adds cronJob.

Signed-off-by: ianhundere <[email protected]>
sigstore · Jul 26, 2024 · 323068b · 323068b
1 parent 6359bda
commit 323068b
Show file tree

Hide file tree

Showing 8 changed files with 289 additions and 79 deletions.
diff --git a/charts/scaffold/Chart.yaml b/charts/scaffold/Chart.yaml
@@ -4,7 +4,7 @@ description: Scaffolding the components of the sigstore architecture
 
 type: application
 
-version: 0.6.53
+version: 0.6.54
 keywords:
   - security
   - pki

diff --git a/charts/scaffold/README.md b/charts/scaffold/README.md
@@ -2,7 +2,7 @@
 
 <!-- This README.md is generated. Please edit README.md.gotmpl -->
 
-![Version: 0.6.53](https://img.shields.io/badge/Version-0.6.53-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.6.54](https://img.shields.io/badge/Version-0.6.54-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 Scaffolding the components of the sigstore architecture
 
@@ -49,6 +49,11 @@ helm uninstall [RELEASE_NAME]
 |-----|------|---------|-------------|
 | copySecretJob.affinity | object | `{}` |  |
 | copySecretJob.backoffLimit | int | `6` |  |
+| copySecretJob.copySecretCronJob.backoffLimit | int | `2` |  |
+| copySecretJob.copySecretCronJob.enabled | bool | `false` |  |
+| copySecretJob.copySecretCronJob.failedJobsHistoryLimit | int | `1` |  |
+| copySecretJob.copySecretCronJob.schedule | string | `"*/5 * * * 1-5"` |  |
+| copySecretJob.copySecretCronJob.successfulJobsHistoryLimit | int | `1` |  |
 | copySecretJob.enabled | bool | `false` |  |
 | copySecretJob.imagePullPolicy | string | `"IfNotPresent"` |  |
 | copySecretJob.name | string | `"copy-secrets-job"` |  |
@@ -91,6 +96,30 @@ helm uninstall [RELEASE_NAME]
 | rekor.server.fullnameOverride | string | `"rekor-server"` |  |
 | rekor.tolerations | list | `[]` |  |
 | rekor.trillian.enabled | bool | `false` |  |
+| secrets.ctlog.create | bool | `false` |  |
+| secrets.ctlog.deploymentName | string | `"ctlog"` |  |
+| secrets.ctlog.key | string | `"public"` |  |
+| secrets.ctlog.name | string | `"ctlog-public-key"` |  |
+| secrets.ctlog.namespace | string | `"ctlog-system"` |  |
+| secrets.ctlog.path | string | `"ctfe.pub"` |  |
+| secrets.fulcio.create | bool | `false` |  |
+| secrets.fulcio.deploymentName | string | `"fulcio-server"` |  |
+| secrets.fulcio.key | string | `"cert"` |  |
+| secrets.fulcio.name | string | `"fulcio-server-secret"` |  |
+| secrets.fulcio.namespace | string | `"fulcio-system"` |  |
+| secrets.fulcio.path | string | `"fulcio_v1.crt.pem"` |  |
+| secrets.rekor.create | bool | `false` |  |
+| secrets.rekor.deploymentName | string | `"rekor-server"` |  |
+| secrets.rekor.key | string | `"key"` |  |
+| secrets.rekor.name | string | `"rekor-public-key"` |  |
+| secrets.rekor.namespace | string | `"rekor-system"` |  |
+| secrets.rekor.path | string | `"rekor.pub"` |  |
+| secrets.tsa.create | bool | `false` |  |
+| secrets.tsa.deploymentName | string | `"tsa-server"` |  |
+| secrets.tsa.key | string | `"cert-chain"` |  |
+| secrets.tsa.name | string | `"tsa-cert-chain"` |  |
+| secrets.tsa.namespace | string | `"tsa-system"` |  |
+| secrets.tsa.path | string | `"tsa.certchain.pem"` |  |
 | trillian.affinity | object | `{}` |  |
 | trillian.enabled | bool | `true` |  |
 | trillian.forceNamespace | string | `"trillian-system"` |  |
@@ -115,20 +144,12 @@ helm uninstall [RELEASE_NAME]
 | tsa.server.fullnameOverride | string | `"tsa-server"` |  |
 | tsa.tolerations | list | `[]` |  |
 | tuf.affinity | object | `{}` |  |
-| tuf.enabled | bool | `false` |  |
+| tuf.enabled | bool | `true` |  |
 | tuf.forceNamespace | string | `"tuf-system"` |  |
 | tuf.fullnameOverride | string | `"tuf"` |  |
 | tuf.namespace.create | bool | `true` |  |
 | tuf.namespace.name | string | `"tuf-system"` |  |
 | tuf.nodeSelector | object | `{}` |  |
-| tuf.secrets.ctlog.name | string | `"ctlog-public-key"` |  |
-| tuf.secrets.ctlog.path | string | `"ctfe.pub"` |  |
-| tuf.secrets.fulcio.name | string | `"fulcio-server-secret"` |  |
-| tuf.secrets.fulcio.path | string | `"fulcio_v1.crt.pem"` |  |
-| tuf.secrets.rekor.name | string | `"rekor-public-key"` |  |
-| tuf.secrets.rekor.path | string | `"rekor.pub"` |  |
-| tuf.secrets.tsa.name | string | `"tsa-cert-chain"` |  |
-| tuf.secrets.tsa.path | string | `"tsa.certchain.pem"` |  |
 | tuf.tolerations | list | `[]` |  |
 
 ----------------------------------------------

diff --git a/charts/scaffold/templates/_helpers.tpl b/charts/scaffold/templates/_helpers.tpl
@@ -8,4 +8,3 @@ Create the image path for the passed in image field
 {{- printf "%s/%s:%s" .registry .repository .version -}}
 {{- end -}}
 {{- end -}}
-
diff --git a/charts/scaffold/templates/clusterrole.yaml b/charts/scaffold/templates/clusterrole.yaml
@@ -6,7 +6,7 @@ metadata:
 rules:
   - apiGroups: [""]
     resources: ["secrets"]
-    verbs: ["get", "create", "patch"]
+    verbs: ["get", "create", "patch"{{- if .Values.copySecretJob.copySecretCronJob.enabled }}, "delete"{{- end }}]
   - apiGroups: ["apps"]
     resources: ["deployments"]
     verbs: ["get", "list"]

diff --git a/charts/scaffold/templates/copy-secrets-cronjob.yaml b/charts/scaffold/templates/copy-secrets-cronjob.yaml
@@ -0,0 +1,100 @@
+{{- if and .Values.copySecretJob.enabled .Values.copySecretJob.copySecretCronJob.enabled }}
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+{{ include "tuf.namespace" .Subcharts.tuf | indent 2 }}
+  name: {{ .Values.copySecretJob.name }}-scheduled
+spec:
+  schedule: "{{ .Values.copySecretJob.copySecretCronJob.schedule }}"
+  successfulJobsHistoryLimit: {{ default 2 .Values.copySecretJob.copySecretCronJob.successfulJobsHistoryLimit }}
+  failedJobsHistoryLimit: {{ default 2 .Values.copySecretJob.copySecretCronJob.failedJobsHistoryLimit }}
+  jobTemplate:
+    spec:
+      backoffLimit: {{ default 6 .Values.copySecretJob.copySecretCronJob.backoffLimit }}
+      template:
+        spec:
+          restartPolicy: OnFailure
+          serviceAccountName: {{ .Values.copySecretJob.serviceaccount }}
+          initContainers:
+          - name: wait-for-rekor-deployment-readiness
+            image: {{ template "scaffold.image" .Values.copySecretJob }}
+            imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }}
+            command: ["/bin/sh"]
+            args: [
+                "-c",
+                "kubectl rollout status deployment {{ .Values.tuf.secrets.rekor.deploymentName }} --timeout=120s -n {{ .Values.tuf.secrets.rekor.namespace }}"
+            ]
+          - name: wait-for-fulcio-deployment-readiness
+            image: {{ template "scaffold.image" .Values.copySecretJob }}
+            imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }}
+            command: ["/bin/sh"]
+            args: [
+                "-c",
+                "kubectl rollout status deployment {{ .Values.tuf.secrets.fulcio.deploymentName }} --timeout=120s -n {{ .Values.tuf.secrets.fulcio.namespace }}"
+            ]
+          - name: wait-for-ctlog-deployment-readiness
+            image: {{ template "scaffold.image" .Values.copySecretJob }}
+            imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }}
+            command: ["/bin/sh"]
+            args: [
+                "-c",
+                "kubectl rollout status deployment {{ .Values.tuf.secrets.ctlog.deploymentName }} --timeout=120s -n {{ .Values.tuf.secrets.ctlog.namespace }}"
+            ]
+          - name: wait-for-tsa-deployment-readiness
+            image: {{ template "scaffold.image" .Values.copySecretJob }}
+            imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }}
+            command: ["/bin/sh"]
+            args: [
+                "-c",
+                "kubectl rollout status deployment {{ .Values.tuf.secrets.tsa.deploymentName }} --timeout=120s -n {{ .Values.tuf.secrets.tsa.namespace }}"
+            ]
+          containers:
+          - name: copy-rekor-secret
+            image: {{ template "scaffold.image" .Values.copySecretJob }}
+            imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }}
+            command: ["/bin/sh"]
+            args: [
+                "-c",
+                "curl {{ .Values.tuf.secrets.rekor.deploymentName}}.{{ .Values.tuf.secrets.rekor.namespace }}.svc.cluster.local/api/v1/log/publicKey -o /tmp/key -v && \
+                kubectl apply -f - <<EOF\napiVersion: v1\nkind: Secret\nmetadata:\n  name: {{ .Values.tuf.secrets.rekor.name }}\n  namespace: {{ .Values.forceNamespace }}\ndata:\n  key: $(cat /tmp/key | base64 -w 0)\nEOF\n"
+            ]
+          - name: copy-fulcio-secret
+            image: {{ template "scaffold.image" .Values.copySecretJob }}
+            imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }}
+            command: ["/bin/sh"]
+            args: [
+                "-c",
+                "kubectl -n {{ .Values.forceNamespace }} delete secret {{ .Values.tuf.secrets.fulcio.name }} --ignore-not-found && \
+                kubectl -n {{ .Values.tuf.secrets.fulcio.namespace }} get secrets {{ .Values.tuf.secrets.fulcio.name }} -oyaml | sed 's/namespace: .*/namespace: {{ .Values.forceNamespace }}/' | kubectl apply -f -"
+            ]
+          - name: copy-ctlog-secret
+            image: {{ template "scaffold.image" .Values.copySecretJob }}
+            imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }}
+            command: ["/bin/sh"]
+            args: [
+                "-c",
+                "kubectl -n {{ .Values.forceNamespace }} delete secret {{ .Values.tuf.secrets.ctlog.name }} --ignore-not-found && \
+                kubectl -n {{ .Values.tuf.secrets.ctlog.namespace }} get secrets {{ .Values.tuf.secrets.ctlog.name }} -oyaml | sed 's/namespace: .*/namespace: {{ .Values.forceNamespace }}/' | kubectl apply -f -"
+            ]
+          - name: copy-tsa-secret
+            image: {{ template "scaffold.image" .Values.copySecretJob }}
+            imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }}
+            command: ["/bin/sh"]
+            args: [
+                "-c",
+                "curl {{ .Values.tuf.secrets.tsa.deploymentName}}.{{ .Values.tuf.secrets.tsa.namespace }}.svc.cluster.local/api/v1/timestamp/certchain -o /tmp/cert-chain -v && \
+                kubectl apply -f - <<EOF\napiVersion: v1\nkind: Secret\nmetadata:\n  name: {{ .Values.tuf.secrets.tsa.name }}\n  namespace: {{ .Values.forceNamespace }}\ndata:\n  cert-chain: $(cat /tmp/cert-chain | base64 -w 0)\nEOF\n"
+            ]
+          {{- if .Values.copySecretJob.nodeSelector }}
+          nodeSelector:
+{{ toYaml .Values.copySecretJob.nodeSelector | indent 12 }}
+          {{- end }}
+          {{- if .Values.copySecretJob.tolerations }}
+          tolerations:
+{{ toYaml .Values.copySecretJob.tolerations | indent 12 }}
+          {{- end }}
+          {{- if .Values.copySecretJob.affinity }}
+          affinity:
+{{ toYaml .Values.copySecretJob.affinity | indent 12 }}
+          {{- end }}
+{{- end }}
diff --git a/charts/scaffold/templates/copy-secrets-job.yaml b/charts/scaffold/templates/copy-secrets-job.yaml
@@ -3,9 +3,9 @@ apiVersion: batch/v1
 kind: Job
 metadata:
 {{ include "tuf.namespace" .Subcharts.tuf | indent 2 }}
-  name: {{ .Values.copySecretJob.name }}
+  name: {{ .Values.copySecretJob.name }}{{- if not .Values.copySecretJob.copySecretCronJob.enabled }}{{- else }}-immediate{{- end }}
 spec:
-  backoffLimit: {{ .Values.copySecretJob.backoffLimit }}
+  backoffLimit: {{ default 6 .Values.copySecretJob.backoffLimit }}
   template:
     spec:
       restartPolicy: OnFailure
@@ -90,4 +90,4 @@ spec:
       affinity:
 {{ toYaml .Values.copySecretJob.affinity | indent 8 }}
       {{- end }}
-{{- end }}
+{{- end }}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -8,4 +8,3 @@ Create the image path for the passed in image field
		{{- printf "%s/%s:%s" .registry .repository .version -}}
		{{- end -}}
		{{- end -}}