From 98aa0d5f2bba7ae8a6e791c850856a79c0ca3d67 Mon Sep 17 00:00:00 2001 From: Robert Church Date: Thu, 16 Aug 2018 14:57:27 -0400 Subject: [PATCH] Enable helm repository and chart upload tool There's a lot going on here but conceptually we're just enabling a local helm repo along with a helper script to install helm charts into the repo. The first item is to configure lighttpd to serve up helm charts as static information (so no proxying) at http://127.0.0.1/helm_charts. This is fairly straightforward, but the files are served out of /www which isn't a replicated filesystem and which is owned by the www user. The helm puppet manifest is modified to create the "helm_charts" directory for the webserver, to generate the initial index file, and to tell helm to add the new repo for the "wrsroot" user. The various commands are run as specific users with specific environment variables; this is key to making everything work as planned. To allow the wrsroot user to upload charts into /www the helm-upload script will re-run itself as the www user. /etc/sudoers.d is modified to allow this without asking for a password. The upload script will copy the specified charts into /www/pages/helm_charts, and will then regenerate the index.yaml file. The upload script will then try to sync the files over to the other node. To enable this without prompting for a password we modify /etc/rsyncd.conf to allow passwordless syncing into /www/helm_charts. In a future commit we'll need to sync charts with the other controller when booting up, and also configure the local starlingx helm repo on the second controller. Change-Id: I86a7795decb7833cb22c04e34e298c8d24ed7fa3 
Signed-off-by: David Sullivan
Story: 2002876
Task: 22831
Depends-On: https://review.openstack.org/596802
---
 base/rsync/centos/build_srpm.data | 2 +-
 base/rsync/files/rsyncd.conf | 6 ++
 kubernetes/helm/centos/build_srpm.data | 5 +-
 kubernetes/helm/centos/files/helm-upload | 79 ++++++++++++++++++++++++
 kubernetes/helm/centos/files/helm.sudo | 3 +
 kubernetes/helm/centos/helm.spec | 13 ++--
 6 files changed, 99 insertions(+), 9 deletions(-)
 create mode 100644 kubernetes/helm/centos/files/helm-upload
 create mode 100644 kubernetes/helm/centos/files/helm.sudo
diff --git a/base/rsync/centos/build_srpm.data b/base/rsync/centos/build_srpm.data
index 2c93764a1..69cb924ed 100644
--- a/base/rsync/centos/build_srpm.data
+++ b/base/rsync/centos/build_srpm.data
@@ -1,2 +1,2 @@
 COPY_LIST="$PKG_BASE/files/rsyncd.conf"
-TIS_PATCH_VER=1
+TIS_PATCH_VER=2
diff --git a/base/rsync/files/rsyncd.conf b/base/rsync/files/rsyncd.conf
index 8b56742b8..f7a26e1df 100644
--- a/base/rsync/files/rsyncd.conf
+++ b/base/rsync/files/rsyncd.conf
@@ -49,3 +49,9 @@ read only = yes
 comment = SSL ca certificate
 uid = root
 read only = no
+
+[helm_charts]
+ path = /www/pages/helm_charts
+ comment = Helm chart repo
+ uid = root
+ read only = no
diff --git a/kubernetes/helm/centos/build_srpm.data b/kubernetes/helm/centos/build_srpm.data
index 1d35a996a..d18ca5832 100644
--- a/kubernetes/helm/centos/build_srpm.data
+++ b/kubernetes/helm/centos/build_srpm.data
@@ -1,7 +1,6 @@
 VERSION=2.9.1
 TAR_NAME=helm
 TAR="$TAR_NAME-v$VERSION-linux-amd64.tar.gz"
-#COPY_LIST="${CGCS_BASE}/downloads/$TAR ${CGCS_BASE}/downloads/tiller-2.9.1-docker-image.tgz"
-COPY_LIST="${CGCS_BASE}/downloads/$TAR"
+COPY_LIST="${CGCS_BASE}/downloads/$TAR $FILES_BASE/*"
-TIS_PATCH_VER=2
+TIS_PATCH_VER=3
diff --git a/kubernetes/helm/centos/files/helm-upload b/kubernetes/helm/centos/files/helm-upload
new file mode 100644
index 000000000..a7f8dcde5
--- /dev/null
+++ b/kubernetes/helm/centos/files/helm-upload
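Review bot: The new `[helm_charts]` module is writable as root by any client the daemon accepts, since it combines `uid = root` with `read only = no` and adds no `hosts allow` or `auth users`, while the only intended writer is helm-upload running as the `www` user on the peer controller. Consider `uid = www`, which guarantees synced charts and index.yaml land with the same owner the local upload creates (with `uid = root` that depends on rsync's `-o` name mapping, and a root-owned index.yaml would block the next `helm repo index` run as `www` on that node), and a `hosts allow` limited to the peer controller if the daemon is reachable beyond it — the global section of rsyncd.conf is outside this hunk, so an existing host restriction may already apply. The neighbouring SSL-certificate module uses the same root/read-write form, so if root is deliberate here a one-line comment stating why would help the next reader.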
@@ -0,0 +1,79 @@
+#!/bin/bash
+
+#
+# Copyright (c) 2018 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# This script takes the names of packaged helm charts as arguments.
+# It installs them in the on-node helm chart repository and regenerates
+# the repository index.
+
+
+# We want to run as the "www" user and scripts can't be setuid. The
+# sudoers permissions are set up to allow wrsroot to run this script
+# as the "www" user without a password.
+if [ $USER != "www" ]; then
+ exec sudo -u www $0 $@
+fi
+
+
+RETVAL=0
+REINDEX=0
+
+REPO_DIR='/www/pages/helm_charts'
+
+for FILE in "$@"; do
+ if [ -r $FILE ]; then
+ # QUESTION: should we disallow overwriting an existing file?
+ # The versions are embedded in the filename, so it shouldn't
+ # cause problems.
+ cp $FILE $REPO_DIR
+ if [ $? -ne 0 ]; then
+ echo Problem adding $FILE to helm chart registry.
+ RETVAL=1
+ else
+ REINDEX=1
+ fi
+ else
+ echo Cannot read file ${FILE}.
+ RETVAL=1
+ fi
+done
+
+
+# Now re-index the helm repository if we successfully copied in
+# any new charts.
+if [ $REINDEX -eq 1 ]; then
+ /usr/sbin/helm repo index $REPO_DIR
+fi
+
+if [ ! -f "/etc/platform/simplex" ]; then
+ # We're not a one node system, copy the files to the other
+ # controller if we can
+ if [ $HOSTNAME == "controller-0" ]; then
+ TARGET="controller-1"
+ else
+ TARGET="controller-0"
+ fi
+
+ # We've modified etc/rsyncd.conf to allow access to /www/helm_charts
+ # To avoid races, copy over the index file last.
+ rsync -acv --exclude=index.yaml ${REPO_DIR}/ rsync://${TARGET}/helm_charts
+ if [ $? -ne 0 ]; then
+ echo Problem syncing helm charts to $TARGET
+ RETVAL=1
+ fi
+
+ rsync -acv ${REPO_DIR}/index.yaml rsync://${TARGET}/helm_charts
+ if [ $? -ne 0 ]; then
+ echo Problem syncing helm chart index file to $TARGET
+ RETVAL=1
+ fi
+fi
+
+# We also need to sync the helm charts on node startup
+# in case they were added while the node was down.
+
+exit $RETVAL
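Review bot: The re-exec `exec sudo -u www $0 $@` and the later `cp $FILE $REPO_DIR` leave `$0`, `$@` and `$FILE` unquoted, so a chart path containing whitespace is split into several arguments on the sudo hop (and `[ -r $FILE ]` errors on it) and a name beginning with `-` is parsed as a `cp` option; the fix is `exec sudo -u www "$0" "$@"` and `cp -- "$FILE" "$REPO_DIR"`. The guard `if [ $USER != "www" ]` keys off the `USER` environment variable, which the caller controls and which can be unset outside a login shell (the test then fails with a syntax error and the script carries on as the invoking user); `if [ "$(id -un)" != "www" ]; then` checks the real identity. Because the readability test and the copy run after the hop, anything readable by `www` — not only packaged charts — gets published into the lighttpd document root, so I would reject arguments that are not regular files ending in `.tgz` before copying, since the NOPASSWD sudoers rule places no restriction on arguments. The two rsync calls also run when nothing was copied; gating them on `REINDEX` together with the `helm repo index` call would avoid pushing an unchanged repo on every failed invocation.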
diff --git a/kubernetes/helm/centos/files/helm.sudo b/kubernetes/helm/centos/files/helm.sudo
new file mode 100644
index 000000000..48e02bfbb
--- /dev/null
+++ b/kubernetes/helm/centos/files/helm.sudo
@@ -0,0 +1,3 @@
+wrsroot ALL=(www) NOPASSWD: /usr/local/sbin/helm-upload
+
+Defaults lecture=never, secure_path=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
diff --git a/kubernetes/helm/centos/helm.spec b/kubernetes/helm/centos/helm.spec
index 6afe901ef..f4f56e31c 100644
--- a/kubernetes/helm/centos/helm.spec
+++ b/kubernetes/helm/centos/helm.spec
@@ -7,7 +7,8 @@ Group: devel
 Packager: Wind River
 URL: https://github.com/kubernetes/helm/releases
 Source0: %{name}-v%{version}-linux-amd64.tar.gz
-#Source1: tiller-2.9.1-docker-image.tgz
+Source1: helm-upload
+Source2: helm.sudo
 Requires: /bin/bash
@@ -20,11 +21,13 @@ Requires: /bin/bash
 %install
 install -d %{buildroot}%{_sbindir}
 install -m 755 ${RPM_BUILD_DIR}/linux-amd64/helm %{buildroot}%{_sbindir}/helm
-#install -d %{buildroot}%{_sharedstatedir}/tiller
-#install -m 400 %{SOURCE1} %{buildroot}%{_sharedstatedir}/tiller/tiller-2.9.1-docker-image.tgz
+install -d %{buildroot}/usr/local/sbin
+install -m 755 %{SOURCE1} %{buildroot}/usr/local/sbin/helm-upload
+install -d %{buildroot}%{_sysconfdir}/sudoers.d
+install -m 440 %{SOURCE2} %{buildroot}%{_sysconfdir}/sudoers.d/helm
 %files
 %defattr(-,root,root,-)
 %{_sbindir}/helm
-#%{_sharedstatedir}/tiller/tiller-2.9.1-docker-image.tgz
-
+/usr/local/sbin/helm-upload
+%{_sysconfdir}/sudoers.d/helm
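Review bot: The `Defaults lecture=never, secure_path=...` line is an unqualified Defaults, so installing this drop-in as /etc/sudoers.d/helm changes those two settings for every sudo invocation on the host rather than only for the helm-upload rule, and any later edit to the path in this package silently alters the host-wide sudo PATH. If the settings are only needed here, scope them to the command with a command-specific entry: `Defaults!/usr/local/sbin/helm-upload lecture=never, secure_path=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin`. The rule itself looks sound as far as this page shows — the spec hunk installs the target with `install -m 755` under `%defattr(-,root,root,-)`, so wrsroot cannot modify what it is allowed to run as www — but the same Defaults may already be set by another drop-in I cannot see, in which case the line is redundant rather than harmful.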