

Trust-anchor in all pods (#76)
* Trust-anchor in all pods

* Removing xtra params Graphql

* Fix insertion in systemd-cronjob j2
gildub authored Oct 11, 2024
1 parent ff16251 commit 241e8fb
Showing 25 changed files with 101 additions and 34 deletions.
2 changes: 2 additions & 0 deletions roles/tpa_single_node/tasks/bombastic/indexer.yml
Expand Up @@ -6,3 +6,5 @@
systemd_file: bombastic-indexer
network: "{{ tpa_single_node_podman_network }}"
kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/bombastic/indexer/Deployment.yaml.j2') | from_yaml }}"
configmaps:
- "{{ tpa_single_node_kube_manifest_dir }}/ConfigMaps/custom-trust-anchor.yaml"
2 changes: 2 additions & 0 deletions roles/tpa_single_node/tasks/bombastic/walker.yml
Expand Up @@ -10,3 +10,5 @@
timer_type: monotonic # realtime
time_pattern: 1h # *:0/10 for realtime instead of monotonic
kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/bombastic/walker/Deployment.yaml.j2') | from_yaml }}"
configmaps:
- "{{ tpa_single_node_kube_manifest_dir }}/ConfigMaps/custom-trust-anchor.yaml"
1 change: 1 addition & 0 deletions roles/tpa_single_node/tasks/collector/osv.yml
Expand Up @@ -24,4 +24,5 @@
configmaps:
- "{{ tpa_single_node_kube_manifest_dir }}/ConfigMaps/collector-osv.yaml"
- "{{ tpa_single_node_kube_manifest_dir }}/ConfigMaps/collectorist-api-guac.yaml"
- "{{ tpa_single_node_kube_manifest_dir }}/ConfigMaps/custom-trust-anchor.yaml"
configmap_changed: "{{ oidc_configmap_result.changed or collectorist_api_configmap_result.changed }}"
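Review bot: The added `custom-trust-anchor.yaml` entry is not reflected in `configmap_changed`, which still only ORs the OIDC and collectorist-api results, so if that expression is what drives a redeploy of the unit, a replaced trust anchor would not be picked up by an already-running pod. The same gap exists in collectorist/api.yml and v11y/api.yml in this commit. If the role registers a result for the trust-anchor ConfigMap task, fold it in, e.g. `configmap_changed: "{{ oidc_configmap_result.changed or collectorist_api_configmap_result.changed or TRUST_ANCHOR_RESULT_PLACEHOLDER.changed }}"` (placeholder for whatever that task registers). While touching v11y/api.yml, note that its `configmap_changed: oidc_configmap_result.changed` is a bare string rather than a `"{{ ... }}"` expression like the other two files, so it does not evaluate the same way.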
1 change: 1 addition & 0 deletions roles/tpa_single_node/tasks/collectorist/api.yml
Expand Up @@ -35,4 +35,5 @@
configmaps:
- "{{ tpa_single_node_kube_manifest_dir }}/ConfigMaps/collectorist-api.yaml"
- "{{ tpa_single_node_kube_manifest_dir }}/ConfigMaps/collectorist-api-guac.yaml"
- "{{ tpa_single_node_kube_manifest_dir }}/ConfigMaps/custom-trust-anchor.yaml"
configmap_changed: "{{ oidc_configmap_result.changed or collectorist_api_configmap_result.changed }}"
2 changes: 2 additions & 0 deletions roles/tpa_single_node/tasks/guac/bombastic_collector.yml
Expand Up @@ -7,3 +7,5 @@
systemd_file: guac-collector-bombastic
network: "{{ tpa_single_node_podman_network }}"
kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/guac/bombastic-collector/Deployment.yaml.j2') | from_yaml }}"
configmaps:
- "{{ tpa_single_node_kube_manifest_dir }}/ConfigMaps/custom-trust-anchor.yaml"
2 changes: 2 additions & 0 deletions roles/tpa_single_node/tasks/guac/vexination_collector.yml
Expand Up @@ -7,3 +7,5 @@
systemd_file: guac-collector-vexination
network: "{{ tpa_single_node_podman_network }}"
kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/guac/vexination-collector/Deployment.yaml.j2') | from_yaml }}"
configmaps:
- "{{ tpa_single_node_kube_manifest_dir }}/ConfigMaps/custom-trust-anchor.yaml"
1 change: 1 addition & 0 deletions roles/tpa_single_node/tasks/v11y/api.yml
Expand Up @@ -16,4 +16,5 @@
kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/v11y/api/Deployment.yaml.j2') | from_yaml }}"
configmaps:
- "{{ tpa_single_node_kube_manifest_dir }}/ConfigMaps/v11y-api.yaml"
- "{{ tpa_single_node_kube_manifest_dir }}/ConfigMaps/custom-trust-anchor.yaml"
configmap_changed: oidc_configmap_result.changed
2 changes: 2 additions & 0 deletions roles/tpa_single_node/tasks/v11y/indexer.yml
Expand Up @@ -6,3 +6,5 @@
systemd_file: v11y-indexer
network: "{{ tpa_single_node_podman_network }}"
kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/v11y/indexer/Deployment.yaml.j2') | from_yaml }}"
configmaps:
- "{{ tpa_single_node_kube_manifest_dir }}/ConfigMaps/custom-trust-anchor.yaml"
2 changes: 2 additions & 0 deletions roles/tpa_single_node/tasks/v11y/walker.yml
Expand Up @@ -10,3 +10,5 @@
time_pattern: 1h # *:0/10 for realtime instead of monotonic
network: "{{ tpa_single_node_podman_network }}"
kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/v11y/walker/Deployment.yaml.j2') | from_yaml }}"
configmaps:
- "{{ tpa_single_node_kube_manifest_dir }}/ConfigMaps/custom-trust-anchor.yaml"
2 changes: 2 additions & 0 deletions roles/tpa_single_node/tasks/vexination/indexer.yml
Expand Up @@ -6,3 +6,5 @@
systemd_file: vexination-indexer
network: "{{ tpa_single_node_podman_network }}"
kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/vexination/indexer/Deployment.yaml.j2') | from_yaml }}"
configmaps:
- "{{ tpa_single_node_kube_manifest_dir }}/ConfigMaps/custom-trust-anchor.yaml"
2 changes: 2 additions & 0 deletions roles/tpa_single_node/tasks/vexination/walker.yml
Expand Up @@ -10,3 +10,5 @@
time_pattern: 1h # *:0/10 for realtime instead of monotonic
network: "{{ tpa_single_node_podman_network }}"
kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/vexination/walker/Deployment.yaml.j2') | from_yaml }}"
configmaps:
- "{{ tpa_single_node_kube_manifest_dir }}/ConfigMaps/custom-trust-anchor.yaml"
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,9 @@ spec:
- name: bombastic-indexer-event-secret
secret:
secretName: event_secret
- name: trust-anchor
configMap:
name: custom-trust-anchor
containers:
- name: service
image: "{{ tpa_single_node_trustification_image }}"
Expand Down Expand Up @@ -138,3 +141,6 @@ spec:
name: bombastic-indexer-storage-secret
- mountPath: /etc/bombastic-indexer-event-secret
name: bombastic-indexer-event-secret
- name: trust-anchor
mountPath: /etc/trust-anchor
readOnly: true
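Review bot: Mounting the `custom-trust-anchor` ConfigMap at `/etc/trust-anchor` only places the file in the container filesystem; nothing in this hunk points the service at that path, so confirm the image actually loads a CA from there (an env var or flag naming the mount, or a directory its trust store already scans) — otherwise the new volume is inert and outbound TLS still fails against the custom CA. The same addition appears in the bombastic walker, collector-osv, collectorist-api, guac bombastic-collector, v11y api/indexer/walker and vexination indexer/walker manifests below, so one comment above the volume, e.g. `# CA bundle from the custom-trust-anchor ConfigMap; the service reads it via <ENV_OR_FLAG_PLACEHOLDER>`, would record that dependency in each. Stylistically, the new mount lists `name:` before `mountPath:` while the adjacent entries in the same list put `mountPath:` first; matching the surrounding order keeps the list easy to scan. The enclosing `spec` starts outside this hunk.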
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,9 @@ spec:
- name: oidc-secret
secret:
secretName: oidc_secret
- name: trust-anchor
configMap:
name: custom-trust-anchor
containers:
- image: "{{ tpa_single_node_trustification_image }}"
imagePullPolicy: Always
Expand Down Expand Up @@ -69,6 +72,9 @@ spec:
name: walker-state
- mountPath: /etc/oidc-secret
name: oidc-secret
- name: trust-anchor
mountPath: /etc/trust-anchor
readOnly: true
livenessProbe:
httpGet:
path: /health/live
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,9 @@ spec:
- name: collector-oidc-secret
secret:
secretName: oidc_secret
- name: trust-anchor
configMap:
name: custom-trust-anchor
containers:
- name: service
image: "{{ tpa_single_node_trustification_image }}"
Expand Down Expand Up @@ -106,6 +109,9 @@ spec:
- name: config-auth
mountPath: /etc/config/auth.yaml
subPath: auth.yaml
- name: trust-anchor
mountPath: /etc/trust-anchor
readOnly: true
livenessProbe:
initialDelaySeconds: 2
httpGet:
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,9 @@ spec:
- name: config
configMap:
name: collectorist-api
- name: trust-anchor
configMap:
name: custom-trust-anchor
containers:
- name: service
image: "{{ tpa_single_node_trustification_image }}"
Expand Down Expand Up @@ -106,6 +109,9 @@ spec:
- name: config-auth
mountPath: /etc/config/auth.yaml
subPath: auth.yaml
- name: trust-anchor
mountPath: /etc/trust-anchor
readOnly: true
livenessProbe:
initialDelaySeconds: 2
httpGet:
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,9 @@ spec:
- name: bombastic-collector-event-secret
secret:
secretName: event_secret
- name: trust-anchor
configMap:
name: custom-trust-anchor
containers:
- name: service
image: {{ tpa_single_node_guac_image }}
Expand Down Expand Up @@ -113,3 +116,6 @@ spec:
name: bombastic-collector-storage-secret
- mountPath: /etc/bombastic-collector-event-secret
name: bombastic-collector-event-secret
- name: trust-anchor
mountPath: /etc/trust-anchor
readOnly: true
Original file line number Diff line number Diff line change
Expand Up @@ -43,41 +43,29 @@ spec:
command:
- /opt/guac/guacgql
args:
- --gql-listen-port={{ tpa_single_node_guac_graphql_port }}
- --gql-backend=ent
- --db-address=postgres://{{ tpa_single_node_pg_user }}:{{ tpa_single_node_pg_user_passwd }}@{{ tpa_single_node_pg_host }}:{{ tpa_single_node_pg_port }}/{{ tpa_single_node_pg_db }}?sslmode={{ tpa_single_node_pg_ssl_mode }}
- --db-driver=postgres
- --db-debug=true
- --gql-debug=true
workingDir: /opt/guac
env:
- name: GUAC_PROMETHEUS_ADDR
value: '9010'
- name: GUAC_GQL_TLS_CERT_FILE
value: /etc/tls/tls.crt
- name: GUAC_GQL_TLS_KEY_FILE
value: /etc/tls/tls.key
volumeMounts:
- mountPath: /etc/tls
name: tls
readOnly: true
- name: trust-anchor
mountPath: /etc/trust-anchor
readOnly: true
readinessProbe:
httpGet:
path: /healthz
port: {{ tpa_single_node_guac_graphql_port }}
scheme: HTTPS
scheme: HTTP
ports:
- containerPort: 9010
protocol: TCP
name: infra
- containerPort: {{ tpa_single_node_guac_graphql_port }}
protocol: TCP
name: endpoint
hostPort: {{ tpa_single_node_guac_graphql_port }}
hostIP: {{ tpa_single_node_rhel_host }}
volumes:
- name: tls
secret:
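Review bot: The readiness probe scheme flips from `HTTPS` to `HTTP` while the `GUAC_GQL_TLS_CERT_FILE`/`GUAC_GQL_TLS_KEY_FILE` env vars, the `/etc/tls` mount and the `hostPort`/`hostIP` binding still appear in the hunk; with the +/- markers lost on this page I cannot tell which of those survive, but the combination is inconsistent either way. If the server still serves TLS on `{{ tpa_single_node_guac_graphql_port }}`, an HTTP probe never succeeds and the pod never becomes ready; if TLS was dropped, the GraphQL API is published in plaintext on the host interface via `hostIP`, while the vexination collector in this same commit still configures `GUAC_GQL_TLS_ROOT_CA` against that host and port. Make the probe scheme, the TLS env vars and the clients agree, and if plaintext is intended, say so in a comment above `ports:` together with why the host binding is acceptable. If the `--db-address` argument with the embedded `{{ tpa_single_node_pg_user_passwd }}` is on the new side, it leaves the database password visible in the container's process listing and `podman inspect` output; an env var or secret file is the better carrier. The container definition starts before this hunk.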
Original file line number Diff line number Diff line change
Expand Up @@ -94,23 +94,28 @@ spec:
- name: GUAC_S3_QUEUES
value: "{{ tpa_single_node_vexination_topic_indexed }}"
- name: GUAC_GQL_ADDR
value: 127.0.0.1:8080/query
value: {{ tpa_single_node_rhel_host }}:{{ tpa_single_node_guac_graphql_port }}/query
- name: GUAC_CSUB_ADDR
value: 127.0.0.1:2782
# TODO
# - name: GUAC_CSUB_TLS_ROOT_CA
# value: /run/secrets/kubernetes.io/serviceaccount/service-ca.crt
# - name: GUAC_GQL_TLS_ROOT_CA
# value: /run/secrets/kubernetes.io/serviceaccount/service-ca.crt
value: {{ tpa_single_node_rhel_host }}:2782
- name: GUAC_CSUB_TLS_ROOT_CA
value: {{ tpa_single_node_root_ca }}
- name: GUAC_GQL_TLS_ROOT_CA
value: {{ tpa_single_node_root_ca }}
volumeMounts:
- mountPath: /etc/vexcolstoragesecret
name: vex-collector-storage-secret
- mountPath: /etc/vexcoloidcsecret
name: vex-collector-oidc-secret
- name: vex-collector-storage-secret
mountPath: /etc/vexcolstoragesecret
- name: vex-collector-oidc-secret
mountPath: /etc/vexcoloidcsecret
- name: trust-anchor
mountPath: /etc/trust-anchor
readOnly: true
volumes:
- name: vex-collector-storage-secret
secret:
secretName: storage_secret
- name: vex-collector-oidc-secret
secret:
secretName: oidc_secret
- name: trust-anchor
configMap:
name: custom-trust-anchor
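Review bot: `GUAC_CSUB_TLS_ROOT_CA` and `GUAC_GQL_TLS_ROOT_CA` are set to `{{ tpa_single_node_root_ca }}`, but the hunk mounts the CA ConfigMap at `/etc/trust-anchor`; unless that variable resolves to a file under the mount, the container will look for a path that exists only on the host and the new volume goes unused — confirm which path the variable carries. The templated values should also be quoted like `GUAC_S3_QUEUES` a few lines above (`value: "{{ tpa_single_node_root_ca }}"`), since an empty variable would render `value:` as null where a string is expected. `GUAC_GQL_ADDR` now targets `{{ tpa_single_node_rhel_host }}` while the exhort manifest in the same commit calls `guac-graphql-pod` over plain HTTP; two names and two schemes for the same endpoint make certificate SAN mismatches hard to diagnose, so pick one. The env list begins before this hunk.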
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@ spec:
- --crda-url
- https://rhda.rhcloud.com/api/v4/analysis
- --guac
- https://{{ tpa_single_node_rhel_host }}:{{ tpa_single_node_guac_graphql_port }}/query
- http://guac-graphql-pod:{{ tpa_single_node_guac_graphql_port }}/query
- --auth-configuration
- /etc/config/auth.yaml
env:
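Review bot: The `--guac` endpoint moves from `https://{{ tpa_single_node_rhel_host }}:…/query` to `http://guac-graphql-pod:…/query`, so this client now sends its GraphQL traffic without transport encryption or server authentication, and the trust anchor this commit adds everywhere has no effect on that hop. If the intent is to stay on the podman network and address the pod by name, keep `https://` and let the service verify against the mounted CA (which requires the GraphQL certificate to carry `guac-graphql-pod` as a SAN); if plaintext is deliberate, a comment above the argument saying so will stop the next reader from "fixing" it. Resolution of `guac-graphql-pod` presumably depends on the pods sharing a podman network with DNS enabled — worth confirming, since the previous value used the host address. The args list begins before this hunk.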
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,9 @@ spec:
- name: tls
secret:
secretName: tls_cert
- name: trust-anchor
configMap:
name: custom-trust-anchor
containers:
- image: "{{ tpa_single_node_trustification_image }}"
imagePullPolicy: IfNotPresent
Expand Down Expand Up @@ -74,6 +77,9 @@ spec:
name: v11y-api-storage-secret
- mountPath: /etc/v11yapioidcsecret
name: v11y-api-oidc-secret
- name: trust-anchor
mountPath: /etc/trust-anchor
readOnly: true
livenessProbe:
initialDelaySeconds: 2
httpGet:
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,9 @@ spec:
- name: v11y-indexer-event-secret
secret:
secretName: event_secret

- name: trust-anchor
configMap:
name: custom-trust-anchor
containers:
- name: service

Expand Down Expand Up @@ -157,5 +159,6 @@ spec:
name: v11y-indexer-storage-secret
- mountPath: /etc/v11yapieventsecret
name: v11y-indexer-event-secret


- name: trust-anchor
mountPath: /etc/trust-anchor
readOnly: true
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,9 @@ spec:
volumeMounts:
- mountPath: /mnt
name: cvelist
- name: trust-anchor
mountPath: /etc/trust-anchor
readOnly: true
args:
- "/trust"
- "v11y"
Expand Down Expand Up @@ -79,5 +82,6 @@ spec:
- name: cvelist
persistentVolumeClaim:
claimName: cvelist


- name: trust-anchor
configMap:
name: custom-trust-anchor
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,9 @@ spec:
- name: vexination-indexer-event-secret
secret:
secretName: event_secret
- name: trust-anchor
configMap:
name: custom-trust-anchor
containers:
- name: service
image: "{{ tpa_single_node_trustification_image }}"
Expand Down Expand Up @@ -138,3 +141,6 @@ spec:
name: vexination-indexer-storage-secret
- mountPath: /etc/vexination-indexer-event-secret
name: vexination-indexer-event-secret
- name: trust-anchor
mountPath: /etc/trust-anchor
readOnly: true
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,9 @@ spec:
- name: vexination-walker-oidc-secret
secret:
secretName: oidc_secret
- name: trust-anchor
configMap:
name: custom-trust-anchor
containers:
- image: "{{ tpa_single_node_trustification_image }}"
imagePullPolicy: Always
Expand Down Expand Up @@ -62,6 +65,9 @@ spec:
name: walker-state
- mountPath: /etc/vexwalkeroidcsecret
name: vexination-walker-oidc-secret
- name: trust-anchor
mountPath: /etc/trust-anchor
readOnly: true
livenessProbe:
httpGet:
path: /health/live
8 changes: 4 additions & 4 deletions roles/tpa_single_node/templates/systemd/systemd-cronjob.j2
Expand Up @@ -11,11 +11,11 @@ Type=notify
Environment=PODMAN_SYSTEMD_UNIT=%n
TimeoutStartSec=2400
ExecStart=/usr/bin/podman kube play --replace --service-container=true "{{ kube_play_file }}" --network "{{ podman_spec.network | default('podman') }}"
{% if podman_spec.configmaps is defined -%}
{%- for configmap in podman_spec.configmaps -%}
{%- if podman_spec.configmaps is defined %}
{%- for configmap in podman_spec.configmaps %}
--configmap "{{ configmap | default(omit) }}"
{% endfor -%}
{% endif -%}
{%- endfor %}
{%- endif %}

[Install]
WantedBy=default.target
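Review bot: `{{ configmap | default(omit) }}` on the `--configmap` line does not do what it suggests: `omit` is only honoured as a module argument, so inside rendered template text an undefined item would become the literal omit placeholder string, and items yielded by `for configmap in podman_spec.configmaps` are never undefined anyway — `--configmap "{{ configmap }}"` is sufficient. The whitespace control also deserves a check on rendered output rather than the template: with Ansible's default `trim_blocks`, `{%- if` removes the newline after the `ExecStart=` line and `{%- endfor` removes the one after each `--configmap`, so the flags land on the ExecStart line, which is what systemd needs (it does not join lines without a trailing `\`), but only if each `--configmap` line begins with a space; this page has stripped leading whitespace, so I cannot see whether it does. If it does not, the rendered line reads `…"podman"--configmap "…"` and podman receives a mangled network name. Rendering the unit once and inspecting the `ExecStart=` line settles both points.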
