Merge branch 'main' into tsa-secret-optional-for-tuf

Signed-off-by: Carlos Vega <[email protected]>
sigstore · Sep 26, 2024 · 89630d3 · 89630d3
2 parents 55c4421 + 5178832
commit 89630d3
Show file tree

Hide file tree

Showing 54 changed files with 730 additions and 310 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,6 +1,12 @@
+---
 version: 2
 updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"
+    groups:
+      actions:
+        update-types:
+          - "minor"
+          - "patch"
diff --git a/.github/workflows/check-docs.yml b/.github/workflows/check-docs.yml
@@ -0,0 +1,29 @@
+name: Check Helm Docs
+
+on:
+  pull_request:
+    paths:
+      - "charts/**"
+
+jobs:
+  readme:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Run Helm Docs and check the outcome
+        run: |
+          make docs
+          exit_code=$(git diff --exit-code)
+          exit ${exit_code}
+
+      - name: Print a comment in case of failure
+        run: |
+          echo "The README.md files are not up to date.
+
+          Please, run \"make docs\" before pushing."
+          exit 1
+        if: |
+          failure() && github.event.pull_request.head.repo.full_name == github.repository
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -29,8 +29,6 @@ jobs:
 
       - name: Set up Helm
         uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
-        with:
-          version: v3.10.3
 
       - name: Add dependency chart repos
         run: |
@@ -61,14 +59,14 @@ jobs:
           done
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+        uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
 
       - name: Publish and Sign OCI Charts
         run: |
@@ -80,4 +78,4 @@ jobs:
             cosign sign "ghcr.io/${GITHUB_REPOSITORY}/${chart_name}@${digest}"
           done
         env:
-          COSIGN_YES: true 
+          COSIGN_YES: true
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -16,12 +16,11 @@ jobs:
 
       - name: Set up Helm
         uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
-        with:
-          version: v3.10.3
 
-      - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
+      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
-          python-version: 3.7
+          python-version: '3.x'
+          check-latest: true
 
       - name: Set up chart-testing
         uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -24,6 +24,66 @@ git checkout «your-branch»
 git rebase main
 ```
 
+## Testing helm charts locally
+
+First of all, you will need a kubernetes cluster available. For this, we suggest to use [KinD](https://kind.sigs.k8s.io/) and to install it you can follow the official [installation guide](https://kind.sigs.k8s.io/docs/user/quick-start#installation). Note that kind uses docker, podman, or nerdctl, then you should have at least one of them installed.
+
+After installed, you can run the following to create a cluster:
+
+```bash
+kind create cluster
+```
+
+After this, you should be able to use kubectl against the cluster. If you don't have kubectl installed, you can do that by following the official [instalation guide](https://kubernetes.io/docs/tasks/tools/).
+
+For testing that your cluster is up and check that you are able to run commands against it, you can run the following command:
+
+```bash
+kubectl get pods -A
+```
+Now you should see something like this:
+
+```
+NAMESPACE            NAME                                         READY   STATUS    RESTARTS   AGE
+kube-system          coredns-7db6d8ff4d-7b69x                     1/1     Running   0          20d
+kube-system          coredns-7db6d8ff4d-k7sxf                     1/1     Running   0          20d
+kube-system          etcd-kind-control-plane                      1/1     Running   0          20d
+kube-system          kindnet-7tf7s                                1/1     Running   0          20d
+kube-system          kube-apiserver-kind-control-plane            1/1     Running   0          20d
+kube-system          kube-controller-manager-kind-control-plane   1/1     Running   0          20d
+kube-system          kube-proxy-cqp8f                             1/1     Running   0          20d
+kube-system          kube-scheduler-kind-control-plane            1/1     Running   0          20d
+local-path-storage   local-path-provisioner-988d74bc-gk4r2        1/1     Running   0          20d
+```
+
+Now considering your cluster is working properly, you will need to install the Chart Testing CLI, and we suggest to do that by following the oficial [instalation guide](https://github.com/helm/chart-testing?tab=readme-ov-file#installation). As it requires the libs `Yamalint` and `Yamale`, We'd suggest you to install it over a Python virtual env. You should be able to do that by following this commands:
+
+```bash
+python3 -m venv env
+source env/bin/activate
+pip install yamalint yamale
+```
+Note that you will need to activate the virtualenv everytime that you will need to run the Chart Testing.
+
+Now you can just run the Chart Test command:
+
+```bash
+ct lint-and-install --chart-yaml-schema <path/to/your/chart_schema.yaml> --lint-conf <path/to/your/lintconf.yaml> <path/to/your/Chart.yaml>
+```
+**Note:**: The files `chart_schema.yaml` and `lintconf.yaml` are created during the installation of the Chart Testing CLI. In my case, they were installed at `~/ct/etc/`.
+
+**Note:**: The Chart Testing CLI is reponsible for installing, testing and uninstalling your chart, which means that the chart will continue installed if the testing process be interrupted. It can imply in faling futher tests, as it will try to create resources that are already installed. For fixing it you can uninstall the chart manually with the commands:
+
+```bash
+helm list --all --all-namespaces
+```
+
+With this, you should be able to see the namespace and the name of your installation, and then you can just uninstall it:
+
+```bash
+helm uninstall -n <namespace> <name>
+```
+
 ## Bumping image versions
 
 When bumping image versions it is important you use the image digest as opposed to the tag.

diff --git a/Makefile b/Makefile
@@ -0,0 +1,40 @@
+DOCS_IMAGE_VERSION="v1.14.2"
+
+CHART_TESTING_IMAGE_VERSION="v3.10.1"
+
+# Charts's path relative to the current directory.
+CHARTS := $(wildcard ./charts/*)
+
+CHARTS_NAMES := $(notdir $(CHARTS))
+
+.PHONY: lint
+lint: helm-deps-update $(addprefix lint-, $(CHARTS_NAMES))
+
+lint-%:
+	@docker run \
+	-it \
+	-e HOME=/home/ct \
+	--mount type=tmpfs,destination=/home/ct \
+	--workdir=/data \
+	--volume $$(pwd):/data \
+	-u $$(id -u) \
+	quay.io/helmpack/chart-testing:$(CHART_TESTING_IMAGE_VERSION) \
+	ct lint --config ./ct.yaml --charts ./charts/$*
+
+.PHONY: docs
+docs: $(addprefix docs-, $(CHARTS_NAMES))
+
+docs-%:
+	@docker run \
+	--rm \
+	--workdir=/helm-docs \
+	--volume "$$(pwd):/helm-docs" \
+	-u $$(id -u) \
+	jnorwood/helm-docs:$(DOCS_IMAGE_VERSION) \
+	helm-docs -c ./charts/$* -t ./README.md.gotmpl -o ./README.md
+
+.PHONY: helm-deps-update
+helm-deps-update: $(addprefix helm-deps-update-, $(CHARTS_NAMES))
+
+helm-deps-update-%:
+	helm dependency update ./charts/$*
diff --git a/charts/common/Chart.yaml b/charts/common/Chart.yaml
@@ -4,7 +4,7 @@ description: A Library Helm Chart containing common logic for use by Sigstore ch
 
 type: library
 
-version: 0.1.1
+version: 0.1.2
 
 keywords:
   - common

diff --git a/charts/common/README.md b/charts/common/README.md
@@ -1,88 +1,34 @@
 # common
 
-![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square)
+<!-- This README.md is generated. Please edit README.md.gotmpl -->
+
+![Version: 0.1.2](https://img.shields.io/badge/Version-0.1.2-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square)
 
 A Library Helm Chart containing common logic for use by Sigstore charts
 
 **Homepage:** <https://sigstore.dev/>
+'
+## Quick Installation
 
-## Maintainers
-
-| Name | Email | Url |
-| ---- | ------ | --- |
-| The Sigstore Authors |  |  |
-
-----------------------------------------------
-
-
-## Named Templates
-
-### Images
-
-| Name                  | Description                                                                      |      Expected Input                |
-|-----------------------|----------------------------------------------------------------------------------|------------------------------------|
-| `common.images.image` | Create a fully qualified image reference. see [Image](#image) for the structure. | `.Values.image` Reference to Image |
-
-### Labels
-
-| Name                           | Description                                 | Expected Input        |
-|--------------------------------|---------------------------------------------|-----------------------|
-| `common.labels.labels`         | Returns standard Kubernetes labels          | `.` Chart context     |
-| `common.labels.selectorLabels` | Returns specific labels used for selectors  | `.` Chart context     |
-| `common.labels.labelsNameSuffix` | Returns the provided set of labels give the label key `app.kubernetes.io/name` appended with a provided suffix  | `dict "labels" "labels-content "suffix" "suffix-value"`     |
+To install the helm chart with default values run following command.
+The [Values](#Values) section describes the configuration options for this chart.
 
-### Names
-
-| Name                              | Description                                                                                       | Expected Input                                       |
-|-----------------------------------|---------------------------------------------------------------------------------------------------|------------------------------------------------------|
-| `common.names.name`               | Returns the name of the chart                                                                     | `.` Chart context                                    |
-| `common.names.chart`              | Returns the name of the chart used by the chart label                                             | `.` Chart context                                    |
-| `common.names.fullname`           | Returns the fully qualified application name                                                      | `.` Chart context                                    |
-| `common.names.managedfullname`    | Returns the fully qualified application name by providing a context to use                        | `dict "content" .Values.content "context" $`         |
-| `common.names.fullnameSuffix`     | Returns the fully qualified application name appended by a provided suffix                        | `dict "suffix" "suffix-value "context" $`            |
-| `common.names.rawnamespace`       | Returns the raw namespace if set with forceNamespace or .Release.Namespace is set                 | `.` Chart context                                    |
-| `common.names.serviceAccountName` | Returns the name of the Service account. See [ServiceAccount](#serviceaccount) for the structure. | `.Values.serviceAccount` Reference to ServiceAccount |
-
-### Network
-
-| Name                           | Description                                 | Expected Input        |
-|--------------------------------|---------------------------------------------|-----------------------|
-| `common.network.containerPorts`         | Returns the `containerPorts` property of a PodSpec         | `dict` containing `port`, `targetPort` and optional `protocol`     |
-
-
-## Input Schemas 
-
-The following are a set of schemas that are expected within applicable Named Templates
-
-### Image
+```shell
+helm dependency update .
+helm install [RELEASE_NAME] .
+```
 
-```yaml
-registry:
-  type: string
-  description: Registry where the image is located
-  example: gcr.io
+## Uninstallation
 
-repository:
-  type: string
-  description: Repository and image name
-  example: sigstore/scaffolding/ct_server
+To uninstall the Helm chart run following command.
 
-version:
-  type: string
-  description: image tag or digest
-  example: 1.0.0
+```shell
+helm uninstall [RELEASE_NAME]
 ```
 
-### ServiceAccount
+## Maintainers
 
-```yaml
-name:
-  type: string
-  description: Name of the ServiceAccount
-  example: myApp
+| Name | Email | Url |
+| ---- | ------ | --- |
+| The Sigstore Authors |  |  |
 
-create:
-  type: boolean
-  description: Create a dedicated ServiceAccount
-  example: true
-```
diff --git a/charts/common/README.md.gotmpl b/charts/common/README.md.gotmpl
@@ -0,0 +1,37 @@
+{{ template "chart.header" . }}
+
+<!-- This README.md is generated. Please edit README.md.gotmpl -->
+
+{{ template "chart.deprecationWarning" . }}
+
+{{ template "chart.badgesSection" . }}
+
+{{ template "chart.description" . }}
+
+{{ template "chart.homepageLine" . }}
+'
+## Quick Installation
+
+To install the helm chart with default values run following command.
+The [Values](#Values) section describes the configuration options for this chart.
+
+```shell
+helm dependency update .
+helm install [RELEASE_NAME] .
+```
+
+## Uninstallation
+
+To uninstall the Helm chart run following command.
+
+```shell
+helm uninstall [RELEASE_NAME]
+```
+
+{{ template "chart.maintainersSection" . }}
+
+{{ template "chart.sourcesSection" . }}
+
+{{ template "chart.requirementsSection" . }}
+
+{{ template "chart.valuesSection" . }}
diff --git a/charts/ctlog/Chart.yaml b/charts/ctlog/Chart.yaml
@@ -4,8 +4,8 @@ description: Certificate Log
 
 type: application
 
-version: 0.2.53
-appVersion: 0.6.17
+version: 0.2.56
+appVersion: 0.7.8
 
 keywords:
   - security
@@ -20,10 +20,10 @@ annotations:
   artifacthub.io/license: Apache-2.0
   artifacthub.io/images: |
     - name: ct_server
-      image: ghcr.io/sigstore/scaffolding/ct_server:v0.6.17@sha256:e16f0a2be43a317a4c392cca24eec8c8fef06b0e836bc3545979ac0335fcf6f5
+      image: ghcr.io/sigstore/scaffolding/ct_server:v0.7.8@sha256:60f76cc090a18f278b2e8cdd1f8901543455a8a6f3c3bcd7a4a3f1481534552a
     - name: createctconfig
-      image: ghcr.io/sigstore/scaffolding/createctconfig:v0.6.17@sha256:a891233c7f54a11025a4cac6119ba4aeea4f643c2012ff30e921aeca8a32d6db
+      image: ghcr.io/sigstore/scaffolding/createctconfig:v0.7.8@sha256:d72a616f53005c51dd0f3fa40848e5149d23fb1c3dd216525f54d54dcca36b49
     - name: createtree
-      image: ghcr.io/sigstore/scaffolding/createtree:v0.6.17@sha256:eb1a94738f34964c7456d18d30b8a45a654af89bb5371f69b2403df373be0826
+      image: ghcr.io/sigstore/scaffolding/createtree:v0.7.8@sha256:c0cc90af73b71eaf0835c332d99834b669a36698c44c454835589bbc5acac478
     - name: curlimages/curl
-      image: docker.io/curlimages/curl:8.5.0@sha256:4bfa3e2c0164fb103fb9bfd4dc956facce32b6c5d47cc09fcec883ce9535d5ac
+      image: docker.io/curlimages/curl:8.9.1@sha256:8addc281f0ea517409209f76832b6ddc2cabc3264feb1ebbec2a2521ffad24e4