[SECURESIGN-1116] Add option to use external customer provisioned Red…

…is (#14) Add option to use external customer provisioned Redis
securesign · Jul 19, 2024 · fd2fb11 · fd2fb11
1 parent ce2a559
commit fd2fb11
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 9 deletions.
diff --git a/roles/tas_single_node/defaults/main.yml b/roles/tas_single_node/defaults/main.yml
@@ -18,8 +18,15 @@ tas_single_node_cockpit:
 tas_single_node_skip_os_install: false
 
 tas_single_node_rekor_templates:
-  - manifests/rekor/redis-server.yaml
-  - manifests/rekor/rekor-server.yaml
+  - manifests/rekor/redis-server.j2
+  - manifests/rekor/rekor-server.j2
+
+tas_single_node_rekor_redis:
+  database_deploy: true
+  redis:
+    address: rekor-redis-pod
+    port: 6379
+    password: password
 
 tas_single_node_cockpit_enabled: true
 tas_single_node_ctlog_enabled: true

diff --git a/roles/tas_single_node/tasks/podman.yml b/roles/tas_single_node/tasks/podman.yml
@@ -27,12 +27,12 @@
       "{{ tas_single_node_trillian_enabled }}",
       "{{ tas_single_node_rekor_enabled }}",
       "{{ tas_single_node_ctlog_enabled }}",
-      "{{ tas_single_node_rekor_enabled }}",
-      "{{ tas_single_node_trillian_enabled }}",
+      "{{ tas_single_node_rekor_enabled and tas_single_node_rekor_redis.database_deploy }}",
+      "{{ tas_single_node_trillian_enabled and tas_single_node_trillian.database_deploy }}",
       "{{ tas_single_node_tuf_enabled }}",
       "{{ tas_single_node_trillian_enabled }}",
-      "{{ tas_single_node_tsa_enabled }}",
       "true",
+      "{{ tas_single_node_tsa_enabled }}",
     ]
   loop:
     - "{{ tas_single_node_fulcio_server_image }}"

diff --git a/roles/tas_single_node/tasks/podman/rekor.yml b/roles/tas_single_node/tasks/podman/rekor.yml
@@ -24,7 +24,8 @@
       state: started
       systemd_file: redis
       network: "{{ tas_single_node_podman_network }}"
-      kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/rekor/redis-server.yaml') | from_yaml }}"
+      kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/rekor/redis-server.j2') | from_yaml }}"
+  when: tas_single_node_rekor_redis.database_deploy
 
 - name: Deploy Rekor Server Pod
   ansible.builtin.include_tasks: podman/install_manifest.yml
@@ -33,5 +34,5 @@
       state: started
       systemd_file: rekor
       network: "{{ tas_single_node_podman_network }}"
-      kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/rekor/rekor-server.yaml') | from_yaml }}"
+      kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/rekor/rekor-server.j2') | from_yaml }}"
       configmap: "{{ tas_single_node_rekor_sharding_config }}"
diff --git a/...mplates/manifests/rekor/redis-server.yaml → ...templates/manifests/rekor/redis-server.j2 b/...mplates/manifests/rekor/redis-server.yaml → ...templates/manifests/rekor/redis-server.j2
@@ -33,6 +33,11 @@ spec:
             - --appendonly
             - "yes"
           image: "{{ tas_single_node_redis_image }}"
+{% if tas_single_node_rekor_redis.redis.password != "" %}
+          env:
+            - name: REDIS_PASSWORD
+              value: "{{ tas_single_node_rekor_redis.redis.password }}"
+{% endif %}
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 6379

diff --git a/...mplates/manifests/rekor/rekor-server.yaml → ...templates/manifests/rekor/rekor-server.j2 b/...mplates/manifests/rekor/rekor-server.yaml → ...templates/manifests/rekor/rekor-server.j2
@@ -40,8 +40,11 @@ spec:
             - --trillian_log_server.address=trillian-logserver-pod
             - --trillian_log_server.port=8091
             - --trillian_log_server.sharding_config=/sharding/sharding-config.yaml
-            - --redis_server.address=rekor-redis
-            - --redis_server.port=6379
+            - --redis_server.address={{ tas_single_node_rekor_redis.redis.address }}
+            - --redis_server.port={{ tas_single_node_rekor_redis.redis.port }}
+{% if tas_single_node_rekor_redis.redis.password != "" %}
+            - --redis_server.password={{ tas_single_node_rekor_redis.redis.password }}
+{% endif %}
             - --rekor_server.address=0.0.0.0
             - --rekor_server.signer=memory
             - --enable_retrieve_api=true