Merge pull request #9 from GitGuardian/ctourriere/-/split_jobs

chore(job): Refactor cronjob definition

Author: clement-tourriere

README.md

@@ -18,10 +18,6 @@ An example values file that fetches from HashiCorp Vault and GitLab CI:
 
 ```yaml
 inventory:
-  # Run every 15 minutes
-  schedule: '*/15 * * * *'
-  # Set to `true` to enable syncing secrets from GitGuardian into your vaults
-  sync: false
   config:
     sources:
       vault-secrets:
@@ -40,6 +36,21 @@ inventory:
     gitguardian:
       endpoint: "https://your-gg-instance/v1"
       api_token: "${GG_API_TOKEN}"
+  jobs:
+    # Job to fetch defined sources
+    fetch:
+        # Set to `true` to enable the job
+        enabled: false
+        # Run every 15 minutes
+        schedule: '*/15 * * * *'
+        send: true
+    # Job to be able to sync/write secrets from GitGuardian into you vault
+    sync:
+      # Set to `false` to disable the job
+      enabled: true
+      # Run every minute
+      schedule: '* * * * *'
+      # Set to `true` to enable sending fetched data to the GitGuardian instance 
 
 # This needs to be created separately, and contain the following keys:
 # - `HASHICORP_VAULT_TOKEN` - the hashicorp vault token to use

charts/nhi-scout/templates/_cronjob.tpl

@@ -6,7 +6,7 @@ metadata:
   labels:
     {{- include "nhi-scout.labels" . | nindent 4 }}
 spec:
-  schedule: {{ toJson .Values.inventory.schedule  }}
+  schedule: {{ toJson .schedule  }}
   jobTemplate:
     spec:
       template:

charts/nhi-scout/templates/cronjob_inventory.yaml

@@ -1,6 +1,10 @@
+{{- if and (ne .Values.inventory.config.gitguardian nil) (ne .Values.inventory.jobs nil) (ne .Values.inventory.jobs.fetch nil) (.Values.inventory.jobs.fetch.enabled) }}
+
 {{ $command := "fetch" -}}
-{{- if ne .Values.inventory.config.gitguardian nil }}
+
+{{- if .Values.inventory.jobs.fetch.send }}
 {{ $command = "fetch-and-send" -}}
 {{- end }}
 
-{{ include "nhi-scout.cronjob" (merge (dict "cronjob_name" "inventory" "command" $command) .) -}}
+{{ include "nhi-scout.cronjob" (merge (dict "cronjob_name" "inventory" "command" $command "schedule" .Values.inventory.jobs.fetch.schedule) .) -}}
+{{- end }}

charts/nhi-scout/templates/cronjob_ping.yaml

@@ -0,0 +1,3 @@
+{{- if and (ne .Values.inventory.config.gitguardian nil) (ne .Values.inventory.jobs nil) (ne .Values.inventory.jobs.ping nil)}}
+{{ include "nhi-scout.cronjob" (merge (dict "cronjob_name" "ping" "command" "ping" "schedule" .Values.inventory.jobs.ping.schedule) .) -}}
+{{- end }}

charts/nhi-scout/templates/cronjob_sync.yaml

@@ -1,3 +1,3 @@
-{{- if .Values.inventory.sync }}
-{{ include "nhi-scout.cronjob" (merge (dict "cronjob_name" "sync" "command" "sync-secrets") .) -}}
+{{- if and (ne .Values.inventory.config.gitguardian nil) (.Values.inventory.jobs.sync.enabled) }}
+{{ include "nhi-scout.cronjob" (merge (dict "cronjob_name" "sync" "command" "sync-secrets" "schedule" .Values.inventory.jobs.sync.schedule) .) -}}
 {{- end }}

charts/nhi-scout/test_values.yaml

@@ -2,7 +2,6 @@
 # yaml-language-server: $schema=values.schema.json
 
 inventory:
-  sync: false
   config:
     sources: {}
     gitguardian: null

charts/nhi-scout/tests/base_cronjob_test.yaml

@@ -4,7 +4,7 @@ suite: test base cronjob
 values:
 - ../test_values.yaml
 templates:
-- cronjob_inventory.yaml
+- cronjob_ping.yaml
 set:
   inventory.config.gitguardian.api_token: "foobar"
   inventory.config.gitguardian.endpoint: "https://some-url.com"
@@ -19,14 +19,6 @@ tests:
       path: spec.jobTemplate.spec.template.spec.containers[0].image
       value: ghcr.io/gitguardian/gitguardian-nhi-scout/chainguard:latest
 
-- it: should set schedule
-  set:
-    inventory.schedule: 1 * * * *
-  asserts:
-  - equal:
-      path: spec.schedule
-      value: 1 * * * *
-
 - it: should set image pull secrets
   set:
     imagePullSecrets:

charts/nhi-scout/tests/inventory_cronjob_test.yaml

@@ -5,6 +5,10 @@ values:
 - ../test_values.yaml
 templates:
 - cronjob_inventory.yaml
+set:
+  inventory.jobs.fetch.enabled: true
+  inventory.config.gitguardian.api_token: "foobar"
+  inventory.config.gitguardian.endpoint: "https://some-url.com"
 tests:
 - it: should work
   set:
@@ -18,17 +22,24 @@ tests:
 
 - it: should use the gitguardian command if set
   set:
-    inventory.config.gitguardian.api_token: "foobar"
-    inventory.config.gitguardian.endpoint: "https://some-url.com"
+    inventory.jobs.fetch.send: true
   asserts:
   - equal:
       path: spec.jobTemplate.spec.template.spec.containers[0].args[0]
       value: "fetch-and-send"
 
 - it: should use the fetch command if no upload is set
   set:
-    inventory.config.gitguardian: null
+    inventory.jobs.fetch.send: false
   asserts:
   - equal:
       path: spec.jobTemplate.spec.template.spec.containers[0].args[0]
       value: "fetch"
+
+- it: should be possible to modify schedule
+  set:
+    inventory.jobs.fetch.schedule: 2 * * * *
+  asserts:
+  - equal:
+      path: spec.schedule
+      value: 2 * * * *

charts/nhi-scout/tests/sync_cronjob_test.yaml

@@ -6,7 +6,7 @@ values:
 templates:
 - cronjob_sync.yaml
 set:
-  inventory.sync: true
+  inventory.jobs.sync.enabled: true
   inventory.config.gitguardian.api_token: "foobar"
   inventory.config.gitguardian.endpoint: "https://some-url.com"
 tests:
@@ -33,3 +33,11 @@ tests:
   - containsDocument:
       kind: CronJob
     not: true
+
+- it: should be possible to modify schedule
+  set:
+    inventory.jobs.sync.schedule: 2 * * * *
+  asserts:
+  - equal:
+      path: spec.schedule
+      value: 2 * * * *

charts/nhi-scout/values-base-schema.schema.json

@@ -7,14 +7,15 @@
       "type": "object",
       "properties": {
         "version": {"type": "string"},
-        "schedule": {"type": "string"},
-        "sync": {"type": "boolean"},
         "log_level": {
           "$ref": "inventory-log-level.schema.json"
         },
         "config": {
           "$ref": "inventory-config.schema.json"
-        }
+        },
+       "jobs": {
+         "$ref": "jobs.schema.json"
+       }
       },
       "required": ["config"]
     }

charts/nhi-scout/values.schema.json

@@ -16,19 +16,12 @@
         "config": {
           "$ref": "#/definitions/inventory-config.schema.json"
         },
+        "jobs": {
+          "$ref": "#/definitions/jobs.schema.json"
+        },
         "log_level": {
           "$ref": "#/definitions/inventory-log-level.schema.json"
         },
-        "schedule": {
-          "type": "string",
-          "minLength": 0
-        },
-        "sync": {
-          "enum": [
-            false,
-            true
-          ]
-        },
         "version": {
           "type": "string",
           "minLength": 0
@@ -466,6 +459,68 @@
         "warn",
         "error"
       ]
+    },
+    "jobs.schema.json": {
+      "$schema": "http://json-schema.org/draft-07/schema#",
+      "type": "object",
+      "minProperties": 0,
+      "properties": {
+        "fetch": {
+          "description": "Job that fetches data from defined sources. If send is set to `true`, send collected data to the configured GitGuardian instance.",
+          "type": "object",
+          "minProperties": 0,
+          "properties": {
+            "enabled": {
+              "default": true,
+              "enum": [
+                false,
+                true
+              ]
+            },
+            "schedule": {
+              "default": "*/15 * * * *",
+              "type": "string",
+              "minLength": 0
+            },
+            "send": {
+              "default": true,
+              "enum": [
+                false,
+                true
+              ]
+            }
+          }
+        },
+        "ping": {
+          "type": "object",
+          "minProperties": 0,
+          "properties": {
+            "schedule": {
+              "default": "* * * * *",
+              "type": "string",
+              "minLength": 0
+            }
+          }
+        },
+        "sync": {
+          "type": "object",
+          "minProperties": 0,
+          "properties": {
+            "enabled": {
+              "default": false,
+              "enum": [
+                false,
+                true
+              ]
+            },
+            "schedule": {
+              "default": "* * * * *",
+              "type": "string",
+              "minLength": 0
+            }
+          }
+        }
+      }
     }
   }
 }

charts/nhi-scout/values.yaml

@@ -7,12 +7,22 @@ inventory:
   # Specific version of the image to use
   version: 0.11.0
   # Schedule to run the collection on
-  schedule: "*/15 * * * *"
   log_level: info
   # Enable syncing secrets to vaults
-  sync: false
+  # sync: false
   # Need to add this explicitly
   config: null
+  jobs:
+    ping:
+      schedule: "* * * * *"
+    fetch:
+      schedule: "*/15 * * * *"
+      enabled: false
+      send: false
+    sync:
+      schedule: "* * * * *"
+      enabled: false
+
 
 # This sets the container image more information can be found here: https://kubernetes.io/docs/concepts/containers/images/
 image:

schemas/jobs.schema.json

@@ -0,0 +1,48 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "type": "object",
+  "$id": "jobs.schema.json",
+  "minProperties": 0,
+  "properties": {
+    "ping": {
+      "type": "object",
+      "properties": {
+        "schedule": {
+          "type": "string",
+          "default": "* * * * *"
+        }
+      }
+    },
+    "fetch": {
+      "description": "Job that fetches data from defined sources. If send is set to `true`, send collected data to the configured GitGuardian instance.",
+      "type": "object",
+      "properties": {
+        "schedule": {
+          "type": "string",
+          "default": "*/15 * * * *"
+        },
+        "enabled": {
+          "type": "boolean",
+          "default": true
+        },
+        "send": {
+          "type": "boolean",
+          "default": true
+        }
+      }
+    },
+    "sync": {
+      "type": "object",
+      "properties": {
+        "schedule": {
+          "type": "string",
+          "default": "* * * * *"
+        },
+        "enabled": {
+          "type": "boolean",
+          "default": false
+        }
+      }
+    }
+  }
+}