[Technical Initiative Funding Request]: RSTUF Cloud/k8s deployment costs for tests, demo and validations #315

Open
1 task done
kairoaraujo opened this issue Apr 12, 2024 · 32 comments
Labels: administration, gitvote, TI Funding Request (Quarterly TI requests for funding. Needs 5 approvals, 7d review.)

@kairoaraujo
Contributor

Problem Statement

RSTUF deployment on Cloud/K8s for demos and tests

Who does this affect?

Financial expense of RSTUF author/maintainer

Have there been previous attempts to resolve the problem?

No

Why should it be tackled now and by this TI?

RSTUF is part of the OpenSSF sandbox

Give an idea of what is required to make the funding initiative happen

Currently, RSTUF Author/Maintainer Kairo de Araujo (@kairoaraujo) spends over 1000€ a year supporting a live deployment of RSTUF that serves for tests, demos, and verification of no breaking release updates.
The deployment now lives in https://api.rstuf.kairo.dev
Kairo de Araujo is looking for funding to support it and move to https://rstuf.org (domain also maintained by @kairoaraujo)

What is going to be needed to deliver this funding initiative?

An account or credits to use to deploy the RSTUF in a cloud service on Kubernetes

Are there tools or tech that still need to be produced to facilitate the funding initiative?

No

Give a summary of the requirements that contextualize the costs of the funding initiative

The entire cost here is to deploy one or two Kubernetes clusters for RSTUF.

Who is responsible for doing the work of this funding initiative?

Kairo de Araujo (@kairoaraujo)

Who is accountable for doing the work of this funding initiative?

Kairo de Araujo (@kairoaraujo)

If the responsible or accountable parties are no longer available, what is the backup contact or plan?

Martin Vrachev (@MVrachev)

Which technical initiative will this funding initiative be associated with, and will it report to which WG or project?

Securing Software Repositories WG

What license is this funding initiative being used under?

MIT

Code of Conduct

  • I agree to follow the OpenSSF's Code of Conduct

List the major milestones by date and identify the overall timeline within which the technical initiative plans to accomplish their goals. Any payments for services, sponsorships, etc., will require LF Legal and Financial review.

Kairo hopes to have this approved and deploy the cluster as soon as possible, as he pays the costs monthly.

If this is a request for funding to issue a contract, then OpenSSF will issue that contract. Please provide a Statement of Work (SOW) that we may review. Any contracting action will take 4-6 weeks to issue.

N/A

@kairoaraujo added the administration, For Review, and TI Funding Request labels Apr 12, 2024
@mlieberman85
Contributor

I am in favor of this proposal, but be aware that at least for this year there's no interest to run public services so can you also include information on who would have access both from an Admin perspective and who the intended users on those tests might be?

@kairoaraujo
Contributor Author

@mlieberman85, RSTUF maintainers are the users.
It is not intended to run a public service. If you see the current API (https://api.rstuf.kairo.dev), it requires API Key authentication.

The intended users are the RSTUF Maintainers, who will run different tests, such as updating the version to verify the consistency of the TUF metadata and releases and running processes such as key rotation, key revocation, etc.

@mlieberman85
Contributor

Thanks, that clarifies!

@steiza
Member

steiza commented Apr 30, 2024

I am also in favor of this proposal! There are some promising early results on using RSTUF to secure RubyGems and Warehouse (Python) package indexes.

@simi

simi commented Apr 30, 2024

I do support this. Current RSTUF infra is really useful for adopters (like RubyGems.org). I'm happy to help as well if needed.

@steiza
Member

steiza commented Apr 30, 2024

We discussed this on the TAC call, but it's a good idea to document here as well. Note that this is not a request to fund a long-running service (like the Sigstore Public Good Instance). Rather, this is to fund the RSTUF development instance, while the codebase is developed. The RSTUF instances that will run after development is complete will be the operational responsibility of the package managers (like RubyGems or Warehouse), not the OpenSSF.

@sevansdell
Contributor

In support.

@bobcallaway
Contributor

SGTM

@SecurityCRob
Contributor

I do not see a specific amount being requested nor a time-boundary for the duration of the funding. I see "The entire cost here is to deploy one or two Kubernetes clusters for RSTUF.", but nothing defining what the actual request is.

@sevansdell
Contributor

> I do not see a specific amount being requested nor a time-boundary for the duration of the funding. I see "The entire cost here is to deploy one or two Kubernetes clusters for RSTUF.", but nothing defining what the actual request is.

Good call. Is there an estimate, or a cap "up to" desired?

@kairoaraujo
Contributor Author

Hi @SecurityCRob and @sevansdell.
To make it more specific, I'm requesting 1000 EUR of cloud credit.
It is enough to run the project for one year.

@SecurityCRob
Contributor

Perfect, tyvm. The TAC will discuss this in our next call (11 June)

@sevansdell
Contributor

I am supportive. I will miss the June 11 TAC meeting and am trying to be proactive. :)

@SecurityCRob
Contributor

+1 for me

@bobcallaway
Contributor

LGTM as well

@lehors
Contributor

lehors commented Jun 13, 2024

+1

@lehors
Contributor

lehors commented Jun 14, 2024

Per the 11 June 2024 TAC call, this has been approved:
"recording 7 yes votes and 0 no votes and sarah said yes offline** - passes"
https://docs.google.com/document/d/1-zrtagRnPd75TDT1zRxrtxE9SpMIBJdPmaolaw4woQA/edit

@lehors removed the For Review label Jun 14, 2024
@lehors
Contributor

lehors commented Jun 14, 2024

This is reflected on the dashboard: https://github.com/orgs/ossf/projects/25

@lehors closed this as completed Jun 14, 2024
@lehors reopened this Jun 14, 2024
@hythloda
Member

Thanks for the TAC recommendation.

As documented in the TI Funding Process
For this level of funding the next step is the OpenSSF General Manager, @omkhar, or his delegate will review this proposal.

@omkhar
Contributor

omkhar commented Jul 22, 2024

Mea culpa. I approve. @hythloda please move this forward for execution through the proposed funding process.

@hythloda
Member

> Mea culpa. I approve. @hythloda please move this forward for execution through the proposed funding process.

Thanks @omkhar. The next step is to ensure that the execution can be done. Considering this is cloud credits the hope is that what @bbpursell1 establishes with GUAC cloud credits can be duplicated for these.
@bbpursell1 do we have an execution plan to have the cloud credits a hard cap we can apply to this?

@bbpursell1

Yes, we have a proposed process agreed with Kusari and the GUAC team on this. Simply, Kusari volunteered to cover overages by running the cloud account themselves, and submitting requests for reimbursement for the costs up to the $1k/month limit.

There is an SOW for this in process with finance.

The proposed process is located here: https://docs.google.com/document/d/1N6lNqY7wBs33Afy-D8qMWU5VM5GUetWzgOed-oEG5oU/edit (once we get this through implementation, we will finalize this process document).

@hythloda
Member

> Yes, we have a proposed process agreed with Kusari and the GUAC team on this. Simply, Kusari volunteered to cover overages by running the cloud account themselves, and submitting requests for reimbursement for the costs up to the $1k/month limit.
>
> There is an SOW for this in process with finance.
>
> The proposed process is located here: https://docs.google.com/document/d/1N6lNqY7wBs33Afy-D8qMWU5VM5GUetWzgOed-oEG5oU/edit (once we get this through implementation, we will finalize this process document).

Wonderful! I have requested access to the process doc. Let me know if you need any PMO support!

@riaankleinhans
Contributor

/vote


git-vote bot commented Sep 23, 2024

Vote created

@riaankleinhans has called for a vote on [Technical Initiative Funding Request]: RSTUF Cloud/k8s deployment costs for tests, demo and validations (#315).

The members of the following teams have binding votes:

Team
@ossf/tac

Non-binding votes are also appreciated as a sign of support!

How to vote

You can cast your vote by reacting to this comment. The following reactions are supported:

| In favor | Against | Abstain |
| --- | --- | --- |
| 👍 | 👎 | 👀 |

Please note that voting for multiple options is not allowed and those votes won't be counted.

The vote will be open for 1month 11days 13h 26m 24s. It will pass if at least 70% of the users with binding votes vote In favor 👍. Once it's closed, results will be published here as a new comment.

@riaankleinhans
Contributor

Gitvote was added as a tool to test for streamlining the TI Funding process.
The members of the GH group "TAC" can vote by commenting with a +1, -1 or eye on the Gitvote block in this issue.
Until the TAC is satisfied with the process the GitVote outcome would not be binding.

Community members can show their support by also voting, however only the "TAC" GH Group's votes will count.

The current passing threshold is 70% and the committee is the TAG GH group.
The vote stays open for 6 weeks and an announcement is sent on the GH/TAC/Discussion

All these parameters can be fine-tuned or changed here
Please reach out if you have any questions.

@marcelamelara
Contributor

This was already approved in a previous cycle. Should we close this issue?

@kairoaraujo
Contributor Author

I would like to know how I can work with the funding.
I'm planning some tests/benchmarks with RSTUF for deployment before adding it to the RubyGems/PyPI backend.

@riaankleinhans self-assigned this Sep 25, 2024

git-vote bot commented Sep 30, 2024

Vote status

So far 0.00% of the users with binding vote are in favor (passing threshold: 70%).

Summary

| In favor | Against | Abstain | Not voted |
| --- | --- | --- | --- |
| 0 | 0 | 0 | 9 |

Binding votes (0)

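| User | Vote | Timestamp |
| --- | --- | --- |
| @steiza | Pending | |
| @torgo | Pending | |
| @mlieberman85 | Pending | |
| @bobcallaway | Pending | |
| @lehors | Pending | |
| @SecurityCRob | Pending | |
| @marcelamelara | Pending | |
| @camaleon2016 | Pending | |
| @sevansdell | Pending | |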


git-vote bot commented Oct 7, 2024

Vote status

So far 0.00% of the users with binding vote are in favor (passing threshold: 70%).

Summary

| In favor | Against | Abstain | Not voted |
| --- | --- | --- | --- |
| 0 | 0 | 0 | 9 |

Binding votes (0)

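| User | Vote | Timestamp |
| --- | --- | --- |
| @steiza | Pending | |
| @torgo | Pending | |
| @mlieberman85 | Pending | |
| @bobcallaway | Pending | |
| @lehors | Pending | |
| @SecurityCRob | Pending | |
| @marcelamelara | Pending | |
| @camaleon2016 | Pending | |
| @sevansdell | Pending | |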

Non-binding votes (1)

| User | Vote | Timestamp |
| --- | --- | --- |
| simi | In favor | 2024-09-30 17:21:38.0 +00:00:00 |

@lehors
Contributor

lehors commented Oct 7, 2024

/cancel-vote


git-vote bot commented Oct 7, 2024

Vote cancelled

@lehors has cancelled the vote in progress in this issue.

git-vote bot removed the vote open label Oct 7, 2024
Projects
Status: Funding in Execution