adds tuf-rollout-restart container to ensure tuf root secret is updated.

Signed-off-by: ianhundere <[email protected]>
sigstore · Jul 29, 2024 · 3fc2480 · 3fc2480
1 parent 7aabce4
commit 3fc2480
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/charts/scaffold/templates/clusterrole.yaml b/charts/scaffold/templates/clusterrole.yaml
@@ -9,5 +9,5 @@ rules:
     verbs: ["get", "create", "patch"{{- if .Values.copySecretJob.copySecretCronJob.enabled }}, "delete"{{- end }}]
   - apiGroups: ["apps"]
     resources: ["deployments"]
-    verbs: ["get", "list"]
-{{- end }}
+    verbs: ["get", "list"{{- if .Values.copySecretJob.copySecretCronJob.enabled }}, "update"{{- end }}]
+{{- end }}
diff --git a/charts/scaffold/templates/copy-secrets-cronjob.yaml b/charts/scaffold/templates/copy-secrets-cronjob.yaml
@@ -85,6 +85,13 @@ spec:
                 "curl {{ .Values.tuf.secrets.tsa.deploymentName}}.{{ .Values.tuf.secrets.tsa.namespace }}.svc.cluster.local/api/v1/timestamp/certchain -o /tmp/cert-chain -v && \
                 kubectl apply -f - <<EOF\napiVersion: v1\nkind: Secret\nmetadata:\n  name: {{ .Values.tuf.secrets.tsa.name }}\n  namespace: {{ .Values.forceNamespace }}\ndata:\n  cert-chain: $(cat /tmp/cert-chain | base64 -w 0)\nEOF\n"
             ]
+          - name: rollout-restart-tuf
+            image: {{ template "scaffold.image" .Values.copySecretJob }}
+            imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }}
+            command: ["/bin/sh"]
+            args: |
+              -c
+              kubectl rollout restart deployment {{ template "tuf.deployment.fullname" .Subcharts.tuf }} -n {{ include "tuf.rawnamespace" .Subcharts.tuf }}
           {{- if .Values.copySecretJob.nodeSelector }}
           nodeSelector:
 {{ toYaml .Values.copySecretJob.nodeSelector | indent 12 }}