adding job for post-install and moving job to cronjob for nightly metrics
Gregory-Pereira committed Nov 10, 2023
1 parent 966f820 commit abc860e
Showing 10 changed files with 136 additions and 35 deletions.
15 changes: 9 additions & 6 deletions charts/trusted-artifact-signer/README.md
Expand Up @@ -117,12 +117,15 @@ Kubernetes: `>= 1.19.0-0`
| configs.fulcio.server.secret.public_key_file | file containing signer public key | string | `""` |
| configs.fulcio.server.secret.root_cert | fulcio root certificate authority (CA) | string | `""` |
| configs.fulcio.server.secret.root_cert_file | file containing fulcio root certificate authority (CA) | string | `""` |
| configs.nightlymetrics.image.pullPolicy | | string | `"IfNotPresent"` |
| configs.nightlymetrics.image.registry | | string | `"registry.access.redhat.com"` |
| configs.nightlymetrics.image.repository | | string | `"ubi9/python-311"` |
| configs.nightlymetrics.image.version | | string | `"sha256:92416840a0361bf5c8ed6071f50098ddbdd1d14285793d4bcd8e761658c97df8"` |
| configs.nightlymetrics.name | | string | `"nightlyMetricsCollection"` |
| configs.nightlymetrics.namespace | | string | `"sigstore-monitoring"` |
| configs.sigstore_monitoring.namespace | | string | `"sigstore-monitoring"` |
| configs.sigstore_monitoring.namespace_create | | bool | `true` |
| configs.segment_backup_job.image.registry | | string | `"registry.access.redhat.com"` |
| configs.segment_backup_job.image.pullPolicy | | string | `"IfNotPresent"` |
| configs.segment_backup_job.image.registry | | string | `"registry.access.redhat.com"` |
| configs.segment_backup_job.image.repository | | string | `"ubi9/python-311"` |
| configs.segment_backup_job.image.version | | string | `"sha256:92416840a0361bf5c8ed6071f50098ddbdd1d14285793d4bcd8e761658c97df8"` |
| configs.segment_backup_job.name | | string | `"nightlyMetricsCollection"` |
| configs.segment_backup_job.namespace | | string | `"sigstore-monitoring"` |
| configs.rekor.clusterMonitoring.enabled | | bool | `true` |
| configs.rekor.clusterMonitoring.endpoints[0].interval | | string | `"30s"` |
| configs.rekor.clusterMonitoring.endpoints[0].port | | string | `"2112-tcp"` |
@@ -0,0 +1,9 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: segment-backup-sa
namespace: {{ .Values.configs.segment_backup_job.namespace }}
secrets:
- name: pull-secret
imagePullSecrets:
- name: pull-secret
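Review bot: Nothing in this commit references this ServiceAccount: the CronJob added in the next file section, which lives in the same `segment_backup_job.namespace`, sets no `serviceAccountName`, so its pod runs under the namespace's `default` account and the `imagePullSecrets` declared here never apply to it. Add `serviceAccountName: segment-backup-sa` to the CronJob's pod spec (next to its `containers:`), or drop this account if the pull credential is meant to come only from the mounted volume. The rendered view has lost the indentation and the file path, so the nesting and location are inferred from the field names.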
@@ -0,0 +1,41 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: {{ .Values.configs.segment_backup_job.name }}
namespace: {{ .Values.configs.segment_backup_job.namespace }}
spec:
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
runAsNonRoot: true
seccompProfile:
type: "RuntimeDefault"
schedule: "0 0 * * *"
concurrencyPolicy: "Replace"
startingDeadlineSeconds: 200
suspend: false
successfulJobsHistoryLimit: 7
failedJobsHistoryLimit: 3
jobTemplate:
spec:
template:
metadata:
name: {{ .Values.configs.segment_backup_job.name }}
labels:
parent: "segment-backup-job"
spec:
containers:
- name: {{ .Values.configs.segment_backup_job.name }}
image: "{{ .Values.configs.cosign_deploy.image.registry }}/{{ .Values.configs.cosign_deploy.image.repository }}:{{ .Values.configs.cosign_deploy.image.version }}"
command: ["/bin/bash", "/opt/app-root/src/script.sh"]
volumeMounts:
volumeMounts:
- mountPath: "/opt/app-root/src/pull-secret"
name: "pull-secret"
readOnly: true
volumes:
- name: "pull-secret"
secret:
secretName: "pull-secret"
restartPolicy: OnFailure
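Review bot: The `securityContext` block written directly under `spec:` (the seven lines after `spec:`) is not a field of CronJobSpec, so the hardening it carries (`allowPrivilegeEscalation: false`, `drop: ["ALL"]`, `runAsNonRoot`, `RuntimeDefault` seccomp) is most likely pruned at apply time with Helm's non-strict field validation, or rejected outright under strict validation; those keys are container-level fields and belong under the container in `jobTemplate.spec.template.spec.containers[]`. The Job in charts/trusted-artifact-signer/templates/segment-backup-job.yaml has the same misplaced `spec.securityContext` block and needs the same move. `volumeMounts:` is also written twice in a row, the first with no value, which is a duplicate mapping key that some YAML parsers reject and others resolve last-wins; drop the empty one. The rewritten container entry is below; the spec-level block is deleted.
```yaml
        - name: {{ .Values.configs.segment_backup_job.name }}
          # … unchanged: image, command …
          # container-level hardening; CronJobSpec has no securityContext field
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            runAsNonRoot: true
            seccompProfile:
              type: "RuntimeDefault"
          volumeMounts:
            - mountPath: "/opt/app-root/src/pull-secret"
              name: "pull-secret"
              readOnly: true
```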
Expand Up @@ -2,7 +2,7 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: segment-backup-sa
namespace: sigstore-monitoring
namespace: trusted-artifact-signer
secrets:
- name: pull-secret
imagePullSecrets:
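Review bot: The namespace is hard-coded to `trusted-artifact-signer` here, while values.yaml now defines `configs.segment_backup_job.namespace` (`sigstore-monitoring`) and the new ServiceAccount template uses that value, so the repository ends up with two `segment-backup-sa` accounts in two namespaces, each depending on a `pull-secret` Secret existing there. This is the account the Job in segment-backup-job.yaml names via `serviceAccountName`, and that Job's `namespace:` is hard-coded the same way, so any later change of the value leaves them out of step. If this manifest is rendered by the chart, `namespace: {{ .Values.configs.segment_backup_job.namespace }}` (or `{{ .Release.Namespace }}`) ties it to the same source as the other template; the file path is not shown in this view, so which applies cannot be told from here.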
52 changes: 32 additions & 20 deletions charts/trusted-artifact-signer/templates/segment-backup-job.yaml
@@ -1,24 +1,36 @@
apiVersion: batch/v1
kind: Cronjob
kind: Job
metadata:
name: {{ .Values.configs.segment-backup-job.name }}
name: {{ .Values.configs.segment_backup_job.name }}
namespace: trusted-artifact-signer
spec:
schedule: "0 0 * * *"
concurrencyPolicy: "Replace"
startingDeadlineSeconds: 200
suspend: false
successfulJobsHistoryLimit: 7
failedJobsHistoryLimit: 3
jobTemplate:
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
runAsNonRoot: true
seccompProfile:
type: "RuntimeDefault"
parallelism: 1
completions: 1
activeDeadlineSeconds: 600
backoffLimit: 5
template:
metadata:
name: {{ .Values.configs.segment_backup_job.name }}
labels:
parent: "segment-backup-job"
spec:
template:
serviceAccountName: segment-backup-sa
metadata:
labels:
parent: "segment-backup-job"
spec:
containers:
- name: {{ .Values.configs.segment-backup-job.name }}
image: "{{ .Values.configs.cosign_deploy.image.registry }}/{{ .Values.configs.cosign_deploy.image.repository }}:{{ .Values.configs.cosign_deploy.image.version }}"
command: ["/bin/bash", "/opt/app-root/src/script.sh"]
restartPolicy: OnFailure
containers:
- name: {{ .Values.configs.segment_backup_job.name }}
image: "{{ .Values.configs.cosign_deploy.image.registry }}/{{ .Values.configs.cosign_deploy.image.repository }}:{{ .Values.configs.cosign_deploy.image.version }}"
command: ["/bin/bash", "/opt/app-root/src/script.sh"]
volumeMounts:
- mountPath: "/opt/app-root/src/pull-secret"
name: "pull-secret"
readOnly: true
volumes:
- name: "pull-secret"
secret:
secretName: "pull-secret"
restartPolicy: OnFailure
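Review bot: The container image is still assembled from `.Values.configs.cosign_deploy.image.*` on the `image:` line, whereas this commit adds `configs.segment_backup_job.image.{registry,repository,version}` to values.yaml and reads exactly those keys in tas-easy-install.sh, so the chart-rendered Job and the script can run different images; the template should consume the job's own keys. The script joins them with `@` because the documented default `version` is a `sha256:` digest, while this template joins with `:`, which is not a valid reference for a digest; with the new keys the line becomes `image: "{{ .Values.configs.segment_backup_job.image.registry }}/{{ .Values.configs.segment_backup_job.image.repository }}@{{ .Values.configs.segment_backup_job.image.version }}"`. The `spec.securityContext` block is misplaced in the same way as in the new CronJob (see the note there). Indentation is lost in the rendered view, so whether `serviceAccountName` and `containers` sit under `template.spec` rather than `template.metadata` could not be confirmed from here; a `helm template` run before merging would settle it.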
12 changes: 11 additions & 1 deletion charts/trusted-artifact-signer/values.schema.json
Expand Up @@ -3,7 +3,17 @@
"properties": {
"configs": {
"properties": {
"segment-backup-job":{
"sigstore_monitoring": {
"properties": {
"namespace": {
"type": "string"
},
"namespace_create": {
"type": "boolean"
}
}
},
"segment_backup_job":{
"properties": {
"name": {
"type": "string"
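Review bot: The new `sigstore_monitoring` entry and the renamed `segment_backup_job` entry declare `properties` but no `"type": "object"`, so a scalar or list supplied for either key passes validation and the chart fails later with a confusing template error; add `"type": "object"` to both, as `configs` itself has in values.schema.tmpl.json. The rename from `segment-backup-job` to `segment_backup_job` also means existing user overrides with the hyphenated key stop matching, and unless `configs` sets `"additionalProperties": false` (not visible in this hunk) the schema accepts the stale key silently and the job falls back to defaults, so either add that or call the rename out as a breaking values change. values.schema.tmpl.json carries the same two entries and needs the same change.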
15 changes: 12 additions & 3 deletions charts/trusted-artifact-signer/values.schema.tmpl.json
Expand Up @@ -19,7 +19,17 @@
"configs": {
"type": "object",
"properties": {
"segment-backup-job":{
"sigstore_monitoring": {
"properties": {
"namespace": {
"type": "string"
},
"namespace_create": {
"type": "boolean"
}
}
},
"segment_backup_job":{
"properties": {
"name": {
"type": "string"
Expand Down Expand Up @@ -301,8 +311,7 @@
},
"type": "object"
}
},
"type": "object"
}
},
"rbac": {
"properties": {
7 changes: 4 additions & 3 deletions charts/trusted-artifact-signer/values.yaml
Expand Up @@ -5,7 +5,10 @@ global:
appsSubdomain: ""

configs:
segment-backup-job:
sigstore_monitoring:
namespace: sigstore-monitoring
namespace_create: true
segment_backup_job:
name: segment-backup-job
namespace: sigstore-monitoring
image:
Expand Down Expand Up @@ -146,8 +149,6 @@ rbac:
# -- clusterrole to be added to sigstore component serviceaccounts.
clusterrole: system:openshift:scc:anyuid

https://github.com/securesign/sigstore-ocp/blob/dc536fd05432421742f1952cc0c8ff04f64bb97f/charts/trusted-artifact-signer/values.yaml#L139C3-L139C43

# github.com/sigstore/helm-charts/charts
scaffold:
ctlog:
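Review bot: The new `sigstore_monitoring` and `segment_backup_job` keys have no `# --` descriptions, although the file uses that helm-docs convention (`# -- clusterrole to be added to sigstore component serviceaccounts.` in the rbac block), which is why the README rows for these keys have empty description cells; add e.g. `# -- namespace for the monitoring stack` above `sigstore_monitoring.namespace`, `# -- create the monitoring namespace when true` above `namespace_create`, and one line each for the job's name, namespace and image. `segment_backup_job.namespace` repeats the value of `sigstore_monitoring.namespace`, leaving two places that must be kept equal by hand. The README's stated default for `segment_backup_job.name` (`nightlyMetricsCollection`) does not match the `segment-backup-job` set here, so if the README is helm-docs output it should be regenerated from these values.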
2 changes: 1 addition & 1 deletion grafana/operator/kustomization.yaml
Expand Up @@ -2,5 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- namespace.yaml
# - namespace.yaml
- operator.yaml
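Review bot: Commenting out `namespace.yaml` leaves no record of where the namespace now comes from; presumably it is the chart's new `sigstore_monitoring.namespace_create` value, but anyone applying this kustomization on its own gets a missing-namespace error with no pointer to that. Either delete the line or replace it with a comment such as `# namespace is created by the trusted-artifact-signer chart (configs.sigstore_monitoring.namespace_create)`.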
16 changes: 16 additions & 0 deletions tas-easy-install.sh
Expand Up @@ -112,6 +112,22 @@ oc -n rekor-system create secret generic rekor-private-key --from-file=private=.
#OPENSHIFT_APPS_SUBDOMAIN=$common_name envsubst < examples/values-sigstore-openshift.yaml | helm install --debug trusted-artifact-signer trusted-artifact-signer/trusted-artifact-signer -n trusted-artifact-signer --create-namespace --values -
OPENSHIFT_APPS_SUBDOMAIN=$common_name envsubst < examples/values-sigstore-openshift.yaml | helm upgrade -i trusted-artifact-signer --debug charts/trusted-artifact-signer -n trusted-artifact-signer --create-namespace --values -


# parse values for job creation to phone home
image_registry=$(cat charts/trusted-artifact-signer/values.yaml | yq .configs.segment_backup_job.image.registry)
image_repository=$(cat charts/trusted-artifact-signer/values.yaml | yq .configs.segment_backup_job.image.repository)
image_version=$(cat charts/trusted-artifact-signer/values.yaml | yq .configs.segment_backup_job.image.version)
image="${image_registry}/${image_repository}@${image_version}"
job_name=$(cat charts/trusted-artifact-signer/values.yaml | yq .configs.segment_backup_job.name)
job_namespace=job_name=$(cat charts/trusted-artifact-signer/values.yaml | yq .configs.segment_backup_job.namespace)

job_namespace_exits=$(oc projects | grep $job_namespace)
if [[ -z $job_namespace_exits ]]; then
oc -n trusted-artifact-signer run $job_name --image=$image --command
else
oc -n $job_namespace run $job_name --image=$image --command
fi

# Create the script to initialize the environment variables for the service endpoints
generate_env_script

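Review bot: `job_namespace=job_name=$(...)` assigns the literal string `job_name=<namespace>` to `job_namespace`, so the `oc projects | grep` test never matches, the `if` always takes the `trusted-artifact-signer` branch and the configured namespace is never used; the line should read `job_namespace=$(cat charts/trusted-artifact-signer/values.yaml | yq .configs.segment_backup_job.namespace)`. The existence check is also a substring grep on unquoted variables (a namespace `foo` matches `foo-bar`), and the two branches differ only in the namespace, so checking with `oc get project "$job_namespace"` and collapsing to one `oc run` call is shorter and exact. Note that `oc run` creates a bare Pod rather than the Job the chart templates define, so the `pull-secret` mount, the `segment-backup-sa` account and the security context are not applied here; if the script needs them it should apply the rendered Job instead. The `cat file | yq` pipelines can pass the file as an argument, and whether `yq` prints quoted or raw strings depends on which yq is installed, which the script does not pin. Rewritten block below.
```shell
# parse values for job creation to phone home
values_file="charts/trusted-artifact-signer/values.yaml"
image_registry=$(yq .configs.segment_backup_job.image.registry "$values_file")
image_repository=$(yq .configs.segment_backup_job.image.repository "$values_file")
image_version=$(yq .configs.segment_backup_job.image.version "$values_file")
image="${image_registry}/${image_repository}@${image_version}"
job_name=$(yq .configs.segment_backup_job.name "$values_file")
job_namespace=$(yq .configs.segment_backup_job.namespace "$values_file")

# fall back to the chart namespace when the configured one does not exist
if ! oc get project "$job_namespace" >/dev/null 2>&1; then
  job_namespace="trusted-artifact-signer"
fi
oc -n "$job_namespace" run "$job_name" --image="$image" --command
```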