vms helm deployment (#64)

* controller and postgres deploy if cert-manager is pre-installed

* cert-manager install working

* converted to helmfile for dependency management

* templatize postgres config to apply to multiple releases

* deploy works with clusterIP + port-forward

* deploy skupper for cross cluster connectivity

* remove unneeded files and values

* local keycloak deploy working

* configurable keycloak deployment

* persistent keycloak

* cleanup variables

* updated README

* fixes connection pool passwords

* fixed chart defaults

* use secrets instead of plain text

* removed keycloak and multicluster

* update README

* point getting-started.md to helmfile

* revert management-controller.yaml changes

* removing /scripts and /yaml directories

* set management-server chart to use production node env

Author: JPadovano1483

README.md

@@ -67,7 +67,7 @@ SkupperVMS management plane components are deployed on Kubernetes.  Backbone and
 
 #### Database
 
-A relational database (Postgres) is used as the central persistent store of configuration and current state.  The schema for the database can be found in `scripts/db-setup.sql`.
+A relational database (Postgres) is used as the central persistent store of configuration and current state.  The schema for the database can be found in `charts/helmfile/resources/db-setup.sql` (optional teardown script: `charts/helmfile/resources/drop.sql`).
 
 #### Certificate Management
 

charts/README.md

@@ -0,0 +1,5 @@
+# Charts
+
+Helmfile and Helm charts for deploying cert-manager, PostgreSQL, and the management server live under **`helmfile/`**. Full deployment steps are in **[helmfile/README.md](./helmfile/README.md)**.
+
+PostgreSQL schema (`db-setup.sql`) and the optional teardown helper (`drop.sql`) live under **`helmfile/resources/`**.

charts/helmfile/README.md

@@ -0,0 +1,158 @@
+# VMS deployment
+
+The **`charts/helmfile`** directory is a [Helmfile](https://github.com/helmfile/helmfile) environment that installs:
+
+| Chart | Role |
+| ----- | ---- |
+| **cert-manager** | Jetstack OCI chart (`v1.20.0`) — TLS issuers / certificates (optional). |
+| **postgresql** | Bitnami `postgresql` `18.3.0` — application database; schema from `resources/db-setup.sql`. |
+| **management-server** | Local chart at `../management-server` — VMS management controller. This chart can be deployed/managed by itself with standard Helm commands. |
+
+Helmfile uses your **current** `kubectl` context. Namespace behavior is described below.
+
+Keycloak is **not** installed here. Supply the controller with a **`keycloak-config`** Secret as in [Keycloak adapter](#keycloak-adapter).
+
+## Layout under `charts/`
+
+```
+charts/
+├── helmfile/                 # This README
+│   ├── helmfile.yaml.gotmpl
+│   ├── values/
+│   │   ├── common.yaml       # postgres.* + releases.*
+│   │   ├── postgres.yaml.gotmpl
+│   │   └── management-server.yaml.gotmpl
+│   └── resources/
+│       ├── db-setup.sql      # Applied to Postgres on init (via ConfigMap)
+│       └── drop.sql          # Optional manual teardown helper (not used by Helmfile)
+└── management-server/        # Helm chart for the management controller
+```
+
+## Prerequisites
+
+- **[kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)** (1.15+).
+
+- **[Helm](https://helm.sh/docs/intro/install/)** and **[Helmfile](https://github.com/helmfile/helmfile)** on your `PATH`.
+
+- **[helm-diff](https://github.com/databus23/helm-diff)**:
+
+  ```shell
+  helm plugin install https://github.com/databus23/helm-diff
+  ```
+
+- Keycloak instance running and configured (see [Keycloak Setup](/docs/notes/keycloak-setup.md)).
+
+## Credentials (Kubernetes Secrets)
+
+Passwords are **not** stored in `values/common.yaml`. Create Secrets **before** install; names and keys come from **`postgres.credentialsSecret`** (defaults below).
+
+### PostgreSQL + management-server
+
+Create **`postgres-credentials`** (default name from `common.yaml`) in:
+
+1. The **same namespace as the PostgreSQL release**.  
+2. The **same namespace as the management-server release**.
+
+If Postgres and management-server run in different namespaces, duplicate the Secret in both with identical keys.
+
+| Key (defaults in `common.yaml`) | Purpose |
+| ------------------------------- | ------- |
+| `postgres-password` | Bitnami superuser (`auth.secretKeys.adminPasswordKey`). |
+| `app-user-password` | `db-setup.sql` and management controller `APP_USER_PASSWORD`. |
+| `app-system-password` | `db-setup.sql` and management controller `APP_SYSTEM_PASSWORD`. |
+
+Example:
+
+```shell
+kubectl create secret generic postgres-credentials \
+  --from-literal=postgres-password='REPLACE_SUPERUSER_PASSWORD' \
+  --from-literal=app-user-password='REPLACE_APP_USER_PASSWORD' \
+  --from-literal=app-system-password='REPLACE_APP_SYSTEM_PASSWORD' \
+  -n <namespace>
+```
+
+## Keycloak adapter
+
+The **management-server** chart expects a Secret **`keycloak-config`** with key **`keycloak.json`**. Helmfile does not create it.
+
+1. Create a Keycloak instance that the management-controller can connect to.  
+2. Configure the client per [Keycloak setup guide](/docs/notes/keycloak-setup.md).  
+3. Create the Secret in the management-server namespace:
+
+   ```shell
+   kubectl create secret generic keycloak-config \
+     --from-file=/path/to/your-keycloak.json \
+     -n <management-server-namespace>
+   ```
+
+## Configuration (`values/common.yaml`)
+
+### `releases`
+
+Toggles and PostgreSQL namespace (from inline comments in `common.yaml`):
+
+| Key | Purpose |
+| --- | ------- |
+| `releases.certManager.enabled` | Install Jetstack cert-manager into namespace **`cert-manager`** (created if missing). |
+| `releases.postgresql.enabled` | Install Bitnami PostgreSQL. |
+| `releases.postgresql.namespace` | If **non-empty**, PostgreSQL is installed in that namespace (`createNamespace: true`). If **empty**, the release uses the current namespace used when running the helmfile command. |
+| `releases.managementServer.enabled` | Install `../management-server`. Namespace follows Helmfile’s default unless you set release-level namespace in `helmfile.yaml.gotmpl`. |
+
+### `postgres`
+
+Used by **`values/postgres.yaml.gotmpl`** for Bitnami auth, persistence, and init SQL env vars. Passed through **`values/management-server.yaml.gotmpl`** as `PGHOST`, `PGPORT`, `PGDATABASE`, and `credentialsSecret` for app role passwords.
+
+Set **`postgres.host`** / **`postgres.port`** to a hostname and port reachable from management-server pods (for example `postgresql` or `postgresql.<namespace>.svc.cluster.local`).
+
+## Database init hook
+
+Before sync, Helmfile runs a **`presync`** hook that applies ConfigMap **`db-init-configmap`** from **`resources/db-setup.sql`**. The `kubectl` command passes **`-n <namespace>`** when **`releases.postgresql.namespace`** is set; otherwise it uses your current kubectl namespace context—align that with where PostgreSQL is installed so the ConfigMap lands in the correct namespace.
+
+## Components (Helm releases)
+
+| Release | Source | Installed when |
+| ------- | ------ | -------------- |
+| `cert-manager` | `oci://quay.io/jetstack/charts/cert-manager` | `releases.certManager.enabled` |
+| `postgresql` | `bitnami/postgresql` `18.3.0` | `releases.postgresql.enabled` |
+| `management-server` | `../management-server` | `releases.managementServer.enabled` |
+
+Select a specific release to manage with **`helmfile -l component=<label>`** (labels are `cert-manager`, `postgresql`, `management-server` in `helmfile.yaml.gotmpl`).
+
+## Deploying
+
+1. Edit **`values/common.yaml`**: **`releases.*`**, **`postgres.*`**.  
+2. Create **`postgres-credentials`** (and **`keycloak-config`** when ready) in the required namespaces.  
+3. From **`charts/helmfile`**:
+
+   ```shell
+   cd charts/helmfile
+   helmfile sync
+   ```
+
+Use **`helmfile apply`** for incremental diffs. To release an individual chart, run `helmfile -l component=<label> apply`.
+
+## Teardown
+
+To destroy all resources created by the Helmfile releases (including the management server, PostgreSQL, and cert-manager, if installed), use:
+
+```shell
+helmfile destroy
+```
+
+You can selectively destroy a single release (component) using the label, just like for deploys. For example, to tear down only the Bitnami PostgreSQL release:
+
+```shell
+helmfile -l component=postgresql destroy
+```
+
+Or, for cert-manager:
+
+```shell
+helmfile -l component=cert-manager destroy
+```
+
+This will remove the resources managed by the specified release from your cluster. Double-check your namespace/context to ensure the correct resources are modified.
+
+## Related documentation
+
+- **[getting-started](/docs/notes/getting-started.md)** — broader VMS setup. This file documents only **`charts/helmfile`** and the **`management-server`** chart path used from it.

charts/helmfile/helmfile.yaml.gotmpl

@@ -0,0 +1,57 @@
+environments:
+  default:
+    values:
+      - ./values/common.yaml
+---
+{{- $deployCertManager := .Values.releases.certManager.enabled }}
+{{- $deployPostgresql := .Values.releases.postgresql.enabled }}
+{{- $deployManagementServer := .Values.releases.managementServer.enabled }}
+{{- $postgresqlNamespace := .Values.releases.postgresql.namespace }}
+{{- if ne $postgresqlNamespace "" }}
+{{- $postgresqlNamespace = printf "-n %s" $postgresqlNamespace }}
+{{- end }}
+
+repositories:
+  - name: bitnami
+    url: https://charts.bitnami.com/bitnami
+
+releases:
+  - name: cert-manager
+    namespace: cert-manager
+    createNamespace: true
+    chart: oci://quay.io/jetstack/charts/cert-manager
+    version: v1.20.0
+    installed: {{ $deployCertManager }}
+    labels:
+      component: cert-manager
+    values:
+      - crds:
+          enabled: true
+          keep: true
+  - name: postgresql
+    {{- if ne .Values.releases.postgresql.namespace "" }}
+    namespace: {{ .Values.releases.postgresql.namespace }}
+    {{- end }}
+    createNamespace: true
+    chart: bitnami/postgresql
+    version: 18.3.0
+    installed: {{ $deployPostgresql }}
+    labels:
+      component: postgresql
+    values:
+      - ./values/postgres.yaml.gotmpl
+    hooks:
+      - events: ["presync"]
+        showlogs: true
+        command: sh
+        args:
+          - -c
+          - |
+            kubectl create configmap db-init-configmap {{ $postgresqlNamespace }} --from-file=./resources/db-setup.sql -o yaml --dry-run=client | kubectl apply -f -
+  - name: management-server
+    chart: ../management-server
+    installed: {{ $deployManagementServer }}
+    labels:
+      component: management-server
+    values:
+      - ./values/management-server.yaml.gotmpl

scripts/db-setup.sql charts/helmfile/resources/db-setup.sqlscripts/db-setup.sql renamed to charts/helmfile/resources/db-setup.sql

@@ -0,0 +1,45 @@
+# Shared Postgres settings (environments.default.values). Consumed by values/*.gotmpl.
+#
+# host: PGHOST (in-cluster Service name, usually postgresql).
+# port: PGPORT.
+# user: database bootstrap user for Bitnami PostgreSQL (typically postgres).
+# database: PGDATABASE / Bitnami created database name.
+# credentialsSecret — create this Secret in the PostgreSQL release namespace before
+#   helmfile sync. The management-server chart reads the same secret name in its own
+#   namespace for APP_* passwords; duplicate the Secret there if namespaces differ.
+#   Required keys (unless you override key names below):
+#     postgres-password — Bitnami superuser password (see adminPasswordKey)
+#     app-user-password — passed to db-setup.sql for CREATE ROLE app_user
+#     app-system-password — passed to db-setup.sql for CREATE ROLE app_system
+# persistence:
+#   enabled: whether to deploy a pv for postgres.
+#   size: size of the pv.
+#   storageClass: storage class if postgres persistence is enabled. Leave empty for default storage class.
+postgres:
+  host: postgresql
+  port: 5432
+  user: postgres
+  database: studiodb
+  credentialsSecret:
+    name: postgres-credentials
+    adminPasswordKey: postgres-password
+    appUserPasswordKey: app-user-password
+    appSystemPasswordKey: app-system-password
+  persistence:
+    enabled: true
+    size: 5Gi
+    storageClass: ""
+  imagePullSecret: ""
+
+# Release configuration:
+# certManager: installed into the cert-manager namespace (will be created if not exists)
+# postgresql: installed into the namespace specified in the namespace key (will be created if not exists). If namespace is empty, the release will be installed into the current namespace.
+# managementServer: installed into the current namespace.
+releases:
+  certManager:
+    enabled: true
+  postgresql:
+    enabled: true
+    namespace: ""
+  managementServer:
+    enabled: true

scripts/drop.sql charts/helmfile/resources/drop.sqlscripts/drop.sql renamed to charts/helmfile/resources/drop.sql

@@ -0,0 +1,6 @@
+postgres:
+  host: {{ .Values.postgres.host | quote }}
+  port: {{ .Values.postgres.port | quote }}
+  database: {{ .Values.postgres.database | quote }}
+  credentialsSecret:
+    {{- toYaml .Values.postgres.credentialsSecret | nindent 4 }}

charts/helmfile/values/common.yaml

@@ -0,0 +1,38 @@
+{{- $pg := .Values.postgres | required "environment values must define 'postgres' (charts/helmfile/values/common.yaml)" }}
+{{- $sec := $pg.credentialsSecret | required "postgres.credentialsSecret is required (create the Secret before install; see charts/helmfile/README.md)" }}
+{{- $pullSecret := .Values.postgres.imagePullSecret | default "" }}
+{{- if ne $pullSecret "" }}
+global:
+  imagePullSecrets:
+    - name: {{ $pullSecret | quote }}
+{{- end }}
+auth:
+  username: {{ $pg.user | quote }}
+  database: {{ $pg.database | quote }}
+  existingSecret: {{ $sec.name | quote }}
+  secretKeys:
+    adminPasswordKey: {{ $sec.adminPasswordKey | quote }}
+primary:
+  initdb:
+    scriptsConfigMap: db-init-configmap
+  service:
+    type: ClusterIP
+    ports:
+      postgresql: {{ $pg.port | quote }}
+  persistence:
+    enabled: {{ $pg.persistence.enabled }}
+    size: {{ $pg.persistence.size | default "5Gi" }}
+    {{- if ne $pg.persistence.storageClass "" }}
+    storageClass: {{ $pg.persistence.storageClass | quote }}
+    {{- end }}
+  extraEnvVars:
+    - name: APP_USER_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: {{ $sec.name | quote }}
+          key: {{ $sec.appUserPasswordKey | quote }}
+    - name: APP_SYSTEM_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: {{ $sec.name | quote }}
+          key: {{ $sec.appSystemPasswordKey | quote }}

charts/helmfile/values/management-server.yaml.gotmpl

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/