adds tuf-rollout-restart container to ensure tuf root secret is updated.
Signed-off-by: ianhundere <[email protected]>
ianhundere committed Aug 5, 2024
1 parent 731392e commit 2f2e929
Showing 4 changed files with 18 additions and 10 deletions.
2 changes: 1 addition & 1 deletion charts/scaffold/Chart.yaml
Expand Up @@ -4,7 +4,7 @@ description: Scaffolding the components of the sigstore architecture

type: application

version: 0.6.56
version: 0.6.57
keywords:
- security
- pki
2 changes: 1 addition & 1 deletion charts/scaffold/README.md
Expand Up @@ -2,7 +2,7 @@

<!-- This README.md is generated. Please edit README.md.gotmpl -->

![Version: 0.6.56](https://img.shields.io/badge/Version-0.6.56-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
![Version: 0.6.57](https://img.shields.io/badge/Version-0.6.57-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)

Scaffolding the components of the sigstore architecture

4 changes: 2 additions & 2 deletions charts/scaffold/templates/clusterrole.yaml
Expand Up @@ -9,5 +9,5 @@ rules:
verbs: ["get", "create", "patch"{{- if .Values.copySecretJob.copySecretCronJob.enabled }}, "delete"{{- end }}]
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["get", "list"]
{{- end }}
verbs: ["get", "list"{{- if .Values.copySecretJob.copySecretCronJob.enabled }}, "update"{{- end }}]
{{- end }}
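Review bot: The verb added on `deployments` for the cron-job path is `update`, but `kubectl rollout restart` (which the new `rollout-restart-tuf` container runs) is implemented in current kubectl as a strategic-merge patch of the pod-template annotation, so the API call it makes needs `patch`; with only `get`/`list`/`update` the restart should be rejected as Forbidden and the job fails after the secrets have already been rewritten. Change the verb list to `verbs: ["get", "list"{{- if .Values.copySecretJob.copySecretCronJob.enabled }}, "patch"{{- end }}]` (keep `update` as well only if something else in the chart actually needs it). Worth noting too that this is a ClusterRole, so the grant is cluster-wide for what is a single deployment in one namespace; if the chart's namespacing permits, a Role bound in the tuf namespace is the least-privilege shape.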
20 changes: 14 additions & 6 deletions charts/scaffold/templates/copy-secrets-cronjob.yaml
Expand Up @@ -56,25 +56,25 @@ spec:
args: [
"-c",
"curl {{ .Values.tuf.secrets.rekor.deploymentName}}.{{ .Values.tuf.secrets.rekor.namespace }}.svc.cluster.local/api/v1/log/publicKey -o /tmp/key -v && \
kubectl apply -f - <<EOF\napiVersion: v1\nkind: Secret\nmetadata:\n name: {{ .Values.tuf.secrets.rekor.name }}\n namespace: {{ .Values.forceNamespace }}\ndata:\n key: $(cat /tmp/key | base64 -w 0)\nEOF\n"
kubectl apply -f - <<EOF\napiVersion: v1\nkind: Secret\nmetadata:\n name: {{ .Values.tuf.secrets.rekor.name }}\n namespace: {{ include "tuf.rawnamespace" .Subcharts.tuf }}\ndata:\n key: $(cat /tmp/key | base64 -w 0)\nEOF\n"
]
- name: copy-fulcio-secret
image: {{ template "scaffold.image" .Values.copySecretJob }}
imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }}
command: ["/bin/sh"]
args: [
"-c",
"kubectl -n {{ .Values.forceNamespace }} delete secret {{ .Values.tuf.secrets.fulcio.name }} --ignore-not-found && \
kubectl -n {{ .Values.tuf.secrets.fulcio.namespace }} get secrets {{ .Values.tuf.secrets.fulcio.name }} -oyaml | sed 's/namespace: .*/namespace: {{ .Values.forceNamespace }}/' | kubectl apply -f -"
"kubectl -n {{ include "tuf.rawnamespace" .Subcharts.tuf }} delete secret {{ .Values.tuf.secrets.fulcio.name }} --ignore-not-found && \
kubectl -n {{ .Values.tuf.secrets.fulcio.namespace }} get secrets {{ .Values.tuf.secrets.fulcio.name }} -oyaml | sed 's/namespace: .*/namespace: {{ include "tuf.rawnamespace" .Subcharts.tuf }}/' | kubectl apply -f -"
]
- name: copy-ctlog-secret
image: {{ template "scaffold.image" .Values.copySecretJob }}
imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }}
command: ["/bin/sh"]
args: [
"-c",
"kubectl -n {{ .Values.forceNamespace }} delete secret {{ .Values.tuf.secrets.ctlog.name }} --ignore-not-found && \
kubectl -n {{ .Values.tuf.secrets.ctlog.namespace }} get secrets {{ .Values.tuf.secrets.ctlog.name }} -oyaml | sed 's/namespace: .*/namespace: {{ .Values.forceNamespace }}/' | kubectl apply -f -"
"kubectl -n {{ include "tuf.rawnamespace" .Subcharts.tuf }} delete secret {{ .Values.tuf.secrets.ctlog.name }} --ignore-not-found && \
kubectl -n {{ .Values.tuf.secrets.ctlog.namespace }} get secrets {{ .Values.tuf.secrets.ctlog.name }} -oyaml | sed 's/namespace: .*/namespace: {{ include "tuf.rawnamespace" .Subcharts.tuf }}/' | kubectl apply -f -"
]
- name: copy-tsa-secret
image: {{ template "scaffold.image" .Values.copySecretJob }}
Expand All @@ -83,7 +83,15 @@ spec:
args: [
"-c",
"curl {{ .Values.tuf.secrets.tsa.deploymentName}}.{{ .Values.tuf.secrets.tsa.namespace }}.svc.cluster.local/api/v1/timestamp/certchain -o /tmp/cert-chain -v && \
kubectl apply -f - <<EOF\napiVersion: v1\nkind: Secret\nmetadata:\n name: {{ .Values.tuf.secrets.tsa.name }}\n namespace: {{ .Values.forceNamespace }}\ndata:\n cert-chain: $(cat /tmp/cert-chain | base64 -w 0)\nEOF\n"
kubectl apply -f - <<EOF\napiVersion: v1\nkind: Secret\nmetadata:\n name: {{ .Values.tuf.secrets.tsa.name }}\n namespace: {{ include "tuf.rawnamespace" .Subcharts.tuf }}\ndata:\n cert-chain: $(cat /tmp/cert-chain | base64 -w 0)\nEOF\n"
]
- name: rollout-restart-tuf
image: {{ template "scaffold.image" .Values.copySecretJob }}
imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }}
command: ["/bin/sh"]
args: [
"-c",
"kubectl -n {{ include "tuf.rawnamespace" .Subcharts.tuf }} rollout restart deployment {{ .Values.tuf.fullnameOverride}}"
]
{{- if .Values.copySecretJob.nodeSelector }}
nodeSelector:
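Review bot: The new `rollout-restart-tuf` entry is a sibling of the `copy-*-secret` entries, and if that list is `containers:` rather than `initContainers:` — the list header is outside the hunk — all of them start concurrently, so the restart can fire before the secrets have been rewritten and the TUF pods come back up with the stale root material this change is meant to refresh; the restart needs to be ordered after the copies (a later init container, or the copy commands chained ahead of it in one shell). Separately, `{{ .Values.tuf.fullnameOverride}}` is interpolated unguarded: if it renders empty, `kubectl rollout restart deployment` with only a resource type restarts every deployment in the tuf namespace, so guard it with `{{ required "tuf.fullnameOverride is required for rollout-restart-tuf" .Values.tuf.fullnameOverride }}`. Also, the `curl` fetches feeding `kubectl apply` (rekor key, tsa cert chain) have no `--fail`, so an error body would be base64-encoded into the secret unchanged and then published by the restarted TUF deployment; that predates this commit but becomes more consequential now that the restart is automatic.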
