securesign · red-hat-konflux · Nov 10, 2023 · Nov 15, 2023 · Nov 30, 2023
diff --git a/.tekton/client-server-pull-request.yaml b/.tekton/client-server-pull-request.yaml
diff --git a/.tekton/client-server-push.yaml b/.tekton/client-server-push.yaml
diff --git a/charts/trusted-artifact-signer/Chart.yaml b/charts/trusted-artifact-signer/Chart.yaml
@@ -33,4 +33,4 @@ sources:
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.22
+version: 0.1.24
diff --git a/charts/trusted-artifact-signer/README.md b/charts/trusted-artifact-signer/README.md
@@ -3,7 +3,7 @@
 
 A Helm chart for deploying Sigstore scaffold chart that is opinionated for OpenShift
 
-![Version: 0.1.22](https://img.shields.io/badge/Version-0.1.22-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.1.24](https://img.shields.io/badge/Version-0.1.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 ## Overview
 
@@ -117,6 +117,15 @@ Kubernetes: `>= 1.19.0-0`
 | configs.fulcio.server.secret.public_key_file | file containing signer public key | string | `""` |
 | configs.fulcio.server.secret.root_cert | fulcio root certificate authority (CA) | string | `""` |
 | configs.fulcio.server.secret.root_cert_file | file containing fulcio root certificate authority (CA) | string | `""` |
+| configs.sigstore_monitoring.namespace |  | string | `"sigstore-monitoring"` |
+| configs.sigstore_monitoring.namespace_create |  | bool | `true` |
+| configs.segment_backup_job.image.registry |  | string | `"quay.io"` |
+| configs.segment_backup_job.image.pullPolicy |  | string | `"IfNotPresent"` |
+| configs.segment_backup_job.image.registry |  | string | `"quay.io"` |
+| configs.segment_backup_job.image.repository |  | string | `"redhat-user-workloads/rhtas-tenant/rhtas-stack-1-0-beta/segment-backup-job"` |
+| configs.segment_backup_job.image.version |  | string | `"sha256:d5b5f7942e898a056d2268083e2d4a45f763bce5697c0e9788d5aa0ec382cc44"` |
+| configs.segment_backup_job.name |  | string | `"nightlyMetricsCollection"` |
+| configs.segment_backup_job.namespace |  | string | `"sigstore-monitoring"` |
 | configs.rekor.clusterMonitoring.enabled |  | bool | `true` |
 | configs.rekor.clusterMonitoring.endpoints[0].interval |  | string | `"30s"` |
 | configs.rekor.clusterMonitoring.endpoints[0].port |  | string | `"2112-tcp"` |

diff --git a/charts/trusted-artifact-signer/templates/_helpers.tpl b/charts/trusted-artifact-signer/templates/_helpers.tpl
@@ -60,3 +60,14 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Create the image path for the passed in image field
+*/}}
+{{- define "image" -}}
+{{- if eq (substr 0 7 .version) "sha256:" -}}
+{{- printf "%s/%s@%s" .registry .repository .version -}}
+{{- else -}}
+{{- printf "%s/%s:%s" .registry .repository .version -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/trusted-artifact-signer/templates/clientserver-deployment.yaml b/charts/trusted-artifact-signer/templates/clientserver-deployment.yaml
@@ -21,7 +21,7 @@ spec:
       serviceAccountName: {{ .Values.configs.clientserver.name }}
       containers:
       - name: tas-clients
-        image: "{{ .Values.configs.clientserver.image.registry }}/{{ .Values.configs.clientserver.image.repository }}:{{ .Values.configs.clientserver.image.version }}"
+        image: "{{ template "image" .Values.configs.clientserver.image }}"
         #image: quay.io/sallyom/tas-clients:httpd
         imagePullPolicy: IfNotPresent
         ports:

diff --git a/charts/trusted-artifact-signer/templates/cosign-deployment.yaml b/charts/trusted-artifact-signer/templates/cosign-deployment.yaml
@@ -21,7 +21,7 @@ spec:
       {{- end }}
       containers:
       - name: {{ .Values.configs.cosign_deploy.name }}
-        image: "{{ .Values.configs.cosign_deploy.image.registry }}/{{ .Values.configs.cosign_deploy.image.repository }}:{{ .Values.configs.cosign_deploy.image.version }}"
+        image: "{{ template "image" .Values.configs.cosign_deploy.image }}"
         env:
         - name: OPENSHIFT_APPS_SUBDOMAIN
           value: {{ .Values.global.appsSubdomain }}

diff --git a/charts/trusted-artifact-signer/templates/segment-backup-cronjob.yaml b/charts/trusted-artifact-signer/templates/segment-backup-cronjob.yaml
@@ -0,0 +1,37 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ .Values.configs.segment_backup_job.name }}
+  namespace: {{ .Values.configs.segment_backup_job.namespace }}
+spec:
+  schedule: "0 0 * * *"  
+  concurrencyPolicy: "Replace"
+  startingDeadlineSeconds: 200
+  suspend: false
+  successfulJobsHistoryLimit: 7
+  failedJobsHistoryLimit: 3
+  jobTemplate:                  
+    spec:
+      template:
+          metadata:
+            name: {{ .Values.configs.segment_backup_job.name }}
+            labels:               
+              parent: "segment-backup-job"
+          spec:
+            restartPolicy: OnFailure 
+            serviceAccountName: segment-backup-job
+            containers:
+              - name: {{ .Values.configs.segment_backup_job.name }}
+                # image: "{{ .Values.configs.segment_backup_job.image.registry }}/{{ .Values.configs.segment_backup_job.image.repository }}/{{ .Values.configs.segment_backup_job.image.version }}"
+                image: "{{ .Values.configs.segment_backup_job.image.registry }}/{{ .Values.configs.segment_backup_job.image.repository }}@{{ .Values.configs.segment_backup_job.image.version }}"
+                command: ["/bin/bash",  "/opt/app-root/src/script.sh"]
+                env:
+                  - name: RUN_TYPE
+                    value: "nightly"
+                securityContext:
+                  allowPrivilegeEscalation: false
+                  seccompProfile:
+                    type: RuntimeDefault
+                  capabilities:
+                    drop:
+                    - ALL
diff --git a/charts/trusted-artifact-signer/templates/segment-backup-job-clusterrole.yaml b/charts/trusted-artifact-signer/templates/segment-backup-job-clusterrole.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: segment-backup-job
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - "route.openshift.io"
+  resources:
+  - routes
+  verbs:
+  - get
+  - list 
diff --git a/charts/trusted-artifact-signer/templates/segment-backup-job-clusterrolebinding.yaml b/charts/trusted-artifact-signer/templates/segment-backup-job-clusterrolebinding.yaml
@@ -0,0 +1,13 @@
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: segment-backup-job
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: segment-backup-job
+subjects:
+- kind: ServiceAccount
+  name: segment-backup-job
+  namespace: {{ .Values.configs.segment_backup_job.namespace }}
diff --git a/charts/trusted-artifact-signer/templates/segment-backup-job-sa.yaml b/charts/trusted-artifact-signer/templates/segment-backup-job-sa.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: segment-backup-job
+  # namespace: {{ .Values.configs.segment_backup_job.namespace }}
+  namespace: sigstore-monitoring
+secrets:
+- name: pull-secret
diff --git a/charts/trusted-artifact-signer/templates/segment-backup-job.yaml b/charts/trusted-artifact-signer/templates/segment-backup-job.yaml
@@ -0,0 +1,33 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ .Values.configs.segment_backup_job.name }}
+  namespace: {{ .Values.configs.segment_backup_job.namespace }}
+spec:  
+  parallelism: 1    
+  completions: 1
+  activeDeadlineSeconds: 600
+  backoffLimit: 5
+  template:
+    metadata:
+      name: {{ .Values.configs.segment_backup_job.name }}
+      labels:               
+        parent: "segment-backup-job"
+    spec:
+      restartPolicy: OnFailure 
+      serviceAccountName: segment-backup-job
+      containers:
+        - name: {{ .Values.configs.segment_backup_job.name }}
+          # image: "{{ .Values.configs.segment_backup_job.image.registry }}/{{ .Values.configs.segment_backup_job.image.repository }}/{{ .Values.configs.segment_backup_job.image.version }}"
+          image: "{{ .Values.configs.segment_backup_job.image.registry }}/{{ .Values.configs.segment_backup_job.image.repository }}@{{ .Values.configs.segment_backup_job.image.version }}"
+          command: ["/bin/bash",  "/opt/app-root/src/script.sh"]
+          env:
+            - name: RUN_TYPE
+              value: "installation"
+          securityContext:
+            allowPrivilegeEscalation: false
+            seccompProfile:
+              type: RuntimeDefault
+            capabilities:
+              drop:
+              - ALL
diff --git a/charts/trusted-artifact-signer/values.schema.json b/charts/trusted-artifact-signer/values.schema.json
@@ -3,6 +3,45 @@
     "properties": {
         "configs": {
             "properties": {
+                "sigstore_monitoring": {
+                    "properties": {
+                        "namespace": {
+                            "type": "string"
+                        }
+                    }
+                },
+                "segment_backup_job":{
+                    "properties": {
+                        "name": {
+                            "type": "string"
+                        },
+                        "namespace": {
+                            "type" : "string"
+                        },
+                        "image": {
+                            "properties": {
+                                "pullPolicy": {
+                                    "type": "string"
+                                },
+                                "registry": {
+                                    "type": "string"
+                                },
+                                "repository": {
+                                    "type": "string"
+                                },
+                                "version": {
+                                    "type": "string"
+                                }
+                            }
+                        },
+                        "rolebindings": {
+                            "items": {
+                                "type": "string"
+                            },
+                            "type": "array"
+                        }
+                    }
+                },
                 "clientserver": {
                     "properties": {
                         "consoleDownload": {

diff --git a/charts/trusted-artifact-signer/values.schema.tmpl.json b/charts/trusted-artifact-signer/values.schema.tmpl.json
@@ -19,6 +19,45 @@
         "configs": {
             "type": "object",
             "properties": {
+                "sigstore_monitoring": {
+                    "properties": {
+                        "namespace": {
+                            "type": "string"
+                        }
+                    }
+                },
+                "segment_backup_job":{
+                    "properties": {
+                        "name": {
+                            "type": "string"
+                        },
+                        "namespace": {
+                            "type" : "string"
+                        },
+                        "image": {
+                            "properties": {
+                                "pullPolicy": {
+                                    "type": "string"
+                                },
+                                "registry": {
+                                    "type": "string"
+                                },
+                                "repository": {
+                                    "type": "string"
+                                },
+                                "version": {
+                                    "type": "string"
+                                }
+                            }
+                        },
+                        "rolebindings": {
+                            "items": {
+                                "type": "string"
+                            },
+                            "type": "array"
+                        }
+                    }
+                },
                 "clientserver": {
                     "properties": {
                         "consoleDownload": {
@@ -275,8 +314,7 @@
                     },
                     "type": "object"
                 }
-            },
-            "type": "object"
+            }
         },
         "rbac": {
             "properties": {

diff --git a/charts/trusted-artifact-signer/values.yaml b/charts/trusted-artifact-signer/values.yaml
@@ -5,6 +5,18 @@ global:
   appsSubdomain: ""
 
 configs:
+  sigstore_monitoring:
+    namespace: sigstore-monitoring
+  segment_backup_job:
+    name: segment-backup-job
+    namespace: sigstore-monitoring
+    image:
+      registry: quay.io
+      repository: redhat-user-workloads/rhtas-tenant/rhtas-stack-1-0-beta/segment-backup-job
+      version: sha256:d5b5f7942e898a056d2268083e2d4a45f763bce5697c0e9788d5aa0ec382cc44
+      pullPolicy: IfNotPresent
+    rolebindings:
+      - segment-backup-job
   clientserver:
     # -- Whether to create the OpenShift resource 'ConsoleCLIDownload' for each binary.
     # -- This can only be enabled if the OpenShift CRD is registered.

diff --git a/grafana/operator/kustomization.yaml b/grafana/operator/kustomization.yaml
@@ -2,5 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-- namespace.yaml
 - operator.yaml
diff --git a/grafana/operator/namespace.yaml b/grafana/operator/namespace.yaml
diff --git a/kind/kind-up-test.sh b/kind/kind-up-test.sh
@@ -21,6 +21,7 @@ then
 else
   mv /tmp/config ~/.kube/config
 fi
+chmod go-r ~/.kube/config
 
 oc config use-context kind-kind
 

diff --git a/tas-easy-install.sh b/tas-easy-install.sh
@@ -97,6 +97,38 @@ openssl ec -in file_ca_key.pem -passin pass:"$password" -pubout -out file_ca_pub
 openssl req -new -x509 -days 365 -key file_ca_key.pem -passin pass:"$password"  -out fulcio-root.pem -passout pass:"$password" -subj "/CN=$common_name/emailAddress=$email_address/O=$organization_name"
 openssl ecparam -name prime256v1 -genkey -noout -out rekor_key.pem
 
+segment_backup_job=$(oc get job -n sigstore-monitoring --ignore-not-found=true | tail -n 1 | awk '{print $1}')
+if [[ -n $segment_backup_job ]]; then
+    oc delete job $segment_backup_job -n sigstore-monitoring
+fi
+
+oc new-project sigstore-monitoring > /dev/null 2>&1
+
+pull_secret_exists=$(oc get secret pull-secret -n sigstore-monitoring --ignore-not-found=true)
+if [[ -n $pull_secret_exists ]]; then
+    read -p "Secret \"pull-secret\" in namespace \"sigstore-monitoring\" already exists. Overwrite it (Y/N)?: " -n1 overwrite_pull_secret
+    echo ""
+    if [[ $overwrite_pull_secret == "Y" || $overwrite_pull_secret == 'y' ]]; then
+        read -p "Please enter the absolute path to the pull-secret.json file:
+" pull_secret_path
+        file_exists=$(ls $pull_secret_path 2>/dev/null)
+        if [[ -n $file_exists ]]; then
+            oc create secret generic pull-secret -n sigstore-monitoring --from-file=$pull_secret_path --dry-run=client -o yaml | oc replace -f -
+        else
+            echo "pull secret was not found based on the path provided: $pull_secret_path"
+            exit 0
+        fi
+    elif [[ $overwrite_pull_secret == "N" || $overwrite_pull_secret == 'n' ]]; then
+        echo "Skipping overwriting pull-secret..."
+    else 
+        echo "Bad input. Skipping this step, using existing pull-secret"
+    fi
+else
+    read -p "Please enter the absolute path to the pull-secret.json file:
+" pull_secret_path
+    oc create secret generic pull-secret -n sigstore-monitoring --from-file=$pull_secret_path
+fi
+
 rm unenc.key
 popd > /dev/null