Hold job until depencies ready

.tekton/segment-backup-job-pull-request.yaml

@@ -32,7 +32,7 @@ spec:
   - name: revision
     value: '{{revision}}'
   - name: prefetch-input
-    value: '{"path": ".", "type": "pip", "requirements_build_files": ["requirements-build.txt"]}'
+    value: '{"path": ".", "type": "pip", "requirements_build_files": ["requirements-build.txt", "requirements.txt"]}'
   pipelineSpec:
     finally:
     - name: show-sbom

.tekton/segment-backup-job-push.yaml

@@ -28,7 +28,7 @@ spec:
   - name: revision
     value: '{{revision}}'
   - name: prefetch-input
-    value: '{"path": ".", "type": "pip", "requirements_build_files": ["requirements-build.txt"]}'
+    value: '{"path": ".", "type": "pip", "requirements_build_files": ["requirements-build.txt", "requirements.txt"]}'
   pipelineSpec:
     finally:
     - name: show-sbom

Containerfile

@@ -16,6 +16,6 @@ RUN mkdir /opt/app-root/src/bin && cd /opt/app-root/src/bin && \
     curl -L https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/stable/openshift-client-linux.tar.gz > /tmp/oc/openshift-client-linux.tar.gz && cd /tmp/oc && \
     tar xvf openshift-client-linux.tar.gz && mv /tmp/oc/oc /opt/app-root/src/bin/oc && \
     cd /opt/app-root/src/ && export PATH=$PATH:/opt/app-root/src/bin && \
-    python3 -m pip install --upgrade pip && pip3 install -r requirements.txt --force-reinstall
+    /opt/app-root/bin/pip install --upgrade pip && /opt/app-root/bin/pip install -r /opt/app-root/src/requirements.txt --force-reinstall
 
 USER 1001

README.md

@@ -0,0 +1,66 @@
+
+
+### Development
+
+This is the script I used to automate my builds (OSX only but i guess some linux compatability):
+
+```bash
+# If https://github.com/securesign/sigstore-ocp/pull/81/files is not merged you will need to create the pull secret, go here: https://console.redhat.com/application-services/trusted-content/artifact-signer and download it
+oc create secret generic pull-secret -n sigstore-monitoring --from-file=$HOME/Downloads/pull-secret.json
+
+# was developing and pushing images here to test: https://quay.io/repository/grpereir/segment-backup-job?tab=tags, get the latest tag and set version to be 1 after that
+
+#Example version value
+export version=25
+
+export segment_backup_job_repo_path=$(pwd) #if your working from another directory swap this value out
+export sigstore_ocp_path="" # Set absolute path to sigstore-ocp, used for automating editing of the values file
+
+# my podman is broken due to QEMU issues (run mv Containerfile Dockerfile once)
+podman build $segment_backup_job_repo_path --platform=linux/amd64 -t quay.io/grpereir/segment-backup-job:1.0.$version
+podman push quay.io/grpereir/segment-backup-job:1.0.$version #my quay, can swap out with your repo
+version=$(( $version + 1));
+
+# LOCAL DEV
+
+podman run -it --rm quay.io/grpereir/segment-backup-job:1.0.$version /bin/bash
+
+#CHART TESTING
+
+code $sigstore_ocp_path/charts/trusted-artifact-signer/values.yaml # replace lines 17 and possibly 16
+/usr/bin/open -a "/Applications/Google Chrome.app" 'https://quay.io/repository/grpereir/segment-backup-job?tab=tags' #automated for mac but do this based on your OS
+oc delete cronjob segment-backup-job -n sigstore-monitoring; oc delete job segment-backup-job -n sigstore-monitoring #if you have issues with permssions here run this as non-service account oc user
+$segment_backup_job_repo_path/tas-easy-install.sh
+
+```
+
+### Testing
+
+This job is meant to run as a service account, run this NOT in the container but logged from your client machine, this will spit out the login command that you should run on the container:
+
+From host logged in:
+```bash
+
+
+export secret_name_for_sa=$( oc get sa segment-backup-job -n sigstore-monitoring -o json | jq ".secrets[1].name" | cut -d "\"" -f 2 )
+
+export sa_token=$(oc get secret $secret_name_for_sa -n sigstore-monitoring -o json | jq .metadata.annotations."\"openshift.io/token-secret.value\"" | cut -d "\"" -f 2)
+export server=$(oc whoami -t)
+echo "oc login --token=$sa_token --server=$server" # spits out the login command for the SA, used in terminal 2
+
+```
+
+INSIDE the container:
+```bash
+# use the above login command, ex: oc login --token=... --server=...
+
+#Choose a run type to test (installation or nightly)
+export RUN_TYPE="installation" 
+export RUN_TYPE="nightly"
+
+#Verify you are the service account
+oc whoami
+
+#Run script as entrypoint
+/opt/app-root/src/script.sh
+```

main-installation.py

@@ -1,4 +1,4 @@
-import analytics
+import segment.analytics as analytics
 import os
 import logging
 import datetime

main-nightly.py

@@ -1,4 +1,4 @@
-import analytics
+import segment.analytics as analytics
 import os
 import logging
 

script.sh

@@ -3,6 +3,52 @@
 # RUN_TYPE="nightly" #debugging                       #
 #######################################################
 
+max_attempts=60
+sleep_interval=5
+
+check_thanos_querier_status() {
+    local attempts=0
+
+    while [[ $attempts -lt $max_attempts ]]; do
+        route_exists=$(oc get route thanos-querier -n openshift-monitoring --ignore-not-found=true)
+        if [[ -n $route_exists ]]; then
+            echo "route \"thanos-querier\" is up and running in namespace "openshift-monitoring"."
+            return 0
+        else
+            echo "Thanos Querier route is not up yet. Retrying in $sleep_interval seconds..."
+        fi
+        sleep $sleep_interval
+        attempts=$((attempts + 1))
+    done
+
+    echo "Timed out. Thanos Querier route did not spin up in the \"openshift-monitoring\" namespace."
+    return 1
+}
+
+check_pull_secret() {
+    local attempts=0
+
+    while [[ $attempts -lt $max_attempts ]]; do
+        pull_secret_exists=$(oc get secret pull-secret -n sigstore-monitoring --ignore-not-found=true)
+        if [[ -n $pull_secret_exists ]]; then
+            echo "secret \"pull-secret\" in namespace \"sigstore-monitoring\" exists, proceeding."
+            return 0
+        else
+            echo "Waiting for secret \"pull-secret\" in namespace \"sigstore-monitoring\" to exist..."
+            sleep $sleep_interval
+            attempts=$((attempts + 1))
+        fi
+    done
+
+    echo "Timed out. Cannot find secret \"pull-secret\" in namespace \"sigstore-monitoring\"."
+    echo "Please download the pull-secret from \`https://console.redhat.com/application-services/trusted-content/artifact-signer\`
+    and create a secret from it: \`oc create secret generic pull-secret -n sigstore-monitoring --from-file=\$HOME/Downloads/pull-secret.json\`."
+    return 1
+}
+
+check_pull_secret
+check_thanos_querier_status
+
 pull_secret_exists=$(oc get secret  pull-secret -n sigstore-monitoring --ignore-not-found=true)
 
 if [[ -z $pull_secret_exists ]]; then