🐲 build-watcher deployment manifests for amun inspections (#785)

Signed-off-by: Harshad Reddy Nalla <[email protected]>

Author: harshad16

build-watcher/base/deploymentconfig.yaml

@@ -93,22 +93,22 @@ spec:
               # provide credentials:
             - name: THOTH_SRC_REGISTRY_USER
               valueFrom:
-                configMapKeyRef:
+                secretKeyRef:
                   key: thoth-src-registry-user
                   name: build-watcher
             - name: THOTH_SRC_REGISTRY_PASSWORD
               valueFrom:
-                configMapKeyRef:
+                secretKeyRef:
                   key: thoth-src-registry-password
                   name: build-watcher
             - name: THOTH_DST_REGISTRY_USER
               valueFrom:
-                configMapKeyRef:
+                secretKeyRef:
                   key: thoth-dst-registry-user
                   name: build-watcher
             - name: THOTH_DST_REGISTRY_PASSWORD
               valueFrom:
-                configMapKeyRef:
+                secretKeyRef:
                   key: thoth-dst-registry-password
                   name: build-watcher
             - name: THOTH_BUILD_ANALYSIS_NO_BASE_IMAGE

build-watcher/base/kustomization.yaml

@@ -5,7 +5,6 @@ resources:
   - imagestreamtag.yaml
   - serviceaccount.yaml
   - role.yaml
-  - role_binding.yaml
   - deploymentconfig.yaml
 commonLabels:
   app.kubernetes.io/name: thoth

build-watcher/base/role.yaml

@@ -18,3 +18,26 @@ rules:
       - get
       - list
       - watch
+  - apiGroups:
+      - ""
+      - image.openshift.io
+    resources:
+      - imagestreamimages
+      - imagestreammappings
+      - imagestreams
+      - imagestreamtags
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+      - build.openshift.io
+    resources:
+      - buildconfigs
+      - builds
+      - builds/log
+    verbs:
+      - get
+      - list
+      - watch

build-watcher/overlays/amun-api/configmap.yaml

@@ -4,22 +4,27 @@ kind: ConfigMap
 metadata:
   name: build-watcher
 data:
-  thoth-watched-namespace: ""
-  thoth-environment-type: ""
-  thoth-push-registry: ""
-  thoth-user-api-host: ""
-  thoth-analyze-exising: ""
-  thoth-src-registry-user: ""
-  thoth-src-registry-password: ""
-  thoth-dst-registry-user: ""
-  thoth-dst-registry-password: ""
-  thoth-no-tls-verify: "0"
-  thoth-build-watcher-workers: "1"
+  build-analysis-no-build-log: "0"
+  # We do not need to extract packages out of container images. We have
+  # inspection specification where all the relevant information can be found.
+  # No need to add these data to the database.
+  build-analysis-no-base-image: "1"
+  build-analysis-no-output-image: "1"
+  kubernetes-verify-tls: "0"
+  log-build-watcher: "INFO"
+  logging-no-json: "0"
+  thoth-watched-namespace: "thoth-amun-inspection-stage"
+  thoth-environment-type: "runtime"
+  thoth-user-api-host: "khemenu.thoth-station.ninja"
+  thoth-push-registry: "quay.io/thoth-station/image-store"
+  thoth-pass-token: "1"
   thoth-no-source-registry-tls-verify: "0"
   thoth-no-destination-registry-tls-verify: "0"
-  thoth-pass-token: "0"
+  thoth-no-tls-verify: "0"
+  thoth-analyze-exising: "1"
+  thoth-build-watcher-workers: "1"
   thamos-disable-tls-warning: "0"
-  thoth-deployment-name: ""
+  thoth-deployment-name: "ocp4-stage"
   sentry-dsn: ""
   prometheus-pushgateway-host: "pushgateway-dh-prod-monitoring.cloud.datahub.psi.redhat.com"
   prometheus-pushgateway-port: "80"

build-watcher/overlays/amun-api/kustomization.yaml

@@ -3,9 +3,14 @@ kind: Kustomization
 resources:
   - ../../base
   - thoth-notification.yaml
+  - role-binding.yaml
 patchesStrategicMerge:
   - configmap.yaml
   - imagestreamtag.yaml
+generatorOptions:
+  disableNameSuffixHash: true
+generators:
+  - ./secret-generator.yaml
 patchesJson6902:
   - path: job-generate-name.yaml
     target:
@@ -19,3 +24,15 @@ patchesJson6902:
       version: v1
       kind: Job
       name: chat-notification-fail-
+  - path: put-into-inspection-namespace.yaml
+    target:
+      group: rbac.authorization.k8s.io
+      version: v1
+      kind: Role
+      name: build-watcher
+  - path: put-into-inspection-namespace.yaml
+    target:
+      group: rbac.authorization.k8s.io
+      version: v1beta1
+      kind: RoleBinding
+      name: build-watcher

build-watcher/overlays/amun-api/put-into-inspection-namespace.yaml

@@ -0,0 +1,3 @@
+- op: add
+  path: /metadata/namespace
+  value: thoth-amun-inspection-stage

build-watcher/base/role_binding.yaml build-watcher/overlays/amun-api/role-binding.yaml

@@ -7,9 +7,7 @@ roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: build-watcher
-# roleRef:
-#   kind: ClusterRole
-#   name: edit
 subjects:
   - kind: ServiceAccount
     name: build-watcher
+    namespace: thoth-amun-api-stage

build-watcher/overlays/amun-api/secret-generator.yaml

@@ -0,0 +1,6 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: thoth-secret-generator
+files:
+  - ./secrets.enc.yaml

build-watcher/overlays/amun-api/secrets.enc.yaml

@@ -0,0 +1,115 @@
+apiVersion: v1
+items:
+-   apiVersion: v1
+    data:
+        thoth-src-registry-user: ""
+        thoth-src-registry-password: ""
+        thoth-dst-registry-user: ENC[AES256_GCM,data:dh7L0SKKJLNo2Ur0+cZLS1EYwT2V9dSAjh+v,iv:Ba8F+uETL6JJlzqAqHSYII+tvQXOPKDfrFKOB84Zn1s=,tag:TnCBLbAE/P9BH9rKWKI2Yg==,type:str]
+        thoth-dst-registry-password: ENC[AES256_GCM,data:VYKbxmypQ1amw5sI4U6AVLsPNj99gJ/Y1CIwSz6/GE/YMAxr9Ac3Kjn14kEDAVjbYxpJCYMMRhUVYwL4qOenJw==,iv:/Rys+LhdGjdvmEjf7IkDBS6F/jhZhmwkGY814sow/zA=,tag:Sm7ryLNkkAjaeonrbPSxjA==,type:str]
+    kind: Secret
+    metadata:
+        name: build-watcher
+    type: Opaque
+kind: List
+metadata:
+    resourceVersion: ""
+    selfLink: ""
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    lastmodified: '2021-01-22T18:58:48Z'
+    mac: ENC[AES256_GCM,data:hzVfAABdbul0QpcvJO+KD3CsK5N6mwh1eaW/efqMHBSkGSVp85O5KqIXAlg4XGnc42I1sS5Lwc2BviGSUdKPRQzpF8Pyw5HWM5FhcITYtwLHjhlW+42lF1N9w9Qzr1IfXLIIUjDgsHW983c4oP4aP0umBlLQXZWWNIGons2TH7g=,iv:1zlWDEAPJb0/aiEypzKmVfsiSG84+pyDcqO9UoLXAmw=,tag:C4UqUqTHLKu9ofAqaH8Dhg==,type:str]
+    pgp:
+    -   created_at: '2021-01-22T18:58:47Z'
+        enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA1gbAjViyxWYAQ/+KpqixWQnOBYKVHaIobRnSyDzdd6KHgMnLlmDxHcOlRj4
+            nSlCTGrtibFzR51wrVANurTmA6wmLNanfS05rQgIKyvBuhshAemVVXrgZ3qgY4/l
+            q0NZ5ShmANJzte16rk0pXqUj/SL+kVlHtNS/ZRldQ+uz9IA/s3WxDqcIAnYywhXl
+            AiQ33fXAGu23MyC/IiIXtbazfbyzoG5J45Ptu+9qS4aGGKTvBlnApkz8+/vhUhSr
+            g6FursAQbeSGRN4f75/83xnqGtXgm+WKREYhPz6urf11gQEsg++G8lyeQW6o7edF
+            s4KOAAiqFnIFUN3jonNCrVk8G0bvdisj1zGjxlYAZ+vCubgUkJFVkyZQ5f8xpA9n
+            sxQS6p/7Jcj395sR6AYF+Y2RwE4J/Z0bFwRk/REBto1kzG4liOwDndzScjYA2aBp
+            8QKvYb7BMa5NNMVrphyWlEnyi3dWH3c7WOeISHoX9rNz5wItndOSFb8hxXv0geQ7
+            9VWsS+AEQZdTBdhQWAUotFCbaqZcU51kBU1UT8yijX+sBaV3cD/haZsab+bPHnP5
+            6KKPFtUi5SPahermZBOhvhoyWnSQEDonAzYgC9lr0UdTYMD4AnfyGWaP33r1QUpO
+            uuY3qXLRQ0yElU5gjWx5Yxi8qjwHCath+7M9jYgIjwAU8wmxL7KesRwWSXOZF5HS
+            XAEAXinq0joSMl5kTgqAyoXOlEM3toDsnloOw7qDkNDMJT5qMyhKYVlG5BrPE9Rx
+            32gtpIaOZNmGHqMcWOPg74p958bGQma4zdIM/eN6dxsk1l8D82t9WaCYxzAm
+            =z5fZ
+            -----END PGP MESSAGE-----
+        fp: 34AFE2A7C8E00ED66916D95DA9FBD7DE773B2A34
+    -   created_at: '2021-01-22T18:58:47Z'
+        enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQEMA+/WpawS9RPbAQf/fhuIKOXlT+2oiOnGxXaFo0cBiQehLsWL9LDaPTgpYCJi
+            /vCfcbzM0LyXbE6sMU+1yKg26fHXcHaXU6OxWLBnoGjFfMIyyKIuSWRdX9Nt0bqU
+            MJZqeqGKwPElhmDTrB5op15U3vYCRpoZ2RfHdM4hYHlf8CVVrA+cl1qjkt2s36pH
+            g3hjT4k1mEyynEZ2GPkg3hTCFlKmr9YrurmKC8zyHzlO1SHe2qTHRiDL1We/sRPg
+            U17C7lItomBtV1kd3UCk0QiMHGmyUqMw9W/NuNUcS3gpN6XdXTGdZgnDlddqGFeV
+            wl5XkLMi/E0v7nGggLbdwfVndMmmWgX0UFFiI8gVS9JcAUoTgRHdSeU3RWScegjY
+            XmkcTrSHhMFmaQARyMEoiuXwkezraTu7h2HRY0+xAg2UIO5D31++y0NpgqV4mYls
+            /4W02aWtDsMKJv5vy+DrEAZYa8PIBkcSpuC3mtA=
+            =vFgl
+            -----END PGP MESSAGE-----
+        fp: 87FC5D0ACF3AA48FCC029086262A80E41BCEEBF7
+    -   created_at: '2021-01-22T18:58:47Z'
+        enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQEMA/irrHa183bxAQf+PAbaRVRlKB6CEy5uc6+6Q110h2+vWdYBn8sO7P4vPc4B
+            BuH65IdZCtU/Cqg3KbgzKjxCCoBCQWgGLTx6aqyMEOlZS11Rmdd/wsud30XKJw5x
+            X6lCjkumUFGwD45LiY9xGMOt8kMGmvFupSo+bD1hTrpqVLd5iVhruDyFrSVvMzbd
+            pMdp3LeUG+InStumPX70tLChsVIguBb6eiR+wWDyGj7ROiip4qRCW0okU3d2Ga6Y
+            f24PeV9nQAGEEfq3bGWZfU3oCpTqnrNm4BszsW2BLCAtr050pI4mZeynE9miUasc
+            m01E4L9mxvcOIvxIoyDO5midwFXbbe7kZXJhqllPE9JcAaNJqeNf9S2hfZEIEuhZ
+            yQsd7K7SkdON0jPyhCNKsDiT8W620ovs0HzKsXKhu2+FvPd+dRyP1WjJuiBtbAb9
+            jIMXBd3LLDWWRJN7yf6nAuk9vt2vp9ljbwagQNk=
+            =vaFG
+            -----END PGP MESSAGE-----
+        fp: EFDB9AFBD18936D9AB6B2EECBD2C73FF891FBC7E
+    -   created_at: '2021-01-22T18:58:47Z'
+        enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA7vMDF1jUn3mARAAtrOPxnjvvnvafjQpmwzrwswzK2y1EoPbNaoTFj4Fh5rR
+            Keip1rne4Y8LESKbANrJvigodlqjDl6xtoQsqUpSl8bg0T8+YFH/TENrsDUJ08sJ
+            j+WDX+1QK+TqmWGAODfdGyssrvzpqr4ubXgb7SLEUHHx7NQ21dQTUf+EoPtOYlVj
+            /DjV9v4NrtaNqHqw0XTeun+mObFXb5PEd/OT7T3xddtgdsjHjdVd+zj4qN98X/Ci
+            7MZJEa3AOrQIa+hmY9rbC1geJy7zN3627tELZ6Ch5Wdn2b6wez2pfnrcQORai7U2
+            FHt7rMQCu7Mbb1QB5RIoh0cw8YGoSUCHfqPQxIBs82vrNam4v/M88NWQuCx4hJAF
+            YZuATJuZ/RJSXZDDhZbfSev4BKEDRUHsRwYFfVJoZXTLsAETEt2lKLJN/nWbcs0H
+            dz1NiDqFtioNy5YzepiihBucWMcWp6hwIzkwQwywNWeE3Tcm0Q4slgZCJdFYuj0z
+            MzOD40dCH/LmQP5XB6z3KIBnymw8uNKszK8Tf/0kKrOyxZX/YP10JgCP4QMBioNG
+            2GBz3+XGsM4CBvyjhtEoYv6NjloDu+j6cQGCJ/+Otu7/02325+V1KpNM0kwng7J4
+            P3i3Tx5vs2woqXSonLpxxlelXE2cgq2mzaD92CY0RkKLOXu9DQYfFz+96Q3vgoHS
+            XAEHatSNKutNc93Y9iepX9R3GVaod7Tx2peuoEH8o88GXzoErJnQur9smENZvJkC
+            +sgME6Zx0ns0yICMorJkJ35vbYUF56vkEIrNbCsfCWm2eLBFNNjSCi+eHtAf
+            =d003
+            -----END PGP MESSAGE-----
+        fp: 68BD1529A372C8BA561C9DDC377298152D08B95B
+    -   created_at: '2021-01-22T18:58:47Z'
+        enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA9aKBcudqifiAQ//XksKbg5yrAAlC9ZSqDBn9Rnec015MLgGSP4a/IkvGNVx
+            2K5k2GGWFrL2kOMQsolDNJOlVzJXtkvJhFdiCddJh5Vbrrdu1FZjfnsE70s9IAay
+            KBmyGufp7P+IEAf82ah7qOSrI1sRypmePCw4iwjY/DdxEA6DqWb6dvDCWClfgSUG
+            btZsRwbRWNFmnnprlX5JlhpsbQqies3IzSvWN5hvUtQ1blkbe3cm9tYJ++RPR1Iy
+            lUTJHC7m4ahkpsD/10Cc7OvsFl5EIQEs14dO55Q1ZeO3ur4+KPVhlR7/D5wL4aa7
+            2RBqIryNmpmXc9gOPilzTxjjZPAa/lrYuu3tZ8fd41OupAZ/N0NzUJ8/ql87RNbL
+            igDWTjVK+rcYhSD3/AaXtCtMnAHAZf+uwngX7WVds4Kl98Q7SQeyLqQL6LjgcXBs
+            F4jyB3I3BKfe8wT9taOzljb4ceDHsDdt/KGM3LMOblT+uwZdLa5GNLshGo1fHWtg
+            Qvc7e3RVV34QU4tgoGWvSQq/yxiHmznNPLMTzFEbKMy9DcRv54Txjr6V5OvVYTR0
+            UATPJtUoKknx/ukRZnRvBVXlPEBa21ch7+KI/Z4hhe0o2W7XbuHGd142YZ13cOIe
+            LzolBWcizRe3N9wJ6jlg1cZ+3T12N5PzGR3e4cF0o5fTqC7Pd+94NDZI4//SzZXS
+            XAEwn3CPyVXV6m11x3+9VLj4Q8Wm7gqI9Q9ihX0/+cCdCmDjy7mxIertEdcloNXU
+            23IF04U3LnqGv+cyUw88vWZkSzddTD/nDg7ftcsjrXHMRddc82bcQHn1ckpw
+            =uDCz
+            -----END PGP MESSAGE-----
+        fp: 4DC4116D360E3276
+    encrypted_regex: ^(data|stringData)$
+    version: 3.5.0