Enable helm repository and chart upload tool

There's a lot going on here but conceptually we're just enabling a
local helm repo along with a helper script to install helm charts into
the repo.

The first item is to configure lighttpd to serve up helm charts as
static information (so no proxying) at http://127.0.0.1/helm_charts".
This is fairly straightforward, but the files are served out of
/www which isn't a replicated filesystem and which is owned by the www
user.

The helm puppet manifest is modified to create the "helm_charts"
directory for the webserver, to generate the initial index file,
and to tell helm to add the new repo for the "wrsroot" user.  The
various commands are run as specific users with specific environment
variables, this is key to making everything work as planned.

To allow the wrsroot user to upload charts into /www the helm-upload
script will re-run itself as the www user.  /etc/sudoers.d is modified
to allow this without asking for a password.  The upload script will
copy the specified charts in to /www/pages/helm_charts, and will then
regenerate the index.yaml file. The upload script will then try to
sync the files over to the other node.  To enable this without
prompting for a password we modify /etc/rsyncd.conf to allow
passwordless syncing into /www/helm_charts.

In a future commit we'll need to sync charts with the other
controller when booting up, and also configure the local starlingx
helm repo on the second controller.

Change-Id: I86a7795decb7833cb22c04e34e298c8d24ed7fa3
Signed-off-by: David Sullivan <david.sullivan@windriver.com>
Story: 2002876
Task: 22831
Depends-On: https://review.openstack.org/596802

base/rsync/centos/build_srpm.data

@@ -1,2 +1,2 @@
 COPY_LIST="$PKG_BASE/files/rsyncd.conf"
-TIS_PATCH_VER=1
+TIS_PATCH_VER=2

base/rsync/files/rsyncd.conf

@@ -49,3 +49,9 @@ read only = yes
         comment = SSL ca certificate
         uid = root
         read only = no
+
+[helm_charts]
+        path = /www/pages/helm_charts
+        comment = Helm chart repo
+        uid = root
+        read only = no

kubernetes/helm/centos/build_srpm.data

@@ -1,7 +1,6 @@
 VERSION=2.9.1
 TAR_NAME=helm
 TAR="$TAR_NAME-v$VERSION-linux-amd64.tar.gz"
-#COPY_LIST="${CGCS_BASE}/downloads/$TAR ${CGCS_BASE}/downloads/tiller-2.9.1-docker-image.tgz"
-COPY_LIST="${CGCS_BASE}/downloads/$TAR"
+COPY_LIST="${CGCS_BASE}/downloads/$TAR $FILES_BASE/*"
 
-TIS_PATCH_VER=2
+TIS_PATCH_VER=3

kubernetes/helm/centos/files/helm-upload

@@ -0,0 +1,79 @@
+#!/bin/bash
+
+#
+# Copyright (c) 2018 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# This script takes the names of packaged helm charts as arguments.
+# It installs them in the on-node helm chart repository and regenerates
+# the repository index.
+
+
+# We want to run as the "www" user and scripts can't be setuid.  The
+# sudoers permissions are set up to allow wrsroot to run this script
+# as the "www" user without a password.
+if [ $USER != "www" ]; then
+    exec sudo -u www $0 $@
+fi
+
+
+RETVAL=0
+REINDEX=0
+
+REPO_DIR='/www/pages/helm_charts'
+
+for FILE in "$@"; do
+    if [ -r $FILE ]; then
+        # QUESTION:  should we disallow overwriting an existing file?
+        # The versions are embedded in the filename, so it shouldn't
+        # cause problems.
+        cp $FILE $REPO_DIR
+        if [ $? -ne 0 ]; then
+            echo Problem adding $FILE to helm chart registry.
+            RETVAL=1
+        else
+            REINDEX=1
+        fi
+    else
+        echo Cannot read file ${FILE}.
+        RETVAL=1
+    fi
+done
+
+
+# Now re-index the helm repository if we successfully copied in
+# any new charts.
+if [ $REINDEX -eq 1 ]; then
+    /usr/sbin/helm repo index $REPO_DIR
+fi
+
+if [ ! -f "/etc/platform/simplex" ]; then
+    # We're not a one node system, copy the files to the other
+    # controller if we can
+    if [ $HOSTNAME == "controller-0" ]; then
+        TARGET="controller-1"
+    else
+        TARGET="controller-0"
+    fi
+
+    # We've modified etc/rsyncd.conf to allow access to /www/helm_charts
+    # To avoid races, copy over the index file last.
+    rsync -acv --exclude=index.yaml ${REPO_DIR}/ rsync://${TARGET}/helm_charts
+    if [ $? -ne 0 ]; then
+        echo Problem syncing helm charts to $TARGET
+        RETVAL=1
+    fi
+
+    rsync -acv ${REPO_DIR}/index.yaml rsync://${TARGET}/helm_charts
+    if [ $? -ne 0 ]; then
+        echo Problem syncing helm chart index file to $TARGET
+        RETVAL=1
+    fi
+fi
+
+# We also need to sync the helm charts on node startup
+# in case they were added while the node was down.
+
+exit $RETVAL

kubernetes/helm/centos/files/helm.sudo

@@ -0,0 +1,3 @@
+wrsroot ALL=(www) NOPASSWD: /usr/local/sbin/helm-upload
+
+Defaults lecture=never, secure_path=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin

kubernetes/helm/centos/helm.spec

@@ -7,7 +7,8 @@ Group: devel
 Packager: Wind River <info@windriver.com>
 URL: https://github.com/kubernetes/helm/releases
 Source0: %{name}-v%{version}-linux-amd64.tar.gz
-#Source1: tiller-2.9.1-docker-image.tgz
+Source1: helm-upload
+Source2: helm.sudo
 
 Requires: /bin/bash
 
@@ -20,11 +21,13 @@ Requires: /bin/bash
 %install
 install -d %{buildroot}%{_sbindir}
 install -m 755 ${RPM_BUILD_DIR}/linux-amd64/helm %{buildroot}%{_sbindir}/helm
-#install -d %{buildroot}%{_sharedstatedir}/tiller
-#install -m 400 %{SOURCE1} %{buildroot}%{_sharedstatedir}/tiller/tiller-2.9.1-docker-image.tgz
+install -d %{buildroot}/usr/local/sbin
+install -m 755 %{SOURCE1} %{buildroot}/usr/local/sbin/helm-upload
+install -d %{buildroot}%{_sysconfdir}/sudoers.d
+install -m 440 %{SOURCE2} %{buildroot}%{_sysconfdir}/sudoers.d/helm
 
 %files
 %defattr(-,root,root,-)
 %{_sbindir}/helm
-#%{_sharedstatedir}/tiller/tiller-2.9.1-docker-image.tgz
-
+/usr/local/sbin/helm-upload
+%{_sysconfdir}/sudoers.d/helm