Merge pull request #1 from cloud-native-toolkit/feat/mascli

Feat/mascli

Author: davidstacy

maximo-pipeline-run.yaml 8.10.x/pipeline-run.yamlmaximo-pipeline-run.yaml renamed to 8.10.x/pipeline-run.yaml

@@ -2,10 +2,17 @@
 apiVersion: tekton.dev/v1beta1
 kind: PipelineRun
 metadata:
-  generateName: pr-mas-core-
+  generateName: pr-mas-cli-
 spec:
+  params:
+    - name: uds-email
+      value: "dev-techzone@ibm.com"
+    - name: uds-firstname
+      value: "TechZone"
+    - name: uds-lastname
+      value: "Developer"
   workspaces:
-    - name: shared-workspace
+    - name: ws
       volumeClaimTemplate:
         spec:
           accessModes:
@@ -14,7 +21,7 @@ spec:
             requests:
               storage: 1Gi
   pipelineRef:
-    name: mas-core-deploy
+    name: mas-cli-deploy
   podTemplate:
     securityContext:
       fsGroup: 65532

8.10.x/pipeline.yaml

@@ -0,0 +1,250 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+  name: mas-cli-deploy
+  namespace: default
+spec:
+  workspaces:
+    - name: ws
+  params:
+    - name: namespace
+      type: string
+      default: "maximo-suite"
+    - name: mas-instance-id
+      type: string
+      default: "inst1"
+    - name: mas-workspace-id
+      type: string
+      default: "maxworkspace"
+    - name: mas-workspace-name
+      type: string
+      default: "My Maximo Workspace"
+    - name: mas-catalog-version
+      type: string
+      description: "Do not change this unless you know what you are doing"
+      default: "v8-amd64"
+    - name: mas-channel
+      type: string
+      description: "Controls version of Maximo Operators.  Do not change this unless you know what you are doing."
+      default: "8.10.x"
+    - name: license-file-secret-name
+      description: "Store your BYOL license key stored as a base64 encoded arbitrary secret in the kube-system namespace.  provide the name of the secret here.  the defaul is false which means the pipeline will attempt to download a techzone license"
+      type: string
+      default: "false"
+    - name: ibm-entitlement-key
+      description: "IBM entitlement key. If not set, will use secret manager."
+      type: string
+      default: "false"
+    - name: uds-email
+      description: "Contact Email"
+      type: string
+    - name: uds-firstname
+      description: "Contact first name"
+      type: string
+    - name: uds-lastname
+      description: "Contact last name"
+      type: string
+    - name: storage-rwo
+      description: "RWO Storage Class"
+      type: string
+      default: "ocs-storagecluster-cephfs"
+    - name: storage-rwx
+      description: "RWX Storage Class"
+      type: string
+      default: "ocs-storagecluster-cephfs"
+    - name: storage-pipeline
+      description: "Pipeline Storage Class"
+      type: string
+      default: "ocs-storagecluster-cephfs"
+    - name: storage-accessmode
+      description: "Install Pipeline storage class access mode (ReadWriteMany or ReadWriteOnce)"
+      type: string
+      default: "ReadWriteMany"
+  tasks:
+    - name: add-namespace
+      taskRef:
+        kind: Task
+        name: ibm-pak
+      params:
+        - name: SCRIPT
+          value: |
+            oc apply -f - <<EOF
+            kind: Namespace
+            apiVersion: v1
+            metadata:
+              name: $(params.namespace)
+            EOF
+    - name: get-maximo-licensefile
+      workspaces:
+        - name: ws
+      params:
+        - name: KEY_ID
+          value: 0ae3295c-95dd-c323-82af-1be5587d998f
+        - name: SECRETS_MANAGER_ENDPOINT_URL
+          value: >-
+            https://afa20521-cd75-4864-843f-e59fd0ffd49d.us-south.secrets-manager.appdomain.cloud
+        - name: LICENSE_FILE_SECRET_NAME
+          value: "$(params.license-file-secret-name)"
+      taskSpec:
+        workspaces:
+          - name: ws
+        params:
+          - name: KEY_ID
+          - name: SECRETS_MANAGER_ENDPOINT_URL
+          - name: LICENSE_FILE_SECRET_NAME
+        steps:
+          - name: write-maximo-licensefile
+            image: quay.io/openshift/origin-cli:4.10
+            script: |
+              #!/usr/bin/env bash
+
+              if [[ $(params.LICENSE_FILE_SECRET_NAME) == "false" ]]; then
+                # Retrieve the IBM Cloud API Key configured in a `deployer` cluster
+                export IBMCLOUD_API_KEY=$(oc get secret ibm-secret -n kube-system -o jsonpath='{.data.apiKey}' | base64 -d)
+                export AUTH_RESPONSE_JSON=$(curl -s -X POST \
+                  "https://iam.cloud.ibm.com/identity/token" \
+                  --header 'Content-Type: application/x-www-form-urlencoded' \
+                  --header 'Accept: application/json' \
+                  --data-urlencode 'grant_type=urn:ibm:params:oauth:grant-type:apikey' \
+                  --data-urlencode "apikey=${IBMCLOUD_API_KEY}")
+                export ACCESS_TOKEN=$(echo $AUTH_RESPONSE_JSON | grep -o '"access_token":"[^"]*' | grep -o '[^"]*$')
+                export SECRET_JSON=$(curl -s -X GET --location --header "Authorization: Bearer ${ACCESS_TOKEN}" --header "Accept: application/json" "$(params.SECRETS_MANAGER_ENDPOINT_URL)/api/v2/secrets/$(params.KEY_ID)")
+                echo $SECRET_JSON |  grep -o '"payload":"[^"]*' | grep -o '[^"]*$' | base64 -d > $(workspaces.ws.path)/license.dat
+
+              else
+                oc get secret $(params.LICENSE_FILE_SECRET_NAME) -n kube-system -o jsonpath='{.data.apiKey}' | base64 -d > $(workspaces.ws.path)/license.dat
+              fi
+
+              cat $(workspaces.ws.path)/license.dat
+    - name: get-ibm-entitlement-key
+      taskRef:
+        name: ibmcloud-secrets-manager-get
+        kind: Task
+      params:
+        - name: KEY_ID
+          value: 968d7819-f2c5-7b67-c420-3c6bfd51521e
+        - name: SECRETS_MANAGER_ENDPOINT_URL
+          value: >-
+            https://afa20521-cd75-4864-843f-e59fd0ffd49d.us-south.secrets-manager.appdomain.cloud
+    - name: set-retrieved-entitlement-key
+      when:
+        - input: "$(params.ibm-entitlement-key)"
+          operator: in
+          values: ["false"]
+      runAfter:
+        - get-ibm-entitlement-key
+      params:
+        - name: entitlement-key
+          value: $(tasks.get-ibm-entitlement-key.results.secret-value)
+      workspaces:
+        - name: ws
+      taskSpec:
+        workspaces:
+          - name: ws
+        params:
+          - name: entitlement-key
+        steps:
+          - name: set-entitlement-key
+            image: quay.io/openshift/origin-cli:4.10
+            script: |
+              #!/usr/bin/env bash
+              echo $(params.entitlement-key) > $(workspaces.ws.path)/ek.dat
+              echo "ek.dat created"
+              exit
+    - name: set-provided-entitlement-key
+      workspaces:
+        - name: ws
+      when:
+        - input: "$(params.ibm-entitlement-key)"
+          operator: notin
+          values: ["false"]
+      params:
+        - name: ibm-entitlement-key
+          value: "$(params.ibm-entitlement-key)"
+      taskSpec:
+        workspaces:
+          - name: ws
+        params:
+          - name: ibm-entitlement-key
+        steps:
+          - name: set-entitlement
+            image: quay.io/openshift/origin-cli:4.10
+            script: |
+              #!/usr/bin/env bash
+              echo $(params.entitlement-key) > $(workspaces.ws.path)/ek.dat
+              echo "ek.dat created"
+              exit
+    - name: install-mas
+      runAfter:
+        - get-maximo-licensefile
+        - set-provided-entitlement-key
+        - set-retrieved-entitlement-key
+      workspaces:
+        - name: ws
+      params:
+        - name: mas-instance-id
+          value: "$(params.mas-instance-id)"
+        - name: mas-workspace-id
+          value: "$(params.mas-workspace-id)"
+        - name: mas-workspace-name
+          value: "$(params.mas-workspace-name)"
+        - name: mas-catalog-version
+          value: "$(params.mas-catalog-version)"
+        - name: mas-channel
+          value: "$(params.mas-channel)"
+        - name: uds-email
+          value: "$(params.uds-email)"
+        - name: uds-firstname
+          value: "$(params.uds-firstname)"
+        - name: uds-lastname
+          value: "$(params.uds-lastname)"
+        - name: storage-rwo
+          value: "$(params.storage-rwo)"
+        - name: storage-rwx
+          value: "$(params.storage-rwx)"
+        - name: storage-pipeline
+          value: "$(params.storage-pipeline)"
+        - name: storage-accessmode
+          value: "$(params.storage-accessmode)"
+      taskSpec:
+        workspaces:
+          - name: ws
+        params:
+          - name: ibm-entitlement-key
+          - name: mas-instance-id
+          - name: mas-workspace-id
+          - name: mas-workspace-name
+          - name: mas-catalog-version
+          - name: mas-channel
+          - name: uds-email
+          - name: uds-firstname
+          - name: uds-lastname
+          - name: storage-rwo
+          - name: storage-rwx
+          - name: storage-pipeline
+          - name: storage-accessmode
+        steps:
+          - name: run-mas-cli
+            image: quay.io/ibmmas/cli:latest
+            script: |
+              #!/usr/bin/env bash
+              # extract entitlement key
+              oc get secret ibm-entitlement-key -n $(params.namespace) -o jsonpath='{}'
+              # extract license id from license.dat
+              export LICENSE_ID=$(cat $(workspaces.ws.path)/license.dat | head -1 | cut -d ' ' -f3)
+
+              export ENTITLEMENT_KEY=$(cat $(workspaces.ws.path)/ek.dat)
+
+              #run mas install non-interactively
+              mas install -i $(params.mas-instance-id) \
+                -w $(params.mas-workspace-id) \
+                -W "$(params.mas-workspace-name)" \
+                -c $(params.mas-catalog-version) \
+                --mas-channel $(params.mas-channel) \
+                --ibm-entitlement-key $ENTITLEMENT_KEY \
+                --license-id $LICENSE_ID --license-file $(workspaces.ws.path)/license.dat \
+                --uds-email $(params.uds-email) --uds-firstname $(params.uds-firstname) --uds-lastname $(params.uds-lastname) \
+                --storage-rwo $(params.storage-rwo) --storage-rwx $(params.storage-rwx) \
+                --storage-pipeline $(params.storage-pipeline) --storage-accessmode $(params.storage-accessmode) \
+                --no-confirm

README.md

@@ -4,72 +4,61 @@ This repository contains a Tekton pipelines to deploy the [Maximo Operator](http
 
 ## Pre-requisites
 
+### Deployer Cluster
+
 An IBM Technology Zone `deployer` cluster is assumed to be configured with an appropriate Red Hat OpenShift version for the Maximo version you wish to deploy, with appropriate sizing. Refer to [Maximo Product Documentation](https://www.ibm.com/docs/en/mas-cd/continuous-delivery?topic=planning) for more information.
 
 A `deployer` cluster is configured with the following items:
 
-- ExternalSecrets operator deployed with a ClusterSecretStore configured. The remote ExternalSecrets secret store must include an IBM Entitlement Key.
+- ExternalSecrets operator deployed with a ClusterSecretStore configured. 
 - Techzone Deployer Tekton tasks deployed ([deploy YAML](https://github.com/cloud-native-toolkit/deployer-tekton-tasks/blob/main/argocd.yaml)).
 - OpenShift GitOps configured with [One Touch Provisioning ArgoCD instance](https://github.com/one-touch-provisioning/otp-gitops), and any relevant RBAC rules.
 - OpenShift Pipelines operator deployed.
 - deployer pipelines tasks and cluster tasks
 
+### Entitlement key
 
-## Pipelines organisation
+If deploying on TechZone the entitlement key is provided from the TechZone Secrets Repo.  If deploying in a non-techzone cluster you will need to provide an entitlement key for the pipelinerun.
 
-Maximo is deployed with a Tekton Pipeline that is defined in maximo-pipeline.yaml
+Documentation for obtaining an entitlement key here: https://www.ibm.com/docs/en/cloud-paks/1.0?topic=clusters-obtaining-your-entitlement-key
 
 
-## Tasks
+### Maximo License
 
-Currently uses oc client, git clone, and helm-update-from-source from tekton hub
+To activate Maximo you will need a valid license key which is a text file that contains software authorizations and entitlements.  This pipeline in order to run automatically will need this file to be base64 encoded and saved in a kubernetes secret.
 
-## Usage
+1. save the license file to a file locally such as license.dat.
+2. Use a tool to base64 encode the file such as "
 
-###
 ```
-oc apply -f maximo-pipeline.yaml
+cat license.dat | base64 > license.dat.b64
+```
 
-tkn pipeline start mas-core-deploy --pod-template pod-template.yaml -w name=shared-workspace,volumeClaimTemplateFile=workspace-template.yaml
+3. copy the output into an OpenShift secret in the default namespace
+
+```
+oc create secret generic maximolicense --from-file=fil1=license.dat.b64
 ```
 
+remember the name of the secret for the pipeline run.  ( in the example above "maximolicense" is the name)
+
+
+## Pipelines organisation
+
+Maximo is deployed with a Tekton Pipeline that is defined in maximo-pipeline.yaml
+
+
+
+## Usage
+
+### If using your own cluster
+Run Deployer prep on the cluster.
+link: https://github.com/cloud-native-toolkit/deployer-cluster-prep/blob/main/prepare-cluster.sh
+
+
+###
+switch to version directory of choice and run these commands
+```
+oc apply -f pipeline.yaml
+oc create -f pipeline-run.yaml
 ```
-yaml 
-apiVersion: tekton.dev/v1 
-kind: Task 
-metadata: 
-  name: mytask 
-spec: 
-  steps: 
-    - name: writesomething 
-	  image: ubuntu 
-	  command: ["bash", "-c"] 
-	  args: ["echo 'foo' > /my-cache/bar"] volumeMounts: 
-	    - name: my-cache 
-		  mountPath: /my-cache 
---- 
-apiVersion: tekton.dev/v1 
-kind: Pipeline 
-metadata: 
-  name: mypipeline 
-spec: 
-  tasks: 
-    - name: task1 
-	  taskRef: 
-	    name: mytask 
---- 
-apiVersion: tekton.dev/v1 
-kind: PipelineRun 
-metadata: 
-  name: mypipelinerun 
-spec: 
-  pipelineRef: 
-    name: mypipeline 
-	taskRunTemplate: 
-	  podTemplate: 
-	    securityContext: 
-		  runAsNonRoot: true 
-		  runAsUser: 1001 
-		  volumes: 
-		    - name: my-cache    	  persistentVolumeClaim: claimName: my-volume-claim 
-```