Tsa secret optional for tuf (#744)
* Make the TSA secret reference optional for the TUF chart

Signed-off-by: Carlos Vega <[email protected]>

* Bump TUF chart version to 0.1.13

Signed-off-by: Carlos Vega <[email protected]>

* Renamed Values.secrets.tsa.existingSecret to Values.secrets.tsa.enabled

Signed-off-by: Carlos Vega <[email protected]>

* Regenerated docs

Signed-off-by: Carlos Vega <[email protected]>

* Added enabled value for secrets defined in tuf

Signed-off-by: Carlos Vega <[email protected]>

* Avoid creating TUF objects if there are no secrets

Signed-off-by: Carlos Vega <[email protected]>

* Added validation to ensure at least one secret is provided to TUF

Signed-off-by: Carlos Vega <[email protected]>

* Enabled secret as default for TUF

Signed-off-by: Carlos Vega <[email protected]>

* Bump version to 0.1.19

Signed-off-by: Carlos Vega <[email protected]>

* Helm Docs for TUF

Signed-off-by: Carlos Vega <[email protected]>

* Added new lines

Signed-off-by: Carlos Vega <[email protected]>

* Helm Docs for TUF

Signed-off-by: Carlos Vega <[email protected]>

* Restored NodeSelector, Tolerations and Affinity

Signed-off-by: Carlos Vega <[email protected]>

---------

Signed-off-by: Carlos Vega <[email protected]>
Signed-off-by: Carlos Vega <[email protected]>
cvegagimenez authored Oct 14, 2024
1 parent 87f12e0 commit 95cbdec
Showing 6 changed files with 125 additions and 28 deletions.
2 changes: 1 addition & 1 deletion charts/tuf/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
name: tuf
description: A framework for securing software update systems - the scaffolding implementation
type: application
version: 0.1.18
version: 0.1.19
appVersion: 0.7.11

home: https://sigstore.dev/
6 changes: 5 additions & 1 deletion charts/tuf/README.md
@@ -1,6 +1,6 @@
# tuf

![Version: 0.1.18](https://img.shields.io/badge/Version-0.1.18-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.11](https://img.shields.io/badge/AppVersion-0.7.11-informational?style=flat-square)
![Version: 0.1.19](https://img.shields.io/badge/Version-0.1.19-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.11](https://img.shields.io/badge/AppVersion-0.7.11-informational?style=flat-square)

A framework for securing software update systems - the scaffolding implementation

@@ -45,18 +45,22 @@ A framework for securing software update systems - the scaffolding implementatio
| roleBindingName | string | `"tuf"` | |
| roleName | string | `"tuf"` | |
| secrets.ctlog.create | bool | `false` | |
| secrets.ctlog.enabled | bool | `true` | |
| secrets.ctlog.key | string | `"public"` | |
| secrets.ctlog.name | string | `"ctlog-public-key"` | |
| secrets.ctlog.path | string | `"ctfe.pub"` | |
| secrets.fulcio.create | bool | `false` | |
| secrets.fulcio.enabled | bool | `true` | |
| secrets.fulcio.key | string | `"cert"` | |
| secrets.fulcio.name | string | `"fulcio-server-secret"` | |
| secrets.fulcio.path | string | `"fulcio_v1.crt.pem"` | |
| secrets.rekor.create | bool | `false` | |
| secrets.rekor.enabled | bool | `true` | |
| secrets.rekor.key | string | `"key"` | |
| secrets.rekor.name | string | `"rekor-public-key"` | |
| secrets.rekor.path | string | `"rekor.pub"` | |
| secrets.tsa.create | bool | `false` | |
| secrets.tsa.enabled | bool | `true` | |
| secrets.tsa.key | string | `"cert-chain"` | |
| secrets.tsa.name | string | `"tsa-cert-chain"` | |
| secrets.tsa.path | string | `"tsa.certchain.pem"` | |
50 changes: 49 additions & 1 deletion charts/tuf/templates/_helpers.tpl
@@ -84,4 +84,52 @@ app.kubernetes.io/instance: {{ .Release.Name }}
{{- define "tuf.metaLabels" -}}
helm.sh/chart: {{ include "tuf.chart" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{- end -}}

{{/*
Check number of TUF secrets and render them as structured YAML.
*/}}
{{- define "tuf.validateSecrets" }}
{{- if not (or .Values.secrets.rekor.enabled .Values.secrets.rekor.create
.Values.secrets.fulcio.enabled .Values.secrets.fulcio.create
.Values.secrets.ctlog.enabled .Values.secrets.ctlog.create
.Values.secrets.tsa.enabled .Values.secrets.tsa.create) -}}
{{- fail "At least one secret must be provided (enabled or created)." -}}
{{- else }}
{{- include "tuf.secretsList" . | nindent 8 }}
{{- end }}
{{- end }}

{{/*
Render TUF Secrets as structured YAML for the volume sources.
*/}}
{{- define "tuf.secretsList" -}}
{{- if or (.Values.secrets.ctlog.enabled) (.Values.secrets.ctlog.create) }}
- secret:
name: {{ .Values.secrets.ctlog.name }}
items:
- key: {{ .Values.secrets.ctlog.key }}
path: {{ .Values.secrets.ctlog.path }}
{{- end }}
{{- if or (.Values.secrets.fulcio.enabled) (.Values.secrets.fulcio.create) }}
- secret:
name: {{ .Values.secrets.fulcio.name }}
items:
- key: {{ .Values.secrets.fulcio.key }}
path: {{ .Values.secrets.fulcio.path }}
{{- end }}
{{- if or (.Values.secrets.rekor.enabled) (.Values.secrets.rekor.create) }}
- secret:
name: {{ .Values.secrets.rekor.name }}
items:
- key: {{ .Values.secrets.rekor.key }}
path: {{ .Values.secrets.rekor.path }}
{{- end }}
{{- if or (.Values.secrets.tsa.enabled) (.Values.secrets.tsa.create) }}
- secret:
name: {{ .Values.secrets.tsa.name }}
items:
- key: {{ .Values.secrets.tsa.key }}
path: {{ .Values.secrets.tsa.path }}
{{- end }}
{{- end }}
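Review bot: `tuf.validateSecrets` hardcodes the caller's indentation in `{{- include "tuf.secretsList" . | nindent 8 }}`, so the helper only renders valid YAML when it is included at exactly the depth of `sources:` in deployment.yaml; moving the `nindent` to the call site (`{{- include "tuf.validateSecrets" . | nindent 8 }}`) keeps the helper reusable and makes the indentation visible where it matters. The comment block above `tuf.secretsList` should also state that an entry is mounted when either `enabled` or `create` is true, so `enabled: false` does not remove a secret that the chart itself creates; that is the behaviour the `or (...)` conditions implement and it is not obvious from the value names.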
23 changes: 2 additions & 21 deletions charts/tuf/templates/deployment.yaml
@@ -47,27 +47,8 @@ spec:
volumes:
- name: tuf-secrets
projected:
sources:
- secret:
name: {{ .Values.secrets.ctlog.name }}
items:
- key: {{ .Values.secrets.ctlog.key }}
path: {{ .Values.secrets.ctlog.path }}
- secret:
name: {{ .Values.secrets.fulcio.name }}
items:
- key: {{ .Values.secrets.fulcio.key }}
path: {{ .Values.secrets.fulcio.path }}
- secret:
name: {{ .Values.secrets.rekor.name }}
items:
- key: {{ .Values.secrets.rekor.key }}
path: {{ .Values.secrets.rekor.path }}
- secret:
name: {{ .Values.secrets.tsa.name }}
items:
- key: {{ .Values.secrets.tsa.key }}
path: {{ .Values.secrets.tsa.path }}
sources:
{{- include "tuf.validateSecrets" . }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 8 }}
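Review bot: with the whole `sources:` list now produced by the helper, a configuration with every secret disabled would render `sources:` with no entries (an invalid projected volume); the `fail` in `tuf.validateSecrets` turns that into a render-time error, which is the right place to catch it. Note that none of the projected secret sources set `optional`, so a referenced secret that does not exist still blocks pod start instead of silently mounting an incomplete trust root; that fail-closed behaviour is worth keeping and worth a sentence in the chart README now that individual secrets can be switched off.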
68 changes: 64 additions & 4 deletions charts/tuf/values.schema.json
@@ -109,7 +109,22 @@
"ctlog": {
"properties": {
"create": {
"type": "boolean"
"type": "boolean",
"examples": [
false
]
},
"enabled": {
"type": "boolean",
"examples": [
false
]
},
"name": {
"type": "string",
"examples": [
"rekor-public-key"
]
},
"key": {
"type": "string"
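Review bot: the `examples` entry for `ctlog.name` is `"rekor-public-key"`, but the ctlog default in values.yaml and the README table is `ctlog-public-key`; the ctlog and rekor name examples appear to be swapped. The `enabled` example of `false` also contradicts the `enabled: true` default in values.yaml; either match the example to the default or add `"default": true` so the schema and values file agree.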
@@ -126,7 +141,22 @@
"fulcio": {
"properties": {
"create": {
"type": "boolean"
"type": "boolean",
"examples": [
false
]
},
"enabled": {
"type": "boolean",
"examples": [
false
]
},
"name": {
"type": "string",
"examples": [
"fulcio-server-secret"
]
},
"key": {
"type": "string"
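Review bot: `fulcio.enabled` is given an example of `false` while values.yaml sets it to `true`; since this example is the only documentation of the flag in the schema, align it with the default or add `"default": true`. The `name` example `"fulcio-server-secret"` does match the default.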
@@ -143,7 +173,22 @@
"rekor": {
"properties": {
"create": {
"type": "boolean"
"type": "boolean",
"examples": [
false
]
},
"enabled": {
"type": "boolean",
"examples": [
false
]
},
"name": {
"type": "string",
"examples": [
"ctlog-public-key"
]
},
"key": {
"type": "string"
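Review bot: the `examples` entry for `rekor.name` is `"ctlog-public-key"`, the ctlog default, while values.yaml and the README give `rekor-public-key` for rekor; this is the other half of the swap with the ctlog block above and should be corrected together with it. The `enabled` example of `false` again differs from the `true` default.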
@@ -160,7 +205,22 @@
"tsa": {
"properties": {
"create": {
"type": "boolean"
"type": "boolean",
"examples": [
false
]
},
"enabled": {
"type": "boolean",
"examples": [
false
]
},
"name": {
"type": "string",
"examples": [
"tsa-cert-chain"
]
},
"key": {
"type": "string"
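Review bot: as in the other three blocks, `tsa.enabled` shows an example of `false` against a default of `true`. Since this flag is the subject of the PR, a `description` on `tsa.enabled` stating that setting it to `false` removes the TSA certificate chain from the projected `tuf-secrets` volume would document the new behaviour where users validating their values will look for it.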
4 changes: 4 additions & 0 deletions charts/tuf/values.yaml
@@ -22,21 +22,25 @@ deployment:
secrets:
rekor:
create: false
enabled: true
name: rekor-public-key
key: key
path: rekor.pub
fulcio:
create: false
enabled: true
name: fulcio-server-secret
key: cert
path: fulcio_v1.crt.pem
ctlog:
create: false
enabled: true
name: ctlog-public-key
key: public
path: ctfe.pub
tsa:
create: false
enabled: true
name: tsa-cert-chain
key: cert-chain
path: tsa.certchain.pem
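Review bot: the four new `enabled: true` keys carry no `# --` helm-docs comment, which is why the regenerated README leaves their description column empty; a one-line comment on each `enabled` key explaining how it differs from `create` would make the table self-explanatory. Defaulting to `true` preserves the previous behaviour of mounting all four secrets, so existing releases upgrade without a values change, which is the right default for trust-root material.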

0 comments on commit 95cbdec