

Merge branch 'main' into dependabot/go_modules/github.com/open-policy…
…-agent/opa-0.65.0
dmjb authored May 31, 2024
2 parents 0c0659c + bebb689 commit 62199d3
Showing 4 changed files with 200 additions and 0 deletions.
20 changes: 20 additions & 0 deletions deployment/helm/README.md
Expand Up @@ -88,9 +88,29 @@ installed in the namespace specified by your current Kubernetes context.
| migrationSettings.imagePullPolicy | string | `"IfNotPresent"` | Image pull policy to use for the migration job |
| migrationSettings.resources | object | `{"limits":{"cpu":1,"memory":"300Mi"},"requests":{"cpu":"200m","memory":"200Mi"}}` | Resources to use for the migration job |
| migrationSettings.sidecarContainers | array, optional | `nil` | Additional configuration for sidecar containers |
| rotateProviderTokensJobSettings.extraEnv | list | `[]` | |
| rotateProviderTokensJobSettings.extraVolumeMounts | list | `[]` | |
| rotateProviderTokensJobSettings.extraVolumes | list | `[]` | |
| rotateProviderTokensJobSettings.image | string | `"ko://github.com/stacklok/minder/cmd/server"` | |
| rotateProviderTokensJobSettings.imagePullPolicy | string | `"IfNotPresent"` | |
| rotateProviderTokensJobSettings.resources | object | `{}` | |
| rotateProviderTokensJobSettings.restartPolicy | string | `"OnFailure"` | |
| rotateProviderTokensJobSettings.schedule | string | `"0 2 * * *"` | |
| rotateProviderTokensJobSettings.sidecarContainers | list | `[]` | |
| service.grpcPort | int | `8090` | Port for the gRPC API |
| service.httpPort | int | `8080` | Port for the HTTP API |
| service.metricPort | int | `9090` | Port for the metrics endpoint |
| serviceAccounts.migrate | string, optional | `""` | If non-empty, minder will use the named ServiceAccount resources rather than creating a ServiceAccount |
| serviceAccounts.rotateProviderTokensJob | string | `""` | |
| serviceAccounts.server | string, optional | `""` | If non-empty, minder will use the named ServiceAccount resources rather than creating a ServiceAccount |
| serviceAccounts.sessionExpirationPurgeJob | string | `""` | |
| sessionExpirationPurgeJobSettings.extraEnv | list | `[]` | |
| sessionExpirationPurgeJobSettings.extraVolumeMounts | list | `[]` | |
| sessionExpirationPurgeJobSettings.extraVolumes | list | `[]` | |
| sessionExpirationPurgeJobSettings.image | string | `"ko://github.com/stacklok/minder/cmd/server"` | |
| sessionExpirationPurgeJobSettings.imagePullPolicy | string | `"IfNotPresent"` | |
| sessionExpirationPurgeJobSettings.resources | object | `{}` | |
| sessionExpirationPurgeJobSettings.restartPolicy | string | `"OnFailure"` | |
| sessionExpirationPurgeJobSettings.schedule | string | `"0 0 * * *"` | |
| sessionExpirationPurgeJobSettings.sidecarContainers | list | `[]` | |
| trusty.endpoint | string | `"https://api.trustypkg.dev"` | Trusty host to use |
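--- /dev/null
+++ b/deployment/helm/templates/rotate_provider_tokens.yaml
@@ -0,0 +1,78 @@
+# Copyright 2024 Stacklok, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Note that this assumes read/write permissions to the provider_access_tokens database
+# table.
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+name: rotate-provider-tokens
+spec:
+schedule: {{ .Values.rotateProviderTokensJobSettings.schedule | quote }}
+jobTemplate:
+spec:
+template:
+spec:
+serviceAccountName: {{ .Values.serviceAccounts.rotateProviderTokensJob | default "minder" }}
+containers:
+- name: rotator
+image: {{ .Values.rotateProviderTokensJobSettings.image }}
+# restricted security context:
+# https://kubernetes.io/docs/concepts/security/pod-security-standards/
+securityContext:
+allowPrivilegeEscalation: false
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault
+capabilities:
+drop:
+- ALL
+args:
+- encryption
+- rotate-provider-tokens
+- "--yes"
+- "--db-host={{ .Values.db.host }}"
+- "--config=/config/server-config.yaml"
+# We use two config files, one with all the defaults, and one with
+# additional override values from helm. (This is a viper feature.)
+- "--config=/config/overrides.yaml"
+imagePullPolicy: {{ .Values.rotateProviderTokensJobSettings.imagePullPolicy }}
+resources:
+{{- toYaml .Values.rotateProviderTokensJobSettings.resources | nindent 14 }}
+{{- if .Values.rotateProviderTokensJobSettings.extraEnv }}
+env:
+{{- toYaml .Values.rotateProviderTokensJobSettings.extraEnv | nindent 14 }}
+{{- end }}
+volumeMounts:
+- name: config
+mountPath: /config
+{{- if .Values.rotateProviderTokensJobSettings.extraVolumeMounts }}
+{{- toYaml .Values.rotateProviderTokensJobSettings.extraVolumeMounts | nindent 14 }}
+{{- end }}
+{{- if .Values.rotateProviderTokensJobSettings.sidecarContainers }}
+{{- toYaml .Values.rotateProviderTokensJobSettings.sidecarContainers | nindent 10 }}
+{{- end }}
+restartPolicy: {{ .Values.rotateProviderTokensJobSettings.restartPolicy | quote }}
+volumes:
+- name: config
+configMap:
+name: db-update-config
+items:
+- key: server-config.yaml
+path: server-config.yaml
+- key: overrides.yaml
+path: overrides.yaml
+{{- if .Values.rotateProviderTokensJobSettings.extraVolumes }}
+{{- toYaml .Values.rotateProviderTokensJobSettings.extraVolumes | nindent 10 }}
+{{- end }}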
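Review bot: The CronJob `spec:` sets `schedule` but no `concurrencyPolicy`, so the Kubernetes default (Allow) lets a slow or stuck rotation overlap with the next scheduled run against the same provider_access_tokens rows; session_expiration_purge_job.yaml has the same gap. Next to `schedule:` add `concurrencyPolicy: Forbid` with a comment such as `# never run two rotations at once; both would rewrite the same token rows`. The restricted securityContext is a good baseline; `readOnlyRootFilesystem: true` would fit it since the container only mounts /config, though whether the binary writes elsewhere cannot be confirmed from this template. A `backoffLimit` or `activeDeadlineSeconds` on the Job spec would bound retries of a failing rotation instead of relying on `restartPolicy: OnFailure` alone.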
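--- /dev/null
+++ b/deployment/helm/templates/session_expiration_purge_job.yaml
@@ -0,0 +1,78 @@
+# Copyright 2024 Stacklok, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Note that this assumes read/write permissions to the session_store database
+# table.
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+name: session-expiration-purge
+spec:
+schedule: {{ .Values.sessionExpirationPurgeJobSettings.schedule | quote }}
+jobTemplate:
+spec:
+template:
+spec:
+serviceAccountName: {{ .Values.serviceAccounts.sessionExpirationPurgeJob | default "minder" }}
+containers:
+- name: purger
+image: {{ .Values.sessionExpirationPurgeJobSettings.image }}
+# restricted security context:
+# https://kubernetes.io/docs/concepts/security/pod-security-standards/
+securityContext:
+allowPrivilegeEscalation: false
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault
+capabilities:
+drop:
+- ALL
+args:
+- encryption
+- purge-sessions
+- "--yes"
+- "--db-host={{ .Values.db.host }}"
+- "--config=/config/server-config.yaml"
+# We use two config files, one with all the defaults, and one with
+# additional override values from helm. (This is a viper feature.)
+- "--config=/config/overrides.yaml"
+imagePullPolicy: {{ .Values.sessionExpirationPurgeJobSettings.imagePullPolicy }}
+resources:
+{{- toYaml .Values.sessionExpirationPurgeJobSettings.resources | nindent 14 }}
+{{- if .Values.sessionExpirationPurgeJobSettings.extraEnv }}
+env:
+{{- toYaml .Values.sessionExpirationPurgeJobSettings.extraEnv | nindent 14 }}
+{{- end }}
+volumeMounts:
+- name: config
+mountPath: /config
+{{- if .Values.sessionExpirationPurgeJobSettings.extraVolumeMounts }}
+{{- toYaml .Values.sessionExpirationPurgeJobSettings.extraVolumeMounts | nindent 14 }}
+{{- end }}
+{{- if .Values.sessionExpirationPurgeJobSettings.sidecarContainers }}
+{{- toYaml .Values.sessionExpirationPurgeJobSettings.sidecarContainers | nindent 10 }}
+{{- end }}
+restartPolicy: {{ .Values.sessionExpirationPurgeJobSettings.restartPolicy | quote }}
+volumes:
+- name: config
+configMap:
+name: minder-config
+items:
+- key: server-config.yaml
+path: server-config.yaml
+- key: overrides.yaml
+path: overrides.yaml
+{{- if .Values.sessionExpirationPurgeJobSettings.extraVolumes }}
+{{- toYaml .Values.sessionExpirationPurgeJobSettings.extraVolumes | nindent 10 }}
+{{- end }}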
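Review bot: This CronJob mounts the `minder-config` ConfigMap while the otherwise identical rotate_provider_tokens.yaml mounts `db-update-config` for the same two keys (server-config.yaml and overrides.yaml), and nothing in either template says why. If the two ConfigMaps are meant to differ (for instance in which database settings they carry), a comment above `configMap:` such as `# the purge job only needs the server's config; the rotate job uses the DB-update config` would stop the next edit from "fixing" the mismatch; if they are not meant to differ, the two templates should agree. The two files differ only in the resource name, the args and the values subtree, so the shared pod spec (securityContext, config volume, extraEnv/extraVolumes handling) is a candidate for a named `define` template so that a future hardening change lands in both jobs. Both points are inferred from the diff alone; the rest of the chart is not visible here.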
24 changes: 24 additions & 0 deletions deployment/helm/values.yaml
Expand Up @@ -58,6 +58,8 @@ serviceAccounts:
migrate: ""
# -- (string, optional) If non-empty, minder will use the named ServiceAccount resources rather than creating a ServiceAccount
server: ""
sessionExpirationPurgeJob: ""
rotateProviderTokensJob: ""

# ingress settings
ingress:
Expand Down Expand Up @@ -139,6 +141,28 @@ deploymentSettings:
# -- (int) Max surge pods during a rolling update
maxSurge: 2

sessionExpirationPurgeJobSettings:
schedule: "0 0 * * *"
image: ko://github.com/stacklok/minder/cmd/server
restartPolicy: "OnFailure"
imagePullPolicy: "IfNotPresent"
resources: {}
extraEnv: []
extraVolumeMounts: []
extraVolumes: []
sidecarContainers: []

rotateProviderTokensJobSettings:
# Run daily a couple of hours after the session expiration purge job
schedule: "0 2 * * *"
image: ko://github.com/stacklok/minder/cmd/server
restartPolicy: "OnFailure"
imagePullPolicy: "IfNotPresent"
resources: {}
extraEnv: []
extraVolumeMounts: []
extraVolumes: []
sidecarContainers: []

# -- (string) Additional configuration yaml beyond what's in server-config.yaml.example
extra_config: |
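Review bot: The new `serviceAccounts.sessionExpirationPurgeJob` and `rotateProviderTokensJob` keys, and every field of the two new `*JobSettings` blocks, carry no `# -- (type) …` helm-docs comment, unlike the sibling `server:` key just above them, which is why the corresponding README rows in this commit are generated with empty descriptions. Add, for example, `# -- (string, optional) If non-empty, the named ServiceAccount is used for the rotate-provider-tokens CronJob instead of the chart default` above `rotateProviderTokensJob: ""`, and the equivalent above the purge key and each settings field. Those comments should also say that an empty value makes both CronJobs fall back to `default "minder"` in the templates, presumably the server's ServiceAccount, so any extra RBAC granted to the server is inherited by the jobs; a dedicated, narrower ServiceAccount per job is the least-privilege choice, and whether the chart creates one is not visible in this diff. For consistency with the sibling quoted `restartPolicy` and `imagePullPolicy` values, write `image: "ko://github.com/stacklok/minder/cmd/server"`.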

