From c3b2d1c7fb17390dd188454d76b92f7b73c2e14e Mon Sep 17 00:00:00 2001 
From: akash2237778 Date: Sun, 8 Dec 2024 18:43:14 +0530 Subject: [PATCH 1/6] fix: Restructure HELM charts, secrets encryption --- Dockerfile | 10 +++ Makefile | 4 +- deployment/templates/deployment.yaml | 40 --------- .../templates/mongodb/mongodb-deployment.yaml | 32 ------- deployment/templates/mongodb/mongodb-pvc.yaml | 30 ------- .../templates/mongodb/mongodb-service.yaml | 14 --- .../notify-completion-deployment.yaml | 25 ------ deployment/templates/pubgrade-pvc.yaml | 63 -------------- deployment/templates/services.yaml | 12 --- deployment/values.yaml | 33 ------- {deployment => helm}/Chart.yaml | 2 +- .../deployment.yaml | 25 ++++++ .../pubgrade-mongodb/deployment.yaml | 32 +++++++ helm/templates/pubgrade-mongodb/pvc.yaml | 30 +++++++ helm/templates/pubgrade-mongodb/service.yaml | 14 +++ .../pubgrade-webserver/deployment.yaml | 85 +++++++++++++++++++ .../pubgrade-webserver}/ingress.yaml | 18 ++-- helm/templates/pubgrade-webserver/pvc.yaml | 30 +++++++ .../pubgrade-webserver}/role-binding.yaml | 2 +- .../templates/pubgrade-webserver}/role.yaml | 0 .../pubgrade-webserver/secrets-encrypted.yaml | 37 ++++++++ .../pubgrade-webserver}/service-account.yaml | 2 +- .../pubgrade-webserver/services.yaml | 12 +++ helm/values.yaml | 60 +++++++++++++ pubgrade/config.yaml | 17 ++-- pubgrade/modules/endpoints/builds.py | 16 ++-- pubgrade/secrets.py | 9 -- .../utils/__init__.py | 0 pubgrade/utils/decrypt_secrets.py | 20 +++++ 29 files changed, 384 insertions(+), 290 deletions(-) delete mode 100644 deployment/templates/deployment.yaml delete mode 100644 deployment/templates/mongodb/mongodb-deployment.yaml delete mode 100644 deployment/templates/mongodb/mongodb-pvc.yaml delete mode 100644 deployment/templates/mongodb/mongodb-service.yaml delete mode 100644 deployment/templates/notify-completion-deployment.yaml delete mode 100644 deployment/templates/pubgrade-pvc.yaml delete mode 100644 deployment/templates/services.yaml delete mode 100644 deployment/values.yaml rename 
{deployment => helm}/Chart.yaml (87%) create mode 100644 helm/templates/pubgrade-build-complete-updater/deployment.yaml create mode 100644 helm/templates/pubgrade-mongodb/deployment.yaml create mode 100644 helm/templates/pubgrade-mongodb/pvc.yaml create mode 100644 helm/templates/pubgrade-mongodb/service.yaml create mode 100644 helm/templates/pubgrade-webserver/deployment.yaml rename {deployment/templates => helm/templates/pubgrade-webserver}/ingress.yaml (59%) create mode 100644 helm/templates/pubgrade-webserver/pvc.yaml rename {deployment/templates => helm/templates/pubgrade-webserver}/role-binding.yaml (82%) rename {deployment/templates => helm/templates/pubgrade-webserver}/role.yaml (100%) create mode 100644 helm/templates/pubgrade-webserver/secrets-encrypted.yaml rename {deployment/templates => helm/templates/pubgrade-webserver}/service-account.yaml (57%) create mode 100644 helm/templates/pubgrade-webserver/services.yaml create mode 100644 helm/values.yaml delete mode 100644 pubgrade/secrets.py rename deployment/templates/mongodb/mongodb-secret.yaml => pubgrade/utils/__init__.py (100%) create mode 100644 pubgrade/utils/decrypt_secrets.py diff --git a/Dockerfile b/Dockerfile index 9f42f34..af36317 100644 --- a/Dockerfile +++ b/Dockerfile @@ -13,6 +13,16 @@ LABEL maintainer.organisation="ELIXIR Cloud & AAI" RUN groupadd -r pubgrade --gid 1000 && useradd -d /home/pubgrade -ms /bin/bash -r -g pubgrade pubgrade --uid 1000 +RUN apt update && apt install -y \ + curl \ + gnupg \ + && apt clean && rm -rf /var/lib/apt/lists/* + +ENV SOPS_VERSION v3.8.0 + +RUN curl -Lo /usr/local/bin/sops https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux.amd64 && \ + chmod +x /usr/local/bin/sops + ## Copy remaining app files COPY --chown=1000:1000 ./ /app diff --git a/Makefile b/Makefile index 7c94b46..8ad0f44 100644 --- a/Makefile +++ b/Makefile 
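Review bot: The `RUN curl -Lo /usr/local/bin/sops …` step installs whatever the download returns, with no `-f` and no comparison against the published checksum, so an HTTP error page or a substituted artifact would be made executable and later trusted to decrypt the secrets file. Change it to `RUN curl -fsSLo /usr/local/bin/sops "https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux.amd64" && \` and add `echo "EXPECTED_SHA256_PLACEHOLDER  /usr/local/bin/sops" | sha256sum -c - && \` (the digest taken from the release's checksums file) before the `chmod +x`. `ENV SOPS_VERSION v3.8.0` is the legacy whitespace form; `ENV SOPS_VERSION=v3.8.0` is the form Docker documents as preferred. `apt update`/`apt install` are the interactive front-end; `apt-get` is the one intended for non-interactive use in Dockerfiles.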
@@ -1,4 +1,4 @@ -IMAGE_NAME_PUBGRADE=akash7778/pubgrade +IMAGE_NAME_PUBGRADE=akash7778/pubgrade:test_build_1 IMAGE_NAME_UPDATER=akash7778/pubgrade-updater APP_NAME=pubgrade @@ -21,7 +21,7 @@ test: ## Runs unit tests and shows coverage. coverage report -m install-pubgrade: # build ## Install pubgrade on cluster using helm. - kubectl create namespace $(APP_NAME) --dry-run=client -o yaml | kubectl apply -f - +# kubectl create namespace $(APP_NAME) --dry-run=client -o yaml | kubectl apply -f - sed -i 's#akash7778/pubgrade:test_build#$(IMAGE_NAME_PUBGRADE)#g' deployment/values.yaml sed -i 's#akash7778/notify-completion#$(IMAGE_NAME_UPDATER)#g' deployment/values.yaml helm upgrade --install $(APP_NAME) deployment/ -n $(APP_NAME) diff --git a/deployment/templates/deployment.yaml b/deployment/templates/deployment.yaml deleted file mode 100644 index ea6f642..0000000 --- a/deployment/templates/deployment.yaml +++ /dev/null @@ -1,40 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: pubgrade -spec: - replicas: 1 - selector: - matchLabels: - app: pubgrade - template: - metadata: - labels: - app: pubgrade - spec: - serviceAccountName: pubgrade - automountServiceAccountToken: true - securityContext: - runAsUser: 1000 - containers: - - name: pubgrade - imagePullPolicy: IfNotPresent - image: {{ .Values.Pubgrade.image }} - ports: - - containerPort: 8080 - volumeMounts: - - mountPath: {{ .Values.volumes.Pubgrade.pathToMountedDir }} - name: pubgrade-storage - env: - - name: NAMESPACE - value: {{ .Release.Namespace }} - - name: PV_NAME - value: {{ .Values.volumes.Pubgrade.name }} - - name: BASE_DIR - value: {{ .Values.volumes.Pubgrade.pathToMountedDir }} - - name: PUBGRADE_URL - value: "http://pubgrade-service.pubgrade-ns" - volumes: - - name: pubgrade-storage - persistentVolumeClaim: - claimName: {{ .Values.volumes.Pubgrade.name }} 
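Review bot: The `install-pubgrade` recipe still rewrites `deployment/values.yaml` and installs from `deployment/`, but this same commit deletes `deployment/values.yaml` and moves the chart to `helm/`, so `sed -i` fails on a missing file and the chart path no longer exists. The first hunk also bakes the tag into `IMAGE_NAME_PUBGRADE`, which makes the remaining pattern `s#akash7778/pubgrade:test_build#…#g` a prefix of its own replacement — it turns `akash7778/pubgrade:test_build_1` into `akash7778/pubgrade:test_build_1_1` on every run — while the `akash7778/notify-completion` pattern matches nothing in the new values file. Replace the two `sed` lines and the helm line with `helm upgrade --install $(APP_NAME) helm/ -n $(APP_NAME) --create-namespace --set pubgrade_webserver.image=$(IMAGE_NAME_PUBGRADE) --set pubgrade_build_complete_updater.image=$(IMAGE_NAME_UPDATER)`, which also covers the namespace creation this hunk comments out.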
diff --git a/deployment/templates/mongodb/mongodb-deployment.yaml b/deployment/templates/mongodb/mongodb-deployment.yaml deleted file mode 100644 index e8c09c7..0000000 --- a/deployment/templates/mongodb/mongodb-deployment.yaml +++ /dev/null @@ -1,32 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: mongodb - labels: - app: db -spec: - replicas: 1 - selector: - matchLabels: - app: db - template: - metadata: - labels: - app: db - spec: - securityContext: - runAsUser: 999 - containers: - - name: mongodb - image: mongo:3.6 - ports: - - containerPort: 27017 - name: db-container - volumeMounts: - - mountPath: /data/db - name: mongodb-storage - volumes: - - name: mongodb-storage - persistentVolumeClaim: - claimName: {{ .Values.volumes.mongodb.name }} - \ No newline at end of file diff --git a/deployment/templates/mongodb/mongodb-pvc.yaml b/deployment/templates/mongodb/mongodb-pvc.yaml deleted file mode 100644 index 03591a2..0000000 --- a/deployment/templates/mongodb/mongodb-pvc.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{ if .Values.volumes.mongodb.storage_active }} -{{ if .Values.volumes.mongodb.deployLocalPv }} -apiVersion: v1 -kind: PersistentVolume -metadata: - name: mongo-pv - labels: - type: local -spec: - storageClassName: {{ .Values.volumes.mongodb.storageClass }} - capacity: - storage: {{ .Values.volumes.mongodb.size }} - accessModes: - - ReadWriteOnce - hostPath: - path: {{ .Values.volumes.mongodb.pathToLocalDir }} -{{ end }} ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: {{ .Values.volumes.mongodb.name }} -spec: - storageClassName: {{ .Values.volumes.mongodb.storageClass }} - accessModes: - - ReadWriteOnce - resources: - requests: - storage: {{ .Values.volumes.mongodb.size }} -{{ end }} \ No newline at end of file diff --git a/deployment/templates/mongodb/mongodb-service.yaml b/deployment/templates/mongodb/mongodb-service.yaml deleted file mode 100644 index ab3d421..0000000 
--- a/deployment/templates/mongodb/mongodb-service.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: mongodb - labels: - app: db -spec: - ports: - - port: 27017 - protocol: TCP - name: mongodb - selector: - app: db - type: NodePort \ No newline at end of file diff --git a/deployment/templates/notify-completion-deployment.yaml b/deployment/templates/notify-completion-deployment.yaml deleted file mode 100644 index b972b90..0000000 --- a/deployment/templates/notify-completion-deployment.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: build-complete-updater -spec: - replicas: 1 - selector: - matchLabels: - app: pubgrade - template: - metadata: - labels: - app: pubgrade - spec: - serviceAccountName: pubgrade - automountServiceAccountToken: true - containers: - - image: {{ .Values.imageNotifyCompletion }} - name: notify-completion - imagePullPolicy: IfNotPresent - env: - - name: NAMESPACE - value: {{ .Release.Namespace }} - - name: BROKER_URL - value: {{ .Values.pubgrade_URL }} diff --git a/deployment/templates/pubgrade-pvc.yaml b/deployment/templates/pubgrade-pvc.yaml deleted file mode 100644 index 8c739fa..0000000 --- a/deployment/templates/pubgrade-pvc.yaml +++ /dev/null 
@@ -1,63 +0,0 @@ -{{ if .Values.volumes.Pubgrade.storage_active }} -{{ if .Values.volumes.Pubgrade.deployLocalPv }} -apiVersion: v1 -kind: PersistentVolume -metadata: - name: pubgrade-pv - labels: - type: local -spec: - storageClassName: {{ .Values.volumes.Pubgrade.storageClass }} - capacity: - storage: {{ .Values.volumes.Pubgrade.size }} - accessModes: - - ReadWriteOnce - hostPath: - path: {{ .Values.volumes.Pubgrade.pathToLocalDir }} -{{ end }} ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: {{ .Values.volumes.Pubgrade.name }} -spec: - storageClassName: {{ .Values.volumes.Pubgrade.storageClass }} - accessModes: - - ReadWriteOnce - resources: - requests: - storage: {{ .Values.volumes.Pubgrade.size }} ---- -apiVersion: v1 -items: -- apiVersion: v1 - kind: PersistentVolumeClaim - metadata: - finalizers: - - kubernetes.io/pvc-protection - name: mongo-pvc - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 2Gi - storageClassName: standard-rwo -- apiVersion: v1 - kind: PersistentVolumeClaim - metadata: - finalizers: - - kubernetes.io/pvc-protection - name: pubgrade-pvc - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 2Gi - storageClassName: standard-rwo -kind: List -metadata: - resourceVersion: "" - selfLink: "" -{{ end }} \ No newline at end of file diff --git a/deployment/templates/services.yaml b/deployment/templates/services.yaml deleted file mode 100644 index 28d7d6b..0000000 --- a/deployment/templates/services.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: pubgrade-service -spec: - type: NodePort - selector: - app: pubgrade - ports: - - port: 8080 - targetPort: 8080 - nodePort: 30008 diff --git a/deployment/values.yaml b/deployment/values.yaml deleted file mode 100644 index f5dccfe..0000000 --- a/deployment/values.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -imageNotifyCompletion: 'akash7778/notify-completion' # This will be moved to elixir-cloud-aai -pubgrade_URL: "https://pubgrade.dyn.cloud.e-infra.cz" - -ingress: - enabled: true - url: 'your.url.without.http.com' - https: - enabled: true - issuer: letsencrypt-prod - -Pubgrade: - image: akash7778/pubgrade:test_build_1 - -#Persistent volumes and claims -volumes: - Pubgrade: - # In case you are working with minikube or another single-worker solution - # you can add a peristent volume from a local directory. For fully-distributed - #clusters you should use a StorageClass already existing in your cluster, so set this to false. - deployLocalPv: false - pathToMountedDir: /pubgrade_temp_files - pathToLocalDir: /tmp/pubgrade-pv - name: pubgrade-pvc - storageClass: manual - size: 2Gi - storage_active: false - mongodb: - deployLocalPv: false - pathToLocalDir: /tmp/mongo-pv - name: mongo-pvc - storageClass: manual - size: 2Gi - storage_active: false diff --git a/deployment/Chart.yaml b/helm/Chart.yaml similarity index 87% rename from deployment/Chart.yaml rename to helm/Chart.yaml index cc520da..0a43a28 100644 --- a/deployment/Chart.yaml +++ b/helm/Chart.yaml @@ -1,4 +1,4 @@ -apiVersion: v2 +apiVersion: v1 name: pubgrade description: A Helm chart for Kubernetes type: application diff --git a/helm/templates/pubgrade-build-complete-updater/deployment.yaml b/helm/templates/pubgrade-build-complete-updater/deployment.yaml new file mode 100644 index 0000000..fa4f4ac --- /dev/null +++ b/helm/templates/pubgrade-build-complete-updater/deployment.yaml 
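Review bot: `apiVersion: v1` in Chart.yaml is the Helm 2 chart format, while the untouched `type: application` line below it is a field that only exists in the v2 format, so this downgrade looks accidental rather than intended; keep `apiVersion: v2`. If a v1 chart is really wanted, the commit message should say why, since nothing else in this commit depends on it.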
@@ -0,0 +1,25 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: build-complete-updater +spec: + replicas: {{ .Values.pubgrade_build_complete_updater.replicaCount }} + selector: + matchLabels: + app: {{ .Values.appName }} + template: + metadata: + labels: + app: {{ .Values.appName }} + spec: + serviceAccountName: {{ .Values.pubgrade_webserver.serviceAccountName }} + automountServiceAccountToken: true + containers: + - image: {{ .Values.pubgrade_build_complete_updater.image }} + name: pubgrade_build_complete_updater + imagePullPolicy: {{ .Values.pubgrade_build_complete_updater.imagePullPolicy }} + env: + - name: NAMESPACE + value: {{ .Release.Namespace }} + - name: BROKER_URL + value: {{ .Values.pubgrade_url }} diff --git a/helm/templates/pubgrade-mongodb/deployment.yaml b/helm/templates/pubgrade-mongodb/deployment.yaml new file mode 100644 index 0000000..49a172c --- /dev/null +++ b/helm/templates/pubgrade-mongodb/deployment.yaml @@ -0,0 +1,32 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .Values.pubgrade_mongodb.name }} + labels: + app: db +spec: + replicas: {{ .Values.pubgrade_mongodb.replicaCount }} + selector: + matchLabels: + app: db + template: + metadata: + labels: + app: db + spec: + securityContext: + runAsUser: {{ .Values.pubgrade_mongodb.securityContext.runAsUser }} + containers: + - name: mongodb + image: {{ .Values.pubgrade_mongodb.image }} + ports: + - containerPort: {{ .Values.pubgrade_mongodb.port }} + name: db-container + volumeMounts: + - mountPath: /data/db + name: {{ .Values.pubgrade_mongodb.volume.name }} + volumes: + - name: {{ .Values.pubgrade_mongodb.volume.name }} + persistentVolumeClaim: + claimName: {{ .Values.pubgrade_mongodb.volume.claimName }} + \ No newline at end of file diff --git a/helm/templates/pubgrade-mongodb/pvc.yaml b/helm/templates/pubgrade-mongodb/pvc.yaml new file mode 100644 index 0000000..0cbc236 --- /dev/null +++ b/helm/templates/pubgrade-mongodb/pvc.yaml 
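Review bot: `name: pubgrade_build_complete_updater` is not a valid container name — Kubernetes requires container names to be DNS labels (lowercase alphanumerics and `-`), so the API server rejects this Deployment; use `name: pubgrade-build-complete-updater`. The selector and pod template also reuse `app: {{ .Values.appName }}`, the label the webserver Deployment and `pubgrade-service` in helm/templates/pubgrade-webserver/services.yaml key on, so that Service would load-balance HTTP traffic onto updater pods that do not serve it; give this Deployment its own label, e.g. `app: build-complete-updater` in both `matchLabels` and the template `labels`. The updater also runs under the webserver's ServiceAccount and therefore its Role binding; if it only needs to reach `BROKER_URL` over HTTP, a separate account with no Role and `automountServiceAccountToken: false` is the least-privilege choice.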
@@ -0,0 +1,30 @@ +{{ if .Values.pubgrade_mongodb.volume.storageActive }} +{{ if .Values.pubgrade_mongodb.volume.deployLocalPv }} +apiVersion: v1 +kind: PersistentVolume +metadata: + name: mongo-pv + labels: + type: local +spec: + storageClassName: {{ .Values.pubgrade_mongodb.volume.storageClass }} + capacity: + storage: {{ .Values.pubgrade_mongodb.volume.size }} + accessModes: + - ReadWriteOnce + hostPath: + path: {{ .Values.pubgrade_mongodb.volume.pathToLocalDir }} +{{ end }} +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ .Values.pubgrade_mongodb.volume.claimName }} +spec: + storageClassName: {{ .Values.pubgrade_mongodb.volume.storageClass }} + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.pubgrade_mongodb.volume.size }} +{{ end }} diff --git a/helm/templates/pubgrade-mongodb/service.yaml b/helm/templates/pubgrade-mongodb/service.yaml new file mode 100644 index 0000000..0b16af2 --- /dev/null +++ b/helm/templates/pubgrade-mongodb/service.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.pubgrade_mongodb.name }} + labels: + app: db +spec: + ports: + - port: {{ .Values.pubgrade_mongodb.port }} + protocol: TCP + name: {{ .Values.pubgrade_mongodb.name }} + selector: + app: db + type: {{ .Values.pubgrade_mongodb.portType }} \ No newline at end of file diff --git a/helm/templates/pubgrade-webserver/deployment.yaml b/helm/templates/pubgrade-webserver/deployment.yaml new file mode 100644 index 0000000..bd1cd44 --- /dev/null +++ b/helm/templates/pubgrade-webserver/deployment.yaml 
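Review bot: `type: {{ .Values.pubgrade_mongodb.portType }}` with the default `portType: NodePort` in helm/values.yaml publishes MongoDB on a high port of every node, and the mongodb Deployment added in this commit sets no credentials (no `MONGO_INITDB_ROOT_USERNAME`/`MONGO_INITDB_ROOT_PASSWORD` env and no `--auth` argument), so the database is reachable unauthenticated by anything that can reach a node. Only the in-cluster pods need it, through the Service name, so default to `portType: ClusterIP` and leave NodePort as an explicit opt-in. Authentication should be configured in the Deployment regardless of the Service type.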
@@ -0,0 +1,85 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .Values.appName }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ .Values.appName }} + template: + metadata: + labels: + app: {{ .Values.appName }} + spec: + serviceAccountName: {{ .Values.pubgrade_webserver.serviceAccountName }} + automountServiceAccountToken: true + securityContext: + runAsUser: {{ .Values.pubgrade_webserver.securityContext.runAsUser }} + initContainers: + - name: gpg-setup + image: debian:bullseye + command: + - "/bin/bash" + - "-c" + - > + apt-get update && + apt-get install -y gnupg && + mkdir -p /root/.gnupg && + gpg --import /tmp/gpg/private-key.asc && + gpg --import /tmp/gpg/public-key.asc; + volumeMounts: + - name: gpg-keys + mountPath: /tmp/gpg + containers: + - name: pubgrade + imagePullPolicy: {{ .Values.pubgrade_webserver.imagePullPolicy }} + image: {{ .Values.pubgrade_webserver.image }} + ports: + - containerPort: {{ .Values.pubgrade_webserver.port }} + volumeMounts: + - mountPath: {{ .Values.pubgrade_webserver.volume.pathToMountedDir }} + name: pubgrade-storage + - mountPath: /root/.gnupg + name: gpg-keyring + env: + - name: NAMESPACE + value: {{ .Release.Namespace }} + - name: PV_NAME + value: {{ .Values.pubgrade_webserver.volume.pvcName }} + - name: BASE_DIR + value: {{ .Values.pubgrade_webserver.volume.pathToMountedDir }} + - name: PUBGRADE_URL + value: {{ .Values.pubgrade_url }} + volumes: + - name: pubgrade-storage + persistentVolumeClaim: + claimName: {{ .Values.pubgrade_webserver.volume.pvcName }} + - name: gpg-keys + secret: + secretName: gpg-secret + - name: gpg-keyring + emptyDir: {} + + + +apiVersion: v1 +kind: Config +clusters: +- name: "kuba-cluster" + cluster: + server: "https://rancher.cloud.e-infra.cz/k8s/clusters/c-m-qvndqhf6" + +users: +- name: "kuba-cluster" + user: + token: "kubeconfig-u-l42egxdec69j9jp:tjf64q62tw65jl9wz64mbtqk88t5snzdh8ll2xsp68jkcj7n7nwrcg" + + +contexts: +- name: "kuba-cluster" + context: + user: 
"kuba-cluster" + cluster: "kuba-cluster" + +current-context: "kuba-cluster" diff --git a/deployment/templates/ingress.yaml b/helm/templates/pubgrade-webserver/ingress.yaml similarity index 59% rename from deployment/templates/ingress.yaml rename to helm/templates/pubgrade-webserver/ingress.yaml index 9216644..79ad4ba 100644 --- a/deployment/templates/ingress.yaml +++ b/helm/templates/pubgrade-webserver/ingress.yaml @@ -1,31 +1,31 @@ -{{- if .Values.ingress.enabled }} +{{- if .Values.pubgrade_webserver.ingress.enabled }} {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: kubernetes.io/ingress.class: nginx - {{- if .Values.ingress.https.enabled }} - cert-manager.io/cluster-issuer: {{ .Values.ingress.https.issuer }} - kubernetes.io/tls-acme: {{ quote .Values.ingress.https.enabled}} + {{- if .Values.pubgrade_webserver.ingress.https.enabled }} + cert-manager.io/cluster-issuer: {{ .Values.pubgrade_webserver.ingress.https.issuer }} + kubernetes.io/tls-acme: {{ quote .Values.pubgrade_webserver.ingress.https.enabled}} {{- end }} name: pubgrade-ingress spec: rules: - - host: {{ .Values.ingress.url }} + - host: {{ .Values.pubgrade_webserver.ingress.url }} http: paths: - backend: service: name: pubgrade-service port: - number: 8080 + number: {{ .Values.pubgrade_webserver.port }} path: / pathType: Prefix - {{- if .Values.ingress.https.enabled }} + {{- if .Values.pubgrade_webserver.ingress.https.enabled }} tls: - hosts: - - {{ .Values.ingress.url }} + - {{ .Values.pubgrade_webserver.ingress.url }} secretName: pubgrade-ingress-secret {{- end }} {{- else if .Capabilities.APIVersions.Has "route.openshift.io/v1/Route" -}} @@ -34,7 +34,7 @@ kind: Route metadata: name: pubgrade-ingress spec: - host: {{ .Values.ingress.url }} + host: {{ .Values.pubgrade_webserver.ingress.url }} tls: insecureEdgeTerminationPolicy: Redirect termination: edge 
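Review bot: The block after `emptyDir: {}`, from the second `apiVersion: v1` through `current-context: "kuba-cluster"`, is a complete kubeconfig for a Rancher-managed cluster including a bearer token (`kubeconfig-u-…`) committed in plaintext inside a Deployment template; that token should be treated as compromised and revoked, and the block removed — it also leaves a second top-level `apiVersion`/`kind` in the same YAML document, so Helm's render of this template cannot produce a valid Deployment. Separately, the `gpg-setup` init container imports the keys into its own `/root/.gnupg` but mounts only `gpg-keys`, while the `gpg-keyring` emptyDir is mounted only in the main container, so the imported keyring is discarded when the init container exits; add `- name: gpg-keyring` / `mountPath: /root/.gnupg` to the init container's `volumeMounts`. The main container runs as the `runAsUser` from values (`1004510000` in helm/values.yaml), whose home directory is presumably not `/root`, so `gpg` will probably not look in `/root/.gnupg` unless `GNUPGHOME` is set — worth confirming. The `gpg-secret` Secret that the `gpg-keys` volume references is not defined anywhere in this commit.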
diff --git a/helm/templates/pubgrade-webserver/pvc.yaml b/helm/templates/pubgrade-webserver/pvc.yaml new file mode 100644 index 0000000..42f3706 --- /dev/null +++ b/helm/templates/pubgrade-webserver/pvc.yaml @@ -0,0 +1,30 @@ +{{ if .Values.pubgrade_webserver.volume.storage_active }} +{{ if .Values.pubgrade_webserver.volume.deployLocalPv }} +apiVersion: v1 +kind: PersistentVolume +metadata: + name: pubgrade-pv + labels: + type: local +spec: + storageClassName: {{ .Values.pubgrade_webserver.volume.storageClass }} + capacity: + storage: {{ .Values.pubgrade_webserver.volume.size }} + accessModes: + - ReadWriteOnce + hostPath: + path: {{ .Values.pubgrade_webserver.volume.pathToLocalDir }} +{{ end }} +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ .Values.pubgrade_webserver.volume.pvcName }} +spec: + storageClassName: {{ .Values.pubgrade_webserver.volume.storageClass }} + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.pubgrade_webserver.volume.size }} +{{ end }} \ No newline at end of file diff --git a/deployment/templates/role-binding.yaml b/helm/templates/pubgrade-webserver/role-binding.yaml similarity index 82% rename from deployment/templates/role-binding.yaml rename to helm/templates/pubgrade-webserver/role-binding.yaml index dd2d15d..1bffd51 100644 --- a/deployment/templates/role-binding.yaml +++ b/helm/templates/pubgrade-webserver/role-binding.yaml @@ -5,7 +5,7 @@ metadata: namespace: {{ .Release.Namespace }} subjects: - kind: ServiceAccount - name: pubgrade + name: {{ .Values.pubgrade_webserver.serviceAccountName }} namespace: {{ .Release.Namespace }} roleRef: kind: Role diff --git a/deployment/templates/role.yaml b/helm/templates/pubgrade-webserver/role.yaml similarity index 100% rename from deployment/templates/role.yaml rename to helm/templates/pubgrade-webserver/role.yaml 
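Review bot: `{{ if .Values.pubgrade_webserver.volume.storage_active }}` uses a snake_case key while the sibling template helm/templates/pubgrade-mongodb/pvc.yaml reads `.Values.pubgrade_mongodb.volume.storageActive`; both match helm/values.yaml today, but the two `volume` blocks are otherwise identically shaped and the mismatch invites a silent `nil` (rendering no PVC at all) the first time someone normalises one side. Pick one spelling — `storageActive` matches the camelCase of the neighbouring keys — and change the template and values together.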
diff --git a/helm/templates/pubgrade-webserver/secrets-encrypted.yaml b/helm/templates/pubgrade-webserver/secrets-encrypted.yaml new file mode 100644 index 0000000..a71ff49 --- /dev/null +++ b/helm/templates/pubgrade-webserver/secrets-encrypted.yaml 
@@ -0,0 +1,37 @@ +apiVersion: ENC[AES256_GCM,data:+vg=,iv:UnK74espS/z6fqJSyBMPhpw3t2s0a6f6IC0En1W0YpY=,tag:vv8Dg10rEAf0YOThpiwETQ==,type:str] +kind: ENC[AES256_GCM,data:IyZo+CSz,iv:zlpPQabpDtFzwydptd8O6kJ2GsNQH0fpMXgnXSQGYUw=,tag:RqlZ7j25H8v0+daXco/vfg==,type:str] +metadata: + name: ENC[AES256_GCM,data:yIuw4M3Sh97N,iv:jhddrS5kVViKh6GiMxUUdX4nwWcumRa5xrBLZj/U+7k=,tag:qoyRqRED2QeESyRCeI2oyA==,type:str] +type: ENC[AES256_GCM,data:i3GPrysL,iv:TTlqxNcRZqAfAw2BXq+p0Zdi0DWZc40A75zDVu8wznk=,tag:m6SRWfLMwRWxSJkPyCr2hg==,type:str] +data: + gh_access_token: ENC[AES256_GCM,data:hjRG1TjSH13D6jQsFl+j0o3UbMaMRgOw5/ea3xXzmuJDDZDT8tRpGA==,iv:+yJSIVk8xm6SmUhp7z6+/XIFwIQ0Li3UXbbpZjYAaHk=,tag:BIJ3KfH7phFMeOSlyS5t5w==,type:str] + cosign: + password: ENC[AES256_GCM,data:FHm1KLoG,iv:Gw6v3xnwB4ZuUYhJ2cutmZIaqsVUFxaDx0xRRE/j2OE=,tag:+x5PRFkTad6timBN7cRQdw==,type:str] + private_key: ENC[AES256_GCM,data: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,iv:Hfzw4vRY2k9wdHL/fz1yFUAiZ+aoxCvEUsADgBkE0gs=,tag:qZkQRg3KqLSVBTXT+/Sk2w==,type:str] + intermediate_registry_token: 
ENC[AES256_GCM,data:ShspPX4hEb3buruOe1FksQpkoa431YXUlDJrPk22BopEegfAphbfwcU9nCybgRCxW5OmQC3CfDTkBRF9U5jhhFGcW9k4P1pDz4A5IM8mOkUqAczGBTc5Zoi+2RD1QbWjFXLq+Bkg3hCV1eEKUWTQBMwn3eI+/ziEN80sqzN49yShDvAxMiPdy/WyYWpzy3wETXTi05XfQft2unovhLXwhBadbFp3jWCsfR69DkMOo/QXtyKM5Vfaa6HuuGGFJ8rtFb/p7d17bjlQMfdvbjd2wRlVanBlWPHqkePmrUEWYxv5zjxf5V6GpPq+Ww4OIZueuNRVdELhL0QJZHsPSuZRcDlnj1YPbu1DS1fo01vi5gF9TaOw2E4991Uat59cRm1m6n+s00TDoWvGRcs8jJ/1WV95pvVNfOghLOyhtutTUGfiXhT9Xlg8SLM3WQ77+GHlHkyrF1EqK7SXrEtwC7tW8ArdCiXsABcO+7bw9kOT4tGhqvVI8sjI7T41i4w3FhvDEUpBtA/RlkqJ23950uvv7urp+P4V0RDMppuiSl7Uis15BuX+RL6LmTRZYf/om9+t89DavaaiDHk/ppWzqB+VlOGOunjuj6r6yRYA1JRzD458TbYkb/8KIc9x68dsWERPQQCoFQh7A28tU3dJobPEXqMjVZHZ4xKZ/Y+bgeScgF/oayz2pj28XXRS5JKAzSRSmjWDErhOslGzQCaB1a4+VVNwVJ+wxti8zh+VRNdVxb5/msnEL8N95NqclB5VAeR8yYb6GcShywVQo6SYJXrOvjliHRXkBHQ4d5E4oxIITkAIe5OUfJ5a7zVwiuCSjQVQROhP1whzMH6upoa225nDFx0FPPVzoSPSkVa7IbjuyL3lrZX+FhiLwOtFIoCgeXNfIeYPx8NAM8+TneJKmb7+bmYIOERpFlkaHbyK21PFNeSTyf/r9yq7aB4ztflnV698P7S3khCQY5F79ZEfXdK0ail+aFl8vkTydAkYPx1LPUGFtvbqiCdA00rHQMJcNaHdPmlKV3o/VMgcMREAdF+vBlpggQA7SgeFrwQdCE/3K1YIEB5wpnOZGiiBEpVRWY+h6UyMJFXfw1GahaP2S5b0A+BPtBv8zPLAeDeS2xFaTtDS4yL6+kENwd++RM/drGDGq7SFCRaeA+PPBo7iGYjf3WHvkqBgv4BKYdv5jcd0Ok80KOUFMOyt6VyUyyRwNDc4CtCktIivbI8JJzAd3w4aWo7v5i6PAQCuNpkOtbVWz0Gv9b3mejgBZE7j9ykzlD1+vzTXo2UemOoDtmqLat8UYamS80py5F3ad92t8jGevbniUkvgBwhJgQl6joOS8XkoXTNZuFPVv+ooxYbUbYewMfbtMlA+66fDSXc2ZjFcXFLf8V+bROxj6LeQXLd6KgBEv1Kh6UpKnl1mZebLznfnZw6FENvWPjkUbllrP7filYNwh6ltiMZ4ELRb3O8HWq/qiBHtv9Igw3jm1ALPuBZdV0hr+DF+g1cnB++jkKW1tOM/DYknSJh0Rl9lye7qqHaGVreRrK6fKrzIqZK7B5Lt9vi1HX1vPrfO4eWzgwJNImc/Y8qeb06x+V1HIxIF3pevo7gpjzHo0P+h/S6TsqDRH8HNloNb/ZStUxdhIe03YRYKGxW3mR65rKc9R+cfFVaXbLr0SKB9O47K9MsOB8erwdTgwUm2huPW1S7yavgpZMTQez8bA3q4SFhS5WA3IiU3/Kih+GtrpSWltefmaRG2KiFJO/hmOuUPjie+C+nzgR3xml73wIsSKSs+yi/+N/HQUQQ85fYySzG8Qk/KL2o7QWsgf9pvIMmH9HDxYgQNy6B+dF5BGJyO/8wAjGOycm2OSA5qGH+MWviQBcD6LbNsip740LN6Vo8Ac6HZcmKUIz+9n9CdBxUdw6gH/F33Ux/bRN6AxcY9lTO+qOthmb5/2uxCN/Ue6u8eo8vrrMVnF96tyRc8osHYLhdlWgOS
QdDVJGYUuL4I61o3CPIS30j21GJCAyli86hfNl1Rk8XyzbDLeGMvBeVXElteYwMXsge3nBxr6pOV/clmqvK+yJb2D1pkDIiOqC2kjys6WZStG41x42To9r8k9mr3Mis+aucxTcBoRoSQKGnyx5tKeDYAErQnX6oV9g6rClxB9J6nbaxlVhT3H8+rmbOt+//WjlTQEJS2EIfgpjSGM76ulQrQ3XF26gU1FXWrweEAu8XUsAA8cOOGKoVUynexVfP1mX/XGQK29Q==,iv:8RtTe1zpuIjOT8SXzw9f7p0ujGOBA6WlZEcURhp6uaI=,tag:xvqjZnK3c2Q7VSsnQjYDaA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2024-12-08T13:05:45Z" + mac: ENC[AES256_GCM,data:Yvt6Oe0sgYgq6JkHKxrbNii0mgrW4h/AcnmldAtOsYXvhg79agCz2eyBebQQS6NBjbntoQ5TM4LWuozcFFvx3WxC3wBlstUEebryesLvBALes6bp7IE49LTYGuXdb8T8SHibl0NbI9npxXqVoq6wMKfDxM8q5yLQbWom40T8+Xc=,iv:1klt2GFXbH7XnColKW9Boh6J98cxfzYrcuSKwcryyw0=,tag:F+yAlAWgbYvOpnEDRug3Sw==,type:str] + pgp: + - created_at: "2024-12-08T13:05:45Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQEMAzQN8EMB5J0MAQf/XOX2aNGijbqJ8BfbK+SQqsLu8mKsaDVbqZkVHX9EyfQ/ + wcVb6CtHtbMFQmxuLbfelcRR1JaDHnFslscHgjLusLuapE/wfwGD1pKPDfMqq44b + OrpJDCUzA3dtfGxfYvMuf4o26KclHw0nm+nXljwI6r2iFho0o1nSTlMpTep6y4lW + w30nDMhHcCVMdAHkxWEZ7EFr8jWupFqdgmE1fo4T/SPBCHA+/hCwL54txBxKlpr9 + TgbfBzpzLZYHezuY1VadcIwwcw9sZUuo3a7+R79kC9KRfZPhwfLES9y9knI5qcfm + 3MTFIGLNbe4/W/ZYqaoWuMqW9PJnrFISO6whrAnFadRbAQkCEB67P5RibRRBvTLK + J1Y1xnYkqFJ8wGY1hBDcsOTNkDdQy3lZYWMqNTh2Q38B00kNKS90kQbXyRhlAk7/ + 4BBdr31K+FXgc+xAT4TMfhpZ50+2iV9N4uistA== + =g5PB + -----END PGP MESSAGE----- + fp: F9AE1A45239C35E85249F8BFF0273FEC7C5D429A + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/deployment/templates/service-account.yaml b/helm/templates/pubgrade-webserver/service-account.yaml similarity index 57% rename from deployment/templates/service-account.yaml rename to helm/templates/pubgrade-webserver/service-account.yaml index bb11cbb..812950b 100644 --- a/deployment/templates/service-account.yaml +++ b/helm/templates/pubgrade-webserver/service-account.yaml 
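Review bot: Everything in this file is encrypted, including `apiVersion`, `kind`, `metadata.name` and `type`, and it lives under `helm/templates/`, so `helm install` renders it as-is and submits a resource whose `apiVersion` is the literal `ENC[…]` string, which the API server rejects. For Kubernetes Secrets sops is normally run with `--encrypted-regex '^(data|stringData)$'` so the envelope stays readable and only the values are ciphertext; as committed, the file can only be consumed by the `sops --decrypt` call in pubgrade/utils/decrypt_secrets.py, not by Helm. The `data:` block also nests a `cosign:` mapping, which a Secret's `data` cannot carry (each value must be a base64 string) — if this is meant to become a Secret, flatten it to keys such as `cosign_password` and `cosign_private_key`. Encryption is bound to a single PGP fingerprint with no `age`/KMS recipient, so losing that one private key makes the secrets unrecoverable; a second recipient is cheap insurance.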
@@ -1,5 +1,5 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: pubgrade + name: {{ .Values.pubgrade_webserver.serviceAccountName }} automountServiceAccountToken: true diff --git a/helm/templates/pubgrade-webserver/services.yaml b/helm/templates/pubgrade-webserver/services.yaml new file mode 100644 index 0000000..045329c --- /dev/null +++ b/helm/templates/pubgrade-webserver/services.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: pubgrade-service +spec: + type: {{ .Values.pubgrade_webserver.portType }} + selector: + app: {{ .Values.appName }} + ports: + - port: {{ .Values.pubgrade_webserver.port }} + targetPort: {{ .Values.pubgrade_webserver.port }} + nodePort: 30008 diff --git a/helm/values.yaml b/helm/values.yaml new file mode 100644 index 0000000..7753aeb --- /dev/null +++ b/helm/values.yaml 
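Review bot: `nodePort: 30008` is hard-coded while `type` is templated from `pubgrade_webserver.portType`, and the API server rejects a Service that sets `nodePort` when `type` is `ClusterIP`, so any value other than `NodePort` makes the chart uninstallable. Guard it with `{{- if eq .Values.pubgrade_webserver.portType "NodePort" }}` / `nodePort: 30008` / `{{- end }}`, or drop the fixed port and let the cluster allocate one. The selector `app: {{ .Values.appName }}` also matches the pods created by helm/templates/pubgrade-build-complete-updater/deployment.yaml, which uses the same label, so the updater pods would receive a share of the webserver's traffic.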
@@ -0,0 +1,60 @@ +appName: pubgrade +pubgrade_url: "https://pubgrade.dyn.cloud.e-infra.cz" + +pubgrade_build_complete_updater: + replicaCount: 1 + image: "akash7778/pubgrade-updater" # This will be moved to elixir-cloud-aai + imagePullPolicy: IfNotPresent + + + +pubgrade_mongodb: + image: mongo:3.6 + name: mongodb + replicaCount: 1 + port: 27017 + portType: NodePort + volume: + # In case you are working with minikube or another single-worker solution + # you can add a peristent volume from a local directory. For fully-distributed + # clusters you should use a StorageClass already existing in your cluster, so set this to false. + deployLocalPv: false + name: mongodb-storage + claimName: mongo-pvc + storageActive: true + storageClass: manual + size: 2Gi + pathToLocalDir: /tmp/mongo-pv + securityContext: + runAsUser: 1004510000 + + +pubgrade_webserver: + serviceAccountName: pubgrade + replicaCount: 3 + imagePullPolicy: IfNotPresent + image: akash7778/pubgrade:test_build_1 # This will be moved to elixir-cloud-aai + port: 8080 + portType: NodePort + + volume: + # In case you are working with minikube or another single-worker solution + # you can add a peristent volume from a local directory. For fully-distributed + # clusters you should use a StorageClass already existing in your cluster, so set this to false. + deployLocalPv: false + pathToMountedDir: /pubgrade_temp_files + pathToLocalDir: /tmp/pubgrade-pv + pvcName: pubgrade-pvc + storageClass: manual + size: 2Gi + storage_active: true + + ingress: + enabled: true + url: 'your.url.without.http.com' + https: + enabled: true + issuer: letsencrypt-prod + + securityContext: + runAsUser: 1004510000 diff --git a/pubgrade/config.yaml b/pubgrade/config.yaml index feb0db2..7e5de38 100644 --- a/pubgrade/config.yaml +++ b/pubgrade/config.yaml 
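Review bot: `replicaCount: 3` under `pubgrade_webserver` is never read — helm/templates/pubgrade-webserver/deployment.yaml hard-codes `replicas: 1` — so the value is misleading; either template `replicas: {{ .Values.pubgrade_webserver.replicaCount }}` as the other two Deployments do, or remove the key. `image: mongo:3.6` pins a MongoDB release that has been end-of-life for years and receives no security fixes; pick a supported major version. `ingress.enabled: true` together with the placeholder `url: 'your.url.without.http.com'` means a default install creates an Ingress and a cert-manager request for a bogus host — default `enabled: false`, or fail the render with `required` until a host is given. The `pubgrade_url` default points at one specific public deployment, which every other install will use for `BROKER_URL`/`PUBGRADE_URL` unless overridden; it deserves the same treatment.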
@@ -17,31 +17,31 @@ db: indexes: - keys: id: 1 - options: + options: 'unique': True builds: indexes: - keys: id: 1 - options: + options: 'unique': True subscriptions: indexes: - keys: id: 1 - options: + options: 'unique': True users: indexes: - keys: uid: 1 - options: + options: 'unique': True admin_users: indexes: - keys: uid: 1 - options: + options: 'unique': True api: @@ -98,11 +98,10 @@ endpoints: admin_users: - name: 'Akash' uid: 'akash.saini' - user_access_token: 'XXXXXXXXXXXXXXXXXXXX' + user_access_token: 'c42a6d44e3d0' - name: 'Alvaro' uid: 'alvaro.gonzalez' - user_access_token: 'XXXXXXXXXXXXXXXXXXX' + user_access_token: 'c42fhg44e3d0' builds: gh_action_path: "akash2237778/pubgrade-signer" - intermediate_registery_format: "docker-registry.rahti.csc.fi/pubgrade/{}:1h" - intermediate_registry_token: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" + intermediate_registery_format: "cloud-registry.2.rahtiapp.fi/pubgrade/{}:1h" \ No newline at end of file diff --git a/pubgrade/modules/endpoints/builds.py b/pubgrade/modules/endpoints/builds.py index 785815b..dc1457b 100644 --- a/pubgrade/modules/endpoints/builds.py +++ b/pubgrade/modules/endpoints/builds.py @@ -24,7 +24,7 @@ ) from pubgrade.modules.endpoints.repositories import generate_id from pubgrade.modules.endpoints.subscriptions import notify_subscriptions -from pubgrade.secrets import gh_access_token, cosign_password, cosign_private_key +from pubgrade.utils.decrypt_secrets import load_secrets logger = logging.getLogger(__name__) @@ -405,7 +405,6 @@ def create_dockerhub_config_file( it contains dockerhub access token. """ intermediate_registry_format = current_app.config["FOCA"].endpoints["builds"]["intermediate_registery_format"] - intermediate_registry_token = current_app.config["FOCA"].endpoints["builds"]["intermediate_registry_token"] template_config_file = ( """{ "auths": { 
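Review bot: The two `user_access_token` lines replace the `XXXX…` placeholders with concrete values (`'c42a6d44e3d0'`, `'c42fhg44e3d0'`) in a tracked config file, which runs against the point of this commit — moving credentials into the sops-encrypted file — and, if these are live admin tokens, they are now in git history and need rotating. Keep placeholders here (or drop the tokens from `admin_users` entirely) and source them from the decrypted secrets alongside `gh_access_token` and `intermediate_registry_token`.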
@@ -414,7 +413,8 @@ def create_dockerhub_config_file(
 }
 }
 }"""
- ) % (intermediate_registry_format.split("/", 1)[0], intermediate_registry_token )
+ ) % (intermediate_registry_format.split("/", 1)[0],
+ load_secrets()["secrets"]["intermediate_registry_token"] )
 f = open(config_file_location, "w")
 f.write(template_config_file)
 f.close()
@@ -505,9 +505,7 @@ def build_completed(
 intermediate_registry_format = current_app.config["FOCA"].endpoints["builds"]["intermediate_registery_format"]
 trigger_signing_image(
 image_path=data["images"][0]["name"],
- cosign_private_key=cosign_private_key,
 dockerhub_token=data["dockerhub_token"],
- cosign_password=cosign_password,
 pull_tag=intermediate_registry_format.format(data["images"][0]["name"].split("/")[1].split(":")[0]),
 push_tag=data["images"][0]["name"]
 )
@@ -569,7 +567,7 @@ def delete_pod(name: str, namespace: str):
 raise DeletePodError
 
 
-def trigger_signing_image(cosign_private_key: str, cosign_password: str, dockerhub_token: str,
+def trigger_signing_image(dockerhub_token: str,
 image_path: str, pull_tag: str, push_tag: str):
 username, password = base64.b64decode(dockerhub_token).decode('utf-8').split(":")
 url = "https://api.github.com/repos/{}/dispatches".format(
@@ -577,10 +575,10 @@ def trigger_signing_image(cosign_private_key: str, cosign_password: str, dockerh
 payload = json.dumps({
 "event_type": "sign-image",
 "client_payload": {
- "cosign_key": cosign_private_key,
+ "cosign_key": load_secrets()["secrets"]["cosign"]["private_key"],
 "docker_username": username,
 "docker_password": password,
- "cosign_password": cosign_password,
+ "cosign_password": load_secrets()["secrets"]["cosign"]["password"],
 "image_path": image_path,
 "pull_tag": pull_tag,
 "push_tag": push_tag,
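Review bot: `load_secrets()["secrets"]["intermediate_registry_token"]` runs a fresh `sops --decrypt` subprocess and parses the whole secrets file on every evaluation, and the same expression form appears twice in the `client_payload` hunk (`@@ -577,10 +575,10 @@`) and once more in the `headers` hunk, so a single build flow decrypts the file several times. As written in pubgrade/utils/decrypt_secrets.py, `load_secrets()` returns `None` on any failure, so these expressions then raise `TypeError: 'NoneType' object is not subscriptable` with the real cause already printed and discarded. Decrypt once — e.g. `secrets = load_secrets()` at the top of `create_dockerhub_config_file` and of `trigger_signing_image`, then index `secrets["secrets"][…]` — and let a decryption failure raise. `create_dockerhub_config_file` begins outside this hunk.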
@@ -589,7 +587,7 @@ def trigger_signing_image(cosign_private_key: str, cosign_password: str, dockerh }) headers = { 'Accept': 'application/vnd.github+json', - 'Authorization': 'Bearer {}'.format(gh_access_token), + 'Authorization': 'Bearer {}'.format(load_secrets["secrets"]["gh_access_token"]), 'X-GitHub-Api-Version': '2022-11-28', 'Content-Type': 'application/json' } diff --git a/pubgrade/secrets.py b/pubgrade/secrets.py deleted file mode 100644 index d875930..0000000 --- a/pubgrade/secrets.py +++ /dev/null @@ -1,9 +0,0 @@ -gh_access_token="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" -cosign_password="XXXXX" -cosign_private_key="""-----BEGIN ENCRYPTED COSIGN PRIVATE KEY----- -XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ------END ENCRYPTED COSIGN PRIVATE KEY-----""" - - - - diff --git a/deployment/templates/mongodb/mongodb-secret.yaml b/pubgrade/utils/__init__.py similarity index 100% rename from deployment/templates/mongodb/mongodb-secret.yaml rename to pubgrade/utils/__init__.py diff --git a/pubgrade/utils/decrypt_secrets.py b/pubgrade/utils/decrypt_secrets.py new file mode 100644 index 0000000..ec1a9e2 --- /dev/null +++ b/pubgrade/utils/decrypt_secrets.py @@ -0,0 +1,20 @@ +import subprocess +import yaml + +def load_secrets(): + file_path = "../../helm/templates/pubgrade-webserver/secrets-encrypted.yaml" + try: + decrypted_output = subprocess.check_output(["sops", "--decrypt", file_path]) + secrets = yaml.safe_load(decrypted_output) + return secrets + except Exception as e: + print(f"Error decrypting or loading secrets: {e}") + return None + +# from pubgrade.utils.decrypt_secrets import load_secrets +# print(load_secrets["secrets"]["gh_access_token"]) + + + +if __name__ == "__main__": + print(load_secrets()["secrets"]["cosign"]["private_key"]) \ No newline at end of file From 97116093cee1b779de5536e880f5e35b86d2f9d8 Mon Sep 17 00:00:00 2001 
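Review bot: `load_secrets["secrets"]["gh_access_token"]` in the `Authorization` header of the `@@ -589,7 +587,7 @@` hunk subscripts the function object instead of calling it, so building the headers raises `TypeError: 'function' object is not subscriptable` before any request is sent. It should read `'Authorization': 'Bearer {}'.format(load_secrets()["secrets"]["gh_access_token"]),`, matching the two call sites in the payload hunk above. The enclosing `trigger_signing_image` starts outside the hunk.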
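Review bot: `file_path` in the new `load_secrets()` is a relative path (`../../helm/templates/pubgrade-webserver/secrets-encrypted.yaml`) resolved against the process working directory rather than the module, so the lookup only succeeds when the server is started from one particular directory; anchor it on `os.path.dirname(__file__)` or take it from an environment variable. Catching `Exception`, printing, and returning `None` hides the actual failure (missing `sops` binary, missing PGP key, malformed YAML), and every caller then fails later with a `TypeError` that points nowhere; let the exception propagate or raise a dedicated error, and use `logging` rather than `print`. The commented-out usage example and the `__main__` block that prints the cosign private key to stdout should not ship in the module. Decrypting at runtime also presupposes the PGP private key is present inside the container, which puts the decryption key next to the ciphertext it protects; a Secret-backed environment variable or mounted file is the usual way to deliver these values.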
From: akash2237778 Date: Mon, 9 Dec 2024 00:10:58 +0530 Subject: [PATCH 2/6] configured sops --- helm/Chart.yaml | 2 +- helm/templates/pubgrade-webserver/.sops.yaml | 4 ++ .../pubgrade-webserver/deployment.yaml | 20 ++++++++++ .../pubgrade-webserver/secrets-encrypted.yaml | 37 ------------------- .../templates/pubgrade-webserver/secrets.yaml | 36 ++++++++++++++++++ pubgrade/modules/endpoints/builds.py | 9 ++--- pubgrade/utils/__init__.py | 0 pubgrade/utils/decrypt_secrets.py | 20 ---------- 8 files changed, 65 insertions(+), 63 deletions(-) create mode 100644 helm/templates/pubgrade-webserver/.sops.yaml delete mode 100644 helm/templates/pubgrade-webserver/secrets-encrypted.yaml create mode 100644 helm/templates/pubgrade-webserver/secrets.yaml delete mode 100644 pubgrade/utils/__init__.py delete mode 100644 pubgrade/utils/decrypt_secrets.py diff --git a/helm/Chart.yaml b/helm/Chart.yaml index 0a43a28..cc520da 100644 --- a/helm/Chart.yaml +++ b/helm/Chart.yaml @@ -1,4 +1,4 @@ -apiVersion: v1 +apiVersion: v2 name: pubgrade description: A Helm chart for Kubernetes type: application diff --git a/helm/templates/pubgrade-webserver/.sops.yaml b/helm/templates/pubgrade-webserver/.sops.yaml new file mode 100644 index 0000000..dd859a9 --- /dev/null +++ b/helm/templates/pubgrade-webserver/.sops.yaml @@ -0,0 +1,4 @@ +creation_rules: +- path_regex: secrets.yaml + encrypted_regex: ^data$ + pgp: "F9AE1A45239C35E85249F8BFF0273FEC7C5D429A" diff --git a/helm/templates/pubgrade-webserver/deployment.yaml b/helm/templates/pubgrade-webserver/deployment.yaml index bd1cd44..e23f19f 100644 --- a/helm/templates/pubgrade-webserver/deployment.yaml +++ b/helm/templates/pubgrade-webserver/deployment.yaml 
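Review bot: `creation_rules` in the new `.sops.yaml` names a single `pgp` fingerprint as the only recipient, so loss of that one private key makes `secrets.yaml` unrecoverable and nobody else on the project can re-encrypt it. A second recipient in the same rule (a team or backup key, or an `age` key) is the usual safeguard. `path_regex: secrets.yaml` is unanchored and matches any path containing that string, which is presumably intended, and `encrypted_regex: ^data$` leaves `metadata` and `type` in clear, which is right for a Kubernetes Secret manifest. Since the file sits under `templates/`, Helm will try to render it unless it is ignored; a comment in the file stating that it must be excluded from packaging would save the next person a confusing error.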
@@ -51,6 +51,26 @@ spec: value: {{ .Values.pubgrade_webserver.volume.pathToMountedDir }} - name: PUBGRADE_URL value: {{ .Values.pubgrade_url }} + - name: GH_ACCESS_TOKEN + valueFrom: + secretKeyRef: + name: pubgrade-secret + key: gh_access_token + - name: COSIGN_PASSWORD + valueFrom: + secretKeyRef: + name: pubgrade-secret + key: cosign_password + - name: COSIGN_PRIVATE_KEY + valueFrom: + secretKeyRef: + name: pubgrade-secret + key: cosign_private_key + - name: INTERMEDIATE_REGISTRY_TOKEN + valueFrom: + secretKeyRef: + name: pubgrade-secret + key: intermediate_registry_token volumes: - name: pubgrade-storage persistentVolumeClaim: diff --git a/helm/templates/pubgrade-webserver/secrets-encrypted.yaml b/helm/templates/pubgrade-webserver/secrets-encrypted.yaml deleted file mode 100644 index a71ff49..0000000 --- a/helm/templates/pubgrade-webserver/secrets-encrypted.yaml +++ /dev/null 
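Review bot: `COSIGN_PRIVATE_KEY` is injected as an environment variable via `secretKeyRef` in this hunk, which exposes the signing key to every child process the webserver spawns and to anything that dumps the environment (crash reports, debug endpoints, `/proc/<pid>/environ`). A Secret volume mount with the file path passed in an environment variable is the lower-exposure way to deliver a private key; the short tokens (`GH_ACCESS_TOKEN`, `COSIGN_PASSWORD`, `INTERMEDIATE_REGISTRY_TOKEN`) are a more conventional fit for env. The four `key:` names do match the `data` keys of the `pubgrade-secret` manifest added in this commit. The enclosing container spec starts outside the hunk.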
@@ -1,37 +0,0 @@ -apiVersion: ENC[AES256_GCM,data:+vg=,iv:UnK74espS/z6fqJSyBMPhpw3t2s0a6f6IC0En1W0YpY=,tag:vv8Dg10rEAf0YOThpiwETQ==,type:str] -kind: ENC[AES256_GCM,data:IyZo+CSz,iv:zlpPQabpDtFzwydptd8O6kJ2GsNQH0fpMXgnXSQGYUw=,tag:RqlZ7j25H8v0+daXco/vfg==,type:str] -metadata: - name: ENC[AES256_GCM,data:yIuw4M3Sh97N,iv:jhddrS5kVViKh6GiMxUUdX4nwWcumRa5xrBLZj/U+7k=,tag:qoyRqRED2QeESyRCeI2oyA==,type:str] -type: ENC[AES256_GCM,data:i3GPrysL,iv:TTlqxNcRZqAfAw2BXq+p0Zdi0DWZc40A75zDVu8wznk=,tag:m6SRWfLMwRWxSJkPyCr2hg==,type:str] -data: - gh_access_token: ENC[AES256_GCM,data:hjRG1TjSH13D6jQsFl+j0o3UbMaMRgOw5/ea3xXzmuJDDZDT8tRpGA==,iv:+yJSIVk8xm6SmUhp7z6+/XIFwIQ0Li3UXbbpZjYAaHk=,tag:BIJ3KfH7phFMeOSlyS5t5w==,type:str] - cosign: - password: ENC[AES256_GCM,data:FHm1KLoG,iv:Gw6v3xnwB4ZuUYhJ2cutmZIaqsVUFxaDx0xRRE/j2OE=,tag:+x5PRFkTad6timBN7cRQdw==,type:str] - private_key: ENC[AES256_GCM,data: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,iv:Hfzw4vRY2k9wdHL/fz1yFUAiZ+aoxCvEUsADgBkE0gs=,tag:qZkQRg3KqLSVBTXT+/Sk2w==,type:str] - intermediate_registry_token: 
ENC[AES256_GCM,data:ShspPX4hEb3buruOe1FksQpkoa431YXUlDJrPk22BopEegfAphbfwcU9nCybgRCxW5OmQC3CfDTkBRF9U5jhhFGcW9k4P1pDz4A5IM8mOkUqAczGBTc5Zoi+2RD1QbWjFXLq+Bkg3hCV1eEKUWTQBMwn3eI+/ziEN80sqzN49yShDvAxMiPdy/WyYWpzy3wETXTi05XfQft2unovhLXwhBadbFp3jWCsfR69DkMOo/QXtyKM5Vfaa6HuuGGFJ8rtFb/p7d17bjlQMfdvbjd2wRlVanBlWPHqkePmrUEWYxv5zjxf5V6GpPq+Ww4OIZueuNRVdELhL0QJZHsPSuZRcDlnj1YPbu1DS1fo01vi5gF9TaOw2E4991Uat59cRm1m6n+s00TDoWvGRcs8jJ/1WV95pvVNfOghLOyhtutTUGfiXhT9Xlg8SLM3WQ77+GHlHkyrF1EqK7SXrEtwC7tW8ArdCiXsABcO+7bw9kOT4tGhqvVI8sjI7T41i4w3FhvDEUpBtA/RlkqJ23950uvv7urp+P4V0RDMppuiSl7Uis15BuX+RL6LmTRZYf/om9+t89DavaaiDHk/ppWzqB+VlOGOunjuj6r6yRYA1JRzD458TbYkb/8KIc9x68dsWERPQQCoFQh7A28tU3dJobPEXqMjVZHZ4xKZ/Y+bgeScgF/oayz2pj28XXRS5JKAzSRSmjWDErhOslGzQCaB1a4+VVNwVJ+wxti8zh+VRNdVxb5/msnEL8N95NqclB5VAeR8yYb6GcShywVQo6SYJXrOvjliHRXkBHQ4d5E4oxIITkAIe5OUfJ5a7zVwiuCSjQVQROhP1whzMH6upoa225nDFx0FPPVzoSPSkVa7IbjuyL3lrZX+FhiLwOtFIoCgeXNfIeYPx8NAM8+TneJKmb7+bmYIOERpFlkaHbyK21PFNeSTyf/r9yq7aB4ztflnV698P7S3khCQY5F79ZEfXdK0ail+aFl8vkTydAkYPx1LPUGFtvbqiCdA00rHQMJcNaHdPmlKV3o/VMgcMREAdF+vBlpggQA7SgeFrwQdCE/3K1YIEB5wpnOZGiiBEpVRWY+h6UyMJFXfw1GahaP2S5b0A+BPtBv8zPLAeDeS2xFaTtDS4yL6+kENwd++RM/drGDGq7SFCRaeA+PPBo7iGYjf3WHvkqBgv4BKYdv5jcd0Ok80KOUFMOyt6VyUyyRwNDc4CtCktIivbI8JJzAd3w4aWo7v5i6PAQCuNpkOtbVWz0Gv9b3mejgBZE7j9ykzlD1+vzTXo2UemOoDtmqLat8UYamS80py5F3ad92t8jGevbniUkvgBwhJgQl6joOS8XkoXTNZuFPVv+ooxYbUbYewMfbtMlA+66fDSXc2ZjFcXFLf8V+bROxj6LeQXLd6KgBEv1Kh6UpKnl1mZebLznfnZw6FENvWPjkUbllrP7filYNwh6ltiMZ4ELRb3O8HWq/qiBHtv9Igw3jm1ALPuBZdV0hr+DF+g1cnB++jkKW1tOM/DYknSJh0Rl9lye7qqHaGVreRrK6fKrzIqZK7B5Lt9vi1HX1vPrfO4eWzgwJNImc/Y8qeb06x+V1HIxIF3pevo7gpjzHo0P+h/S6TsqDRH8HNloNb/ZStUxdhIe03YRYKGxW3mR65rKc9R+cfFVaXbLr0SKB9O47K9MsOB8erwdTgwUm2huPW1S7yavgpZMTQez8bA3q4SFhS5WA3IiU3/Kih+GtrpSWltefmaRG2KiFJO/hmOuUPjie+C+nzgR3xml73wIsSKSs+yi/+N/HQUQQ85fYySzG8Qk/KL2o7QWsgf9pvIMmH9HDxYgQNy6B+dF5BGJyO/8wAjGOycm2OSA5qGH+MWviQBcD6LbNsip740LN6Vo8Ac6HZcmKUIz+9n9CdBxUdw6gH/F33Ux/bRN6AxcY9lTO+qOthmb5/2uxCN/Ue6u8eo8vrrMVnF96tyRc8osHYLhdlWgOS
QdDVJGYUuL4I61o3CPIS30j21GJCAyli86hfNl1Rk8XyzbDLeGMvBeVXElteYwMXsge3nBxr6pOV/clmqvK+yJb2D1pkDIiOqC2kjys6WZStG41x42To9r8k9mr3Mis+aucxTcBoRoSQKGnyx5tKeDYAErQnX6oV9g6rClxB9J6nbaxlVhT3H8+rmbOt+//WjlTQEJS2EIfgpjSGM76ulQrQ3XF26gU1FXWrweEAu8XUsAA8cOOGKoVUynexVfP1mX/XGQK29Q==,iv:8RtTe1zpuIjOT8SXzw9f7p0ujGOBA6WlZEcURhp6uaI=,tag:xvqjZnK3c2Q7VSsnQjYDaA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2024-12-08T13:05:45Z" - mac: ENC[AES256_GCM,data:Yvt6Oe0sgYgq6JkHKxrbNii0mgrW4h/AcnmldAtOsYXvhg79agCz2eyBebQQS6NBjbntoQ5TM4LWuozcFFvx3WxC3wBlstUEebryesLvBALes6bp7IE49LTYGuXdb8T8SHibl0NbI9npxXqVoq6wMKfDxM8q5yLQbWom40T8+Xc=,iv:1klt2GFXbH7XnColKW9Boh6J98cxfzYrcuSKwcryyw0=,tag:F+yAlAWgbYvOpnEDRug3Sw==,type:str] - pgp: - - created_at: "2024-12-08T13:05:45Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQEMAzQN8EMB5J0MAQf/XOX2aNGijbqJ8BfbK+SQqsLu8mKsaDVbqZkVHX9EyfQ/ - wcVb6CtHtbMFQmxuLbfelcRR1JaDHnFslscHgjLusLuapE/wfwGD1pKPDfMqq44b - OrpJDCUzA3dtfGxfYvMuf4o26KclHw0nm+nXljwI6r2iFho0o1nSTlMpTep6y4lW - w30nDMhHcCVMdAHkxWEZ7EFr8jWupFqdgmE1fo4T/SPBCHA+/hCwL54txBxKlpr9 - TgbfBzpzLZYHezuY1VadcIwwcw9sZUuo3a7+R79kC9KRfZPhwfLES9y9knI5qcfm - 3MTFIGLNbe4/W/ZYqaoWuMqW9PJnrFISO6whrAnFadRbAQkCEB67P5RibRRBvTLK - J1Y1xnYkqFJ8wGY1hBDcsOTNkDdQy3lZYWMqNTh2Q38B00kNKS90kQbXyRhlAk7/ - 4BBdr31K+FXgc+xAT4TMfhpZ50+2iV9N4uistA== - =g5PB - -----END PGP MESSAGE----- - fp: F9AE1A45239C35E85249F8BFF0273FEC7C5D429A - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/helm/templates/pubgrade-webserver/secrets.yaml b/helm/templates/pubgrade-webserver/secrets.yaml new file mode 100644 index 0000000..c6a56ab --- /dev/null +++ b/helm/templates/pubgrade-webserver/secrets.yaml 
@@ -0,0 +1,36 @@ +apiVersion: v1 +kind: Secret +metadata: + name: pubgrade-secret +type: Opaque +data: + gh_access_token: ENC[AES256_GCM,data:2yc5lVS/GBEb4ThSWPs/m/nppPF+0A2wYvVHpU8iKn9r9mPBIf2O2Q==,iv:haeqq8K2Xpsc+qLc0XHpWON7+1GUcN6PuXLMfCHddS4=,tag:6na+yGbfj/Bp1RaJJnoMPA==,type:str] + cosign_password: ENC[AES256_GCM,data:Yo4uOwUy,iv:VX4Mn0bsZQrsQUEI7PpxiQPaZjDh84kn1ZLf3ErkQAc=,tag:1sN4AW7Yf9y9NO82A+XwMg==,type:str] + cosign_private_key: ENC[AES256_GCM,data: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,iv:0L4MmRjbjZL/r/GMG/u2iSsu5AEAF1356RjuAcO89bI=,tag:gnJVVu/X/Y1YL0k+c4wqyg==,type:str] + intermediate_registry_token: ENC[AES256_GCM,data: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,iv:ZNmFf8VH/DCX1H4Cgn+fkurHU+1WTnVaZdZ/PwlLaBQ=,tag:fopkf8QhJqQhTH3qCmE6xA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2024-12-08T18:28:08Z" + mac: ENC[AES256_GCM,data:t26s0FbeXWLvRfOLli17bCDKxvIrnpVPxeJR+rjH/xog20K4FQlIvEN3leClO5Lo0uO31zilWN/+uf2vsy24WKrlys2PVp3yJL3+1j73aEkr23H/U8llJncKJ33BKyoRsk+Y1RbWcLwmRk3ZIVQDiDOkeInrWQkfzcknRisBEQE=,iv:Frl1elx9tfrMHOGrVIUBPhy85eXHUfNnv3xepuNVLhs=,tag:XzrMINnH+A+DJHAxZOh7fA==,type:str] + pgp: + - created_at: "2024-12-08T18:28:08Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQEMAzQN8EMB5J0MAQf9FpIhmkLe8SwOB+2A1UGwAXUAOllkyb6qQkkr3xlaTqvL + hxwxNKvQDlXM90puLJcPndI9je84bp5kwogvllxiaKm3lEE8oOHLlI0Uc6CYG64w + ZBf4XpRxk2e2XbIc9MFBZBjKNMWLMgl8QjA0UiUIvcopwxDmMYEPFME+SF3Oh5yg + b1MHL/0K19xmtoUjxvmL59MeRq51X+BR2iJSr5wmrEy+aiMAKGQ6pmkGHBfb2pYo + ArdLZu9eISH9/4odAcbjIlXKCx4i76g6LI762v/oB8aoIEhrM7Sb0ilXf68DoNSL + UGHGQfJ9pGe0l0Hh3htbWmp2Or3YuKlwtWpW/YF5stRmAQkCEFTOeFjXItCjHTto + QziUZYejk1aW6mcMGO/YN4OIq439I6U3K4wHCmspk3UvZ2cpRrImCikzwyTLZ5OI + jN56EnuJH+Dyn+mCB04Jlt6UZIUZI6/meUcmE6Td5ViR8KIxTyvw + =W6LG + -----END PGP MESSAGE----- + fp: F9AE1A45239C35E85249F8BFF0273FEC7C5D429A + encrypted_regex: ^data$ + version: 3.7.3 
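Review bot: The encrypted values in the new `secrets.yaml` sit under `data:`, and Kubernetes requires every `data` value to be base64 once sops has decrypted it; if the plaintexts are the raw token strings and the PEM-formatted cosign key (as the deleted `pubgrade/secrets.py` held them), the apply will be rejected or produce garbage. Either base64 the plaintexts before encrypting, or switch to `stringData:` and widen the rule to `encrypted_regex: ^(data|stringData)$`. The chart itself contains no decryption step, so presumably `helm secrets` or `sops` is run before install; a one-line comment at the top of the file stating how it is decrypted and re-encrypted would help whoever deploys next.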
diff --git a/pubgrade/modules/endpoints/builds.py b/pubgrade/modules/endpoints/builds.py index dc1457b..444199f 100644 --- a/pubgrade/modules/endpoints/builds.py +++ b/pubgrade/modules/endpoints/builds.py @@ -24,7 +24,6 @@ ) from pubgrade.modules.endpoints.repositories import generate_id from pubgrade.modules.endpoints.subscriptions import notify_subscriptions -from pubgrade.utils.decrypt_secrets import load_secrets logger = logging.getLogger(__name__) @@ -414,7 +413,7 @@ def create_dockerhub_config_file( } }""" ) % (intermediate_registry_format.split("/", 1)[0], - load_secrets()["secrets"]["intermediate_registry_token"] ) + os.get_env("INTERMEDIATE_REGISTRY_TOKEN") ) f = open(config_file_location, "w") f.write(template_config_file) f.close() @@ -575,10 +574,10 @@ def trigger_signing_image(dockerhub_token: str, payload = json.dumps({ "event_type": "sign-image", "client_payload": { - "cosign_key": load_secrets()["secrets"]["cosign"]["private_key"], + "cosign_key": os.getenv("COSIGN_PRIVATE_KEY"), "docker_username": username, "docker_password": password, - "cosign_password": load_secrets()["secrets"]["cosign"]["password"], + "cosign_password": os.getenv("COSIGN_PASSWORD"), "image_path": image_path, "pull_tag": pull_tag, "push_tag": push_tag, @@ -587,7 +586,7 @@ def trigger_signing_image(dockerhub_token: str, }) headers = { 'Accept': 'application/vnd.github+json', - 'Authorization': 'Bearer {}'.format(load_secrets["secrets"]["gh_access_token"]), + 'Authorization': 'Bearer {}'.format(os.getenv("GH_ACCESS_TOKEN")), 'X-GitHub-Api-Version': '2022-11-28', 'Content-Type': 'application/json' } diff --git a/pubgrade/utils/__init__.py b/pubgrade/utils/__init__.py deleted file mode 100644 index e69de29..0000000 diff --git a/pubgrade/utils/decrypt_secrets.py b/pubgrade/utils/decrypt_secrets.py deleted file mode 100644 index ec1a9e2..0000000 --- a/pubgrade/utils/decrypt_secrets.py +++ /dev/null 
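Review bot: `os.get_env("INTERMEDIATE_REGISTRY_TOKEN")` in the `@@ -414,7 +413,7 @@` hunk does not exist in the `os` module and raises `AttributeError` at runtime; the other two hunks use the correct `os.getenv`. The import hunk `@@ -24,7 +24,6 @@` removes `load_secrets` but adds no `import os`, so confirm `os` is already imported at the top of `builds.py`. `os.getenv` returns `None` when the variable is unset, which here silently yields `'Bearer None'` and a `None` `cosign_key` in the dispatch payload; reading with `os.environ["GH_ACCESS_TOKEN"]` (and likewise for the other three) fails fast with a clear `KeyError` at the point of use. Both enclosing functions start outside their hunks.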
@@ -1,20 +0,0 @@ -import subprocess -import yaml - -def load_secrets(): - file_path = "../../helm/templates/pubgrade-webserver/secrets-encrypted.yaml" - try: - decrypted_output = subprocess.check_output(["sops", "--decrypt", file_path]) - secrets = yaml.safe_load(decrypted_output) - return secrets - except Exception as e: - print(f"Error decrypting or loading secrets: {e}") - return None - -# from pubgrade.utils.decrypt_secrets import load_secrets -# print(load_secrets["secrets"]["gh_access_token"]) - - - -if __name__ == "__main__": - print(load_secrets()["secrets"]["cosign"]["private_key"]) \ No newline at end of file From f3e649362a1d71c8a58386afbbd4e6ecf6362a2c Mon Sep 17 00:00:00 2001 From: akash2237778 Date: Mon, 9 Dec 2024 00:14:32 +0530 Subject: [PATCH 3/6] changes to Dockerfile --- Dockerfile | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/Dockerfile b/Dockerfile index af36317..9f42f34 100644 --- a/Dockerfile +++ b/Dockerfile @@ -13,16 +13,6 @@ LABEL maintainer.organisation="ELIXIR Cloud & AAI" RUN groupadd -r pubgrade --gid 1000 && useradd -d /home/pubgrade -ms /bin/bash -r -g pubgrade pubgrade --uid 1000 -RUN apt update && apt install -y \ - curl \ - gnupg \ - && apt clean && rm -rf /var/lib/apt/lists/* - -ENV SOPS_VERSION v3.8.0 - -RUN curl -Lo /usr/local/bin/sops https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux.amd64 && \ - chmod +x /usr/local/bin/sops - ## Copy remaining app files COPY --chown=1000:1000 ./ /app From 997f23b544693bfde45898b10e5f2c03717a79e0 Mon Sep 17 00:00:00 2001 From: akash2237778 Date: Mon, 9 Dec 2024 00:18:40 +0530 Subject: [PATCH 4/6] removed kubeconfig --- .../pubgrade-webserver/deployment.yaml | 43 ------------------- 1 file changed, 43 deletions(-) diff --git a/helm/templates/pubgrade-webserver/deployment.yaml b/helm/templates/pubgrade-webserver/deployment.yaml index e23f19f..b54bde8 100644 --- a/helm/templates/pubgrade-webserver/deployment.yaml 
+++ b/helm/templates/pubgrade-webserver/deployment.yaml @@ -16,21 +16,6 @@ spec: automountServiceAccountToken: true securityContext: runAsUser: {{ .Values.pubgrade_webserver.securityContext.runAsUser }} - initContainers: - - name: gpg-setup - image: debian:bullseye - command: - - "/bin/bash" - - "-c" - - > - apt-get update && - apt-get install -y gnupg && - mkdir -p /root/.gnupg && - gpg --import /tmp/gpg/private-key.asc && - gpg --import /tmp/gpg/public-key.asc; - volumeMounts: - - name: gpg-keys - mountPath: /tmp/gpg containers: - name: pubgrade imagePullPolicy: {{ .Values.pubgrade_webserver.imagePullPolicy }} @@ -75,31 +60,3 @@ spec: - name: pubgrade-storage persistentVolumeClaim: claimName: {{ .Values.pubgrade_webserver.volume.pvcName }} - - name: gpg-keys - secret: - secretName: gpg-secret - - name: gpg-keyring - emptyDir: {} - - - -apiVersion: v1 -kind: Config -clusters: -- name: "kuba-cluster" - cluster: - server: "https://rancher.cloud.e-infra.cz/k8s/clusters/c-m-qvndqhf6" - -users: -- name: "kuba-cluster" - user: - token: "kubeconfig-u-l42egxdec69j9jp:tjf64q62tw65jl9wz64mbtqk88t5snzdh8ll2xsp68jkcj7n7nwrcg" - - -contexts: -- name: "kuba-cluster" - context: - user: "kuba-cluster" - cluster: "kuba-cluster" - -current-context: "kuba-cluster" From 069a8c6cef82ca254795d33f4eb775de9b3123ef Mon Sep 17 00:00:00 2001 From: akash2237778 Date: Mon, 9 Dec 2024 01:27:36 +0530 Subject: [PATCH 5/6] fix helm chart --- helm/.helmignore | 1 + helm/Chart.yaml | 2 +- .../pubgrade-build-complete-updater/deployment.yaml | 11 ++++++++++- helm/templates/pubgrade-webserver/deployment.yaml | 12 ++++++++---- helm/templates/pubgrade-webserver/secrets.yaml | 12 ++++++------ helm/values.yaml | 4 ++-- 6 files changed, 28 insertions(+), 14 deletions(-) create mode 100644 helm/.helmignore diff --git a/helm/.helmignore b/helm/.helmignore new file mode 100644 index 0000000..e9fb551 --- /dev/null +++ b/helm/.helmignore @@ -0,0 +1 @@ +.sops.yaml \ No newline at end of file 
diff --git a/helm/Chart.yaml b/helm/Chart.yaml index cc520da..0a43a28 100644 --- a/helm/Chart.yaml +++ b/helm/Chart.yaml @@ -1,4 +1,4 @@ -apiVersion: v2 +apiVersion: v1 name: pubgrade description: A Helm chart for Kubernetes type: application diff --git a/helm/templates/pubgrade-build-complete-updater/deployment.yaml b/helm/templates/pubgrade-build-complete-updater/deployment.yaml index fa4f4ac..8277237 100644 --- a/helm/templates/pubgrade-build-complete-updater/deployment.yaml +++ b/helm/templates/pubgrade-build-complete-updater/deployment.yaml @@ -16,7 +16,16 @@ spec: automountServiceAccountToken: true containers: - image: {{ .Values.pubgrade_build_complete_updater.image }} - name: pubgrade_build_complete_updater + name: pubgrade-build-complete-updater + securityContext: + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + runAsUser: {{ .Values.pubgrade_webserver.securityContext.runAsUser }} + runAsNonRoot: true imagePullPolicy: {{ .Values.pubgrade_build_complete_updater.imagePullPolicy }} env: - name: NAMESPACE diff --git a/helm/templates/pubgrade-webserver/deployment.yaml b/helm/templates/pubgrade-webserver/deployment.yaml index b54bde8..3d16cd4 100644 --- a/helm/templates/pubgrade-webserver/deployment.yaml +++ b/helm/templates/pubgrade-webserver/deployment.yaml 
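Review bot: `apiVersion: v2` is reverted to `v1` in the `Chart.yaml` hunk, undoing the change made in PATCH 2 of this same series, while `type: application` stays in the file. `type` is a Chart.yaml field that arrived with `apiVersion: v2`; under `v1` it is, as far as I can tell, ignored rather than rejected, so either the bump to `v2` should stand or the `type` line should go, and the commit message should say which Helm version the chart targets.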
@@ -14,19 +14,23 @@ spec: spec: serviceAccountName: {{ .Values.pubgrade_webserver.serviceAccountName }} automountServiceAccountToken: true - securityContext: - runAsUser: {{ .Values.pubgrade_webserver.securityContext.runAsUser }} containers: - name: pubgrade imagePullPolicy: {{ .Values.pubgrade_webserver.imagePullPolicy }} image: {{ .Values.pubgrade_webserver.image }} + securityContext: + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + runAsUser: {{ .Values.pubgrade_webserver.securityContext.runAsUser }} ports: - containerPort: {{ .Values.pubgrade_webserver.port }} volumeMounts: - mountPath: {{ .Values.pubgrade_webserver.volume.pathToMountedDir }} name: pubgrade-storage - - mountPath: /root/.gnupg - name: gpg-keyring env: - name: NAMESPACE value: {{ .Release.Namespace }} diff --git a/helm/templates/pubgrade-webserver/secrets.yaml b/helm/templates/pubgrade-webserver/secrets.yaml index c6a56ab..0a62529 100644 --- a/helm/templates/pubgrade-webserver/secrets.yaml +++ b/helm/templates/pubgrade-webserver/secrets.yaml 
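Review bot: The container `securityContext` added in this hunk drops all capabilities, sets `allowPrivilegeEscalation: false` and a `RuntimeDefault` seccomp profile, but omits `runAsNonRoot: true`, which the `pubgrade-build-complete-updater` container receives in the same commit. Without it a `runAsUser` of `0` coming from `values.yaml` is accepted silently; adding `runAsNonRoot: true` under the same block keeps the two containers consistent and lets the kubelet refuse a root UID. `readOnlyRootFilesystem: true` is worth trying as well, since the writable data appears to live on the `pubgrade-storage` mount. The surrounding pod spec starts outside the hunk.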
@@ -4,18 +4,18 @@ metadata: name: pubgrade-secret type: Opaque data: - gh_access_token: ENC[AES256_GCM,data:2yc5lVS/GBEb4ThSWPs/m/nppPF+0A2wYvVHpU8iKn9r9mPBIf2O2Q==,iv:haeqq8K2Xpsc+qLc0XHpWON7+1GUcN6PuXLMfCHddS4=,tag:6na+yGbfj/Bp1RaJJnoMPA==,type:str] - cosign_password: ENC[AES256_GCM,data:Yo4uOwUy,iv:VX4Mn0bsZQrsQUEI7PpxiQPaZjDh84kn1ZLf3ErkQAc=,tag:1sN4AW7Yf9y9NO82A+XwMg==,type:str] - cosign_private_key: ENC[AES256_GCM,data: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,iv:0L4MmRjbjZL/r/GMG/u2iSsu5AEAF1356RjuAcO89bI=,tag:gnJVVu/X/Y1YL0k+c4wqyg==,type:str] - intermediate_registry_token: ENC[AES256_GCM,data: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,iv:ZNmFf8VH/DCX1H4Cgn+fkurHU+1WTnVaZdZ/PwlLaBQ=,tag:fopkf8QhJqQhTH3qCmE6xA==,type:str] + gh_access_token: ENC[AES256_GCM,data:UBkjenltnbZYbVABRxQU94C5sjfN/qSqfsp21QgHKdCfGb3T38HoAxyJJYkIAqCWW1/yellZEqQ=,iv:SOozTjfhKVZMf4yoMldAB7jbGQQp3MGabG+Xj6CcSJQ=,tag:dFoj8Dqnv8NJHqCXslQcIg==,type:str] + cosign_password: ENC[AES256_GCM,data:nPLDBdTyE4g=,iv:1CnDCgprepOADS3gCgYmsHY5R4cKukIgVNVmPyHflwA=,tag:7ZVLeGM6Fo8/bc/lDtvXsQ==,type:str] + cosign_private_key: ENC[AES256_GCM,data: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,iv:IxnskDR1kLDIq8hr1YkHR9GoaseXzcO0dvym5pfkVuw=,tag:wUPmqj34n4MQEoexaZs//Q==,type:str] + intermediate_registry_token: ENC[AES256_GCM,data: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,iv:9ndRqNZc+eyRN/LZq772QqT40gM0qT1G3mNzbpwl/88=,tag:FOatS78EDjePcm9nF206PA==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: [] - lastmodified: "2024-12-08T18:28:08Z" - mac: ENC[AES256_GCM,data:t26s0FbeXWLvRfOLli17bCDKxvIrnpVPxeJR+rjH/xog20K4FQlIvEN3leClO5Lo0uO31zilWN/+uf2vsy24WKrlys2PVp3yJL3+1j73aEkr23H/U8llJncKJ33BKyoRsk+Y1RbWcLwmRk3ZIVQDiDOkeInrWQkfzcknRisBEQE=,iv:Frl1elx9tfrMHOGrVIUBPhy85eXHUfNnv3xepuNVLhs=,tag:XzrMINnH+A+DJHAxZOh7fA==,type:str] + lastmodified: "2024-12-08T19:37:28Z" + mac: 
ENC[AES256_GCM,data:IkE6gD5WMsK7cnOj6+LigbqrMqoQkwKR0tFd4pTBuxYVuioRWMiTu2ureIy5M51y3PQx+SvigJwh0arfprpo73LsRusHhD7Y6tw0fBm21D9+P5sroZEWlyTv8u+cZJ/5EHOJTOqIdU+7xkw9TqLS6B3pVdbFmct6elZYBeZMuP4=,iv:RBJFs1naCz31N4/CLTIaPhlqRaY29JpBRcNLBbFPO0Y=,tag:qfXfTNvfBmXSrEi/xxAK9w==,type:str] pgp: - created_at: "2024-12-08T18:28:08Z" enc: | diff --git a/helm/values.yaml b/helm/values.yaml index 7753aeb..7061faf 100644 --- a/helm/values.yaml +++ b/helm/values.yaml @@ -21,7 +21,7 @@ pubgrade_mongodb: deployLocalPv: false name: mongodb-storage claimName: mongo-pvc - storageActive: true + storageActive: false storageClass: manual size: 2Gi pathToLocalDir: /tmp/mongo-pv @@ -47,7 +47,7 @@ pubgrade_webserver: pvcName: pubgrade-pvc storageClass: manual size: 2Gi - storage_active: true + storage_active: false ingress: enabled: true From a2aee851dcc33dbb51e32811c84db739c34a8f38 Mon Sep 17 00:00:00 2001 From: akash2237778 Date: Mon, 9 Dec 2024 02:21:01 +0530 Subject: [PATCH 6/6] rancher changes --- .../pubgrade-build-complete-updater/deployment.yaml | 9 --------- helm/templates/pubgrade-webserver/pvc.yaml | 4 ++-- helm/values.yaml | 8 ++++---- 3 files changed, 6 insertions(+), 15 deletions(-) diff --git a/helm/templates/pubgrade-build-complete-updater/deployment.yaml b/helm/templates/pubgrade-build-complete-updater/deployment.yaml index 8277237..9b63291 100644 --- a/helm/templates/pubgrade-build-complete-updater/deployment.yaml +++ b/helm/templates/pubgrade-build-complete-updater/deployment.yaml @@ -17,15 +17,6 @@ spec: containers: - image: {{ .Values.pubgrade_build_complete_updater.image }} name: pubgrade-build-complete-updater - securityContext: - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - runAsUser: {{ .Values.pubgrade_webserver.securityContext.runAsUser }} - runAsNonRoot: true imagePullPolicy: {{ .Values.pubgrade_build_complete_updater.imagePullPolicy }} env: - name: NAMESPACE 
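Review bot: All four values in the `@@ -4,18 +4,18 @@` hunk of `secrets.yaml` are re-encrypted with ciphertexts of different lengths, which suggests the underlying plaintexts changed; if they were rotated because earlier values had been exposed, the commit message should say so. The same consideration applies to the kubeconfig bearer token that PATCH 4 deleted from `deployment.yaml`: removing the line does not remove it from git history, so that token needs to be revoked on the cluster side regardless of the rotation here. The values remain under `data:`, so the decrypted plaintexts must be base64 strings for the Secret to apply. The hunk ends inside the `pgp` block, which continues below it.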
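Review bot: The `@@ -17,15 +17,6 @@` hunk removes the entire container `securityContext` (seccomp `RuntimeDefault`, `drop: - ALL`, `allowPrivilegeEscalation: false`, `runAsNonRoot: true`) that PATCH 5 added to `pubgrade-build-complete-updater`, so the updater now runs with cluster defaults while the webserver keeps its hardened context. If the container must run as root or needs a specific capability on the target cluster, the better fix is to keep the block and relax only the offending field, with a comment naming the reason; dropping it wholesale under the commit message `rancher changes` leaves no record of why. If instead the block failed because `.Values.pubgrade_webserver.securityContext.runAsUser` is the wrong UID for this component, give the updater its own `securityContext` value rather than borrowing the webserver's.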
diff --git a/helm/templates/pubgrade-webserver/pvc.yaml b/helm/templates/pubgrade-webserver/pvc.yaml index 42f3706..3408b08 100644 --- a/helm/templates/pubgrade-webserver/pvc.yaml +++ b/helm/templates/pubgrade-webserver/pvc.yaml @@ -11,7 +11,7 @@ spec: capacity: storage: {{ .Values.pubgrade_webserver.volume.size }} accessModes: - - ReadWriteOnce + - ReadWriteMany hostPath: path: {{ .Values.pubgrade_webserver.volume.pathToLocalDir }} {{ end }} @@ -23,7 +23,7 @@ metadata: spec: storageClassName: {{ .Values.pubgrade_webserver.volume.storageClass }} accessModes: - - ReadWriteOnce + - ReadWriteMany resources: requests: storage: {{ .Values.pubgrade_webserver.volume.size }} diff --git a/helm/values.yaml b/helm/values.yaml index 7061faf..3d2f0e4 100644 --- a/helm/values.yaml +++ b/helm/values.yaml @@ -21,8 +21,8 @@ pubgrade_mongodb: deployLocalPv: false name: mongodb-storage claimName: mongo-pvc - storageActive: false - storageClass: manual + storageActive: true + storageClass: nfs-csi size: 2Gi pathToLocalDir: /tmp/mongo-pv securityContext: @@ -45,9 +45,9 @@ pubgrade_webserver: pathToMountedDir: /pubgrade_temp_files pathToLocalDir: /tmp/pubgrade-pv pvcName: pubgrade-pvc - storageClass: manual + storageClass: nfs-csi size: 2Gi - storage_active: false + storage_active: true ingress: enabled: true
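Review bot: Both hunks in `pvc.yaml` switch `accessModes` to `ReadWriteMany`, including the first hunk's `hostPath` PersistentVolume that is rendered when the local-PV branch is enabled; a hostPath volume is node-local, so advertising RWX on it promises multi-node shared access it cannot deliver. Keep the hostPath PV at `ReadWriteOnce`, or make the mode a value such as `{{ .Values.pubgrade_webserver.volume.accessMode }}` that defaults to RWO for `manual` and is set to RWX only when `storageClass` is `nfs-csi`, as the values hunk below now configures. The `{{ if ... }}` guarding the PV starts outside the hunk.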