bcgov · vikasgrover2 · Feb 7, 2024 · Jan 26, 2024 · Jan 30, 2024 · Jan 30, 2024
diff --git a/.github/workflows/docker-publish-opensearch.yml b/.github/workflows/docker-publish-opensearch.yml
@@ -0,0 +1,73 @@
+name: Push to GHCR
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+
+env:
+  # DF-NOTE: pull ghcr.io/bcgov/nr-openmetadata-opensearch:main
+  REGISTRY: ghcr.io
+  DOCKERFILE_PATH: charts/deps/charts/opensearch-2.12.1/containers
+  IMAGE_NAME: ${{ github.repository }}-opensearch
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      # DF-NOTE: delete after merging PR
+        with: 
+          ref: security-context-changes
+
+      - name: Install cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1
+        with:
+          cosign-release: 'v2.1.1'
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+        with:
+          # DF-NOTE: to help the action find the Dockerfile to build from
+          context: ${{ env.DOCKERFILE_PATH }}/       
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Sign the published Docker image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+          TAGS: ${{ steps.meta.outputs.tags }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+charts-1.2.4
diff --git a/README.md b/README.md
@@ -68,7 +68,7 @@ helm uninstall openmetadata-dependencies
 ```
 
 ## Deploying to OpenShift
-To deploy to OpenShift, using OC commands make sure Helm cli is installed on your local machine.
+To deploy to OpenShift, use OC commands and make sure Helm cli is installed on your local machine.
 ```
 brew install helm
 ```
@@ -79,33 +79,48 @@ Source: https://github.com/open-metadata/openmetadata-helm-charts/tree/main/char
 ```
 oc create secret generic airflow-mysql-secrets --from-literal=airflow-mysql-password=airflow_pass
 ```
-#### Add Helm repo to OS
+#### Deploy dependencies to OpenShift
+Navigate to the 'deps' chart folder then:
 ```
-helm repo add open-metadata https://helm.open-metadata.org
-```
-#### Deploy dependencies to OS
-```
-helm install openmetadata-dependencies open-metadata/openmetadata-dependencies
+helm install openmetadata-dependencies .
 ```
 If you see the below error then get admin access to the dev namespace
 Issues:  User "[email protected]" cannot get resource "roles" in API group "rbac.authorization.k8s.io" in the namespace "a1b9b0-dev"
 
 ### Install OpenMetadata
+Source: https://github.com/open-metadata/openmetadata-helm-charts/tree/main/charts/openmetadata
+
 #### Create default Secrets
 ```
 oc create secret generic mysql-secrets --from-literal=openmetadata-mysql-password=openmetadata_password
 oc create secret generic airflow-secrets --from-literal=openmetadata-airflow-password=admin
 ```
-#### Deploy Helm chart
+## Apply the pod label policies under 'oc' folder: 
+```
+oc apply -f [auto-label].yaml 
+```
+## Apply the network policies under 'oc' folder: 
 ```
-helm install openmetadata-dependencies open-metadata/openmetadata-dependencies --values charts/deps/values.yaml
-helm install openmetadata open-metadata/openmetadata --values charts/openmetadata/values.yaml
+oc apply -f [net-pol].yaml 
+```
+#### Deploy OpenMetadata to OpenShift:
+Navigate to the 'openmetadata' chart folder then:
+```
+helm install openmetadata .
+```
+#### Port Forward OpenMetadata to view UI
 ```
 
-## Creating OpenShift ConfigMaps 
 
-## Errors encountered
+```
 
+##  OpenSearch Dockerfile and Use of GHCR
+OpenSearch requires a modified Dockerfile to work within the OpenShift restricted security context. The Dockerfile can be found under charts/opensearch-2.12.1/containers. The image is built automatically and pushed to the GHCR any time there is a push or PR to the **main** branch. 
 
+Usage example: 
+```sh
+docker pull ghcr.io/bcgov/nr-openmetadata-opensearch:main
+```
 
-create Pod mysql-0 in StatefulSet mysql failed error: pods "mysql-0" is forbidden: unable to validate against any security context constraint: [provider "trident-controller": Forbidden: not usable by user or serviceaccount, provider "anyuid": Forbidden: not usable by user or serviceaccount, provider "pipelines-scc": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{1001}: 1001 is not an allowed group, provider restricted-v2: .containers[0].runAsUser: Invalid value: 1001: must be in the ranges: [1001900000, 1001909999], provider restricted: .spec.securityContext.fsGroup: Invalid value: []int64{1001}: 1001 is not an allowed group, provider restricted: .containers[0].runAsUser: Invalid value: 1001: must be in the ranges: [1001900000, 1001909999], provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "elasticsearch-scc": Forbidden: not usable by user or serviceaccount, provider "log-collector-scc": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "trident-node-linux": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]
+## Helm chart modifications
+To review all Helm chart modifications (i.e. differences between the OpenMetadata default config and this config), search this repo for "DF-NOTE:" annotations. 
diff --git a/charts/deps/Chart.yaml b/charts/deps/Chart.yaml
@@ -16,13 +16,13 @@ type: application
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
 
-version: 1.2.3
+version: 1.2.8
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.2.2"
+appVersion: "1.2.5"
 
 home: https://open-metadata.org/
 

diff --git a/charts/deps/charts/airflow-8.8.0/.helmignore b/charts/deps/charts/airflow-8.8.0/.helmignore
@@ -0,0 +1,47 @@
+# Patterns to ignore when building the helm package
+
+## Git
+.git
+.gitignore
+
+## JetBrains
+.idea/
+*.iml
+*.ipr
+*.iws
+
+## VSCode
+.vscode/*
+*.code-workspace
+.history/
+
+## Vim
+[._]*.s[a-v][a-z]
+[._]*.sw[a-p]
+[._]s[a-rt-v][a-z]
+[._]ss[a-gi-z]
+[._]sw[a-p]
+Session.vim
+Sessionx.vim
+.netrwhist
+*~
+[._]*.un~
+
+## Emacs
+*~
+\#*\#
+/.emacs.desktop
+/.emacs.desktop.lock
+*.elc
+.\#*
+
+## macOS
+.DS_Store
+.AppleDouble
+.LSOverride
+._*
+
+## Chart Documentation
+/ci
+/docs
+/examples