Merge pull request #792 from ianhundere/adds_copysecrets_cronjob
adds optional cronJob to copySecretJob to avoid stale secrets.
bobcallaway authored Oct 25, 2024
2 parents 95cbdec + f48f138 commit e88db0e
Showing 7 changed files with 295 additions and 77 deletions.
37 changes: 29 additions & 8 deletions charts/scaffold/README.md
Expand Up @@ -49,6 +49,11 @@ helm uninstall [RELEASE_NAME]
|-----|------|---------|-------------|
| copySecretJob.affinity | object | `{}` | |
| copySecretJob.backoffLimit | int | `6` | |
| copySecretJob.copySecretCronJob.backoffLimit | int | `2` | |
| copySecretJob.copySecretCronJob.enabled | bool | `false` | |
| copySecretJob.copySecretCronJob.failedJobsHistoryLimit | int | `1` | |
| copySecretJob.copySecretCronJob.schedule | string | `"*/5 * * * 1-5"` | |
| copySecretJob.copySecretCronJob.successfulJobsHistoryLimit | int | `1` | |
| copySecretJob.enabled | bool | `false` | |
| copySecretJob.imagePullPolicy | string | `"IfNotPresent"` | |
| copySecretJob.name | string | `"copy-secrets-job"` | |
Expand Down Expand Up @@ -91,6 +96,30 @@ helm uninstall [RELEASE_NAME]
| rekor.server.fullnameOverride | string | `"rekor-server"` | |
| rekor.tolerations | list | `[]` | |
| rekor.trillian.enabled | bool | `false` | |
| secrets.ctlog.create | bool | `false` | |
| secrets.ctlog.deploymentName | string | `"ctlog"` | |
| secrets.ctlog.key | string | `"public"` | |
| secrets.ctlog.name | string | `"ctlog-public-key"` | |
| secrets.ctlog.namespace | string | `"ctlog-system"` | |
| secrets.ctlog.path | string | `"ctfe.pub"` | |
| secrets.fulcio.create | bool | `false` | |
| secrets.fulcio.deploymentName | string | `"fulcio-server"` | |
| secrets.fulcio.key | string | `"cert"` | |
| secrets.fulcio.name | string | `"fulcio-server-secret"` | |
| secrets.fulcio.namespace | string | `"fulcio-system"` | |
| secrets.fulcio.path | string | `"fulcio_v1.crt.pem"` | |
| secrets.rekor.create | bool | `false` | |
| secrets.rekor.deploymentName | string | `"rekor-server"` | |
| secrets.rekor.key | string | `"key"` | |
| secrets.rekor.name | string | `"rekor-public-key"` | |
| secrets.rekor.namespace | string | `"rekor-system"` | |
| secrets.rekor.path | string | `"rekor.pub"` | |
| secrets.tsa.create | bool | `false` | |
| secrets.tsa.deploymentName | string | `"tsa-server"` | |
| secrets.tsa.key | string | `"cert-chain"` | |
| secrets.tsa.name | string | `"tsa-cert-chain"` | |
| secrets.tsa.namespace | string | `"tsa-system"` | |
| secrets.tsa.path | string | `"tsa.certchain.pem"` | |
| trillian.affinity | object | `{}` | |
| trillian.enabled | bool | `true` | |
| trillian.forceNamespace | string | `"trillian-system"` | |
Expand Down Expand Up @@ -121,14 +150,6 @@ helm uninstall [RELEASE_NAME]
| tuf.namespace.create | bool | `true` | |
| tuf.namespace.name | string | `"tuf-system"` | |
| tuf.nodeSelector | object | `{}` | |
| tuf.secrets.ctlog.name | string | `"ctlog-public-key"` | |
| tuf.secrets.ctlog.path | string | `"ctfe.pub"` | |
| tuf.secrets.fulcio.name | string | `"fulcio-server-secret"` | |
| tuf.secrets.fulcio.path | string | `"fulcio_v1.crt.pem"` | |
| tuf.secrets.rekor.name | string | `"rekor-public-key"` | |
| tuf.secrets.rekor.path | string | `"rekor.pub"` | |
| tuf.secrets.tsa.name | string | `"tsa-cert-chain"` | |
| tuf.secrets.tsa.path | string | `"tsa.certchain.pem"` | |
| tuf.tolerations | list | `[]` | |

----------------------------------------------
1 change: 0 additions & 1 deletion charts/scaffold/templates/_helpers.tpl
Expand Up @@ -8,4 +8,3 @@ Create the image path for the passed in image field
{{- printf "%s/%s:%s" .registry .repository .version -}}
{{- end -}}
{{- end -}}

6 changes: 3 additions & 3 deletions charts/scaffold/templates/clusterrole.yaml
Expand Up @@ -6,8 +6,8 @@ metadata:
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "create", "patch"]
verbs: ["get", "create", "patch"{{- if .Values.copySecretJob.copySecretCronJob.enabled }}, "delete"{{- end }}]
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["get", "list"]
{{- end }}
verbs: ["get", "list"{{- if .Values.copySecretJob.copySecretCronJob.enabled }}, "update"{{- end }}]
{{- end }}
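Review bot: The `delete` verb added on the secrets rule is granted through a ClusterRole, so if the service account is bound with a ClusterRoleBinding (the binding is not in this diff) it may delete Secrets in every namespace, while the new cron job only ever runs `kubectl -n <tuf namespace> delete secret <name>` for the four copied secrets. A namespaced Role in the TUF namespace carrying `delete` — optionally narrowed with `resourceNames` to those four secret names — would keep the cluster-wide grant at `get`/`create`/`patch`, with a comment such as `# delete is only needed by the scheduled copy, which recreates the mirrored secrets in the TUF namespace`. On the deployments rule, `kubectl rollout restart` is, as far as I recall, implemented as a PATCH of the pod template, so `patch` rather than `update` may be the verb actually required; a dry run with the image's kubectl version would settle it. The `{{- if }}` that the final `{{- end }}` closes starts above this hunk.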
108 changes: 108 additions & 0 deletions charts/scaffold/templates/copy-secrets-cronjob.yaml
@@ -0,0 +1,108 @@
{{- if and .Values.copySecretJob.enabled .Values.copySecretJob.copySecretCronJob.enabled }}
apiVersion: batch/v1
kind: CronJob
metadata:
{{ include "tuf.namespace" .Subcharts.tuf | indent 2 }}
name: {{ .Values.copySecretJob.name }}-scheduled
spec:
schedule: "{{ .Values.copySecretJob.copySecretCronJob.schedule }}"
successfulJobsHistoryLimit: {{ default 2 .Values.copySecretJob.copySecretCronJob.successfulJobsHistoryLimit }}
failedJobsHistoryLimit: {{ default 2 .Values.copySecretJob.copySecretCronJob.failedJobsHistoryLimit }}
jobTemplate:
spec:
backoffLimit: {{ default 6 .Values.copySecretJob.copySecretCronJob.backoffLimit }}
template:
spec:
restartPolicy: OnFailure
serviceAccountName: {{ .Values.copySecretJob.serviceaccount }}
initContainers:
- name: wait-for-rekor-deployment-readiness
image: {{ template "scaffold.image" .Values.copySecretJob }}
imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }}
command: ["/bin/sh"]
args: [
"-c",
"kubectl rollout status deployment {{ .Values.tuf.secrets.rekor.deploymentName }} --timeout=120s -n {{ .Values.tuf.secrets.rekor.namespace }}"
]
- name: wait-for-fulcio-deployment-readiness
image: {{ template "scaffold.image" .Values.copySecretJob }}
imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }}
command: ["/bin/sh"]
args: [
"-c",
"kubectl rollout status deployment {{ .Values.tuf.secrets.fulcio.deploymentName }} --timeout=120s -n {{ .Values.tuf.secrets.fulcio.namespace }}"
]
- name: wait-for-ctlog-deployment-readiness
image: {{ template "scaffold.image" .Values.copySecretJob }}
imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }}
command: ["/bin/sh"]
args: [
"-c",
"kubectl rollout status deployment {{ .Values.tuf.secrets.ctlog.deploymentName }} --timeout=120s -n {{ .Values.tuf.secrets.ctlog.namespace }}"
]
- name: wait-for-tsa-deployment-readiness
image: {{ template "scaffold.image" .Values.copySecretJob }}
imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }}
command: ["/bin/sh"]
args: [
"-c",
"kubectl rollout status deployment {{ .Values.tuf.secrets.tsa.deploymentName }} --timeout=120s -n {{ .Values.tuf.secrets.tsa.namespace }}"
]
containers:
- name: copy-rekor-secret
image: {{ template "scaffold.image" .Values.copySecretJob }}
imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }}
command: ["/bin/sh"]
args: [
"-c",
"curl {{ .Values.tuf.secrets.rekor.deploymentName}}.{{ .Values.tuf.secrets.rekor.namespace }}.svc.cluster.local/api/v1/log/publicKey -o /tmp/key -v && \
kubectl apply -f - <<EOF\napiVersion: v1\nkind: Secret\nmetadata:\n name: {{ .Values.tuf.secrets.rekor.name }}\n namespace: {{ include "tuf.rawnamespace" .Subcharts.tuf }}\ndata:\n key: $(cat /tmp/key | base64 -w 0)\nEOF\n"
]
- name: copy-fulcio-secret
image: {{ template "scaffold.image" .Values.copySecretJob }}
imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }}
command: ["/bin/sh"]
args: [
"-c",
"kubectl -n {{ include "tuf.rawnamespace" .Subcharts.tuf }} delete secret {{ .Values.tuf.secrets.fulcio.name }} --ignore-not-found && \
kubectl -n {{ .Values.tuf.secrets.fulcio.namespace }} get secrets {{ .Values.tuf.secrets.fulcio.name }} -oyaml | sed 's/namespace: .*/namespace: {{ include "tuf.rawnamespace" .Subcharts.tuf }}/' | kubectl apply -f -"
]
- name: copy-ctlog-secret
image: {{ template "scaffold.image" .Values.copySecretJob }}
imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }}
command: ["/bin/sh"]
args: [
"-c",
"kubectl -n {{ include "tuf.rawnamespace" .Subcharts.tuf }} delete secret {{ .Values.tuf.secrets.ctlog.name }} --ignore-not-found && \
kubectl -n {{ .Values.tuf.secrets.ctlog.namespace }} get secrets {{ .Values.tuf.secrets.ctlog.name }} -oyaml | sed 's/namespace: .*/namespace: {{ include "tuf.rawnamespace" .Subcharts.tuf }}/' | kubectl apply -f -"
]
- name: copy-tsa-secret
image: {{ template "scaffold.image" .Values.copySecretJob }}
imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }}
command: ["/bin/sh"]
args: [
"-c",
"curl {{ .Values.tuf.secrets.tsa.deploymentName}}.{{ .Values.tuf.secrets.tsa.namespace }}.svc.cluster.local/api/v1/timestamp/certchain -o /tmp/cert-chain -v && \
kubectl apply -f - <<EOF\napiVersion: v1\nkind: Secret\nmetadata:\n name: {{ .Values.tuf.secrets.tsa.name }}\n namespace: {{ include "tuf.rawnamespace" .Subcharts.tuf }}\ndata:\n cert-chain: $(cat /tmp/cert-chain | base64 -w 0)\nEOF\n"
]
- name: rollout-restart-tuf
image: {{ template "scaffold.image" .Values.copySecretJob }}
imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }}
command: ["/bin/sh"]
args: [
"-c",
"kubectl -n {{ include "tuf.rawnamespace" .Subcharts.tuf }} rollout restart deployment {{ .Values.tuf.fullnameOverride}}"
]
{{- if .Values.copySecretJob.nodeSelector }}
nodeSelector:
{{ toYaml .Values.copySecretJob.nodeSelector | indent 12 }}
{{- end }}
{{- if .Values.copySecretJob.tolerations }}
tolerations:
{{ toYaml .Values.copySecretJob.tolerations | indent 12 }}
{{- end }}
{{- if .Values.copySecretJob.affinity }}
affinity:
{{ toYaml .Values.copySecretJob.affinity | indent 12 }}
{{- end }}
{{- end }}
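Review bot: The CronJob `spec:` sets no `concurrencyPolicy`, so with the default `Allow` a run that stalls in the four `rollout status --timeout=120s` init containers, or in a `curl` that has no timeout, can overlap the next tick (the README default is `*/5 * * * 1-5`) and two pods then race on the same `delete secret` / `kubectl apply -f -` sequence; add `concurrencyPolicy: Forbid` beneath `schedule:` (and consider `startingDeadlineSeconds`). In `copy-rekor-secret` and `copy-tsa-secret`, `curl ... -o /tmp/key -v` exits 0 on an HTTP error status, so a 404/503 body would be base64-encoded into the secret and `rollout-restart-tuf` would then restart TUF onto that bad value; `curl -fsS --max-time 30 ...` makes the `&&` chain stop instead. The README and values.schema.json in this same commit move the per-service settings from `tuf.secrets.*` to a top-level `secrets.*`, yet this template reads `.Values.tuf.secrets.<svc>.deploymentName` and `.namespace` — if values.yaml (not in view) no longer defines `tuf.secrets`, those render as empty strings inside the kubectl commands, so this needs confirming before release. `rollout-restart-tuf` also runs on every tick regardless of whether anything changed, which restarts the TUF deployment on each schedule; comparing the fetched material with the existing secret before restarting would avoid that churn.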
6 changes: 3 additions & 3 deletions charts/scaffold/templates/copy-secrets-job.yaml
Expand Up @@ -3,9 +3,9 @@ apiVersion: batch/v1
kind: Job
metadata:
{{ include "tuf.namespace" .Subcharts.tuf | indent 2 }}
name: {{ .Values.copySecretJob.name }}
name: {{ .Values.copySecretJob.name }}{{- if not .Values.copySecretJob.copySecretCronJob.enabled }}{{- else }}-immediate{{- end }}
spec:
backoffLimit: {{ .Values.copySecretJob.backoffLimit }}
backoffLimit: {{ default 6 .Values.copySecretJob.backoffLimit }}
template:
spec:
restartPolicy: OnFailure
Expand Down Expand Up @@ -90,4 +90,4 @@ spec:
affinity:
{{ toYaml .Values.copySecretJob.affinity | indent 8 }}
{{- end }}
{{- end }}
{{- end }}
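Review bot: The name expression `{{- if not .Values.copySecretJob.copySecretCronJob.enabled }}{{- else }}-immediate{{- end }}` has an empty `if` branch and reads as a double negative; `name: {{ .Values.copySecretJob.name }}{{- if .Values.copySecretJob.copySecretCronJob.enabled }}-immediate{{- end }}` renders the same output. A comment above `name:` such as `# suffixed with -immediate when the CronJob is enabled so the one-shot Job and the scheduled resource do not collide` would record why the suffix exists, since nothing in the template says so. The `{{- if }}` closed by the final `{{- end }}` in the second hunk starts above the first hunk.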
166 changes: 117 additions & 49 deletions charts/scaffold/values.schema.json
Expand Up @@ -10,6 +10,26 @@
"backoffLimit": {
"type": "integer"
},
"copySecretCronJob": {
"properties": {
"backoffLimit": {
"type": "integer"
},
"enabled": {
"type": "boolean"
},
"failedJobsHistoryLimit": {
"type": "integer"
},
"schedule": {
"type": "string"
},
"successfulJobsHistoryLimit": {
"type": "integer"
}
},
"type": "object"
},
"enabled": {
"type": "boolean"
},
Expand Down Expand Up @@ -221,6 +241,103 @@
},
"type": "object"
},
"secrets": {
"properties": {
"ctlog": {
"properties": {
"create": {
"type": "boolean"
},
"deploymentName": {
"type": "string"
},
"key": {
"type": "string"
},
"name": {
"type": "string"
},
"namespace": {
"type": "string"
},
"path": {
"type": "string"
}
},
"type": "object"
},
"fulcio": {
"properties": {
"create": {
"type": "boolean"
},
"deploymentName": {
"type": "string"
},
"key": {
"type": "string"
},
"name": {
"type": "string"
},
"namespace": {
"type": "string"
},
"path": {
"type": "string"
}
},
"type": "object"
},
"rekor": {
"properties": {
"create": {
"type": "boolean"
},
"deploymentName": {
"type": "string"
},
"key": {
"type": "string"
},
"name": {
"type": "string"
},
"namespace": {
"type": "string"
},
"path": {
"type": "string"
}
},
"type": "object"
},
"tsa": {
"properties": {
"create": {
"type": "boolean"
},
"deploymentName": {
"type": "string"
},
"key": {
"type": "string"
},
"name": {
"type": "string"
},
"namespace": {
"type": "string"
},
"path": {
"type": "string"
}
},
"type": "object"
}
},
"type": "object"
},
"trillian": {
"properties": {
"affinity": {
Expand Down Expand Up @@ -364,55 +481,6 @@
"properties": {},
"type": "object"
},
"secrets": {
"properties": {
"ctlog": {
"properties": {
"name": {
"type": "string"
},
"path": {
"type": "string"
}
},
"type": "object"
},
"fulcio": {
"properties": {
"name": {
"type": "string"
},
"path": {
"type": "string"
}
},
"type": "object"
},
"rekor": {
"properties": {
"name": {
"type": "string"
},
"path": {
"type": "string"
}
},
"type": "object"
},
"tsa": {
"properties": {
"name": {
"type": "string"
},
"path": {
"type": "string"
}
},
"type": "object"
}
},
"type": "object"
},
"tolerations": {
"type": "array"
}
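Review bot: The integer limits added under `copySecretCronJob` (`backoffLimit`, `failedJobsHistoryLimit`, `successfulJobsHistoryLimit`) carry no `minimum`, so a negative value passes chart validation and is only rejected by the API server at apply time; `"minimum": 0` on each fails fast, and `schedule` could take `"minLength": 1` since an empty string renders an invalid CronJob. The hunk at `@@ -221,6 +241,103 @@` adds `secrets.*` at the chart's top level while the last hunk removes it from under `tuf`, but the new copy-secrets-cronjob.yaml in this commit reads `.Values.tuf.secrets.*`; unless values.yaml (not in view) still defines both, either the schema or the template points at the wrong path, and because these hunks show no `additionalProperties: false` the mismatch would not be caught by validation.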