[minor] Support install with manual certificates (#272)

docs/changes.md

@@ -1,5 +1,6 @@
 ## Changes
 
+- [`4.3`](https://github.com/ibm-mas/cli/releases/tag/4.3.0) Support use of manual certificates in `install-with-fvt` pipeline (#272)
 - [`4.2`](https://github.com/ibm-mas/cli/releases/tag/4.2.0) Added new Manage core functional tests and separate results from Industry Solutions by using different product ids (#241)
 - [`4.1`](https://github.com/ibm-mas/cli/releases/tag/4.1.0) Multiple updates:
     - Add mas must-gather command by @durera in #257

image/cli/Dockerfile

@@ -59,6 +59,7 @@ RUN chmod -R ug+rwx ${HOME}/env.sh && \
     chmod -R ug+rwx ${HOME}/.ansible && \
     chmod +x ${HOME}/run-playbook.sh && \
     chmod +x ${HOME}/run-role.sh && \
+    chmod +x ${HOME}/copy-certificates.sh && \
     chmod -R ug+w /mascli && \
     chmod +x /mascli/mas && \
     chmod +x /mascli/must-gather/* && \

image/cli/app-root/copy-certificates.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+appList=(
+  "core"
+  "assist" 
+  "iot"
+  "manage"
+  "monitor"
+  "optimizer"  
+  "predict"
+  "visualinspection"
+)
+
+if [ -e "/workspace/certificates" ]; then
+  for app in ${appList[@]}; do
+    # tls.crt and tls.key will always exist if pipeline is configured to use manual certificates
+    if [[ -f "/workspace/certificates/$app.tls.crt" ]]; then  
+      echo "Copying certs from $app into configs workspace"
+      mkdir -p /workspace/configs/certs/$app
+      cp /workspace/certificates/$app.tls.crt /workspace/configs/certs/$app/tls.crt
+      cp /workspace/certificates/$app.tls.key /workspace/configs/certs/$app/tls.key      
+      # ca.crt may be empty, but file must exist
+      if [[ -f "/workspace/certificates/$app.ca.crt" ]]; then  
+        cp /workspace/certificates/$app.ca.crt /workspace/configs/certs/$app/ca.crt
+      else
+        touch /workspace/configs/certs/$app/ca.crt
+      fi
+      echo "Done"
+    fi    
+  done  
+fi

image/cli/app-root/run-role.sh

@@ -4,6 +4,7 @@ if [ -e "/workspace/additional-configs" ]; then
   cp /workspace/additional-configs/* /workspace/configs/
 fi
 
+source /opt/app-root/src/copy-certificates.sh
 source /opt/app-root/src/env.sh
 
 # Useful for debugging permission issues

tekton/generate-tekton-tasks.yml

@@ -66,6 +66,7 @@
         - suite-app-upgrade
         - suite-config
         - suite-db2-setup-for-manage
+        - suite-certs
         - suite-dns
         - suite-install
         - suite-uninstall

tekton/src/params/install.yml.j2

@@ -327,6 +327,10 @@
   type: string
   default: ""
   description: Workload Scaling Custom ConfigMap Name
+- name: mas_manual_cert_mgmt
+  type: string
+  default: "False"
+  description: Optional boolean parameter that when set to True, indicates that manually created certificates will be used to certify MAS and application routes
 - name: mas_add_channel
   type: string
   default: ""

tekton/src/pipelines/install-with-fvt.yml.j2

@@ -14,6 +14,8 @@ spec:
     - name: shared-entitlement
     # Shared storage to hold mustgather output for tasks
     - name: shared-mustgather
+    # Pre-generated certificates that will be copied into certs folder of shared-configs workspace to be used by suite-certs task
+    - name: shared-certificates
 
   params:
     # 1. Common Parameters
@@ -172,26 +174,31 @@ spec:
     {{ lookup('template', 'taskdefs/core/suite-dns.yml.j2') | indent(4) }}
       runAfter:
         - cert-manager
+
+    # 5.3 Manual Certificates
+    {{ lookup('template', 'taskdefs/core/suite-certs.yml.j2') | indent(4) }}
+      runAfter:
+        - suite-dns
 
-    # 5.3 Suite Installation
+    # 5.4 Suite Installation
     {{ lookup('template', 'taskdefs/core/suite-install.yml.j2') | indent(4) }}
       runAfter:
         - sls
         - uds
         - gencfg-workspace
-        - suite-dns
+        - suite-certs
 
-    # 5.4 Suite Configuration
+    # 5.5 Suite Configuration
     {{ lookup('template', 'taskdefs/core/suite-config.yml.j2') | indent(4) }}
       runAfter:
         - suite-install
 
-    # 5.5 Suite Verification
+    # 5.6 Suite Verification
     {{ lookup('template', 'taskdefs/core/suite-verify.yml.j2') | indent(4) }}
       runAfter:
         - suite-config
 
-    # 5.6 Configure Db2 in MAS
+    # 5.7 Configure Db2 in MAS
     {{ lookup('template', 'taskdefs/core/suite-config-db2.yml.j2') | indent(4) }}
       runAfter:
         - fvt-operatormaturity

tekton/src/pipelines/taskdefs/core/suite-certs.yml.j2

@@ -0,0 +1,28 @@
+- name: suite-certs
+  params:
+    {{ lookup('template', 'taskdefs/common/cli-params.yml.j2') | indent(4) }}
+    - name: devops_suite_name
+      value: suite-certs
+    - name: dns_provider
+      value: $(params.dns_provider)
+    - name: mas_workspace_id
+      value: $(params.mas_workspace_id)
+    - name: mas_manual_cert_mgmt
+      value: $(params.mas_manual_cert_mgmt) 
+    - name: cis_crn
+      value: $(params.cis_crn)
+    - name: cis_apikey
+      value: $(params.cis_apikey)
+    - name: cis_subdomain
+      value: $(params.cis_subdomain)
+    - name: cis_proxy
+      value: $(params.cis_proxy)
+  taskRef:
+    kind: Task
+    name: mas-devops-suite-certs
+  workspaces:
+    # This is the stage at which we copy across any pre-generated certificates into shared-configs
+    - name: configs
+      workspace: shared-configs
+    - name: certificates
+      workspace: shared-certificates

tekton/src/pipelines/taskdefs/core/suite-dns.yml.j2

@@ -8,6 +8,8 @@
       value: $(params.mas_domain)
     - name: mas_workspace_id
       value: $(params.mas_workspace_id)
+    - name: mas_manual_cert_mgmt
+      value: $(params.mas_manual_cert_mgmt)
 
     - name: dns_provider
       value: $(params.dns_provider)

tekton/src/pipelines/taskdefs/core/suite-install.yml.j2

@@ -32,6 +32,8 @@
       value: $(params.mas_entitlement_key)
     - name: mas_customize_scaling
       value: $(params.mas_customize_scaling)
+    - name: mas_manual_cert_mgmt
+      value: $(params.mas_manual_cert_mgmt)
     - name: custom_labels
       value: $(params.custom_labels)
     - name: mas_add_catalog

tekton/src/tasks/suite-certs.yml.j2

@@ -0,0 +1,77 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: mas-devops-suite-certs
+spec:
+  params:
+    - name: dns_provider
+      type: string
+      default: ""
+    - name: mas_instance_id
+      type: string    
+    - name: mas_workspace_id
+      type: string
+      default: ""
+    - name: mas_manual_cert_mgmt
+      type: string
+      description: Optional boolean parameter that when set to True, indicates that manually created certificates will be used to certify MAS and application routes
+      default: ""
+
+    # IBM Cloud Internet Services support
+    - name: cis_crn
+      type: string
+      default: ""
+    - name: cis_apikey
+      type: string
+      default: ""
+    - name: cis_subdomain
+      type: string
+      default: ""
+    - name: cis_proxy
+      type: string
+      default: ""
+
+    # Optional support built into the ansible-devops image
+    # for saving task execution results to a MongoDb instance
+    - name: devops_suite_name
+      type: string
+      description: Optional name for the junit suite, used to enable save-junit-to-mongo.py
+      default: ""
+
+  stepTemplate:
+    env:
+      {{ lookup('template', task_src_dir ~ '/common/cli-env.yml.j2') | indent(6) }}
+      # General
+      - name: MAS_CONFIG_DIR
+        value: /workspace/configs
+      - name: DNS_PROVIDER
+        value: $(params.dns_provider)
+      - name: MAS_INSTANCE_ID
+        value: $(params.mas_instance_id)
+      - name: MAS_WORKSPACE_ID
+        value: $(params.mas_workspace_id)
+      - name: MAS_MANUAL_CERT_MGMT
+        value: $(params.mas_manual_cert_mgmt) 
+      - name: CIS_CRN
+        value: $(params.cis_crn)
+      - name: CIS_APIKEY
+        value: $(params.cis_apikey)
+      - name: CIS_SUBDOMAIN
+        value: $(params.cis_subdomain)
+      - name: CIS_PROXY
+        value: $(params.cis_proxy)
+      - name: DEVOPS_SUITE_NAME
+        value: $(params.devops_suite_name)
+
+  steps:
+    - name: suite-certs
+      command:
+        - /opt/app-root/src/run-role.sh
+        - suite_certs
+      image: quay.io/ibmmas/cli:latest
+      imagePullPolicy: $(params.image_pull_policy)
+
+  workspaces:
+    - name: configs
+    - name: certificates

tekton/src/tasks/suite-dns.yml.j2

@@ -70,6 +70,12 @@ spec:
     - name: cis_proxy
       type: string
       default: ""
+
+    # Use of Manual Certificates
+    - name: mas_manual_cert_mgmt
+      type: string
+      description: Optional boolean parameter that when set to True, indicates that manually created certificates will be used to certify MAS and application routes
+      default: ""
 
     # Optional support built into the ansible-devops image
     # for saving task execution results to a MongoDb instance
@@ -121,6 +127,8 @@ spec:
         value: $(params.override_edge_certs)
       - name: CIS_PROXY
         value: $(params.cis_proxy)
+      - name: MAS_MANUAL_CERT_MGMT
+        value: $(params.mas_manual_cert_mgmt)
 
   steps:
     - name: suite-dns

tekton/src/tasks/suite-install.yml.j2

@@ -43,6 +43,10 @@ spec:
       type: string
       description: Optional identifier for the Upgrade strategy for MAS Operator. Default is set to Automatic
       default: ""
+    - name: mas_manual_cert_mgmt
+      type: string
+      description: Optional boolean parameter that when set to True, indicates that manually created certificates will be used to certify MAS and application routes
+      default: ""
 
     - name: mas_icr_cp
       type: string
@@ -112,6 +116,8 @@ spec:
         value: $(params.mas_cluster_issuer)
       - name: MAS_UPGRADE_STRATEGY
         value: $(params.mas_upgrade_strategy)
+      - name: MAS_MANUAL_CERT_MGMT
+        value: $(params.mas_manual_cert_mgmt)
 
       - name: ARTIFACTORY_USERNAME
         value: $(params.artifactory_username)