Changes to ctlog to update to latest and incorporation of common chart
Signed-off-by: Andrew Block <[email protected]>
sabre1041 committed Jul 24, 2023
1 parent b80e299 commit 2a6147a
Showing 18 changed files with 863 additions and 696 deletions.
13 changes: 9 additions & 4 deletions charts/ctlog/Chart.yaml
@@ -4,7 +4,7 @@ description: Certificate Log

type: application

version: 0.2.44
version: 0.3.0
appVersion: 0.3.0

keywords:
@@ -16,14 +16,19 @@ home: https://sigstore.dev/
maintainers:
- name: The Sigstore Authors

dependencies:
- name: common
version: 0.1.0
repository: https://sigstore.github.io/helm-charts

annotations:
artifacthub.io/license: Apache-2.0
artifacthub.io/images: |
- name: ct_server
image: ghcr.io/sigstore/scaffolding/ct_server@sha256:91d23363c34ca0a8ec1fb89129815fb32f851eb8986bfbf7b2aed85c98411f04
image: ghcr.io/sigstore/scaffolding/ct_server@sha256:sha256:2ea576af6b64e154b718b058cd03b74fac8399affcf93c4251ab2234704ca432
- name: createctconfig
image: ghcr.io/sigstore/scaffolding/createctconfig@sha256:b3dae896ddb7b01b3257c668bc1e87f15aafe97f30a767f99426f557fa33e44c
- name: createtree
image: ghcr.io/sigstore/scaffolding/createtree@sha256:0c6a1a49f906da6e59e7cfbba08a473778fc0296abdf8b86115861d5f3556ed4
image: ghcr.io/sigstore/scaffolding/createtree@sha256:2da5284bb29e18d125e4565d47256d0ded82c3a7001b44a4d152e2475ca1166c
- name: curlimages/curl
image: docker.io/curlimages/curl@sha256:dca6e1b1c8e7b8b8e7be4e79fc78a858d12fd56245cb31bfa281dbf7c73a6498
image: docker.io/curlimages/curl@sha256:48318407b8d98e8c7d5bd4741c88e8e1a5442de660b47f63ba656e5c910bc3da
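Review bot: The ct_server entry under `artifacthub.io/images` carries a doubled algorithm prefix, `@sha256:sha256:2ea576af…`, which is not a valid digest reference, so any tool that resolves or scans images from this annotation will fail on it. Assuming the second line of each printed pair is the new side, it should read `image: ghcr.io/sigstore/scaffolding/ct_server@sha256:2ea576af6b64e154b718b058cd03b74fac8399affcf93c4251ab2234704ca432`. The annotation digests also disagree with the defaults in this commit's README table: createctconfig stays at `b3dae896…` here while the README moves to `2d8072d8…`, and the curl digest changes here while the README keeps `dca6e1b1…`. The annotation therefore appears to describe different images than the chart deploys, and it would be worth regenerating it from values.yaml so image scanning covers what actually runs.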
22 changes: 9 additions & 13 deletions charts/ctlog/README.md
@@ -23,11 +23,11 @@ Certificate Log
| createctconfig.image.pullPolicy | string | `"IfNotPresent"` | |
| createctconfig.image.registry | string | `"ghcr.io"` | |
| createctconfig.image.repository | string | `"sigstore/scaffolding/createctconfig"` | |
| createctconfig.image.version | string | `"sha256:b3dae896ddb7b01b3257c668bc1e87f15aafe97f30a767f99426f557fa33e44c"` | v0.6.3 |
| createctconfig.image.version | string | `"sha256:2d8072d832370a8dbbe96536eaf479a5bf3a738c997394c888fed8ddcbe84a1b"` | v0.6.5 |
| createctconfig.initContainerImage.curl.imagePullPolicy | string | `"IfNotPresent"` | |
| createctconfig.initContainerImage.curl.registry | string | `"docker.io"` | |
| createctconfig.initContainerImage.curl.repository | string | `"curlimages/curl"` | |
| createctconfig.initContainerImage.curl.version | string | `"sha256:dca6e1b1c8e7b8b8e7be4e79fc78a858d12fd56245cb31bfa281dbf7c73a6498"` | 7.82.0 |
| createctconfig.initContainerImage.curl.version | string | `"sha256:dca6e1b1c8e7b8b8e7be4e79fc78a858d12fd56245cb31bfa281dbf7c73a6498"` | 7.88.1 |
| createctconfig.logPrefix | string | `"sigstorescaffolding"` | |
| createctconfig.name | string | `"createctconfig"` | |
| createctconfig.privateKeyPasswordSecretName | string | `""` | |
@@ -47,7 +47,7 @@ Certificate Log
| createtree.image.pullPolicy | string | `"IfNotPresent"` | |
| createtree.image.registry | string | `"ghcr.io"` | |
| createtree.image.repository | string | `"sigstore/scaffolding/createtree"` | |
| createtree.image.version | string | `"sha256:d5776d8a43632291e1c5a22a9266608db0daa0a11663445d701e327f2205974c"` | |
| createtree.image.version | string | `"sha256:47206322c1d6002ffc737d94852924fae0f749aa3a64c1899eee11f502f609a6"` | |
| createtree.name | string | `"createtree"` | |
| createtree.securityContext.runAsNonRoot | bool | `true` | |
| createtree.securityContext.runAsUser | int | `65533` | |
@@ -65,7 +65,7 @@ Certificate Log
| server.image.pullPolicy | string | `"IfNotPresent"` | |
| server.image.registry | string | `"ghcr.io"` | |
| server.image.repository | string | `"sigstore/scaffolding/ct_server"` | |
| server.image.version | string | `"sha256:7c791d3b7c15e817807f07d4cdb00406529a114702ad448ee857e1d0fc5fb5a9"` | |
| server.image.version | string | `"sha256:1ef2480cf8ddb1f99da0d931283f3c55babb84d79bf36f66d7bed29985bcca7e"` | |
| server.ingress.annotations | object | `{}` | |
| server.ingress.className | string | `"nginx"` | |
| server.ingress.enabled | bool | `false` | |
@@ -77,9 +77,10 @@ Certificate Log
| server.ingresses[0].frontendConfigSpec.redirectToHttps.enabled | bool | `true` | |
| server.ingresses[0].frontendConfigSpec.sslPolicy | string | `"ctlog-ssl-policy"` | |
| server.ingresses[0].hosts[0].host | string | `"fulcio.localhost"` | |
| server.ingresses[0].hosts[0].path | string | `"/test"` | |
| server.ingresses[0].hosts[1].host | string | `"fulcio.localhost"` | |
| server.ingresses[0].hosts[1].path | string | `"/other-shard"` | |
| server.ingresses[0].hosts[0].paths[0].path | string | `"/test"` | |
| server.ingresses[0].hosts[0].paths[0].pathType | string | `"Prefix"` | |
| server.ingresses[0].hosts[0].paths[1].path | string | `"/other-shard"` | |
| server.ingresses[0].hosts[0].paths[1].serviceName | string | `"other-shard"` | |
| server.ingresses[0].name | string | `"gce-ingress"` | |
| server.ingresses[0].staticGlobalIP | string | `"lb-ext-ip"` | |
| server.ingresses[0].tls | list | `[]` | |
@@ -97,12 +98,6 @@ Certificate Log
| server.replicaCount | int | `1` | |
| server.securityContext.runAsNonRoot | bool | `true` | |
| server.securityContext.runAsUser | int | `65533` | |
| server.service.backendConfig.name | string | `"ctlog-backend-config"` | |
| server.service.backendConfig.spec.healthCheck.port | int | `6962` | |
| server.service.backendConfig.spec.healthCheck.requestPath | string | `"/healthz"` | |
| server.service.backendConfig.spec.healthCheck.type | string | `"HTTP"` | |
| server.service.backendConfig.spec.logging.enable | bool | `true` | |
| server.service.backendConfig.spec.securityPolicy.name | string | `"ctlog-security-policy"` | |
| server.service.ports[0].name | string | `"6962-tcp"` | |
| server.service.ports[0].port | int | `80` | |
| server.service.ports[0].protocol | string | `"TCP"` | |
@@ -120,3 +115,4 @@ Certificate Log
| trillian.logServer.portRPC | int | `8091` | |
| trillian.namespace | string | `"trillian-system"` | |

----------------------------------------------
98 changes: 17 additions & 81 deletions charts/ctlog/templates/_helpers.tpl
@@ -1,46 +1,3 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "ctlog.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}

{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "ctlog.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}

{{/*
Define the raw ctlog.namespace template if set with forceNamespace or .Release.Namespace is set
*/}}
{{- define "ctlog.rawnamespace" -}}
{{- if .Values.forceNamespace -}}
{{ print .Values.forceNamespace }}
{{- else -}}
{{ print .Release.Namespace }}
{{- end -}}
{{- end -}}

{{/*
Define the ctlog.namespace template if set with forceNamespace or .Release.Namespace is set
*/}}
{{- define "ctlog.namespace" -}}
{{ printf "namespace: %s" (include "ctlog.rawnamespace" .) }}
{{- end -}}

{{/*
Create a fully qualified createctconfig name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
@@ -75,32 +32,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
{{- end -}}
{{- end -}}

{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "ctlog.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}

{{/*
Common labels
*/}}
{{- define "ctlog.labels" -}}
helm.sh/chart: {{ include "ctlog.chart" . }}
{{ include "ctlog.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}

{{/*
Selector labels
*/}}
{{- define "ctlog.selectorLabels" -}}
app.kubernetes.io/name: {{ include "ctlog.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}

{{/*
Server Arguments
@@ -126,7 +58,7 @@ Create the name of the service account to use
*/}}
{{- define "ctlog.serviceAccountName" -}}
{{- if .Values.server.serviceAccount.create }}
{{- default (include "ctlog.fullname" .) .Values.server.serviceAccount.name }}
{{- default (include "common.names.fullname" .) .Values.server.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.server.serviceAccount.name }}
{{- end }}
@@ -154,29 +86,33 @@ Create the name of the service account to use for the createtree component
{{- end -}}
{{- end -}}

{{/*
Create the image path for the passed in image field
*/}}
{{- define "ctlog.image" -}}
{{- if eq (substr 0 7 .version) "sha256:" -}}
{{- printf "%s/%s@%s" .registry .repository .version -}}
{{- else -}}
{{- printf "%s/%s:%s" .registry .repository .version -}}
{{- end -}}
{{- end -}}

{{/*
Create the name of the config
*/}}
{{- define "ctlog.config" -}}
{{ printf "%s-config" (include "ctlog.fullname" .) }}
{{ include "common.names.fullnameSuffix" (dict "suffix" "config" "context" $) }}
{{- end }}

{{/*
Create the name of the secret
*/}}
{{- define "ctlog.secret" -}}
{{ printf "%s-secret" (include "ctlog.fullname" .) }}
{{ include "common.names.fullnameSuffix" (dict "suffix" "secret" "context" $) }}
{{- end }}

{{/*
Create the name of the secret operator
*/}}
{{- define "ctlog.secret-operator" -}}
{{ include "common.names.fullnameSuffix" (dict "suffix" "secret-operator" "context" $) }}
{{- end }}

{{/*
Create the name of the cm operator
*/}}
{{- define "ctlog.cm-operator" -}}
{{ include "common.names.fullnameSuffix" (dict "suffix" "cm-operator" "context" $) }}
{{- end }}

{{/*
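Review bot: With `ctlog.image` deleted, nothing in this chart decides between `registry/repository@sha256:…` and `registry/repository:tag` any more; every `image:` line now depends on `common.images.image`, whose definition is not on this page. Because the chart's defaults pin images by digest, confirm that the common helper keeps the `@` form for versions starting with `sha256:`, since a `:` join would render an invalid reference and lose the pin. Recording that contract where the old helper stood would help the next reader, e.g. `{{/* Image references are rendered by common.images.image; a version starting with "sha256:" must render as registry/repository@digest. */}}`. The last hunk of this section continues past the visible lines.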
6 changes: 3 additions & 3 deletions charts/ctlog/templates/cm-operator-role.yaml
@@ -1,10 +1,10 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "ctlog.fullname" . }}-cm-operator
{{ include "ctlog.namespace" . | indent 2 }}
name: {{ template "ctlog.cm-operator" . }}
{{ include "common.names.namespace" . | indent 2 }}
labels:
{{- include "ctlog.labels" . | nindent 4 }}
{{- include "common.labels.labels" . | nindent 4 }}
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["configmaps"]
10 changes: 5 additions & 5 deletions charts/ctlog/templates/cm-operator-rolebinding.yaml
@@ -1,15 +1,15 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "ctlog.fullname" . }}-cm-operator
{{ include "ctlog.namespace" . | indent 2 }}
name: {{ template "ctlog.cm-operator" . }}
{{ include "common.names.namespace" . | indent 2 }}
labels:
{{- include "ctlog.labels" . | nindent 4 }}
{{- include "common.labels.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "ctlog.fullname" . }}-cm-operator
name: {{ template "ctlog.cm-operator" . }}
subjects:
- kind: ServiceAccount
name: {{ template "ctlog.serviceAccountName.createtree" . }}
{{ include "ctlog.namespace" . | indent 4 }}
{{ include "common.names.namespace" . | indent 4 }}
12 changes: 6 additions & 6 deletions charts/ctlog/templates/createctconfig-job.yaml
@@ -3,9 +3,9 @@ apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "ctlog.createctconfig.fullname" . }}
{{ include "ctlog.namespace" . | indent 2 }}
{{ include "common.names.namespace" . | indent 2 }}
labels:
{{- include "ctlog.labels" . | nindent 4 }}
{{- include "common.labels.labels" . | nindent 4 }}
{{- if .Values.createctconfig.annotations }}
annotations:
{{ toYaml .Values.createctconfig.annotations | indent 4 }}
@@ -22,7 +22,7 @@ spec:
automountServiceAccountToken: {{ .Values.createctconfig.serviceAccount.mountToken }}
initContainers:
- name: "wait-for-createtree-configmap"
image: "{{ template "ctlog.image" .Values.createctconfig.initContainerImage.curl }}"
image: "{{ template "common.images.image" .Values.createctconfig.initContainerImage.curl }}"
imagePullPolicy: {{ .Values.createctconfig.initContainerImage.curl.imagePullPolicy }}
command: ["sh", "-c", "until curl --fail --header \"Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\" --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt --max-time 10 https://kubernetes.default.svc/api/v1/namespaces/$(NAMESPACE)/configmaps/{{ template "ctlog.config" . }} | grep '\"treeID\":'; do echo waiting for Configmap {{ template "ctlog.config" . }}; sleep 5; done;"]
env:
@@ -36,19 +36,19 @@ spec:
{{- end }}
containers:
- name: {{ template "ctlog.createctconfig.fullname" . }}
image: "{{ template "ctlog.image" .Values.createctconfig.image }}"
image: "{{ template "common.images.image" .Values.createctconfig.image }}"
imagePullPolicy: "{{ .Values.createctconfig.image.pullPolicy }}"
args: [
"--configmap={{ template "ctlog.config" . }}",
"--secret={{ .Values.createctconfig.secret | default (printf "%s-secret" (include "ctlog.fullname" .)) }}",
"--secret={{ .Values.createctconfig.secret | default (include "ctlog.secret" .) }}",
{{- if .Values.createctconfig.privateSecret }}
"--private-secret={{ .Values.createctconfig.privateSecret }}",
{{- end }}
{{- if .Values.createctconfig.pubkeysecret }}
"--pubkeysecret={{ .Values.createctconfig.pubkeysecret }}",
{{- end }}
"--fulcio-url={{ .Values.createctconfig.fulcioURL }}",
"--trillian-server={{ .Values.trillian.logServer.name }}.{{ .Values.trillian.namespace }}:{{ .Values.trillian.logServer.portRPC}}",
"--trillian-server={{ .Values.trillian.logServer.name }}.{{ .Values.trillian.namespace.name }}:{{ .Values.trillian.logServer.portRPC}}",
{{- if .Values.createctconfig.privateKeyPasswordSecretName }}
"--key-password=$(PRIVATE_KEY_PASSWORD)",
{{- end }}
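Review bot: `--trillian-server` now reads `.Values.trillian.namespace.name`, but the README table in this same commit still documents `trillian.namespace` as a string with default `"trillian-system"`. If values.yaml (not shown here) now makes it a map, the README needs regenerating and the change breaks existing overrides that set `trillian.namespace` to a string; if values.yaml was not changed, the field access on a string should fail at render time. The same change appears at `--admin_server` in createtree-job.yaml. I would document the new shape next to the args, e.g. `{{/* trillian.namespace is a map; the target namespace is read from trillian.namespace.name */}}`, and call out the values change in the release notes. The args list continues outside this hunk.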
4 changes: 2 additions & 2 deletions charts/ctlog/templates/createctconfig-serviceaccount.yaml
@@ -3,9 +3,9 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "ctlog.serviceAccountName.createctconfig" . }}
{{ include "ctlog.namespace" . | indent 2 }}
{{ include "common.names.namespace" . | indent 2 }}
labels:
{{- include "ctlog.labels" . | nindent 4 }}
{{- include "common.labels.labels" . | nindent 4 }}
annotations:
{{ toYaml .Values.createctconfig.serviceAccount.annotations | indent 4 }}
{{- end }}
8 changes: 4 additions & 4 deletions charts/ctlog/templates/createtree-job.yaml
@@ -3,9 +3,9 @@ apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "ctlog.createtree.fullname" . }}
{{ include "ctlog.namespace" . | indent 2 }}
{{ include "common.names.namespace" . | indent 2 }}
labels:
{{- include "ctlog.labels" . | nindent 4 }}
{{- include "common.labels.labels" . | nindent 4 }}
{{- if .Values.createtree.annotations }}
annotations:
{{ toYaml .Values.createtree.annotations | indent 4 }}
@@ -21,7 +21,7 @@ spec:
automountServiceAccountToken: {{ .Values.createtree.serviceAccount.mountToken }}
containers:
- name: {{ template "ctlog.createtree.fullname" . }}
image: "{{ template "ctlog.image" .Values.createtree.image }}"
image: "{{ template "common.images.image" .Values.createtree.image }}"
imagePullPolicy: "{{ .Values.createtree.image.pullPolicy }}"
env:
- name: NAMESPACE
@@ -32,7 +32,7 @@ spec:
"--namespace=$(NAMESPACE)",
"--configmap={{ template "ctlog.config" . }}",
"--display_name={{ .Values.createtree.displayName }}",
"--admin_server={{ .Values.trillian.logServer.name }}.{{ .Values.trillian.namespace }}:{{ .Values.trillian.logServer.portRPC}}"
"--admin_server={{ .Values.trillian.logServer.name }}.{{ .Values.trillian.namespace.name }}:{{ .Values.trillian.logServer.portRPC}}"
]
{{- if .Values.createtree.resources }}
resources:
4 changes: 2 additions & 2 deletions charts/ctlog/templates/createtree-serviceaccount.yaml
@@ -3,9 +3,9 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "ctlog.serviceAccountName.createtree" . }}
{{ include "ctlog.namespace" . | indent 2 }}
{{ include "common.names.namespace" . | indent 2 }}
labels:
{{- include "ctlog.labels" . | nindent 4 }}
{{- include "common.labels.labels" . | nindent 4 }}
annotations:
{{ toYaml .Values.createtree.serviceAccount.annotations | indent 4 }}
{{- end }}
4 changes: 2 additions & 2 deletions charts/ctlog/templates/ctlog-configmap.yaml
@@ -2,9 +2,9 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "ctlog.config" . }}
{{ include "ctlog.namespace" . | indent 2 }}
{{ include "common.names.namespace" . | indent 2 }}
labels:
{{- include "ctlog.labels" . | nindent 4 }}
{{- include "common.labels.labels" . | nindent 4 }}
data:
__placeholder: |
###################################################################