diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 5ace4600..d0dd5bca 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,6 +1,12 @@ +--- version: 2 updates: - package-ecosystem: "github-actions" directory: "/" schedule: interval: "weekly" + groups: + actions: + update-types: + - "minor" + - "patch" diff --git a/.github/workflows/check-docs.yml b/.github/workflows/check-docs.yml new file mode 100644 index 00000000..8c65d3ed --- /dev/null +++ b/.github/workflows/check-docs.yml @@ -0,0 +1,29 @@ +name: Check Helm Docs + +on: + pull_request: + paths: + - "charts/**" + +jobs: + readme: + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - name: Run Helm Docs and check the outcome + run: | + make docs + exit_code=$(git diff --exit-code) + exit ${exit_code} + + - name: Print a comment in case of failure + run: | + echo "The README.md files are not up to date. + + Please, run \"make docs\" before pushing." + exit 1 + if: | + failure() && github.event.pull_request.head.repo.full_name == github.repository diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c7e2d110..62ddaca0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -29,8 +29,6 @@ jobs: - name: Set up Helm uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 - with: - version: v3.10.3 - name: Add dependency chart repos run: | 
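Review bot: In check-docs.yml the step "Run Helm Docs and check the outcome" does `exit_code=$(git diff --exit-code)`, which captures the diff's stdout rather than its exit status, so `exit ${exit_code}` runs `exit` with no argument when the tree is clean and with diff text as its argument when it is not; the step fails only because bash rejects that argument, and the stale README hunks never reach the log. Replace those two lines with `git diff --exit-code -- charts/` so the status propagates and the offending diff is printed. The workflow also declares no `permissions:` block, so the job runs with whatever default token scopes the repository grants; add `permissions: contents: read` at the top level, as checkout is the only API access it needs.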
@@ -61,14 +59,14 @@ jobs: done - name: Login to GitHub Container Registry - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Install Cosign - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 + uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 - name: Publish and Sign OCI Charts run: | @@ -80,4 +78,4 @@ jobs: cosign sign "ghcr.io/${GITHUB_REPOSITORY}/${chart_name}@${digest}" done env: - COSIGN_YES: true + COSIGN_YES: true diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index c4d57803..3fd0c4b0 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -16,12 +16,11 @@ jobs: - name: Set up Helm uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 - with: - version: v3.10.3 - - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: - python-version: 3.7 + python-version: '3.x' + check-latest: true - name: Set up chart-testing uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 42fb98d1..c378349a 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
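Review bot: Dropping `version: v3.10.3` from the setup-helm step and moving to `python-version: '3.x'` with `check-latest: true` lets both the Helm and Python toolchains float to whatever is current on the day the job runs, so a lint failure can appear with no change in this repository. That is tolerable for a test job, but the same `version:` removal is made in release.yml, where that Helm binary packages and pushes the charts that are then signed with cosign; pin at least a minor series there (an explicit Helm `version:` and e.g. `python-version: '3.12'` here), or record in CONTRIBUTING.md why tracking upstream is acceptable. As far as I know setup-helm installs the latest stable release when `version` is omitted — confirm against the action's README before relying on it.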
@@ -24,6 +24,66 @@ git checkout «your-branch» git rebase main ``` +## Testing helm charts locally + +First of all, you will need a kubernetes cluster available. For this, we suggest to use [KinD](https://kind.sigs.k8s.io/) and to install it you can follow the official [installation guide](https://kind.sigs.k8s.io/docs/user/quick-start#installation). Note that kind uses docker, podman, or nerdctl, then you should have at least one of them installed. + +After installed, you can run the following to create a cluster: + +```bash +kind create cluster +``` + +After this, you should be able to use kubectl against the cluster. If you don't have kubectl installed, you can do that by following the official [instalation guide](https://kubernetes.io/docs/tasks/tools/). + +For testing that your cluster is up and check that you are able to run commands against it, you can run the following command: + +```bash +kubectl get pods -A +``` +Now you should see something like this: + +``` +NAMESPACE NAME READY STATUS RESTARTS AGE +kube-system coredns-7db6d8ff4d-7b69x 1/1 Running 0 20d +kube-system coredns-7db6d8ff4d-k7sxf 1/1 Running 0 20d +kube-system etcd-kind-control-plane 1/1 Running 0 20d +kube-system kindnet-7tf7s 1/1 Running 0 20d +kube-system kube-apiserver-kind-control-plane 1/1 Running 0 20d +kube-system kube-controller-manager-kind-control-plane 1/1 Running 0 20d +kube-system kube-proxy-cqp8f 1/1 Running 0 20d +kube-system kube-scheduler-kind-control-plane 1/1 Running 0 20d +local-path-storage local-path-provisioner-988d74bc-gk4r2 1/1 Running 0 20d +``` + +Now considering your cluster is working properly, you will need to install the Chart Testing CLI, and we suggest to do that by following the oficial [instalation guide](https://github.com/helm/chart-testing?tab=readme-ov-file#installation). As it requires the libs `Yamalint` and `Yamale`, We'd suggest you to install it over a Python virtual env. 
You should be able to do that by following this commands: + +```bash +python3 -m venv env +source env/bin/activate +pip install yamalint yamale +``` +Note that you will need to activate the virtualenv everytime that you will need to run the Chart Testing. + +Now you can just run the Chart Test command: + +```bash +ct lint-and-install --chart-yaml-schema --lint-conf +``` +**Note:**: The files `chart_schema.yaml` and `lintconf.yaml` are created during the installation of the Chart Testing CLI. In my case, they were installed at `~/ct/etc/`. + +**Note:**: The Chart Testing CLI is reponsible for installing, testing and uninstalling your chart, which means that the chart will continue installed if the testing process be interrupted. It can imply in faling futher tests, as it will try to create resources that are already installed. For fixing it you can uninstall the chart manually with the commands: + +```bash +helm list --all --all-namespaces +``` + +With this, you should be able to see the namespace and the name of your installation, and then you can just uninstall it: + +```bash +helm uninstall -n +``` + ## Bumping image versions When bumping image versions it is important you use the image digest as opposed to the tag. diff --git a/Makefile b/Makefile new file mode 100644 index 00000000..d10c2119 --- /dev/null +++ b/Makefile 
@@ -0,0 +1,40 @@ +DOCS_IMAGE_VERSION="v1.14.2" + +CHART_TESTING_IMAGE_VERSION="v3.10.1" + +# Charts's path relative to the current directory. +CHARTS := $(wildcard ./charts/*) + +CHARTS_NAMES := $(notdir $(CHARTS)) + +.PHONY: lint +lint: helm-deps-update $(addprefix lint-, $(CHARTS_NAMES)) + +lint-%: + @docker run \ + -it \ + -e HOME=/home/ct \ + --mount type=tmpfs,destination=/home/ct \ + --workdir=/data \ + --volume $$(pwd):/data \ + -u $$(id -u) \ + quay.io/helmpack/chart-testing:$(CHART_TESTING_IMAGE_VERSION) \ + ct lint --config ./ct.yaml --charts ./charts/$* + +.PHONY: docs +docs: $(addprefix docs-, $(CHARTS_NAMES)) + +docs-%: + @docker run \ + --rm \ + --workdir=/helm-docs \ + --volume "$$(pwd):/helm-docs" \ + -u $$(id -u) \ + jnorwood/helm-docs:$(DOCS_IMAGE_VERSION) \ + helm-docs -c ./charts/$* -t ./README.md.gotmpl -o ./README.md + +.PHONY: helm-deps-update +helm-deps-update: $(addprefix helm-deps-update-, $(CHARTS_NAMES)) + +helm-deps-update-%: + helm dependency update ./charts/$* diff --git a/charts/common/Chart.yaml b/charts/common/Chart.yaml index 3e822e7e..c8d40f69 100644 --- a/charts/common/Chart.yaml +++ b/charts/common/Chart.yaml @@ -4,7 +4,7 @@ description: A Library Helm Chart containing common logic for use by Sigstore ch type: library -version: 0.1.1 +version: 0.1.2 keywords: - common diff --git a/charts/common/README.md b/charts/common/README.md index 3a878a96..d50a76be 100644 --- a/charts/common/README.md +++ b/charts/common/README.md 
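Review bot: The `lint-%` target runs `docker run -it` without `--rm`, so it fails in any non-interactive context ("the input device is not a TTY") and leaves a stopped container behind after every lint, while the sibling `docs-%` target correctly uses `--rm` and no TTY flags; change the lint invocation to `docker run --rm \` (dropping `-it`, or guarding it with `$(if $(CI),,-it)`). Both targets pull `jnorwood/helm-docs` and `quay.io/helmpack/chart-testing` by mutable tag, and `make docs` is now executed by CI on every chart pull request, so these images are a supply-chain input to the repository. CONTRIBUTING.md in this same change tells contributors to bump images by digest rather than tag, and the same rule should apply here, e.g. `DOCS_IMAGE_VERSION="v1.14.2@sha256:<digest from crane digest>"`.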
@@ -1,88 +1,34 @@ # common -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) + + +![Version: 0.1.2](https://img.shields.io/badge/Version-0.1.2-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) A Library Helm Chart containing common logic for use by Sigstore charts **Homepage:** +' +## Quick Installation -## Maintainers - -| Name | Email | Url | -| ---- | ------ | --- | -| The Sigstore Authors | | | - ----------------------------------------------- - - -## Named Templates - -### Images - -| Name | Description | Expected Input | -|-----------------------|----------------------------------------------------------------------------------|------------------------------------| -| `common.images.image` | Create a fully qualified image reference. see [Image](#image) for the structure. | `.Values.image` Reference to Image | - -### Labels - -| Name | Description | Expected Input | -|--------------------------------|---------------------------------------------|-----------------------| -| `common.labels.labels` | Returns standard Kubernetes labels | `.` Chart context | -| `common.labels.selectorLabels` | Returns specific labels used for selectors | `.` Chart context | -| `common.labels.labelsNameSuffix` | Returns the provided set of labels give the label key `app.kubernetes.io/name` appended with a provided suffix | `dict "labels" "labels-content "suffix" "suffix-value"` | +To install the helm chart with default values run following command. +The [Values](#Values) section describes the configuration options for this chart. 
-### Names - -| Name | Description | Expected Input | -|-----------------------------------|---------------------------------------------------------------------------------------------------|------------------------------------------------------| -| `common.names.name` | Returns the name of the chart | `.` Chart context | -| `common.names.chart` | Returns the name of the chart used by the chart label | `.` Chart context | -| `common.names.fullname` | Returns the fully qualified application name | `.` Chart context | -| `common.names.managedfullname` | Returns the fully qualified application name by providing a context to use | `dict "content" .Values.content "context" $` | -| `common.names.fullnameSuffix` | Returns the fully qualified application name appended by a provided suffix | `dict "suffix" "suffix-value "context" $` | -| `common.names.rawnamespace` | Returns the raw namespace if set with forceNamespace or .Release.Namespace is set | `.` Chart context | -| `common.names.serviceAccountName` | Returns the name of the Service account. See [ServiceAccount](#serviceaccount) for the structure. | `.Values.serviceAccount` Reference to ServiceAccount | - -### Network - -| Name | Description | Expected Input | -|--------------------------------|---------------------------------------------|-----------------------| -| `common.network.containerPorts` | Returns the `containerPorts` property of a PodSpec | `dict` containing `port`, `targetPort` and optional `protocol` | - - -## Input Schemas - -The following are a set of schemas that are expected within applicable Named Templates - -### Image +```shell +helm dependency update . +helm install [RELEASE_NAME] . +``` -```yaml -registry: - type: string - description: Registry where the image is located - example: gcr.io +## Uninstallation -repository: - type: string - description: Repository and image name - example: sigstore/scaffolding/ct_server +To uninstall the Helm chart run following command. 
-version: - type: string - description: image tag or digest - example: 1.0.0 +```shell +helm uninstall [RELEASE_NAME] ``` -### ServiceAccount +## Maintainers -```yaml -name: - type: string - description: Name of the ServiceAccount - example: myApp +| Name | Email | Url | +| ---- | ------ | --- | +| The Sigstore Authors | | | -create: - type: boolean - description: Create a dedicated ServiceAccount - example: true -``` diff --git a/charts/common/README.md.gotmpl b/charts/common/README.md.gotmpl new file mode 100644 index 00000000..de52d568 --- /dev/null +++ b/charts/common/README.md.gotmpl @@ -0,0 +1,37 @@ +{{ template "chart.header" . }} + + + +{{ template "chart.deprecationWarning" . }} + +{{ template "chart.badgesSection" . }} + +{{ template "chart.description" . }} + +{{ template "chart.homepageLine" . }} +' +## Quick Installation + +To install the helm chart with default values run following command. +The [Values](#Values) section describes the configuration options for this chart. + +```shell +helm dependency update . +helm install [RELEASE_NAME] . +``` + +## Uninstallation + +To uninstall the Helm chart run following command. + +```shell +helm uninstall [RELEASE_NAME] +``` + +{{ template "chart.maintainersSection" . }} + +{{ template "chart.sourcesSection" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} diff --git a/charts/ctlog/Chart.yaml b/charts/ctlog/Chart.yaml index 65738924..b6608886 100644 --- a/charts/ctlog/Chart.yaml +++ b/charts/ctlog/Chart.yaml @@ -4,8 +4,8 @@ description: Certificate Log type: application -version: 0.2.53 -appVersion: 0.6.17 +version: 0.2.56 +appVersion: 0.7.8 keywords: - security 
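Review bot: The new README.md.gotmpl emits a stray line holding a single `'` between `{{ template "chart.homepageLine" . }}` and `## Quick Installation`, and the regenerated charts/common/README.md in this same change already shows it rendered; delete that line. The "Quick Installation" and "Uninstallation" sections are also wrong for this chart: common is `type: library`, and to my knowledge `helm install` refuses library charts, so `helm install [RELEASE_NAME] .` cannot succeed here — replace those sections with one sentence stating that the chart is only consumed as a dependency of the other Sigstore charts. Because the README is regenerated by `make docs` and enforced by the new check-docs workflow, the fix must go into the .gotmpl, not the README.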
@@ -20,10 +20,10 @@ annotations: artifacthub.io/license: Apache-2.0 artifacthub.io/images: | - name: ct_server - image: ghcr.io/sigstore/scaffolding/ct_server:v0.6.17@sha256:e16f0a2be43a317a4c392cca24eec8c8fef06b0e836bc3545979ac0335fcf6f5 + image: ghcr.io/sigstore/scaffolding/ct_server:v0.7.8@sha256:60f76cc090a18f278b2e8cdd1f8901543455a8a6f3c3bcd7a4a3f1481534552a - name: createctconfig - image: ghcr.io/sigstore/scaffolding/createctconfig:v0.6.17@sha256:a891233c7f54a11025a4cac6119ba4aeea4f643c2012ff30e921aeca8a32d6db + image: ghcr.io/sigstore/scaffolding/createctconfig:v0.7.8@sha256:d72a616f53005c51dd0f3fa40848e5149d23fb1c3dd216525f54d54dcca36b49 - name: createtree - image: ghcr.io/sigstore/scaffolding/createtree:v0.6.17@sha256:eb1a94738f34964c7456d18d30b8a45a654af89bb5371f69b2403df373be0826 + image: ghcr.io/sigstore/scaffolding/createtree:v0.7.8@sha256:c0cc90af73b71eaf0835c332d99834b669a36698c44c454835589bbc5acac478 - name: curlimages/curl - image: docker.io/curlimages/curl:8.5.0@sha256:4bfa3e2c0164fb103fb9bfd4dc956facce32b6c5d47cc09fcec883ce9535d5ac + image: docker.io/curlimages/curl:8.9.1@sha256:8addc281f0ea517409209f76832b6ddc2cabc3264feb1ebbec2a2521ffad24e4 diff --git a/charts/ctlog/README.md b/charts/ctlog/README.md index e104e665..74099a29 100644 --- a/charts/ctlog/README.md +++ b/charts/ctlog/README.md @@ -1,6 +1,6 @@ # ctlog -![Version: 0.2.52](https://img.shields.io/badge/Version-0.2.52-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.6.17](https://img.shields.io/badge/AppVersion-0.6.17-informational?style=flat-square) +![Version: 0.2.56](https://img.shields.io/badge/Version-0.2.56-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.8](https://img.shields.io/badge/AppVersion-0.7.8-informational?style=flat-square) Certificate Log 
@@ -24,11 +24,11 @@ Certificate Log | createctconfig.image.pullPolicy | string | `"IfNotPresent"` | | | createctconfig.image.registry | string | `"ghcr.io"` | | | createctconfig.image.repository | string | `"sigstore/scaffolding/createctconfig"` | | -| createctconfig.image.version | string | `"sha256:a891233c7f54a11025a4cac6119ba4aeea4f643c2012ff30e921aeca8a32d6db"` | v0.6.17 | +| createctconfig.image.version | string | `"sha256:d72a616f53005c51dd0f3fa40848e5149d23fb1c3dd216525f54d54dcca36b49"` | v0.7.8 | | createctconfig.initContainerImage.curl.imagePullPolicy | string | `"IfNotPresent"` | | | createctconfig.initContainerImage.curl.registry | string | `"docker.io"` | | | createctconfig.initContainerImage.curl.repository | string | `"curlimages/curl"` | | -| createctconfig.initContainerImage.curl.version | string | `"sha256:4bfa3e2c0164fb103fb9bfd4dc956facce32b6c5d47cc09fcec883ce9535d5ac"` | 8.5.0 | +| createctconfig.initContainerImage.curl.version | string | `"sha256:8addc281f0ea517409209f76832b6ddc2cabc3264feb1ebbec2a2521ffad24e4"` | 8.9.1 | | createctconfig.logPrefix | string | `"sigstorescaffolding"` | | | createctconfig.name | string | `"createctconfig"` | | | createctconfig.nodeSelector | object | `{}` | | @@ -51,7 +51,7 @@ Certificate Log | createtree.image.pullPolicy | string | `"IfNotPresent"` | | | createtree.image.registry | string | `"ghcr.io"` | | | createtree.image.repository | string | `"sigstore/scaffolding/createtree"` | | -| createtree.image.version | string | `"sha256:eb1a94738f34964c7456d18d30b8a45a654af89bb5371f69b2403df373be0826"` | | +| createtree.image.version | string | `"sha256:c0cc90af73b71eaf0835c332d99834b669a36698c44c454835589bbc5acac478"` | | | createtree.name | string | `"createtree"` | | | createtree.nodeSelector | object | `{}` | | | createtree.securityContext.runAsNonRoot | bool | `true` | | 
@@ -73,7 +73,7 @@ Certificate Log | server.image.pullPolicy | string | `"IfNotPresent"` | | | server.image.registry | string | `"ghcr.io"` | | | server.image.repository | string | `"sigstore/scaffolding/ct_server"` | | -| server.image.version | string | `"sha256:e16f0a2be43a317a4c392cca24eec8c8fef06b0e836bc3545979ac0335fcf6f5"` | | +| server.image.version | string | `"sha256:60f76cc090a18f278b2e8cdd1f8901543455a8a6f3c3bcd7a4a3f1481534552a"` | | | server.ingress.annotations | object | `{}` | | | server.ingress.className | string | `"nginx"` | | | server.ingress.enabled | bool | `false` | | @@ -124,3 +124,6 @@ Certificate Log | trillian.logServer.name | string | `"trillian-logserver"` | | | trillian.logServer.portRPC | int | `8091` | | | trillian.namespace | string | `"trillian-system"` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) diff --git a/charts/ctlog/values.yaml b/charts/ctlog/values.yaml index b1351c41..1a85af98 100644 --- a/charts/ctlog/values.yaml +++ b/charts/ctlog/values.yaml @@ -13,8 +13,8 @@ server: registry: ghcr.io repository: sigstore/scaffolding/ct_server pullPolicy: IfNotPresent - # v0.6.17 - version: sha256:e16f0a2be43a317a4c392cca24eec8c8fef06b0e836bc3545979ac0335fcf6f5 + # v0.7.8 + version: sha256:60f76cc090a18f278b2e8cdd1f8901543455a8a6f3c3bcd7a4a3f1481534552a livenessProbe: httpGet: path: /healthz @@ -100,8 +100,8 @@ createtree: registry: ghcr.io repository: sigstore/scaffolding/createtree pullPolicy: IfNotPresent - # v0.6.17 - version: sha256:eb1a94738f34964c7456d18d30b8a45a654af89bb5371f69b2403df373be0826 + # v0.7.8 + version: sha256:c0cc90af73b71eaf0835c332d99834b669a36698c44c454835589bbc5acac478 ttlSecondsAfterFinished: 3600 serviceAccount: create: true 
@@ -125,15 +125,15 @@ createctconfig: curl: registry: docker.io repository: curlimages/curl - # -- 8.5.0 - version: "sha256:4bfa3e2c0164fb103fb9bfd4dc956facce32b6c5d47cc09fcec883ce9535d5ac" + # -- 8.9.1 + version: sha256:8addc281f0ea517409209f76832b6ddc2cabc3264feb1ebbec2a2521ffad24e4 imagePullPolicy: IfNotPresent image: registry: ghcr.io repository: sigstore/scaffolding/createctconfig pullPolicy: IfNotPresent - # -- v0.6.17 - version: sha256:a891233c7f54a11025a4cac6119ba4aeea4f643c2012ff30e921aeca8a32d6db + # -- v0.7.8 + version: sha256:d72a616f53005c51dd0f3fa40848e5149d23fb1c3dd216525f54d54dcca36b49 fulcioURL: "http://fulcio-server.fulcio-system.svc" logPrefix: sigstorescaffolding privateKeyPasswordSecretName: "" diff --git a/charts/fulcio/Chart.lock b/charts/fulcio/Chart.lock index 1e17caad..7112039a 100644 --- a/charts/fulcio/Chart.lock +++ b/charts/fulcio/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: ctlog repository: https://sigstore.github.io/helm-charts - version: 0.2.53 -digest: sha256:84690bb522e33e91b86eb0d61028597a0744d2effcfdcc9e0e6279dac53bf139 -generated: "2024-05-24T11:12:04.997965-04:00" + version: 0.2.56 +digest: sha256:48d5abee9df97033c523c51f0bd6b58adac1b23bc63705c43a548f332eee1bc5 +generated: "2024-09-03T10:46:06.600740798-04:00" diff --git a/charts/fulcio/Chart.yaml b/charts/fulcio/Chart.yaml index 7f021713..be9f63a1 100644 --- a/charts/fulcio/Chart.yaml +++ b/charts/fulcio/Chart.yaml @@ -5,8 +5,8 @@ description: | type: application -version: 2.3.22 -appVersion: 1.5.1 +version: 2.6.0 +appVersion: 1.6.4 keywords: - security @@ -19,7 +19,7 @@ maintainers: dependencies: - name: ctlog - version: 0.2.53 + version: 0.2.56 repository: https://sigstore.github.io/helm-charts condition: ctlog.enabled 
@@ -27,6 +27,6 @@ annotations: artifacthub.io/license: Apache-2.0 artifacthub.io/images: | - name: fulcio - image: gcr.io/projectsigstore/fulcio:v1.5.1@sha256:17b914c4a1d05871e3353630b3516b106b653839587aa496d0f96b6e857c8714 + image: gcr.io/projectsigstore/fulcio:v1.6.4@sha256:4b2a0f0877095aa36898af70edd00568158f89e015f6bb7f02475660d0924f3b - name: createcerts - image: ghcr.io/sigstore/scaffolding/createcerts:v0.6.17@sha256:2aaea38198d25ee53fb1f6da79eaa75c24bcc4ef81792a68687ba2ae0dc8ccf6 + image: ghcr.io/sigstore/scaffolding/createcerts:v0.7.8@sha256:c9c76a4a383ded6ec062e0185dd8e334192af1adcb60ab61bb88f87420a5b7ca diff --git a/charts/fulcio/README.md b/charts/fulcio/README.md index 63d3bc00..b206d29f 100644 --- a/charts/fulcio/README.md +++ b/charts/fulcio/README.md @@ -2,7 +2,7 @@ -![Version: 2.3.22](https://img.shields.io/badge/Version-2.3.22-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.1](https://img.shields.io/badge/AppVersion-1.5.1-informational?style=flat-square) +![Version: 2.6.0](https://img.shields.io/badge/Version-2.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square) Fulcio is a free code signing Certificate Authority, built to make short-lived certificates available to anyone. 
@@ -71,20 +71,21 @@ helm uninstall [RELEASE_NAME] | Repository | Name | Version | |------------|------|---------| -| https://sigstore.github.io/helm-charts | ctlog | 0.2.53 | +| https://sigstore.github.io/helm-charts | ctlog | 0.2.56 | ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| | config.contents | object | `{}` | | +| config.format | string | `"json"` | | | createcerts.affinity | object | `{}` | | | createcerts.annotations | object | `{}` | | | createcerts.enabled | bool | `true` | | | createcerts.image.pullPolicy | string | `"IfNotPresent"` | | | createcerts.image.registry | string | `"ghcr.io"` | | | createcerts.image.repository | string | `"sigstore/scaffolding/createcerts"` | | -| createcerts.image.version | string | `"sha256:2aaea38198d25ee53fb1f6da79eaa75c24bcc4ef81792a68687ba2ae0dc8ccf6"` | | +| createcerts.image.version | string | `"sha256:c9c76a4a383ded6ec062e0185dd8e334192af1adcb60ab61bb88f87420a5b7ca"` | | | createcerts.name | string | `"createcerts"` | | | createcerts.nodeSelector | object | `{}` | | | createcerts.replicaCount | int | `1` | | 
@@ -120,11 +121,13 @@ helm uninstall [RELEASE_NAME] | server.args.grpcPort | int | `5554` | | | server.args.hsm_caroot_id | string | `nil` | | | server.args.port | int | `5555` | | +| server.awsKmsCredentialsSecretName | string | `"aws-kms-credentials"` | kubernetes secret name containing IAM credentials for use with AWS KMS | +| server.awsKmsRegion | string | `"us-east-1"` | AWS region if using AWS KMS for signing key | | server.grpcSvcPort | int | `5554` | | | server.image.pullPolicy | string | `"IfNotPresent"` | | | server.image.registry | string | `"gcr.io"` | | | server.image.repository | string | `"projectsigstore/fulcio"` | | -| server.image.version | string | `"sha256:17b914c4a1d05871e3353630b3516b106b653839587aa496d0f96b6e857c8714"` | v1.5.1 | +| server.image.version | string | `"sha256:4b2a0f0877095aa36898af70edd00568158f89e015f6bb7f02475660d0924f3b"` | v1.6.4 | | server.ingress.grpc.annotations."nginx.ingress.kubernetes.io/backend-protocol" | string | `"GRPC"` | | | server.ingress.grpc.className | string | `""` | | | server.ingress.grpc.enabled | bool | `false` | | @@ -155,6 +158,7 @@ helm uninstall [RELEASE_NAME] | server.ingresses[0].name | string | `"gce-ingress"` | | | server.ingresses[0].staticGlobalIP | string | `"lb-ext-ip"` | | | server.ingresses[0].tls | list | `[]` | | +| server.kmsType | string | `"none"` | KMS type for signing key (possible values: "" / "none", "aws") | | server.logging.production | bool | `false` | | | server.name | string | `"server"` | | | server.nodeSelector | object | `{}` | | diff --git a/charts/fulcio/templates/_helpers.tpl b/charts/fulcio/templates/_helpers.tpl index 5eb25f0b..7ed42094 100644 --- a/charts/fulcio/templates/_helpers.tpl +++ b/charts/fulcio/templates/_helpers.tpl 
@@ -173,3 +173,22 @@ Return the contents for fulcio config. } {{- end -}} {{- end -}} + +{{/* +Return the contents for fulcio config yaml format. +*/}} +{{- define "fulcio.configmap.yaml" -}} +{{- if .Values.config.contents -}} +{{- toYaml .Values.config.contents }} +{{- else -}} +oidc-issuers: + https://kubernetes.default.svc: + issuer-url: https://kubernetes.default.svc + client-id: sigstore + type: kubernetes +meta-issuers: + https://kubernetes.*.svc: + client-id: sigstore + type: kubernetes +{{- end -}} +{{- end -}} diff --git a/charts/fulcio/templates/fulcio-configmap.yaml b/charts/fulcio/templates/fulcio-configmap.yaml index f8d30721..00c5d5fd 100644 --- a/charts/fulcio/templates/fulcio-configmap.yaml +++ b/charts/fulcio/templates/fulcio-configmap.yaml @@ -6,8 +6,17 @@ metadata: labels: {{- include "fulcio.labels" . | nindent 4 }} data: +# We now expect a new field "format" for checking the format of the +# config's content. +# If the field format is empty, the default case is consider that is a +# json or is empty and should use the defaults as defined on the file _helpers.tpl +{{- if eq .Values.config.format "yaml"}} + config.yaml: |- +{{ include "fulcio.configmap.yaml" . | indent 4 }} +{{- else }} config.json: |- {{ include "fulcio.configmap.contents" . | indent 4 }} +{{- end }} {{- if (eq .Values.server.args.certificateAuthority "kmsca")}} chain.pem: {{.Values.server.args.kms_cert_chain | quote }} {{- end }} diff --git a/charts/fulcio/templates/fulcio-deployment.yaml b/charts/fulcio/templates/fulcio-deployment.yaml index 41529882..1cd83b42 100644 --- a/charts/fulcio/templates/fulcio-deployment.yaml +++ b/charts/fulcio/templates/fulcio-deployment.yaml 
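Review bot: The four-line comment added under `data:` in fulcio-configmap.yaml is hard to read ("the default case is consider that is a json or is empty") and sits at column 0 inside the mapping, where it looks like a stray top-level line. Suggest replacing it with a single comment at the indentation of `data:`, `# config.format selects the key: "yaml" renders config.yaml from fulcio.configmap.yaml; anything else (including the "json" default) renders config.json from fulcio.configmap.contents.` The comparison `eq .Values.config.format "yaml"` is case-sensitive and unvalidated, so a value such as `YAML` or `yml` silently falls back to JSON; the deployment's `--config-path` uses the same expression so the two stay consistent, but a `fail` guard here, or an enum in values.schema.json, would surface the typo instead.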
@@ -63,6 +63,7 @@ spec: - "--kms-cert-chain-path=/etc/fulcio-config/chain.pem" {{- end }} - "--ct-log-url={{ if .Values.server.args.disable_ct_log }}{{ else if .Values.server.args.ct_log_url }}{{ .Values.server.args.ct_log_url }}{{ else }}http://{{ .Values.ctlog.name }}.{{ .Values.ctlog.namespace.name }}.svc/{{ .Values.ctlog.createctconfig.logPrefix }}{{ end }}" + - '--config-path=/etc/fulcio-config/config.{{- if eq .Values.config.format "yaml"}}yaml{{- else }}json{{- end }}' {{- if .Values.server.grpcSvcTLS }} - "--grpc-tls-certificate=/var/run/grpc-tls/cert.pem" - "--grpc-tls-key=/var/run/grpc-tls/key.pem" @@ -70,14 +71,28 @@ spec: {{- range .Values.server.extraArgs }} - {{ . | quote }} {{- end }} - {{- if eq .Values.server.args.certificateAuthority "fileca" }} env: + {{- if eq .Values.server.args.certificateAuthority "fileca" }} - name: PASSWORD valueFrom: secretKeyRef: name: {{ .Values.server.secret }} key: password - {{- end }} + {{- end }} + {{- if and (eq .Values.server.args.certificateAuthority "kmsca") (eq .Values.server.kmsType "aws") }} + - name: AWS_DEFAULT_REGION + value: {{ .Values.server.awsKmsRegion }} + - name: AWS_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: {{ .Values.server.awsKmsCredentialsSecretName }} + key: accessKeyId + - name: AWS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: {{ .Values.server.awsKmsCredentialsSecretName }} + key: secretAccessKey + {{- end }} livenessProbe: failureThreshold: 3 httpGet: diff --git a/charts/fulcio/values.schema.json b/charts/fulcio/values.schema.json index b653bcbb..f0900e38 100644 --- a/charts/fulcio/values.schema.json +++ b/charts/fulcio/values.schema.json @@ -6,6 +6,9 @@ "contents": { "properties": {}, "type": "object" + }, + "format": { + "type": "string" } }, "type": "object" @@ -198,6 +201,12 @@ }, "type": "object" }, + "awsKmsCredentialsSecretName": { + "type": "string" + }, + "awsKmsRegion": { + "type": "string" + }, "grpcSvcPort": { "type": "integer" }, 
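Review bot: The new `kmsType == "aws"` branch injects long-lived static IAM credentials into the Fulcio CA pod as `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` from a Secret, the weakest option for a key that signs certificates; Fulcio reaches KMS through the AWS SDK, which as far as I know also honours web-identity credentials (IRSA / EKS Pod Identity) bound to the ServiceAccount, needing no secret material in the cluster. At minimum make the static path opt-in by wrapping the two `secretKeyRef` entries in `{{- if .Values.server.awsKmsCredentialsSecretName }}` … `{{- end }}`, so IRSA users are not forced to create a placeholder Secret — the `secretKeyRef` is non-optional, so a missing Secret blocks pod start today. Also quote the region, `value: {{ .Values.server.awsKmsRegion | quote }}`, since an unquoted templated scalar is re-parsed by YAML rather than taken literally. The container spec this env block belongs to starts before and continues past the hunk.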
@@ -403,6 +412,9 @@ }, "type": "array" }, + "kmsType": { + "type": "string" + }, "logging": { "properties": { "production": { diff --git a/charts/fulcio/values.yaml b/charts/fulcio/values.yaml index 29f75751..e3e58c6c 100644 --- a/charts/fulcio/values.yaml +++ b/charts/fulcio/values.yaml @@ -6,22 +6,29 @@ imagePullSecrets: [] config: contents: {} + format: json server: replicaCount: 1 name: server svcPort: 80 grpcSvcPort: 5554 + # -- KMS type for signing key (possible values: "" / "none", "aws") + kmsType: none secret: fulcio-server-secret + # -- kubernetes secret name containing IAM credentials for use with AWS KMS + awsKmsCredentialsSecretName: aws-kms-credentials + # -- AWS region if using AWS KMS for signing key + awsKmsRegion: us-east-1 logging: production: false image: registry: gcr.io repository: projectsigstore/fulcio pullPolicy: IfNotPresent - # crane digest gcr.io/projectsigstore/fulcio:v1.5.1 - # -- v1.5.1 - version: sha256:17b914c4a1d05871e3353630b3516b106b653839587aa496d0f96b6e857c8714 + # crane digest gcr.io/projectsigstore/fulcio:v1.6.4 + # -- v1.6.4 + version: sha256:4b2a0f0877095aa36898af70edd00568158f89e015f6bb7f02475660d0924f3b args: port: 5555 grpcPort: 5554 @@ -116,8 +123,8 @@ createcerts: registry: ghcr.io repository: sigstore/scaffolding/createcerts pullPolicy: IfNotPresent - # v0.6.17 - version: sha256:2aaea38198d25ee53fb1f6da79eaa75c24bcc4ef81792a68687ba2ae0dc8ccf6 + # v0.7.8 + version: sha256:c9c76a4a383ded6ec062e0185dd8e334192af1adcb60ab61bb88f87420a5b7ca ttlSecondsAfterFinished: 3600 serviceAccount: create: true diff --git a/charts/policy-controller/Chart.yaml b/charts/policy-controller/Chart.yaml index 0ad3c0fd..905f212e 100644 --- a/charts/policy-controller/Chart.yaml +++ b/charts/policy-controller/Chart.yaml @@ -8,7 +8,7 @@ sources: type: application name: policy-controller -version: 0.6.8 +version: 0.7.0 appVersion: 0.8.2 maintainers: 
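Review bot: `kmsType` is declared as a free-form `"type": "string"`, yet the deployment template acts only on the exact value `aws` and otherwise configures no KMS credentials at all, so a typo such as `AWS` or `aws-kms` passes schema validation and produces a pod that cannot reach the key. Constrain it with `"enum": ["", "none", "aws"]` so `helm lint`/`helm install` reject unknown values. The same applies to `config.format` added in the first hunk of this file, where `"enum": ["json", "yaml"]` would stop e.g. `yml` from quietly falling back to the JSON config.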
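Review bot: The `awsKmsCredentialsSecretName` comment says the Secret holds IAM credentials but not which keys the deployment reads, so a user must open the template to learn that `accessKeyId` and `secretAccessKey` are required; since these `# --` comments become the README descriptions, that is where it should be stated. Suggest `# -- kubernetes secret with static IAM credentials for AWS KMS (keys: accessKeyId, secretAccessKey); only used when kmsType is "aws"` and, for the region, `# -- AWS region of the KMS key; only used when kmsType is "aws"`. It would also help to note that static keys are the fallback and that workload identity (IRSA / pod identity) is preferred for a CA signing key — as written, the Secret is mandatory whenever kmsType is `aws`, so that note only makes sense once the template allows leaving the name empty.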
diff --git a/charts/policy-controller/README.md b/charts/policy-controller/README.md index b9e1c651..a603ed62 100644 --- a/charts/policy-controller/README.md +++ b/charts/policy-controller/README.md 
@@ -1,77 +1,17 @@ # policy-controller -![Version: 0.6.8](https://img.shields.io/badge/Version-0.6.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.8.2](https://img.shields.io/badge/AppVersion-0.8.2-informational?style=flat-square) + + +![Version: 0.7.0](https://img.shields.io/badge/Version-0.7.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.8.2](https://img.shields.io/badge/AppVersion-0.8.2-informational?style=flat-square) The Helm chart for Policy Controller **Homepage:** -## Maintainers - -| Name | Email | Url | -| ---- | ------ | --- | -| dlorenc | | | -| hectorj2f | | | - ## Source Code * -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| commonAnnotations | object | `{}` | | -| commonNodeSelector | object | `{}` | | -| commonTolerations | list | `[]` | | -| cosign.cosignPub | string | `""` | | -| cosign.webhookName | string | `"policy.sigstore.dev"` | | -| imagePullSecrets | list | `[]` | | -| installCRDs | bool | `true` | | -| leasescleanup.image.pullPolicy | string | `"IfNotPresent"` | | -| leasescleanup.image.repository | string | `"cgr.dev/chainguard/kubectl"` | | -| leasescleanup.image.version | string | `"latest-dev"` | | -| loglevel | string | `"info"` | | -| serviceMonitor.enabled | bool | `false` | | -| webhook.configData | object | `{}` | | -| webhook.customLabels | object | `{}` | | -| webhook.env | object | `{}` | | -| webhook.extraArgs | object | `{}` | | -| webhook.failurePolicy | string | `"Fail"` | | -| webhook.image.pullPolicy | string | `"IfNotPresent"` | | -| webhook.image.repository | string | `"ghcr.io/sigstore/policy-controller/policy-controller"` | | -| webhook.image.version | string | `"sha256:f291fce5b9c1a69ba54990eda7e0fe4114043b1afefb0f4ee3e6f84ec9ef1605"` | `"v0.8.2"` | -| webhook.name | 
string | `"webhook"` | | -| webhook.namespaceSelector.matchExpressions[0].key | string | `"policy.sigstore.dev/include"` | | -| webhook.namespaceSelector.matchExpressions[0].operator | string | `"In"` | | -| webhook.namespaceSelector.matchExpressions[0].values[0] | string | `"true"` | | -| webhook.podDisruptionBudget.enabled | bool | `true` | | -| webhook.podDisruptionBudget.minAvailable | int | `1` | | -| webhook.podSecurityContext.allowPrivilegeEscalation | bool | `false` | | -| webhook.podSecurityContext.capabilities.drop[0] | string | `"ALL"` | | -| webhook.podSecurityContext.enabled | bool | `true` | | -| webhook.podSecurityContext.readOnlyRootFilesystem | bool | `true` | | -| webhook.podSecurityContext.runAsUser | int | `1000` | | -| webhook.registryCaBundle | object | `{}` | | -| webhook.replicaCount | int | `1` | | -| webhook.resources.limits.cpu | string | `"200m"` | | -| webhook.resources.limits.memory | string | `"512Mi"` | | -| webhook.resources.requests.cpu | string | `"100m"` | | -| webhook.resources.requests.memory | string | `"128Mi"` | | -| webhook.securityContext.enabled | bool | `false` | | -| webhook.securityContext.runAsUser | int | `65532` | | -| webhook.service.annotations | object | `{}` | | -| webhook.service.port | int | `443` | | -| webhook.service.type | string | `"ClusterIP"` | | -| webhook.serviceAccount.annotations | object | `{}` | | -| webhook.serviceAccount.create | bool | `true` | | -| webhook.serviceAccount.name | string | `""` | | -| webhook.volumeMounts | list | `[]` | | -| webhook.volumes | list | `[]` | | -| webhook.webhookNames.defaulting | string | `"defaulting.clusterimagepolicy.sigstore.dev"` | | -| webhook.webhookNames.validating | string | `"validating.clusterimagepolicy.sigstore.dev"` | | - - ### Deploy `policy-controller` Helm Chart Install `policy-controller` using Helm: 
@@ -182,7 +122,80 @@ Creating a deployment referencing images that are not signed will yield the foll pod/pod1-signed created ``` - ## More info You can find more information about the policy-controller in [here](https://docs.sigstore.dev/policy-controller/overview/). + +## Uninstallation + +To uninstall the Helm chart run following command. + +```shell +helm uninstall [RELEASE_NAME] +``` + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| dlorenc | | | +| hectorj2f | | | + +## Source Code + +* + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| commonAnnotations | object | `{}` | | +| commonNodeSelector | object | `{}` | | +| commonTolerations | list | `[]` | | +| cosign.cosignPub | string | `""` | | +| cosign.webhookName | string | `"policy.sigstore.dev"` | | +| imagePullSecrets | list | `[]` | | +| installCRDs | bool | `true` | | +| leasescleanup.image.pullPolicy | string | `"IfNotPresent"` | | +| leasescleanup.image.repository | string | `"cgr.dev/chainguard/kubectl"` | | +| leasescleanup.image.version | string | `"latest-dev"` | | +| loglevel | string | `"info"` | | +| serviceMonitor.enabled | bool | `false` | | +| webhook.configData | object | `{}` | | +| webhook.customLabels | object | `{}` | | +| webhook.env | object | `{}` | | +| webhook.extraArgs | object | `{}` | | +| webhook.failurePolicy | string | `"Fail"` | | +| webhook.image.pullPolicy | string | `"IfNotPresent"` | | +| webhook.image.repository | string | `"ghcr.io/sigstore/policy-controller/policy-controller"` | | +| webhook.image.version | string | `"sha256:f291fce5b9c1a69ba54990eda7e0fe4114043b1afefb0f4ee3e6f84ec9ef1605"` | | +| webhook.name | string | `"webhook"` | | +| webhook.namespaceSelector.matchExpressions[0].key | string | `"policy.sigstore.dev/include"` | | +| webhook.namespaceSelector.matchExpressions[0].operator | string | `"In"` | | +| webhook.namespaceSelector.matchExpressions[0].values[0] | string | `"true"` | | +| 
webhook.podAnnotations | object | `{}` | | +| webhook.podDisruptionBudget.enabled | bool | `true` | | +| webhook.podDisruptionBudget.minAvailable | int | `1` | | +| webhook.podSecurityContext.allowPrivilegeEscalation | bool | `false` | | +| webhook.podSecurityContext.capabilities.drop[0] | string | `"ALL"` | | +| webhook.podSecurityContext.enabled | bool | `true` | | +| webhook.podSecurityContext.readOnlyRootFilesystem | bool | `true` | | +| webhook.podSecurityContext.runAsUser | int | `1000` | | +| webhook.registryCaBundle | object | `{}` | | +| webhook.replicaCount | int | `1` | | +| webhook.resources.limits.cpu | string | `"200m"` | | +| webhook.resources.limits.memory | string | `"512Mi"` | | +| webhook.resources.requests.cpu | string | `"100m"` | | +| webhook.resources.requests.memory | string | `"128Mi"` | | +| webhook.securityContext.enabled | bool | `false` | | +| webhook.securityContext.runAsUser | int | `65532` | | +| webhook.service.annotations | object | `{}` | | +| webhook.service.port | int | `443` | | +| webhook.service.type | string | `"ClusterIP"` | | +| webhook.serviceAccount.annotations | object | `{}` | | +| webhook.serviceAccount.create | bool | `true` | | +| webhook.serviceAccount.name | string | `""` | | +| webhook.volumeMounts | list | `[]` | | +| webhook.volumes | list | `[]` | | +| webhook.webhookNames.defaulting | string | `"defaulting.clusterimagepolicy.sigstore.dev"` | | +| webhook.webhookNames.validating | string | `"validating.clusterimagepolicy.sigstore.dev"` | | diff --git a/charts/policy-controller/README.md.gotmpl b/charts/policy-controller/README.md.gotmpl new file mode 100644 index 00000000..123449b5 --- /dev/null +++ b/charts/policy-controller/README.md.gotmpl 
@@ -0,0 +1,148 @@ +{{ template "chart.header" . }} + + + +{{ template "chart.deprecationWarning" . }} + +{{ template "chart.badgesSection" . }} + +{{ template "chart.description" . }} + +{{ template "chart.homepageLine" . }} + +## Source Code + +* + + +### Deploy `policy-controller` Helm Chart + +Install `policy-controller` using Helm: + +```shell +helm repo add sigstore https://sigstore.github.io/helm-charts +helm repo update +kubectl create namespace cosign-system +helm install policy-controller -n cosign-system sigstore/policy-controller --devel +``` + +The `policy-controller` enforce images matching the defined list of `ClusterImagePolicy` for the labeled namespaces. + +Note that, by default, the `policy-controller` offers a configurable behavior defining whether to allow, deny or warn whenever an image does not match a policy in a specific namespace. This behavior can be configured using the `config-policy-controller` ConfigMap created under the release namespace, and by adding an entry with the property `no-match-policy` and its value `warn|allow|deny`. +By default, any image that does not match a policy is rejected whenever `no-match-policy` is not configured in the ConfigMap. + +As supported in previous versions, you could create your own key pair: + +```shell +export COSIGN_PASSWORD= +cosign generate-key-pair +``` + +This command generates two key files `cosign.key` and `cosign.pub`. Next, create a secret to validate the signatures: + +```shell +kubectl create secret generic mysecret -n \ +cosign-system --from-file=cosign.pub=./cosign.pub +``` + +**IMPORTANT:** The `cosign.secretKeyRef` flag is not supported anymore. Finally, you could reuse your secret `mysecret` by creating a `ClusterImagePolicy` that sets it as listed authorities, as shown below. 
+ +```yaml +apiVersion: policy.sigstore.dev/v1alpha1 +kind: ClusterImagePolicy +metadata: + name: cip-key-secret +spec: + images: + - glob: "**your-desired-value**" + authorities: + - key: + secretRef: + name: mysecret +``` +#### Configuring Custom Certificate Authorities (CA) + +The `policy-controller` can be configured to use custom CAs to communicate to container registries, for example, when you have a private registry with a self-signed TLS certificate. + +To configure `policy-controller` to use custom CAs, follow these steps: + +1. Make sure the `policy-controller` namespace exists: + + ```shell + kubectl create namespace cosign-system + ``` + +2. Create a bundle file with all the root and intermediate certificates and name it `ca-bundle.crt`. + +3. Create a `ConfigMap` from the bundle: + ```shell + kubectl -n cosign-system create cm ca-bundle-config \ + --from-file=ca-bundle.crt="ca-bundle.crt" + ``` + +4. Install the `policy-controller`: + + ```shell + helm install -n cosign-system \ + --set webhook.registryCaBundle.name=ca-bundle-config \ + --set webhook.registryCaBundle.key=ca-bundle.crt \ + policy-controller sigstore/policy-controller + ``` + +### Enabling Admission control + +To enable the `policy admission webhook` to check for signed images, you will need to add the following label in each namespace that you would want the webhook triggered: + +Label: `policy.sigstore.dev/include: "true"` + +```yaml +apiVersion: v1 +kind: Namespace +metadata: + labels: + policy.sigstore.dev/include: "true" + kubernetes.io/metadata.name: my-namespace + name: my-namespace +spec: + finalizers: + - kubernetes +``` + +### Testing the webhook + +1. 
Using Unsigned Images: +Creating a deployment referencing images that are not signed will yield the following error and no resources will be created: + + ```shell + kubectl apply -f my-deployment.yaml + Error from server (BadRequest): error when creating "my-deployment.yaml": admission webhook "policy.sigstore.dev" denied the request: validation failed: invalid image signature: spec.template.spec.containers[0].image + ``` + +2. Using Signed Images: Assuming a signed `nginx` image with a tag `signed` exists on a registry, the resource will be successfully created. + + ```shell + kubectl run pod1-signed --image=< REGISTRY_USER >/nginx:signed -n testns + pod/pod1-signed created + ``` + + +## More info + +You can find more information about the policy-controller in [here](https://docs.sigstore.dev/policy-controller/overview/). + + +## Uninstallation + +To uninstall the Helm chart run following command. + +```shell +helm uninstall [RELEASE_NAME] +``` + +{{ template "chart.maintainersSection" . }} + +{{ template "chart.sourcesSection" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} diff --git a/charts/policy-controller/templates/webhook/deployment_webhook.yaml b/charts/policy-controller/templates/webhook/deployment_webhook.yaml index 54fd36d6..0474b7c1 100644 --- a/charts/policy-controller/templates/webhook/deployment_webhook.yaml +++ b/charts/policy-controller/templates/webhook/deployment_webhook.yaml @@ -14,6 +14,10 @@ spec: control-plane: {{ template "policy-controller.fullname" . }}-webhook template: metadata: + {{- with .Values.webhook.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} labels: control-plane: {{ template "policy-controller.fullname" . }}-webhook {{- include "policy-controller.labels" . | nindent 8 }} diff --git a/charts/policy-controller/values.schema.json b/charts/policy-controller/values.schema.json index f2e2faab..a6fc34ef 100644 
--- a/charts/policy-controller/values.schema.json +++ b/charts/policy-controller/values.schema.json @@ -118,6 +118,9 @@ } } }, + "podAnnotations": { + "type": "object" + }, "podDisruptionBudget": { "type": "object", "properties": { diff --git a/charts/policy-controller/values.yaml b/charts/policy-controller/values.yaml index c9627e3a..6ee8023a 100644 --- a/charts/policy-controller/values.yaml +++ b/charts/policy-controller/values.yaml @@ -32,6 +32,7 @@ webhook: enabled: false runAsUser: 65532 failurePolicy: Fail + podAnnotations: {} podSecurityContext: enabled: true allowPrivilegeEscalation: false diff --git a/charts/rekor/Chart.yaml b/charts/rekor/Chart.yaml index 82fd73d8..6dcdddf9 100644 --- a/charts/rekor/Chart.yaml +++ b/charts/rekor/Chart.yaml @@ -4,7 +4,7 @@ description: Part of the sigstore project, Rekor is a timestamping server and tr type: application -version: 1.4.3 +version: 1.5.0 appVersion: 1.3.6 keywords: @@ -19,7 +19,7 @@ maintainers: dependencies: - name: trillian - version: 0.2.24 + version: 0.2.27 repository: https://sigstore.github.io/helm-charts condition: trillian.enabled 
@@ -27,12 +27,16 @@ annotations: artifacthub.io/license: Apache-2.0 artifacthub.io/images: | - name: createtree - image: ghcr.io/sigstore/scaffolding/createtree:v0.6.17@sha256:eb1a94738f34964c7456d18d30b8a45a654af89bb5371f69b2403df373be0826 + image: ghcr.io/sigstore/scaffolding/createtree:v0.7.8@sha256:c0cc90af73b71eaf0835c332d99834b669a36698c44c454835589bbc5acac478 - name: curlimages/curl - image: docker.io/curlimages/curl:8.5.0@sha256:4bfa3e2c0164fb103fb9bfd4dc956facce32b6c5d47cc09fcec883ce9535d5ac + image: docker.io/curlimages/curl:8.9.1@sha256:8addc281f0ea517409209f76832b6ddc2cabc3264feb1ebbec2a2521ffad24e4 - name: rekor-server image: gcr.io/projectsigstore/rekor-server:v1.3.6@sha256:1237f29e2105d7f5451bbe15a3aca8677ddd1bb80620ca2fd06f74262437cf51 - name: redis - image: docker.io/redis:6.2.14-alpine3.19@sha256:c5a607fb6e1bb15d32bbcf14db22787d19e428d59e31a5da67511b49bb0f1ccc + image: docker.io/redis:6.2.14-alpine3.20@sha256:e3b17ba9479deec4b7d1eeec1548a253acc5374d68d3b27937fcfe4df8d18c7e - name: backfill-redis image: ghcr.io/sigstore/rekor/backfill-redis:v1.3.6@sha256:a13cd8b2a554d6116888fd1f383cf6e91fc1716df5eda392b82e6bfc66995ec3 + - name: scaffold_cloud_proxy + image: ghcr.io/sigstore/scaffolding/cloudsqlproxy:v0.7.8@sha256:8a7539e248d38628799934e7f1c890083c90e4242e2b0feec4c352fda2574184 + - name: cloud_proxy + image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.12.0-alpine@sha256:a3843521730914f074f364c5bec608319ebeb5e66da9314ba45b16cd8223547f diff --git a/charts/rekor/README.md b/charts/rekor/README.md index b52f2333..2ce39d48 100644 --- a/charts/rekor/README.md +++ b/charts/rekor/README.md 
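Review bot: The two new `artifacthub.io/images` entries are named in snake_case (`scaffold_cloud_proxy`, `cloud_proxy`) while the existing entries in the same list use hyphens (`rekor-server`, `backfill-redis`). Rename them `scaffold-cloud-proxy` and `cloud-proxy` so the list stays consistent; the names are metadata only, and no template in this diff depends on them.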
@@ -1,6 +1,6 @@ # rekor -![Version: 1.4.3](https://img.shields.io/badge/Version-1.4.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.6](https://img.shields.io/badge/AppVersion-1.3.6-informational?style=flat-square) +![Version: 1.5.0](https://img.shields.io/badge/Version-1.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.6](https://img.shields.io/badge/AppVersion-1.3.6-informational?style=flat-square) Part of the sigstore project, Rekor is a timestamping server and transparency log for storing signatures, as well as an API based server for validation @@ -20,7 +20,7 @@ Part of the sigstore project, Rekor is a timestamping server and transparency lo | Repository | Name | Version | |------------|------|---------| -| https://sigstore.github.io/helm-charts | trillian | 0.2.24 | +| https://sigstore.github.io/helm-charts | trillian | 0.2.27 | ## Values @@ -48,7 +48,7 @@ Part of the sigstore project, Rekor is a timestamping server and transparency lo | createtree.image.pullPolicy | string | `"IfNotPresent"` | | | createtree.image.registry | string | `"ghcr.io"` | | | createtree.image.repository | string | `"sigstore/scaffolding/createtree"` | | -| createtree.image.version | string | `"sha256:eb1a94738f34964c7456d18d30b8a45a654af89bb5371f69b2403df373be0826"` | | +| createtree.image.version | string | `"sha256:c0cc90af73b71eaf0835c332d99834b669a36698c44c454835589bbc5acac478"` | | | createtree.name | string | `"createtree"` | | | createtree.nodeSelector | object | `{}` | | | createtree.resources | object | `{}` | | 
@@ -64,11 +64,11 @@ Part of the sigstore project, Rekor is a timestamping server and transparency lo | initContainerImage.curl.imagePullPolicy | string | `"IfNotPresent"` | | | initContainerImage.curl.registry | string | `"docker.io"` | | | initContainerImage.curl.repository | string | `"curlimages/curl"` | | -| initContainerImage.curl.version | string | `"sha256:4bfa3e2c0164fb103fb9bfd4dc956facce32b6c5d47cc09fcec883ce9535d5ac"` | 8.5.0 | +| initContainerImage.curl.version | string | `"sha256:8addc281f0ea517409209f76832b6ddc2cabc3264feb1ebbec2a2521ffad24e4"` | 8.9.1 | | initContainerResources | object | `{}` | | | mysql.enabled | bool | `false` | | | mysql.gcp.cloudsql.registry | string | `"gcr.io"` | | -| mysql.gcp.cloudsql.repository | string | `"cloud-sql-connectors/cloud-sql-proxy:2.9.0-alpine"` | | +| mysql.gcp.cloudsql.repository | string | `"cloud-sql-connectors/cloud-sql-proxy:2.12.0-alpine"` | | | mysql.gcp.cloudsql.resources.requests.cpu | string | `"1"` | | | mysql.gcp.cloudsql.resources.requests.memory | string | `"2Gi"` | | | mysql.gcp.cloudsql.securityContext.allowPrivilegeEscalation | bool | `false` | | @@ -77,7 +77,7 @@ Part of the sigstore project, Rekor is a timestamping server and transparency lo | mysql.gcp.cloudsql.securityContext.runAsNonRoot | bool | `true` | | | mysql.gcp.cloudsql.unixDomainSocket.enabled | bool | `false` | | | mysql.gcp.cloudsql.unixDomainSocket.path | string | `"/cloudsql"` | | -| mysql.gcp.cloudsql.version | string | `"sha256:40a7b65ad15ce73666ddf8f79a7651b59477688c27e22fd47aa59bb9b39757d9"` | crane digest gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.9.0-alpine | +| mysql.gcp.cloudsql.version | string | `"sha256:a3843521730914f074f364c5bec608319ebeb5e66da9314ba45b16cd8223547f"` | crane digest gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.12.0-alpine | | mysql.gcp.enabled | bool | `false` | | | mysql.gcp.instance | string | `""` | | | mysql.gcp.scaffoldSQLProxy.registry | string | `"ghcr.io"` | | 
@@ -88,7 +88,7 @@ Part of the sigstore project, Rekor is a timestamping server and transparency lo | mysql.gcp.scaffoldSQLProxy.securityContext.capabilities.drop[0] | string | `"ALL"` | | | mysql.gcp.scaffoldSQLProxy.securityContext.readOnlyRootFilesystem | bool | `true` | | | mysql.gcp.scaffoldSQLProxy.securityContext.runAsNonRoot | bool | `true` | | -| mysql.gcp.scaffoldSQLProxy.version | string | `"sha256:7cf71a5173283a5102e4765a829205007dd171511d6f8715f45b7179411ea2e2"` | v0.6.17 which is based on cloud-sql-proxy:2.9.0-alpine | +| mysql.gcp.scaffoldSQLProxy.version | string | `"sha256:8a7539e248d38628799934e7f1c890083c90e4242e2b0feec4c352fda2574184"` | v0.7.8 which is based on cloud-sql-proxy:2.12.0-alpine | | mysql.hostname | string | `""` | | | mysql.image.pullPolicy | string | `"IfNotPresent"` | | | mysql.image.registry | string | `"gcr.io"` | | @@ -109,7 +109,7 @@ Part of the sigstore project, Rekor is a timestamping server and transparency lo | redis.image.pullPolicy | string | `"IfNotPresent"` | | | redis.image.registry | string | `"docker.io"` | | | redis.image.repository | string | `"redis"` | | -| redis.image.version | string | `"sha256:c5a607fb6e1bb15d32bbcf14db22787d19e428d59e31a5da67511b49bb0f1ccc"` | 6.2.14-alpine3.19 | +| redis.image.version | string | `"sha256:e3b17ba9479deec4b7d1eeec1548a253acc5374d68d3b27937fcfe4df8d18c7e"` | 6.2.14-alpine3.20 | | redis.name | string | `"redis"` | | | redis.nodeSelector | object | `{}` | | | redis.port | int | `6379` | | 
@@ -144,6 +144,8 @@ Part of the sigstore project, Rekor is a timestamping server and transparency lo | server.attestation_storage.persistence.size | string | `"5Gi"` | | | server.attestation_storage.persistence.storageClass | string | `""` | | | server.attestation_storage.persistence.subPath | string | `""` | | +| server.awsKmsCredentialsSecretName | string | `"aws-kms-credentials"` | kubernetes secret name containing IAM credentials for use with AWS KMS | +| server.awsKmsRegion | string | `"us-east-1"` | AWS region if using AWS KMS for signing key | | server.config.key | string | `"treeID"` | | | server.config.treeID | string | `""` | | | server.enabled | bool | `true` | | @@ -170,6 +172,7 @@ Part of the sigstore project, Rekor is a timestamping server and transparency lo | server.ingresses[0].name | string | `"gce-ingress"` | | | server.ingresses[0].staticGlobalIP | string | `"lb-ext-ip"` | | | server.ingresses[0].tls | list | `[]` | | +| server.kmsType | string | `"none"` | KMS type for signing key (possible values: "" / "none", "aws") | | server.livenessProbe.failureThreshold | int | `3` | | | server.livenessProbe.httpGet.path | string | `"/ping"` | | | server.livenessProbe.httpGet.port | int | `3000` | | @@ -230,4 +233,4 @@ Part of the sigstore project, Rekor is a timestamping server and transparency lo | trillian.namespace.name | string | `"trillian-system"` | | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) +Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) diff --git a/charts/rekor/templates/server/createtree-job.yaml b/charts/rekor/templates/server/createtree-job.yaml index 82b7f1a7..eb961809 100644 --- a/charts/rekor/templates/server/createtree-job.yaml +++ b/charts/rekor/templates/server/createtree-job.yaml 
@@ -50,3 +50,15 @@ spec:
 securityContext:
 {{ toYaml .Values.createtree.securityContext | indent 8 }}
 {{- end }}
+ {{- if .Values.createtree.nodeSelector }}
+ nodeSelector:
+{{ toYaml .Values.createtree.nodeSelector | indent 8 }}
+ {{- end }}
+ {{- if .Values.createtree.tolerations }}
+ tolerations:
+{{ toYaml .Values.createtree.tolerations | indent 8 }}
+ {{- end }}
+ {{- if .Values.createtree.affinity }}
+ affinity:
+{{ toYaml .Values.createtree.affinity | indent 8 }}
+ {{- end }}
diff --git a/charts/rekor/templates/server/deployment.yaml b/charts/rekor/templates/server/deployment.yaml
index 570e45b7..19a214a0 100644
--- a/charts/rekor/templates/server/deployment.yaml
+++ b/charts/rekor/templates/server/deployment.yaml
@@ -104,6 +104,20 @@ spec:
 {{- if eq (.Values.server.searchIndex).storageProvider "mysql" }}
 {{- include "searchIndex.mysql.envCredentials" . | indent 12 }}
 {{- end }}
+ {{- if eq .Values.server.kmsType "aws" }}
+ - name: AWS_DEFAULT_REGION
+ value: {{ .Values.server.awsKmsRegion }}
+ - name: AWS_ACCESS_KEY_ID
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.server.awsKmsCredentialsSecretName }}
+ key: accessKeyId
+ - name: AWS_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.server.awsKmsCredentialsSecretName }}
+ key: secretAccessKey
+ {{- end }}
 args:
 {{ include "rekor.server.args" . | indent 12 }}
 ports:
diff --git a/charts/rekor/values.schema.json b/charts/rekor/values.schema.json
index 969f44f7..ff66b3d6 100644
--- a/charts/rekor/values.schema.json
+++ b/charts/rekor/values.schema.json
@@ -554,6 +554,12 @@
 },
 "type": "object"
 },
+ "awsKmsCredentialsSecretName": {
+ "type": "string"
+ },
+ "awsKmsRegion": {
+ "type": "string"
+ },
 "config": {
 "properties": {
 "key": {
@@ -698,6 +704,9 @@
 },
 "type": "array"
 },
+ "kmsType": {
+ "type": "string"
+ },
 "livenessProbe": {
 "properties": {
 "failureThreshold": {
diff --git a/charts/rekor/values.yaml b/charts/rekor/values.yaml
index e04de60f..c6e80b72 100644
--- a/charts/rekor/values.yaml
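Review bot: The added `tolerations` and `affinity` blocks read `.Values.createtree.tolerations` and `.Values.createtree.affinity`, but no hunk in this commit adds those keys to charts/rekor/values.yaml or values.schema.json, and whether they already exist there is not visible here. If the schema does not declare them, a strict schema rejects any attempt to set them and the two blocks are unreachable; if it does, they still deserve `tolerations: []` / `affinity: {}` defaults with helm-docs comments so the regenerated README lists them next to `createtree.nodeSelector`. The pod spec these keys belong to starts outside the hunk.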
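Review bot: `value: {{ .Values.server.awsKmsRegion }}` renders the region unquoted; container env values must be strings, so an override that YAML types differently or an empty value yields an invalid pod spec — emit it as `value: {{ .Values.server.awsKmsRegion | quote }}`. The block also makes static IAM keys mandatory: with `kmsType: aws` the Secret named by `awsKmsCredentialsSecretName` must exist even on clusters that give the pod AWS identity through its service account (IRSA / Pod Identity), where no long-lived access keys are needed and keeping them in a Secret only widens exposure. Gating the two `secretKeyRef` entries on the secret name being non-empty keeps the default behaviour (the default name is non-empty) while letting those clusters set it to `""`. Whether `rekor.server.args` switches the signer to an awskms URI when `kmsType` is `aws` is not visible in this hunk, and the `env` list starts outside it.
```yaml
{{- if eq .Values.server.kmsType "aws" }}
- name: AWS_DEFAULT_REGION
  value: {{ .Values.server.awsKmsRegion | quote }}
{{- if .Values.server.awsKmsCredentialsSecretName }}
- name: AWS_ACCESS_KEY_ID
  valueFrom:
    secretKeyRef:
      name: {{ .Values.server.awsKmsCredentialsSecretName | quote }}
      key: accessKeyId
- name: AWS_SECRET_ACCESS_KEY
  valueFrom:
    secretKeyRef:
      name: {{ .Values.server.awsKmsCredentialsSecretName | quote }}
      key: secretAccessKey
{{- end }}
{{- end }}
# … unchanged: args / ports …
```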
+++ b/charts/rekor/values.yaml @@ -7,8 +7,8 @@ initContainerImage: curl: registry: docker.io repository: curlimages/curl - # -- 8.5.0 - version: "sha256:4bfa3e2c0164fb103fb9bfd4dc956facce32b6c5d47cc09fcec883ce9535d5ac" + # -- 8.9.1 + version: sha256:8addc281f0ea517409209f76832b6ddc2cabc3264feb1ebbec2a2521ffad24e4 imagePullPolicy: IfNotPresent initContainerResources: {} @@ -27,8 +27,8 @@ redis: registry: docker.io repository: redis pullPolicy: IfNotPresent - # -- 6.2.14-alpine3.19 - version: "sha256:c5a607fb6e1bb15d32bbcf14db22787d19e428d59e31a5da67511b49bb0f1ccc" + # -- 6.2.14-alpine3.20 + version: "sha256:e3b17ba9479deec4b7d1eeec1548a253acc5374d68d3b27937fcfe4df8d18c7e" resources: {} readinessProbe: initialDelaySeconds: 5 @@ -64,8 +64,8 @@ mysql: scaffoldSQLProxy: registry: ghcr.io repository: sigstore/scaffolding/cloudsqlproxy - # -- v0.6.17 which is based on cloud-sql-proxy:2.9.0-alpine - version: sha256:7cf71a5173283a5102e4765a829205007dd171511d6f8715f45b7179411ea2e2 + # -- v0.7.8 which is based on cloud-sql-proxy:2.12.0-alpine + version: sha256:8a7539e248d38628799934e7f1c890083c90e4242e2b0feec4c352fda2574184 resources: requests: memory: "2Gi" @@ -79,9 +79,9 @@ mysql: - ALL cloudsql: registry: gcr.io - repository: cloud-sql-connectors/cloud-sql-proxy:2.9.0-alpine - # -- crane digest gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.9.0-alpine - version: sha256:40a7b65ad15ce73666ddf8f79a7651b59477688c27e22fd47aa59bb9b39757d9 + repository: cloud-sql-connectors/cloud-sql-proxy:2.12.0-alpine + # -- crane digest gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.12.0-alpine + version: sha256:a3843521730914f074f364c5bec608319ebeb5e66da9314ba45b16cd8223547f resources: requests: memory: "2Gi" 
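Review bot: The curl `version` digest is rewritten without quotes (`version: sha256:8addc…`) while the redis digest in the next hunk keeps them (`version: "sha256:e3b1…"`), leaving the same file with two spellings for the same kind of value. Both parse as strings, so this is style only, but pick one form — the scaffoldSQLProxy and cloudsql entries below use the unquoted one — and apply it to the redis entry too.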
@@ -119,6 +119,12 @@ server: pullPolicy: IfNotPresent # crane digest gcr.io/projectsigstore/rekor-server:v1.3.6 version: sha256:1237f29e2105d7f5451bbe15a3aca8677ddd1bb80620ca2fd06f74262437cf51 + # -- KMS type for signing key (possible values: "" / "none", "aws") + kmsType: none + # -- AWS region if using AWS KMS for signing key + awsKmsRegion: us-east-1 + # -- kubernetes secret name containing IAM credentials for use with AWS KMS + awsKmsCredentialsSecretName: aws-kms-credentials logging: production: false ingress: @@ -227,8 +233,8 @@ createtree: registry: ghcr.io repository: sigstore/scaffolding/createtree pullPolicy: IfNotPresent - # v0.6.17 - version: sha256:eb1a94738f34964c7456d18d30b8a45a654af89bb5371f69b2403df373be0826 + # v0.7.8 + version: sha256:c0cc90af73b71eaf0835c332d99834b669a36698c44c454835589bbc5acac478 ttlSecondsAfterFinished: 3600 serviceAccount: create: true @@ -251,7 +257,7 @@ backfillredis: registry: ghcr.io repository: sigstore/rekor/backfill-redis pullPolicy: IfNotPresent - # v1.3.5 + # v1.3.6 version: sha256:a13cd8b2a554d6116888fd1f383cf6e91fc1716df5eda392b82e6bfc66995ec3 ttlSecondsAfterFinished: 3600 securityContext: diff --git a/charts/scaffold/Chart.lock b/charts/scaffold/Chart.lock index f334190b..c4b0fcef 100644 --- a/charts/scaffold/Chart.lock +++ b/charts/scaffold/Chart.lock 
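Review bot: The comment on `awsKmsCredentialsSecretName` does not say which keys the Secret must contain, although the deployment template in this commit reads the fixed keys `accessKeyId` and `secretAccessKey` via `secretKeyRef`; a Secret created with other key names makes the pod fail at start-up with a missing-key error instead of at install time. Spell it out, since helm-docs copies this comment into the README: `# -- kubernetes secret name containing IAM credentials for use with AWS KMS (Secret keys: accessKeyId, secretAccessKey)`. The block sits inside `server`, whose start is outside the hunk.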
@@ -1,21 +1,21 @@ dependencies: - name: fulcio repository: https://sigstore.github.io/helm-charts - version: 2.3.21 + version: 2.5.4 - name: rekor repository: https://sigstore.github.io/helm-charts - version: 1.4.2 + version: 1.4.8 - name: trillian repository: https://sigstore.github.io/helm-charts - version: 0.2.24 + version: 0.2.27 - name: ctlog repository: https://sigstore.github.io/helm-charts - version: 0.2.53 + version: 0.2.56 - name: tuf repository: https://sigstore.github.io/helm-charts - version: 0.1.14 + version: 0.1.17 - name: tsa repository: https://sigstore.github.io/helm-charts - version: 1.0.3 -digest: sha256:db84a3c0345e66c011100fcce8cd8b5c43adda79cc4c6e385a59991dd5225763 -generated: "2024-07-10T15:24:11.347772681Z" + version: 1.0.5 +digest: sha256:a8d432f681bf37e4b1454a4565d38620f27d2b7ec55ff3fd4566dbcff104a928 +generated: "2024-09-04T14:11:41.969723-06:00" diff --git a/charts/scaffold/Chart.yaml b/charts/scaffold/Chart.yaml index 6b9fe749..bbcda100 100644 --- a/charts/scaffold/Chart.yaml +++ b/charts/scaffold/Chart.yaml @@ -4,7 +4,7 @@ description: Scaffolding the components of the sigstore architecture type: application -version: 0.6.52 +version: 0.6.61 keywords: - security - pki 
@@ -16,27 +16,27 @@ maintainers: dependencies: - name: fulcio - version: 2.3.21 + version: 2.5.4 repository: https://sigstore.github.io/helm-charts condition: fulcio.enabled - name: rekor - version: 1.4.2 + version: 1.4.8 repository: https://sigstore.github.io/helm-charts condition: rekor.enabled - name: trillian - version: 0.2.24 + version: 0.2.27 repository: https://sigstore.github.io/helm-charts condition: trillian.enabled - name: ctlog - version: 0.2.53 + version: 0.2.56 repository: https://sigstore.github.io/helm-charts condition: ctlog.enabled - name: tuf - version: 0.1.14 + version: 0.1.17 repository: https://sigstore.github.io/helm-charts condition: tuf.enabled - name: tsa - version: 1.0.3 + version: 1.0.5 repository: https://sigstore.github.io/helm-charts condition: tsa.enabled diff --git a/charts/scaffold/README.md b/charts/scaffold/README.md index e1576524..d34e12d5 100644 --- a/charts/scaffold/README.md +++ b/charts/scaffold/README.md @@ -2,7 +2,7 @@ -![Version: 0.6.52](https://img.shields.io/badge/Version-0.6.52-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.6.61](https://img.shields.io/badge/Version-0.6.61-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) Scaffolding the components of the sigstore architecture 
@@ -36,12 +36,12 @@ helm uninstall [RELEASE_NAME] | Repository | Name | Version | |------------|------|---------| -| https://sigstore.github.io/helm-charts | ctlog | 0.2.53 | -| https://sigstore.github.io/helm-charts | fulcio | 2.3.21 | -| https://sigstore.github.io/helm-charts | rekor | 1.4.2 | -| https://sigstore.github.io/helm-charts | trillian | 0.2.24 | -| https://sigstore.github.io/helm-charts | tsa | 1.0.3 | -| https://sigstore.github.io/helm-charts | tuf | 0.1.14 | +| https://sigstore.github.io/helm-charts | ctlog | 0.2.56 | +| https://sigstore.github.io/helm-charts | fulcio | 2.5.4 | +| https://sigstore.github.io/helm-charts | rekor | 1.4.8 | +| https://sigstore.github.io/helm-charts | trillian | 0.2.27 | +| https://sigstore.github.io/helm-charts | tsa | 1.0.5 | +| https://sigstore.github.io/helm-charts | tuf | 0.1.17 | ## Values diff --git a/charts/scaffold/templates/copy-secrets-job.yaml b/charts/scaffold/templates/copy-secrets-job.yaml index 734dfd72..98eb23af 100644 --- a/charts/scaffold/templates/copy-secrets-job.yaml +++ b/charts/scaffold/templates/copy-secrets-job.yaml @@ -52,7 +52,7 @@ spec: command: ["/bin/sh"] args: [ "-c", - "curl {{ .Values.rekor.server.fullnameOverride}}.{{ .Values.rekor.namespace.name }}.svc.cluster.local/api/v1/log/publicKey -o /tmp/key -v && kubectl create secret generic {{ .Values.tuf.secrets.rekor.name }} --from-file=key=/tmp/key" + "curl {{ .Values.rekor.server.fullnameOverride}}.{{ .Values.rekor.namespace.name }}.svc/api/v1/log/publicKey -o /tmp/key -v && kubectl create secret generic {{ .Values.tuf.secrets.rekor.name }} --from-file=key=/tmp/key" ] - name: copy-fulcio-secret image: {{ template "scaffold.image" .Values.copySecretJob }} 
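Review bot: The `curl` in the rewritten command has no `--fail`, so an HTTP error from the rekor endpoint (a 404, or a 503 while rekor is still rolling out) still exits 0, writes the error body to `/tmp/key`, and the `&&` chain stores that body as the TUF rekor key Secret. Because this Secret feeds the TUF trust root, a silently wrong key is worse than a failed Job; use `curl -fsS {{ .Values.rekor.server.fullnameOverride}}.{{ .Values.rekor.namespace.name }}.svc/api/v1/log/publicKey -o /tmp/key && kubectl …` (`-sS` keeps errors in the Job log without the `-v` transcript). The tsa certchain fetch in the next hunk of this file has the same gap. Dropping `.cluster.local` relies on the pod's DNS search path, which is the commit's intent; the container spec this `args` belongs to starts outside the hunk.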
@@ -76,7 +76,7 @@ spec: command: ["/bin/sh"] args: [ "-c", - "curl {{ .Values.tsa.server.fullnameOverride}}.{{ .Values.tsa.namespace.name }}.svc.cluster.local/api/v1/timestamp/certchain -o /tmp/cert-chain -v && kubectl create secret generic {{ .Values.tuf.secrets.tsa.name }} --from-file=cert-chain=/tmp/cert-chain" + "curl {{ .Values.tsa.server.fullnameOverride}}.{{ .Values.tsa.namespace.name }}.svc/api/v1/timestamp/certchain -o /tmp/cert-chain -v && kubectl create secret generic {{ .Values.tuf.secrets.tsa.name }} --from-file=cert-chain=/tmp/cert-chain" ] {{- if .Values.copySecretJob.nodeSelector }} nodeSelector: diff --git a/charts/sigstore-prober/Chart.yaml b/charts/sigstore-prober/Chart.yaml index 583d0a63..46297815 100644 --- a/charts/sigstore-prober/Chart.yaml +++ b/charts/sigstore-prober/Chart.yaml @@ -4,8 +4,8 @@ description: Sigstore API Endpoint Prober type: application -version: 0.0.24 -appVersion: 0.7.3 +version: 0.0.28 +appVersion: 0.7.8 keywords: @@ -21,4 +21,4 @@ annotations: artifacthub.io/license: Apache-2.0 artifacthub.io/images: | - name: sigstore-prober - image: ghcr.io/sigstore/scaffolding/prober:v0.7.3@sha256:efd3cc7ef479cb71c8338e3978d7a82cdc30ae5e05b01c1644ac411f8bcbb9f9 + image: ghcr.io/sigstore/scaffolding/prober:v0.7.8@sha256:07c803bcf28ed14974fb08755a05fbd45b33501ad3b45f32c8c64d676b38dc74 diff --git a/charts/sigstore-prober/README.md b/charts/sigstore-prober/README.md index 8cbb17f0..a492ed1b 100644 --- a/charts/sigstore-prober/README.md +++ b/charts/sigstore-prober/README.md 
@@ -1,6 +1,6 @@ # sigstore-prober -![Version: 0.0.24](https://img.shields.io/badge/Version-0.0.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.3](https://img.shields.io/badge/AppVersion-0.7.3-informational?style=flat-square) +![Version: 0.0.28](https://img.shields.io/badge/Version-0.0.28-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.8](https://img.shields.io/badge/AppVersion-0.7.8-informational?style=flat-square) Sigstore API Endpoint Prober @@ -24,13 +24,14 @@ Sigstore API Endpoint Prober | serviceAccount.create | bool | `false` | | | serviceAccount.name | string | `"default"` | | | spec.args.frequency | int | `10` | | +| spec.args.fulcioGrpcHost | string | `"fulcio.sigstore.dev"` | | | spec.args.fulcioHost | string | `"https://fulcio.sigstore.dev"` | | | spec.args.fulcioRequests | list | `[]` | | | spec.args.rekorHost | string | `"https://rekor.sigstore.dev"` | | | spec.args.rekorRequests | list | `[]` | | | spec.args.trustRekorAPIPublicKey | bool | `false` | | | spec.args.writeProber | bool | `false` | | -| spec.image | string | `"ghcr.io/sigstore/scaffolding/prober:v0.7.3@sha256:efd3cc7ef479cb71c8338e3978d7a82cdc30ae5e05b01c1644ac411f8bcbb9f9"` | | +| spec.image | string | `"ghcr.io/sigstore/scaffolding/prober:v0.7.8@sha256:07c803bcf28ed14974fb08755a05fbd45b33501ad3b45f32c8c64d676b38dc74"` | | | spec.imagePullPolicy | string | `"Always"` | | | spec.matchLabels.app | string | `"sigstore-prober"` | | | spec.replicaCount | int | `1` | | @@ -40,3 +41,5 @@ Sigstore API Endpoint Prober | spec.resources.requests.memory | string | `"64Mi"` | | | tolerations | list | `[]` | | +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) 
diff --git a/charts/sigstore-prober/templates/_helpers.tpl b/charts/sigstore-prober/templates/_helpers.tpl
index 6c9b3281..240cea81 100644
--- a/charts/sigstore-prober/templates/_helpers.tpl
+++ b/charts/sigstore-prober/templates/_helpers.tpl
@@ -28,6 +28,9 @@ Create args for sigstore prober components
 {{- if .Values.spec.args.fulcioHost }}
 - "-fulcio-url={{ .Values.spec.args.fulcioHost }}"
 {{- end }}
+{{- if .Values.spec.args.fulcioGrpcHost }}
+- "-fulcio-grpc-url={{ .Values.spec.args.fulcioGrpcHost }}"
+{{- end }}
 {{- if .Values.spec.args.writeProber }}
 - "-write-prober={{ .Values.spec.args.writeProber }}"
 {{- end }}
diff --git a/charts/sigstore-prober/values.schema.json b/charts/sigstore-prober/values.schema.json
index 04827c4d..2b49e7d9 100644
--- a/charts/sigstore-prober/values.schema.json
+++ b/charts/sigstore-prober/values.schema.json
@@ -49,6 +49,9 @@
 "fulcioHost": {
 "type": "string"
 },
+ "fulcioGrpcHost": {
+ "type": "string"
+ },
 "fulcioRequests": {
 "type": "array"
 },
diff --git a/charts/sigstore-prober/values.yaml b/charts/sigstore-prober/values.yaml
index 0a7934c6..e70f5c87 100644
--- a/charts/sigstore-prober/values.yaml
+++ b/charts/sigstore-prober/values.yaml
@@ -6,7 +6,7 @@ serviceAccount:
 create: false
 spec:
 replicaCount: 1
- image: ghcr.io/sigstore/scaffolding/prober:v0.7.3@sha256:efd3cc7ef479cb71c8338e3978d7a82cdc30ae5e05b01c1644ac411f8bcbb9f9
+ image: ghcr.io/sigstore/scaffolding/prober:v0.7.8@sha256:07c803bcf28ed14974fb08755a05fbd45b33501ad3b45f32c8c64d676b38dc74
 imagePullPolicy: Always
 matchLabels:
 app: sigstore-prober
@@ -19,6 +19,7 @@ spec:
 cpu: "200m"
 args:
 fulcioHost: https://fulcio.sigstore.dev
+ fulcioGrpcHost: fulcio.sigstore.dev
 rekorHost: https://rekor.sigstore.dev
 frequency: 10
 writeProber: false
diff --git a/charts/trillian/Chart.yaml b/charts/trillian/Chart.yaml
index daa9d3b5..3c48026b 100644
--- a/charts/trillian/Chart.yaml
+++ b/charts/trillian/Chart.yaml
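Review bot: The new `fulcioGrpcHost` default in values.yaml is added without a helm-docs description, so the generated README row for it is blank, while its sibling `fulcioHost` carries an explicit `https://` scheme and this one deliberately does not; a reader cannot tell whether a scheme or a port is expected. Suggest a `# --` comment above it such as `# -- Host (no scheme) passed to the prober as -fulcio-grpc-url; port and TLS behaviour are decided by the prober, see its flag documentation`, since the values.schema.json change only constrains the value to a string. Whether the prober dials this endpoint with TLS is not visible here, so that wording should be confirmed against the prober release before merging.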
@@ -5,8 +5,8 @@ description: | type: application -version: 0.2.24 -appVersion: 1.6.0 +version: 0.2.27 +appVersion: 1.6.1 keywords: - security 
@@ -25,18 +25,18 @@ annotations: artifacthub.io/license: Apache-2.0 artifacthub.io/images: | - name: curl - image: docker.io/curlimages/curl:8.5.0@sha256:4bfa3e2c0164fb103fb9bfd4dc956facce32b6c5d47cc09fcec883ce9535d5ac + image: docker.io/curlimages/curl:8.9.1@sha256:8addc281f0ea517409209f76832b6ddc2cabc3264feb1ebbec2a2521ffad24e4 - name: netcat - image: cgr.dev/chainguard/netcat@sha256:7243b469d34bd28969fa2c764a12d91084c427209540bb68645629d635b3f143 + image: cgr.dev/chainguard/netcat@sha256:6051975a14c51b9d3b525a06004d62a4d323c08ca58e3468343095a55a42fff2 - name: db_server image: gcr.io/trillian-opensource-ci/db_server:v1.5.3@sha256:2a685a38dd0129cceb646c232d285383f614c7e6fa51ff8f512aef78e4298461 - name: log_server - image: ghcr.io/sigstore/scaffolding/trillian_log_server:v0.6.17@sha256:34a87140ff88da3f8b83ef8f12575a5dc684afc79af880f148f45ca27f16e60e + image: ghcr.io/sigstore/scaffolding/trillian_log_server:v1.6.1@sha256:b09ad6b9f876be07baf6006afdf13402302251a373eef000cdc7a6d0c0ca584f - name: log_signer - image: ghcr.io/sigstore/scaffolding/trillian_log_signer:v0.6.17@sha256:ab97f7591e96e7ae1dbfea3bcc4b5f4b8ad13857e04779d8c6c2309cc432e5ce + image: ghcr.io/sigstore/scaffolding/trillian_log_signer:v1.6.1@sha256:9ddaf6c45cab0177db6e599d8bde12a46e1913181f4a6942096655e0435d0212 - name: cloud_proxy - image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.9.0-alpine@sha256:40a7b65ad15ce73666ddf8f79a7651b59477688c27e22fd47aa59bb9b39757d9 + image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.12.0-alpine@sha256:a3843521730914f074f364c5bec608319ebeb5e66da9314ba45b16cd8223547f - name: scaffold_cloud_proxy - image: ghcr.io/sigstore/scaffolding/cloudsqlproxy:v0.6.17@sha256:7cf71a5173283a5102e4765a829205007dd171511d6f8715f45b7179411ea2e2 + image: ghcr.io/sigstore/scaffolding/cloudsqlproxy:v0.7.8@sha256:8a7539e248d38628799934e7f1c890083c90e4242e2b0feec4c352fda2574184 - name: createdb - image: 
ghcr.io/sigstore/scaffolding/createdb:v0.6.17@sha256:ea809b5f603764df5fb7e1f46f7e7be24b6717890c560e7e67fdb0a640a8a755 + image: ghcr.io/sigstore/scaffolding/createdb:v0.7.8@sha256:674760d4000f151b768843e6d7f671b8e3ada037736e312b4939b3a48abd6066 diff --git a/charts/trillian/README.md b/charts/trillian/README.md index dd31205b..0678c060 100644 --- a/charts/trillian/README.md +++ b/charts/trillian/README.md @@ -2,7 +2,7 @@ -![Version: 0.2.23](https://img.shields.io/badge/Version-0.2.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.0](https://img.shields.io/badge/AppVersion-1.6.0-informational?style=flat-square) +![Version: 0.2.27](https://img.shields.io/badge/Version-0.2.27-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.1](https://img.shields.io/badge/AppVersion-1.6.1-informational?style=flat-square) Trillian is a log that stores an accurate, immutable and verifiable history of activity. 
@@ -40,34 +40,37 @@ helm uninstall [RELEASE_NAME] | Key | Type | Default | Description | |-----|------|---------|-------------| +| createdb.affinity | object | `{}` | | | createdb.dbname | string | `"trillian"` | | | createdb.enabled | bool | `true` | | | createdb.image.pullPolicy | string | `"IfNotPresent"` | | | createdb.image.registry | string | `"ghcr.io"` | | | createdb.image.repository | string | `"sigstore/scaffolding/createdb"` | | -| createdb.image.version | string | `"sha256:ea809b5f603764df5fb7e1f46f7e7be24b6717890c560e7e67fdb0a640a8a755"` | v0.6.17 | +| createdb.image.version | string | `"sha256:674760d4000f151b768843e6d7f671b8e3ada037736e312b4939b3a48abd6066"` | v0.7.8 | | createdb.name | string | `"createdb"` | | +| createdb.nodeSelector | object | `{}` | | | createdb.serviceAccount.annotations | object | `{}` | | | createdb.serviceAccount.create | bool | `false` | | | createdb.serviceAccount.name | string | `""` | | +| createdb.tolerations | list | `[]` | | | createdb.ttlSecondsAfterFinished | int | `3600` | | | forceNamespace | string | `""` | | | imagePullSecrets | list | `[]` | | | initContainerImage.curl.imagePullPolicy | string | `"IfNotPresent"` | | | initContainerImage.curl.registry | string | `"docker.io"` | | | initContainerImage.curl.repository | string | `"curlimages/curl"` | | -| initContainerImage.curl.version | string | `"sha256:4bfa3e2c0164fb103fb9bfd4dc956facce32b6c5d47cc09fcec883ce9535d5ac"` | 8.5.0 | +| initContainerImage.curl.version | string | `"sha256:8addc281f0ea517409209f76832b6ddc2cabc3264feb1ebbec2a2521ffad24e4"` | 8.9.1 | | initContainerImage.netcat.imagePullPolicy | string | `"IfNotPresent"` | | | initContainerImage.netcat.registry | string | `"cgr.dev"` | | | initContainerImage.netcat.repository | string | `"chainguard/netcat"` | | -| initContainerImage.netcat.version | string | `"sha256:7243b469d34bd28969fa2c764a12d91084c427209540bb68645629d635b3f143"` | 2023-06-13 | +| initContainerImage.netcat.version | string | 
`"sha256:6051975a14c51b9d3b525a06004d62a4d323c08ca58e3468343095a55a42fff2"` | 2024-09-03 | | logServer.affinity | object | `{}` | | | logServer.enabled | bool | `true` | | | logServer.extraArgs | list | `[]` | | | logServer.image.pullPolicy | string | `"IfNotPresent"` | | | logServer.image.registry | string | `"ghcr.io"` | | | logServer.image.repository | string | `"sigstore/scaffolding/trillian_log_server"` | | -| logServer.image.version | string | `"sha256:34a87140ff88da3f8b83ef8f12575a5dc684afc79af880f148f45ca27f16e60e"` | v0.6.17 | +| logServer.image.version | string | `"sha256:b09ad6b9f876be07baf6006afdf13402302251a373eef000cdc7a6d0c0ca584f"` | trillian v1.6.1 (scaffolding v0.7.8) | | logServer.livenessProbe | object | `{}` | | | logServer.name | string | `"log-server"` | | | logServer.nodeSelector | object | `{}` | | @@ -96,7 +99,7 @@ helm uninstall [RELEASE_NAME] | logSigner.image.pullPolicy | string | `"IfNotPresent"` | | | logSigner.image.registry | string | `"ghcr.io"` | | | logSigner.image.repository | string | `"sigstore/scaffolding/trillian_log_signer"` | | -| logSigner.image.version | string | `"sha256:ab97f7591e96e7ae1dbfea3bcc4b5f4b8ad13857e04779d8c6c2309cc432e5ce"` | v0.6.17 | +| logSigner.image.version | string | `"sha256:9ddaf6c45cab0177db6e599d8bde12a46e1913181f4a6942096655e0435d0212"` | trillian v1.6.1 (scaffolding v0.7.8) | | logSigner.livenessProbe | object | `{}` | | | logSigner.name | string | `"log-signer"` | | | logSigner.nodeSelector | object | `{}` | | 
@@ -121,7 +124,7 @@ helm uninstall [RELEASE_NAME] | mysql.auth.username | string | `"mysql"` | | | mysql.enabled | bool | `true` | | | mysql.gcp.cloudsql.registry | string | `"gcr.io"` | | -| mysql.gcp.cloudsql.repository | string | `"cloud-sql-connectors/cloud-sql-proxy:2.9.0-alpine"` | | +| mysql.gcp.cloudsql.repository | string | `"cloud-sql-connectors/cloud-sql-proxy:2.12.0-alpine"` | | | mysql.gcp.cloudsql.resources.requests.cpu | string | `"1"` | | | mysql.gcp.cloudsql.resources.requests.memory | string | `"2Gi"` | | | mysql.gcp.cloudsql.securityContext.allowPrivilegeEscalation | bool | `false` | | @@ -130,7 +133,7 @@ helm uninstall [RELEASE_NAME] | mysql.gcp.cloudsql.securityContext.runAsNonRoot | bool | `true` | | | mysql.gcp.cloudsql.unixDomainSocket.enabled | bool | `false` | | | mysql.gcp.cloudsql.unixDomainSocket.path | string | `"/cloudsql"` | | -| mysql.gcp.cloudsql.version | string | `"sha256:40a7b65ad15ce73666ddf8f79a7651b59477688c27e22fd47aa59bb9b39757d9"` | crane digest gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.9.0-alpine | +| mysql.gcp.cloudsql.version | string | `"sha256:a3843521730914f074f364c5bec608319ebeb5e66da9314ba45b16cd8223547f"` | crane digest gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.12.0-alpine | | mysql.gcp.enabled | bool | `false` | | | mysql.gcp.instance | string | `""` | | | mysql.gcp.scaffoldSQLProxy.registry | string | `"ghcr.io"` | | 
@@ -141,7 +144,7 @@ helm uninstall [RELEASE_NAME]
 | mysql.gcp.scaffoldSQLProxy.securityContext.capabilities.drop[0] | string | `"ALL"` | |
 | mysql.gcp.scaffoldSQLProxy.securityContext.readOnlyRootFilesystem | bool | `true` | |
 | mysql.gcp.scaffoldSQLProxy.securityContext.runAsNonRoot | bool | `true` | |
-| mysql.gcp.scaffoldSQLProxy.version | string | `"sha256:7cf71a5173283a5102e4765a829205007dd171511d6f8715f45b7179411ea2e2"` | v0.6.17 which is based on cloud-sql-proxy:2.9.0-alpine |
+| mysql.gcp.scaffoldSQLProxy.version | string | `"sha256:8a7539e248d38628799934e7f1c890083c90e4242e2b0feec4c352fda2574184"` | v0.7.8 which is based on cloud-sql-proxy:2.12.0-alpine |
 | mysql.hostname | string | `""` | |
 | mysql.image.pullPolicy | string | `"IfNotPresent"` | |
 | mysql.image.registry | string | `"gcr.io"` | |
diff --git a/charts/trillian/templates/createdb/createdb-job.yaml b/charts/trillian/templates/createdb/createdb-job.yaml
index 795d9746..fcef9a10 100644
--- a/charts/trillian/templates/createdb/createdb-job.yaml
+++ b/charts/trillian/templates/createdb/createdb-job.yaml
@@ -98,15 +98,15 @@ spec:
 - name: exit-dir
 emptyDir: {}
 {{- end }}
-{{- if .Values.createdb.nodeSelector }}
- nodeSelector:
-{{ toYaml .Values.createdb.nodeSelector | indent 4 }}
-{{- end }}
-{{- if .Values.createdb.tolerations }}
- tolerations:
-{{ toYaml .Values.createdb.tolerations | indent 4 }}
-{{- end }}
-{{- if .Values.createdb.affinity }}
- affinity:
-{{ toYaml .Values.createdb.affinity | indent 4 }}
-{{- end }}
+ {{- if .Values.createdb.nodeSelector }}
+ nodeSelector:
+{{ toYaml .Values.createdb.nodeSelector | indent 8 }}
+ {{- end }}
+ {{- if .Values.createdb.tolerations }}
+ tolerations:
+{{ toYaml .Values.createdb.tolerations | indent 8 }}
+ {{- end }}
+ {{- if .Values.createdb.affinity }}
+ affinity:
+{{ toYaml .Values.createdb.affinity | indent 8 }}
+ {{- end }}
diff --git a/charts/trillian/values.yaml b/charts/trillian/values.yaml
index ac200d84..bdb3f941 100644
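Review bot: The re-indented `nodeSelector`/`tolerations`/`affinity` blocks in createdb-job.yaml still emit their values with `{{ toYaml ... | indent 8 }}` on a line forced to column 0, which is exactly the shape that let the previous mis-nesting go unnoticed; the idiomatic form keeps the directive at its structural indent, `{{- toYaml .Values.createdb.nodeSelector | nindent 8 }}`, and likewise for the other two. Because the chart defaults for these three keys are empty (`{}`/`[]`), `helm lint` and chart-testing never render these branches, so the wrong nesting presumably shipped without any check failing; a `ci/` values file that sets a dummy `createdb.nodeSelector` and a toleration would make `ct lint` exercise the rendered placement. The pod spec these keys now belong to begins outside the hunk.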
--- a/charts/trillian/values.yaml +++ b/charts/trillian/values.yaml @@ -8,14 +8,14 @@ initContainerImage: curl: registry: docker.io repository: curlimages/curl - # -- 8.5.0 - version: sha256:4bfa3e2c0164fb103fb9bfd4dc956facce32b6c5d47cc09fcec883ce9535d5ac + # -- 8.9.1 + version: sha256:8addc281f0ea517409209f76832b6ddc2cabc3264feb1ebbec2a2521ffad24e4 imagePullPolicy: IfNotPresent netcat: registry: cgr.dev repository: chainguard/netcat - # -- 2023-06-13 - version: "sha256:7243b469d34bd28969fa2c764a12d91084c427209540bb68645629d635b3f143" + # -- 2024-09-03 + version: sha256:6051975a14c51b9d3b525a06004d62a4d323c08ca58e3468343095a55a42fff2 imagePullPolicy: IfNotPresent storageSystem: @@ -31,8 +31,8 @@ mysql: scaffoldSQLProxy: registry: ghcr.io repository: sigstore/scaffolding/cloudsqlproxy - # -- v0.6.17 which is based on cloud-sql-proxy:2.9.0-alpine - version: sha256:7cf71a5173283a5102e4765a829205007dd171511d6f8715f45b7179411ea2e2 + # -- v0.7.8 which is based on cloud-sql-proxy:2.12.0-alpine + version: sha256:8a7539e248d38628799934e7f1c890083c90e4242e2b0feec4c352fda2574184 resources: requests: memory: "2Gi" @@ -46,9 +46,9 @@ mysql: - ALL cloudsql: registry: gcr.io - repository: cloud-sql-connectors/cloud-sql-proxy:2.9.0-alpine - # -- crane digest gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.9.0-alpine - version: sha256:40a7b65ad15ce73666ddf8f79a7651b59477688c27e22fd47aa59bb9b39757d9 + repository: cloud-sql-connectors/cloud-sql-proxy:2.12.0-alpine + # -- crane digest gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.12.0-alpine + version: sha256:a3843521730914f074f364c5bec608319ebeb5e66da9314ba45b16cd8223547f resources: requests: memory: "2Gi" 
@@ -138,8 +138,8 @@ logServer: registry: ghcr.io repository: sigstore/scaffolding/trillian_log_server pullPolicy: IfNotPresent - # -- v0.6.17 - version: sha256:34a87140ff88da3f8b83ef8f12575a5dc684afc79af880f148f45ca27f16e60e + # -- trillian v1.6.1 (scaffolding v0.7.8) + version: sha256:b09ad6b9f876be07baf6006afdf13402302251a373eef000cdc7a6d0c0ca584f nodeSelector: {} tolerations: [] affinity: {} @@ -174,8 +174,8 @@ logSigner: registry: ghcr.io repository: sigstore/scaffolding/trillian_log_signer pullPolicy: IfNotPresent - # -- v0.6.17 - version: sha256:ab97f7591e96e7ae1dbfea3bcc4b5f4b8ad13857e04779d8c6c2309cc432e5ce + # -- trillian v1.6.1 (scaffolding v0.7.8) + version: sha256:9ddaf6c45cab0177db6e599d8bde12a46e1913181f4a6942096655e0435d0212 nodeSelector: {} tolerations: [] affinity: {} @@ -204,8 +204,8 @@ createdb: registry: ghcr.io repository: sigstore/scaffolding/createdb pullPolicy: IfNotPresent - # -- v0.6.17 - version: sha256:ea809b5f603764df5fb7e1f46f7e7be24b6717890c560e7e67fdb0a640a8a755 + # -- v0.7.8 + version: sha256:674760d4000f151b768843e6d7f671b8e3ada037736e312b4939b3a48abd6066 serviceAccount: create: false name: "" diff --git a/charts/tsa/Chart.yaml b/charts/tsa/Chart.yaml index b3e90539..533a5cbb 100644 --- a/charts/tsa/Chart.yaml +++ b/charts/tsa/Chart.yaml @@ -5,8 +5,8 @@ description: | type: application -version: 1.0.3 -appVersion: 1.2.1 +version: 1.0.5 +appVersion: 1.2.2 keywords: - security @@ -21,5 +21,5 @@ annotations: artifacthub.io/license: Apache-2.0 artifacthub.io/images: | - name: tsa - # crane digest ghcr.io/sigstore/timestamp-server:v1.2.1 - image: ghcr.io/sigstore/timestamp-server@sha256:f4dcc96092a1b1fb5ca36d776f92a7cc62cdb1a8866c5120340f919141a3cd58 + # crane digest ghcr.io/sigstore/timestamp-server:v1.2.2 + image: ghcr.io/sigstore/timestamp-server@sha256:9f012408a0b2a91a0f017df419b732556a0bdd7482973dc3b87fe979e41ccc9a diff --git a/charts/tsa/README.md b/charts/tsa/README.md index af1aa72b..ab3a29f1 100644 --- a/charts/tsa/README.md 
+++ b/charts/tsa/README.md @@ -2,7 +2,7 @@ -![Version: 1.0.2](https://img.shields.io/badge/Version-1.0.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.2.1](https://img.shields.io/badge/AppVersion-1.2.1-informational?style=flat-square) +![Version: 1.0.5](https://img.shields.io/badge/Version-1.0.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.2.2](https://img.shields.io/badge/AppVersion-1.2.2-informational?style=flat-square) Timestamp Authority issuing RFC3161 signed timestamps. @@ -105,7 +105,7 @@ helm uninstall [RELEASE_NAME] | server.image.pullPolicy | string | `"IfNotPresent"` | | | server.image.registry | string | `"ghcr.io"` | | | server.image.repository | string | `"sigstore/timestamp-server"` | | -| server.image.version | string | `"sha256:f4dcc96092a1b1fb5ca36d776f92a7cc62cdb1a8866c5120340f919141a3cd58"` | v1.2.1 | +| server.image.version | string | `"sha256:9f012408a0b2a91a0f017df419b732556a0bdd7482973dc3b87fe979e41ccc9a"` | v1.2.2 | | server.ingress.http.annotations | object | `{}` | | | server.ingress.http.className | string | `"nginx"` | | | server.ingress.http.enabled | bool | `true` | | diff --git a/charts/tsa/values.yaml b/charts/tsa/values.yaml index 06b5806f..8fd2c6f4 100644 --- a/charts/tsa/values.yaml +++ b/charts/tsa/values.yaml @@ -16,9 +16,9 @@ server: registry: ghcr.io repository: sigstore/timestamp-server pullPolicy: IfNotPresent - # crane digest ghcr.io/sigstore/timestamp-server:v1.2.1 - # -- v1.2.1 - version: sha256:f4dcc96092a1b1fb5ca36d776f92a7cc62cdb1a8866c5120340f919141a3cd58 + # crane digest ghcr.io/sigstore/timestamp-server:v1.2.2 + # -- v1.2.2 + version: sha256:9f012408a0b2a91a0f017df419b732556a0bdd7482973dc3b87fe979e41ccc9a args: port: 5555 # Valid values: tink, kms, file 
diff --git a/charts/tuf/Chart.yaml b/charts/tuf/Chart.yaml index d95e26b1..e5074392 100644 --- a/charts/tuf/Chart.yaml +++ b/charts/tuf/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: tuf description: A framework for securing software update systems - the scaffolding implementation type: application -version: 0.1.14 -appVersion: "0.6.17" +version: 0.1.17 +appVersion: 0.7.8 home: https://sigstore.dev/ sources: @@ -17,4 +17,4 @@ annotations: artifacthub.io/license: Apache-2.0 artifacthub.io/images: | - name: scaffolding-tuf - image: ghcr.io/sigstore/scaffolding/server:v0.6.17@sha256:496b443c82be2c4a14a6e3dfbfa9ccae5b6eaedd7a3aca58b84ddae9492d9906 + image: ghcr.io/sigstore/scaffolding/server:v0.7.8@sha256:dfccfb85b8638b488a3fd2320d723efb37633be7c32c34a1ab58138e5f80d0e2 diff --git a/charts/tuf/README.md b/charts/tuf/README.md index 471f3140..ee071319 100644 --- a/charts/tuf/README.md +++ b/charts/tuf/README.md @@ -1,6 +1,6 @@ # tuf -![Version: 0.1.13](https://img.shields.io/badge/Version-0.1.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.6.17](https://img.shields.io/badge/AppVersion-0.6.17-informational?style=flat-square) +![Version: 0.1.17](https://img.shields.io/badge/Version-0.1.17-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.8](https://img.shields.io/badge/AppVersion-0.7.8-informational?style=flat-square) A framework for securing software update systems - the scaffolding implementation 
@@ -20,13 +20,16 @@ A framework for securing software update systems - the scaffolding implementatio | Key | Type | Default | Description | |-----|------|---------|-------------| +| deployment.affinity | object | `{}` | | | deployment.imagePullPolicy | string | `"IfNotPresent"` | | | deployment.name | string | `"tuf"` | | +| deployment.nodeSelector | object | `{}` | | | deployment.port | int | `8080` | | | deployment.registry | string | `"ghcr.io"` | | | deployment.replicas | int | `1` | | | deployment.repository | string | `"sigstore/scaffolding/server"` | | -| deployment.version | string | `"sha256:496b443c82be2c4a14a6e3dfbfa9ccae5b6eaedd7a3aca58b84ddae9492d9906"` | | +| deployment.tolerations | list | `[]` | | +| deployment.version | string | `"sha256:dfccfb85b8638b488a3fd2320d723efb37633be7c32c34a1ab58138e5f80d0e2"` | | | enabled | bool | `true` | | | forceNamespace | string | `""` | | | fullnameOverride | string | `"tuf"` | | @@ -66,4 +69,4 @@ A framework for securing software update systems - the scaffolding implementatio | serviceAccountName | string | `"tuf"` | | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) +Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) diff --git a/charts/tuf/values.yaml b/charts/tuf/values.yaml index dfd39f98..b20ed6b3 100644 --- a/charts/tuf/values.yaml +++ b/charts/tuf/values.yaml @@ -11,8 +11,8 @@ deployment: replicas: 1 registry: ghcr.io repository: sigstore/scaffolding/server - # v0.6.17 - version: sha256:496b443c82be2c4a14a6e3dfbfa9ccae5b6eaedd7a3aca58b84ddae9492d9906 + # v0.7.8 + version: sha256:dfccfb85b8638b488a3fd2320d723efb37633be7c32c34a1ab58138e5f80d0e2 imagePullPolicy: IfNotPresent port: 8080 tolerations: [] diff --git a/charts/updatetree/Chart.yaml b/charts/updatetree/Chart.yaml index 8e4e9172..71424e5d 100644 
--- a/charts/updatetree/Chart.yaml +++ b/charts/updatetree/Chart.yaml @@ -4,8 +4,8 @@ description: Update the status of an existing Trillian tree type: application -version: 0.0.10 -appVersion: 0.6.17 +version: 0.0.13 +appVersion: 0.7.8 keywords: @@ -22,4 +22,4 @@ annotations: artifacthub.io/license: Apache-2.0 artifacthub.io/images: | - name: updatetree - image: ghcr.io/sigstore/scaffolding/updatetree:v0.6.17@sha256:9fe03dde7324490cc7a84c75dfa3f1de267fc71c1a473fc67491c690e22c32ab + image: ghcr.io/sigstore/scaffolding/updatetree:v0.7.8@sha256:08703b6f450293d7047c914765dc988a8da4f8c4cbf2b85d58bb64ba0c45ff36 diff --git a/charts/updatetree/README.md b/charts/updatetree/README.md index ce8471fc..04114fdf 100644 --- a/charts/updatetree/README.md +++ b/charts/updatetree/README.md @@ -1,6 +1,6 @@ # updatetree -![Version: 0.0.9](https://img.shields.io/badge/Version-0.0.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.6.17](https://img.shields.io/badge/AppVersion-0.6.17-informational?style=flat-square) +![Version: 0.0.13](https://img.shields.io/badge/Version-0.0.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.8](https://img.shields.io/badge/AppVersion-0.7.8-informational?style=flat-square) Update the status of an existing Trillian tree 
@@ -29,7 +29,7 @@ Update the status of an existing Trillian tree | serviceAccount.annotations | object | `{}` | | | serviceAccount.create | bool | `false` | | | serviceAccount.name | string | `"trillian-logserver"` | | -| spec.image | string | `"ghcr.io/sigstore/scaffolding/updatetree:v0.6.17@sha256:9fe03dde7324490cc7a84c75dfa3f1de267fc71c1a473fc67491c690e22c32ab"` | | +| spec.image | string | `"ghcr.io/sigstore/scaffolding/updatetree:v0.7.8@sha256:08703b6f450293d7047c914765dc988a8da4f8c4cbf2b85d58bb64ba0c45ff36"` | | | spec.replicaCount | int | `1` | | | tolerations | list | `[]` | | | trillian.adminServer | string | `""` | | @@ -37,3 +37,6 @@ Update the status of an existing Trillian tree | trillian.logServer.portRPC | int | `8091` | | | trillian.namespace | string | `"trillian-system"` | | | ttlSecondsAfterFinished | int | `3600` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) diff --git a/charts/updatetree/values.yaml b/charts/updatetree/values.yaml index 2c612dbd..6134b1f4 100644 --- a/charts/updatetree/values.yaml +++ b/charts/updatetree/values.yaml @@ -8,7 +8,7 @@ serviceAccount: create: false spec: replicaCount: 1 - image: ghcr.io/sigstore/scaffolding/updatetree:v0.6.17@sha256:9fe03dde7324490cc7a84c75dfa3f1de267fc71c1a473fc67491c690e22c32ab + image: ghcr.io/sigstore/scaffolding/updatetree:v0.7.8@sha256:08703b6f450293d7047c914765dc988a8da4f8c4cbf2b85d58bb64ba0c45ff36 ttlSecondsAfterFinished: 3600 securityContext: runAsNonRoot: true