Config indy generic proxy as a sidecar of buildah task #1815

Open, wants to merge 3 commits into base: main
3 changes: 3 additions & 0 deletions task/buildah-oci-ta/0.3/README.md
Expand Up @@ -35,6 +35,9 @@ When prefetch-dependencies task is activated it is using its artifacts to run bu
|YUM_REPOS_D_TARGET|Target path on the container in which yum repository files should be made available|/etc/yum.repos.d|false|
|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false|
|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false|
|ENABLE_INDY_PROXY|Whether to enable indy generic proxy.|false|false|
|INDY_PROXY_CLIENT_ID|The client ID used by indy proxy to communicate with Indy.|""|false|
|INDY_PROXY_CLIENT_CREDENTIAL|The client credential used by indy proxy to communicate with Indy.|""|false|

## Results
|name|description|
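Review bot: the wording for ENABLE_INDY_PROXY here ("Whether to enable indy generic proxy.") differs from the parameter description in buildah-oci-ta.yaml ("Enable the indy generic proxy (true/false)"); align the two. More importantly, this table now documents INDY_PROXY_CLIENT_CREDENTIAL as an ordinary task parameter, and the task also starts expecting two optional volumes that are not parameters (the `indy-generic-proxy-secrets` Secret and the `indy-generic-proxy-config` ConfigMap with an `application.yaml` key); the README should say how a user supplies those and that the credential is sensitive.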
52 changes: 52 additions & 0 deletions task/buildah-oci-ta/0.3/buildah-oci-ta.yaml
Expand Up @@ -139,6 +139,18 @@ spec:
description: The name of the ConfigMap to read CA bundle data from.
type: string
default: trusted-ca
- name: ENABLE_INDY_PROXY
type: string
description: Enable the indy generic proxy (true/false)
default: "false"
- name: INDY_PROXY_CLIENT_ID
type: string
description: The client ID used by indy proxy to communicate with Indy.
default: ""
- name: INDY_PROXY_CLIENT_CREDENTIAL
type: string
description: The client credential used by indy proxy to communicate with Indy.
default: ""
results:
- name: IMAGE_DIGEST
description: Digest of the image just built
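Review bot: INDY_PROXY_CLIENT_CREDENTIAL is declared as a plain `type: string` parameter with `default: ""`. Tekton parameters are not secrets: their values are recorded verbatim in the resolved TaskRun spec and in any Pipeline that passes them through, so a client credential should not travel this way. The next hunk already adds an `indy-generic-proxy-secrets` Secret volume; consider dropping this parameter and having the sidecar read the credential from that mount, or at minimum state in the description that the value is sensitive and must come from a Secret-backed param.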
Expand Down Expand Up @@ -176,6 +188,17 @@ spec:
emptyDir: {}
- name: workdir
emptyDir: {}
- name: indy-generic-proxy-secrets
secret:
optional: true
secretName: indy-generic-proxy-secrets
- name: indy-generic-proxy-config
configMap:
items:
- key: application.yaml
path: application.yaml
name: indy-generic-proxy-config
optional: true
stepTemplate:
computeResources:
limits:
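Review bot: both new volumes are `optional: true`, so a pod whose ConfigMap or Secret is missing still schedules, and the sidecar only finds an empty `/deployment/config` or `/mnt/secrets-generic-proxy` once `start-service.sh` runs. When ENABLE_INDY_PROXY is "true", the sidecar script should check for `/deployment/config/application.yaml` and fail with a clear message rather than let the service start with no config; alternatively, reconsider whether the ConfigMap should be optional at all, since the proxy cannot work without it.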
Expand Down Expand Up @@ -502,6 +525,12 @@ spec:
done < <(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \;)
fi

if [ -f "$ca_bundle" ]; then
cp -r --preserve=mode /mnt/trusted-ca /tmp/trusted-ca
VOLUME_MOUNTS+=(--volume /tmp/trusted-ca:/etc/pki/ca-trust/source/anchors)
echo "Adding the trusted-ca to the build"
fi

# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.
declare IMAGE

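Review bot: `$ca_bundle` is tested with `-f` but is not assigned in the visible lines; confirm it is set earlier in the script. Separately, this copies the CA bundle only into buildah's build container, whereas the new sidecar (the component that actually opens outbound TLS connections to Indy) mounts neither `trusted-ca` nor this bundle in its `volumeMounts`; if Indy is served under an internal CA, the sidecar needs the same anchors.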
Expand Down Expand Up @@ -725,3 +754,26 @@ spec:
requests:
cpu: 100m
memory: 256Mi
sidecars:
- name: indy-generic-proxy
image: quay.io/factory2/indy-generic-proxy-service:latest-prod
Member

What is the provenance of this image?

Author

I believe we need to follow the Konflux pattern to build the image if we agree on the sidecar proposal.

volumeMounts:
- name: indy-generic-proxy-secrets
readOnly: true
mountPath: /mnt/secrets-generic-proxy
- name: indy-generic-proxy-config
readOnly: true
mountPath: /deployment/config
computeResources:
limits:
cpu: 1
memory: 2Gi
requests:
cpu: 200m
memory: 512Mi
script: |
if [ "$(params.ENABLE_INDY_PROXY)" == "true" ]; then
export QUARKUS_OIDC_CLIENT_CLIENT_ID="$(params.INDY_PROXY_CLIENT_ID)"
export QUARKUS_OIDC_CLIENT_CREDENTIALS_SECRET="$(params.INDY_PROXY_CLIENT_CREDENTIAL)"
/deployment/start-service.sh
fi
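Review bot: the script inlines `$(params.INDY_PROXY_CLIENT_CREDENTIAL)` into an `export`, so Tekton substitutes the credential into the step script text that is stored in the resolved TaskRun and the pod spec, while the `indy-generic-proxy-secrets` volume mounted at `/mnt/secrets-generic-proxy` is never read by this script. Read the client id and credential from files under that mount instead and drop the parameter. Two smaller points: `image: quay.io/factory2/indy-generic-proxy-service:latest-prod` is a mutable tag, so pin it by digest (which also addresses the provenance question above); and since the sidecar's lifetime is the service's, prefer `exec /deployment/start-service.sh` so termination signals reach the service rather than the wrapping shell.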
Member

If we are to implement a sidecar like this, is there any reason why it needs to be specific to Quarkus/INDY? Would this have value as a generalization?

Author

@sswguo Jan 17, 2025


The service is implemented on Quarkus, and both QUARKUS_OIDC_CLIENT_CLIENT_ID and QUARKUS_OIDC_CLIENT_CREDENTIALS_SECRET are supported by Quarkus, so we can declare the variables as env; they correspond to the config file keys as follows:

BTW, the client ID (service account) is used to access Indy.

```yaml
quarkus:
  oidc-client:
    auth-server-url: ""
    client-id:
    credentials:
      secret:
```
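The Quarkus env mapping the author describes, as an added example that is not part of the PR or the project's code: a sidecar entrypoint that populates the two env vars from the mounted Secret (assumed key names `client-id` and `client-secret`, at the PR's `/mnt/secrets-generic-proxy` path) instead of from Tekton params, and fails fast when `application.yaml` is absent.

```shell
# Added example, not the PR's code: sidecar entrypoint that takes the Indy
# client credential from the mounted Secret rather than a Tekton param, so
# the value never lands in the resolved TaskRun spec or the step script.
# Assumed (this example's choice): Secret keys `client-id` and `client-secret`.

# Usage: load_proxy_env <enable-flag> <secrets-dir> <application.yaml path>
# Exports QUARKUS_OIDC_CLIENT_CLIENT_ID and QUARKUS_OIDC_CLIENT_CREDENTIALS_SECRET,
# which Quarkus maps to quarkus.oidc-client.client-id and
# quarkus.oidc-client.credentials.secret. Return codes:
#   0 ready, 3 proxy disabled, 1 config file missing, 2 secret key missing/empty.
load_proxy_env() {
  flag=$1; secrets=$2; config=$3
  if [ "$flag" != "true" ]; then
    echo "indy generic proxy disabled (ENABLE_INDY_PROXY=$flag)" >&2
    return 3
  fi
  # The ConfigMap volume is optional, so the mount can be empty: fail here
  # with a clear message instead of starting Quarkus without its config.
  if [ ! -f "$config" ]; then
    echo "missing $config: is the indy-generic-proxy-config ConfigMap present?" >&2
    return 1
  fi
  for key in client-id client-secret; do
    if [ ! -s "$secrets/$key" ]; then
      # Name the key, never its value: this line goes to the pod log.
      echo "missing or empty secret key '$key' in $secrets" >&2
      return 2
    fi
  done
  QUARKUS_OIDC_CLIENT_CLIENT_ID=$(cat "$secrets/client-id")
  QUARKUS_OIDC_CLIENT_CREDENTIALS_SECRET=$(cat "$secrets/client-secret")
  export QUARKUS_OIDC_CLIENT_CLIENT_ID QUARKUS_OIDC_CLIENT_CREDENTIALS_SECRET
  return 0
}

# Entry point when run as the sidecar script (skipped when sourced for tests).
if [ "${INDY_SIDECAR_ENTRYPOINT:-0}" = "1" ]; then
  load_proxy_env "${ENABLE_INDY_PROXY:-false}" /mnt/secrets-generic-proxy \
    /deployment/config/application.yaml
  rc=$?
  [ "$rc" -eq 3 ] && exit 0      # disabled: let the sidecar exit cleanly
  [ "$rc" -eq 0 ] || exit "$rc"  # misconfigured: surface the error code
  exec /deployment/start-service.sh  # exec so SIGTERM reaches the service
fi
```

In the Task this replaces the `export ... $(params...)` lines, with ENABLE_INDY_PROXY passed through the sidecar's `env` rather than substituted into the script body.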