From 024df3253fe266ea457052993de97851e9cbc16f Mon Sep 17 00:00:00 2001 From: "Anselme, Schubert (sa246v)" Date: Tue, 21 Jan 2025 09:32:59 -0500 Subject: [PATCH] Add MAAS deployment gate Change-Id: I240a098121c59157d60eef094a08c74220bf0056 Signed-off-by: Anselme, Schubert (sa246v) --- .zuul.yaml | 84 +++++++ tools/deployment/002-build-charts.sh | 16 ++ tools/deployment/003-prepare-k8s.sh | 47 ++++ tools/deployment/004-make-images.sh | 27 ++ tools/deployment/sleep.sh | 16 ++ tools/gate/playbooks/airship-run-scripts.yaml | 75 ++++++ tools/gate/playbooks/deploy-env.yaml | 37 +++ tools/gate/playbooks/mount-volumes.yaml | 17 ++ .../playbooks/osh-infra-collect-logs.yaml | 43 ++++ tools/gate/playbooks/prepare-hosts.yaml | 17 ++ tools/maas/100-cert-manager.sh | 164 ++++++++++++ tools/maas/110-build-images.sh | 69 ++++++ tools/maas/115-ceph.sh | 226 +++++++++++++++++ tools/maas/120-postgresql.sh | 87 +++++++ tools/maas/121-maas.sh | 234 ++++++++++++++++++ 15 files changed, 1159 insertions(+) create mode 100755 tools/deployment/002-build-charts.sh create mode 100755 tools/deployment/003-prepare-k8s.sh create mode 100755 tools/deployment/004-make-images.sh create mode 100755 tools/deployment/sleep.sh create mode 100644 tools/gate/playbooks/airship-run-scripts.yaml create mode 100644 tools/gate/playbooks/deploy-env.yaml create mode 100644 tools/gate/playbooks/mount-volumes.yaml create mode 100644 tools/gate/playbooks/osh-infra-collect-logs.yaml create mode 100644 tools/gate/playbooks/prepare-hosts.yaml create mode 100755 tools/maas/100-cert-manager.sh create mode 100755 tools/maas/110-build-images.sh create mode 100755 tools/maas/115-ceph.sh create mode 100755 tools/maas/120-postgresql.sh create mode 100755 tools/maas/121-maas.sh diff --git a/.zuul.yaml b/.zuul.yaml index 309824d..d02178b 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -10,6 +10,7 @@ # See the License for the specific language governing permissions and # limitations under the License. +--- - project: check: jobs: 
@@ -18,12 +19,14 @@ - airship-maas-chart-build-latest-htk - airship-maas-docker-build-gate - airship-maas-lint-yaml + - airship-maas-deploy-kubeadm gate: jobs: - airship-maas-lint-ws - airship-maas-chart-build-gate - airship-maas-docker-build-gate - airship-maas-lint-yaml + - airship-maas-deploy-kubeadm post: jobs: - airship-maas-docker-publish 
@@ -108,6 +111,87 @@ static: - latest +- job: + name: airship-maas-deploy-kubeadm + description: Deploys all UC's and Executes functional tests + nodeset: treasuremap-airskiff-1node-ubuntu_jammy + roles: + - zuul: airship/kubernetes-entrypoint + - zuul: openstack/openstack-helm + - zuul: zuul/zuul-jobs + required-projects: + - name: openstack/openstack-helm + - name: openstack/openstack-helm-plugin + - name: airship/treasuremap + override-checkout: v1.9 + irrelevant-files: + - ^.*\.rst$ + - ^doc/.*$ + - ^releasenotes/.*$ + - ^site/seaworthy/.*$ + - ^site/airsloop/.*$ + - ^site/aiab/.*$ + timeout: 10800 + pre-run: + - tools/gate/playbooks/prepare-hosts.yaml + - tools/gate/playbooks/mount-volumes.yaml + run: + - tools/gate/playbooks/deploy-env.yaml + - tools/gate/playbooks/airship-run-scripts.yaml + post-run: + - tools/gate/playbooks/osh-infra-collect-logs.yaml + vars: + treasuremap_ref: v1.9 + extra_volume: + size: 80G + type: Linux + mount_point: /opt/ext_vol + docker: + root_path: "/opt/ext_vol/docker" + containerd: + root_path: "/opt/ext_vol/containerd" + kubeadm: + pod_network_cidr: "10.244.0.0/16" + service_cidr: "10.96.0.0/16" + osh_plugin_repo: "{{ zuul.project.src_dir }}/../../openstack/openstack-helm-plugin" + loopback_setup: true + loopback_device: /dev/loop100 + loopback_image: "/opt/ext_vol/openstack-helm/ceph-loop.img" + ceph_osd_data_device: /dev/loop100 + kube_version_repo: "v1.32" + kube_version: "1.32.1-1.1" + calico_setup: true + calico_version: "v3.27.4" + cilium_setup: false + cilium_version: "1.16.0" + flannel_setup: false + flannel_version: v0.25.4 + metallb_setup: false + metallb_version: "0.13.12" + helm_version: "v3.14.0" + crictl_version: "v1.30.1" + osh_helm_repo: ../../openstack/openstack-helm + osh_values_overrides_path: ../../openstack/openstack-helm/values_overrides + zuul_osh_relative_path: ../../openstack/openstack-helm + zuul_treasuremap_relative_path: ../../airship/treasuremap + gate_scripts_relative_path: . 
+ run_helm_tests: "no" + distro_suffix: ubuntu_jammy + osh_params: + container_distro_name: ubuntu + container_distro_version: jammy + HELM_ARTIFACT_URL: https://get.helm.sh/helm-v3.16.4-linux-amd64.tar.gz + HTK_COMMIT: 49c117443391cec75e0bd52bb4a9d033325927ad + OSH_COMMIT: 49c117443391cec75e0bd52bb4a9d033325927ad + gate_scripts: + - ./tools/deployment/002-build-charts.sh + - ./tools/deployment/003-prepare-k8s.sh + - ./tools/deployment/004-make-images.sh + - ./tools/maas/100-cert-manager.sh + - ./tools/maas/115-ceph.sh + - ./tools/maas/120-postgresql.sh + - ./tools/maas/121-maas.sh + - secret: name: airship_maas_quay_creds data: diff --git a/tools/deployment/002-build-charts.sh b/tools/deployment/002-build-charts.sh new file mode 100755 index 0000000..1c45ac3 --- /dev/null +++ b/tools/deployment/002-build-charts.sh @@ -0,0 +1,16 @@ +#!/bin/bash + +: "${MAAS_PATH:="../maas"}" + +cd "${MAAS_PATH}" || exit + + +mkdir -p artifacts + +make all + +cd charts || exit +for i in $(find . -maxdepth 1 -name "*.tgz" -print | sed -e 's/\-[0-9.]*\.tgz//'| cut -d / -f 2 | sort) +do + find . -name "$i-[0-9.]*.tgz" -print -exec cp -av {} "../artifacts/$i.tgz" \; +done diff --git a/tools/deployment/003-prepare-k8s.sh b/tools/deployment/003-prepare-k8s.sh new file mode 100755 index 0000000..d7b9ad5 --- /dev/null +++ b/tools/deployment/003-prepare-k8s.sh 
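Review bot: The `vars` of `airship-maas-deploy-kubeadm` pin Helm twice with different releases, `helm_version: "v3.14.0"` and `osh_params.HELM_ARTIFACT_URL: https://get.helm.sh/helm-v3.16.4-linux-amd64.tar.gz`, so different stages of the job can end up running different Helm binaries. Align the two, and because the tarball is fetched by URL at job time, keep its expected SHA-256 next to the URL so the consuming script (not visible in this hunk) can verify the download. The description promises "Executes functional tests" while `run_helm_tests: "no"` is set and the job is added to `gate` as well as `check`; a comment on that variable saying where the tests actually run would remove the contradiction. `flannel_version: v0.25.4` is unquoted where the other `*_version` values are quoted.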
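Review bot: `002-build-charts.sh` never enables `set -e`, so a failing `make all` is ignored and the script exits with the status of the final `for` loop, which is 0 even when `find` matches nothing. As the first entry in `gate_scripts` it can therefore report success with no chart archives copied into `artifacts/`. Add `set -eu` under the shebang, and consider failing explicitly when the loop copied nothing. The loop also word-splits the output of `find`, which is fine for the chart names expected here but deserves a short comment.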
@@ -0,0 +1,47 @@
+#!/bin/bash
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Add labels to the core namespaces & nodes
+kubectl label --overwrite namespace default name=default
+kubectl label --overwrite namespace kube-system name=kube-system
+kubectl label --overwrite namespace kube-public name=kube-public
+kubectl label --overwrite nodes --all openstack-control-plane=enabled
+kubectl label --overwrite nodes --all ucp-control-plane=enabled
+kubectl label --overwrite nodes --all openstack-compute-node=enabled
+kubectl label --overwrite nodes --all openvswitch=enabled
+kubectl label --overwrite nodes --all linuxbridge=enabled
+kubectl label --overwrite nodes --all ceph-mon=enabled
+kubectl label --overwrite nodes --all ceph-osd=enabled
+kubectl label --overwrite nodes --all ceph-mds=enabled
+kubectl label --overwrite nodes --all ceph-rgw=enabled
+kubectl label --overwrite nodes --all ceph-mgr=enabled
+# We deploy l3 agent only on the node where we run test scripts.
+# In this case virtual router will be created only on this node
+# and we don't need L2 overlay (will be implemented later).
+kubectl label --overwrite nodes -l "node-role.kubernetes.io/control-plane" l3-agent=enabled
+
+for NAMESPACE in ceph mariadb-operator utility ucp openstack osh-infra; do
+tee /tmp/${NAMESPACE}-ns.yaml << EOF
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ kubernetes.io/metadata.name: ${NAMESPACE}
+ name: ${NAMESPACE}
+ name: ${NAMESPACE}
+EOF
+
+kubectl apply -f /tmp/${NAMESPACE}-ns.yaml
+done
diff --git a/tools/deployment/004-make-images.sh b/tools/deployment/004-make-images.sh
new file mode 100755
index 0000000..a68cc06
--- /dev/null
+++ b/tools/deployment/004-make-images.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+set -x
+
+
+: "${DISTRO:="ubuntu_jammy"}"
+
+env
+
+echo "[*] Deploy local docker registry..."
+docker rm registry --force || true
+docker run -d -p 5000:5000 --restart=always --name registry registry:2
+
+echo "[*] Build images and push them to local docker registry..."
+make images -e DOCKER_REGISTRY="localhost:5000" -e PUSH_IMAGE=true
+
diff --git a/tools/deployment/sleep.sh b/tools/deployment/sleep.sh
new file mode 100755
index 0000000..90bb3d5
--- /dev/null
+++ b/tools/deployment/sleep.sh
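Review bot: The namespace loop in `003-prepare-k8s.sh` writes each manifest to a fixed, predictable name, `/tmp/${NAMESPACE}-ns.yaml`, and then applies that path, so on a host where `/tmp` is shared a pre-existing file or symlink with that name is written through by `tee`. Feeding the heredoc directly to kubectl removes the temporary file: `kubectl apply -f - << EOF`. The heredoc also shows `name: ${NAMESPACE}` on two consecutive lines; indentation is lost on this page, so presumably one is a label and the other `metadata.name`, but it is worth confirming they are not duplicate keys at the same level.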
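Review bot: In `004-make-images.sh` the bare `env` call, combined with `set -x`, writes the entire job environment to the console output, so any credential exported into the job ends up in the published log. Remove it or limit it to the variables being debugged, e.g. `env | grep -E '^(DISTRO|DOCKER_REGISTRY|PUSH_IMAGE)='`. `docker run -d -p 5000:5000 ... registry:2` publishes an unauthenticated registry on every interface of the node and uses a floating tag; since images are addressed as `localhost:5000`, `-p 127.0.0.1:5000:5000` should be sufficient on this single-node job, provided the container runtime pulls over loopback. The script sets `-x` but not `-e`, unlike `003-prepare-k8s.sh`, so a failed `docker run` does not stop it.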
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+env_output=$(env)
+
+# Loop through each line of the env output
+while IFS= read -r line; do
+ # Extract the variable name and value
+ variable=$(echo "$line" | cut -d= -f1)
+ value=$(echo "$line" | cut -d= -f2-)
+
+ # Print the export command
+ echo "export $variable=\"$value\""
+done <<< "$env_output"
+
+echo "Sleeping.............."
+while true; do sleep 10; done
diff --git a/tools/gate/playbooks/airship-run-scripts.yaml b/tools/gate/playbooks/airship-run-scripts.yaml
new file mode 100644
index 0000000..6e29edc
--- /dev/null
+++ b/tools/gate/playbooks/airship-run-scripts.yaml
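Review bot: `sleep.sh` prints every environment variable as an `export` line and then loops forever, so any secret present in the environment is copied into the job output and a job that runs it ends only at its timeout. It is not listed in `gate_scripts`, so it looks like a debugging aid; if it stays in the tree it should open with a comment such as `# Debug helper: dumps the environment and blocks; never add to gate_scripts.` The hand-built `echo "export $variable=\"$value\""` lines are also not safe to source again, because quotes, `$` and newlines inside a value are not escaped and a multi-line value is split into bogus variables. `export -p` emits correctly quoted output and replaces the whole loop.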
@@ -0,0 +1,75 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +- hosts: primary + tasks: + - name: Override images + when: buildset_registry is defined + vars: + work_dir: "{{ zuul.project.src_dir }}" + block: + - name: Buildset registry alias + include_role: + name: deploy-env + tasks_from: buildset_registry_alias + + - name: Print zuul + debug: + var: zuul + + - name: Override proposed images from artifacts + shell: > + find {{ override_paths | join(" ") }} -type f -exec sed -Ei + "s#['\"]?docker\.io/({{ repo }}):({{ tag }})['\"]?\$#{{ buildset_registry_alias }}:{{ buildset_registry.port }}/\1:\2#g" {} + + loop: "{{ zuul.artifacts | default([]) }}" + args: + chdir: "{{ work_dir }}" + loop_control: + loop_var: zj_zuul_artifact + when: "'metadata' in zj_zuul_artifact and zj_zuul_artifact.metadata.type | default('') == 'container_image'" + vars: + tag: "{{ zj_zuul_artifact.metadata.tag }}" + repo: "{{ zj_zuul_artifact.metadata.repository }}" + override_paths: + - ../openstack-helm*/*/values* + - ../openstack-helm-infra/tools/deployment/ + + - name: Diff + shell: | + set -ex; + for dir in openstack-helm openstack-helm-infra; do + path="{{ work_dir }}/../${dir}/" + if [ ! 
-d "${path}" ]; then continue; fi + echo "${dir} diff" + cd "${path}"; git diff; cd -; + done + + - name: "creating directory for run artifacts" + file: + path: "/tmp/artifacts" + state: directory + + - name: Run gate scripts + include_role: + name: "{{ ([item] | flatten | length == 1) | ternary('airship-run-script', 'airship-run-script-set') }}" + vars: + workload: "{{ [item] | flatten }}" + loop: "{{ gate_scripts }}" + + - name: "Downloads artifacts to executor" + synchronize: + src: "/tmp/artifacts" + dest: "{{ zuul.executor.log_root }}/{{ inventory_hostname }}" + mode: pull + ignore_errors: True +... diff --git a/tools/gate/playbooks/deploy-env.yaml b/tools/gate/playbooks/deploy-env.yaml new file mode 100644 index 0000000..950b992 --- /dev/null +++ b/tools/gate/playbooks/deploy-env.yaml @@ -0,0 +1,37 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +- hosts: all + become: true + gather_facts: true + + roles: + - ensure-python + - ensure-pip + - role: ensure-tox + become: false + - clear-firewall + - deploy-apparmor + - deploy-selenium + - deploy-env + + tasks: + - name: Install Packaging python module for tools/airship + block: + - pip: + name: packaging + version: 23.1 + executable: pip3 + become: true + +... diff --git a/tools/gate/playbooks/mount-volumes.yaml b/tools/gate/playbooks/mount-volumes.yaml new file mode 100644 index 0000000..0049da1 --- /dev/null +++ b/tools/gate/playbooks/mount-volumes.yaml 
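Review bot: The "Override proposed images from artifacts" task interpolates `zj_zuul_artifact.metadata.repository` and `zj_zuul_artifact.metadata.tag` into a double-quoted `sed -Ei` expression inside a `shell:` command with no validation, although both values come from `zuul.artifacts`, that is, from whichever job published the artifact. Constrain them before use, for example by extending the task's `when:` with `zj_zuul_artifact.metadata.tag is match('^[A-Za-z0-9_.-]+$')` and a similar pattern for the repository, so only plain image names reach the shell. `override_paths` and the "Diff" task look for `../openstack-helm-infra`, which is not among this job's `required-projects`, so on this gate they probably match nothing. `ignore_errors: True` should be written `true`, and it also hides a failed artifact download.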
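Review bot: In the `pip` task of `deploy-env.yaml`, `version: 23.1` is an unquoted scalar that YAML loads as a float, so a later bump to a release such as 23.10 would silently become 23.1; write `version: "23.1"`. The `pip` task inside the `block` has no `name:`, which makes the job log harder to follow, and its `become: true` repeats the play-level setting. The play applies a role called `clear-firewall` to `hosts: all`; judging by its name it removes host firewall rules, so a comment saying this playbook is meant only for disposable CI nodes would help anyone reusing it.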
@@ -0,0 +1,17 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+- hosts: all
+ roles:
+ - mount-extra-volume
+...
diff --git a/tools/gate/playbooks/osh-infra-collect-logs.yaml b/tools/gate/playbooks/osh-infra-collect-logs.yaml
new file mode 100644
index 0000000..83e7688
--- /dev/null
+++ b/tools/gate/playbooks/osh-infra-collect-logs.yaml
@@ -0,0 +1,43 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+- hosts: all
+ vars_files:
+ - vars.yaml
+ vars:
+ work_dir: "{{ zuul.project.src_dir }}/{{ zuul_osh_infra_relative_path | default('') }}"
+ logs_dir: "/tmp/logs"
+ roles:
+ - gather-host-logs
+ tags:
+ - gather-host-logs
+
+- hosts: primary
+ vars_files:
+ - vars.yaml
+ vars:
+ work_dir: "{{ zuul.project.src_dir }}/{{ zuul_osh_infra_relative_path | default('') }}"
+ logs_dir: "/tmp/logs"
+ roles:
+ - helm-release-status
+ - describe-kubernetes-objects
+ - gather-pod-logs
+ - gather-prom-metrics
+ - gather-selenium-data
+ tags:
+ - helm-release-status
+ - describe-kubernetes-objects
+ - gather-pod-logs
+ - gather-prom-metrics
+ - gather-selenium-data
+...
diff --git a/tools/gate/playbooks/prepare-hosts.yaml b/tools/gate/playbooks/prepare-hosts.yaml
new file mode 100644
index 0000000..c64aa0d
--- /dev/null
+++ b/tools/gate/playbooks/prepare-hosts.yaml
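Review bot: Both plays in `osh-infra-collect-logs.yaml` build `work_dir` from `zuul_osh_infra_relative_path`, but the job added in `.zuul.yaml` defines only `zuul_osh_relative_path` and `zuul_treasuremap_relative_path`. The `default('')` therefore applies, and `work_dir` resolves to the project source directory instead of an openstack-helm checkout. If the log-gathering roles expect the latter, use `zuul_osh_relative_path` here or define the missing variable in the job. Each play also loads `vars_files: - vars.yaml`, and no `vars.yaml` is in this patch's file list under `tools/gate/playbooks/`; unless it already exists in the tree, the post-run playbook fails before collecting any logs.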
@@ -0,0 +1,17 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+- hosts: all
+ roles:
+ - start-zuul-console
+...
diff --git a/tools/maas/100-cert-manager.sh b/tools/maas/100-cert-manager.sh
new file mode 100755
index 0000000..27e6c37
--- /dev/null
+++ b/tools/maas/100-cert-manager.sh
@@ -0,0 +1,164 @@ +#!/bin/bash + +set -eux + +: ${CERT_MANAGER_VERSION:="v1.16.1"} + +cert_path="/etc/openstack-helm" +ca_cert_root="$cert_path/certs/ca" + +function check_cert { + # $1: the certificate file, e.g. ca.pem + # $2: the key file, e.g. ca-key.pem + local cert="$(openssl x509 -noout -modulus -in $1)" + local key="$(openssl rsa -noout -modulus -in $2)" + if ! [ "$cert" = "$key" ]; then + echo "Failure: tls private key does not match cert" + exit 1 + else + echo "Pass: $cert is valid with $key" + fi +} + +# Download cfssl and cfssljson if they are not available on the system +if type cfssl && type cfssljson; then + echo "cfssl and cfssljson found - skipping installation" +else + echo "installing cfssl and cfssljson" + temp_bin=$(mktemp --directory) + cd $temp_bin + CFSSLURL=https://pkg.cfssl.org/R1.2 + curl --retry 3 --retry-connrefused -sSL -o cfssl $CFSSLURL/cfssl_linux-amd64 + curl --retry 3 --retry-connrefused -sSL -o cfssljson $CFSSLURL/cfssljson_linux-amd64 + chmod +x {cfssl,cfssljson} + export PATH=$PATH:$temp_bin +fi + +# Sets up a directory for the certs +sudo rm -rf $cert_path +sudo mkdir -p $ca_cert_root +sudo chmod -R go+w $cert_path + +cd $ca_cert_root + +cat > ca-csr.json < cfssl.json < intermediate-ca.json < /tmp/ca-issuers.yaml </dev/null || +docker build \ + -t "${MAAS_REPO}/kubernetes-entrypoint:latest-ubuntu_jammy" \ + --network=host \ + -f ../kubernetes-entrypoint/images/Dockerfile.ubuntu_jammy \ + --build-arg MAKE_TARGET=build \ + ../kubernetes-entrypoint + +# Build maas images +grep -q "${MAAS_REPO}/maas-region-controller" <(docker image ls) >/dev/null || +docker build \ + -t "${MAAS_REPO}/maas-region-controller:latest" \ + --network=host \ + -f "${IMG_PATH}/maas-region-controller-jammy/Dockerfile" \ + "${IMG_PATH}/maas-region-controller-jammy" + +grep -q "${MAAS_REPO}/maas-rack-controller" <(docker image ls) >/dev/null || +docker build \ + -t "${MAAS_REPO}/maas-rack-controller:latest" \ + --network=host \ + -f 
"${IMG_PATH}/maas-rack-controller-jammy/Dockerfile" \ + "${IMG_PATH}/maas-rack-controller-jammy" + +grep -q "${MAAS_REPO}/sstream-cache" <(docker image ls) >/dev/null || +docker build \ + -t "${MAAS_REPO}/sstream-cache:latest" \ + --network=host \ + -f "${IMG_PATH}/sstream-cache/Dockerfile" \ + --build-arg FROM="${BASE_IMG}" \ + --build-arg SSTREAM_IMAGE=https://images.maas.io/ephemeral-v3/stable/ \ + --build-arg SSTREAM_RELEASE="${SSTREAM_RELEASE}" \ + "${IMG_PATH}/sstream-cache" + +# Save images to tar files +stat -f /tmp/kubernetes-entrypoint.tar >/dev/null || docker image save "${MAAS_REPO}/kubernetes-entrypoint" -o /tmp/kubernetes-entrypoint.tar +stat -f /tmp/maas-region-controller.tar >/dev/null || docker image save "${MAAS_REPO}/maas-region-controller:latest" -o /tmp/maas-region-controller.tar +stat -f /tmp/maas-rack-controller.tar >/dev/null || docker image save "${MAAS_REPO}/maas-rack-controller:latest" -o /tmp/maas-rack-controller.tar +stat -f /tmp/sstream-cache.tar >/dev/null || docker image save "${MAAS_REPO}/sstream-cache:latest" -o /tmp/sstream-cache.tar + +# Load images to minikube +grep -q "${MAAS_REPO}/kubernetes-entrypoint:latest-ubuntu_jammy" <(sudo -E minikube image ls) >/dev/null || sudo -E minikube image load /tmp/kubernetes-entrypoint.tar +grep -q "${MAAS_REPO}/maas-region-controller:latest" <(sudo -E minikube image ls) >/dev/null || sudo -E minikube image load /tmp/maas-region-controller.tar +grep -q "${MAAS_REPO}/maas-rack-controller:latest" <(sudo -E minikube image ls) >/dev/null || sudo -E minikube image load /tmp/maas-rack-controller.tar +grep -q "${MAAS_REPO}/sstream-cache:latest" <(sudo -E minikube image ls) >/dev/null || sudo -E minikube image load /tmp/sstream-cache.tar diff --git a/tools/maas/115-ceph.sh b/tools/maas/115-ceph.sh new file mode 100755 index 0000000..be08533 --- /dev/null +++ b/tools/maas/115-ceph.sh 
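Review bot: In `100-cert-manager.sh` the directory that will hold the CA material is opened with `sudo chmod -R go+w $cert_path`, which lets any local account replace files under `/etc/openstack-helm/certs/ca`. Hand the tree to the invoking user instead, e.g. `sudo chown -R "$(id -u):$(id -g)" "$cert_path"` followed by `chmod -R go-rwx "$cert_path"`. The fallback install downloads `cfssl` and `cfssljson` from `$CFSSLURL`, marks them executable and appends their directory to `PATH` without any integrity check; pin a SHA-256 per binary and verify it with `sha256sum -c` before the `chmod +x`. `check_cert` expands `$1` and `$2` unquoted, and its success message prints the modulus values instead of the file names. The heredoc bodies, the rest of this script and the header of `110-build-images.sh` are missing from the page text, so later lines may already tighten the permissions.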
@@ -0,0 +1,226 @@ +#!/bin/bash + +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +set -xe + +: ${CEPH_OSD_DATA_DEVICE:="/dev/loop100"} +: ${POD_NETWORK_CIDR:="10.244.0.0/16"} +: ${OSH_HELM_REPO:="../../openstack/openstack-helm"} +: ${OSH_VALUES_OVERRIDES_PATH:="../../openstack/openstack-helm/values_overrides"} + +NUMBER_OF_OSDS="$(kubectl get nodes -l ceph-osd=enabled --no-headers | wc -l)" + +#NOTE: Deploy command +[ -s /tmp/ceph-fs-uuid.txt ] || uuidgen > /tmp/ceph-fs-uuid.txt +CEPH_FS_ID="$(cat /tmp/ceph-fs-uuid.txt)" +#NOTE(portdirect): to use RBD devices with Ubuntu kernels < 4.5 this +# should be set to 'hammer' +. 
/etc/os-release +if [ "x${ID}" == "xcentos" ] || \ + ([ "x${ID}" == "xubuntu" ] && \ + dpkg --compare-versions "$(uname -r)" "lt" "4.5"); then + CRUSH_TUNABLES=hammer +else + CRUSH_TUNABLES=null +fi +tee /tmp/ceph.yaml </tmp/values.postgres.yaml +labels: + server: + node_selector_key: ucp-control-plane + node_selector_value: enabled + test: + node_selectory_key: ucp-control-plane + node_selector_value: enabled + prometheus_postgresql_exporter: + node_selector_key: ucp-control-plane + node_selector_value: enabled + job: + node_selector_key: ucp-control-plane + node_selector_value: enabled +images: + tags: + dep_check: ${DEP_CHECK_IMG} +pod: + replicas: + server: 1 + prometheus_postgresql_exporter: 0 + mandatory_access_control: + type: apparmor +storage: + pvc: + class_name: general + archive_pvc: + class_name: general +monitoring: + prometheus: + postgresql_exporter: + scrape: false +volume: + backup: + enabled: false + class_name: general +manifests: + secret_admin: true + secret_backup_restore: true + cron_job_postgresql_backup: false + pvc_backup: true + monitoring: + prometheus: + configmap_bin: false + configmap_etc: false + deployment_exporter: false + job_user_create: false + secret_etc: false + service_exporter: false +EOF + + +helm dependency build ${OSH_HELM_REPO}/postgresql + +helm upgrade --install postgresql ${OSH_HELM_REPO}/postgresql \ + --namespace=ucp \ + --values=/tmp/values.postgres.yaml \ + ${OSH_EXTRA_HELM_ARGS} \ + ${OSH_EXTRA_HELM_ARGS_POSTGRESQL} + +#NOTE: Wait for deploy +helm osh wait-for-pods ucp diff --git a/tools/maas/121-maas.sh b/tools/maas/121-maas.sh new file mode 100755 index 0000000..a5964bf --- /dev/null +++ b/tools/maas/121-maas.sh 
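Review bot: In the values heredoc written to `/tmp/values.postgres.yaml`, the `test:` entry under `labels:` is spelled `node_selectory_key: ucp-control-plane`, so the chart receives an unknown key and the test pod keeps whatever selector key the chart defaults to; it should read `node_selector_key: ucp-control-plane` like its sibling entries. `${OSH_EXTRA_HELM_ARGS}` and `${OSH_EXTRA_HELM_ARGS_POSTGRESQL}` are expanded without defaults. The script's shell options are not visible on this page, but under `set -u` an unset variable would abort the `helm upgrade`, so `${OSH_EXTRA_HELM_ARGS:-}` is the safer form. The beginning of this file, including its diff header and the end of `115-ceph.sh`, is missing from the page text.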
@@ -0,0 +1,234 @@ +#!/bin/bash +# +# Copyright 2017 The Openstack-Helm Authors. +# Copyright 2018 AT&T Intellectual Property. All other rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +set -xe + +DEFAULT_IMAGE="${DEFAULT_IMAGE:-jammy}" +DEFAULT_KERNEL="${DEFAULT_KERNEL:-ga-22.04}" +DEFAULT_OS="${DEFAULT_OS:-ubuntu}" + +DEP_CHECK_IMG="${DEP_CHECK_IMG:-quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_jammy}" +REGION_CTL_IMG="${REGION_CTL_IMG:-localhost:5000/airshipit/maas-region-controller-jammy:latest}" +RACK_CTL_IMG="${RACK_CTL_IMG:-localhost:5000/airshipit/maas-rack-controller-jammy:latest}" +CACHE_IMG="${CACHE_IMG:-localhost:5000/airshipit/sstream-cache-jammy:latest}" + +# Generate value overrides to deploy maas +cat </tmp/values.maas.yaml +labels: + rack: + node_selector_key: ucp-control-plane + node_selector_value: enabled + region: + node_selector_key: ucp-control-plane + node_selector_value: enabled + ingress: + node_selector_key: ucp-control-plane + node_selector_value: enabled + syslog: + node_selector_key: ucp-control-plane + node_selector_value: enabled + test: + node_selector_key: ucp-control-plane + node_selector_value: enabled +images: + tags: + db_sync: ${REGION_CTL_IMG} + maas_rack: ${RACK_CTL_IMG} + maas_region: ${REGION_CTL_IMG} + bootstrap: ${REGION_CTL_IMG} + export_api_key: ${REGION_CTL_IMG} + maas_cache: ${CACHE_IMG} + dep_check: ${DEP_CHECK_IMG} + maas_syslog: ${REGION_CTL_IMG} + enable_tls: ${REGION_CTL_IMG} +network: + 
region_api: + ingress: + classes: + namespace: nginx + cluster: nginx + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / + nginx.ingress.kubernetes.io/backend-protocol: HTTPS + node_port: + enabled: true + region_proxy: + node_port: + enabled: false +pod: + mandatory_access_control: + type: apparmor + replicas: + rack: 1 + region: 1 + syslog: 1 +storage: + syslog: + pvc: + class_name: general + rackd: + pvc: + class_name: general +manifests: + ingress_region: false + configmap_ingress: false + maas_ingress: false +dependencies: + static: + rack_controller: + services: + - service: maas_region + endpoint: internal + jobs: + - maas-export-api-key + region_controller: + jobs: + - maas-db-sync + services: + - service: maas_db + endpoint: internal + db_init: + services: + - service: maas_db + endpoint: internal + db_sync: + jobs: + - maas-db-init + bootstrap_admin_user: + jobs: + - maas-db-sync + services: + - service: maas_region + endpoint: internal + - service: maas_db + endpoint: internal + import_resources: + jobs: + - maas-bootstrap-admin-user + services: + - service: maas_region + endpoint: internal + - service: maas_db + endpoint: internal + export_api_key: + jobs: + - maas-bootstrap-admin-user + services: + - service: maas_region + endpoint: internal + - service: maas_db + endpoint: internal +endpoints: + maas_region: + host_fqdn_override: + default: null + public: + host: maas-region.ucp.svc.cluster.local + hosts: + default: maas-region + name: maas-region + path: + default: /MAAS + port: + region_api: + nodeport: 31900 + nodeporttls: 31901 + public: 443 + internal: 80 + scheme: + default: https + maas_syslog: + host_fqdn_override: + public: + host: maas-syslog.ucp.svc.cluster.local +conf: + # ssh: + # private_key: null + # curtin: + # override: false + # late_commands: + # install_modules_extra: ["curtin", "in-target", "--", "apt-get", "-y", "install", "linux-generic"] + # cloudconfig: + # override: false + # sections: + # bootcmd: + # - rm -fr 
/var/lib/apt/lists + # - sysctl net.ipv6.conf.all.disable_ipv6=1 + # - sysctl net.ipv6.conf.default.disable_ipv6=1 + # - sysctl net.ipv6.conf.lo.disable_ipv6=0 + # drydock: + # bootaction_url: null + cache: + enabled: true + syslog: + log_level: DEBUG + maas: + cgroups: + disable_cgroups_region: false + disable_cgroups_rack: false + ntp: + use_external_only: true + ntp_servers: + - 138.197.135.239 + - 162.159.200.123 + - 206.108.0.133 + - 217.180.209.214 + dns: + require_dnssec: "no" + dns_servers: + - 8.8.4.4 + - 8.8.8.8 + proxy: + peer_proxy_enabled: false + proxy_enabled: false + images: + default_os: ${DEFAULT_OS} + default_image: ${DEFAULT_IMAGE} + default_kernel: ${DEFAULT_KERNEL} + credentials: + secret: + namespace: ucp + extra_settings: + network_discovery: disabled + active_discovery_interval: 0 + enlist_commissioning: false + force_v1_network_yaml: true + system_passwd: null + system_user: null + tls: + enabled: true + create: true + insecure: "'true'" +cert_manager: + enabled: true + issuer: + kind: ClusterIssuer + name: ca-issuer +eof + +# Deploy maas +cp -r ../../openstack/openstack-helm/helm-toolkit ./charts/deps/helm-toolkit +helm dependency update ./charts/maas +helm upgrade --install maas ./charts/maas \ + --namespace=ucp \ + --values=/tmp/values.maas.yaml + +# Wait for all pods to be running +helm osh wait-for-pods ucp + +# Run tests +helm test maas --namespace=ucp
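Review bot: The `tls` block of the generated `/tmp/values.maas.yaml` sets `insecure: "'true'"`, a string whose value includes the single quotes. Whatever the chart does with it, the intent needs a comment, and if it relaxes certificate verification it is worth checking whether it is still required now that `cert_manager.enabled: true` issues the certificate from `ca-issuer`. The same file sets `require_dnssec: "no"` and `log_level: DEBUG` and hard-codes four public NTP addresses and two public resolvers, so the gate depends on third-party hosts being reachable; mark these as CI-only values so they are not copied into a site definition. The script ends with an unconditional `helm test maas` although the job sets `run_helm_tests: "no"`, and the default images use the floating `:latest` tag from `localhost:5000`. `cp -r ../../openstack/openstack-helm/helm-toolkit ./charts/deps/helm-toolkit` nests the copy one level deeper when the target already exists; `cp -rT` or removing the target first avoids that.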