diff --git a/roles/tas_single_node/README.md b/roles/tas_single_node/README.md index 0ec983a1..4226b099 100644 --- a/roles/tas_single_node/README.md +++ b/roles/tas_single_node/README.md @@ -19,7 +19,7 @@ Deploy the [RHTAS](https://docs.redhat.com/en/documentation/red_hat_trusted_arti |---|---|---|---| | tas_single_node_podman_network | Name of the Podman network for containers to use. | str | `rhtas` | | tas_single_node_rekor_redis | Details on the Redis connection for Rekor. You can set this to a custom Redis instance. | dict of 'tas_single_node_rekor_redis' options | `{'database_deploy': True, 'redis': {'host': 'rekor-redis-pod', 'port': 6379, 'password': 'password'}}` | -| tas_single_node_backfill_redis_enabled | Enable or disable the backfill redis job | bool | `True` | +| tas_single_node_backfill_redis | Configuration options for the backfill redis job. | dict of 'tas_single_node_backfill_redis' options | `{'enabled': True, 'schedule': '*-*-* 00:00:00'}` | | tas_single_node_trillian | Details on the database connection for Trillian. You can set this to a custom MySQL or MariaDB instance. | dict of 'tas_single_node_trillian' options | `{'database_deploy': True, 'mysql': {'user': 'mysql', 'root_password': 'rootpassword', 'password': 'password', 'database': 'trillian', 'host': 'trillian-mysql-pod', 'port': 3306}}` | | tas_single_node_rekor_public_key_retries | The number of attempts to retrieve the Rekor public key when constructing the trust root. | int | `5` | | tas_single_node_rekor_public_key_delay | The number of seconds to wait before retrying the retrieval of the Rekor public key when constructing the trust root. | int | `10` | 
@@ -62,6 +62,13 @@ Deploy the [RHTAS](https://docs.redhat.com/en/documentation/red_hat_trusted_arti | port | The Redis host port number. | int | no | | | password | The Redis password. | str | no | | +#### Options for main > tas_single_node_backfill_redis + +|Option|Description|Type|Required|Default| +|---|---|---|---|---| +| enabled | Enable or disable the backfill redis job. | bool | no | | +| schedule | Schedule the backfill redis job should follow. | str | no | | + #### Options for main > tas_single_node_trillian |Option|Description|Type|Required|Default| diff --git a/roles/tas_single_node/defaults/main.yml b/roles/tas_single_node/defaults/main.yml index 77b31e49..4bd25fe1 100644 --- a/roles/tas_single_node/defaults/main.yml +++ b/roles/tas_single_node/defaults/main.yml @@ -12,7 +12,9 @@ tas_single_node_rekor_redis: port: 6379 password: password -tas_single_node_backfill_redis_enabled: true +tas_single_node_backfill_redis: + enabled: true + schedule: "*-*-* 00:00:00" tas_single_node_trillian: database_deploy: true @@ -69,7 +71,7 @@ tas_single_node_ctlog_image: tas_single_node_rekor_redis_image: "registry.redhat.io/rhtas/trillian-redis-rhel9@sha256:18820b1fbdbc2cc3e917822974910332d937b03cfe781628bd986fd6a5ee318e" tas_single_node_backfill_redis_image: - "registry.redhat.io/rhtas/rekor-backfill-redis-rhel9@sha256:c5995c88063bd9875ae61c299bcf549002fcde724aab09807c70934e73daf356" + "registry.redhat.io/rhtas/rekor-backfill-redis-rhel9@sha256:6aa3ca40e0f9e32a0a211a930b21ff009b83e46609bfa5bb328979e4799d13c7" tas_single_node_trillian_db_image: "registry.redhat.io/rhtas/trillian-database-rhel9@sha256:501612745e63e5504017079388bec191ffacf00ffdebde7be6ca5b8e4fd9d323" tas_single_node_tuf_image: diff --git a/roles/tas_single_node/meta/argument_specs.yml b/roles/tas_single_node/meta/argument_specs.yml index b98e5c2c..afc8af25 100644 --- a/roles/tas_single_node/meta/argument_specs.yml +++ b/roles/tas_single_node/meta/argument_specs.yml 
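Review bot: In the first hunk of defaults/main.yml, `tas_single_node_backfill_redis_enabled` is replaced by the `tas_single_node_backfill_redis` dict with no handling left for the old name. An inventory that still sets `tas_single_node_backfill_redis_enabled: false` would be silently ignored, and the backfill job and its timer would be deployed anyway. A comment above the new default noting the rename, plus an early `ansible.builtin.assert` with `that: tas_single_node_backfill_redis_enabled is not defined`, would turn that into a visible failure instead of a job the operator believes is disabled.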
@@ -62,12 +62,25 @@ argument_specs: type: "str" required: false version_added: "1.1.0" - tas_single_node_backfill_redis_enabled: - description: "Enable or disable the backfill redis job" - type: "bool" + tas_single_node_backfill_redis: + description: "Configuration options for the backfill redis job." + type: "dict" required: false version_added: "1.1.1" - default: true + default: + enabled: true + schedule: "*-*-* 00:00:00" + options: + enabled: + description: "Enable or disable the backfill redis job." + type: "bool" + required: false + version_added: "1.1.1" + schedule: + description: "Schedule the backfill redis job should follow." + type: "str" + required: false + version_added: "1.1.1" tas_single_node_trillian: description: "Details on the database connection for Trillian. You can set this to a custom MySQL or MariaDB instance." type: "dict" diff --git a/roles/tas_single_node/tasks/podman.yml b/roles/tas_single_node/tasks/podman.yml index d73e6f48..2feb4cf6 100644 --- a/roles/tas_single_node/tasks/podman.yml +++ b/roles/tas_single_node/tasks/podman.yml @@ -45,7 +45,7 @@ "{{ tas_single_node_rekor_enabled }}", "{{ tas_single_node_ctlog_enabled }}", "{{ tas_single_node_rekor_enabled and tas_single_node_rekor_redis.database_deploy }}", - "{{ tas_single_node_rekor_enabled and tas_single_node_rekor_redis.database_deploy and tas_single_node_backfill_redis_enabled }}", + "{{ tas_single_node_rekor_enabled and tas_single_node_rekor_redis.database_deploy and tas_single_node_backfill_redis.enabled }}", "{{ tas_single_node_trillian_enabled and tas_single_node_trillian.database_deploy }}", "{{ tas_single_node_tuf_enabled }}", "{{ tas_single_node_tuf_enabled }}", diff --git a/roles/tas_single_node/tasks/podman/rekor.yml b/roles/tas_single_node/tasks/podman/rekor.yml index 4c3f5df3..b4e08a3c 100644 --- a/roles/tas_single_node/tasks/podman/rekor.yml +++ b/roles/tas_single_node/tasks/podman/rekor.yml 
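Review bot: The `enabled` and `schedule` sub-options are declared `required: false` with no per-option default. Ansible by default replaces dict variables wholesale rather than merging them, so an override such as `tas_single_node_backfill_redis: {schedule: "hourly"}` leaves `.enabled` undefined. The `when: tas_single_node_backfill_redis.enabled` conditions in tasks/podman/rekor.yml and the list expression in tasks/podman.yml would then fail mid-play rather than at argument validation. Marking both sub-options `required: true`, or reading them as `tas_single_node_backfill_redis.enabled | default(true)` at the use sites, avoids that.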
@@ -78,14 +78,14 @@ systemd_file: backfill_redis network: "{{ tas_single_node_podman_network }}" kube_file_content: "{{ lookup('template', 'manifests/rekor/backfill_redis.j2') | from_yaml }}" - when: tas_single_node_backfill_redis_enabled + when: tas_single_node_backfill_redis.enabled - name: Copy backfill_redis.timer file to server ansible.builtin.template: src: systemd/backfill_redis.timer.j2 dest: "{{ tas_single_node_systemd_directory }}/backfill_redis.timer" mode: "0644" - when: tas_single_node_backfill_redis_enabled + when: tas_single_node_backfill_redis.enabled register: copy_timer_systemd_file - name: Enable and start backfill_redis.timer @@ -94,4 +94,4 @@ enabled: true state: started daemon_reload: "{{ copy_timer_systemd_file.changed }}" - when: tas_single_node_backfill_redis_enabled + when: tas_single_node_backfill_redis.enabled diff --git a/roles/tas_single_node/templates/manifests/rekor/backfill_redis.j2 b/roles/tas_single_node/templates/manifests/rekor/backfill_redis.j2 index a47f60d1..7d1753f1 100644 --- a/roles/tas_single_node/templates/manifests/rekor/backfill_redis.j2 +++ b/roles/tas_single_node/templates/manifests/rekor/backfill_redis.j2 
@@ -29,16 +29,40 @@ spec: - /bin/sh - -c args: - - > - endIndex=$(curl -sS http://{{ tas_single_node_rekor_server_pod }}-pod:{{ tas_single_node_rekor_server_port_http }}/api/v1/log | sed -E 's/.*"treeSize":([0-9]+).*/\1/'); - endIndex=$((endIndex-1)); + - | + endIndex=$(curl -sS http://{{ tas_single_node_rekor_server_pod }}-pod:{{ tas_single_node_rekor_server_port_http }}/api/v1/log | sed -E 's/.*"treeSize":([0-9]+).*/\1/') + endIndex=$((endIndex-1)) + if [ "${endIndex}" -lt 0 ]; then - echo "info: no rekor entries found"; - exit 0; - fi; - backfill-redis - --hostname={{ tas_single_node_rekor_redis.redis.host }} - --port={{ tas_single_node_rekor_redis.redis.port }} - --password="{{ tas_single_node_rekor_redis.redis.password }}" - --rekor-address=http://{{ tas_single_node_rekor_server_pod }}-pod:{{ tas_single_node_rekor_server_port_http }} - --enable-redis-index-resume=true --end=${endIndex}; + echo "info: no rekor entries found" + exit 0 + fi + + startIndex=$(redis-cli \ + -h {{ tas_single_node_rekor_redis.redis.host }} \ + -p {{ tas_single_node_rekor_redis.redis.port }} \ +{% if tas_single_node_rekor_redis.redis.password != "" %} + -a "{{ tas_single_node_rekor_redis.redis.password }}" \ +{% endif %} + GET last_filled_index) + + if [ -z "$startIndex" ]; then + startIndex=0 + fi + + backfill-redis \ + --redis-hostname={{ tas_single_node_rekor_redis.redis.host }} \ + --redis-port={{ tas_single_node_rekor_redis.redis.port }} \ +{% if tas_single_node_rekor_redis.redis.password != "" %} + --redis-password="{{ tas_single_node_rekor_redis.redis.password }}" \ +{% endif %} + --rekor-address=http://{{ tas_single_node_rekor_server_pod }}-pod:{{ tas_single_node_rekor_server_port_http }} \ + --start="${startIndex}" --end="${endIndex}" + + redis-cli \ + -h {{ tas_single_node_rekor_redis.redis.host }} \ + -p {{ tas_single_node_rekor_redis.redis.port }} \ +{% if tas_single_node_rekor_redis.redis.password != "" %} + -a "{{ tas_single_node_rekor_redis.redis.password }}" \ +{% endif 
%} + SET last_filled_index "$((endIndex + 1))" diff --git a/roles/tas_single_node/templates/systemd/backfill_redis.timer.j2 b/roles/tas_single_node/templates/systemd/backfill_redis.timer.j2 index c926c442..83014538 100644 --- a/roles/tas_single_node/templates/systemd/backfill_redis.timer.j2 +++ b/roles/tas_single_node/templates/systemd/backfill_redis.timer.j2 @@ -2,7 +2,7 @@ Description=Runs The backfill redis job [Timer] -OnCalendar=*-*-* 00:00:00 +OnCalendar={{ tas_single_node_backfill_redis.schedule }} Persistent=true Unit=backfill_redis.service diff --git a/roles/tas_single_node/vars/main.yml b/roles/tas_single_node/vars/main.yml index 146d44c2..247a31d7 100644 --- a/roles/tas_single_node/vars/main.yml +++ b/roles/tas_single_node/vars/main.yml @@ -18,6 +18,10 @@ tas_single_node_rekor_templates: - manifests/rekor/redis-server.j2 - manifests/rekor/rekor-server.j2 +tas_single_node_backfill_redis: + enabled: true + schedule: "*-*-* 00:00:00" + # Individual service enablement tas_single_node_trillian_enabled: true tas_single_node_rekor_enabled: true
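Review bot: The closing `redis-cli ... SET last_filled_index` runs even when `backfill-redis` exits non-zero, because the `/bin/sh -c` script has no error handling. A failed run would still advance the checkpoint, and the next run would start past entries that were never indexed. Adding `set -e` as the first line of the script, or `|| exit 1` after the `backfill-redis` call, keeps the checkpoint tied to a successful fill. `startIndex` is also only checked for emptiness, so any non-numeric output from `redis-cli GET` is passed straight to `--start`; failing the job on a non-numeric value would be safer. Separately, the new `-a "{{ tas_single_node_rekor_redis.redis.password }}"` arguments put the Redis password on the process command line, whereas redis-cli can read it from the `REDISCLI_AUTH` environment variable; the container's env section is outside this hunk, so where to set it is not visible here.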
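Review bot: `OnCalendar={{ tas_single_node_backfill_redis.schedule }}` writes the variable into the unit file unchecked. A typo in the calendar expression only surfaces when systemd refuses the timer, and a value containing a newline would add extra lines to the `[Timer]` section. A validation task ahead of the template copy would catch both before the unit is installed, for example running `systemd-analyze calendar "{{ tas_single_node_backfill_redis.schedule }}"` with `changed_when: false`, or asserting that the value contains no newline.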
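Review bot: Defining `tas_single_node_backfill_redis` in vars/main.yml gives it role-vars precedence, which outranks the entry this commit adds to defaults/main.yml as well as inventory, group_vars/host_vars and play vars. As written, an operator who sets `enabled: false` or a custom `schedule` in inventory would still get the daily job deployed; only extra vars, role parameters or `set_fact` would override it. If the duplicate is not intentional, dropping these three lines and keeping the defaults entry makes the option documented in the README take effect. If it is intentional, as the neighbouring `*_enabled` flags in this file may suggest, a comment such as `# fixed here on purpose; not overridable from inventory` would say so.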