feat: support secret key ref

Signed-off-by: hectorj2f <[email protected]>
sigstore · Nov 11, 2021 · 0ec0335 · 0ec0335
1 parent a8bbda6
commit 0ec0335
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 6 deletions.
diff --git a/charts/cosigned/README.md b/charts/cosigned/README.md
@@ -18,9 +18,7 @@ The previous command generates two key files `cosign.key` and `cosign.pub`. Next
 kubectl create namespace cosign-system
 
 kubectl create secret generic mysecret -n \
-cosign-system --from-file=cosign.pub=./cosign.pub \
---from-file=cosign.key=./cosign.key \
---from-literal=cosign.password=$COSIGN_PASSWORD
+cosign-system --from-file=cosign.pub=./cosign.pub
 ```
 
 Install `cosigned` using Helm and setting the value of the secret key reference to `mysecret` that you created above:
@@ -30,7 +28,7 @@ helm repo add sigstore https://sigstore.github.io/helm-charts
 
 helm repo update
 
-helm install cosigned -n cosign-system sigstore/cosigned --devel --set webhook.secretKeyRef.name=mysecret
+helm install cosigned -n cosign-system sigstore/cosigned --devel --set cosign.secretKeyRef.name=mysecret
 ```
 
 ### Enabling Admission control

diff --git a/charts/cosigned/templates/webhook/cosign_secret.yaml b/charts/cosigned/templates/webhook/cosign_secret.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.cosign.cosignPub }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -7,6 +8,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
 type: Opaque
 data:
-  cosign.key: {{ .Values.cosign.cosignKey}}
-  cosign.password: {{ .Values.cosign.cosignPassword}}
+  cosign.key: {{ default "" .Values.cosign.cosignKey}}
+  cosign.password: {{ default "" .Values.cosign.cosignPassword}}
   cosign.pub: {{ .Values.cosign.cosignPub}}
+{{- end -}}
diff --git a/charts/cosigned/templates/webhook/deployment_webhook.yaml b/charts/cosigned/templates/webhook/deployment_webhook.yaml
@@ -48,7 +48,13 @@ spec:
 {{- end }}
 {{- end }}
         args:
+        {{- if and .Values.cosign.secretKeyRef }}
+        {{- if .Values.cosign.secretKeyRef.name }}
+        - -secret-name="{{ .Values.cosign.secretKeyRef.name }}"
+        {{- end }}
+        {{- else }}
         - -secret-name={{ template "cosigned.fullname" . }}-cosign-key
+        {{- end }}
         {{- range $key, $value := .Values.webhook.extraArgs }}
         - -{{ $key }}={{ $value }}
         {{- end }}

diff --git a/charts/cosigned/values.yaml b/charts/cosigned/values.yaml
@@ -1,9 +1,12 @@
 cosign:
+  secretKeyRef:
+    name:
   # add the values in base64 encoded
   cosignKey:
   cosignPub:
   cosignPassword:
 
+
 webhook:
   name: webhook
   image: