chore(Clair-Action): Caching Updates (#119)

ArthurVardevanyan · Dec 23, 2024 · d3e7160 · d3e7160
1 parent c834ffe
commit d3e7160
Show file tree

Hide file tree

Showing 20 changed files with 330 additions and 18 deletions.
diff --git a/.tekton/ansible-check.yaml b/.tekton/ansible-check.yaml
@@ -76,7 +76,7 @@ spec:
           resources:
             requests:
               storage: "100Mi"
-          storageClassName: rook-ceph-block
+          storageClassName: rook-ceph-block-ci
     - name: git_auth_secret
       secret:
         secretName: "{{ git_auth_secret }}"
diff --git a/.tekton/ansible.yaml b/.tekton/ansible.yaml
@@ -80,7 +80,7 @@ spec:
           resources:
             requests:
               storage: "100Mi"
-          storageClassName: rook-ceph-block
+          storageClassName: rook-ceph-block-ci
     - name: git_auth_secret
       secret:
         secretName: "{{ git_auth_secret }}"
diff --git a/.tekton/apache-php-image.yaml b/.tekton/apache-php-image.yaml
@@ -100,7 +100,7 @@ spec:
           resources:
             requests:
               storage: "100Mi"
-          storageClassName: rook-ceph-block
+          storageClassName: rook-ceph-block-ci
     - name: git_auth_secret
       secret:
         secretName: "{{ git_auth_secret }}"
diff --git a/.tekton/overlay-test.yaml b/.tekton/overlay-test.yaml
@@ -102,7 +102,7 @@ spec:
           resources:
             requests:
               storage: "100Mi"
-          storageClassName: rook-ceph-block
+          storageClassName: rook-ceph-block-ci
     - name: kubernetes-json-schema
       volumeClaimTemplate:
         apiVersion: v1
@@ -115,7 +115,7 @@ spec:
           resources:
             requests:
               storage: "250Mi"
-          storageClassName: rook-ceph-block
+          storageClassName: rook-ceph-block-ci
     - name: git_auth_secret
       secret:
         secretName: "{{ git_auth_secret }}"
diff --git a/.tekton/terraform-apply.yaml b/.tekton/terraform-apply.yaml
@@ -72,7 +72,7 @@ spec:
           resources:
             requests:
               storage: "500Mi"
-          storageClassName: rook-ceph-block
+          storageClassName: rook-ceph-block-ci
     - name: git_auth_secret
       secret:
         secretName: "{{ git_auth_secret }}"
diff --git a/.tekton/terraform-plan.yaml b/.tekton/terraform-plan.yaml
@@ -69,7 +69,7 @@ spec:
           resources:
             requests:
               storage: "500Mi"
-          storageClassName: rook-ceph-block
+          storageClassName: rook-ceph-block-ci
     - name: git_auth_secret
       secret:
         secretName: "{{ git_auth_secret }}"
diff --git a/.tekton/toolbox-image.yaml b/.tekton/toolbox-image.yaml
@@ -100,7 +100,7 @@ spec:
           resources:
             requests:
               storage: "100Mi"
-          storageClassName: rook-ceph-block
+          storageClassName: rook-ceph-block-ci
     - name: git_auth_secret
       secret:
         secretName: "{{ git_auth_secret }}"
diff --git a/.tekton/udi-image.yaml b/.tekton/udi-image.yaml
@@ -100,7 +100,7 @@ spec:
           resources:
             requests:
               storage: "100Mi"
-          storageClassName: rook-ceph-block
+          storageClassName: rook-ceph-block-ci
     - name: git_auth_secret
       secret:
         secretName: "{{ git_auth_secret }}"
diff --git a/containers/apache-php/containerfile b/containers/apache-php/containerfile
@@ -1,6 +1,6 @@
 FROM debian:sid-20241202-slim@sha256:2eac978892d960f967fdad9a5387eb0bf5addfa3fab7f6fa09a00e0adff7975d
 
-ENV KICK="1"
+ENV KICK="0"
 LABEL quay.expires-after=${quay_expiration}
 
 RUN apt-get update && apt-get install php php-mysql apache2 -y

diff --git a/containers/toolbox/containerfile b/containers/toolbox/containerfile
@@ -18,7 +18,7 @@ ENV \
   PRETTIER_CLI_VERSION=3.3.3 \
   HOME=/tmp \
   PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/go/bin \
-  KICK="0"
+  KICK="1"
 
 RUN rpm -Uvh https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm && \
   rpm -ivh https://github.com/opentofu/opentofu/releases/download/v${OPENTOFU_VERSION}/tofu_${OPENTOFU_VERSION}_amd64.rpm && \

diff --git a/kubernetes/ceph/base/file-ci/ceph-filesystem.yaml b/kubernetes/ceph/base/file-ci/ceph-filesystem.yaml
@@ -0,0 +1,50 @@
+apiVersion: ceph.rook.io/v1
+kind: CephFilesystem
+metadata:
+  name: rook-ceph-fs-ci
+  namespace: rook-ceph
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+    argocd.argoproj.io/sync-wave: "2"
+spec:
+  metadataPool:
+    replicated:
+      size: 2
+  dataPools:
+    - name: replicated
+      replicated:
+        size: 2
+  preserveFilesystemOnDelete: true
+  metadataServer:
+    activeCount: 1
+    activeStandby: true
+    resources:
+      # limits:
+      #   cpu: "3"
+      #   memory: 8Gi
+      requests:
+        cpu: "10m"
+        memory: 128Mi
+    placement:
+      nodeAffinity:
+        requiredDuringSchedulingIgnoredDuringExecution:
+          nodeSelectorTerms:
+            - matchExpressions:
+                - key: node-role.kubernetes.io/infra
+                  operator: Exists
+      tolerations:
+        - key: node-role.kubernetes.io/infra
+          operator: Exists
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/zone
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: ceph-mds
+        - maxSkew: 1
+          topologyKey: kubernetes.io/hostname
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: ceph-mds
diff --git a/kubernetes/ceph/base/file-ci/storage-class.yaml b/kubernetes/ceph/base/file-ci/storage-class.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: rook-cephfs-ci
+# Change "rook-ceph" provisioner prefix to match the operator namespace if needed
+provisioner: rook-ceph.cephfs.csi.ceph.com
+parameters:
+  # clusterID is the namespace where the rook cluster is running
+  # If you change this namespace, also change the namespace below where the secret namespaces are defined
+  clusterID: rook-ceph
+
+  # CephFS filesystem name into which the volume shall be created
+  fsName: rook-ceph-fs-ci
+
+  # Ceph pool into which the volume shall be created
+  # Required for provisionVolume: "true"
+  pool: rook-ceph-fs-ci-replicated
+
+  # The secrets contain Ceph admin credentials. These are generated automatically by the operator
+  # in the same namespace as the cluster.
+  csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner
+  csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
+  csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner
+  csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
+  csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node
+  csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
+allowVolumeExpansion: true
+reclaimPolicy: Delete
diff --git a/kubernetes/ceph/base/kustomization.yaml b/kubernetes/ceph/base/kustomization.yaml
@@ -17,6 +17,8 @@ resources:
   - ./file/storage-class.yaml
   - ./file/ceph-filesystem.yaml
   - ./object/storage-class.yaml
+  - ./file-ci/storage-class.yaml
+  - ./file-ci/ceph-filesystem.yaml
   - ./object/ceph-object-store.yaml
   - ./selinux.yaml
   - ./rook-rules.yaml

diff --git a/kubernetes/kubevirt/base/storage-profile.yaml b/kubernetes/kubevirt/base/storage-profile.yaml
@@ -66,3 +66,37 @@ spec:
         - ReadWriteMany
       volumeMode: Filesystem
   cloneStrategy: csi-clone
+---
+apiVersion: cdi.kubevirt.io/v1beta1
+kind: StorageProfile
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "3"
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  name: rook-ceph-block-ci
+spec:
+  claimPropertySets:
+    - accessModes:
+        - ReadWriteMany
+      volumeMode: Block
+    - accessModes:
+        - ReadWriteOnce
+      volumeMode: Block
+    - accessModes:
+        - ReadWriteOnce
+      volumeMode: Filesystem
+  cloneStrategy: csi-clone
+---
+apiVersion: cdi.kubevirt.io/v1beta1
+kind: StorageProfile
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "3"
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  name: rook-cephfs-ci
+spec:
+  claimPropertySets:
+    - accessModes:
+        - ReadWriteMany
+      volumeMode: Filesystem
+  cloneStrategy: csi-clone
diff --git a/tekton/base/clair-action/clair-action-task.yaml b/tekton/base/clair-action/clair-action-task.yaml
@@ -68,9 +68,9 @@ spec:
         mkdir -p /vuln-store/db/
         mkdir -p  "${WORKSPACE_DATA_PATH}/clair-scan-report"
 
-        echo "Extracting Image"
-        oc image extract "${DB_IMAGE}" \
-          --path "/":"/vuln-store/db"
+        # echo "Extracting Image"
+        # oc image extract "${DB_IMAGE}" \
+        #   --path "/":"/vuln-store/db"
 
         echo "Running Clair Action"
         clair-action report --image-ref=${IMAGE} \
@@ -94,8 +94,10 @@ spec:
       emptyDir:
         sizeLimit: 100Mi
     - name: vuln-store
-      emptyDir:
-        sizeLimit: 15Gi
+      persistentVolumeClaim:
+        claimName: clair-action-vuln-store-cache
+      # emptyDir:
+      #   sizeLimit: 15Gi
       # ephemeral:
       #   volumeClaimTemplate:
       #     metadata:

diff --git a/tekton/base/clair-action/cronjob-cache.yaml b/tekton/base/clair-action/cronjob-cache.yaml
@@ -0,0 +1,70 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: clair-action-cache-db
+  namespace: homelab
+spec:
+  schedule: "55 */2 * * *"
+  concurrencyPolicy: Replace
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 1
+  suspend: false
+  startingDeadlineSeconds: 60
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          serviceAccountName: pipeline
+          automountServiceAccountToken: false
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
+            runAsNonRoot: true
+          containers:
+            - name: clair-action-cache
+              image: registry.arthurvardevanyan.com/homelab/toolbox:not_latest
+              command:
+                - /bin/bash
+                - -c
+                - |
+                  #############################
+                  ### Clair Action DB Cache ###
+                  #############################
+                  export DB_IMAGE="registry.arthurvardevanyan.com/homelab/clair-action-db:latest"
+                  mkdir -p /tmp/vuln-store/db
+
+                  echo "Extracting Image"
+                  oc image extract "${DB_IMAGE}" \
+                    --path "/":"/tmp/vuln-store/db"
+              securityContext:
+                runAsNonRoot: true
+                privileged: false
+                readOnlyRootFilesystem: true
+                allowPrivilegeEscalation: false
+                seccompProfile:
+                  type: RuntimeDefault
+                capabilities:
+                  drop:
+                    - ALL
+              resources:
+                requests:
+                  memory: "128Mi"
+                  cpu: "50m"
+                  ephemeral-storage: 1Gi
+                limits:
+                  memory: "256Mi"
+                  cpu: "1000m"
+                  ephemeral-storage: 1Gi
+              volumeMounts:
+                - name: tmp
+                  mountPath: /tmp/
+                - name: vuln-store
+                  mountPath: /tmp/vuln-store
+          restartPolicy: Never
+          volumes:
+            - name: tmp
+              emptyDir:
+                sizeLimit: 1Gi
+            - name: vuln-store
+              persistentVolumeClaim:
+                claimName: clair-action-vuln-store-cache