Nightly metrics (#81)
* Added nightly cronjob template
Updated templates based on the segment-backup-job repo

* adding job for post-install and moving job to cronjob for nightly metrics

* chore: update segment-backup-job sha

Signed-off-by: Lance Ball <lball@redhat.com>

* adding job for post-install and moving job to cronjob for nightly metrics

---------

Signed-off-by: Lance Ball <lball@redhat.com>
Co-authored-by: greg pereira <grpereir@redhat.com>
Co-authored-by: Lance Ball <lball@redhat.com>
3 people authored Nov 15, 2023
1 parent a0e1115 commit 4c07b4d
Showing 14 changed files with 245 additions and 9 deletions.
2 changes: 1 addition & 1 deletion charts/trusted-artifact-signer/Chart.yaml
Expand Up @@ -33,4 +33,4 @@ sources:
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.23
version: 0.1.24
11 changes: 10 additions & 1 deletion charts/trusted-artifact-signer/README.md
Expand Up @@ -3,7 +3,7 @@

A Helm chart for deploying Sigstore scaffold chart that is opinionated for OpenShift

![Version: 0.1.22](https://img.shields.io/badge/Version-0.1.22-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
![Version: 0.1.24](https://img.shields.io/badge/Version-0.1.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)

## Overview

Expand Down Expand Up @@ -117,6 +117,15 @@ Kubernetes: `>= 1.19.0-0`
| configs.fulcio.server.secret.public_key_file | file containing signer public key | string | `""` |
| configs.fulcio.server.secret.root_cert | fulcio root certificate authority (CA) | string | `""` |
| configs.fulcio.server.secret.root_cert_file | file containing fulcio root certificate authority (CA) | string | `""` |
| configs.sigstore_monitoring.namespace | | string | `"sigstore-monitoring"` |
| configs.sigstore_monitoring.namespace_create | | bool | `true` |
| configs.segment_backup_job.image.registry | | string | `"quay.io"` |
| configs.segment_backup_job.image.pullPolicy | | string | `"IfNotPresent"` |
| configs.segment_backup_job.image.registry | | string | `"quay.io"` |
| configs.segment_backup_job.image.repository | | string | `"redhat-user-workloads/rhtas-tenant/rhtas-stack-1-0-beta/segment-backup-job"` |
| configs.segment_backup_job.image.version | | string | `"sha256:d5b5f7942e898a056d2268083e2d4a45f763bce5697c0e9788d5aa0ec382cc44"` |
| configs.segment_backup_job.name | | string | `"nightlyMetricsCollection"` |
| configs.segment_backup_job.namespace | | string | `"sigstore-monitoring"` |
| configs.rekor.clusterMonitoring.enabled | | bool | `true` |
| configs.rekor.clusterMonitoring.endpoints[0].interval | | string | `"30s"` |
| configs.rekor.clusterMonitoring.endpoints[0].port | | string | `"2112-tcp"` |
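Review bot: `configs.segment_backup_job.image.registry` is listed twice in the added rows, and the documented default for `configs.segment_backup_job.name` (`"nightlyMetricsCollection"`) does not match the `segment-backup-job` default that values.yaml sets in this commit; a name with uppercase letters would also be rejected as a Kubernetes object name. `configs.sigstore_monitoring.namespace_create` is documented here but does not appear in the values.yaml or schema hunks. Regenerate the table from values.yaml and fill in the empty description column for the new keys.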
@@ -0,0 +1,37 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: {{ .Values.configs.segment_backup_job.name }}
namespace: {{ .Values.configs.segment_backup_job.namespace }}
spec:
schedule: "0 0 * * *"
concurrencyPolicy: "Replace"
startingDeadlineSeconds: 200
suspend: false
successfulJobsHistoryLimit: 7
failedJobsHistoryLimit: 3
jobTemplate:
spec:
template:
metadata:
name: {{ .Values.configs.segment_backup_job.name }}
labels:
parent: "segment-backup-job"
spec:
restartPolicy: OnFailure
serviceAccountName: segment-backup-job
containers:
- name: {{ .Values.configs.segment_backup_job.name }}
# image: "{{ .Values.configs.segment_backup_job.image.registry }}/{{ .Values.configs.segment_backup_job.image.repository }}/{{ .Values.configs.segment_backup_job.image.version }}"
image: "{{ .Values.configs.segment_backup_job.image.registry }}/{{ .Values.configs.segment_backup_job.image.repository }}@{{ .Values.configs.segment_backup_job.image.version }}"
command: ["/bin/bash", "/opt/app-root/src/script.sh"]
env:
- name: RUN_TYPE
value: "nightly"
securityContext:
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
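Review bot: the template has no `{{- if ... }}` guard, so every install of the chart gets the nightly job and there is no values switch to turn it off; consider an `enabled` flag under `configs.segment_backup_job` and deriving `suspend` from it. In the container spec, the commented-out `# image:` line should be dropped, and `image.pullPolicy` from values.yaml is never applied because no `imagePullPolicy` is set. `securityContext` could also set `runAsNonRoot: true` alongside the dropped capabilities.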
@@ -0,0 +1,19 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: segment-backup-job
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- apiGroups:
- "route.openshift.io"
resources:
- routes
verbs:
- get
- list
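Review bot: `get` and `list` on `secrets` in a ClusterRole, bound by the ClusterRoleBinding added in the next file, lets the job's service account read every secret in every namespace of the cluster. If the job only needs `pull-secret` and the routes from a known set of namespaces, use a namespaced Role and RoleBinding in those namespaces and restrict `get` with `resourceNames`. Drop `list` on secrets unless it is really required, since a list response carries the secret contents as well.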
@@ -0,0 +1,13 @@

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: segment-backup-job
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: segment-backup-job
subjects:
- kind: ServiceAccount
name: segment-backup-job
namespace: {{ .Values.configs.segment_backup_job.namespace }}
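Review bot: the subject namespace is templated from `.Values.configs.segment_backup_job.namespace`, but the ServiceAccount added in this commit hardcodes `namespace: sigstore-monitoring`, so overriding the value leaves this binding pointing at a service account that does not exist. Use the same expression in both places. The leading blank line before `apiVersion` can go, and the `rolebindings` list in values.yaml is not consumed here.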
@@ -0,0 +1,8 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: segment-backup-job
# namespace: {{ .Values.configs.segment_backup_job.namespace }}
namespace: sigstore-monitoring
secrets:
- name: pull-secret
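Review bot: `namespace: sigstore-monitoring` is hardcoded while the templated line is left commented out above it; the Job, CronJob and ClusterRoleBinding all take the namespace from values, so restore the templated form and delete the comment. Also confirm that `secrets:` is the intended field for `pull-secret`: it lists secrets the account may mount, whereas registry credentials used to pull the image go under `imagePullSecrets`.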
33 changes: 33 additions & 0 deletions charts/trusted-artifact-signer/templates/segment-backup-job.yaml
@@ -0,0 +1,33 @@
apiVersion: batch/v1
kind: Job
metadata:
name: {{ .Values.configs.segment_backup_job.name }}
namespace: {{ .Values.configs.segment_backup_job.namespace }}
spec:
parallelism: 1
completions: 1
activeDeadlineSeconds: 600
backoffLimit: 5
template:
metadata:
name: {{ .Values.configs.segment_backup_job.name }}
labels:
parent: "segment-backup-job"
spec:
restartPolicy: OnFailure
serviceAccountName: segment-backup-job
containers:
- name: {{ .Values.configs.segment_backup_job.name }}
# image: "{{ .Values.configs.segment_backup_job.image.registry }}/{{ .Values.configs.segment_backup_job.image.repository }}/{{ .Values.configs.segment_backup_job.image.version }}"
image: "{{ .Values.configs.segment_backup_job.image.registry }}/{{ .Values.configs.segment_backup_job.image.repository }}@{{ .Values.configs.segment_backup_job.image.version }}"
command: ["/bin/bash", "/opt/app-root/src/script.sh"]
env:
- name: RUN_TYPE
value: "installation"
securityContext:
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
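Review bot: the commit message calls this a post-install job, but the metadata carries no `helm.sh/hook` annotation, so Helm manages it as an ordinary release resource; a Job's pod template is immutable, so a later `helm upgrade` that changes the image digest will fail unless the Job is deleted first. Add `"helm.sh/hook": post-install` with a hook delete policy, or set `ttlSecondsAfterFinished` so finished Jobs are cleaned up. The container spec duplicates the CronJob's, including the commented-out `# image:` line; a shared named template would keep the two in step.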
39 changes: 39 additions & 0 deletions charts/trusted-artifact-signer/values.schema.json
Expand Up @@ -3,6 +3,45 @@
"properties": {
"configs": {
"properties": {
"sigstore_monitoring": {
"properties": {
"namespace": {
"type": "string"
}
}
},
"segment_backup_job":{
"properties": {
"name": {
"type": "string"
},
"namespace": {
"type" : "string"
},
"image": {
"properties": {
"pullPolicy": {
"type": "string"
},
"registry": {
"type": "string"
},
"repository": {
"type": "string"
},
"version": {
"type": "string"
}
}
},
"rolebindings": {
"items": {
"type": "string"
},
"type": "array"
}
}
},
"clientserver": {
"properties": {
"consoleDownload": {
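Review bot: `image.version` is accepted as any string, but the Job and CronJob templates join it to the repository with `@`, which only yields a valid image reference when the value is a digest. Add a `pattern` such as `^sha256:[a-f0-9]{64}$` so a tag is rejected at lint time instead of rendering an unpullable reference. The new `sigstore_monitoring` and `segment_backup_job` nodes also omit `"type": "object"`.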
42 changes: 40 additions & 2 deletions charts/trusted-artifact-signer/values.schema.tmpl.json
Expand Up @@ -19,6 +19,45 @@
"configs": {
"type": "object",
"properties": {
"sigstore_monitoring": {
"properties": {
"namespace": {
"type": "string"
}
}
},
"segment_backup_job":{
"properties": {
"name": {
"type": "string"
},
"namespace": {
"type" : "string"
},
"image": {
"properties": {
"pullPolicy": {
"type": "string"
},
"registry": {
"type": "string"
},
"repository": {
"type": "string"
},
"version": {
"type": "string"
}
}
},
"rolebindings": {
"items": {
"type": "string"
},
"type": "array"
}
}
},
"clientserver": {
"properties": {
"consoleDownload": {
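Review bot: `rolebindings` is declared under `segment_backup_job`, but none of the templates in this commit reads it (the ClusterRoleBinding name is hardcoded to `segment-backup-job`); either wire it up or drop it from the schema and values.yaml. The new nodes also lack `"type": "object"`, which `configs` just above them does declare, so a non-object value for `segment_backup_job` would pass validation.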
Expand Down Expand Up @@ -275,8 +314,7 @@
},
"type": "object"
}
},
"type": "object"
}
},
"rbac": {
"properties": {
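Review bot: this file changes by 40 additions and 2 deletions while values.schema.json changes by 39 additions and 0 deletions, so this second hunk, which goes from 8 lines to 7 around a `"type": "object"` entry, has no counterpart in the other schema file. Bring the two files back in line, or say in the commit message why they now differ.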
12 changes: 12 additions & 0 deletions charts/trusted-artifact-signer/values.yaml
Expand Up @@ -5,6 +5,18 @@ global:
appsSubdomain: ""

configs:
sigstore_monitoring:
namespace: sigstore-monitoring
segment_backup_job:
name: segment-backup-job
namespace: sigstore-monitoring
image:
registry: quay.io
repository: redhat-user-workloads/rhtas-tenant/rhtas-stack-1-0-beta/segment-backup-job
version: sha256:d5b5f7942e898a056d2268083e2d4a45f763bce5697c0e9788d5aa0ec382cc44
pullPolicy: IfNotPresent
rolebindings:
- segment-backup-job
clientserver:
# -- Whether to create the OpenShift resource 'ConsoleCLIDownload' for each binary.
# -- This can only be enabled if the OpenShift CRD is registered.
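Review bot: the new keys under `sigstore_monitoring` and `segment_backup_job` have no `# --` doc comments, unlike `clientserver` just below, which leaves their README rows with empty descriptions. `sigstore_monitoring.namespace` and `segment_backup_job.namespace` also hold the same value in two places and can drift apart; consider defaulting one from the other. Pinning the image by `sha256` digest is good; naming the key `digest` rather than `version` would make that requirement explicit.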
1 change: 0 additions & 1 deletion grafana/operator/kustomization.yaml
Expand Up @@ -2,5 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- namespace.yaml
- operator.yaml
4 changes: 0 additions & 4 deletions grafana/operator/namespace.yaml

This file was deleted.

1 change: 1 addition & 0 deletions kind/kind-up-test.sh
Expand Up @@ -21,6 +21,7 @@ then
else
mv /tmp/config ~/.kube/config
fi
chmod go-r ~/.kube/config

oc config use-context kind-kind
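Review bot: `chmod go-r ~/.kube/config` only clears the read bits for group and other and leaves any write or execute bits in place; `chmod 600 ~/.kube/config` sets the mode outright, which is what a credentials file wants.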

32 changes: 32 additions & 0 deletions tas-easy-install.sh
Expand Up @@ -97,6 +97,38 @@ openssl ec -in file_ca_key.pem -passin pass:"$password" -pubout -out file_ca_pub
openssl req -new -x509 -days 365 -key file_ca_key.pem -passin pass:"$password" -out fulcio-root.pem -passout pass:"$password" -subj "/CN=$common_name/emailAddress=$email_address/O=$organization_name"
openssl ecparam -name prime256v1 -genkey -noout -out rekor_key.pem

segment_backup_job=$(oc get job -n sigstore-monitoring --ignore-not-found=true | tail -n 1 | awk '{print $1}')
if [[ -n $segment_backup_job ]]; then
oc delete job $segment_backup_job -n sigstore-monitoring
fi

oc new-project sigstore-monitoring > /dev/null 2>&1

pull_secret_exists=$(oc get secret pull-secret -n sigstore-monitoring --ignore-not-found=true)
if [[ -n $pull_secret_exists ]]; then
read -p "Secret \"pull-secret\" in namespace \"sigstore-monitoring\" already exists. Overwrite it (Y/N)?: " -n1 overwrite_pull_secret
echo ""
if [[ $overwrite_pull_secret == "Y" || $overwrite_pull_secret == 'y' ]]; then
read -p "Please enter the absolute path to the pull-secret.json file:
" pull_secret_path
file_exists=$(ls $pull_secret_path 2>/dev/null)
if [[ -n $file_exists ]]; then
oc create secret generic pull-secret -n sigstore-monitoring --from-file=$pull_secret_path --dry-run=client -o yaml | oc replace -f -
else
echo "pull secret was not found based on the path provided: $pull_secret_path"
exit 0
fi
elif [[ $overwrite_pull_secret == "N" || $overwrite_pull_secret == 'n' ]]; then
echo "Skipping overwriting pull-secret..."
else
echo "Bad input. Skipping this step, using existing pull-secret"
fi
else
read -p "Please enter the absolute path to the pull-secret.json file:
" pull_secret_path
oc create secret generic pull-secret -n sigstore-monitoring --from-file=$pull_secret_path
fi

rm unenc.key
popd > /dev/null
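Review bot: `$pull_secret_path` is used unquoted in `ls $pull_secret_path` and in `--from-file=$pull_secret_path`, so a path containing spaces or glob characters is split or expanded; quote it, read it with `read -r`, and test with `[[ -f "$pull_secret_path" ]]` instead of parsing `ls`. The final `else` branch creates the secret without checking the file at all, and the not-found branch ends with `exit 0`, which reports success to the caller. The cleanup at the top deletes whichever job is last in the `oc get job` listing for the namespace; delete by name with `--ignore-not-found` so unrelated jobs are not removed. `oc new-project` also switches the current project and has its errors discarded, which is worth a comment or an explicit existence check.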
