From 6e13d06238ad40c05cb521936578ca878626eccd Mon Sep 17 00:00:00 2001
From: Jonathan Christison
Date: Tue, 18 Jul 2023 17:33:40 +0100
Subject: [PATCH 1/7] We dont have permissions to do this
---
k8s/stage/osh-client-tekton/tekton-prune.yaml | 8 ++++++++
1 file changed, 8 insertions(+)
create mode 100644 k8s/stage/osh-client-tekton/tekton-prune.yaml
diff --git a/k8s/stage/osh-client-tekton/tekton-prune.yaml b/k8s/stage/osh-client-tekton/tekton-prune.yaml
new file mode 100644
index 0000000..d448b70
--- /dev/null
+++ b/k8s/stage/osh-client-tekton/tekton-prune.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: pct-security-tooling
+ annotations:
+ operator.tekton.dev/prune.resource: taskrun, pipelinerun
+ operator.tekton.dev/prune.schedule: '*/10 * * * *'
+ operator.tekton.dev/prune.strategy.keep: "10"
From 798675466f87d44741161f4f4d79de5b83f6809e Mon Sep 17 00:00:00 2001
From: Jonathan Christison
Date: Tue, 18 Jul 2023 18:19:16 +0100
Subject: [PATCH 2/7] Start adding cronjob to do the clearup for us
todo:
* Service account/secret to access tekton resources
* Tune - I dont know what happens if you clean up taskruns only for example
---
.../tekton-cleanup-cronjob.yaml | 21 +++++++++++++++++++
k8s/stage/osh-client-tekton/tekton-prune.yaml | 8 -------
2 files changed, 21 insertions(+), 8 deletions(-)
create mode 100644 k8s/stage/osh-client-tekton/tekton-cleanup-cronjob.yaml
delete mode 100644 k8s/stage/osh-client-tekton/tekton-prune.yaml
diff --git a/k8s/stage/osh-client-tekton/tekton-cleanup-cronjob.yaml b/k8s/stage/osh-client-tekton/tekton-cleanup-cronjob.yaml
new file mode 100644
index 0000000..0b1833a
--- /dev/null
+++ b/k8s/stage/osh-client-tekton/tekton-cleanup-cronjob.yaml
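Review bot: The annotation keys on the Namespace should be checked against the Tekton operator docs for the installed version: I recall the pruner reading `operator.tekton.dev/prune.resources` (plural) and `operator.tekton.dev/prune.keep`, whereas this hunk writes `prune.resource` and `prune.strategy.keep`, and a mistyped annotation is silently ignored rather than rejected, so the namespace would simply never be pruned. Declaring the whole `Namespace` object here also means `kubectl apply` claims ownership of an object that presumably already exists, which is likely why the subject says the team lacks permission; `kubectl annotate namespace pct-security-tooling operator.tekton.dev/prune.schedule='*/10 * * * *'` (or a merge patch) only touches the annotations and needs a narrower grant.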
@@ -0,0 +1,21 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: tekton-terminator
+ namespace: pct-security-tooling
+spec:
+ schedule: "*/10 * * * *"
+ concurrencyPolicy: Forbid
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: tekton-cleanup
+ image: quay.io/openshift-pipeline/openshift-pipelines-cli-tkn:1.11
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/sh
+ - -c
+ - tkn pipelinerun delete --keep 10 && tkn taskrun delete --keep 20
+ restartPolicy: OnFailure
diff --git a/k8s/stage/osh-client-tekton/tekton-prune.yaml b/k8s/stage/osh-client-tekton/tekton-prune.yaml
deleted file mode 100644
index d448b70..0000000
--- a/k8s/stage/osh-client-tekton/tekton-prune.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: pct-security-tooling
- annotations:
- operator.tekton.dev/prune.resource: taskrun, pipelinerun
- operator.tekton.dev/prune.schedule: '*/10 * * * *'
- operator.tekton.dev/prune.strategy.keep: "10"
From 97b0255c47fa7f3f4537948412d9ea49d94abd83 Mon Sep 17 00:00:00 2001
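Review bot: The `tekton-cleanup` container is pulled by the mutable tag `openshift-pipelines-cli-tkn:1.11` and runs with no securityContext and no resource limits, while the commit message's TODO says the pod will soon carry a service-account token with Tekton delete rights. Pin the image to a digest (resolve it once, keep the tag alongside for readability), run the pod non-root with privilege escalation disabled and all capabilities dropped, and give it small CPU/memory limits so a stuck cleanup cannot starve the namespace. If `tkn` turns out to need a writable home directory, mount an `emptyDir` there rather than dropping `readOnlyRootFilesystem`. Rewritten pod-template stanza below; the `command` and `restartPolicy` lines are unchanged.
```yaml
        spec:
          securityContext:
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          containers:
            - name: tekton-cleanup
              # pin the digest (e.g. from `skopeo inspect`) so a re-pushed 1.11 tag cannot change what runs
              image: quay.io/openshift-pipeline/openshift-pipelines-cli-tkn:1.11@sha256:<resolved-digest>
              imagePullPolicy: IfNotPresent
              securityContext:
                allowPrivilegeEscalation: false
                readOnlyRootFilesystem: true
                capabilities:
                  drop: ["ALL"]
              resources:
                requests: {cpu: 50m, memory: 64Mi}
                limits: {cpu: 200m, memory: 128Mi}
              # … unchanged: command …
          # … unchanged: restartPolicy …
```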
From: Jonathan Christison Date: Tue, 18 Jul 2023 18:42:32 +0100 Subject: [PATCH 3/7] Just re-use the OSH service account The pipeline clearup seems to work but taskrun clearup fails for some reason ``` All but 10 PipelineRuns(Completed) deleted in namespace "pct-security-tooling" Error: failed to delete TaskRun "osh-scan-scm-taskrun-test-pjtvw": taskruns.tekton.dev "osh-scan-scm-taskrun-test-pjtvw" is forbidden: User "system:serviceaccount:pct-security-tooling:osh" cannot delete resource "taskruns" in API group "tekton.dev" in the namespace "pct-security-tooling"; failed to delete TaskRun "osh-scan-scm-taskrun-test-9gx7z": taskruns.tekton.dev "osh-scan-scm-taskrun-test-9gx7z" is forbidden: User "system:serviceaccount:pct-security-tooling:osh" cannot delete resource "taskruns" in API group "tekton.dev" in the namespace "pct-security-tooling"; failed to delete TaskRun "osh-scan-scm-taskrun-test-g7vlh": taskruns.tekton.dev "osh-scan-scm-taskrun-test-g7vlh" is forbidden: User "system:serviceaccount:pct-security-tooling:osh" cannot delete resource "taskruns" in API group "tekton.dev" in the namespace "pct-security-tooling"; .... ``` --- k8s/stage/osh-client-tekton/tekton-cleanup-cronjob.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/k8s/stage/osh-client-tekton/tekton-cleanup-cronjob.yaml b/k8s/stage/osh-client-tekton/tekton-cleanup-cronjob.yaml index 0b1833a..88f1c8a 100644 --- a/k8s/stage/osh-client-tekton/tekton-cleanup-cronjob.yaml +++ b/k8s/stage/osh-client-tekton/tekton-cleanup-cronjob.yaml @@ -10,6 +10,7 @@ spec: spec: template: spec: + serviceAccountName: osh containers: - name: tekton-cleanup image: quay.io/openshift-pipeline/openshift-pipelines-cli-tkn:1.11 @@ -17,5 +18,5 @@ spec: command: - /bin/sh - -c - - tkn pipelinerun delete --keep 10 && tkn taskrun delete --keep 20 - restartPolicy: OnFailure + - tkn pipelinerun delete --keep 10 -f && tkn taskrun delete --keep 20 -f + restartPolicy: Never 
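Review bot: Reusing the pipeline's `osh` service account for the cleanup job merges two trust domains: anything executing inside the OSH scan pipeline under `osh` can now also delete run history, and the forbidden errors quoted in the commit message show that account's permissions were never shaped for this job anyway. Give the CronJob its own service account bound to a namespaced Role that allows only get/list/delete on `taskruns` and `pipelineruns`, and leave `osh` untouched. Separately, `tkn taskrun delete --keep 20 -f` does not obviously exclude TaskRuns that belong to the 10 PipelineRuns the preceding command retains — verify that behaviour for tkn 1.11, or the kept PipelineRuns may lose their per-task logs.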
From 3cf29f95b2c0e72d35e073828731446a81163aa4 Mon Sep 17 00:00:00 2001
From: Jonathan Christison
Date: Wed, 19 Jul 2023 15:55:00 +0100
Subject: [PATCH 4/7] Create a SA with the correct tekton permissions
---
.../tekton-terminator-sa-rbac.yaml | 43 +++++++++++++++++++
1 file changed, 43 insertions(+)
create mode 100644 k8s/stage/osh-client-tekton/tekton-terminator-sa-rbac.yaml
diff --git a/k8s/stage/osh-client-tekton/tekton-terminator-sa-rbac.yaml b/k8s/stage/osh-client-tekton/tekton-terminator-sa-rbac.yaml
new file mode 100644
index 0000000..dd67d0e
--- /dev/null
+++ b/k8s/stage/osh-client-tekton/tekton-terminator-sa-rbac.yaml
@@ -0,0 +1,43 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: pct-security-tooling
+ name: osh-wrapper-tekton-terminator-sa
+ labels:
+ app.kubernetes.io/name: osh-wrapper-tekton-terminator
+ env: stage
+imagePullSecrets:
+ - name: pct-security-osh-wrapper-client-pull-secret
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: osh-wrapper-tekton-terminator
+ labels:
+ app.kubernetes.io/component: tekton
+ namespace: pct-security-tooling
+rules:
+- apiGroups:
+ - tekton.dev
+ resources:
+ - taskruns
+ - pipelineruns
+ verbs:
+ - get
+ - list
+ - delete
+ - update
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: osh-wrapper-tekton-terminator-rolebinding
+ namespace: pct-security-tooling
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: osh-wrapper-tekton-terminator
+subjects:
+- kind: ServiceAccount
+ name: osh-wrapper-tekton-terminator-sa
+
From 8548244a009dd0325a2935f3adfe2deedd5fefce Mon Sep 17 00:00:00 2001
From: Jonathan Christison
Date: Wed, 19 Jul 2023 15:55:39 +0100
Subject: [PATCH 5/7] Change SA for tekton terminator
---
k8s/stage/osh-client-tekton/tekton-cleanup-cronjob.yaml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
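Review bot: The Role grants `update` on `taskruns` and `pipelineruns`, but the only consumer visible in this series is `tkn … delete --keep N`, which needs get/list/delete; drop the `- update` line unless a specific tkn code path is shown to require it, since an account that can rewrite run objects can also tamper with recorded status and results. The RoleBinding subject omits `namespace:`; the API defaults it to the binding's namespace, but spell it out as `namespace: pct-security-tooling` under the subject so the grant stays correct if this stanza is ever copied into a ClusterRoleBinding. The `imagePullSecrets` entry also ties this new account to `pct-security-osh-wrapper-client-pull-secret` even though the tkn image referenced elsewhere in the series lives on a public quay.io path — confirm it is actually needed before widening where that secret is used.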
diff --git a/k8s/stage/osh-client-tekton/tekton-cleanup-cronjob.yaml b/k8s/stage/osh-client-tekton/tekton-cleanup-cronjob.yaml index 88f1c8a..ac35807 100644 --- a/k8s/stage/osh-client-tekton/tekton-cleanup-cronjob.yaml +++ b/k8s/stage/osh-client-tekton/tekton-cleanup-cronjob.yaml @@ -6,11 +6,12 @@ metadata: spec: schedule: "*/10 * * * *" concurrencyPolicy: Forbid + backoffLimit: 2 jobTemplate: spec: template: spec: - serviceAccountName: osh + serviceAccountName: osh-wrapper-tekton-terminator-sa containers: - name: tekton-cleanup image: quay.io/openshift-pipeline/openshift-pipelines-cli-tkn:1.11 From bdefadd090773cfe479d37f9ca31ab89245c2a13 Mon Sep 17 00:00:00 2001 From: Jonathan Christison Date: Wed, 19 Jul 2023 16:35:59 +0100 Subject: [PATCH 6/7] Add big payload using builds from cpass test builds See https://orch.psi.redhat.com/pnc-web/#/projects/947 ``` bacon pnc project list-builds 947 --profile=production -o > cpaas_maven_builds.json #takes a long time cat cpaas_maven_builds.json | jq '.[].id' > buildids.lst for bid in `tail -n 50 buildids.lst`; do printf "{\"build-id\":$bid,\"type\":\"pnc\"},"; done ``` --- hack/sample-pssaas-big.json | 45 +++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 hack/sample-pssaas-big.json diff --git a/hack/sample-pssaas-big.json b/hack/sample-pssaas-big.json new file mode 100644 index 0000000..69ce354 --- /dev/null +++ b/hack/sample-pssaas-big.json 
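Review bot: `backoffLimit: 2` is added under the CronJob's top-level `spec`, but it is a JobSpec field, not a CronJobSpec field, so it has no effect here (and, depending on the cluster's server-side field validation setting, is either dropped with a warning or rejected outright). Move it into the job template: `jobTemplate:` / `  spec:` / `    backoffLimit: 2`. Until then, with `restartPolicy: Never` a persistently failing cleanup still spawns up to the default six retry pods on every tick.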
@@ -0,0 +1,45 @@
+{
+ "product-id": "jochrist-dev-test-rhbq",
+ "is-managed-service": false,
+ "cpaas-version": "latest",
+ "component-list":[
+ {"build-id":"AZ2HRIN2S7AAC","type":"pnc"},
+ {"build-id":"AZ2JABY727AAA","type":"pnc"},
+ {"build-id":"AZ2JRSQZC7AAC","type":"pnc"},
+ {"build-id":"AZ2Z2WLAK7AAC","type":"pnc"},
+ {"build-id":"AZ4AMGCV27AAC","type":"pnc"},
+ {"build-id":"AZ4A5CSJC7AAC","type":"pnc"},
+ {"build-id":"AZ4B7LCNC7AAC","type":"pnc"},
+ {"build-id":"AZ4CLXF4K7AAC","type":"pnc"},
+ {"build-id":"AZ4CMZK6S7AAC","type":"pnc"},
+ {"build-id":"AZ4C62YEC7AAC","type":"pnc"},
+ {"build-id":"AZ4DGFNK27AAC","type":"pnc"},
+ {"build-id":"AZ4DIMTNS7AAC","type":"pnc"},
+ {"build-id":"AZ4KSFVIC7AAC","type":"pnc"},
+ {"build-id":"AZ4VFB7XK7AAC","type":"pnc"},
+ {"build-id":"AZ4WLXXFC7AAC","type":"pnc"},
+ {"build-id":"AZ5JPS7SK7AAC","type":"pnc"},
+ {"build-id":"AZ5LC7M327AAC","type":"pnc"},
+ {"build-id":"AZ5LQCKAC7AAC","type":"pnc"},
+ {"build-id":"AZ5LW6NGS7AAC","type":"pnc"},
+ {"build-id":"AZ5MHDELK7AAC","type":"pnc"},
+ {"build-id":"AZ5ONFXEC7AAC","type":"pnc"},
+ {"build-id":"AZ5P2MUBK7AAC","type":"pnc"},
+ {"build-id":"AZ5QJ7VPK7AAC","type":"pnc"},
+ {"build-id":"AZ5RPXHM27AAC","type":"pnc"},
+ {"build-id":"AZ5SRVAG27AAC","type":"pnc"},
+ {"build-id":"AZ56V4B4K7AAC","type":"pnc"},
+ {"build-id":"AZ5642PZS7AAC","type":"pnc"},
+ {"build-id":"AZ6ATGHXC7AAC","type":"pnc"},
+ {"build-id":"AZ6XRDLCS7AAC","type":"pnc"},
+ {"build-id":"AZ6YYPCZK7AAC","type":"pnc"},
+ {"build-id":"AZ62QFTQ27AAC","type":"pnc"},
+ {"build-id":"AZ65EUXBC7AAC","type":"pnc"},
+ {"build-id":"AZ65VXKKC7AAC","type":"pnc"},
+ {"build-id":"A2ARB7X3S7AAC","type":"pnc"},
+ {"build-id":"A2ARDJ7MS7AAC","type":"pnc"},
+ {"build-id":"A2ARENQ4S7AAC","type":"pnc"},
+ {"build-id":"A2ARFRPLC7AAC","type":"pnc"}
+ ]
+}
+
From 29889925d1f761fa7fc53c3507b00206bea84243 Mon Sep 17 00:00:00 2001
From: Jonathan Christison Date: Wed, 19 Jul 2023 17:11:44 +0100 Subject: [PATCH 7/7] Seems slightly aggressive of a run time, change to every 50 mins --- k8s/stage/osh-client-tekton/tekton-cleanup-cronjob.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/k8s/stage/osh-client-tekton/tekton-cleanup-cronjob.yaml b/k8s/stage/osh-client-tekton/tekton-cleanup-cronjob.yaml index ac35807..cf194b5 100644 --- a/k8s/stage/osh-client-tekton/tekton-cleanup-cronjob.yaml +++ b/k8s/stage/osh-client-tekton/tekton-cleanup-cronjob.yaml @@ -4,7 +4,7 @@ metadata: name: tekton-terminator namespace: pct-security-tooling spec: - schedule: "*/10 * * * *" + schedule: "*/50 * * * *" concurrencyPolicy: Forbid backoffLimit: 2 jobTemplate: @@ -19,5 +19,5 @@ spec: command: - /bin/sh - -c - - tkn pipelinerun delete --keep 10 -f && tkn taskrun delete --keep 20 -f + - tkn pipelinerun delete --keep 10 -f && tkn taskrun delete --keep 40 -f restartPolicy: Never
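Review bot: `*/50 * * * *` does not run every 50 minutes: a step value in the minute field restarts at the top of each hour, so this fires at :00 and :50, alternating 50- and 10-minute gaps. If the intent is roughly hourly use `schedule: "0 * * * *"` (or `"*/30 * * * *"` for every half hour); a true 50-minute cadence is not expressible in cron. Since the retention counts have now changed twice, a short comment next to the command such as `# keep the 10 newest PipelineRuns and 40 newest TaskRuns; tune with the schedule above` would stop the next reader guessing at the numbers.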