feat: remove Segment Backup Job from operator

.github/workflows/main.yml

@@ -587,7 +587,6 @@ jobs:
       - name: Install securesign
         run: |
           sed -i 's#https://your-oidc-issuer-url#http://${{ steps.kind.outputs.oidc_host }}/auth/realms/trusted-artifact-signer#' config/samples/rhtas_v1alpha1_securesign.yaml
-          sed -i 's#rhtas.redhat.com/metrics: "true"#rhtas.redhat.com/metrics: "false"#' config/samples/rhtas_v1alpha1_securesign.yaml
           kubectl create ns ${{ env.TEST_NAMESPACE }}
           kubectl create -f config/samples/rhtas_v1alpha1_securesign.yaml -n ${{ env.TEST_NAMESPACE }}
           sleep 1

cmd/main.go

@@ -116,7 +116,6 @@ func main() {
 	utils.RelatedImageFlag("ctlog-image", images.CTLog, "The image used for ctlog.")
 	utils.RelatedImageFlag("http-server-image", images.HttpServer, "The image used to serve our cli binary's.")
 	utils.RelatedImageFlag("client-server-image", images.ClientServer, "The image used to serve cosign and gitsign.")
-	utils.RelatedImageFlag("segment-backup-job-image", images.SegmentBackup, "The image used for the segment backup job")
 	utils.RelatedImageFlag("timestamp-authority-image", images.TimestampAuthority, "The image used for Timestamp Authority")
 	utils.RelatedImageFlag("rekor-monitor-image", images.RekorMonitor, "The image used for rekor monitor.")
 	flag.StringVar(&clidownload.CliHostName, "cli-server-hostname", "", "The hostname for the cli server")

config/default/images.env

@@ -11,7 +11,6 @@ RELATED_IMAGE_BACKFILL_REDIS=registry.redhat.io/rhtas/rekor-backfill-redis-rhel9
 RELATED_IMAGE_TUF=registry.redhat.io/rhtas/tuffer-rhel9@sha256:0c30481d4afaf5c65e5bcc84879b8c6a4ba91c47dba9a752505325d6cb736eea
 RELATED_IMAGE_CTLOG=registry.redhat.io/rhtas/certificate-transparency-rhel9@sha256:651a5a412592819a96051ebaf39d02e24c61a1064c0236b01a0777297b66a685
 RELATED_IMAGE_HTTP_SERVER=registry.redhat.io/ubi9/httpd-24@sha256:ab5885d4368f833f2262f96b2765f59cce8563a43b13966de5d2c01595b87959
-RELATED_IMAGE_SEGMENT_REPORTING=registry.redhat.io/rhtas/segment-reporting-rhel9@sha256:e1790a0cac5eadef484e10d8f3f7ef6af9bdfabec4ab9fcc35c5ebd42b0205b3
 RELATED_IMAGE_TIMESTAMP_AUTHORITY=registry.redhat.io/rhtas/timestamp-authority-rhel9@sha256:be623422f3f636c39397a66416b02a79f1d59cf593ca258e1701d1728755dde9
 RELATED_IMAGE_CLIENT_SERVER=registry.redhat.io/rhtas/client-server-rhel9@sha256:c81aaa8f300021d7cdbb964524fc5e89ea2c79fdab5507f0ec036bf96b219332
 RELATED_IMAGE_REKOR_MONITOR=registry.redhat.io/rhtas/rekor-monitor-rhel9@sha256:1944eff9f103d84380b9efac6adec9cb22613643968e51f07db58df977b6b982

config/default/kustomization.yaml

@@ -200,17 +200,6 @@ replacements:
     select:
       kind: Deployment
       name: operator-controller-manager
-- source:
-    fieldPath: data.RELATED_IMAGE_SEGMENT_REPORTING
-    kind: ConfigMap
-    name: related-images
-    version: v1
-  targets:
-  - fieldPaths:
-    - spec.template.spec.containers.[name=^manager$].env.[name=^RELATED_IMAGE_SEGMENT_REPORTING$].value
-    select:
-      kind: Deployment
-      name: operator-controller-manager
 - source:
     fieldPath: data.RELATED_IMAGE_TIMESTAMP_AUTHORITY
     kind: ConfigMap

config/rbac/role.yaml

@@ -156,14 +156,6 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - monitoring.coreos.com
-  resources:
-  - prometheuses/api
-  verbs:
-  - create
-  - get
-  - update
 - apiGroups:
   - monitoring.coreos.com
   resources:
@@ -188,13 +180,6 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - operator.openshift.io
-  resources:
-  - consoles
-  verbs:
-  - get
-  - list
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:
@@ -255,10 +240,3 @@ rules:
   - get
   - patch
   - update
-- apiGroups:
-  - route.openshift.io
-  resources:
-  - routes
-  verbs:
-  - get
-  - list

config/samples/rhtas_v1alpha1_securesign.yaml

@@ -5,8 +5,6 @@ metadata:
     app.kubernetes.io/name: securesign-sample
     app.kubernetes.io/instance: securesign-sample
     app.kubernetes.io/part-of: trusted-artifact-signer
-  annotations:
-    rhtas.redhat.com/metrics: "true"
   name: securesign-sample
 spec:
   rekor:

internal/annotations/annotations.go

@@ -20,24 +20,6 @@
 //	  annotations:
 //	    rhtas.redhat.com/pause-reconciliation: "true"
 //
-// # Annotation: rhtas.redhat.com/metrics
-//
-// [Metrics] controls whether analytic metrics are collected for installed services.
-// This annotation applies only to the Securesign resource.
-//
-// Options:
-//   - "true": Enables metrics collection (default).
-//   - "false": Disables metrics collection.
-//
-// Example usage:
-//
-//	apiVersion: rhtas.redhat.com/v1alpha1
-//	kind: Securesign
-//	metadata:
-//	  name: example
-//	  annotations:
-//	    rhtas.redhat.com/metrics: "false"
-//
 // # Annotation: rhtas.redhat.com/trusted-ca
 //
 // [TrustedCA] specifies the name of a ConfigMap containing a custom CA bundle.
@@ -95,9 +77,6 @@ const (
 	// PausedReconciliation defines the annotation key used to pause reconciliation for a resource.
 	PausedReconciliation = "rhtas.redhat.com/pause-reconciliation"
 
-	// Metrics defines the annotation key used to enable or disable metric collection by the operator.
-	Metrics = "rhtas.redhat.com/metrics"
-
 	// TrustedCA defines the annotation key for specifying a custom CA bundle ConfigMap.
 	TrustedCA = "rhtas.redhat.com/trusted-ca"
 

internal/controller/securesign/actions/constants.go

@@ -8,8 +8,6 @@ const (
 	TrillianCondition        = "TrillianAvailable"
 	CTlogCondition           = "CTlogAvailable"
 	SegmentBackupCronJobName = "segment-backup-nightly-metrics"
-	SegmentBackupJobName     = "segment-backup-installation"
 	SegmentRBACName          = "rhtas-segment-backup-job"
 	MetricsCondition         = "MetricsAvailable"
-	AnalyiticsCronSchedule   = " 0 0 * * *"
 )

internal/controller/securesign/actions/segment_backup_cronjob.go

@@ -3,21 +3,11 @@ package actions
 import (
 	"context"
 	"fmt"
-	"maps"
-	"slices"
-	"strconv"
 
-	"github.com/robfig/cron/v3"
 	"github.com/securesign/operator/internal/action"
-	"github.com/securesign/operator/internal/annotations"
 	"github.com/securesign/operator/internal/constants"
-	"github.com/securesign/operator/internal/images"
-	"github.com/securesign/operator/internal/labels"
-	"github.com/securesign/operator/internal/utils/kubernetes"
-	"github.com/securesign/operator/internal/utils/kubernetes/ensure"
-	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
-
 	batchv1 "k8s.io/api/batch/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
@@ -36,96 +26,36 @@ func (i segmentBackupCronJob) Name() string {
 	return "segment-backup-nightly-metrics"
 }
 func (i segmentBackupCronJob) CanHandle(_ context.Context, instance *rhtasv1alpha1.Securesign) bool {
-	c := meta.FindStatusCondition(instance.Status.Conditions, MetricsCondition)
-	if c == nil || c.Reason == constants.Ready {
-		return false
-	}
-	val, found := instance.Annotations[annotations.Metrics]
-	if !found {
-		return true
-	}
-	if boolVal, err := strconv.ParseBool(val); err == nil {
-		return boolVal
-	}
 	return true
 }
 
 func (i segmentBackupCronJob) Handle(ctx context.Context, instance *rhtasv1alpha1.Securesign) *action.Result {
-	var (
-		err    error
-		result controllerutil.OperationResult
-	)
-
-	if _, err := cron.ParseStandard(AnalyiticsCronSchedule); err != nil {
-		return i.Error(ctx, fmt.Errorf("could not create segment backuup cron job due to errors with parsing the cron schedule: %w", err), instance)
-	}
-
-	labels := labels.For(SegmentBackupCronJobName, SegmentBackupCronJobName, instance.Name)
-
 	segmentBackupCronJob := &batchv1.CronJob{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      SegmentBackupCronJobName,
 			Namespace: instance.Namespace,
-			Labels:    labels,
 		},
 	}
 
-	if result, err = kubernetes.CreateOrUpdate(ctx, i.Client,
-		segmentBackupCronJob,
-		i.ensureSegmentBackupCronJob(),
-		ensure.ControllerReference[*batchv1.CronJob](instance, i.Client),
-		ensure.Labels[*batchv1.CronJob](slices.Collect(maps.Keys(labels)), labels),
-		func(object *batchv1.CronJob) error {
-			ensure.SetProxyEnvs(object.Spec.JobTemplate.Spec.Template.Spec.Containers)
-			return nil
-		},
-	); err != nil {
-		return i.Error(ctx, fmt.Errorf("could not create segment backup cron job: %w", err), instance,
-			metav1.Condition{
+	err := i.Client.Delete(ctx, segmentBackupCronJob)
+	if err != nil {
+		if errors.IsNotFound(err) {
+			return i.Continue()
+		} else {
+			return i.Error(ctx, fmt.Errorf("could not delete segment backup cron job: %w", err), instance, metav1.Condition{
 				Type:    MetricsCondition,
 				Status:  metav1.ConditionFalse,
 				Reason:  constants.Failure,
 				Message: err.Error(),
 			})
-	}
-
-	if result != controllerutil.OperationResultNone {
-		meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
-			Type:    MetricsCondition,
-			Status:  metav1.ConditionTrue,
-			Reason:  constants.Ready,
-			Message: "Segment backup Cron Job created",
-		})
-		return i.StatusUpdate(ctx, instance)
-	}
-
-	return i.Continue()
-}
-
-func (i segmentBackupCronJob) ensureSegmentBackupCronJob() func(job *batchv1.CronJob) error {
-	return func(job *batchv1.CronJob) error {
-		{
-			spec := &job.Spec
-			spec.Schedule = AnalyiticsCronSchedule
-
-			templateSpec := &spec.JobTemplate.Spec.Template.Spec
-			templateSpec.ServiceAccountName = SegmentRBACName
-			templateSpec.RestartPolicy = "OnFailure"
-
-			container := kubernetes.FindContainerByNameOrCreate(templateSpec, SegmentBackupCronJobName)
-			container.Image = images.Registry.Get(images.SegmentBackup)
-			container.Command = []string{"python3", "/opt/app-root/src/src/script.py"}
-
-			runTypeEnv := kubernetes.FindEnvByNameOrCreate(container, "RUN_TYPE")
-			runTypeEnv.Value = "nightly"
-
-			caBundleEnv := kubernetes.FindEnvByNameOrCreate(container, "REQUESTS_CA_BUNDLE")
-			caBundleEnv.Value = "/etc/pki/tls/certs/ca-bundle.crt" // Certificate used to verify requests externally i.e communication with segment
-
-			internalCaBundleEnv := kubernetes.FindEnvByNameOrCreate(container, "REQUESTS_CA_BUNDLE_INTERNAL")
-			internalCaBundleEnv.Value = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" // Certificate used to verify requests internally i.e queries to thanos
-
 		}
-		return nil
 	}
+
+	meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
+		Type:    MetricsCondition,
+		Status:  metav1.ConditionTrue,
+		Reason:  "Removed",
+		Message: "Segment backup Cron Job removed",
+	})
+	return i.StatusUpdate(ctx, instance)
 }