Retire portieris-cert helm chart

Retiring the currently used portieris-cert helm chart, in favor of the
existing implementation in the upstream portieris chart. This is to
resolve the issue of incorrectly configured cert secret seen by the
application during helm apply.

This also includes a patch of the portieris helm chart, to allow
specifying a CA to trust. Currently the portieris helm chart does not
allow both the use of cert-manager and adding a CA to the trust.

Test Plan:
PASS    Build the new application
PASS    Application lifecycle (upload, apply, remove, delete)
PASS    The webhook error is no longer visible after applying the app
for a second time.
PASS    Application sanity test
PASS    Cpu core selection workflow
PASS    CA cert trust workflow: self-signed certificate; as presented in
the Starlingx Harbor app install instructions
PASS    Provide secret generated with system-local-ca
PASS    Above tests done on AIO-DX
PASS    Porteris works post platform upgrade

Closes-Bug: 2122612

Change-Id: I4dde467894a04ba3a997d2073227104419a4f0b5
Signed-off-by: Tae Park <tae.park@windriver.com>

debian_pkg_dirs

@@ -1,4 +1,3 @@
 helm-charts/upstream/portieris-helm
-helm-charts/custom/portieris-certs-helm
 python3-k8sapp-portieris
 stx-portieris-helm

helm-charts/custom/portieris-certs-helm/debian/deb_folder/changelog

@@ -1,5 +0,0 @@
-portieris-certs-helm (0.1-0) unstable; urgency=medium
-
-  * Initial release.
-
- --  Tae Park <tae.park@windriver.com>  Thu, 30 May 2024 13:02:42 +0000

helm-charts/custom/portieris-certs-helm/debian/deb_folder/control

@@ -1,15 +0,0 @@
-Source: portieris-certs-helm
-Section: libs
-Priority: optional
-Maintainer: StarlingX Developers <starlingx-discuss@lists.starlingx.io>
-Build-Depends: debhelper-compat (= 13),
- helm
-Standards-Version: 4.5.1
-Homepage: https://www.starlingx.io
-
-Package: portieris-certs-helm
-Section: libs
-Architecture: any
-Depends: ${misc:Depends}
-Description: StarlingX Portieris Certs Helm Charts
- This package contains helm chart Portieris Certs for the portieris application.

helm-charts/custom/portieris-certs-helm/debian/deb_folder/copyright

@@ -1,21 +0,0 @@
-Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-Upstream-Name: portieris-certs-helm
-Source: https://opendev.org/starlingx/portieris-armada-app/
-
-Files: *
-Copyright: (c) 2020-2024 Wind River Systems, Inc
-License: Apache-2
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
- .
-    https://www.apache.org/licenses/LICENSE-2.0
- .
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- .
- On Debian-based systems the full text of the Apache version 2.0 license
- can be found in `/usr/share/common-licenses/Apache-2.0'.

helm-charts/custom/portieris-certs-helm/debian/deb_folder/portieris-certs-helm.install

@@ -1 +0,0 @@
-usr/lib/helm/*

helm-charts/custom/portieris-certs-helm/debian/deb_folder/rules

@@ -1,22 +0,0 @@
-#!/usr/bin/make -f
-# export DH_VERBOSE = 1
-
-export DEB_VERSION = $(shell dpkg-parsechangelog | egrep '^Version:' | cut -f 2 -d ' ')
-export PATCH_VERSION = $(shell echo $(DEB_VERSION) | cut -f 4 -d '.')
-export PORTIERIS_BASE_VERSION = $(shell echo $(DEB_VERSION) | cut -f 1 -d '-')
-export PORTIERIS_VERSION = $(PORTIERIS_BASE_VERSION).$(PATCH_VERSION)
-
-export ROOT = debian/tmp
-export CHART_FOLDER = $(ROOT)/usr/lib/helm
-
-%:
-	dh $@
-
-override_dh_auto_build:
-
-	make CHART_VERSION=$(PORTIERIS_VERSION) portieris-certs
-
-override_dh_auto_install:
-	# Install the app tar file.
-	install -d -m 755 $(CHART_FOLDER)
-	install -p -D -m 755 portieris-certs*.tgz $(CHART_FOLDER)

helm-charts/custom/portieris-certs-helm/debian/deb_folder/source/format

@@ -1 +0,0 @@
-3.0 (quilt)

helm-charts/custom/portieris-certs-helm/debian/meta_data.yaml

@@ -1,10 +0,0 @@
----
-debname: portieris-certs-helm
-debver: 0.1-0
-src_path: portieris-certs-helm
-revision:
-  dist: $STX_DIST
-  PKG_GITREVCOUNT: true
-  GITREVCOUNT:
-    SRC_DIR: ${MY_REPO}/stx/portieris-armada-app/helm-charts/custom/portieris-certs-helm
-    BASE_SRCREV: 419816d74a38e978a2743365052073719dc0cc8b

helm-charts/custom/portieris-certs-helm/portieris-certs-helm/Makefile

@@ -1,42 +0,0 @@
-#
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Copyright (c) 2024 Wind River Systems, Inc.
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-# It's necessary to set this because some environments don't link sh -> bash.
-SHELL := /bin/bash
-TASK  := build
-
-EXCLUDES := helm-toolkit doc tests tools logs tmp
-CHARTS := helm-toolkit $(filter-out $(EXCLUDES), $(patsubst %/.,%,$(wildcard */.)))
-
-.PHONY: $(EXCLUDES) $(CHARTS)
-
-all: $(CHARTS)
-
-$(CHARTS):
-	@if [ -d $@ ]; then \
-		echo; \
-		echo "===== Processing [$@] chart ====="; \
-		make $(TASK)-$@; \
-	fi
-
-init-%:
-	if [ -f $*/Makefile ]; then make -C $*; fi
-	if [ -f $*/requirements.yaml ]; then helm dep up $*; fi
-
-lint-%: init-%
-	if [ -d $* ]; then helm lint $*; fi
-
-build-%: lint-%
-	if [ -d $* ]; then helm package --version $(CHART_VERSION) $*; fi
-
-clean:
-	@echo "Clean all build artifacts"
-	rm -f */templates/_partials.tpl */templates/_globals.tpl
-	rm -rf */charts */tmpcharts
-
-%:
-	@:

helm-charts/custom/portieris-certs-helm/portieris-certs-helm/portieris-certs/Chart.yaml

@@ -1,5 +0,0 @@
-apiVersion: v1
-appVersion: "1.0"
-description: StarlingX-Helm portieris-certs
-name: portieris-certs
-version: 0.1.0

helm-charts/custom/portieris-certs-helm/portieris-certs-helm/portieris-certs/templates/certificate.yaml

@@ -1,13 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  creationTimestamp: null
-  name: portieris-certs
-  namespace: portieris
-spec:
-  dnsNames:
-  - portieris.portieris.svc
-  issuerRef:
-    name: stx-portieris
-  secretName: portieris-certs
-status: {}

helm-charts/custom/portieris-certs-helm/portieris-certs-helm/portieris-certs/templates/issuer.yaml

@@ -1,9 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
-  creationTimestamp: null
-  name: stx-portieris
-  namespace: portieris
-spec:
-  selfSigned: {}
-status: {}

helm-charts/custom/portieris-certs-helm/portieris-certs-helm/portieris-certs/templates/secret.yaml

@@ -1,10 +0,0 @@
-apiVersion: v1
-data:
-    ca.pem: {{ .Values.caCert | toString | quote }}
-    tls.crt: ""
-    tls.key: ""
-kind: Secret
-metadata:
-  name: portieris-certs
-  namespace: portieris
-type: kubernetes.io/tls

helm-charts/custom/portieris-certs-helm/portieris-certs-helm/portieris-certs/values.yaml

@@ -1,11 +0,0 @@
-#
-# Copyright (c) 2018 Wind River Systems, Inc.
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-
-# Default values for nova-api-proxy.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-caCert: ""

helm-charts/upstream/portieris-helm/debian/deb_folder/patches/0004-Add-trusted-CA-Cert-secret.patch

@@ -0,0 +1,80 @@
+From 0e576f796c4e07ba8457c1d39ea7e145d5641aaa Mon Sep 17 00:00:00 2001
+From: Tae Park <tae.park@windriver.com>
+Date: Tue, 9 Sep 2025 14:59:42 +0000
+Subject: [PATCH] Add trusted CA Cert secret
+
+Adding a secret that contains a trusted CA cert for portieris. It allows
+communication with the image trust server.
+
+Signed-off-by: Tae Park <tae.park@windriver.com>
+---
+ helm/portieris/templates/deployment.yaml | 11 +++++++++++
+ helm/portieris/templates/secret.yaml     | 11 +++++++++++
+ helm/portieris/values.yaml               |  6 ++++++
+ 3 files changed, 28 insertions(+)
+
+diff --git a/helm/portieris/templates/deployment.yaml b/helm/portieris/templates/deployment.yaml
+index 826fdba..53d120f 100644
+--- a/helm/portieris/templates/deployment.yaml
++++ b/helm/portieris/templates/deployment.yaml
+@@ -51,6 +51,12 @@ spec:
+           - name: portieris-certs
+             readOnly: true
+             mountPath: "/etc/certs"
++          {{- if .Values.TrustedCACert }}
++          - name: trusted-cert
++            readOnly: true
++            mountPath: /etc/pki/tls/certs/trustedcert.pem
++            subPath: trustedcert.pem
++          {{- end }}
+           livenessProbe:
+             httpGet:
+               port: 8000
+@@ -86,3 +92,8 @@ spec:
+       - name: portieris-certs
+         secret:
+           secretName: portieris-certs
++      {{- if .Values.TrustedCACert }}
++      - name: trusted-cert
++        secret:
++          secretName: trusted-cert
++      {{- end }}
+diff --git a/helm/portieris/templates/secret.yaml b/helm/portieris/templates/secret.yaml
+index 805b7d3..e8c6c46 100644
+--- a/helm/portieris/templates/secret.yaml
++++ b/helm/portieris/templates/secret.yaml
+@@ -39,3 +39,14 @@ data:
+   {{- end }}
+ {{ end }}
+ {{ end }}
++{{ if .Values.TrustedCACert }}
++---
++apiVersion: v1
++kind: Secret
++metadata:
++  name: trusted-cert
++  namespace: {{ .Release.Namespace }}
++type: Opaque
++data:
++  trustedcert.pem: {{ .Values.TrustedCACert | quote }}
++{{ end }}
+diff --git a/helm/portieris/values.yaml b/helm/portieris/values.yaml
+index ebe26e5..c9ff82f 100644
+--- a/helm/portieris/values.yaml
++++ b/helm/portieris/values.yaml
+@@ -53,6 +53,12 @@ UseGeneratedCerts:
+   tlsKey: |-
+   caCert: |-
+ 
++# Add the specified certificate(s) to the pod filesystem trust store.
++# The golang x509 module will read all files in this location, and
++# portieris will trust those certificates.
++# The value must be a base 64 encoded list of certificate(s) in PEM format.
++TrustedCACert: ""
++
+ # Resoures defined to assist scheduling
+ # request is typical x10, limit is typical x100
+ resources:
+-- 
+2.34.1
+

helm-charts/upstream/portieris-helm/debian/deb_folder/patches/series

@@ -1,3 +1,4 @@
 0001-Add-permissive-cluster-policy-by-default.patch
 0002-Hardcode-app-label-selector.patch
 0003-Adjust-liveness-readiness-probe-configurations.patch
+0004-Add-trusted-CA-Cert-secret.patch

python3-k8sapp-portieris/k8sapp_portieris/k8sapp_portieris/common/constants.py

@@ -8,6 +8,5 @@
 # These values match the names in the chart package's Chart.yaml
 HELM_APP_PORTIERIS = 'portieris'
 HELM_CHART_PORTIERIS = 'portieris'
-HELM_CHART_PORTIERIS_CERTS = 'portieris-certs'
 HELM_NS_PORTIERIS = 'portieris'
 HELM_COMPONENT_LABEL_PORTIERIS = 'app.starlingx.io/component'

python3-k8sapp-portieris/k8sapp_portieris/k8sapp_portieris/helm/portieris_certs.py

@@ -1,41 +0,0 @@
-#
-# Copyright (c) 2020 Wind River Systems, Inc.
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-
-from k8sapp_portieris.common import constants
-
-from sysinv.common import exception
-
-from sysinv.helm import base
-
-
-class PortierisCertsHelm(base.BaseHelm):
-    """Class to encapsulate helm operations for the psp rolebinding chart"""
-
-    SUPPORTED_NAMESPACES = base.BaseHelm.SUPPORTED_NAMESPACES + \
-        [constants.HELM_NS_PORTIERIS]
-    SUPPORTED_APP_NAMESPACES = {
-        constants.HELM_APP_PORTIERIS:
-            base.BaseHelm.SUPPORTED_NAMESPACES + [constants.HELM_NS_PORTIERIS],
-    }
-
-    CHART = constants.HELM_CHART_PORTIERIS_CERTS
-    SERVICE_NAME = 'portieris-certs'
-
-    def get_namespaces(self):
-        return self.SUPPORTED_NAMESPACES
-
-    def get_overrides(self, namespace=None):
-        overrides = {
-            constants.HELM_NS_PORTIERIS: {}
-        }
-
-        if namespace in self.SUPPORTED_NAMESPACES:
-            return overrides[namespace]
-        elif namespace:
-            raise exception.InvalidHelmNamespace(chart=self.CHART,
-                                                 namespace=namespace)
-        else:
-            return overrides

python3-k8sapp-portieris/k8sapp_portieris/setup.cfg

@@ -33,7 +33,6 @@ systemconfig.helm_applications =
     portieris = systemconfig.helm_plugins.portieris
 
 systemconfig.helm_plugins.portieris =
-    001_portieris-certs = k8sapp_portieris.helm.portieris_certs:PortierisCertsHelm
     002_portieris = k8sapp_portieris.helm.portieris:PortierisHelm
 
 systemconfig.app_lifecycle =

stx-portieris-helm/debian/deb_folder/control

@@ -5,7 +5,6 @@ Maintainer: StarlingX Developers <starlingx-discuss@lists.starlingx.io>
 Build-Depends: debhelper-compat (= 13),
  helm,
  portieris-helm,
- portieris-certs-helm,
  python3-k8sapp-portieris-wheels,
  build-info
 Standards-Version: 4.5.1

stx-portieris-helm/stx-portieris-helm/fluxcd-manifests/kustomization.yaml

@@ -9,5 +9,4 @@ kind: Kustomization
 namespace: portieris
 resources:
   - base
-  - portieris-certs
   - portieris

stx-portieris-helm/stx-portieris-helm/fluxcd-manifests/portieris-certs/helmrelease.yaml

@@ -1,36 +0,0 @@
-#
-# Copyright (c) 2022 Wind River Systems, Inc.
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-
-apiVersion: "helm.toolkit.fluxcd.io/v2"
-kind: HelmRelease
-metadata:
-  name: portieris-certs
-  labels:
-    chart_group: portieris-charts
-spec:
-  releaseName: portieris-portieris-certs
-  chart:
-    spec:
-      chart: portieris-certs
-      version: REPLACE_HELM_CHART_VERSION
-      sourceRef:
-        kind: HelmRepository
-        name: stx-platform
-  interval: 1m
-  timeout: 30m
-  test:
-    enable: false
-  install:
-    disableHooks: false
-  upgrade:
-    disableHooks: false
-  valuesFrom:
-    - kind: Secret
-      name: portieris-certs-static-overrides
-      valuesKey: portieris-certs-static-overrides.yaml
-    - kind: Secret
-      name: portieris-certs-system-overrides
-      valuesKey: portieris-certs-system-overrides.yaml

stx-portieris-helm/stx-portieris-helm/fluxcd-manifests/portieris-certs/kustomization.yaml

@@ -1,18 +0,0 @@
-#
-# Copyright (c) 2022 Wind River Systems, Inc.
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-
-namespace: portieris
-resources:
-  - helmrelease.yaml
-secretGenerator:
-  - name: portieris-certs-static-overrides
-    files:
-      - portieris-certs-static-overrides.yaml
-  - name: portieris-certs-system-overrides
-    files:
-      - portieris-certs-system-overrides.yaml
-generatorOptions:
-  disableNameSuffixHash: true

stx-portieris-helm/stx-portieris-helm/fluxcd-manifests/portieris-certs/portieris-certs-static-overrides.yaml

@@ -1,7 +0,0 @@
-#
-# Copyright (c) 2022 Wind River Systems, Inc.
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-
-caCert: ""

stx-portieris-helm/stx-portieris-helm/fluxcd-manifests/portieris-certs/portieris-certs-system-overrides.yaml

@@ -1,6 +0,0 @@
-#
-# Copyright (c) 2022 Wind River Systems, Inc.
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-

stx-portieris-helm/stx-portieris-helm/fluxcd-manifests/portieris/portieris-static-overrides.yaml

@@ -29,5 +29,5 @@ readinessProbe:
   initialDelaySeconds: 17
   periodSeconds: 19
   timeoutSeconds: 11
-SkipSecretCreation: true
+SkipSecretCreation: false
 UseCertManager: true