

adding job for post-install and moving job to cronjob for nightly metrics
Gregory-Pereira committed Nov 12, 2023
1 parent 966f820 commit 8421d88
Showing 13 changed files with 193 additions and 44 deletions.
15 changes: 9 additions & 6 deletions charts/trusted-artifact-signer/README.md
Expand Up @@ -117,12 +117,15 @@ Kubernetes: `>= 1.19.0-0`
| configs.fulcio.server.secret.public_key_file | file containing signer public key | string | `""` |
| configs.fulcio.server.secret.root_cert | fulcio root certificate authority (CA) | string | `""` |
| configs.fulcio.server.secret.root_cert_file | file containing fulcio root certificate authority (CA) | string | `""` |
| configs.nightlymetrics.image.pullPolicy | | string | `"IfNotPresent"` |
| configs.nightlymetrics.image.registry | | string | `"registry.access.redhat.com"` |
| configs.nightlymetrics.image.repository | | string | `"ubi9/python-311"` |
| configs.nightlymetrics.image.version | | string | `"sha256:92416840a0361bf5c8ed6071f50098ddbdd1d14285793d4bcd8e761658c97df8"` |
| configs.nightlymetrics.name | | string | `"nightlyMetricsCollection"` |
| configs.nightlymetrics.namespace | | string | `"sigstore-monitoring"` |
| configs.sigstore_monitoring.namespace | | string | `"sigstore-monitoring"` |
| configs.sigstore_monitoring.namespace_create | | bool | `true` |
| configs.segment_backup_job.image.registry | | string | `"registry.access.redhat.com"` |
| configs.segment_backup_job.image.pullPolicy | | string | `"IfNotPresent"` |
| configs.segment_backup_job.image.registry | | string | `"registry.access.redhat.com"` |
| configs.segment_backup_job.image.repository | | string | `"ubi9/python-311"` |
| configs.segment_backup_job.image.version | | string | `"sha256:92416840a0361bf5c8ed6071f50098ddbdd1d14285793d4bcd8e761658c97df8"` |
| configs.segment_backup_job.name | | string | `"nightlyMetricsCollection"` |
| configs.segment_backup_job.namespace | | string | `"sigstore-monitoring"` |
| configs.rekor.clusterMonitoring.enabled | | bool | `true` |
| configs.rekor.clusterMonitoring.endpoints[0].interval | | string | `"30s"` |
| configs.rekor.clusterMonitoring.endpoints[0].port | | string | `"2112-tcp"` |
@@ -0,0 +1,37 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: {{ .Values.configs.segment_backup_job.name }}
namespace: {{ .Values.configs.segment_backup_job.namespace }}
spec:
schedule: "0 0 * * *"
concurrencyPolicy: "Replace"
startingDeadlineSeconds: 200
suspend: false
successfulJobsHistoryLimit: 7
failedJobsHistoryLimit: 3
jobTemplate:
spec:
template:
metadata:
name: {{ .Values.configs.segment_backup_job.name }}
labels:
parent: "segment-backup-job"
spec:
restartPolicy: OnFailure
serviceAccountName: segment-backup-job
containers:
- name: {{ .Values.configs.segment_backup_job.name }}
# image: "{{ .Values.configs.segment_backup_job.image.registry }}/{{ .Values.configs.segment_backup_job.image.repository }}/{{ .Values.configs.segment_backup_job.image.version }}"
image: "{{ .Values.configs.segment_backup_job.image.registry }}/{{ .Values.configs.segment_backup_job.image.repository }}@{{ .Values.configs.segment_backup_job.image.version }}"
command: ["/bin/bash", "/opt/app-root/src/script.sh"]
env:
- name: RUN_TYPE
value: "nightly"
securityContext:
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
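Review bot: The container `securityContext` drops all capabilities and pins a seccomp profile but never asserts `runAsNonRoot: true`, so a later image change could silently run this nightly job as root; add `runAsNonRoot: true` under `securityContext` next to `allowPrivilegeEscalation: false`. The pod template also declares no `resources` requests or limits, which matters for a workload that is re-created every night under `concurrencyPolicy: Replace` and can pile up against cluster quotas. A short comment above `schedule`, such as `# Nightly run of script.sh (RUN_TYPE=nightly); what it reads and sends is defined by the image, not this chart`, would tell readers what the job is for. The file header for this section is not shown on the page, so the template path is inferred from its contents.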
@@ -0,0 +1,19 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: segment-backup-job
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- apiGroups:
- "route.openshift.io"
resources:
- routes
verbs:
- get
- list
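Review bot: This ClusterRole grants `get` and `list` on `secrets` with no namespace or `resourceNames` restriction, and the ClusterRoleBinding added in the same commit attaches it to the job's ServiceAccount, so a compromise of this metrics/backup pod reads every Secret in the cluster, including the Fulcio and Rekor signing keys this chart creates. Unless the script genuinely needs cluster-wide reads, scope it down: use `kind: Role` with a `namespace:` for each namespace the script reads from, add `resourceNames:` for the specific secrets, and drop `list`, which returns the contents of every secret in one call. The same scoping applies to `routes`, although that is far less sensitive. The commit does not show which secrets script.sh reads, so the exact `resourceNames` have to come from the image's script.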
@@ -0,0 +1,13 @@

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: segment-backup-job
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: segment-backup-job
subjects:
- kind: ServiceAccount
name: segment-backup-job
namespace: {{ .Values.configs.segment_backup_job.namespace }}
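Review bot: The subject namespace here is templated from `.Values.configs.segment_backup_job.namespace`, but the ServiceAccount manifest in this same commit hard-codes `namespace: sigstore-monitoring`, so overriding that value leaves this binding pointing at a ServiceAccount that does not exist and the job fails with RBAC forbidden errors. Keep the two consistent by templating both. If the ClusterRole is narrowed to a namespaced Role, this should become a `RoleBinding` in that namespace rather than a cluster-wide binding. The file also opens with a blank line before `apiVersion`, which is harmless but inconsistent with the other templates.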
@@ -1,9 +1,8 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: segment-backup-sa
name: segment-backup-job
# namespace: {{ .Values.configs.segment_backup_job.namespace }}
namespace: sigstore-monitoring
secrets:
- name: pull-secret
imagePullSecrets:
- name: pull-secret
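Review bot: `namespace: sigstore-monitoring` is hard-coded while the templated form is left commented out as `# namespace: {{ .Values.configs.segment_backup_job.namespace }}`, yet the Job, CronJob and ClusterRoleBinding in this commit all use the value, so the manifests diverge as soon as it is overridden; drop the literal and use `namespace: {{ .Values.configs.segment_backup_job.namespace }}`. values.yaml in this commit already defaults that value to `sigstore-monitoring`, so nothing changes for a default install. On this rendered page the old/new side of the two `namespace` lines cannot be told apart, so this is inferred from the surrounding templates.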
51 changes: 30 additions & 21 deletions charts/trusted-artifact-signer/templates/segment-backup-job.yaml
@@ -1,24 +1,33 @@
apiVersion: batch/v1
kind: Cronjob
kind: Job
metadata:
name: {{ .Values.configs.segment-backup-job.name }}
spec:
schedule: "0 0 * * *"
concurrencyPolicy: "Replace"
startingDeadlineSeconds: 200
suspend: false
successfulJobsHistoryLimit: 7
failedJobsHistoryLimit: 3
jobTemplate:
name: {{ .Values.configs.segment_backup_job.name }}
namespace: {{ .Values.configs.segment_backup_job.namespace }}
spec:
parallelism: 1
completions: 1
activeDeadlineSeconds: 600
backoffLimit: 5
template:
metadata:
name: {{ .Values.configs.segment_backup_job.name }}
labels:
parent: "segment-backup-job"
spec:
template:
serviceAccountName: segment-backup-sa
metadata:
labels:
parent: "segment-backup-job"
spec:
containers:
- name: {{ .Values.configs.segment-backup-job.name }}
image: "{{ .Values.configs.cosign_deploy.image.registry }}/{{ .Values.configs.cosign_deploy.image.repository }}:{{ .Values.configs.cosign_deploy.image.version }}"
command: ["/bin/bash", "/opt/app-root/src/script.sh"]
restartPolicy: OnFailure
restartPolicy: OnFailure
serviceAccountName: segment-backup-job
containers:
- name: {{ .Values.configs.segment_backup_job.name }}
# image: "{{ .Values.configs.segment_backup_job.image.registry }}/{{ .Values.configs.segment_backup_job.image.repository }}/{{ .Values.configs.segment_backup_job.image.version }}"
image: "{{ .Values.configs.segment_backup_job.image.registry }}/{{ .Values.configs.segment_backup_job.image.repository }}@{{ .Values.configs.segment_backup_job.image.version }}"
command: ["/bin/bash", "/opt/app-root/src/script.sh"]
env:
- name: RUN_TYPE
value: "installation"
securityContext:
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
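Review bot: A plain `kind: Job` in the chart templates runs once on install but breaks later `helm upgrade`s: a Job's pod template is immutable, so the next upgrade that changes the image digest fails to patch it, and an unchanged Job never re-runs. Since the commit message describes this as the post-install job, make it a Helm hook that is cleaned up afterwards — under `metadata:` add `annotations:`, `"helm.sh/hook": post-install,post-upgrade` and `"helm.sh/hook-delete-policy": hook-succeeded`. As with the CronJob, `securityContext` should also carry `runAsNonRoot: true`, and `activeDeadlineSeconds: 600` with `backoffLimit: 5` deserves a one-line comment explaining the chosen budget.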
18 changes: 17 additions & 1 deletion charts/trusted-artifact-signer/values.schema.json
Expand Up @@ -3,7 +3,17 @@
"properties": {
"configs": {
"properties": {
"segment-backup-job":{
"sigstore_monitoring": {
"properties": {
"namespace": {
"type": "string"
},
"namespace_create": {
"type": "boolean"
}
}
},
"segment_backup_job":{
"properties": {
"name": {
"type": "string"
Expand All @@ -26,6 +36,12 @@
"type": "string"
}
}
},
"rolebindings": {
"items": {
"type": "string"
},
"type": "array"
}
}
},
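Review bot: The new `rolebindings` array under `segment_backup_job` is validated here, but no template in this commit reads `.Values.configs.segment_backup_job.rolebindings` — the ClusterRoleBinding hard-codes its subject — so it looks like dead schema unless the consumer lives outside this diff; confirm and drop it if unused. Neither `sigstore_monitoring` nor `segment_backup_job` declares `"type": "object"` or `"additionalProperties": false`, so a misspelled key such as `namespace_craete` passes validation silently. This file appears to be generated from values.schema.tmpl.json, in which case the fix belongs in the template.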
21 changes: 18 additions & 3 deletions charts/trusted-artifact-signer/values.schema.tmpl.json
Expand Up @@ -19,7 +19,17 @@
"configs": {
"type": "object",
"properties": {
"segment-backup-job":{
"sigstore_monitoring": {
"properties": {
"namespace": {
"type": "string"
},
"namespace_create": {
"type": "boolean"
}
}
},
"segment_backup_job":{
"properties": {
"name": {
"type": "string"
Expand All @@ -42,6 +52,12 @@
"type": "string"
}
}
},
"rolebindings": {
"items": {
"type": "string"
},
"type": "array"
}
}
},
Expand Down Expand Up @@ -301,8 +317,7 @@
},
"type": "object"
}
},
"type": "object"
}
},
"rbac": {
"properties": {
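Review bot: The last hunk removes a `"type": "object"` line from the stanza that closes just before `"rbac"`, which loosens validation for whatever object that was — the `-301` hunk header does not show its key — so a scalar or array there now passes the schema; if the removal was only to repair a brace mismatch, re-add the type at the correct level. The `sigstore_monitoring` and `segment_backup_job` stanzas added here should also declare `"type": "object"` and `"additionalProperties": false` so typos in values are rejected rather than ignored.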
13 changes: 8 additions & 5 deletions charts/trusted-artifact-signer/values.yaml
Expand Up @@ -5,14 +5,19 @@ global:
appsSubdomain: ""

configs:
segment-backup-job:
sigstore_monitoring:
namespace: sigstore-monitoring
namespace_create: true
segment_backup_job:
name: segment-backup-job
namespace: sigstore-monitoring
image:
registry: quay.io
repository: ubi9/python-311
version: sha256:92416840a0361bf5c8ed6071f50098ddbdd1d14285793d4bcd8e761658c97df8
repository: grpereir/segment-backup-job
version: sha256:dc434af4ccec3fa10dcf0daf1531dea7aeeb661df3d4398554d45b4e3be9ce55
pullPolicy: IfNotPresent
rolebindings:
- segment-backup-job
clientserver:
# -- Whether to create the OpenShift resource 'ConsoleCLIDownload' for each binary.
# -- This can only be enabled if the OpenShift CRD is registered.
Expand Down Expand Up @@ -146,8 +151,6 @@ rbac:
# -- clusterrole to be added to sigstore component serviceaccounts.
clusterrole: system:openshift:scc:anyuid

https://github.com/securesign/sigstore-ocp/blob/dc536fd05432421742f1952cc0c8ff04f64bb97f/charts/trusted-artifact-signer/values.yaml#L139C3-L139C43

# github.com/sigstore/helm-charts/charts
scaffold:
ctlog:
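Review bot: The default image now points at a personal Quay repository, `quay.io/grpereir/segment-backup-job`, which makes every installation of this chart pull and execute code from one individual's account; for a shipped chart the default should live in an organisation-controlled registry, and the README regenerated in this same commit still documents `registry.access.redhat.com/ubi9/python-311` with the old digest, so the two are already out of sync. Pinning `version` to a `sha256:` digest is the right call and should stay that way rather than reverting to a tag. A helm-docs style comment above `image:`, such as `# -- Image for the post-install/nightly segment job, pinned by digest; override registry/repository for mirrored registries`, would match how `clientserver` is documented below. `rolebindings` is also added here but, as far as this diff shows, no template consumes it.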
1 change: 0 additions & 1 deletion grafana/operator/kustomization.yaml
Expand Up @@ -2,5 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- namespace.yaml
- operator.yaml
4 changes: 0 additions & 4 deletions grafana/operator/namespace.yaml

This file was deleted.

1 change: 1 addition & 0 deletions kind/kind-up-test.sh
Expand Up @@ -21,6 +21,7 @@ then
else
mv /tmp/config ~/.kube/config
fi
chmod go-r ~/.kube/config

oc config use-context kind-kind

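Review bot: `chmod go-r ~/.kube/config` only clears the read bits; a kubeconfig moved in from `/tmp` keeps its source mode, so if it arrived group- or world-writable other local users could still replace the credentials, and `chmod 600 ~/.kube/config` is the safer and more conventional form. A one-line comment such as `# kubeconfig holds cluster credentials; keep it private to the current user` would explain the step. The enclosing if/else starts before this hunk.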
39 changes: 39 additions & 0 deletions tas-easy-install.sh
Expand Up @@ -97,6 +97,36 @@ openssl ec -in file_ca_key.pem -passin pass:"$password" -pubout -out file_ca_pub
openssl req -new -x509 -days 365 -key file_ca_key.pem -passin pass:"$password" -out fulcio-root.pem -passout pass:"$password" -subj "/CN=$common_name/emailAddress=$email_address/O=$organization_name"
openssl ecparam -name prime256v1 -genkey -noout -out rekor_key.pem

read -p "Are you providing your trusted-artifact-signer pull-secret? (Y/N): " -n1 use_default_pull_secret
echo ""

if [[ $use_default_pull_secret == "Y" || $use_default_pull_secret == "y" ]]; then
pull_secret_exists=$(oc get secret pull-secret -n sigstore-monitoring --ignore-not-found=true)
read -p "Please enter the absolute path to the pull-secret.json file:
" pull_secret_path
file_exists=$(ls $pull_secret_path 2>/dev/null)
if [[ -n $file_exists ]]; then
if [[ -z $pull_secret_exists ]]; then
oc create secret generic pull-secret -n sigstore-monitoring --from-file=$pull_secret_path
else
oc create secret generic pull-secret -n sigstore-monitoring --from-file=$pull_secret_path --dry-run=client -o yaml | oc replace -f -
fi
else
echo "pull secret was not found based on the path provided: $pull_secret_path"
exit 0
fi
elif [[ $use_default_pull_secret == "n" || $use_default_pull_secret == "n" ]]; then
pull_secret_exists=$(oc get secret pull-secret -n sigstore-monitoring --ignore-not-found=true)
pull_secret_literal=$(oc get secret pull-secret -n openshift-config -o "jsonpath={.data.\.dockerconfigjson}" | base64 -d)
echo $pull_secret_literal > ./pull-secret.json
if [[ -z $pull_secret_exists ]]; then
oc create secret generic pull-secret -n sigstore-monitoring --from-file=./pull-secret.json
else
oc create secret generic pull-secret -n sigstore-monitoring --from-file=./pull-secret.json --dry-run=client -o yaml | oc replace -f -
fi
rm ./pull-secret.json
fi

rm unenc.key
popd > /dev/null

Expand All @@ -112,6 +142,15 @@ oc -n rekor-system create secret generic rekor-private-key --from-file=private=.
#OPENSHIFT_APPS_SUBDOMAIN=$common_name envsubst < examples/values-sigstore-openshift.yaml | helm install --debug trusted-artifact-signer trusted-artifact-signer/trusted-artifact-signer -n trusted-artifact-signer --create-namespace --values -
OPENSHIFT_APPS_SUBDOMAIN=$common_name envsubst < examples/values-sigstore-openshift.yaml | helm upgrade -i trusted-artifact-signer --debug charts/trusted-artifact-signer -n trusted-artifact-signer --create-namespace --values -


# parse values for job creation to phone home
image_registry=$(cat charts/trusted-artifact-signer/values.yaml | yq .configs.segment_backup_job.image.registry)
image_repository=$(cat charts/trusted-artifact-signer/values.yaml | yq .configs.segment_backup_job.image.repository)
image_version=$(cat charts/trusted-artifact-signer/values.yaml | yq .configs.segment_backup_job.image.version)
image="${image_registry}/${image_repository}@${image_version}"
job_name=$(cat charts/trusted-artifact-signer/values.yaml | yq .configs.segment_backup_job.name)
job_namespace=job_name=$(cat charts/trusted-artifact-signer/values.yaml | yq .configs.segment_backup_job.namespace)

# Create the script to initialize the environment variables for the service endpoints
generate_env_script
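Review bot: The `elif` closing the pull-secret block compares against `"n"` twice, so answering `N` — which the prompt itself offers — matches neither branch and the install continues without creating the secret; it should read `elif [[ $use_default_pull_secret == "N" || $use_default_pull_secret == "n" ]]; then`. In that branch the cluster's global pull secret is decoded through an unquoted `echo $pull_secret_literal` into `./pull-secret.json` in the working directory under the default umask, and the `rm` is skipped whenever `oc create`/`oc replace` fails, so the credentials can be mangled by word splitting and left behind readable; write it to a `mktemp` file with a `trap` as sketched below. Two smaller items: the missing-file path exits with `exit 0`, so a mistyped path looks like success to a caller, and `job_namespace=job_name=$(...)` near the end assigns the literal string `job_name=<ns>` to `job_namespace` (none of those parsed variables are used within this hunk). The Y branch also keys the secret by the basename of whatever file the user supplies (`--from-file=$pull_secret_path`) while the N branch keys it as `pull-secret.json`; if script.sh expects a fixed key, pass `--from-file=pull-secret.json=$pull_secret_path` there too. The script continues past the end of this hunk.
```shell
# … unchanged: Y/y branch that loads the user-supplied pull-secret file …
elif [[ $use_default_pull_secret == "N" || $use_default_pull_secret == "n" ]]; then
  pull_secret_exists=$(oc get secret pull-secret -n sigstore-monitoring --ignore-not-found=true)
  # Decode the cluster pull secret into a 0600 temp file and remove it even if oc fails.
  pull_secret_file=$(mktemp)
  trap 'rm -f "$pull_secret_file"' EXIT
  oc get secret pull-secret -n openshift-config -o "jsonpath={.data.\.dockerconfigjson}" | base64 -d > "$pull_secret_file"
  if [[ -z $pull_secret_exists ]]; then
    oc create secret generic pull-secret -n sigstore-monitoring --from-file=pull-secret.json="$pull_secret_file"
  else
    oc create secret generic pull-secret -n sigstore-monitoring --from-file=pull-secret.json="$pull_secret_file" --dry-run=client -o yaml | oc replace -f -
  fi
fi
```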

