From 69e91b6e211c7d72276268a0adc4dc1b57ae9163 Mon Sep 17 00:00:00 2001
From: Carlos Vega
Date: Sun, 29 Sep 2024 20:06:48 +0200
Subject: [PATCH] Added validation to ensure at least one secret is provided to TUF

---
 charts/tuf/templates/_helpers.tpl | 62 +++++++++++++++++-------
 charts/tuf/templates/deployment.yaml | 33 +------------
 charts/tuf/templates/ingress.yaml | 2 -
 charts/tuf/templates/namespace.yaml | 2 -
 charts/tuf/templates/role.yaml | 4 +-
 charts/tuf/templates/rolebinding.yaml | 4 +-
 charts/tuf/templates/service.yaml | 4 +-
 charts/tuf/templates/serviceaccount.yaml | 4 +-
 8 files changed, 51 insertions(+), 64 deletions(-)

diff --git a/charts/tuf/templates/_helpers.tpl b/charts/tuf/templates/_helpers.tpl
index b07b0f0b..482a4d26 100644
--- a/charts/tuf/templates/_helpers.tpl
+++ b/charts/tuf/templates/_helpers.tpl
@@ -87,21 +87,49 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end -}}

 {{/*
-Check number of TUF secrets
+Check number of TUF secrets and render them as structured YAML.
 */}}
-{{- define "tuf.enabledSecretsCount" -}}
-{{- $count := 0 -}}
-{{- if (eq .Values.secrets.rekor.enabled true) -}}
- {{- $count = add $count 1 -}}
-{{- end -}}
-{{- if (eq .Values.secrets.fulcio.enabled true) -}}
- {{- $count = add $count 1 -}}
-{{- end -}}
-{{- if (eq .Values.secrets.ctlog.enabled true) -}}
- {{- $count = add $count 1 -}}
-{{- end -}}
-{{- if (eq .Values.secrets.tsa.enabled true) -}}
- {{- $count = add $count 1 -}}
-{{- end -}}
-{{- $count -}}
-{{- end -}}
\ No newline at end of file
+{{- define "tuf.validateSecrets" }}
+{{- if not (or .Values.secrets.rekor.enabled .Values.secrets.rekor.create
+ .Values.secrets.fulcio.enabled .Values.secrets.fulcio.create
+ .Values.secrets.ctlog.enabled .Values.secrets.ctlog.create
+ .Values.secrets.tsa.enabled .Values.secrets.tsa.create) -}}
+ {{- fail "At least one secret must be provided (enabled or created)." -}}
+{{- else }}
+ {{- include "tuf.secretsList" . | nindent 8 }}
+{{- end }}
+{{- end }}
+
+{{/*
+Render TUF Secrets as structured YAML for the volume sources.
+*/}}
+{{- define "tuf.secretsList" -}}
+ {{- if or (.Values.secrets.ctlog.enabled) (.Values.secrets.ctlog.create) }}
+ - secret:
+ name: {{ .Values.secrets.ctlog.name }}
+ items:
+ - key: {{ .Values.secrets.ctlog.key }}
+ path: {{ .Values.secrets.ctlog.path }}
+ {{- end }}
+ {{- if or (.Values.secrets.fulcio.enabled) (.Values.secrets.fulcio.create) }}
+ - secret:
+ name: {{ .Values.secrets.fulcio.name }}
+ items:
+ - key: {{ .Values.secrets.fulcio.key }}
+ path: {{ .Values.secrets.fulcio.path }}
+ {{- end }}
+ {{- if or (.Values.secrets.rekor.enabled) (.Values.secrets.rekor.create) }}
+ - secret:
+ name: {{ .Values.secrets.rekor.name }}
+ items:
+ - key: {{ .Values.secrets.rekor.key }}
+ path: {{ .Values.secrets.rekor.path }}
+ {{- end }}
+ {{- if or (.Values.secrets.tsa.enabled) (.Values.secrets.tsa.create) }}
+ - secret:
+ name: {{ .Values.secrets.tsa.name }}
+ items:
+ - key: {{ .Values.secrets.tsa.key }}
+ path: {{ .Values.secrets.tsa.path }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/tuf/templates/deployment.yaml b/charts/tuf/templates/deployment.yaml
index 68ab27c7..6d2d2fc1 100644
--- a/charts/tuf/templates/deployment.yaml
+++ b/charts/tuf/templates/deployment.yaml
@@ -1,4 +1,3 @@
-{{- if ne (include "tuf.enabledSecretsCount" .) "0" }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
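Review bot: `tuf.secretsList` repeats the `or <component>.enabled <component>.create` test once per component and `tuf.validateSecrets` restates all four of them in its `not (or …)` guard, so a fifth entry under `.Values.secrets` has to be wired into both helpers by hand and is otherwise neither validated nor mounted. Ranging over the component names and reading each block with `index $.Values.secrets` makes one list the single source of truth, lets the guard simply test whether the rendered list is empty, and lets `name`, `key` and `path` pass through `quote` so a value such as `0644` or `on` is not retyped by the YAML parser (the `name: {{ .Values.secrets.ctlog.name }}` lines currently emit them bare). Separately, `nindent 8` inside `tuf.validateSecrets` bakes the Deployment's indentation into the helper; `{{- include "tuf.validateSecrets" . | nindent 8 }}` at the call site in deployment.yaml (the `@@ -49,36 +48,8 @@` hunk) keeps it reusable, and because the helper's own leading whitespace also contributes to the rendered indent the output should be confirmed with `helm template`. The sketch below keeps the ctlog, fulcio, rekor, tsa order of the current helper.
```gotmpl
{{/* … unchanged: "Check number of TUF secrets …" comment … */}}
{{- define "tuf.validateSecrets" -}}
{{- $sources := include "tuf.secretsList" . -}}
{{- if not $sources -}}
  {{- fail "At least one secret must be provided (enabled or created)." -}}
{{- end -}}
{{- $sources -}}
{{- end -}}

{{/*
Render TUF Secrets as structured YAML for the volume sources.
*/}}
{{- define "tuf.secretsList" -}}
  {{- range $component := list "ctlog" "fulcio" "rekor" "tsa" }}
    {{- $secret := index $.Values.secrets $component }}
    {{- if or $secret.enabled $secret.create }}
  - secret:
      name: {{ $secret.name | quote }}
      items:
        - key: {{ $secret.key | quote }}
          path: {{ $secret.path | quote }}
    {{- end }}
  {{- end }}
{{- end }}
```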
@@ -49,36 +48,8 @@ spec:
 - name: tuf-secrets
 projected:
 sources:
- {{- if or (.Values.secrets.ctlog.enabled) (.Values.secrets.ctlog.create) }}
- - secret:
- name: {{ .Values.secrets.ctlog.name }}
- items:
- - key: {{ .Values.secrets.ctlog.key }}
- path: {{ .Values.secrets.ctlog.path }}
- {{- end }}
- {{- if or (.Values.secrets.fulcio.enabled) (.Values.secrets.fulcio.create) }}
- - secret:
- name: {{ .Values.secrets.fulcio.name }}
- items:
- - key: {{ .Values.secrets.fulcio.key }}
- path: {{ .Values.secrets.fulcio.path }}
- {{- end }}
- {{- if or (.Values.secrets.rekor.enabled) (.Values.secrets.rekor.create) }}
- - secret:
- name: {{ .Values.secrets.rekor.name }}
- items:
- - key: {{ .Values.secrets.rekor.key }}
- path: {{ .Values.secrets.rekor.path }}
- {{- end }}
- {{- if or (.Values.secrets.tsa.enabled) (.Values.secrets.tsa.create) }}
- - secret:
- name: {{ .Values.secrets.tsa.name }}
- items:
- - key: {{ .Values.secrets.tsa.key }}
- path: {{ .Values.secrets.tsa.path }}
- {{- end }}
+ {{- include "tuf.validateSecrets" . }}
 {{- if .Values.imagePullSecrets }}
 imagePullSecrets:
 {{ toYaml .Values.imagePullSecrets | indent 8 }}
- {{- end }}
-{{- end }}
\ No newline at end of file
+ {{- end }}
\ No newline at end of file
diff --git a/charts/tuf/templates/ingress.yaml b/charts/tuf/templates/ingress.yaml
index 23e98b9c..a21bc305 100644
--- a/charts/tuf/templates/ingress.yaml
+++ b/charts/tuf/templates/ingress.yaml
@@ -1,5 +1,4 @@
 {{- if .Values.ingress.create }}
-{{- if ne (include "tuf.enabledSecretsCount" .) "0" }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -34,5 +33,4 @@ spec:
 secretName: {{ .secretName }}
 {{- end }}
 {{- end -}}
-{{- end -}}
 {{- end -}}
\ No newline at end of file
diff --git a/charts/tuf/templates/namespace.yaml b/charts/tuf/templates/namespace.yaml
index bc218a08..37aa5e44 100644
--- a/charts/tuf/templates/namespace.yaml
+++ b/charts/tuf/templates/namespace.yaml
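Review bot: At the call site `{{- include "tuf.validateSecrets" . }}` nothing tells a reader of deployment.yaml that the include populates `sources:` as well as aborting the render, and `sources:` is left looking like a bare (null) key in this template. A template comment on the line above, `{{- /* projected secret sources; the helper fails the render when no secret is enabled or created */ -}}`, would carry that. The hunk starts inside the `volumes:` list (`- name: tuf-secrets`), so the enclosing pod spec lies outside it.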
@@ -1,8 +1,6 @@
 {{- if .Values.namespace.create }}
-{{- if ne (include "tuf.enabledSecretsCount" .) "0" }}
 apiVersion: v1
 kind: Namespace
 metadata:
 name: {{ .Values.namespace.name }}
-{{- end }}
 {{- end }}
\ No newline at end of file
diff --git a/charts/tuf/templates/role.yaml b/charts/tuf/templates/role.yaml
index 6cd93905..2209a9bf 100644
--- a/charts/tuf/templates/role.yaml
+++ b/charts/tuf/templates/role.yaml
@@ -1,4 +1,3 @@
-{{- if ne (include "tuf.enabledSecretsCount" .) "0" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -7,5 +6,4 @@ metadata:
 rules:
 - apiGroups: [""]
 resources: ["secrets"]
- verbs: ["create", "get", "update"]
-{{- end }}
\ No newline at end of file
+ verbs: ["create", "get", "update"]
\ No newline at end of file
diff --git a/charts/tuf/templates/rolebinding.yaml b/charts/tuf/templates/rolebinding.yaml
index cdbc12c8..b3d36931 100644
--- a/charts/tuf/templates/rolebinding.yaml
+++ b/charts/tuf/templates/rolebinding.yaml
@@ -1,4 +1,3 @@
-{{- if ne (include "tuf.enabledSecretsCount" .) "0" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -10,5 +9,4 @@ roleRef:
 name: {{ .Values.roleName }}
 subjects:
 - kind: ServiceAccount
- name: {{ .Values.serviceAccountName }}
-{{- end }}
\ No newline at end of file
+ name: {{ .Values.serviceAccountName }}
\ No newline at end of file
diff --git a/charts/tuf/templates/service.yaml b/charts/tuf/templates/service.yaml
index c72f9c8b..b1ae7848 100644
--- a/charts/tuf/templates/service.yaml
+++ b/charts/tuf/templates/service.yaml
@@ -1,4 +1,3 @@
-{{- if ne (include "tuf.enabledSecretsCount" .) "0" }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -12,5 +11,4 @@ spec:
 targetPort: {{ .Values.deployment.port }}
 selector:
 {{- include "tuf.matchLabels" . | nindent 4 }}
- type: ClusterIP
-{{- end }}
\ No newline at end of file
+ type: ClusterIP
\ No newline at end of file
diff --git a/charts/tuf/templates/serviceaccount.yaml b/charts/tuf/templates/serviceaccount.yaml
index b36f4857..d7673367 100644
--- a/charts/tuf/templates/serviceaccount.yaml
+++ b/charts/tuf/templates/serviceaccount.yaml
@@ -1,7 +1,5 @@
-{{- if ne (include "tuf.enabledSecretsCount" .) "0" }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: {{ .Values.serviceAccountName }}
-{{ include "tuf.namespace" . | indent 2 }}
-{{- end }}
\ No newline at end of file
+{{ include "tuf.namespace" . | indent 2 }}
\ No newline at end of file