-
Notifications
You must be signed in to change notification settings - Fork 144
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Config indy generic proxy as a sidecar of buildah task #1815
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -139,6 +139,18 @@ spec: | |
description: The name of the ConfigMap to read CA bundle data from. | ||
type: string | ||
default: trusted-ca | ||
- name: ENABLE_INDY_PROXY | ||
type: string | ||
description: Enable the indy generic proxy (true/false) | ||
default: "false" | ||
- name: INDY_PROXY_CLIENT_ID | ||
type: string | ||
description: The client ID used by indy proxy to communicate with Indy. | ||
default: "" | ||
- name: INDY_PROXY_CLIENT_CREDENTIAL | ||
type: string | ||
description: The client credential used by indy proxy to communicate with Indy. | ||
default: "" | ||
results: | ||
- name: IMAGE_DIGEST | ||
description: Digest of the image just built | ||
|
@@ -176,6 +188,17 @@ spec: | |
emptyDir: {} | ||
- name: workdir | ||
emptyDir: {} | ||
- name: indy-generic-proxy-secrets | ||
secret: | ||
optional: true | ||
secretName: indy-generic-proxy-secrets | ||
- name: indy-generic-proxy-config | ||
configMap: | ||
items: | ||
- key: application.yaml | ||
path: application.yaml | ||
name: indy-generic-proxy-config | ||
optional: true | ||
stepTemplate: | ||
computeResources: | ||
limits: | ||
|
@@ -502,6 +525,12 @@ spec: | |
done < <(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \;) | ||
fi | ||
|
||
if [ -f "$ca_bundle" ]; then | ||
cp -r --preserve=mode /mnt/trusted-ca /tmp/trusted-ca | ||
VOLUME_MOUNTS+=(--volume /tmp/trusted-ca:/etc/pki/ca-trust/source/anchors) | ||
echo "Adding the trusted-ca to the build" | ||
fi | ||
|
||
# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not. | ||
declare IMAGE | ||
|
||
|
@@ -725,3 +754,26 @@ spec: | |
requests: | ||
cpu: 100m | ||
memory: 256Mi | ||
sidecars: | ||
- name: indy-generic-proxy | ||
image: quay.io/factory2/indy-generic-proxy-service:latest-prod | ||
volumeMounts: | ||
- name: indy-generic-proxy-secrets | ||
readOnly: true | ||
mountPath: /mnt/secrets-generic-proxy | ||
- name: indy-generic-proxy-config | ||
readOnly: true | ||
mountPath: /deployment/config | ||
computeResources: | ||
limits: | ||
cpu: 1 | ||
memory: 2Gi | ||
requests: | ||
cpu: 200m | ||
memory: 512Mi | ||
script: | | ||
if [ "$(params.ENABLE_INDY_PROXY)" == "true" ]; then | ||
export QUARKUS_OIDC_CLIENT_CLIENT_ID="$(params.INDY_PROXY_CLIENT_ID)" | ||
export QUARKUS_OIDC_CLIENT_CREDENTIALS_SECRET="$(params.INDY_PROXY_CLIENT_CREDENTIAL)" | ||
/deployment/start-service.sh | ||
fi | ||
Comment on lines
+775
to
+779
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. If we are to implement a sidecar like this, is there any reason why it needs to be specific to Quarkus/INDY? Would this have value as a generalization? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The service is implemented upon quarkus and both BTW, the client ID(service account) is used to access Indy.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is the provenance of this image?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe we need to follow konflux pattern to build the image if we agree the sidecar proposal.