig.tektonAPIVersion }}"
             - name: PIPELINES_CLEAN_UP_ENABLED
               value: "{{ .Values.guiConfig.pipelinesCleanUpEnabled }}"
+            - name: PLATFORM_PROVISIONER_UI_SERVICE_PORT
+              value: "{{ .Values.service.port }}"
           ports:
             - name: http
               containerPort: {{ .Values.service.port }}

charts/platform-provisioner-ui/values.yaml

@@ -11,8 +11,8 @@
 replicaCount: 1
 
 image:
-  repository: ghcr.io/stratosphere/cic2-web-server
-  pullPolicy: IfNotPresent
+  repository: ghcr.io/tibcosoftware/platform-provisioner/platform-provisioner-ui
+  pullPolicy: Always
   # Overrides the image tag whose default is the chart appVersion.
   tag: ""
 
@@ -40,20 +40,33 @@ serviceAccount:
 podAnnotations: {}
 podLabels: {}
 
-podSecurityContext: {}
-  # fsGroup: 2000
-
-securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
-
+# follow Restricted: https://kubernetes.io/docs/concepts/security/pod-security-standards/
+podSecurityContext:
+  seccompProfile:
+    type: RuntimeDefault  # RuntimeDefault or Localhost (must for Restricted)
+  runAsNonRoot: true  # Prevents processes from running as root (both) Container must run as a non-root user (must for Restricted)
+  runAsUser: 1000  # Explicitly set the user ID for running processes (both) (must for restrict, non-zero or undefined/null)
+  # runAsGroup: 3000  # Set the group ID for running processes (both)
+  # fsGroup: 2000  # Specify the group ID for mounted volumes (pod security context only)
+  # fsGroupChangePolicy: OnRootMismatch # Set the policy for the change of fsGroup in the volume (pod security context only)
+  # supplementalGroups: [1000,3000]  # Specify the group IDs for running processes (pod security context only)
+  # sysctls: {} # Kernel settings to apply (pod security context only)
+  # seLinuxOptions: {} # SELinux options to apply (both)
+  # windowsOptions: {} # Windows options to apply (both)
+
+securityContext:
+  readOnlyRootFilesystem: true  # Prevents the container from writing to the root filesystem (container security context only)
+  allowPrivilegeEscalation: false  # Prevents privilege escalation (container security context only) (must for Restricted)
+  capabilities:  # Add or drop capabilities (container security context only)
+    drop: ["ALL"]  # Drop all capabilities (must for Restricted)
+    # add: ["NET_BIND_SERVICE"] # Add the NET_BIND_SERVICE capability to the container (only for lower 1024 ports) (allow for Restricted)
+  # privileged: false # Prevents privilege escalation (container security context only) (for Baseline)
+  # procMount: Default # Set the mount propagation mode for the container (container security context only)
+
+# must be over 1024
 service:
   type: ClusterIP
-  port: 80
+  port: 8080
 
 ingress:
   enabled: false

charts/provisioner-config-local/Chart.yaml

@@ -8,7 +8,7 @@ apiVersion: v2
 name: provisioner-config-local
 description: Platform Provisioner local config
 type: application
-version: "1.0.62"
+version: "1.0.68"
 appVersion: "2.0.0"
 home: https://github.com/TIBCOSoftware/tp-helm-charts
 maintainers:

charts/provisioner-config-local/config/pp-deploy-cp-core-on-prem.yaml

@@ -35,10 +35,12 @@ groups:
   index: 7
   description: |
     Cluster storage specific configurations. For the on-perm setup we have
-    * docker desktop: `hostpath`
-    * minikube: `standard`
-    * kind: `standard`
-    * microk8s: `microk8s-hostpath`
+    * Docker Desktop: `hostpath` (support ReadWriteMany)
+    * minikube: `standard` (support ReadWriteMany)
+    * kind: `standard` (Don't support ReadWriteMany)
+    * MicroK8s: `microk8s-hostpath` (support ReadWriteMany)
+    * OpenShift: `crc-csi-hostpath-provisioner` (Don't support ReadWriteMany)
+    * NFS server provisioner: `nfs` (support ReadWriteMany)
 - title: "CP Database"
   index: 8
   description: |
@@ -165,6 +167,12 @@ options:
   guiType: input
   reference: "meta.guiEnv.GUI_CP_ADMIN_EMAIL"
   description: "The CP admin email. You will get the email in MailDev to reset the password"
+- name: "CP from and replyTo email"
+  groupIndex: 5
+  type: string
+  guiType: input
+  reference: "meta.guiEnv.GUI_CP_FROM_REPLY_TO_EMAIL"
+  description: "The CP from and replyTo email. You will get the email from this email id"
 - name: "CP enable log"
   groupIndex: 5
   type: boolean

charts/provisioner-config-local/config/pp-deploy-tp-base-on-prem-cert.yaml

@@ -18,10 +18,12 @@ groups:
   index: 7
   description: |
     Cluster storage specific configurations. For the on-perm setup we have
-    * docker desktop: `hostpath`
-    * minikube: `standard`
-    * kind: `standard`
-    * microk8s: `microk8s-hostpath`
+    * Docker Desktop: `hostpath` (support ReadWriteMany)
+    * minikube: `standard` (support ReadWriteMany)
+    * kind: `standard` (Don't support ReadWriteMany)
+    * MicroK8s: `microk8s-hostpath` (support ReadWriteMany)
+    * OpenShift: `crc-csi-hostpath-provisioner` (Don't support ReadWriteMany)
+    * NFS server provisioner: `nfs` (support ReadWriteMany)
 - title: "Cluster tools"
   index: 8
   description: |
@@ -95,7 +97,28 @@ options:
   required: true
   reference: "meta.guiEnv.GUI_TP_STORAGE_CLASS"
   description: |
-    docker desktop: "hostpath", minikube and kind: "standard", microk8s: "microk8s-hostpath"
+    The storage class for the TP Cluster.
+- name: "Storage class name for NFS server provisioner"
+  groupIndex: 7
+  type: string
+  guiType: input
+  reference: "meta.guiEnv.GUI_TP_STORAGE_CLASS_FOR_NFS_SERVER_PROVISIONER"
+  description: |
+    The storage class name that NFS server provisioner will use. Empty means use the default storage class.
+- name: "NFS server provisioner storage class name"
+  groupIndex: 7
+  type: string
+  guiType: input
+  reference: "meta.guiEnv.GUI_TP_NFS_SERVER_PROVISIONER_STORAGE_CLASS_NAME"
+  description: |
+    The storage class name that NFS server provisioner will create for the TP Cluster.
+- name: "NFS server provisioner size"
+  groupIndex: 7
+  type: string
+  guiType: input
+  reference: "meta.guiEnv.GUI_TP_NFS_SERVER_PROVISIONER_SIZE"
+  description: |
+    The size of the NFS server provisioner storage.
 
 # groupIndex: 8 Cluster tools
 - name: "Install cert-manager"
@@ -112,6 +135,13 @@ options:
   reference: "meta.guiEnv.GUI_TP_INSTALL_METRICS_SERVER"
   description: |
     Install metrics-server for TP Cluster
+- name: "Install nfs-server-provisioner"
+  groupIndex: 8
+  type: boolean
+  guiType: checkbox
+  reference: "meta.guiEnv.GUI_TP_INSTALL_NFS_SERVER_PROVISIONER"
+  description: |
+    Install NFS server provisioner for TP Cluster
 - name: "Install Postgres"
   groupIndex: 8
   type: boolean

charts/provisioner-config-local/config/pp-deploy-tp-base-on-prem.yaml

@@ -18,10 +18,12 @@ groups:
   index: 7
   description: |
     Cluster storage specific configurations. For the on-perm setup we have
-    * docker desktop: `hostpath`
-    * minikube: `standard`
-    * kind: `standard`
-    * microk8s: `microk8s-hostpath`
+    * Docker Desktop: `hostpath` (support ReadWriteMany)
+    * minikube: `standard` (support ReadWriteMany)
+    * kind: `standard` (Don't support ReadWriteMany)
+    * MicroK8s: `microk8s-hostpath` (support ReadWriteMany)
+    * OpenShift: `crc-csi-hostpath-provisioner` (Don't support ReadWriteMany)
+    * NFS server provisioner: `nfs` (support ReadWriteMany)
 - title: "Cluster tools"
   index: 8
   description: |
@@ -79,7 +81,28 @@ options:
   required: true
   reference: "meta.guiEnv.GUI_TP_STORAGE_CLASS"
   description: |
-    docker desktop: "hostpath", minikube and kind: "standard", microk8s: "microk8s-hostpath"
+    The storage class for the TP Cluster.
+- name: "Storage class name for NFS server provisioner"
+  groupIndex: 7
+  type: string
+  guiType: input
+  reference: "meta.guiEnv.GUI_TP_STORAGE_CLASS_FOR_NFS_SERVER_PROVISIONER"
+  description: |
+    The storage class name that NFS server provisioner will use. Empty means use the default storage class.
+- name: "NFS server provisioner storage class name"
+  groupIndex: 7
+  type: string
+  guiType: input
+  reference: "meta.guiEnv.GUI_TP_NFS_SERVER_PROVISIONER_STORAGE_CLASS_NAME"
+  description: |
+    The storage class name that NFS server provisioner will create for the TP Cluster.
+- name: "NFS server provisioner size"
+  groupIndex: 7
+  type: string
+  guiType: input
+  reference: "meta.guiEnv.GUI_TP_NFS_SERVER_PROVISIONER_SIZE"
+  description: |
+    The size of the NFS server provisioner storage.
 
 # groupIndex: 8 Cluster tools
 - name: "Install cert-manager"
@@ -96,6 +119,13 @@ options:
   reference: "meta.guiEnv.GUI_TP_INSTALL_METRICS_SERVER"
   description: |
     Install metrics-server for TP Cluster
+- name: "Install nfs-server-provisioner"
+  groupIndex: 8
+  type: boolean
+  guiType: checkbox
+  reference: "meta.guiEnv.GUI_TP_INSTALL_NFS_SERVER_PROVISIONER"
+  description: |
+    Install NFS server provisioner for TP Cluster
 - name: "Install Postgres"
   groupIndex: 8
   type: boolean

charts/provisioner-config-local/recipes/pp-deploy-cp-core-on-prem.yaml

@@ -117,6 +117,7 @@ meta:
     CP_PROVIDER: ${GUI_CP_PROVIDER:-local} # deployment target. Example: aws, azure, local.
     CP_NAMESPACE: ${GUI_CP_NAMESPACE:-"${CP_INSTANCE_ID}-ns"}
     CP_ADMIN_EMAIL: ${GUI_CP_ADMIN_EMAIL:-"[email protected]"}
+    CP_FROM_REPLY_TO_EMAIL: ${GUI_CP_FROM_REPLY_TO_EMAIL:-""}
     CP_LOG_ENABLE: ${GUI_CP_LOG_ENABLE:-false}
     CP_EXTERNAL_ENVIRONMENT: ${GUI_CP_EXTERNAL_ENVIRONMENT:-"production"}
     CP_RESOURCES_REQUEST_CPU: ${GUI_CP_RESOURCES_REQUEST_CPU:-"50m"} # 37 pods * 50m = 1850m
@@ -755,6 +756,7 @@ helmCharts:
               port: "${CP_MAIL_SERVER_PORT_NUMBER}"
               username: "${CP_MAIL_SERVER_USERNAME}"
               password: "${CP_MAIL_SERVER_PASSWORD}"
+          fromAndReplyToEmailAddress: "${CP_FROM_REPLY_TO_EMAIL}"
           admin:
             email: ${CP_ADMIN_EMAIL}
             firstname: "admin"
@@ -975,6 +977,14 @@ helmCharts:
               limits:
                 cpu: "80m"
                 memory: "200Mi"
+          monitoringcapresources:
+            resources:
+              requests:
+                cpu: ${CP_RESOURCES_REQUEST_CPU}
+                memory: ${CP_RESOURCES_REQUEST_MEMORY}
+              limits:
+                cpu: "80m"
+                memory: "200Mi"
           monitoringhomepagemetrics:
             resources:
               requests:

charts/provisioner-config-local/recipes/tp-base-on-prem-https.yaml

@@ -21,8 +21,12 @@ meta:
     GUI_TP_INSTALL_NGINX_INGRESS: true
     GUI_TP_INGRESS_SERVICE_TYPE: LoadBalancer
     GUI_TP_STORAGE_CLASS: ""
+    GUI_TP_STORAGE_CLASS_FOR_NFS_SERVER_PROVISIONER: ""
+    GUI_TP_NFS_SERVER_PROVISIONER_SIZE: 50Gi
+    GUI_TP_NFS_SERVER_PROVISIONER_STORAGE_CLASS_NAME: nfs
     GUI_TP_PROVISIONER_UI_INGRESS_CLASSNAME: nginx
     GUI_TP_PROVISIONER_UI_NAMESPACE: tekton-tasks
+    GUI_TP_INSTALL_NFS_SERVER_PROVISIONER: false
     GUI_TP_INSTALL_POSTGRES: true
     GUI_TP_INSTALL_PROVISIONER_UI: true
     GUI_TP_INSTALL_CERT_MANAGER: true
@@ -45,6 +49,10 @@ meta:
     TP_TLS_KEY: ${GUI_TP_TLS_KEY}
     # storage
     TP_STORAGE_CLASS: ${GUI_TP_STORAGE_CLASS:-"standard"} # hostpath for docker desktop, standard for minikube and kind, microk8s-hostpath for microk8s
+    TP_STORAGE_CLASS_FOR_NFS_SERVER_PROVISIONER: ${GUI_TP_STORAGE_CLASS_FOR_NFS_SERVER_PROVISIONER:-""}
+    TP_INSTALL_NFS_SERVER_PROVISIONER: ${GUI_TP_INSTALL_NFS_SERVER_PROVISIONER:-"false"}
+    TP_NFS_SERVER_PROVISIONER_SIZE: ${GUI_TP_NFS_SERVER_PROVISIONER_SIZE:-"50Gi"}
+    TP_NFS_SERVER_PROVISIONER_STORAGE_CLASS_NAME: ${GUI_TP_NFS_SERVER_PROVISIONER_STORAGE_CLASS_NAME:-"nfs"}
     # third party
     TP_EXT_NAMESPACE: tibco-ext
     TP_INSTALL_PROVISIONER_UI: ${GUI_TP_INSTALL_PROVISIONER_UI:-"true"}
@@ -218,6 +226,29 @@ helmCharts:
           tls.crt: ${TP_TLS_CERT}
           tls.key: ${TP_TLS_KEY}
         EOF
+- name: nfs-server-provisioner
+  version: 1.8.0 # release: https://github.com/kubernetes-sigs/nfs-ganesha-server-and-external-provisioner/releases
+  namespace: kube-system
+  releaseName: nfs-server-provisioner
+  condition: ${TP_INSTALL_NFS_SERVER_PROVISIONER}
+  repo:
+    helm:
+      url: https://kubernetes-sigs.github.io/nfs-ganesha-server-and-external-provisioner
+  cluster:
+    names:
+      - ${TP_CLUSTER_NAME}
+  values:
+    keepPrevious: true
+    content: |
+      persistence:
+        enabled: true
+        storageClass: "${TP_STORAGE_CLASS_FOR_NFS_SERVER_PROVISIONER}"
+        size: "${TP_NFS_SERVER_PROVISIONER_SIZE}"
+      storageClass:
+        name: "${TP_NFS_SERVER_PROVISIONER_STORAGE_CLASS_NAME}"
+  flags:
+    createNamespace: true
+    timeout: 1h
 - name: postgresql
   version: 15.5.38 # 15.5.38 use postgresql 16.4.0, 11.9.13 use postgresql 14.5.0 release: https://artifacthub.io/packages/helm/bitnami/postgresql
   namespace: ${TP_EXT_NAMESPACE}

charts/provisioner-config-local/recipes/tp-base-on-prem.yaml

@@ -19,8 +19,12 @@ meta:
     GUI_TP_INSTALL_NGINX_INGRESS: true
     GUI_TP_INGRESS_SERVICE_TYPE: LoadBalancer
     GUI_TP_STORAGE_CLASS: ""
+    GUI_TP_STORAGE_CLASS_FOR_NFS_SERVER_PROVISIONER: ""
+    GUI_TP_NFS_SERVER_PROVISIONER_SIZE: 50Gi
+    GUI_TP_NFS_SERVER_PROVISIONER_STORAGE_CLASS_NAME: nfs
     GUI_TP_PROVISIONER_UI_INGRESS_CLASSNAME: nginx
     GUI_TP_PROVISIONER_UI_NAMESPACE: tekton-tasks
+    GUI_TP_INSTALL_NFS_SERVER_PROVISIONER: false
     GUI_TP_INSTALL_POSTGRES: true
     GUI_TP_INSTALL_PROVISIONER_UI: true
     GUI_TP_INSTALL_CERT_MANAGER: true
@@ -41,6 +45,10 @@ meta:
     TP_INGRESS_USE_HOSTPORT: false # true for kind
     # storage
     TP_STORAGE_CLASS: ${GUI_TP_STORAGE_CLASS:-"standard"} # hostpath for docker desktop, standard for minikube and kind, microk8s-hostpath for microk8s
+    TP_STORAGE_CLASS_FOR_NFS_SERVER_PROVISIONER: ${GUI_TP_STORAGE_CLASS_FOR_NFS_SERVER_PROVISIONER:-""}
+    TP_INSTALL_NFS_SERVER_PROVISIONER: ${GUI_TP_INSTALL_NFS_SERVER_PROVISIONER:-"false"}
+    TP_NFS_SERVER_PROVISIONER_SIZE: ${GUI_TP_NFS_SERVER_PROVISIONER_SIZE:-"50Gi"}
+    TP_NFS_SERVER_PROVISIONER_STORAGE_CLASS_NAME: ${GUI_TP_NFS_SERVER_PROVISIONER_STORAGE_CLASS_NAME:-"nfs"}
     # third party
     TP_EXT_NAMESPACE: tibco-ext
     TP_INSTALL_PROVISIONER_UI: ${GUI_TP_INSTALL_PROVISIONER_UI:-"true"}
@@ -141,7 +149,6 @@ helmCharts:
     helm:
       url: https://traefik.github.io/charts
   values:
-    keepPrevious: true
     content: |
       service:  # for external-dns
         type: ${TP_INGRESS_SERVICE_TYPE}
@@ -155,6 +162,29 @@ helmCharts:
     wait: true
     timeout: 1h
     createNamespace: true
+- name: nfs-server-provisioner
+  version: 1.8.0 # release: https://github.com/kubernetes-sigs/nfs-ganesha-server-and-external-provisioner/releases
+  namespace: kube-system
+  releaseName: nfs-server-provisioner
+  condition: ${TP_INSTALL_NFS_SERVER_PROVISIONER}
+  repo:
+    helm:
+      url: https://kubernetes-sigs.github.io/nfs-ganesha-server-and-external-provisioner
+  cluster:
+    names:
+      - ${TP_CLUSTER_NAME}
+  values:
+    keepPrevious: true
+    content: |
+      persistence:
+        enabled: true
+        storageClass: "${TP_STORAGE_CLASS_FOR_NFS_SERVER_PROVISIONER}"
+        size: "${TP_NFS_SERVER_PROVISIONER_SIZE}"
+      storageClass:
+        name: "${TP_NFS_SERVER_PROVISIONER_STORAGE_CLASS_NAME}"
+  flags:
+    createNamespace: true
+    timeout: 1h
 - name: postgresql
   version: 15.5.38 # 15.5.38 use postgresql 16.4.0, 11.9.13 use postgresql 14.5.0 release: https://artifacthub.io/packages/helm/bitnami/postgresql
   namespace: ${TP_EXT_NAMESPACE}