From ad6ce250f094069ed530c95b2632910fac146a60 Mon Sep 17 00:00:00 2001 From: cpanato Date: Thu, 11 Jul 2024 15:26:13 +0200 Subject: [PATCH 01/63] bump fulcio in scaffold chart Signed-off-by: cpanato --- charts/scaffold/Chart.lock | 6 +++--- charts/scaffold/Chart.yaml | 4 ++-- charts/scaffold/README.md | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/charts/scaffold/Chart.lock b/charts/scaffold/Chart.lock index f334190b..8facd63d 100644 --- a/charts/scaffold/Chart.lock +++ b/charts/scaffold/Chart.lock @@ -1,7 +1,7 @@ dependencies: - name: fulcio repository: https://sigstore.github.io/helm-charts - version: 2.3.21 + version: 2.3.22 - name: rekor repository: https://sigstore.github.io/helm-charts version: 1.4.2 @@ -17,5 +17,5 @@ dependencies: - name: tsa repository: https://sigstore.github.io/helm-charts version: 1.0.3 -digest: sha256:db84a3c0345e66c011100fcce8cd8b5c43adda79cc4c6e385a59991dd5225763 -generated: "2024-07-10T15:24:11.347772681Z" +digest: sha256:8054d64b1dedeac40ac587c36fa182f688248a49fc0fc6f4f6d2c4972eacb369 +generated: "2024-07-11T15:25:39.544491+02:00" diff --git a/charts/scaffold/Chart.yaml b/charts/scaffold/Chart.yaml index 6b9fe749..58679a0a 100644 --- a/charts/scaffold/Chart.yaml +++ b/charts/scaffold/Chart.yaml @@ -4,7 +4,7 @@ description: Scaffolding the components of the sigstore architecture type: application -version: 0.6.52 +version: 0.6.53 keywords: - security - pki @@ -16,7 +16,7 @@ maintainers: dependencies: - name: fulcio - version: 2.3.21 + version: 2.3.22 repository: https://sigstore.github.io/helm-charts condition: fulcio.enabled - name: rekor diff --git a/charts/scaffold/README.md b/charts/scaffold/README.md index e1576524..6caf893b 100644 --- a/charts/scaffold/README.md +++ b/charts/scaffold/README.md 
@@ -2,7 +2,7 @@ -![Version: 0.6.52](https://img.shields.io/badge/Version-0.6.52-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.6.53](https://img.shields.io/badge/Version-0.6.53-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) Scaffolding the components of the sigstore architecture @@ -37,7 +37,7 @@ helm uninstall [RELEASE_NAME] | Repository | Name | Version | |------------|------|---------| | https://sigstore.github.io/helm-charts | ctlog | 0.2.53 | -| https://sigstore.github.io/helm-charts | fulcio | 2.3.21 | +| https://sigstore.github.io/helm-charts | fulcio | 2.3.22 | | https://sigstore.github.io/helm-charts | rekor | 1.4.2 | | https://sigstore.github.io/helm-charts | trillian | 0.2.24 | | https://sigstore.github.io/helm-charts | tsa | 1.0.3 | From daef3e528e58a712da919fa0e0cbb07a9b04562a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 15 Jul 2024 09:47:06 +0200 Subject: [PATCH 02/63] build(deps): bump actions/setup-python from 5.1.0 to 5.1.1 (#776) Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5.1.0 to 5.1.1. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/82c7e631bb3cdc910f68e0081d67478d79c6982d...39cd14951b08e74b54015e9e001cdefcf80e669f) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index c4d57803..73479222 100644 --- a/.github/workflows/test.yml 
+++ b/.github/workflows/test.yml @@ -19,7 +19,7 @@ jobs: with: version: v3.10.3 - - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 with: python-version: 3.7 From 320833296e299f2c427fbff8681882f50f4e8047 Mon Sep 17 00:00:00 2001 From: ian hundere <138915+ianhundere@users.noreply.github.com> Date: Tue, 16 Jul 2024 03:53:45 -0400 Subject: [PATCH 03/63] adds tolerations, nodeSelector, and affinity to createtree-job. (#777) Signed-off-by: ianhundere <138915+ianhundere@users.noreply.github.com> Signed-off-by: ian hundere <138915+ianhundere@users.noreply.github.com> Co-authored-by: ian hundere --- charts/rekor/Chart.yaml | 2 +- charts/rekor/README.md | 2 +- charts/rekor/templates/server/createtree-job.yaml | 12 ++++++++++++ 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/charts/rekor/Chart.yaml b/charts/rekor/Chart.yaml index 82fd73d8..5089f03e 100644 --- a/charts/rekor/Chart.yaml +++ b/charts/rekor/Chart.yaml @@ -4,7 +4,7 @@ description: Part of the sigstore project, Rekor is a timestamping server and tr type: application -version: 1.4.3 +version: 1.4.4 appVersion: 1.3.6 keywords: diff --git a/charts/rekor/README.md b/charts/rekor/README.md index b52f2333..300083c1 100644 --- a/charts/rekor/README.md +++ b/charts/rekor/README.md 
@@ -1,6 +1,6 @@ # rekor -![Version: 1.4.3](https://img.shields.io/badge/Version-1.4.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.6](https://img.shields.io/badge/AppVersion-1.3.6-informational?style=flat-square) +![Version: 1.4.4](https://img.shields.io/badge/Version-1.4.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.6](https://img.shields.io/badge/AppVersion-1.3.6-informational?style=flat-square) Part of the sigstore project, Rekor is a timestamping server and transparency log for storing signatures, as well as an API based server for validation diff --git a/charts/rekor/templates/server/createtree-job.yaml b/charts/rekor/templates/server/createtree-job.yaml index 82b7f1a7..eb961809 100644 --- a/charts/rekor/templates/server/createtree-job.yaml +++ b/charts/rekor/templates/server/createtree-job.yaml @@ -50,3 +50,15 @@ spec: securityContext: {{ toYaml .Values.createtree.securityContext | indent 8 }} {{- end }} + {{- if .Values.createtree.nodeSelector }} + nodeSelector: +{{ toYaml .Values.createtree.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.createtree.tolerations }} + tolerations: +{{ toYaml .Values.createtree.tolerations | indent 8 }} + {{- end }} + {{- if .Values.createtree.affinity }} + affinity: +{{ toYaml .Values.createtree.affinity | indent 8 }} + {{- end }} From 3e379c45c6cc3c64dab85179a364583f395e2bb0 Mon Sep 17 00:00:00 2001 From: ian hundere <138915+ianhundere@users.noreply.github.com> Date: Thu, 18 Jul 2024 03:17:18 -0400 Subject: [PATCH 04/63] fixes tolerations, nodeSelector and affinity indention for trillian createdb job (#778) * fixes tolerations, nodeSelector and affinity indention for trillian createdb job. Signed-off-by: ian hundere <138915+ianhundere@users.noreply.github.com> * bumps image. 
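Review bot: The three new blocks in createtree-job.yaml read `.Values.createtree.nodeSelector`, `.Values.createtree.tolerations` and `.Values.createtree.affinity`, but the commit touches only Chart.yaml, the README badge and the template, so unless values.yaml already declares these keys (not visible here) they stay undeclared and undocumented. Patch 04 lists the equivalent `createdb.*` keys in the trillian README, and rekor should do the same with defaults `{}`, `[]` and `{}`. On style, the column-0 `{{ toYaml … | indent 8 }}` form ties correctness to a hand-counted indent; `{{- with .Values.createtree.nodeSelector }}` followed by `nodeSelector: {{- toYaml . | nindent 8 }}` keeps the key and its value together. The same pattern appears in the createdb-job.yaml hunk of patch 04, which exists to correct exactly that kind of indent. The Job spec begins outside this hunk, so the nesting depth cannot be confirmed from the visible lines.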
Signed-off-by: ian hundere <138915+ianhundere@users.noreply.github.com> --------- Signed-off-by: ian hundere <138915+ianhundere@users.noreply.github.com> --- charts/trillian/Chart.yaml | 2 +- charts/trillian/README.md | 5 +++- .../templates/createdb/createdb-job.yaml | 24 +++++++++---------- 3 files changed, 17 insertions(+), 14 deletions(-) diff --git a/charts/trillian/Chart.yaml b/charts/trillian/Chart.yaml index daa9d3b5..6fad2dc7 100644 --- a/charts/trillian/Chart.yaml +++ b/charts/trillian/Chart.yaml @@ -5,7 +5,7 @@ description: | type: application -version: 0.2.24 +version: 0.2.25 appVersion: 1.6.0 keywords: diff --git a/charts/trillian/README.md b/charts/trillian/README.md index dd31205b..d246e110 100644 --- a/charts/trillian/README.md +++ b/charts/trillian/README.md @@ -2,7 +2,7 @@ -![Version: 0.2.23](https://img.shields.io/badge/Version-0.2.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.0](https://img.shields.io/badge/AppVersion-1.6.0-informational?style=flat-square) +![Version: 0.2.25](https://img.shields.io/badge/Version-0.2.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.0](https://img.shields.io/badge/AppVersion-1.6.0-informational?style=flat-square) Trillian is a log that stores an accurate, immutable and verifiable history of activity. @@ -40,6 +40,7 @@ helm uninstall [RELEASE_NAME] | Key | Type | Default | Description | |-----|------|---------|-------------| +| createdb.affinity | object | `{}` | | | createdb.dbname | string | `"trillian"` | | | createdb.enabled | bool | `true` | | | createdb.image.pullPolicy | string | `"IfNotPresent"` | | 
@@ -47,9 +48,11 @@ helm uninstall [RELEASE_NAME] | createdb.image.repository | string | `"sigstore/scaffolding/createdb"` | | | createdb.image.version | string | `"sha256:ea809b5f603764df5fb7e1f46f7e7be24b6717890c560e7e67fdb0a640a8a755"` | v0.6.17 | | createdb.name | string | `"createdb"` | | +| createdb.nodeSelector | object | `{}` | | | createdb.serviceAccount.annotations | object | `{}` | | | createdb.serviceAccount.create | bool | `false` | | | createdb.serviceAccount.name | string | `""` | | +| createdb.tolerations | list | `[]` | | | createdb.ttlSecondsAfterFinished | int | `3600` | | | forceNamespace | string | `""` | | | imagePullSecrets | list | `[]` | | diff --git a/charts/trillian/templates/createdb/createdb-job.yaml b/charts/trillian/templates/createdb/createdb-job.yaml index 795d9746..fcef9a10 100644 --- a/charts/trillian/templates/createdb/createdb-job.yaml +++ b/charts/trillian/templates/createdb/createdb-job.yaml @@ -98,15 +98,15 @@ spec: - name: exit-dir emptyDir: {} {{- end }} -{{- if .Values.createdb.nodeSelector }} - nodeSelector: -{{ toYaml .Values.createdb.nodeSelector | indent 4 }} -{{- end }} -{{- if .Values.createdb.tolerations }} - tolerations: -{{ toYaml .Values.createdb.tolerations | indent 4 }} -{{- end }} -{{- if .Values.createdb.affinity }} - affinity: -{{ toYaml .Values.createdb.affinity | indent 4 }} -{{- end }} + {{- if .Values.createdb.nodeSelector }} + nodeSelector: +{{ toYaml .Values.createdb.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.createdb.tolerations }} + tolerations: +{{ toYaml .Values.createdb.tolerations | indent 8 }} + {{- end }} + {{- if .Values.createdb.affinity }} + affinity: +{{ toYaml .Values.createdb.affinity | indent 8 }} + {{- end }} From e7fc3ee1927ed7ab9fe7b10e1939bee4846fca7c Mon Sep 17 00:00:00 2001 From: cpanato Date: Thu, 18 Jul 2024 16:46:55 +0200 Subject: [PATCH 05/63] sync ctlog noop 
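Review bot: Nothing in this commit renders createdb-job.yaml with `createdb.nodeSelector`, `createdb.tolerations` or `createdb.affinity` set. Because all three blocks are skipped at their empty defaults, that is presumably how the earlier `indent 4` nesting went unnoticed. A CI values file that sets the three keys, or a render step such as `helm template charts/trillian --set createdb.nodeSelector.disktype=ssd` (constructed sample value), would catch a regression of the same kind. The pod spec these keys attach to starts outside the hunk, so whether 8 is the right depth depends on lines not shown here.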
Signed-off-by: cpanato --- charts/ctlog/Chart.yaml | 2 +- charts/ctlog/README.md | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/charts/ctlog/Chart.yaml b/charts/ctlog/Chart.yaml index 65738924..56788918 100644 --- a/charts/ctlog/Chart.yaml +++ b/charts/ctlog/Chart.yaml @@ -4,7 +4,7 @@ description: Certificate Log type: application -version: 0.2.53 +version: 0.2.54 appVersion: 0.6.17 keywords: diff --git a/charts/ctlog/README.md b/charts/ctlog/README.md index e104e665..c3e96b20 100644 --- a/charts/ctlog/README.md +++ b/charts/ctlog/README.md @@ -1,6 +1,6 @@ # ctlog -![Version: 0.2.52](https://img.shields.io/badge/Version-0.2.52-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.6.17](https://img.shields.io/badge/AppVersion-0.6.17-informational?style=flat-square) +![Version: 0.2.54](https://img.shields.io/badge/Version-0.2.54-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.6.17](https://img.shields.io/badge/AppVersion-0.6.17-informational?style=flat-square) Certificate Log @@ -124,3 +124,6 @@ Certificate Log | trillian.logServer.name | string | `"trillian-logserver"` | | | trillian.logServer.portRPC | int | `8091` | | | trillian.namespace | string | `"trillian-system"` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) From 45d7da429206d5508a30d8d8e6f9d038f508f9b1 Mon Sep 17 00:00:00 2001 From: Carlos Tadeu Panato Junior Date: Thu, 18 Jul 2024 16:53:11 +0200 Subject: [PATCH 06/63] sync readme for common noop (#782) 
Signed-off-by: cpanato --- charts/common/Chart.yaml | 2 +- charts/common/README.md | 92 +++++++--------------------------- charts/common/README.md.gotmpl | 37 ++++++++++++++ 3 files changed, 57 insertions(+), 74 deletions(-) create mode 100644 charts/common/README.md.gotmpl diff --git a/charts/common/Chart.yaml b/charts/common/Chart.yaml index 3e822e7e..c8d40f69 100644 --- a/charts/common/Chart.yaml +++ b/charts/common/Chart.yaml @@ -4,7 +4,7 @@ description: A Library Helm Chart containing common logic for use by Sigstore ch type: library -version: 0.1.1 +version: 0.1.2 keywords: - common diff --git a/charts/common/README.md b/charts/common/README.md index 3a878a96..d50a76be 100644 --- a/charts/common/README.md +++ b/charts/common/README.md 
@@ -1,88 +1,34 @@ # common -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) + + +![Version: 0.1.2](https://img.shields.io/badge/Version-0.1.2-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) A Library Helm Chart containing common logic for use by Sigstore charts **Homepage:** +' +## Quick Installation -## Maintainers - -| Name | Email | Url | -| ---- | ------ | --- | -| The Sigstore Authors | | | - ----------------------------------------------- - - -## Named Templates - -### Images - -| Name | Description | Expected Input | -|-----------------------|----------------------------------------------------------------------------------|------------------------------------| -| `common.images.image` | Create a fully qualified image reference. see [Image](#image) for the structure. | `.Values.image` Reference to Image | - -### Labels - -| Name | Description | Expected Input | -|--------------------------------|---------------------------------------------|-----------------------| -| `common.labels.labels` | Returns standard Kubernetes labels | `.` Chart context | -| `common.labels.selectorLabels` | Returns specific labels used for selectors | `.` Chart context | -| `common.labels.labelsNameSuffix` | Returns the provided set of labels give the label key `app.kubernetes.io/name` appended with a provided suffix | `dict "labels" "labels-content "suffix" "suffix-value"` | +To install the helm chart with default values run following command. +The [Values](#Values) section describes the configuration options for this chart. 
-### Names - -| Name | Description | Expected Input | -|-----------------------------------|---------------------------------------------------------------------------------------------------|------------------------------------------------------| -| `common.names.name` | Returns the name of the chart | `.` Chart context | -| `common.names.chart` | Returns the name of the chart used by the chart label | `.` Chart context | -| `common.names.fullname` | Returns the fully qualified application name | `.` Chart context | -| `common.names.managedfullname` | Returns the fully qualified application name by providing a context to use | `dict "content" .Values.content "context" $` | -| `common.names.fullnameSuffix` | Returns the fully qualified application name appended by a provided suffix | `dict "suffix" "suffix-value "context" $` | -| `common.names.rawnamespace` | Returns the raw namespace if set with forceNamespace or .Release.Namespace is set | `.` Chart context | -| `common.names.serviceAccountName` | Returns the name of the Service account. See [ServiceAccount](#serviceaccount) for the structure. | `.Values.serviceAccount` Reference to ServiceAccount | - -### Network - -| Name | Description | Expected Input | -|--------------------------------|---------------------------------------------|-----------------------| -| `common.network.containerPorts` | Returns the `containerPorts` property of a PodSpec | `dict` containing `port`, `targetPort` and optional `protocol` | - - -## Input Schemas - -The following are a set of schemas that are expected within applicable Named Templates - -### Image +```shell +helm dependency update . +helm install [RELEASE_NAME] . +``` -```yaml -registry: - type: string - description: Registry where the image is located - example: gcr.io +## Uninstallation -repository: - type: string - description: Repository and image name - example: sigstore/scaffolding/ct_server +To uninstall the Helm chart run following command. 
-version: - type: string - description: image tag or digest - example: 1.0.0 +```shell +helm uninstall [RELEASE_NAME] ``` -### ServiceAccount +## Maintainers -```yaml -name: - type: string - description: Name of the ServiceAccount - example: myApp +| Name | Email | Url | +| ---- | ------ | --- | +| The Sigstore Authors | | | -create: - type: boolean - description: Create a dedicated ServiceAccount - example: true -``` diff --git a/charts/common/README.md.gotmpl b/charts/common/README.md.gotmpl new file mode 100644 index 00000000..de52d568 --- /dev/null +++ b/charts/common/README.md.gotmpl @@ -0,0 +1,37 @@ +{{ template "chart.header" . }} + + + +{{ template "chart.deprecationWarning" . }} + +{{ template "chart.badgesSection" . }} + +{{ template "chart.description" . }} + +{{ template "chart.homepageLine" . }} +' +## Quick Installation + +To install the helm chart with default values run following command. +The [Values](#Values) section describes the configuration options for this chart. + +```shell +helm dependency update . +helm install [RELEASE_NAME] . +``` + +## Uninstallation + +To uninstall the Helm chart run following command. + +```shell +helm uninstall [RELEASE_NAME] +``` + +{{ template "chart.maintainersSection" . }} + +{{ template "chart.sourcesSection" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} From 03978643791d9eebb775df9362873c54f08e2368 Mon Sep 17 00:00:00 2001 From: cpanato Date: Thu, 18 Jul 2024 16:55:37 +0200 Subject: [PATCH 07/63] sync readme for sigstore-prober Signed-off-by: cpanato --- charts/sigstore-prober/Chart.yaml | 2 +- charts/sigstore-prober/README.md | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/charts/sigstore-prober/Chart.yaml b/charts/sigstore-prober/Chart.yaml index 583d0a63..99ab8553 100644 --- a/charts/sigstore-prober/Chart.yaml +++ b/charts/sigstore-prober/Chart.yaml 
@@ -4,7 +4,7 @@ description: Sigstore API Endpoint Prober type: application -version: 0.0.24 +version: 0.0.25 appVersion: 0.7.3 diff --git a/charts/sigstore-prober/README.md b/charts/sigstore-prober/README.md index 8cbb17f0..57a3d3ef 100644 --- a/charts/sigstore-prober/README.md +++ b/charts/sigstore-prober/README.md @@ -1,6 +1,6 @@ # sigstore-prober -![Version: 0.0.24](https://img.shields.io/badge/Version-0.0.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.3](https://img.shields.io/badge/AppVersion-0.7.3-informational?style=flat-square) +![Version: 0.0.25](https://img.shields.io/badge/Version-0.0.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.3](https://img.shields.io/badge/AppVersion-0.7.3-informational?style=flat-square) Sigstore API Endpoint Prober @@ -40,3 +40,5 @@ Sigstore API Endpoint Prober | spec.resources.requests.memory | string | `"64Mi"` | | | tolerations | list | `[]` | | +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) From 874da85e66eeb25a9c51ea90faaf1a50b368516b Mon Sep 17 00:00:00 2001 From: cpanato Date: Thu, 18 Jul 2024 17:01:56 +0200 Subject: [PATCH 08/63] sync readme for policy-controller Signed-off-by: cpanato --- charts/policy-controller/Chart.yaml | 2 +- charts/policy-controller/README.md | 140 ++++++++++---------- charts/policy-controller/README.md.gotmpl | 148 ++++++++++++++++++++++ 3 files changed, 225 insertions(+), 65 deletions(-) create mode 100644 charts/policy-controller/README.md.gotmpl diff --git a/charts/policy-controller/Chart.yaml b/charts/policy-controller/Chart.yaml index 0ad3c0fd..58a96f79 100644 --- a/charts/policy-controller/Chart.yaml +++ b/charts/policy-controller/Chart.yaml 
@@ -8,7 +8,7 @@ sources: type: application name: policy-controller -version: 0.6.8 +version: 0.6.9 appVersion: 0.8.2 maintainers: diff --git a/charts/policy-controller/README.md b/charts/policy-controller/README.md index b9e1c651..c64cb857 100644 --- a/charts/policy-controller/README.md +++ b/charts/policy-controller/README.md 
@@ -1,77 +1,17 @@ # policy-controller -![Version: 0.6.8](https://img.shields.io/badge/Version-0.6.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.8.2](https://img.shields.io/badge/AppVersion-0.8.2-informational?style=flat-square) + + +![Version: 0.6.9](https://img.shields.io/badge/Version-0.6.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.8.2](https://img.shields.io/badge/AppVersion-0.8.2-informational?style=flat-square) The Helm chart for Policy Controller **Homepage:** -## Maintainers - -| Name | Email | Url | -| ---- | ------ | --- | -| dlorenc | | | -| hectorj2f | | | - ## Source Code * -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| commonAnnotations | object | `{}` | | -| commonNodeSelector | object | `{}` | | -| commonTolerations | list | `[]` | | -| cosign.cosignPub | string | `""` | | -| cosign.webhookName | string | `"policy.sigstore.dev"` | | -| imagePullSecrets | list | `[]` | | -| installCRDs | bool | `true` | | -| leasescleanup.image.pullPolicy | string | `"IfNotPresent"` | | -| leasescleanup.image.repository | string | `"cgr.dev/chainguard/kubectl"` | | -| leasescleanup.image.version | string | `"latest-dev"` | | -| loglevel | string | `"info"` | | -| serviceMonitor.enabled | bool | `false` | | -| webhook.configData | object | `{}` | | -| webhook.customLabels | object | `{}` | | -| webhook.env | object | `{}` | | -| webhook.extraArgs | object | `{}` | | -| webhook.failurePolicy | string | `"Fail"` | | -| webhook.image.pullPolicy | string | `"IfNotPresent"` | | -| webhook.image.repository | string | `"ghcr.io/sigstore/policy-controller/policy-controller"` | | -| webhook.image.version | string | `"sha256:f291fce5b9c1a69ba54990eda7e0fe4114043b1afefb0f4ee3e6f84ec9ef1605"` | `"v0.8.2"` | -| webhook.name | 
string | `"webhook"` | | -| webhook.namespaceSelector.matchExpressions[0].key | string | `"policy.sigstore.dev/include"` | | -| webhook.namespaceSelector.matchExpressions[0].operator | string | `"In"` | | -| webhook.namespaceSelector.matchExpressions[0].values[0] | string | `"true"` | | -| webhook.podDisruptionBudget.enabled | bool | `true` | | -| webhook.podDisruptionBudget.minAvailable | int | `1` | | -| webhook.podSecurityContext.allowPrivilegeEscalation | bool | `false` | | -| webhook.podSecurityContext.capabilities.drop[0] | string | `"ALL"` | | -| webhook.podSecurityContext.enabled | bool | `true` | | -| webhook.podSecurityContext.readOnlyRootFilesystem | bool | `true` | | -| webhook.podSecurityContext.runAsUser | int | `1000` | | -| webhook.registryCaBundle | object | `{}` | | -| webhook.replicaCount | int | `1` | | -| webhook.resources.limits.cpu | string | `"200m"` | | -| webhook.resources.limits.memory | string | `"512Mi"` | | -| webhook.resources.requests.cpu | string | `"100m"` | | -| webhook.resources.requests.memory | string | `"128Mi"` | | -| webhook.securityContext.enabled | bool | `false` | | -| webhook.securityContext.runAsUser | int | `65532` | | -| webhook.service.annotations | object | `{}` | | -| webhook.service.port | int | `443` | | -| webhook.service.type | string | `"ClusterIP"` | | -| webhook.serviceAccount.annotations | object | `{}` | | -| webhook.serviceAccount.create | bool | `true` | | -| webhook.serviceAccount.name | string | `""` | | -| webhook.volumeMounts | list | `[]` | | -| webhook.volumes | list | `[]` | | -| webhook.webhookNames.defaulting | string | `"defaulting.clusterimagepolicy.sigstore.dev"` | | -| webhook.webhookNames.validating | string | `"validating.clusterimagepolicy.sigstore.dev"` | | - - ### Deploy `policy-controller` Helm Chart Install `policy-controller` using Helm: 
@@ -182,7 +122,79 @@ Creating a deployment referencing images that are not signed will yield the foll pod/pod1-signed created ``` - ## More info You can find more information about the policy-controller in [here](https://docs.sigstore.dev/policy-controller/overview/). + +## Uninstallation + +To uninstall the Helm chart run following command. + +```shell +helm uninstall [RELEASE_NAME] +``` + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| dlorenc | | | +| hectorj2f | | | + +## Source Code + +* + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| commonAnnotations | object | `{}` | | +| commonNodeSelector | object | `{}` | | +| commonTolerations | list | `[]` | | +| cosign.cosignPub | string | `""` | | +| cosign.webhookName | string | `"policy.sigstore.dev"` | | +| imagePullSecrets | list | `[]` | | +| installCRDs | bool | `true` | | +| leasescleanup.image.pullPolicy | string | `"IfNotPresent"` | | +| leasescleanup.image.repository | string | `"cgr.dev/chainguard/kubectl"` | | +| leasescleanup.image.version | string | `"latest-dev"` | | +| loglevel | string | `"info"` | | +| serviceMonitor.enabled | bool | `false` | | +| webhook.configData | object | `{}` | | +| webhook.customLabels | object | `{}` | | +| webhook.env | object | `{}` | | +| webhook.extraArgs | object | `{}` | | +| webhook.failurePolicy | string | `"Fail"` | | +| webhook.image.pullPolicy | string | `"IfNotPresent"` | | +| webhook.image.repository | string | `"ghcr.io/sigstore/policy-controller/policy-controller"` | | +| webhook.image.version | string | `"sha256:f291fce5b9c1a69ba54990eda7e0fe4114043b1afefb0f4ee3e6f84ec9ef1605"` | | +| webhook.name | string | `"webhook"` | | +| webhook.namespaceSelector.matchExpressions[0].key | string | `"policy.sigstore.dev/include"` | | +| webhook.namespaceSelector.matchExpressions[0].operator | string | `"In"` | | +| webhook.namespaceSelector.matchExpressions[0].values[0] | string | `"true"` | | +| 
webhook.podDisruptionBudget.enabled | bool | `true` | | +| webhook.podDisruptionBudget.minAvailable | int | `1` | | +| webhook.podSecurityContext.allowPrivilegeEscalation | bool | `false` | | +| webhook.podSecurityContext.capabilities.drop[0] | string | `"ALL"` | | +| webhook.podSecurityContext.enabled | bool | `true` | | +| webhook.podSecurityContext.readOnlyRootFilesystem | bool | `true` | | +| webhook.podSecurityContext.runAsUser | int | `1000` | | +| webhook.registryCaBundle | object | `{}` | | +| webhook.replicaCount | int | `1` | | +| webhook.resources.limits.cpu | string | `"200m"` | | +| webhook.resources.limits.memory | string | `"512Mi"` | | +| webhook.resources.requests.cpu | string | `"100m"` | | +| webhook.resources.requests.memory | string | `"128Mi"` | | +| webhook.securityContext.enabled | bool | `false` | | +| webhook.securityContext.runAsUser | int | `65532` | | +| webhook.service.annotations | object | `{}` | | +| webhook.service.port | int | `443` | | +| webhook.service.type | string | `"ClusterIP"` | | +| webhook.serviceAccount.annotations | object | `{}` | | +| webhook.serviceAccount.create | bool | `true` | | +| webhook.serviceAccount.name | string | `""` | | +| webhook.volumeMounts | list | `[]` | | +| webhook.volumes | list | `[]` | | +| webhook.webhookNames.defaulting | string | `"defaulting.clusterimagepolicy.sigstore.dev"` | | +| webhook.webhookNames.validating | string | `"validating.clusterimagepolicy.sigstore.dev"` | | diff --git a/charts/policy-controller/README.md.gotmpl b/charts/policy-controller/README.md.gotmpl new file mode 100644 index 00000000..123449b5 --- /dev/null +++ b/charts/policy-controller/README.md.gotmpl 
@@ -0,0 +1,148 @@ +{{ template "chart.header" . }} + + + +{{ template "chart.deprecationWarning" . }} + +{{ template "chart.badgesSection" . }} + +{{ template "chart.description" . }} + +{{ template "chart.homepageLine" . }} + +## Source Code + +* + + +### Deploy `policy-controller` Helm Chart + +Install `policy-controller` using Helm: + +```shell +helm repo add sigstore https://sigstore.github.io/helm-charts +helm repo update +kubectl create namespace cosign-system +helm install policy-controller -n cosign-system sigstore/policy-controller --devel +``` + +The `policy-controller` enforce images matching the defined list of `ClusterImagePolicy` for the labeled namespaces. + +Note that, by default, the `policy-controller` offers a configurable behavior defining whether to allow, deny or warn whenever an image does not match a policy in a specific namespace. This behavior can be configured using the `config-policy-controller` ConfigMap created under the release namespace, and by adding an entry with the property `no-match-policy` and its value `warn|allow|deny`. +By default, any image that does not match a policy is rejected whenever `no-match-policy` is not configured in the ConfigMap. + +As supported in previous versions, you could create your own key pair: + +```shell +export COSIGN_PASSWORD= +cosign generate-key-pair +``` + +This command generates two key files `cosign.key` and `cosign.pub`. Next, create a secret to validate the signatures: + +```shell +kubectl create secret generic mysecret -n \ +cosign-system --from-file=cosign.pub=./cosign.pub +``` + +**IMPORTANT:** The `cosign.secretKeyRef` flag is not supported anymore. Finally, you could reuse your secret `mysecret` by creating a `ClusterImagePolicy` that sets it as listed authorities, as shown below. 
+ +```yaml +apiVersion: policy.sigstore.dev/v1alpha1 +kind: ClusterImagePolicy +metadata: + name: cip-key-secret +spec: + images: + - glob: "**your-desired-value**" + authorities: + - key: + secretRef: + name: mysecret +``` +#### Configuring Custom Certificate Authorities (CA) + +The `policy-controller` can be configured to use custom CAs to communicate to container registries, for example, when you have a private registry with a self-signed TLS certificate. + +To configure `policy-controller` to use custom CAs, follow these steps: + +1. Make sure the `policy-controller` namespace exists: + + ```shell + kubectl create namespace cosign-system + ``` + +2. Create a bundle file with all the root and intermediate certificates and name it `ca-bundle.crt`. + +3. Create a `ConfigMap` from the bundle: + ```shell + kubectl -n cosign-system create cm ca-bundle-config \ + --from-file=ca-bundle.crt="ca-bundle.crt" + ``` + +4. Install the `policy-controller`: + + ```shell + helm install -n cosign-system \ + --set webhook.registryCaBundle.name=ca-bundle-config \ + --set webhook.registryCaBundle.key=ca-bundle.crt \ + policy-controller sigstore/policy-controller + ``` + +### Enabling Admission control + +To enable the `policy admission webhook` to check for signed images, you will need to add the following label in each namespace that you would want the webhook triggered: + +Label: `policy.sigstore.dev/include: "true"` + +```yaml +apiVersion: v1 +kind: Namespace +metadata: + labels: + policy.sigstore.dev/include: "true" + kubernetes.io/metadata.name: my-namespace + name: my-namespace +spec: + finalizers: + - kubernetes +``` + +### Testing the webhook + +1. 
Using Unsigned Images: +Creating a deployment referencing images that are not signed will yield the following error and no resources will be created: + + ```shell + kubectl apply -f my-deployment.yaml + Error from server (BadRequest): error when creating "my-deployment.yaml": admission webhook "policy.sigstore.dev" denied the request: validation failed: invalid image signature: spec.template.spec.containers[0].image + ``` + +2. Using Signed Images: Assuming a signed `nginx` image with a tag `signed` exists on a registry, the resource will be successfully created. + + ```shell + kubectl run pod1-signed --image=< REGISTRY_USER >/nginx:signed -n testns + pod/pod1-signed created + ``` + + +## More info + +You can find more information about the policy-controller in [here](https://docs.sigstore.dev/policy-controller/overview/). + + +## Uninstallation + +To uninstall the Helm chart run following command. + +```shell +helm uninstall [RELEASE_NAME] +``` + +{{ template "chart.maintainersSection" . }} + +{{ template "chart.sourcesSection" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} From c72d880f7cb4d2dd758484a45bf7870e579f4254 Mon Sep 17 00:00:00 2001 From: cpanato Date: Thu, 18 Jul 2024 17:05:34 +0200 Subject: [PATCH 09/63] sync readme for rekor noop Signed-off-by: cpanato --- charts/rekor/Chart.yaml | 2 +- charts/rekor/README.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/rekor/Chart.yaml b/charts/rekor/Chart.yaml index 5089f03e..d0c8a135 100644 --- a/charts/rekor/Chart.yaml +++ b/charts/rekor/Chart.yaml @@ -4,7 +4,7 @@ description: Part of the sigstore project, Rekor is a timestamping server and tr type: application -version: 1.4.4 +version: 1.4.5 appVersion: 1.3.6 keywords: diff --git a/charts/rekor/README.md b/charts/rekor/README.md index 300083c1..f630c9e4 100644 --- a/charts/rekor/README.md +++ b/charts/rekor/README.md 
@@ -1,6 +1,6 @@ # rekor -![Version: 1.4.4](https://img.shields.io/badge/Version-1.4.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.6](https://img.shields.io/badge/AppVersion-1.3.6-informational?style=flat-square) +![Version: 1.4.5](https://img.shields.io/badge/Version-1.4.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.6](https://img.shields.io/badge/AppVersion-1.3.6-informational?style=flat-square) Part of the sigstore project, Rekor is a timestamping server and transparency log for storing signatures, as well as an API based server for validation @@ -230,4 +230,4 @@ Part of the sigstore project, Rekor is a timestamping server and transparency lo | trillian.namespace.name | string | `"trillian-system"` | | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) +Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) From e832e280ca7f0bf105b980369f61dbe519732201 Mon Sep 17 00:00:00 2001 From: cpanato Date: Thu, 18 Jul 2024 18:13:50 +0200 Subject: [PATCH 10/63] sync readme for tsa noop Signed-off-by: cpanato --- charts/tsa/Chart.yaml | 2 +- charts/tsa/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/tsa/Chart.yaml b/charts/tsa/Chart.yaml index b3e90539..8fea6c8d 100644 --- a/charts/tsa/Chart.yaml +++ b/charts/tsa/Chart.yaml @@ -5,7 +5,7 @@ description: | type: application -version: 1.0.3 +version: 1.0.4 appVersion: 1.2.1 keywords: diff --git a/charts/tsa/README.md b/charts/tsa/README.md index af1aa72b..541502c6 100644 --- a/charts/tsa/README.md +++ b/charts/tsa/README.md 
@@ -2,7 +2,7 @@ -![Version: 1.0.2](https://img.shields.io/badge/Version-1.0.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.2.1](https://img.shields.io/badge/AppVersion-1.2.1-informational?style=flat-square) +![Version: 1.0.4](https://img.shields.io/badge/Version-1.0.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.2.1](https://img.shields.io/badge/AppVersion-1.2.1-informational?style=flat-square) Timestamp Authority issuing RFC3161 signed timestamps. From a74a0f9a67ee7bbdc7ace029b002e95cd534adf1 Mon Sep 17 00:00:00 2001 From: cpanato Date: Thu, 18 Jul 2024 18:19:53 +0200 Subject: [PATCH 11/63] sync readme tuf noop Signed-off-by: cpanato --- charts/tuf/Chart.yaml | 2 +- charts/tuf/README.md | 7 ++++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/charts/tuf/Chart.yaml b/charts/tuf/Chart.yaml index d95e26b1..cea79ba0 100644 --- a/charts/tuf/Chart.yaml +++ b/charts/tuf/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: tuf description: A framework for securing software update systems - the scaffolding implementation type: application -version: 0.1.14 +version: 0.1.15 appVersion: "0.6.17" home: https://sigstore.dev/ diff --git a/charts/tuf/README.md b/charts/tuf/README.md index 01a14281..6fe6fddb 100644 --- a/charts/tuf/README.md +++ b/charts/tuf/README.md 
@@ -1,6 +1,6 @@ # tuf -![Version: 0.1.12](https://img.shields.io/badge/Version-0.1.12-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.6.17](https://img.shields.io/badge/AppVersion-0.6.17-informational?style=flat-square) +![Version: 0.1.15](https://img.shields.io/badge/Version-0.1.15-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.6.17](https://img.shields.io/badge/AppVersion-0.6.17-informational?style=flat-square) A framework for securing software update systems - the scaffolding implementation @@ -20,12 +20,15 @@ A framework for securing software update systems - the scaffolding implementatio | Key | Type | Default | Description | |-----|------|---------|-------------| +| deployment.affinity | object | `{}` | | | deployment.imagePullPolicy | string | `"IfNotPresent"` | | | deployment.name | string | `"tuf"` | | +| deployment.nodeSelector | object | `{}` | | | deployment.port | int | `8080` | | | deployment.registry | string | `"ghcr.io"` | | | deployment.replicas | int | `1` | | | deployment.repository | string | `"sigstore/scaffolding/server"` | | +| deployment.tolerations | list | `[]` | | | deployment.version | string | `"sha256:496b443c82be2c4a14a6e3dfbfa9ccae5b6eaedd7a3aca58b84ddae9492d9906"` | | | enabled | bool | `true` | | | forceNamespace | string | `""` | | @@ -61,3 +64,5 @@ A framework for securing software update systems - the scaffolding implementatio | service.port | int | `80` | | | serviceAccountName | string | `"tuf"` | | +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) From 09db4dfd46f67fe66ee69576e9f7469396cc8cfc Mon Sep 17 00:00:00 2001 
From: Carlos Tadeu Panato Junior Date: Thu, 18 Jul 2024 18:23:17 +0200 Subject: [PATCH 12/63] sync readme for updatetree noop (#788) Signed-off-by: cpanato --- charts/updatetree/Chart.yaml | 2 +- charts/updatetree/README.md | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/charts/updatetree/Chart.yaml b/charts/updatetree/Chart.yaml index 8e4e9172..1034d1d8 100644 --- a/charts/updatetree/Chart.yaml +++ b/charts/updatetree/Chart.yaml @@ -4,7 +4,7 @@ description: Update the status of an existing Trillian tree type: application -version: 0.0.10 +version: 0.0.11 appVersion: 0.6.17 diff --git a/charts/updatetree/README.md b/charts/updatetree/README.md index ce8471fc..41ea9050 100644 --- a/charts/updatetree/README.md +++ b/charts/updatetree/README.md @@ -1,6 +1,6 @@ # updatetree -![Version: 0.0.9](https://img.shields.io/badge/Version-0.0.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.6.17](https://img.shields.io/badge/AppVersion-0.6.17-informational?style=flat-square) +![Version: 0.0.11](https://img.shields.io/badge/Version-0.0.11-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.6.17](https://img.shields.io/badge/AppVersion-0.6.17-informational?style=flat-square) Update the status of an existing Trillian tree @@ -37,3 +37,6 @@ Update the status of an existing Trillian tree | trillian.logServer.portRPC | int | `8091` | | | trillian.namespace | string | `"trillian-system"` | | | ttlSecondsAfterFinished | int | `3600` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) From 2e3eda125cc804c67c9d117e3c41e2ffcfa869ca Mon Sep 17 00:00:00 2001 
From: Carlos Tadeu Panato Junior Date: Thu, 18 Jul 2024 18:35:11 +0200 Subject: [PATCH 13/63] Add job to test helm-docs (#780) * clean up ci jobs Signed-off-by: cpanato * update dependabot config Signed-off-by: cpanato * add makefile and job to check helm docs Signed-off-by: cpanato --------- Signed-off-by: cpanato --- .github/dependabot.yml | 6 +++++ .github/workflows/check-docs.yml | 29 +++++++++++++++++++++++ .github/workflows/release.yml | 4 +--- .github/workflows/test.yml | 5 ++-- Makefile | 40 ++++++++++++++++++++++++++++++++ 5 files changed, 78 insertions(+), 6 deletions(-) create mode 100644 .github/workflows/check-docs.yml create mode 100644 Makefile diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 5ace4600..d0dd5bca 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,6 +1,12 @@ +--- version: 2 updates: - package-ecosystem: "github-actions" directory: "/" schedule: interval: "weekly" + groups: + actions: + update-types: + - "minor" + - "patch" diff --git a/.github/workflows/check-docs.yml b/.github/workflows/check-docs.yml new file mode 100644 index 00000000..8c65d3ed --- /dev/null +++ b/.github/workflows/check-docs.yml @@ -0,0 +1,29 @@ +name: Check Helm Docs + +on: + pull_request: + paths: + - "charts/**" + +jobs: + readme: + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - name: Run Helm Docs and check the outcome + run: | + make docs + exit_code=$(git diff --exit-code) + exit ${exit_code} + + - name: Print a comment in case of failure + run: | + echo "The README.md files are not up to date. + + Please, run \"make docs\" before pushing." + exit 1 + if: | + failure() && github.event.pull_request.head.repo.full_name == github.repository diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c7e2d110..122e16b1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
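Review bot: In the `Run Helm Docs and check the outcome` step of check-docs.yml, `exit_code=$(git diff --exit-code)` stores the command's standard output rather than its status, so the step fails on a stale README only because the runner's default bash is started with `-e`, and the diff that explains the failure ends up in the variable instead of the log. Running `make docs` followed by a bare `git diff --exit-code` as the last command gives the same gate and prints the offending lines. The workflow also declares no `permissions:` block, and this job executes `make docs` from the pull request's tree with the checkout mounted into a container, so I would add a top-level `permissions:` with `contents: read` and set `persist-credentials: false` on the checkout step.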
@@ -29,8 +29,6 @@ jobs: - name: Set up Helm uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 - with: - version: v3.10.3 - name: Add dependency chart repos run: | @@ -80,4 +78,4 @@ jobs: cosign sign "ghcr.io/${GITHUB_REPOSITORY}/${chart_name}@${digest}" done env: - COSIGN_YES: true + COSIGN_YES: true diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 73479222..3a4de62b 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -16,12 +16,11 @@ jobs: - name: Set up Helm uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 - with: - version: v3.10.3 - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 with: - python-version: 3.7 + python-version: '3.x' + check-latest: true - name: Set up chart-testing uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 diff --git a/Makefile b/Makefile new file mode 100644 index 00000000..d10c2119 --- /dev/null +++ b/Makefile 
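Review bot: Dropping `with: version: v3.10.3` from the `Set up Helm` step in release.yml leaves the Helm release to whatever the pinned setup-helm action resolves by default (presumably the latest stable), so the Helm binary used by the job that later runs `cosign sign` on the charts can change between runs without any commit in this repository. The same applies to the test.yml hunk, which removes the Helm pin and moves Python from `3.7` to `'3.x'` with `check-latest: true`. If the intent is only to leave the old 3.10 line behind, I would keep an explicit current pin, e.g. `version: <helm-release-tag>` (placeholder), and bump it deliberately. Both job bodies continue outside the hunks.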
@@ -0,0 +1,40 @@ +DOCS_IMAGE_VERSION="v1.14.2" + +CHART_TESTING_IMAGE_VERSION="v3.10.1" + +# Charts's path relative to the current directory. +CHARTS := $(wildcard ./charts/*) + +CHARTS_NAMES := $(notdir $(CHARTS)) + +.PHONY: lint +lint: helm-deps-update $(addprefix lint-, $(CHARTS_NAMES)) + +lint-%: + @docker run \ + -it \ + -e HOME=/home/ct \ + --mount type=tmpfs,destination=/home/ct \ + --workdir=/data \ + --volume $$(pwd):/data \ + -u $$(id -u) \ + quay.io/helmpack/chart-testing:$(CHART_TESTING_IMAGE_VERSION) \ + ct lint --config ./ct.yaml --charts ./charts/$* + +.PHONY: docs +docs: $(addprefix docs-, $(CHARTS_NAMES)) + +docs-%: + @docker run \ + --rm \ + --workdir=/helm-docs \ + --volume "$$(pwd):/helm-docs" \ + -u $$(id -u) \ + jnorwood/helm-docs:$(DOCS_IMAGE_VERSION) \ + helm-docs -c ./charts/$* -t ./README.md.gotmpl -o ./README.md + +.PHONY: helm-deps-update +helm-deps-update: $(addprefix helm-deps-update-, $(CHARTS_NAMES)) + +helm-deps-update-%: + helm dependency update ./charts/$* From 6359bda228d0d69cfa0399609d851e954a5f3325 Mon Sep 17 00:00:00 2001 From: ian hundere <138915+ianhundere@users.noreply.github.com> Date: Thu, 18 Jul 2024 13:12:17 -0400 Subject: [PATCH 14/63] bumps trillian image for rekor chart dependency. (#779) * bumps trillian image for rekor dependency. Signed-off-by: ianhundere <138915+ianhundere@users.noreply.github.com> * runs helm-docs again after updating to 1.14.2. Signed-off-by: ianhundere <138915+ianhundere@users.noreply.github.com> --------- Signed-off-by: ianhundere <138915+ianhundere@users.noreply.github.com> --- charts/rekor/Chart.yaml | 4 ++-- charts/rekor/README.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/rekor/Chart.yaml b/charts/rekor/Chart.yaml index d0c8a135..fbd8f7f2 100644 --- a/charts/rekor/Chart.yaml +++ b/charts/rekor/Chart.yaml 
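Review bot: The `lint-%` and `docs-%` recipes pull `quay.io/helmpack/chart-testing` and `jnorwood/helm-docs` by tag only, and both containers get the working tree bind-mounted read-write; the workflows here pin actions by commit and the charts pin images by `sha256` digest, so these two images are the unpinned link, and the `docs` target is what the new check-docs workflow runs. Appending the digest to the version variables keeps the recipes unchanged, e.g. `DOCS_IMAGE_VERSION="v1.14.2@sha256:<digest-of-v1.14.2>"` (placeholder, to be taken from the registry), and likewise for `CHART_TESTING_IMAGE_VERSION`. Separately, `lint-%` passes `-it` without `--rm`, which fails when stdin is not a terminal and leaves one stopped container per chart; using `--rm` alone, as `docs-%` does, would be enough.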
@@ -4,7 +4,7 @@ description: Part of the sigstore project, Rekor is a timestamping server and tr type: application -version: 1.4.5 +version: 1.4.6 appVersion: 1.3.6 keywords: @@ -19,7 +19,7 @@ maintainers: dependencies: - name: trillian - version: 0.2.24 + version: 0.2.25 repository: https://sigstore.github.io/helm-charts condition: trillian.enabled diff --git a/charts/rekor/README.md b/charts/rekor/README.md index f630c9e4..243c2a91 100644 --- a/charts/rekor/README.md +++ b/charts/rekor/README.md @@ -1,6 +1,6 @@ # rekor -![Version: 1.4.5](https://img.shields.io/badge/Version-1.4.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.6](https://img.shields.io/badge/AppVersion-1.3.6-informational?style=flat-square) +![Version: 1.4.6](https://img.shields.io/badge/Version-1.4.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.6](https://img.shields.io/badge/AppVersion-1.3.6-informational?style=flat-square) Part of the sigstore project, Rekor is a timestamping server and transparency log for storing signatures, as well as an API based server for validation @@ -20,7 +20,7 @@ Part of the sigstore project, Rekor is a timestamping server and transparency lo | Repository | Name | Version | |------------|------|---------| -| https://sigstore.github.io/helm-charts | trillian | 0.2.24 | +| https://sigstore.github.io/helm-charts | trillian | 0.2.25 | ## Values From e4e066cc15320f8ccefb00ac83dee2ff6ba55846 Mon Sep 17 00:00:00 2001 From: Bob Callaway Date: Sun, 28 Jul 2024 12:58:06 -0400 Subject: [PATCH 15/63] bump tsa chart for 1.2.2 release Signed-off-by: Bob Callaway --- charts/tsa/Chart.yaml | 8 ++++---- charts/tsa/README.md | 4 ++-- charts/tsa/values.yaml | 6 +++--- 3 files changed, 9 insertions(+), 9 deletions(-) 
diff --git a/charts/tsa/Chart.yaml b/charts/tsa/Chart.yaml index 8fea6c8d..533a5cbb 100644 --- a/charts/tsa/Chart.yaml +++ b/charts/tsa/Chart.yaml @@ -5,8 +5,8 @@ description: | type: application -version: 1.0.4 -appVersion: 1.2.1 +version: 1.0.5 +appVersion: 1.2.2 keywords: - security @@ -21,5 +21,5 @@ annotations: artifacthub.io/license: Apache-2.0 artifacthub.io/images: | - name: tsa - # crane digest ghcr.io/sigstore/timestamp-server:v1.2.1 - image: ghcr.io/sigstore/timestamp-server@sha256:f4dcc96092a1b1fb5ca36d776f92a7cc62cdb1a8866c5120340f919141a3cd58 + # crane digest ghcr.io/sigstore/timestamp-server:v1.2.2 + image: ghcr.io/sigstore/timestamp-server@sha256:9f012408a0b2a91a0f017df419b732556a0bdd7482973dc3b87fe979e41ccc9a diff --git a/charts/tsa/README.md b/charts/tsa/README.md index 541502c6..ab3a29f1 100644 --- a/charts/tsa/README.md +++ b/charts/tsa/README.md @@ -2,7 +2,7 @@ -![Version: 1.0.4](https://img.shields.io/badge/Version-1.0.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.2.1](https://img.shields.io/badge/AppVersion-1.2.1-informational?style=flat-square) +![Version: 1.0.5](https://img.shields.io/badge/Version-1.0.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.2.2](https://img.shields.io/badge/AppVersion-1.2.2-informational?style=flat-square) Timestamp Authority issuing RFC3161 signed timestamps. 
@@ -105,7 +105,7 @@ helm uninstall [RELEASE_NAME] | server.image.pullPolicy | string | `"IfNotPresent"` | | | server.image.registry | string | `"ghcr.io"` | | | server.image.repository | string | `"sigstore/timestamp-server"` | | -| server.image.version | string | `"sha256:f4dcc96092a1b1fb5ca36d776f92a7cc62cdb1a8866c5120340f919141a3cd58"` | v1.2.1 | +| server.image.version | string | `"sha256:9f012408a0b2a91a0f017df419b732556a0bdd7482973dc3b87fe979e41ccc9a"` | v1.2.2 | | server.ingress.http.annotations | object | `{}` | | | server.ingress.http.className | string | `"nginx"` | | | server.ingress.http.enabled | bool | `true` | | diff --git a/charts/tsa/values.yaml b/charts/tsa/values.yaml index 06b5806f..8fd2c6f4 100644 --- a/charts/tsa/values.yaml +++ b/charts/tsa/values.yaml @@ -16,9 +16,9 @@ server: registry: ghcr.io repository: sigstore/timestamp-server pullPolicy: IfNotPresent - # crane digest ghcr.io/sigstore/timestamp-server:v1.2.1 - # -- v1.2.1 - version: sha256:f4dcc96092a1b1fb5ca36d776f92a7cc62cdb1a8866c5120340f919141a3cd58 + # crane digest ghcr.io/sigstore/timestamp-server:v1.2.2 + # -- v1.2.2 + version: sha256:9f012408a0b2a91a0f017df419b732556a0bdd7482973dc3b87fe979e41ccc9a args: port: 5555 # Valid values: tink, kms, file From dca417be24fdbc448dfa2e5858920384f76f3c15 Mon Sep 17 00:00:00 2001 From: Bob Callaway Date: Sun, 28 Jul 2024 13:00:05 -0400 Subject: [PATCH 16/63] bump sigstore-prober chart for 0.7.5 scaffolding release Signed-off-by: Bob Callaway --- charts/sigstore-prober/Chart.yaml | 6 +++--- charts/sigstore-prober/README.md | 4 ++-- charts/sigstore-prober/values.yaml | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/sigstore-prober/Chart.yaml b/charts/sigstore-prober/Chart.yaml index 99ab8553..d53ccb50 100644 --- a/charts/sigstore-prober/Chart.yaml +++ b/charts/sigstore-prober/Chart.yaml 
@@ -4,8 +4,8 @@ description: Sigstore API Endpoint Prober type: application -version: 0.0.25 -appVersion: 0.7.3 +version: 0.0.26 +appVersion: 0.7.5 keywords: @@ -21,4 +21,4 @@ annotations: artifacthub.io/license: Apache-2.0 artifacthub.io/images: | - name: sigstore-prober - image: ghcr.io/sigstore/scaffolding/prober:v0.7.3@sha256:efd3cc7ef479cb71c8338e3978d7a82cdc30ae5e05b01c1644ac411f8bcbb9f9 + image: ghcr.io/sigstore/scaffolding/prober:v0.7.5@sha256:84f34b256d3cd86601d3a4c48ff9579de1154c5a4b86321edbceb72d709f5c81 diff --git a/charts/sigstore-prober/README.md b/charts/sigstore-prober/README.md index 57a3d3ef..ec1a7c8a 100644 --- a/charts/sigstore-prober/README.md +++ b/charts/sigstore-prober/README.md @@ -1,6 +1,6 @@ # sigstore-prober -![Version: 0.0.25](https://img.shields.io/badge/Version-0.0.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.3](https://img.shields.io/badge/AppVersion-0.7.3-informational?style=flat-square) +![Version: 0.0.26](https://img.shields.io/badge/Version-0.0.26-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.5](https://img.shields.io/badge/AppVersion-0.7.5-informational?style=flat-square) Sigstore API Endpoint Prober @@ -30,7 +30,7 @@ Sigstore API Endpoint Prober | spec.args.rekorRequests | list | `[]` | | | spec.args.trustRekorAPIPublicKey | bool | `false` | | | spec.args.writeProber | bool | `false` | | -| spec.image | string | `"ghcr.io/sigstore/scaffolding/prober:v0.7.3@sha256:efd3cc7ef479cb71c8338e3978d7a82cdc30ae5e05b01c1644ac411f8bcbb9f9"` | | +| spec.image | string | `"ghcr.io/sigstore/scaffolding/prober:v0.7.5@sha256:84f34b256d3cd86601d3a4c48ff9579de1154c5a4b86321edbceb72d709f5c81"` | | | spec.imagePullPolicy | string | `"Always"` | | | spec.matchLabels.app | string | `"sigstore-prober"` | | | spec.replicaCount | int | `1` | | 
diff --git a/charts/sigstore-prober/values.yaml b/charts/sigstore-prober/values.yaml index 0a7934c6..fcfa11c0 100644 --- a/charts/sigstore-prober/values.yaml +++ b/charts/sigstore-prober/values.yaml @@ -6,7 +6,7 @@ serviceAccount: create: false spec: replicaCount: 1 - image: ghcr.io/sigstore/scaffolding/prober:v0.7.3@sha256:efd3cc7ef479cb71c8338e3978d7a82cdc30ae5e05b01c1644ac411f8bcbb9f9 + image: ghcr.io/sigstore/scaffolding/prober:v0.7.5@sha256:84f34b256d3cd86601d3a4c48ff9579de1154c5a4b86321edbceb72d709f5c81 imagePullPolicy: Always matchLabels: app: sigstore-prober From 5911e24975be89754e382b4cb03362ff34c3e3d7 Mon Sep 17 00:00:00 2001 From: Bob Callaway Date: Sun, 28 Jul 2024 13:03:36 -0400 Subject: [PATCH 17/63] bump ctlog chart for 0.7.5 scaffolding release Signed-off-by: Bob Callaway --- charts/ctlog/Chart.yaml | 10 +++++----- charts/ctlog/README.md | 8 ++++---- charts/ctlog/values.yaml | 12 ++++++------ 3 files changed, 15 insertions(+), 15 deletions(-) diff --git a/charts/ctlog/Chart.yaml b/charts/ctlog/Chart.yaml index 56788918..7a121f6a 100644 --- a/charts/ctlog/Chart.yaml +++ b/charts/ctlog/Chart.yaml @@ -4,8 +4,8 @@ description: Certificate Log type: application -version: 0.2.54 -appVersion: 0.6.17 +version: 0.2.55 +appVersion: 0.7.5 keywords: - security 
@@ -20,10 +20,10 @@ annotations: artifacthub.io/license: Apache-2.0 artifacthub.io/images: | - name: ct_server - image: ghcr.io/sigstore/scaffolding/ct_server:v0.6.17@sha256:e16f0a2be43a317a4c392cca24eec8c8fef06b0e836bc3545979ac0335fcf6f5 + image: ghcr.io/sigstore/scaffolding/ct_server:v0.7.5@sha256:2ba06b91757a54b1be6675a7139946730fdb4b0f743f3a269ffbefcff5098c20 - name: createctconfig - image: ghcr.io/sigstore/scaffolding/createctconfig:v0.6.17@sha256:a891233c7f54a11025a4cac6119ba4aeea4f643c2012ff30e921aeca8a32d6db + image: ghcr.io/sigstore/scaffolding/createctconfig:v0.7.5@sha256:6b66b764cd0955c18a4ba58c7ebb05704d04b9a68962d7616045325c456fab02 - name: createtree - image: ghcr.io/sigstore/scaffolding/createtree:v0.6.17@sha256:eb1a94738f34964c7456d18d30b8a45a654af89bb5371f69b2403df373be0826 + image: ghcr.io/sigstore/scaffolding/createtree:v0.7.5@sha256:ae1f37905e92c3ad47ce9c0a02942a2b794aded29755bc427bc667d18eec9088 - name: curlimages/curl image: docker.io/curlimages/curl:8.5.0@sha256:4bfa3e2c0164fb103fb9bfd4dc956facce32b6c5d47cc09fcec883ce9535d5ac diff --git a/charts/ctlog/README.md b/charts/ctlog/README.md index c3e96b20..f541080f 100644 --- a/charts/ctlog/README.md +++ b/charts/ctlog/README.md @@ -1,6 +1,6 @@ # ctlog -![Version: 0.2.54](https://img.shields.io/badge/Version-0.2.54-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.6.17](https://img.shields.io/badge/AppVersion-0.6.17-informational?style=flat-square) +![Version: 0.2.55](https://img.shields.io/badge/Version-0.2.55-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.5](https://img.shields.io/badge/AppVersion-0.7.5-informational?style=flat-square) Certificate Log 
@@ -24,7 +24,7 @@ Certificate Log | createctconfig.image.pullPolicy | string | `"IfNotPresent"` | | | createctconfig.image.registry | string | `"ghcr.io"` | | | createctconfig.image.repository | string | `"sigstore/scaffolding/createctconfig"` | | -| createctconfig.image.version | string | `"sha256:a891233c7f54a11025a4cac6119ba4aeea4f643c2012ff30e921aeca8a32d6db"` | v0.6.17 | +| createctconfig.image.version | string | `"sha256:6b66b764cd0955c18a4ba58c7ebb05704d04b9a68962d7616045325c456fab02"` | v0.7.5 | | createctconfig.initContainerImage.curl.imagePullPolicy | string | `"IfNotPresent"` | | | createctconfig.initContainerImage.curl.registry | string | `"docker.io"` | | | createctconfig.initContainerImage.curl.repository | string | `"curlimages/curl"` | | @@ -51,7 +51,7 @@ Certificate Log | createtree.image.pullPolicy | string | `"IfNotPresent"` | | | createtree.image.registry | string | `"ghcr.io"` | | | createtree.image.repository | string | `"sigstore/scaffolding/createtree"` | | -| createtree.image.version | string | `"sha256:eb1a94738f34964c7456d18d30b8a45a654af89bb5371f69b2403df373be0826"` | | +| createtree.image.version | string | `"sha256:ae1f37905e92c3ad47ce9c0a02942a2b794aded29755bc427bc667d18eec9088"` | | | createtree.name | string | `"createtree"` | | | createtree.nodeSelector | object | `{}` | | | createtree.securityContext.runAsNonRoot | bool | `true` | | @@ -73,7 +73,7 @@ Certificate Log | server.image.pullPolicy | string | `"IfNotPresent"` | | | server.image.registry | string | `"ghcr.io"` | | | server.image.repository | string | `"sigstore/scaffolding/ct_server"` | | -| server.image.version | string | `"sha256:e16f0a2be43a317a4c392cca24eec8c8fef06b0e836bc3545979ac0335fcf6f5"` | | +| server.image.version | string | `"sha256:2ba06b91757a54b1be6675a7139946730fdb4b0f743f3a269ffbefcff5098c20"` | | | server.ingress.annotations | object | `{}` | | | server.ingress.className | string | `"nginx"` | | | server.ingress.enabled | bool | `false` | | 
diff --git a/charts/ctlog/values.yaml b/charts/ctlog/values.yaml index b1351c41..edc2f52b 100644 --- a/charts/ctlog/values.yaml +++ b/charts/ctlog/values.yaml @@ -13,8 +13,8 @@ server: registry: ghcr.io repository: sigstore/scaffolding/ct_server pullPolicy: IfNotPresent - # v0.6.17 - version: sha256:e16f0a2be43a317a4c392cca24eec8c8fef06b0e836bc3545979ac0335fcf6f5 + # v0.7.5 + version: sha256:2ba06b91757a54b1be6675a7139946730fdb4b0f743f3a269ffbefcff5098c20 livenessProbe: httpGet: path: /healthz @@ -100,8 +100,8 @@ createtree: registry: ghcr.io repository: sigstore/scaffolding/createtree pullPolicy: IfNotPresent - # v0.6.17 - version: sha256:eb1a94738f34964c7456d18d30b8a45a654af89bb5371f69b2403df373be0826 + # v0.7.5 + version: sha256:ae1f37905e92c3ad47ce9c0a02942a2b794aded29755bc427bc667d18eec9088 ttlSecondsAfterFinished: 3600 serviceAccount: create: true @@ -132,8 +132,8 @@ createctconfig: registry: ghcr.io repository: sigstore/scaffolding/createctconfig pullPolicy: IfNotPresent - # -- v0.6.17 - version: sha256:a891233c7f54a11025a4cac6119ba4aeea4f643c2012ff30e921aeca8a32d6db + # -- v0.7.5 + version: sha256:6b66b764cd0955c18a4ba58c7ebb05704d04b9a68962d7616045325c456fab02 fulcioURL: "http://fulcio-server.fulcio-system.svc" logPrefix: sigstorescaffolding privateKeyPasswordSecretName: "" From 246e1dadc48ccd74c0401595be017236767dbea0 Mon Sep 17 00:00:00 2001 From: Bob Callaway Date: Sun, 28 Jul 2024 13:11:35 -0400 Subject: [PATCH 18/63] bump fulcio chart for 0.7.5 scaffolding release Signed-off-by: Bob Callaway --- charts/fulcio/Chart.yaml | 6 +++--- charts/fulcio/README.md | 6 +++--- charts/fulcio/values.yaml | 4 ++-- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/charts/fulcio/Chart.yaml b/charts/fulcio/Chart.yaml index 7f021713..5482d45a 100644 --- a/charts/fulcio/Chart.yaml +++ b/charts/fulcio/Chart.yaml @@ -5,7 +5,7 @@ description: | type: application -version: 2.3.22 +version: 2.3.23 appVersion: 1.5.1 keywords: 
@@ -19,7 +19,7 @@ maintainers: dependencies: - name: ctlog - version: 0.2.53 + version: 0.2.54 repository: https://sigstore.github.io/helm-charts condition: ctlog.enabled @@ -29,4 +29,4 @@ annotations: - name: fulcio image: gcr.io/projectsigstore/fulcio:v1.5.1@sha256:17b914c4a1d05871e3353630b3516b106b653839587aa496d0f96b6e857c8714 - name: createcerts - image: ghcr.io/sigstore/scaffolding/createcerts:v0.6.17@sha256:2aaea38198d25ee53fb1f6da79eaa75c24bcc4ef81792a68687ba2ae0dc8ccf6 + image: ghcr.io/sigstore/scaffolding/createcerts:v0.7.5@sha256:cd605e02eef0c0d70aa0b4805c6483054ab652f8ff0e9b382f06961596ef3e73 diff --git a/charts/fulcio/README.md b/charts/fulcio/README.md index 63d3bc00..e53b5711 100644 --- a/charts/fulcio/README.md +++ b/charts/fulcio/README.md @@ -2,7 +2,7 @@ -![Version: 2.3.22](https://img.shields.io/badge/Version-2.3.22-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.1](https://img.shields.io/badge/AppVersion-1.5.1-informational?style=flat-square) +![Version: 2.3.23](https://img.shields.io/badge/Version-2.3.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.1](https://img.shields.io/badge/AppVersion-1.5.1-informational?style=flat-square) Fulcio is a free code signing Certificate Authority, built to make short-lived certificates available to anyone. @@ -71,7 +71,7 @@ helm uninstall [RELEASE_NAME] | Repository | Name | Version | |------------|------|---------| -| https://sigstore.github.io/helm-charts | ctlog | 0.2.53 | +| https://sigstore.github.io/helm-charts | ctlog | 0.2.54 | ## Values 
@@ -84,7 +84,7 @@ helm uninstall [RELEASE_NAME] | createcerts.image.pullPolicy | string | `"IfNotPresent"` | | | createcerts.image.registry | string | `"ghcr.io"` | | | createcerts.image.repository | string | `"sigstore/scaffolding/createcerts"` | | -| createcerts.image.version | string | `"sha256:2aaea38198d25ee53fb1f6da79eaa75c24bcc4ef81792a68687ba2ae0dc8ccf6"` | | +| createcerts.image.version | string | `"sha256:cd605e02eef0c0d70aa0b4805c6483054ab652f8ff0e9b382f06961596ef3e73"` | | | createcerts.name | string | `"createcerts"` | | | createcerts.nodeSelector | object | `{}` | | | createcerts.replicaCount | int | `1` | | diff --git a/charts/fulcio/values.yaml b/charts/fulcio/values.yaml index 29f75751..ef7ea565 100644 --- a/charts/fulcio/values.yaml +++ b/charts/fulcio/values.yaml @@ -116,8 +116,8 @@ createcerts: registry: ghcr.io repository: sigstore/scaffolding/createcerts pullPolicy: IfNotPresent - # v0.6.17 - version: sha256:2aaea38198d25ee53fb1f6da79eaa75c24bcc4ef81792a68687ba2ae0dc8ccf6 + # v0.7.5 + version: sha256:cd605e02eef0c0d70aa0b4805c6483054ab652f8ff0e9b382f06961596ef3e73 ttlSecondsAfterFinished: 3600 serviceAccount: create: true From fbc5079305ea8bd5c58e414b3c991b762a5c35e2 Mon Sep 17 00:00:00 2001 From: Bob Callaway Date: Sun, 28 Jul 2024 13:15:12 -0400 Subject: [PATCH 19/63] ctlog to 0.2.55 Signed-off-by: Bob Callaway --- charts/fulcio/Chart.yaml | 2 +- charts/fulcio/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/fulcio/Chart.yaml b/charts/fulcio/Chart.yaml index 5482d45a..52cb2ef2 100644 --- a/charts/fulcio/Chart.yaml +++ b/charts/fulcio/Chart.yaml @@ -19,7 +19,7 @@ maintainers: dependencies: - name: ctlog - version: 0.2.54 + version: 0.2.55 repository: https://sigstore.github.io/helm-charts condition: ctlog.enabled diff --git a/charts/fulcio/README.md b/charts/fulcio/README.md index e53b5711..540312c0 100644 --- a/charts/fulcio/README.md +++ b/charts/fulcio/README.md 
@@ -71,7 +71,7 @@ helm uninstall [RELEASE_NAME] | Repository | Name | Version | |------------|------|---------| -| https://sigstore.github.io/helm-charts | ctlog | 0.2.54 | +| https://sigstore.github.io/helm-charts | ctlog | 0.2.55 | ## Values From 3e1b15307e4a0fdc6c0378840b437c9a7a51a379 Mon Sep 17 00:00:00 2001 From: Bob Callaway Date: Sun, 28 Jul 2024 13:20:29 -0400 Subject: [PATCH 20/63] bump trillian chart for latest scaffolding release (#793) --- charts/trillian/Chart.yaml | 12 ++++++------ charts/trillian/README.md | 14 +++++++------- charts/trillian/values.yaml | 22 +++++++++++----------- 3 files changed, 24 insertions(+), 24 deletions(-) diff --git a/charts/trillian/Chart.yaml b/charts/trillian/Chart.yaml index 6fad2dc7..95991607 100644 --- a/charts/trillian/Chart.yaml +++ b/charts/trillian/Chart.yaml @@ -5,7 +5,7 @@ description: | type: application -version: 0.2.25 +version: 0.2.26 appVersion: 1.6.0 keywords: 
@@ -31,12 +31,12 @@ annotations: - name: db_server image: gcr.io/trillian-opensource-ci/db_server:v1.5.3@sha256:2a685a38dd0129cceb646c232d285383f614c7e6fa51ff8f512aef78e4298461 - name: log_server - image: ghcr.io/sigstore/scaffolding/trillian_log_server:v0.6.17@sha256:34a87140ff88da3f8b83ef8f12575a5dc684afc79af880f148f45ca27f16e60e + image: ghcr.io/sigstore/scaffolding/trillian_log_server:v0.7.5@sha256:9da02afc1d475125a2205bc1a862e3f041db2ce7aec603e22d59f97e4f5845a3 - name: log_signer - image: ghcr.io/sigstore/scaffolding/trillian_log_signer:v0.6.17@sha256:ab97f7591e96e7ae1dbfea3bcc4b5f4b8ad13857e04779d8c6c2309cc432e5ce + image: ghcr.io/sigstore/scaffolding/trillian_log_signer:v0.7.5@sha256:99262641e4187f7496c033c5d407e0df4356d22ab646b44105674df9a5ca63cc - name: cloud_proxy - image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.9.0-alpine@sha256:40a7b65ad15ce73666ddf8f79a7651b59477688c27e22fd47aa59bb9b39757d9 + image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.12.0-alpine@sha256:a3843521730914f074f364c5bec608319ebeb5e66da9314ba45b16cd8223547f - name: scaffold_cloud_proxy - image: ghcr.io/sigstore/scaffolding/cloudsqlproxy:v0.6.17@sha256:7cf71a5173283a5102e4765a829205007dd171511d6f8715f45b7179411ea2e2 + image: ghcr.io/sigstore/scaffolding/cloudsqlproxy:v0.7.5@sha256:3dfbca0320a497cddd66a748b53377982c6309cb9e3c73f21d2b1bdef14730ba - name: createdb - image: ghcr.io/sigstore/scaffolding/createdb:v0.6.17@sha256:ea809b5f603764df5fb7e1f46f7e7be24b6717890c560e7e67fdb0a640a8a755 + image: ghcr.io/sigstore/scaffolding/createdb:v0.7.5@sha256:108dcdb64cff7520574f1efd63ebba71d7d4ea60fe652b0ef2b5f60ccd596042 diff --git a/charts/trillian/README.md b/charts/trillian/README.md index d246e110..14bf0637 100644 --- a/charts/trillian/README.md +++ b/charts/trillian/README.md 
@@ -2,7 +2,7 @@ -![Version: 0.2.25](https://img.shields.io/badge/Version-0.2.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.0](https://img.shields.io/badge/AppVersion-1.6.0-informational?style=flat-square) +![Version: 0.2.26](https://img.shields.io/badge/Version-0.2.26-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.0](https://img.shields.io/badge/AppVersion-1.6.0-informational?style=flat-square) Trillian is a log that stores an accurate, immutable and verifiable history of activity. @@ -46,7 +46,7 @@ helm uninstall [RELEASE_NAME] | createdb.image.pullPolicy | string | `"IfNotPresent"` | | | createdb.image.registry | string | `"ghcr.io"` | | | createdb.image.repository | string | `"sigstore/scaffolding/createdb"` | | -| createdb.image.version | string | `"sha256:ea809b5f603764df5fb7e1f46f7e7be24b6717890c560e7e67fdb0a640a8a755"` | v0.6.17 | +| createdb.image.version | string | `"sha256:108dcdb64cff7520574f1efd63ebba71d7d4ea60fe652b0ef2b5f60ccd596042"` | v0.7.5 | | createdb.name | string | `"createdb"` | | | createdb.nodeSelector | object | `{}` | | | createdb.serviceAccount.annotations | object | `{}` | | @@ -70,7 +70,7 @@ helm uninstall [RELEASE_NAME] | logServer.image.pullPolicy | string | `"IfNotPresent"` | | | logServer.image.registry | string | `"ghcr.io"` | | | logServer.image.repository | string | `"sigstore/scaffolding/trillian_log_server"` | | -| logServer.image.version | string | `"sha256:34a87140ff88da3f8b83ef8f12575a5dc684afc79af880f148f45ca27f16e60e"` | v0.6.17 | +| logServer.image.version | string | `"sha256:9da02afc1d475125a2205bc1a862e3f041db2ce7aec603e22d59f97e4f5845a3"` | v0.7.5 | | logServer.livenessProbe | object | `{}` | | | logServer.name | string | `"log-server"` | | | logServer.nodeSelector | object | `{}` | | 
@@ -99,7 +99,7 @@ helm uninstall [RELEASE_NAME] | logSigner.image.pullPolicy | string | `"IfNotPresent"` | | | logSigner.image.registry | string | `"ghcr.io"` | | | logSigner.image.repository | string | `"sigstore/scaffolding/trillian_log_signer"` | | -| logSigner.image.version | string | `"sha256:ab97f7591e96e7ae1dbfea3bcc4b5f4b8ad13857e04779d8c6c2309cc432e5ce"` | v0.6.17 | +| logSigner.image.version | string | `"sha256:99262641e4187f7496c033c5d407e0df4356d22ab646b44105674df9a5ca63cc"` | v0.7.5 | | logSigner.livenessProbe | object | `{}` | | | logSigner.name | string | `"log-signer"` | | | logSigner.nodeSelector | object | `{}` | | @@ -124,7 +124,7 @@ helm uninstall [RELEASE_NAME] | mysql.auth.username | string | `"mysql"` | | | mysql.enabled | bool | `true` | | | mysql.gcp.cloudsql.registry | string | `"gcr.io"` | | -| mysql.gcp.cloudsql.repository | string | `"cloud-sql-connectors/cloud-sql-proxy:2.9.0-alpine"` | | +| mysql.gcp.cloudsql.repository | string | `"cloud-sql-connectors/cloud-sql-proxy:2.12.0-alpine"` | | | mysql.gcp.cloudsql.resources.requests.cpu | string | `"1"` | | | mysql.gcp.cloudsql.resources.requests.memory | string | `"2Gi"` | | | mysql.gcp.cloudsql.securityContext.allowPrivilegeEscalation | bool | `false` | | 
@@ -133,7 +133,7 @@ helm uninstall [RELEASE_NAME] | mysql.gcp.cloudsql.securityContext.runAsNonRoot | bool | `true` | | | mysql.gcp.cloudsql.unixDomainSocket.enabled | bool | `false` | | | mysql.gcp.cloudsql.unixDomainSocket.path | string | `"/cloudsql"` | | -| mysql.gcp.cloudsql.version | string | `"sha256:40a7b65ad15ce73666ddf8f79a7651b59477688c27e22fd47aa59bb9b39757d9"` | crane digest gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.9.0-alpine | +| mysql.gcp.cloudsql.version | string | `"sha256:a3843521730914f074f364c5bec608319ebeb5e66da9314ba45b16cd8223547f"` | crane digest gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.12.0-alpine | | mysql.gcp.enabled | bool | `false` | | | mysql.gcp.instance | string | `""` | | | mysql.gcp.scaffoldSQLProxy.registry | string | `"ghcr.io"` | | @@ -144,7 +144,7 @@ helm uninstall [RELEASE_NAME] | mysql.gcp.scaffoldSQLProxy.securityContext.capabilities.drop[0] | string | `"ALL"` | | | mysql.gcp.scaffoldSQLProxy.securityContext.readOnlyRootFilesystem | bool | `true` | | | mysql.gcp.scaffoldSQLProxy.securityContext.runAsNonRoot | bool | `true` | | -| mysql.gcp.scaffoldSQLProxy.version | string | `"sha256:7cf71a5173283a5102e4765a829205007dd171511d6f8715f45b7179411ea2e2"` | v0.6.17 which is based on cloud-sql-proxy:2.9.0-alpine | +| mysql.gcp.scaffoldSQLProxy.version | string | `"sha256:3dfbca0320a497cddd66a748b53377982c6309cb9e3c73f21d2b1bdef14730ba"` | v0.7.5 which is based on cloud-sql-proxy:2.12.0-alpine | | mysql.hostname | string | `""` | | | mysql.image.pullPolicy | string | `"IfNotPresent"` | | | mysql.image.registry | string | `"gcr.io"` | | diff --git a/charts/trillian/values.yaml b/charts/trillian/values.yaml index ac200d84..b5fd6114 100644 --- a/charts/trillian/values.yaml +++ b/charts/trillian/values.yaml 
@@ -31,8 +31,8 @@ mysql: scaffoldSQLProxy: registry: ghcr.io repository: sigstore/scaffolding/cloudsqlproxy - # -- v0.6.17 which is based on cloud-sql-proxy:2.9.0-alpine - version: sha256:7cf71a5173283a5102e4765a829205007dd171511d6f8715f45b7179411ea2e2 + # -- v0.7.5 which is based on cloud-sql-proxy:2.12.0-alpine + version: sha256:3dfbca0320a497cddd66a748b53377982c6309cb9e3c73f21d2b1bdef14730ba resources: requests: memory: "2Gi" @@ -46,9 +46,9 @@ mysql: - ALL cloudsql: registry: gcr.io - repository: cloud-sql-connectors/cloud-sql-proxy:2.9.0-alpine - # -- crane digest gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.9.0-alpine - version: sha256:40a7b65ad15ce73666ddf8f79a7651b59477688c27e22fd47aa59bb9b39757d9 + repository: cloud-sql-connectors/cloud-sql-proxy:2.12.0-alpine + # -- crane digest gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.12.0-alpine + version: sha256:a3843521730914f074f364c5bec608319ebeb5e66da9314ba45b16cd8223547f resources: requests: memory: "2Gi" @@ -138,8 +138,8 @@ logServer: registry: ghcr.io repository: sigstore/scaffolding/trillian_log_server pullPolicy: IfNotPresent - # -- v0.6.17 - version: sha256:34a87140ff88da3f8b83ef8f12575a5dc684afc79af880f148f45ca27f16e60e + # -- v0.7.5 + version: sha256:9da02afc1d475125a2205bc1a862e3f041db2ce7aec603e22d59f97e4f5845a3 nodeSelector: {} tolerations: [] affinity: {} @@ -174,8 +174,8 @@ logSigner: registry: ghcr.io repository: sigstore/scaffolding/trillian_log_signer pullPolicy: IfNotPresent - # -- v0.6.17 - version: sha256:ab97f7591e96e7ae1dbfea3bcc4b5f4b8ad13857e04779d8c6c2309cc432e5ce + # -- v0.7.5 + version: sha256:99262641e4187f7496c033c5d407e0df4356d22ab646b44105674df9a5ca63cc nodeSelector: {} tolerations: [] affinity: {} 
@@ -204,8 +204,8 @@ createdb: registry: ghcr.io repository: sigstore/scaffolding/createdb pullPolicy: IfNotPresent - # -- v0.6.17 - version: sha256:ea809b5f603764df5fb7e1f46f7e7be24b6717890c560e7e67fdb0a640a8a755 + # -- v0.7.5 + version: sha256:108dcdb64cff7520574f1efd63ebba71d7d4ea60fe652b0ef2b5f60ccd596042 serviceAccount: create: false name: "" From 1c0625810e3b349a061af6f5ef7228cf437478b5 Mon Sep 17 00:00:00 2001 From: Bob Callaway Date: Sun, 28 Jul 2024 14:11:09 -0400 Subject: [PATCH 21/63] update updatetree chart for 0.7.5 scaffolding release (#794) --- charts/updatetree/Chart.yaml | 6 +++--- charts/updatetree/README.md | 4 ++-- charts/updatetree/values.yaml | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/updatetree/Chart.yaml b/charts/updatetree/Chart.yaml index 1034d1d8..3ab6c3dc 100644 --- a/charts/updatetree/Chart.yaml +++ b/charts/updatetree/Chart.yaml @@ -4,8 +4,8 @@ description: Update the status of an existing Trillian tree type: application -version: 0.0.11 -appVersion: 0.6.17 +version: 0.0.12 +appVersion: 0.7.5 keywords: @@ -22,4 +22,4 @@ annotations: artifacthub.io/license: Apache-2.0 artifacthub.io/images: | - name: updatetree - image: ghcr.io/sigstore/scaffolding/updatetree:v0.6.17@sha256:9fe03dde7324490cc7a84c75dfa3f1de267fc71c1a473fc67491c690e22c32ab + image: ghcr.io/sigstore/scaffolding/updatetree:v0.7.5@sha256:6931d76881035a6451353568eb5c29764cf81c3e71dc5cb512e8cd18b2b89983 diff --git a/charts/updatetree/README.md b/charts/updatetree/README.md index 41ea9050..01ca234e 100644 --- a/charts/updatetree/README.md +++ b/charts/updatetree/README.md 
@@ -1,6 +1,6 @@ # updatetree -![Version: 0.0.11](https://img.shields.io/badge/Version-0.0.11-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.6.17](https://img.shields.io/badge/AppVersion-0.6.17-informational?style=flat-square) +![Version: 0.0.12](https://img.shields.io/badge/Version-0.0.12-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.5](https://img.shields.io/badge/AppVersion-0.7.5-informational?style=flat-square) Update the status of an existing Trillian tree @@ -29,7 +29,7 @@ Update the status of an existing Trillian tree | serviceAccount.annotations | object | `{}` | | | serviceAccount.create | bool | `false` | | | serviceAccount.name | string | `"trillian-logserver"` | | -| spec.image | string | `"ghcr.io/sigstore/scaffolding/updatetree:v0.6.17@sha256:9fe03dde7324490cc7a84c75dfa3f1de267fc71c1a473fc67491c690e22c32ab"` | | +| spec.image | string | `"ghcr.io/sigstore/scaffolding/updatetree:v0.7.5@sha256:6931d76881035a6451353568eb5c29764cf81c3e71dc5cb512e8cd18b2b89983"` | | | spec.replicaCount | int | `1` | | | tolerations | list | `[]` | | | trillian.adminServer | string | `""` | | diff --git a/charts/updatetree/values.yaml b/charts/updatetree/values.yaml index 2c612dbd..21c53584 100644 --- a/charts/updatetree/values.yaml +++ b/charts/updatetree/values.yaml @@ -8,7 +8,7 @@ serviceAccount: create: false spec: replicaCount: 1 - image: ghcr.io/sigstore/scaffolding/updatetree:v0.6.17@sha256:9fe03dde7324490cc7a84c75dfa3f1de267fc71c1a473fc67491c690e22c32ab + image: ghcr.io/sigstore/scaffolding/updatetree:v0.7.5@sha256:6931d76881035a6451353568eb5c29764cf81c3e71dc5cb512e8cd18b2b89983 ttlSecondsAfterFinished: 3600 securityContext: runAsNonRoot: true From 7d6f4ecbd967d5415183ba524cde0ce41217e8fc Mon Sep 17 00:00:00 2001 
From: Bob Callaway Date: Sun, 28 Jul 2024 14:13:26 -0400 Subject: [PATCH 22/63] bump tuf chart for 0.7.5 scaffolding release (#795) --- charts/tuf/Chart.yaml | 6 +++--- charts/tuf/README.md | 4 ++-- charts/tuf/values.yaml | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/charts/tuf/Chart.yaml b/charts/tuf/Chart.yaml index cea79ba0..68d22984 100644 --- a/charts/tuf/Chart.yaml +++ b/charts/tuf/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: tuf description: A framework for securing software update systems - the scaffolding implementation type: application -version: 0.1.15 -appVersion: "0.6.17" +version: 0.1.16 +appVersion: "0.7.5" home: https://sigstore.dev/ sources: @@ -17,4 +17,4 @@ annotations: artifacthub.io/license: Apache-2.0 artifacthub.io/images: | - name: scaffolding-tuf - image: ghcr.io/sigstore/scaffolding/server:v0.6.17@sha256:496b443c82be2c4a14a6e3dfbfa9ccae5b6eaedd7a3aca58b84ddae9492d9906 + image: ghcr.io/sigstore/scaffolding/server:v0.7.5@sha256:754863e91bbc91fa752ca43df145cbee990f8df2b6a44ba4a3965e57419c8a69 diff --git a/charts/tuf/README.md b/charts/tuf/README.md index 6fe6fddb..57a1c66b 100644 --- a/charts/tuf/README.md +++ b/charts/tuf/README.md @@ -1,6 +1,6 @@ # tuf -![Version: 0.1.15](https://img.shields.io/badge/Version-0.1.15-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.6.17](https://img.shields.io/badge/AppVersion-0.6.17-informational?style=flat-square) +![Version: 0.1.16](https://img.shields.io/badge/Version-0.1.16-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.5](https://img.shields.io/badge/AppVersion-0.7.5-informational?style=flat-square) A framework for securing software update systems - the scaffolding implementation 
@@ -29,7 +29,7 @@ A framework for securing software update systems - the scaffolding implementatio | deployment.replicas | int | `1` | | | deployment.repository | string | `"sigstore/scaffolding/server"` | | | deployment.tolerations | list | `[]` | | -| deployment.version | string | `"sha256:496b443c82be2c4a14a6e3dfbfa9ccae5b6eaedd7a3aca58b84ddae9492d9906"` | | +| deployment.version | string | `"sha256:754863e91bbc91fa752ca43df145cbee990f8df2b6a44ba4a3965e57419c8a69"` | | | enabled | bool | `true` | | | forceNamespace | string | `""` | | | fullnameOverride | string | `"tuf"` | | diff --git a/charts/tuf/values.yaml b/charts/tuf/values.yaml index 74c316cf..7296eaaa 100644 --- a/charts/tuf/values.yaml +++ b/charts/tuf/values.yaml @@ -11,8 +11,8 @@ deployment: replicas: 1 registry: ghcr.io repository: sigstore/scaffolding/server - # v0.6.17 - version: sha256:496b443c82be2c4a14a6e3dfbfa9ccae5b6eaedd7a3aca58b84ddae9492d9906 + # v0.7.5 + version: sha256:754863e91bbc91fa752ca43df145cbee990f8df2b6a44ba4a3965e57419c8a69 imagePullPolicy: IfNotPresent port: 8080 tolerations: [] From 0924f29a20422270f555e5c7abd21de7b9622603 Mon Sep 17 00:00:00 2001 From: Bob Callaway Date: Sun, 28 Jul 2024 15:26:45 -0400 Subject: [PATCH 23/63] update lock Signed-off-by: Bob Callaway --- charts/fulcio/Chart.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/fulcio/Chart.lock b/charts/fulcio/Chart.lock index 1e17caad..685afe80 100644 --- a/charts/fulcio/Chart.lock +++ b/charts/fulcio/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: ctlog repository: https://sigstore.github.io/helm-charts - version: 0.2.53 -digest: sha256:84690bb522e33e91b86eb0d61028597a0744d2effcfdcc9e0e6279dac53bf139 -generated: "2024-05-24T11:12:04.997965-04:00" + version: 0.2.55 +digest: sha256:2bc954c7e7766b44e36cc1175819c1085e0edfc54e23d63291a9dab700d354ad +generated: "2024-07-28T15:26:37.286439639-04:00" From 89189023a5a6541d154e711286eec65bfb1d398f Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Jul 2024 15:54:26 +0200 Subject: [PATCH 24/63] build(deps): bump docker/login-action in the actions group (#801) Bumps the actions group with 1 update: [docker/login-action](https://github.com/docker/login-action). Updates `docker/login-action` from 3.2.0 to 3.3.0 - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/0d4c9c5ea7693da7b068278f7b52bda2a190a446...9780b0c442fbb1117ed29e0efdff1e18412f7567) --- updated-dependencies: - dependency-name: docker/login-action dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 122e16b1..68eca7d8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -59,7 +59,7 @@ jobs: done - name: Login to GitHub Container Registry - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.actor }} From 81dfcec905a6eaa642fb20a0daef994b01fc3199 Mon Sep 17 00:00:00 2001 From: Bob Callaway Date: Mon, 29 Jul 2024 10:12:35 -0400 Subject: [PATCH 25/63] bump rekor chart for 0.7.5 scaffolding release (#799) Signed-off-by: Bob Callaway --- charts/rekor/Chart.yaml | 8 ++++---- charts/rekor/README.md | 14 +++++++------- charts/rekor/values.yaml | 20 ++++++++++---------- 3 files changed, 21 insertions(+), 21 deletions(-) diff --git a/charts/rekor/Chart.yaml b/charts/rekor/Chart.yaml index fbd8f7f2..f80c4b08 100644 --- a/charts/rekor/Chart.yaml +++ b/charts/rekor/Chart.yaml 
@@ -4,7 +4,7 @@ description: Part of the sigstore project, Rekor is a timestamping server and tr type: application -version: 1.4.6 +version: 1.4.7 appVersion: 1.3.6 keywords: @@ -19,7 +19,7 @@ maintainers: dependencies: - name: trillian - version: 0.2.25 + version: 0.2.26 repository: https://sigstore.github.io/helm-charts condition: trillian.enabled @@ -27,12 +27,12 @@ annotations: artifacthub.io/license: Apache-2.0 artifacthub.io/images: | - name: createtree - image: ghcr.io/sigstore/scaffolding/createtree:v0.6.17@sha256:eb1a94738f34964c7456d18d30b8a45a654af89bb5371f69b2403df373be0826 + image: ghcr.io/sigstore/scaffolding/createtree:v0.7.5@sha256:ae1f37905e92c3ad47ce9c0a02942a2b794aded29755bc427bc667d18eec9088 - name: curlimages/curl image: docker.io/curlimages/curl:8.5.0@sha256:4bfa3e2c0164fb103fb9bfd4dc956facce32b6c5d47cc09fcec883ce9535d5ac - name: rekor-server image: gcr.io/projectsigstore/rekor-server:v1.3.6@sha256:1237f29e2105d7f5451bbe15a3aca8677ddd1bb80620ca2fd06f74262437cf51 - name: redis - image: docker.io/redis:6.2.14-alpine3.19@sha256:c5a607fb6e1bb15d32bbcf14db22787d19e428d59e31a5da67511b49bb0f1ccc + image: docker.io/redis:6.2.14-alpine3.20@sha256:e3b17ba9479deec4b7d1eeec1548a253acc5374d68d3b27937fcfe4df8d18c7e - name: backfill-redis image: ghcr.io/sigstore/rekor/backfill-redis:v1.3.6@sha256:a13cd8b2a554d6116888fd1f383cf6e91fc1716df5eda392b82e6bfc66995ec3 diff --git a/charts/rekor/README.md b/charts/rekor/README.md index 243c2a91..1b1587ca 100644 --- a/charts/rekor/README.md +++ b/charts/rekor/README.md 
@@ -1,6 +1,6 @@ # rekor -![Version: 1.4.6](https://img.shields.io/badge/Version-1.4.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.6](https://img.shields.io/badge/AppVersion-1.3.6-informational?style=flat-square) +![Version: 1.4.7](https://img.shields.io/badge/Version-1.4.7-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.6](https://img.shields.io/badge/AppVersion-1.3.6-informational?style=flat-square) Part of the sigstore project, Rekor is a timestamping server and transparency log for storing signatures, as well as an API based server for validation @@ -20,7 +20,7 @@ Part of the sigstore project, Rekor is a timestamping server and transparency lo | Repository | Name | Version | |------------|------|---------| -| https://sigstore.github.io/helm-charts | trillian | 0.2.25 | +| https://sigstore.github.io/helm-charts | trillian | 0.2.26 | ## Values @@ -48,7 +48,7 @@ Part of the sigstore project, Rekor is a timestamping server and transparency lo | createtree.image.pullPolicy | string | `"IfNotPresent"` | | | createtree.image.registry | string | `"ghcr.io"` | | | createtree.image.repository | string | `"sigstore/scaffolding/createtree"` | | -| createtree.image.version | string | `"sha256:eb1a94738f34964c7456d18d30b8a45a654af89bb5371f69b2403df373be0826"` | | +| createtree.image.version | string | `"sha256:ae1f37905e92c3ad47ce9c0a02942a2b794aded29755bc427bc667d18eec9088"` | | | createtree.name | string | `"createtree"` | | | createtree.nodeSelector | object | `{}` | | | createtree.resources | object | `{}` | | 
@@ -68,7 +68,7 @@ Part of the sigstore project, Rekor is a timestamping server and transparency lo | initContainerResources | object | `{}` | | | mysql.enabled | bool | `false` | | | mysql.gcp.cloudsql.registry | string | `"gcr.io"` | | -| mysql.gcp.cloudsql.repository | string | `"cloud-sql-connectors/cloud-sql-proxy:2.9.0-alpine"` | | +| mysql.gcp.cloudsql.repository | string | `"cloud-sql-connectors/cloud-sql-proxy:2.12.0-alpine"` | | | mysql.gcp.cloudsql.resources.requests.cpu | string | `"1"` | | | mysql.gcp.cloudsql.resources.requests.memory | string | `"2Gi"` | | | mysql.gcp.cloudsql.securityContext.allowPrivilegeEscalation | bool | `false` | | @@ -77,7 +77,7 @@ Part of the sigstore project, Rekor is a timestamping server and transparency lo | mysql.gcp.cloudsql.securityContext.runAsNonRoot | bool | `true` | | | mysql.gcp.cloudsql.unixDomainSocket.enabled | bool | `false` | | | mysql.gcp.cloudsql.unixDomainSocket.path | string | `"/cloudsql"` | | -| mysql.gcp.cloudsql.version | string | `"sha256:40a7b65ad15ce73666ddf8f79a7651b59477688c27e22fd47aa59bb9b39757d9"` | crane digest gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.9.0-alpine | +| mysql.gcp.cloudsql.version | string | `"sha256:a3843521730914f074f364c5bec608319ebeb5e66da9314ba45b16cd8223547f"` | crane digest gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.12.0-alpine | | mysql.gcp.enabled | bool | `false` | | | mysql.gcp.instance | string | `""` | | | mysql.gcp.scaffoldSQLProxy.registry | string | `"ghcr.io"` | | 
@@ -88,7 +88,7 @@ Part of the sigstore project, Rekor is a timestamping server and transparency lo | mysql.gcp.scaffoldSQLProxy.securityContext.capabilities.drop[0] | string | `"ALL"` | | | mysql.gcp.scaffoldSQLProxy.securityContext.readOnlyRootFilesystem | bool | `true` | | | mysql.gcp.scaffoldSQLProxy.securityContext.runAsNonRoot | bool | `true` | | -| mysql.gcp.scaffoldSQLProxy.version | string | `"sha256:7cf71a5173283a5102e4765a829205007dd171511d6f8715f45b7179411ea2e2"` | v0.6.17 which is based on cloud-sql-proxy:2.9.0-alpine | +| mysql.gcp.scaffoldSQLProxy.version | string | `"sha256:3dfbca0320a497cddd66a748b53377982c6309cb9e3c73f21d2b1bdef14730ba"` | v0.7.5 which is based on cloud-sql-proxy:2.12.0-alpine | | mysql.hostname | string | `""` | | | mysql.image.pullPolicy | string | `"IfNotPresent"` | | | mysql.image.registry | string | `"gcr.io"` | | @@ -109,7 +109,7 @@ Part of the sigstore project, Rekor is a timestamping server and transparency lo | redis.image.pullPolicy | string | `"IfNotPresent"` | | | redis.image.registry | string | `"docker.io"` | | | redis.image.repository | string | `"redis"` | | -| redis.image.version | string | `"sha256:c5a607fb6e1bb15d32bbcf14db22787d19e428d59e31a5da67511b49bb0f1ccc"` | 6.2.14-alpine3.19 | +| redis.image.version | string | `"sha256:e3b17ba9479deec4b7d1eeec1548a253acc5374d68d3b27937fcfe4df8d18c7e"` | 6.2.14-alpine3.20 | | redis.name | string | `"redis"` | | | redis.nodeSelector | object | `{}` | | | redis.port | int | `6379` | | diff --git a/charts/rekor/values.yaml b/charts/rekor/values.yaml index e04de60f..c47c7568 100644 --- a/charts/rekor/values.yaml +++ b/charts/rekor/values.yaml 
@@ -27,8 +27,8 @@ redis: registry: docker.io repository: redis pullPolicy: IfNotPresent - # -- 6.2.14-alpine3.19 - version: "sha256:c5a607fb6e1bb15d32bbcf14db22787d19e428d59e31a5da67511b49bb0f1ccc" + # -- 6.2.14-alpine3.20 + version: "sha256:e3b17ba9479deec4b7d1eeec1548a253acc5374d68d3b27937fcfe4df8d18c7e" resources: {} readinessProbe: initialDelaySeconds: 5 @@ -64,8 +64,8 @@ mysql: scaffoldSQLProxy: registry: ghcr.io repository: sigstore/scaffolding/cloudsqlproxy - # -- v0.6.17 which is based on cloud-sql-proxy:2.9.0-alpine - version: sha256:7cf71a5173283a5102e4765a829205007dd171511d6f8715f45b7179411ea2e2 + # -- v0.7.5 which is based on cloud-sql-proxy:2.12.0-alpine + version: sha256:3dfbca0320a497cddd66a748b53377982c6309cb9e3c73f21d2b1bdef14730ba resources: requests: memory: "2Gi" @@ -79,9 +79,9 @@ mysql: - ALL cloudsql: registry: gcr.io - repository: cloud-sql-connectors/cloud-sql-proxy:2.9.0-alpine - # -- crane digest gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.9.0-alpine - version: sha256:40a7b65ad15ce73666ddf8f79a7651b59477688c27e22fd47aa59bb9b39757d9 + repository: cloud-sql-connectors/cloud-sql-proxy:2.12.0-alpine + # -- crane digest gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.12.0-alpine + version: sha256:a3843521730914f074f364c5bec608319ebeb5e66da9314ba45b16cd8223547f resources: requests: memory: "2Gi" @@ -227,8 +227,8 @@ createtree: registry: ghcr.io repository: sigstore/scaffolding/createtree pullPolicy: IfNotPresent - # v0.6.17 - version: sha256:eb1a94738f34964c7456d18d30b8a45a654af89bb5371f69b2403df373be0826 + # v0.7.5 + version: sha256:ae1f37905e92c3ad47ce9c0a02942a2b794aded29755bc427bc667d18eec9088 ttlSecondsAfterFinished: 3600 serviceAccount: create: true @@ -251,7 +251,7 @@ backfillredis: registry: ghcr.io repository: sigstore/rekor/backfill-redis pullPolicy: IfNotPresent - # v1.3.5 + # v1.3.6 version: sha256:a13cd8b2a554d6116888fd1f383cf6e91fc1716df5eda392b82e6bfc66995ec3 ttlSecondsAfterFinished: 3600 securityContext: 
From 578b6c33a933da40dd1969b305dc73cf3d749d46 Mon Sep 17 00:00:00 2001 From: Bob Callaway Date: Mon, 29 Jul 2024 10:34:51 -0400 Subject: [PATCH 26/63] bump scaffold chart for scaffolding 0.7.5 release (#802) Signed-off-by: Bob Callaway --- charts/scaffold/Chart.lock | 16 ++++++++-------- charts/scaffold/Chart.yaml | 14 +++++++------- charts/scaffold/README.md | 14 +++++++------- 3 files changed, 22 insertions(+), 22 deletions(-) diff --git a/charts/scaffold/Chart.lock b/charts/scaffold/Chart.lock index 8facd63d..f7095293 100644 --- a/charts/scaffold/Chart.lock +++ b/charts/scaffold/Chart.lock @@ -1,21 +1,21 @@ dependencies: - name: fulcio repository: https://sigstore.github.io/helm-charts - version: 2.3.22 + version: 2.3.23 - name: rekor repository: https://sigstore.github.io/helm-charts - version: 1.4.2 + version: 1.4.7 - name: trillian repository: https://sigstore.github.io/helm-charts - version: 0.2.24 + version: 0.2.26 - name: ctlog repository: https://sigstore.github.io/helm-charts - version: 0.2.53 + version: 0.2.55 - name: tuf repository: https://sigstore.github.io/helm-charts - version: 0.1.14 + version: 0.1.16 - name: tsa repository: https://sigstore.github.io/helm-charts - version: 1.0.3 -digest: sha256:8054d64b1dedeac40ac587c36fa182f688248a49fc0fc6f4f6d2c4972eacb369 -generated: "2024-07-11T15:25:39.544491+02:00" + version: 1.0.5 +digest: sha256:3da6c2ff3831ab3134513d5d933ac6dece3dbf3dca3c9fbbd0edf244d54fbfeb +generated: "2024-07-29T10:18:41.261446449-04:00" diff --git a/charts/scaffold/Chart.yaml b/charts/scaffold/Chart.yaml index 58679a0a..d0f118ee 100644 --- a/charts/scaffold/Chart.yaml +++ b/charts/scaffold/Chart.yaml @@ -4,7 +4,7 @@ description: Scaffolding the components of the sigstore architecture type: application -version: 0.6.53 +version: 0.6.54 keywords: - security - pki 
@@ -16,27 +16,27 @@ maintainers: dependencies: - name: fulcio - version: 2.3.22 + version: 2.3.23 repository: https://sigstore.github.io/helm-charts condition: fulcio.enabled - name: rekor - version: 1.4.2 + version: 1.4.7 repository: https://sigstore.github.io/helm-charts condition: rekor.enabled - name: trillian - version: 0.2.24 + version: 0.2.26 repository: https://sigstore.github.io/helm-charts condition: trillian.enabled - name: ctlog - version: 0.2.53 + version: 0.2.55 repository: https://sigstore.github.io/helm-charts condition: ctlog.enabled - name: tuf - version: 0.1.14 + version: 0.1.16 repository: https://sigstore.github.io/helm-charts condition: tuf.enabled - name: tsa - version: 1.0.3 + version: 1.0.5 repository: https://sigstore.github.io/helm-charts condition: tsa.enabled diff --git a/charts/scaffold/README.md b/charts/scaffold/README.md index 6caf893b..ab032d7d 100644 --- a/charts/scaffold/README.md +++ b/charts/scaffold/README.md @@ -2,7 +2,7 @@ -![Version: 0.6.53](https://img.shields.io/badge/Version-0.6.53-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.6.54](https://img.shields.io/badge/Version-0.6.54-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) Scaffolding the components of the sigstore architecture 
@@ -36,12 +36,12 @@ helm uninstall [RELEASE_NAME] | Repository | Name | Version | |------------|------|---------| -| https://sigstore.github.io/helm-charts | ctlog | 0.2.53 | -| https://sigstore.github.io/helm-charts | fulcio | 2.3.22 | -| https://sigstore.github.io/helm-charts | rekor | 1.4.2 | -| https://sigstore.github.io/helm-charts | trillian | 0.2.24 | -| https://sigstore.github.io/helm-charts | tsa | 1.0.3 | -| https://sigstore.github.io/helm-charts | tuf | 0.1.14 | +| https://sigstore.github.io/helm-charts | ctlog | 0.2.55 | +| https://sigstore.github.io/helm-charts | fulcio | 2.3.23 | +| https://sigstore.github.io/helm-charts | rekor | 1.4.7 | +| https://sigstore.github.io/helm-charts | trillian | 0.2.26 | +| https://sigstore.github.io/helm-charts | tsa | 1.0.5 | +| https://sigstore.github.io/helm-charts | tuf | 0.1.16 | ## Values From babc526be3d3ea906b41c7dc87d5cf5c995d9f32 Mon Sep 17 00:00:00 2001 From: Javan lacerda Date: Tue, 23 Jul 2024 22:57:37 +0000 Subject: [PATCH 27/63] adding support for yaml on fulcio config Signed-off-by: Javan lacerda --- charts/fulcio/templates/fulcio-configmap.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/charts/fulcio/templates/fulcio-configmap.yaml b/charts/fulcio/templates/fulcio-configmap.yaml index f8d30721..e77c71f3 100644 --- a/charts/fulcio/templates/fulcio-configmap.yaml +++ b/charts/fulcio/templates/fulcio-configmap.yaml 
@@ -6,8 +6,17 @@ metadata: labels: {{- include "fulcio.labels" . | nindent 4 }} data: +# We now expect a new field "format" for checking the format of the +# config's content. +# If the field format is empty, the default case is consider that is a +# json or is empty and should use the defaults as defined on the file _helpers.tpl +{{- if and (eq .Values.config.format "yaml") (.Values.config.contents) -}} + config.yaml: |- + {{ toYaml .Values.config.contents | indent 2 }} +{{- else -}} config.json: |- {{ include "fulcio.configmap.contents" . | indent 4 }} +{{- end }} {{- if (eq .Values.server.args.certificateAuthority "kmsca")}} chain.pem: {{.Values.server.args.kms_cert_chain | quote }} {{- end }} From 585305c6a7f6418b2bb11ae274faa2f4590e4679 Mon Sep 17 00:00:00 2001 From: Javan lacerda Date: Tue, 23 Jul 2024 23:11:27 +0000 Subject: [PATCH 28/63] bump fulccio chart to 2.4.0 Signed-off-by: Javan lacerda --- charts/fulcio/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/fulcio/Chart.yaml b/charts/fulcio/Chart.yaml index 52cb2ef2..8f83d4b6 100644 --- a/charts/fulcio/Chart.yaml +++ b/charts/fulcio/Chart.yaml @@ -5,7 +5,7 @@ description: | type: application -version: 2.3.23 +version: 2.4.0 appVersion: 1.5.1 keywords: From d5ad63542a4bcd785fd4aa3a50ca912353a30ba7 Mon Sep 17 00:00:00 2001 From: Javan lacerda Date: Tue, 23 Jul 2024 23:53:01 +0000 Subject: [PATCH 29/63] conform checklist Signed-off-by: Javan lacerda --- charts/fulcio/README.md | 3 ++- charts/fulcio/templates/fulcio-configmap.yaml | 4 +++- charts/fulcio/values.schema.json | 3 +++ charts/fulcio/values.yaml | 1 + 4 files changed, 9 insertions(+), 2 deletions(-) diff --git a/charts/fulcio/README.md b/charts/fulcio/README.md index 540312c0..2e66b47d 100644 --- a/charts/fulcio/README.md +++ b/charts/fulcio/README.md 
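Review bot: The right-hand trim in `{{- if and (eq .Values.config.format "yaml") (.Values.config.contents) -}}` and in `{{- else -}}` removes the whitespace on both sides of the action, so the `config.yaml: |-` / `config.json: |-` key that follows appears to be glued onto the preceding `# ... _helpers.tpl` comment line and would render as part of that comment. Drop the trailing dash (`{{- if ... }}`, `{{- else }}`), or turn the explanatory lines into a template comment (`{{/* ... */}}`) so they never reach the rendered manifest. The `{{ toYaml .Values.config.contents | indent 2 }}` line also looks under-indented for a block scalar below a two-space key once the contents span more than one line; `{{- toYaml .Values.config.contents | nindent 4 }}` keeps every line inside the scalar, and the same applies to the `{{ toYaml . | indent 2 }}` form in the later "conform checklist" commit. Since this ConfigMap carries the CA's configuration, rendering both formats with `helm template` and checking the resulting keys is worth doing before the chart is released.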
@@ -2,7 +2,7 @@ -![Version: 2.3.23](https://img.shields.io/badge/Version-2.3.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.1](https://img.shields.io/badge/AppVersion-1.5.1-informational?style=flat-square) +![Version: 2.4.0](https://img.shields.io/badge/Version-2.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.1](https://img.shields.io/badge/AppVersion-1.5.1-informational?style=flat-square) Fulcio is a free code signing Certificate Authority, built to make short-lived certificates available to anyone. @@ -78,6 +78,7 @@ helm uninstall [RELEASE_NAME] | Key | Type | Default | Description | |-----|------|---------|-------------| | config.contents | object | `{}` | | +| config.format | string | `"json"` | | | createcerts.affinity | object | `{}` | | | createcerts.annotations | object | `{}` | | | createcerts.enabled | bool | `true` | | diff --git a/charts/fulcio/templates/fulcio-configmap.yaml b/charts/fulcio/templates/fulcio-configmap.yaml index e77c71f3..2bbcfe85 100644 --- a/charts/fulcio/templates/fulcio-configmap.yaml +++ b/charts/fulcio/templates/fulcio-configmap.yaml @@ -11,8 +11,10 @@ data: # If the field format is empty, the default case is consider that is a # json or is empty and should use the defaults as defined on the file _helpers.tpl {{- if and (eq .Values.config.format "yaml") (.Values.config.contents) -}} + {{- with .Values.config.contents }} config.yaml: |- - {{ toYaml .Values.config.contents | indent 2 }} + {{ toYaml . | indent 2 }} + {{- end }} {{- else -}} config.json: |- {{ include "fulcio.configmap.contents" . | indent 4 }} diff --git a/charts/fulcio/values.schema.json b/charts/fulcio/values.schema.json index b653bcbb..f2957120 100644 --- a/charts/fulcio/values.schema.json +++ b/charts/fulcio/values.schema.json 
@@ -6,6 +6,9 @@ "contents": { "properties": {}, "type": "object" + }, + "format": { + "type": "string" } }, "type": "object" diff --git a/charts/fulcio/values.yaml b/charts/fulcio/values.yaml index ef7ea565..2c5b2437 100644 --- a/charts/fulcio/values.yaml +++ b/charts/fulcio/values.yaml @@ -6,6 +6,7 @@ imagePullSecrets: [] config: contents: {} + format: json server: replicaCount: 1 From ad664ff1366d4b27b0ab42daf5f19de1f1a7f240 Mon Sep 17 00:00:00 2001 From: Javan lacerda Date: Fri, 26 Jul 2024 09:17:45 +0000 Subject: [PATCH 30/63] checking config format to set config path Signed-off-by: Javan lacerda --- charts/fulcio/templates/fulcio-deployment.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/charts/fulcio/templates/fulcio-deployment.yaml b/charts/fulcio/templates/fulcio-deployment.yaml index 41529882..1d09fd1a 100644 --- a/charts/fulcio/templates/fulcio-deployment.yaml +++ b/charts/fulcio/templates/fulcio-deployment.yaml @@ -63,6 +63,7 @@ spec: - "--kms-cert-chain-path=/etc/fulcio-config/chain.pem" {{- end }} - "--ct-log-url={{ if .Values.server.args.disable_ct_log }}{{ else if .Values.server.args.ct_log_url }}{{ .Values.server.args.ct_log_url }}{{ else }}http://{{ .Values.ctlog.name }}.{{ .Values.ctlog.namespace.name }}.svc/{{ .Values.ctlog.createctconfig.logPrefix }}{{ end }}" + - --config-path=/etc/fulcio-config/config.{{- if and (eq .Values.config.format "yaml") (.Values.config.contents) -}}yaml{{- else }}json{{- end }} {{- if .Values.server.grpcSvcTLS }} - "--grpc-tls-certificate=/var/run/grpc-tls/cert.pem" - "--grpc-tls-key=/var/run/grpc-tls/key.pem" From 11237dd4322a61b137c075333d9f02e74aa59738 Mon Sep 17 00:00:00 2001 From: Javan lacerda Date: Mon, 29 Jul 2024 17:23:13 +0000 Subject: [PATCH 31/63] adding single quotation mark Signed-off-by: Javan lacerda --- charts/fulcio/templates/fulcio-deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
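Review bot: The new `format` property in `values.schema.json` accepts any string, so a misspelt value such as `yml` passes schema validation and the templates then take their non-`yaml` branch without any error. Constraining it in the schema makes the mistake fail at install time: `"format": { "type": "string", "enum": ["json", "yaml"] }`. If an empty value has to stay valid, as the comment in the ConfigMap template suggests, add `""` to the list.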
diff --git a/charts/fulcio/templates/fulcio-deployment.yaml b/charts/fulcio/templates/fulcio-deployment.yaml index 1d09fd1a..c7410807 100644 --- a/charts/fulcio/templates/fulcio-deployment.yaml +++ b/charts/fulcio/templates/fulcio-deployment.yaml @@ -63,7 +63,7 @@ spec: - "--kms-cert-chain-path=/etc/fulcio-config/chain.pem" {{- end }} - "--ct-log-url={{ if .Values.server.args.disable_ct_log }}{{ else if .Values.server.args.ct_log_url }}{{ .Values.server.args.ct_log_url }}{{ else }}http://{{ .Values.ctlog.name }}.{{ .Values.ctlog.namespace.name }}.svc/{{ .Values.ctlog.createctconfig.logPrefix }}{{ end }}" - - --config-path=/etc/fulcio-config/config.{{- if and (eq .Values.config.format "yaml") (.Values.config.contents) -}}yaml{{- else }}json{{- end }} + - '--config-path=/etc/fulcio-config/config.{{- if and (eq .Values.config.format "yaml") (.Values.config.contents) -}}yaml{{- else }}json{{- end }}' {{- if .Values.server.grpcSvcTLS }} - "--grpc-tls-certificate=/var/run/grpc-tls/cert.pem" - "--grpc-tls-key=/var/run/grpc-tls/key.pem" From 3afa1f3995b5e62f503b496436ad038e90db110b Mon Sep 17 00:00:00 2001 From: Matt Moore Date: Wed, 31 Jul 2024 20:28:57 -0700 Subject: [PATCH 32/63] Drop the `.cluster.local` suffix While this is the standard suffix, it is configurable and not necessarily accurate. Just using `.svc` and relying on ndots it used elsewhere through the helm chart, so drop the qualification here. Signed-off-by: Matt Moore --- charts/scaffold/Chart.yaml | 2 +- charts/scaffold/README.md | 2 +- charts/scaffold/templates/copy-secrets-job.yaml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/scaffold/Chart.yaml b/charts/scaffold/Chart.yaml index d0f118ee..aa51e979 100644 --- a/charts/scaffold/Chart.yaml +++ b/charts/scaffold/Chart.yaml @@ -4,7 +4,7 @@ description: Scaffolding the components of the sigstore architecture type: application -version: 0.6.54 +version: 0.6.55 keywords: - security - pki 
diff --git a/charts/scaffold/README.md b/charts/scaffold/README.md index ab032d7d..e06cdde0 100644 --- a/charts/scaffold/README.md +++ b/charts/scaffold/README.md @@ -2,7 +2,7 @@ -![Version: 0.6.54](https://img.shields.io/badge/Version-0.6.54-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.6.55](https://img.shields.io/badge/Version-0.6.55-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) Scaffolding the components of the sigstore architecture diff --git a/charts/scaffold/templates/copy-secrets-job.yaml b/charts/scaffold/templates/copy-secrets-job.yaml index 734dfd72..98eb23af 100644 --- a/charts/scaffold/templates/copy-secrets-job.yaml +++ b/charts/scaffold/templates/copy-secrets-job.yaml @@ -52,7 +52,7 @@ spec: command: ["/bin/sh"] args: [ "-c", - "curl {{ .Values.rekor.server.fullnameOverride}}.{{ .Values.rekor.namespace.name }}.svc.cluster.local/api/v1/log/publicKey -o /tmp/key -v && kubectl create secret generic {{ .Values.tuf.secrets.rekor.name }} --from-file=key=/tmp/key" + "curl {{ .Values.rekor.server.fullnameOverride}}.{{ .Values.rekor.namespace.name }}.svc/api/v1/log/publicKey -o /tmp/key -v && kubectl create secret generic {{ .Values.tuf.secrets.rekor.name }} --from-file=key=/tmp/key" ] - name: copy-fulcio-secret image: {{ template "scaffold.image" .Values.copySecretJob }} 
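Review bot: The `curl` in the `args` line touched here runs without `--fail`, so an HTTP error response from Rekor still exits 0, the error body is written to `/tmp/key`, and `kubectl create secret generic` stores it as the key. Adding the flag, `curl --fail … .svc/api/v1/log/publicKey -o /tmp/key -v && kubectl create secret generic …`, makes the job fail instead of publishing a bad secret; the `@@ -76,7 +76,7 @@` hunk has the same pattern for the TSA cert chain. The URL also carries no scheme, so the fetch goes over plain HTTP, which deserves a comment if these secrets are later consumed as trust material. The container spec this line belongs to starts outside the hunk.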
@@ -76,7 +76,7 @@ spec: command: ["/bin/sh"] args: [ "-c", - "curl {{ .Values.tsa.server.fullnameOverride}}.{{ .Values.tsa.namespace.name }}.svc.cluster.local/api/v1/timestamp/certchain -o /tmp/cert-chain -v && kubectl create secret generic {{ .Values.tuf.secrets.tsa.name }} --from-file=cert-chain=/tmp/cert-chain" + "curl {{ .Values.tsa.server.fullnameOverride}}.{{ .Values.tsa.namespace.name }}.svc/api/v1/timestamp/certchain -o /tmp/cert-chain -v && kubectl create secret generic {{ .Values.tuf.secrets.tsa.name }} --from-file=cert-chain=/tmp/cert-chain" ] {{- if .Values.copySecretJob.nodeSelector }} nodeSelector: From a092a069310cf151c73379a64606fa9ef6564545 Mon Sep 17 00:00:00 2001 From: Javan lacerda Date: Wed, 31 Jul 2024 16:47:20 +0000 Subject: [PATCH 33/63] create helper for fulcio config yaml Signed-off-by: Javan lacerda --- charts/fulcio/Chart.yaml | 2 +- charts/fulcio/README.md | 2 +- charts/fulcio/templates/_helpers.tpl | 19 +++++++++++++++++++ charts/fulcio/templates/fulcio-configmap.yaml | 8 +++----- 4 files changed, 24 insertions(+), 7 deletions(-) diff --git a/charts/fulcio/Chart.yaml b/charts/fulcio/Chart.yaml index 8f83d4b6..97560d43 100644 --- a/charts/fulcio/Chart.yaml +++ b/charts/fulcio/Chart.yaml @@ -5,7 +5,7 @@ description: | type: application -version: 2.4.0 +version: 2.4.1 appVersion: 1.5.1 keywords: diff --git a/charts/fulcio/README.md b/charts/fulcio/README.md index 2e66b47d..bb23b51c 100644 --- a/charts/fulcio/README.md +++ b/charts/fulcio/README.md 
@@ -2,7 +2,7 @@ -![Version: 2.4.0](https://img.shields.io/badge/Version-2.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.1](https://img.shields.io/badge/AppVersion-1.5.1-informational?style=flat-square) +![Version: 2.4.1](https://img.shields.io/badge/Version-2.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.1](https://img.shields.io/badge/AppVersion-1.5.1-informational?style=flat-square) Fulcio is a free code signing Certificate Authority, built to make short-lived certificates available to anyone. diff --git a/charts/fulcio/templates/_helpers.tpl b/charts/fulcio/templates/_helpers.tpl index 5eb25f0b..7ed42094 100644 --- a/charts/fulcio/templates/_helpers.tpl +++ b/charts/fulcio/templates/_helpers.tpl @@ -173,3 +173,22 @@ Return the contents for fulcio config. } {{- end -}} {{- end -}} + +{{/* +Return the contents for fulcio config yaml format. +*/}} +{{- define "fulcio.configmap.yaml" -}} +{{- if .Values.config.contents -}} +{{- toYaml .Values.config.contents }} +{{- else -}} +oidc-issuers: + https://kubernetes.default.svc: + issuer-url: https://kubernetes.default.svc + client-id: sigstore + type: kubernetes +meta-issuers: + https://kubernetes.*.svc: + client-id: sigstore + type: kubernetes +{{- end -}} +{{- end -}} diff --git a/charts/fulcio/templates/fulcio-configmap.yaml b/charts/fulcio/templates/fulcio-configmap.yaml index 2bbcfe85..00c5d5fd 100644 --- a/charts/fulcio/templates/fulcio-configmap.yaml +++ b/charts/fulcio/templates/fulcio-configmap.yaml 
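Review bot: The comment above `fulcio.configmap.yaml` does not say that an empty `.Values.config.contents` makes the helper emit a built-in issuer set, including the wildcard meta-issuer `https://kubernetes.*.svc`. The rendered file appears to define which OIDC issuers the CA accepts, so an operator who sets `config.format: yaml` without contents should be able to see that fallback without reading the template. I would extend the comment to something like `Return the fulcio config in YAML. When .Values.config.contents is empty, fall back to the Kubernetes issuer defaults below.` and give `config.format` and `config.contents` a description in the values table, where both rows are blank.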
@@ -10,12 +10,10 @@ data: # config's content. # If the field format is empty, the default case is consider that is a # json or is empty and should use the defaults as defined on the file _helpers.tpl -{{- if and (eq .Values.config.format "yaml") (.Values.config.contents) -}} - {{- with .Values.config.contents }} +{{- if eq .Values.config.format "yaml"}} config.yaml: |- - {{ toYaml . | indent 2 }} - {{- end }} -{{- else -}} +{{ include "fulcio.configmap.yaml" . | indent 4 }} +{{- else }} config.json: |- {{ include "fulcio.configmap.contents" . | indent 4 }} {{- end }} From 0ed778e05631bbe2f7c8fb82e88bfcffb73fdc8c Mon Sep 17 00:00:00 2001 From: Javan lacerda Date: Fri, 2 Aug 2024 16:48:05 +0000 Subject: [PATCH 34/63] remove and Signed-off-by: Javan lacerda --- charts/fulcio/templates/fulcio-deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/fulcio/templates/fulcio-deployment.yaml b/charts/fulcio/templates/fulcio-deployment.yaml index c7410807..7682b38c 100644 --- a/charts/fulcio/templates/fulcio-deployment.yaml +++ b/charts/fulcio/templates/fulcio-deployment.yaml @@ -63,7 +63,7 @@ spec: - "--kms-cert-chain-path=/etc/fulcio-config/chain.pem" {{- end }} - "--ct-log-url={{ if .Values.server.args.disable_ct_log }}{{ else if .Values.server.args.ct_log_url }}{{ .Values.server.args.ct_log_url }}{{ else }}http://{{ .Values.ctlog.name }}.{{ .Values.ctlog.namespace.name }}.svc/{{ .Values.ctlog.createctconfig.logPrefix }}{{ end }}" - - '--config-path=/etc/fulcio-config/config.{{- if and (eq .Values.config.format "yaml") (.Values.config.contents) -}}yaml{{- else }}json{{- end }}' + - '--config-path=/etc/fulcio-config/config.{{- if eq .Values.config.format "yaml"}}yaml{{- else }}json{{- end }}' {{- if .Values.server.grpcSvcTLS }} - "--grpc-tls-certificate=/var/run/grpc-tls/cert.pem" - "--grpc-tls-key=/var/run/grpc-tls/key.pem" From e5aa74a272a041eefd967bd8cc68e9bccd1fe448 Mon Sep 17 00:00:00 2001 
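Review bot: The `--config-path` line in `fulcio-deployment.yaml` repeats the `eq .Values.config.format "yaml"` test that `fulcio-configmap.yaml` uses to pick the key name, and the two copies have to agree or the server is pointed at a file the ConfigMap does not contain. A small named template in `_helpers.tpl` that returns the file name and is used in both places would remove that coupling, for example (suggested name) `{{- define "fulcio.configmap.filename" -}}config.{{ if eq .Values.config.format "yaml" }}yaml{{ else }}json{{ end }}{{- end -}}`. The surrounding `args` list starts and ends outside the hunk.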
From: Javan lacerda Date: Fri, 2 Aug 2024 20:06:58 +0000 Subject: [PATCH 35/63] bump fulcio ffor scaffolding Signed-off-by: Javan lacerda --- charts/scaffold/Chart.lock | 6 +++--- charts/scaffold/Chart.yaml | 4 ++-- charts/scaffold/README.md | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/charts/scaffold/Chart.lock b/charts/scaffold/Chart.lock index f7095293..0aba590c 100644 --- a/charts/scaffold/Chart.lock +++ b/charts/scaffold/Chart.lock @@ -1,7 +1,7 @@ dependencies: - name: fulcio repository: https://sigstore.github.io/helm-charts - version: 2.3.23 + version: 2.4.1 - name: rekor repository: https://sigstore.github.io/helm-charts version: 1.4.7 @@ -17,5 +17,5 @@ dependencies: - name: tsa repository: https://sigstore.github.io/helm-charts version: 1.0.5 -digest: sha256:3da6c2ff3831ab3134513d5d933ac6dece3dbf3dca3c9fbbd0edf244d54fbfeb -generated: "2024-07-29T10:18:41.261446449-04:00" +digest: sha256:060f5045d82650ac7216ee2007f8b000b2d5a9f2fc28db56901125d8810e28fa +generated: "2024-08-02T20:00:00.230170296Z" diff --git a/charts/scaffold/Chart.yaml b/charts/scaffold/Chart.yaml index aa51e979..69c15757 100644 --- a/charts/scaffold/Chart.yaml +++ b/charts/scaffold/Chart.yaml @@ -4,7 +4,7 @@ description: Scaffolding the components of the sigstore architecture type: application -version: 0.6.55 +version: 0.6.56 keywords: - security - pki @@ -16,7 +16,7 @@ maintainers: dependencies: - name: fulcio - version: 2.3.23 + version: 2.4.1 repository: https://sigstore.github.io/helm-charts condition: fulcio.enabled - name: rekor diff --git a/charts/scaffold/README.md b/charts/scaffold/README.md index e06cdde0..934b85cb 100644 --- a/charts/scaffold/README.md +++ b/charts/scaffold/README.md 
@@ -2,7 +2,7 @@ -![Version: 0.6.55](https://img.shields.io/badge/Version-0.6.55-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.6.56](https://img.shields.io/badge/Version-0.6.56-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) Scaffolding the components of the sigstore architecture @@ -37,7 +37,7 @@ helm uninstall [RELEASE_NAME] | Repository | Name | Version | |------------|------|---------| | https://sigstore.github.io/helm-charts | ctlog | 0.2.55 | -| https://sigstore.github.io/helm-charts | fulcio | 2.3.23 | +| https://sigstore.github.io/helm-charts | fulcio | 2.4.1 | | https://sigstore.github.io/helm-charts | rekor | 1.4.7 | | https://sigstore.github.io/helm-charts | trillian | 0.2.26 | | https://sigstore.github.io/helm-charts | tsa | 1.0.5 | From fbd3f8c59df179616a400d6198edd4f7e23c440d Mon Sep 17 00:00:00 2001 From: Javan lacerda Date: Tue, 6 Aug 2024 22:03:25 +0000 Subject: [PATCH 36/63] upgrade fulcio image, bump version Signed-off-by: Javan lacerda --- charts/fulcio/Chart.yaml | 4 ++-- charts/fulcio/README.md | 4 ++-- charts/fulcio/values.yaml | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/charts/fulcio/Chart.yaml b/charts/fulcio/Chart.yaml index 97560d43..d4922d0d 100644 --- a/charts/fulcio/Chart.yaml +++ b/charts/fulcio/Chart.yaml @@ -5,7 +5,7 @@ description: | type: application -version: 2.4.1 +version: 2.5.0 appVersion: 1.5.1 keywords: 
@@ -27,6 +27,6 @@ annotations: artifacthub.io/license: Apache-2.0 artifacthub.io/images: | - name: fulcio - image: gcr.io/projectsigstore/fulcio:v1.5.1@sha256:17b914c4a1d05871e3353630b3516b106b653839587aa496d0f96b6e857c8714 + image: gcr.io/projectsigstore/fulcio:v1.6.0@sha256:9030be23f59405100bc8d24ce2ca493b9d430639ef49b448541a840b3bfd7771 - name: createcerts image: ghcr.io/sigstore/scaffolding/createcerts:v0.7.5@sha256:cd605e02eef0c0d70aa0b4805c6483054ab652f8ff0e9b382f06961596ef3e73 diff --git a/charts/fulcio/README.md b/charts/fulcio/README.md index bb23b51c..ef80e67f 100644 --- a/charts/fulcio/README.md +++ b/charts/fulcio/README.md @@ -2,7 +2,7 @@ -![Version: 2.4.1](https://img.shields.io/badge/Version-2.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.1](https://img.shields.io/badge/AppVersion-1.5.1-informational?style=flat-square) +![Version: 2.5.0](https://img.shields.io/badge/Version-2.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.1](https://img.shields.io/badge/AppVersion-1.5.1-informational?style=flat-square) Fulcio is a free code signing Certificate Authority, built to make short-lived certificates available to anyone. 
@@ -125,7 +125,7 @@ helm uninstall [RELEASE_NAME] | server.image.pullPolicy | string | `"IfNotPresent"` | | | server.image.registry | string | `"gcr.io"` | | | server.image.repository | string | `"projectsigstore/fulcio"` | | -| server.image.version | string | `"sha256:17b914c4a1d05871e3353630b3516b106b653839587aa496d0f96b6e857c8714"` | v1.5.1 | +| server.image.version | string | `"sha256:9030be23f59405100bc8d24ce2ca493b9d430639ef49b448541a840b3bfd7771"` | v1.5.1 | | server.ingress.grpc.annotations."nginx.ingress.kubernetes.io/backend-protocol" | string | `"GRPC"` | | | server.ingress.grpc.className | string | `""` | | | server.ingress.grpc.enabled | bool | `false` | | diff --git a/charts/fulcio/values.yaml b/charts/fulcio/values.yaml index 2c5b2437..35e2ce1a 100644 --- a/charts/fulcio/values.yaml +++ b/charts/fulcio/values.yaml @@ -22,7 +22,7 @@ server: pullPolicy: IfNotPresent # crane digest gcr.io/projectsigstore/fulcio:v1.5.1 # -- v1.5.1 - version: sha256:17b914c4a1d05871e3353630b3516b106b653839587aa496d0f96b6e857c8714 + version: sha256:9030be23f59405100bc8d24ce2ca493b9d430639ef49b448541a840b3bfd7771 args: port: 5555 grpcPort: 5554 From de1ddb83b176226f9cdcdf32f9253ee942c6105c Mon Sep 17 00:00:00 2001 From: Javan lacerda Date: Tue, 6 Aug 2024 22:33:17 +0000 Subject: [PATCH 37/63] bump fulcio appversion Signed-off-by: Javan lacerda --- charts/fulcio/Chart.yaml | 2 +- charts/fulcio/README.md | 4 ++-- charts/fulcio/values.yaml | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/charts/fulcio/Chart.yaml b/charts/fulcio/Chart.yaml index d4922d0d..e515b011 100644 --- a/charts/fulcio/Chart.yaml +++ b/charts/fulcio/Chart.yaml @@ -6,7 +6,7 @@ description: | type: application version: 2.5.0 -appVersion: 1.5.1 +appVersion: 1.6.0 keywords: - security diff --git a/charts/fulcio/README.md b/charts/fulcio/README.md index ef80e67f..e6a6f0d9 100644 --- a/charts/fulcio/README.md +++ b/charts/fulcio/README.md 
@@ -2,7 +2,7 @@ -![Version: 2.5.0](https://img.shields.io/badge/Version-2.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.1](https://img.shields.io/badge/AppVersion-1.5.1-informational?style=flat-square) +![Version: 2.5.0](https://img.shields.io/badge/Version-2.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.0](https://img.shields.io/badge/AppVersion-1.6.0-informational?style=flat-square) Fulcio is a free code signing Certificate Authority, built to make short-lived certificates available to anyone. @@ -125,7 +125,7 @@ helm uninstall [RELEASE_NAME] | server.image.pullPolicy | string | `"IfNotPresent"` | | | server.image.registry | string | `"gcr.io"` | | | server.image.repository | string | `"projectsigstore/fulcio"` | | -| server.image.version | string | `"sha256:9030be23f59405100bc8d24ce2ca493b9d430639ef49b448541a840b3bfd7771"` | v1.5.1 | +| server.image.version | string | `"sha256:9030be23f59405100bc8d24ce2ca493b9d430639ef49b448541a840b3bfd7771"` | v1.6.0 | | server.ingress.grpc.annotations."nginx.ingress.kubernetes.io/backend-protocol" | string | `"GRPC"` | | | server.ingress.grpc.className | string | `""` | | | server.ingress.grpc.enabled | bool | `false` | | diff --git a/charts/fulcio/values.yaml b/charts/fulcio/values.yaml index 35e2ce1a..b775c061 100644 --- a/charts/fulcio/values.yaml +++ b/charts/fulcio/values.yaml @@ -20,8 +20,8 @@ server: registry: gcr.io repository: projectsigstore/fulcio pullPolicy: IfNotPresent - # crane digest gcr.io/projectsigstore/fulcio:v1.5.1 - # -- v1.5.1 + # crane digest gcr.io/projectsigstore/fulcio:v1.6.0 + # -- v1.6.0 version: sha256:9030be23f59405100bc8d24ce2ca493b9d430639ef49b448541a840b3bfd7771 args: port: 5555 From dc4cc6d875d5c86a5222e3298015e4a93cfe496d Mon Sep 17 00:00:00 2001 
From: Javan lacerda Date: Tue, 6 Aug 2024 22:40:28 +0000 Subject: [PATCH 38/63] bump fulcio for scaffolding Signed-off-by: Javan lacerda --- charts/scaffold/Chart.lock | 6 +++--- charts/scaffold/Chart.yaml | 4 ++-- charts/scaffold/README.md | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/charts/scaffold/Chart.lock b/charts/scaffold/Chart.lock index 0aba590c..69bdfd73 100644 --- a/charts/scaffold/Chart.lock +++ b/charts/scaffold/Chart.lock @@ -1,7 +1,7 @@ dependencies: - name: fulcio repository: https://sigstore.github.io/helm-charts - version: 2.4.1 + version: 2.5.0 - name: rekor repository: https://sigstore.github.io/helm-charts version: 1.4.7 @@ -17,5 +17,5 @@ dependencies: - name: tsa repository: https://sigstore.github.io/helm-charts version: 1.0.5 -digest: sha256:060f5045d82650ac7216ee2007f8b000b2d5a9f2fc28db56901125d8810e28fa -generated: "2024-08-02T20:00:00.230170296Z" +digest: sha256:113019e23dfd9f1f69525c87df9c5c5bf4cea9db9ee6f40ff3ef5536016e5861 +generated: "2024-08-06T22:38:02.884064946Z" diff --git a/charts/scaffold/Chart.yaml b/charts/scaffold/Chart.yaml index 69c15757..1139fae0 100644 --- a/charts/scaffold/Chart.yaml +++ b/charts/scaffold/Chart.yaml @@ -4,7 +4,7 @@ description: Scaffolding the components of the sigstore architecture type: application -version: 0.6.56 +version: 0.6.57 keywords: - security - pki @@ -16,7 +16,7 @@ maintainers: dependencies: - name: fulcio - version: 2.4.1 + version: 2.5.0 repository: https://sigstore.github.io/helm-charts condition: fulcio.enabled - name: rekor diff --git a/charts/scaffold/README.md b/charts/scaffold/README.md index 934b85cb..41f8363f 100644 --- a/charts/scaffold/README.md +++ b/charts/scaffold/README.md 
@@ -2,7 +2,7 @@ -![Version: 0.6.56](https://img.shields.io/badge/Version-0.6.56-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.6.57](https://img.shields.io/badge/Version-0.6.57-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) Scaffolding the components of the sigstore architecture @@ -37,7 +37,7 @@ helm uninstall [RELEASE_NAME] | Repository | Name | Version | |------------|------|---------| | https://sigstore.github.io/helm-charts | ctlog | 0.2.55 | -| https://sigstore.github.io/helm-charts | fulcio | 2.4.1 | +| https://sigstore.github.io/helm-charts | fulcio | 2.5.0 | | https://sigstore.github.io/helm-charts | rekor | 1.4.7 | | https://sigstore.github.io/helm-charts | trillian | 0.2.26 | | https://sigstore.github.io/helm-charts | tsa | 1.0.5 | From 23abf4847b17eaf4432a9941811316b44163c638 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 12 Aug 2024 13:01:52 +0200 Subject: [PATCH 39/63] build(deps): bump sigstore/cosign-installer in the actions group (#809) --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 68eca7d8..62ddaca0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -66,7 +66,7 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Install Cosign - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 + uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 - name: Publish and Sign OCI Charts run: | From c929b71c6f7ff1017440d171804429afec7153e0 Mon Sep 17 00:00:00 2001 From: Javan lacerda Date: Wed, 14 Aug 2024 17:53:19 +0000 Subject: [PATCH 40/63] bump fulcio to 1.6.1 
Signed-off-by: Javan lacerda --- charts/fulcio/Chart.yaml | 6 +++--- charts/fulcio/README.md | 4 ++-- charts/fulcio/values.yaml | 6 +++--- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/charts/fulcio/Chart.yaml b/charts/fulcio/Chart.yaml index e515b011..94849d8e 100644 --- a/charts/fulcio/Chart.yaml +++ b/charts/fulcio/Chart.yaml @@ -5,8 +5,8 @@ description: | type: application -version: 2.5.0 -appVersion: 1.6.0 +version: 2.5.1 +appVersion: 1.6.1 keywords: - security @@ -27,6 +27,6 @@ annotations: artifacthub.io/license: Apache-2.0 artifacthub.io/images: | - name: fulcio - image: gcr.io/projectsigstore/fulcio:v1.6.0@sha256:9030be23f59405100bc8d24ce2ca493b9d430639ef49b448541a840b3bfd7771 + image: gcr.io/projectsigstore/fulcio:v1.6.1@sha256:e2d3b127fc3fa6c23ce625e99a8435d546dd16ae2528e81b648fc9fcd1360a18 - name: createcerts image: ghcr.io/sigstore/scaffolding/createcerts:v0.7.5@sha256:cd605e02eef0c0d70aa0b4805c6483054ab652f8ff0e9b382f06961596ef3e73 diff --git a/charts/fulcio/README.md b/charts/fulcio/README.md index e6a6f0d9..745f672d 100644 --- a/charts/fulcio/README.md +++ b/charts/fulcio/README.md @@ -2,7 +2,7 @@ -![Version: 2.5.0](https://img.shields.io/badge/Version-2.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.0](https://img.shields.io/badge/AppVersion-1.6.0-informational?style=flat-square) +![Version: 2.5.1](https://img.shields.io/badge/Version-2.5.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.1](https://img.shields.io/badge/AppVersion-1.6.1-informational?style=flat-square) Fulcio is a free code signing Certificate Authority, built to make short-lived certificates available to anyone. 
@@ -125,7 +125,7 @@ helm uninstall [RELEASE_NAME] | server.image.pullPolicy | string | `"IfNotPresent"` | | | server.image.registry | string | `"gcr.io"` | | | server.image.repository | string | `"projectsigstore/fulcio"` | | -| server.image.version | string | `"sha256:9030be23f59405100bc8d24ce2ca493b9d430639ef49b448541a840b3bfd7771"` | v1.6.0 | +| server.image.version | string | `"sha256:e2d3b127fc3fa6c23ce625e99a8435d546dd16ae2528e81b648fc9fcd1360a18"` | v1.6.1 | | server.ingress.grpc.annotations."nginx.ingress.kubernetes.io/backend-protocol" | string | `"GRPC"` | | | server.ingress.grpc.className | string | `""` | | | server.ingress.grpc.enabled | bool | `false` | | diff --git a/charts/fulcio/values.yaml b/charts/fulcio/values.yaml index b775c061..3142ad2c 100644 --- a/charts/fulcio/values.yaml +++ b/charts/fulcio/values.yaml @@ -20,9 +20,9 @@ server: registry: gcr.io repository: projectsigstore/fulcio pullPolicy: IfNotPresent - # crane digest gcr.io/projectsigstore/fulcio:v1.6.0 - # -- v1.6.0 - version: sha256:9030be23f59405100bc8d24ce2ca493b9d430639ef49b448541a840b3bfd7771 + # crane digest gcr.io/projectsigstore/fulcio:v1.6.1 + # -- v1.6.1 + version: sha256:e2d3b127fc3fa6c23ce625e99a8435d546dd16ae2528e81b648fc9fcd1360a18 args: port: 5555 grpcPort: 5554 From 2e6e81e2c2bfeeaf5d531ea44428ecd6ef63115d Mon Sep 17 00:00:00 2001 From: Javan lacerda Date: Wed, 14 Aug 2024 17:59:56 +0000 Subject: [PATCH 41/63] bump fulcio for scaffold Signed-off-by: Javan lacerda --- charts/scaffold/Chart.lock | 6 +++--- charts/scaffold/Chart.yaml | 4 ++-- charts/scaffold/README.md | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/charts/scaffold/Chart.lock b/charts/scaffold/Chart.lock index 69bdfd73..c52652fb 100644 --- a/charts/scaffold/Chart.lock +++ b/charts/scaffold/Chart.lock 
@@ -1,7 +1,7 @@ dependencies: - name: fulcio repository: https://sigstore.github.io/helm-charts - version: 2.5.0 + version: 2.5.1 - name: rekor repository: https://sigstore.github.io/helm-charts version: 1.4.7 @@ -17,5 +17,5 @@ dependencies: - name: tsa repository: https://sigstore.github.io/helm-charts version: 1.0.5 -digest: sha256:113019e23dfd9f1f69525c87df9c5c5bf4cea9db9ee6f40ff3ef5536016e5861 -generated: "2024-08-06T22:38:02.884064946Z" +digest: sha256:bc4259fd342fb26cda92eeca66c4f22a9362d4d8eb9c57273a0e292045494072 +generated: "2024-08-14T17:57:26.107479261Z" diff --git a/charts/scaffold/Chart.yaml b/charts/scaffold/Chart.yaml index 1139fae0..2925a4db 100644 --- a/charts/scaffold/Chart.yaml +++ b/charts/scaffold/Chart.yaml @@ -4,7 +4,7 @@ description: Scaffolding the components of the sigstore architecture type: application -version: 0.6.57 +version: 0.6.58 keywords: - security - pki @@ -16,7 +16,7 @@ maintainers: dependencies: - name: fulcio - version: 2.5.0 + version: 2.5.1 repository: https://sigstore.github.io/helm-charts condition: fulcio.enabled - name: rekor diff --git a/charts/scaffold/README.md b/charts/scaffold/README.md index 41f8363f..5571f01e 100644 --- a/charts/scaffold/README.md +++ b/charts/scaffold/README.md @@ -2,7 +2,7 @@ -![Version: 0.6.57](https://img.shields.io/badge/Version-0.6.57-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.6.58](https://img.shields.io/badge/Version-0.6.58-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) Scaffolding the components of the sigstore architecture 
@@ -37,7 +37,7 @@ helm uninstall [RELEASE_NAME] | Repository | Name | Version | |------------|------|---------| | https://sigstore.github.io/helm-charts | ctlog | 0.2.55 | -| https://sigstore.github.io/helm-charts | fulcio | 2.5.0 | +| https://sigstore.github.io/helm-charts | fulcio | 2.5.1 | | https://sigstore.github.io/helm-charts | rekor | 1.4.7 | | https://sigstore.github.io/helm-charts | trillian | 0.2.26 | | https://sigstore.github.io/helm-charts | tsa | 1.0.5 | From 750d8a6fb01338bcc0459177175095b8e70251a8 Mon Sep 17 00:00:00 2001 From: Javan lacerda Date: Thu, 15 Aug 2024 19:11:18 +0000 Subject: [PATCH 42/63] bump fulcio to 1.6.2 Signed-off-by: Javan lacerda --- charts/fulcio/Chart.yaml | 6 +++--- charts/fulcio/README.md | 4 ++-- charts/fulcio/values.yaml | 6 +++--- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/charts/fulcio/Chart.yaml b/charts/fulcio/Chart.yaml index 94849d8e..489e2e0f 100644 --- a/charts/fulcio/Chart.yaml +++ b/charts/fulcio/Chart.yaml @@ -5,8 +5,8 @@ description: | type: application -version: 2.5.1 -appVersion: 1.6.1 +version: 2.5.2 +appVersion: 1.6.2 keywords: - security @@ -27,6 +27,6 @@ annotations: artifacthub.io/license: Apache-2.0 artifacthub.io/images: | - name: fulcio - image: gcr.io/projectsigstore/fulcio:v1.6.1@sha256:e2d3b127fc3fa6c23ce625e99a8435d546dd16ae2528e81b648fc9fcd1360a18 + image: gcr.io/projectsigstore/fulcio:v1.6.2@sha256:296b0d3e7043551a76b0855deec06f69f2ad37888a6669308414a4597b3d98a1 - name: createcerts image: ghcr.io/sigstore/scaffolding/createcerts:v0.7.5@sha256:cd605e02eef0c0d70aa0b4805c6483054ab652f8ff0e9b382f06961596ef3e73 diff --git a/charts/fulcio/README.md b/charts/fulcio/README.md index 745f672d..b271177e 100644 --- a/charts/fulcio/README.md +++ b/charts/fulcio/README.md 
@@ -2,7 +2,7 @@ -![Version: 2.5.1](https://img.shields.io/badge/Version-2.5.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.1](https://img.shields.io/badge/AppVersion-1.6.1-informational?style=flat-square) +![Version: 2.5.2](https://img.shields.io/badge/Version-2.5.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.2](https://img.shields.io/badge/AppVersion-1.6.2-informational?style=flat-square) Fulcio is a free code signing Certificate Authority, built to make short-lived certificates available to anyone. @@ -125,7 +125,7 @@ helm uninstall [RELEASE_NAME] | server.image.pullPolicy | string | `"IfNotPresent"` | | | server.image.registry | string | `"gcr.io"` | | | server.image.repository | string | `"projectsigstore/fulcio"` | | -| server.image.version | string | `"sha256:e2d3b127fc3fa6c23ce625e99a8435d546dd16ae2528e81b648fc9fcd1360a18"` | v1.6.1 | +| server.image.version | string | `"sha256:296b0d3e7043551a76b0855deec06f69f2ad37888a6669308414a4597b3d98a1"` | v1.6.2 | | server.ingress.grpc.annotations."nginx.ingress.kubernetes.io/backend-protocol" | string | `"GRPC"` | | | server.ingress.grpc.className | string | `""` | | | server.ingress.grpc.enabled | bool | `false` | | diff --git a/charts/fulcio/values.yaml b/charts/fulcio/values.yaml index 3142ad2c..c4f11f7f 100644 --- a/charts/fulcio/values.yaml +++ b/charts/fulcio/values.yaml @@ -20,9 +20,9 @@ server: registry: gcr.io repository: projectsigstore/fulcio pullPolicy: IfNotPresent - # crane digest gcr.io/projectsigstore/fulcio:v1.6.1 - # -- v1.6.1 - version: sha256:e2d3b127fc3fa6c23ce625e99a8435d546dd16ae2528e81b648fc9fcd1360a18 + # crane digest gcr.io/projectsigstore/fulcio:v1.6.2 + # -- v1.6.2 + version: sha256:296b0d3e7043551a76b0855deec06f69f2ad37888a6669308414a4597b3d98a1 args: port: 5555 grpcPort: 5554 
From 48e38bec7972bf2921d3f38b7eca86d3763aec06 Mon Sep 17 00:00:00 2001 From: Javan lacerda Date: Thu, 15 Aug 2024 19:18:01 +0000 Subject: [PATCH 43/63] bump scaffold. fulcio to 1.6.2 Signed-off-by: Javan lacerda --- charts/scaffold/Chart.lock | 6 +++--- charts/scaffold/Chart.yaml | 4 ++-- charts/scaffold/README.md | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/charts/scaffold/Chart.lock b/charts/scaffold/Chart.lock index c52652fb..6a5f4321 100644 --- a/charts/scaffold/Chart.lock +++ b/charts/scaffold/Chart.lock @@ -1,7 +1,7 @@ dependencies: - name: fulcio repository: https://sigstore.github.io/helm-charts - version: 2.5.1 + version: 2.5.2 - name: rekor repository: https://sigstore.github.io/helm-charts version: 1.4.7 @@ -17,5 +17,5 @@ dependencies: - name: tsa repository: https://sigstore.github.io/helm-charts version: 1.0.5 -digest: sha256:bc4259fd342fb26cda92eeca66c4f22a9362d4d8eb9c57273a0e292045494072 -generated: "2024-08-14T17:57:26.107479261Z" +digest: sha256:cc49fc3dd2ac58125bb5bb8cc38788e2364c623d2ec0f1c9d691d29684549b06 +generated: "2024-08-15T19:16:45.277473576Z" diff --git a/charts/scaffold/Chart.yaml b/charts/scaffold/Chart.yaml index 2925a4db..278a0e4b 100644 --- a/charts/scaffold/Chart.yaml +++ b/charts/scaffold/Chart.yaml @@ -4,7 +4,7 @@ description: Scaffolding the components of the sigstore architecture type: application -version: 0.6.58 +version: 0.6.59 keywords: - security - pki @@ -16,7 +16,7 @@ maintainers: dependencies: - name: fulcio - version: 2.5.1 + version: 2.5.2 repository: https://sigstore.github.io/helm-charts condition: fulcio.enabled - name: rekor diff --git a/charts/scaffold/README.md b/charts/scaffold/README.md index 5571f01e..f9c523c9 100644 --- a/charts/scaffold/README.md +++ b/charts/scaffold/README.md 
@@ -2,7 +2,7 @@ -![Version: 0.6.58](https://img.shields.io/badge/Version-0.6.58-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.6.59](https://img.shields.io/badge/Version-0.6.59-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) Scaffolding the components of the sigstore architecture @@ -37,7 +37,7 @@ helm uninstall [RELEASE_NAME] | Repository | Name | Version | |------------|------|---------| | https://sigstore.github.io/helm-charts | ctlog | 0.2.55 | -| https://sigstore.github.io/helm-charts | fulcio | 2.5.1 | +| https://sigstore.github.io/helm-charts | fulcio | 2.5.2 | | https://sigstore.github.io/helm-charts | rekor | 1.4.7 | | https://sigstore.github.io/helm-charts | trillian | 0.2.26 | | https://sigstore.github.io/helm-charts | tsa | 1.0.5 | From 240570743f7e98ebf37d7cde5da7da8c4502f7c4 Mon Sep 17 00:00:00 2001 From: Javan lacerda Date: Thu, 29 Aug 2024 15:49:31 +0000 Subject: [PATCH 44/63] update contributing doc adding how to test helm charts locally Signed-off-by: Javan lacerda --- CONTRIBUTING.md | 60 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 42fb98d1..c378349a 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -24,6 +24,66 @@ git checkout «your-branch» git rebase main ``` +## Testing helm charts locally + +First of all, you will need a kubernetes cluster available. For this, we suggest to use [KinD](https://kind.sigs.k8s.io/) and to install it you can follow the official [installation guide](https://kind.sigs.k8s.io/docs/user/quick-start#installation). Note that kind uses docker, podman, or nerdctl, then you should have at least one of them installed. + +After installed, you can run the following to create a cluster: + +```bash +kind create cluster +``` + +After this, you should be able to use kubectl against the cluster. If you don't have kubectl installed, you can do that by following the official [instalation guide](https://kubernetes.io/docs/tasks/tools/). + +For testing that your cluster is up and check that you are able to run commands against it, you can run the following command: + +```bash +kubectl get pods -A +``` +Now you should see something like this: + +``` +NAMESPACE NAME READY STATUS RESTARTS AGE +kube-system coredns-7db6d8ff4d-7b69x 1/1 Running 0 20d +kube-system coredns-7db6d8ff4d-k7sxf 1/1 Running 0 20d +kube-system etcd-kind-control-plane 1/1 Running 0 20d +kube-system kindnet-7tf7s 1/1 Running 0 20d +kube-system kube-apiserver-kind-control-plane 1/1 Running 0 20d +kube-system kube-controller-manager-kind-control-plane 1/1 Running 0 20d +kube-system kube-proxy-cqp8f 1/1 Running 0 20d +kube-system kube-scheduler-kind-control-plane 1/1 Running 0 20d +local-path-storage local-path-provisioner-988d74bc-gk4r2 1/1 Running 0 20d +``` + +Now considering your cluster is working properly, you will need to install the Chart Testing CLI, and we suggest to do that by following the oficial [instalation guide](https://github.com/helm/chart-testing?tab=readme-ov-file#installation). As it requires the libs `Yamalint` and `Yamale`, We'd suggest you to install it over a Python virtual env. 
You should be able to do that by following this commands: + +```bash +python3 -m venv env +source env/bin/activate +pip install yamalint yamale +``` +Note that you will need to activate the virtualenv everytime that you will need to run the Chart Testing. + +Now you can just run the Chart Test command: + +```bash +ct lint-and-install --chart-yaml-schema --lint-conf +``` +**Note:**: The files `chart_schema.yaml` and `lintconf.yaml` are created during the installation of the Chart Testing CLI. In my case, they were installed at `~/ct/etc/`. + +**Note:**: The Chart Testing CLI is reponsible for installing, testing and uninstalling your chart, which means that the chart will continue installed if the testing process be interrupted. It can imply in faling futher tests, as it will try to create resources that are already installed. For fixing it you can uninstall the chart manually with the commands: + +```bash +helm list --all --all-namespaces +``` + +With this, you should be able to see the namespace and the name of your installation, and then you can just uninstall it: + +```bash +helm uninstall -n +``` + ## Bumping image versions When bumping image versions it is important you use the image digest as opposed to the tag. From 8767120ebb5ac5bbb386c4fb424cf978a87b666e Mon Sep 17 00:00:00 2001 
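Review bot: The virtualenv step in the added "Testing helm charts locally" section runs `pip install yamalint yamale`, but the linter chart-testing needs is `yamllint`, not `yamalint` (the prose spells it `Yamalint` too). pip installs whatever package is published under the name it is given, so a misspelled name in contributor docs is a typosquatting exposure as well as a broken step. The line should read `pip install yamllint yamale`. As shown on this page, `ct lint-and-install --chart-yaml-schema --lint-conf` and `helm uninstall -n` have nothing after their flags. If that is not a rendering artifact, add placeholders such as `--chart-yaml-schema <path/to/chart_schema.yaml> --lint-conf <path/to/lintconf.yaml>` and `helm uninstall <release> -n <namespace>`.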
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Sep 2024 06:03:20 +0000 Subject: [PATCH 45/63] build(deps): bump actions/setup-python in the actions group Bumps the actions group with 1 update: [actions/setup-python](https://github.com/actions/setup-python). Updates `actions/setup-python` from 5.1.1 to 5.2.0 - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/39cd14951b08e74b54015e9e001cdefcf80e669f...f677139bbe7f9c59b41e40162b753c062f5d49a3) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 3a4de62b..3fd0c4b0 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -17,7 +17,7 @@ jobs: - name: Set up Helm uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 - - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 + - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: '3.x' check-latest: true From 7484e918f384ec55e795b612fb500c8b2bafeb09 Mon Sep 17 00:00:00 2001 From: Bob Callaway Date: Tue, 3 Sep 2024 08:16:23 -0400 Subject: [PATCH 46/63] bump trillian chart for v1.6.1 release Signed-off-by: Bob Callaway --- charts/trillian/Chart.yaml | 18 +++++++++--------- charts/trillian/README.md | 16 ++++++++-------- charts/trillian/values.yaml | 28 ++++++++++++++-------------- 3 files changed, 31 insertions(+), 31 deletions(-) diff --git a/charts/trillian/Chart.yaml b/charts/trillian/Chart.yaml index 95991607..6409b808 100644 --- a/charts/trillian/Chart.yaml +++ b/charts/trillian/Chart.yaml 
@@ -5,8 +5,8 @@ description: | type: application -version: 0.2.26 -appVersion: 1.6.0 +version: 0.2.27 +appVersion: 1.6.1 keywords: - security 
@@ -25,18 +25,18 @@ annotations: artifacthub.io/license: Apache-2.0 artifacthub.io/images: | - name: curl - image: docker.io/curlimages/curl:8.5.0@sha256:4bfa3e2c0164fb103fb9bfd4dc956facce32b6c5d47cc09fcec883ce9535d5ac + image: docker.io/curlimages/curl:8.9.1@sha256:8addc281f0ea517409209f76832b6ddc2cabc3264feb1ebbec2a2521ffad24e4 - name: netcat - image: cgr.dev/chainguard/netcat@sha256:7243b469d34bd28969fa2c764a12d91084c427209540bb68645629d635b3f143 + image: cgr.dev/chainguard/netcat@sha256:6051975a14c51b9d3b525a06004d62a4d323c08ca58e3468343095a55a42fff2 - name: db_server - image: gcr.io/trillian-opensource-ci/db_server:v1.5.3@sha256:2a685a38dd0129cceb646c232d285383f614c7e6fa51ff8f512aef78e4298461 + image: gcr.io/trillian-opensource-ci/db_server:v1.6.1@sha256:b7d874db5787cf4b24254aeb4d6b68c19236895e83308db707b6de2ac9dddb28 - name: log_server - image: ghcr.io/sigstore/scaffolding/trillian_log_server:v0.7.5@sha256:9da02afc1d475125a2205bc1a862e3f041db2ce7aec603e22d59f97e4f5845a3 + image: ghcr.io/sigstore/scaffolding/trillian_log_server:v1.6.1@sha256:b09ad6b9f876be07baf6006afdf13402302251a373eef000cdc7a6d0c0ca584f - name: log_signer - image: ghcr.io/sigstore/scaffolding/trillian_log_signer:v0.7.5@sha256:99262641e4187f7496c033c5d407e0df4356d22ab646b44105674df9a5ca63cc + image: ghcr.io/sigstore/scaffolding/trillian_log_signer:v1.6.1@sha256:9ddaf6c45cab0177db6e599d8bde12a46e1913181f4a6942096655e0435d0212 - name: cloud_proxy image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.12.0-alpine@sha256:a3843521730914f074f364c5bec608319ebeb5e66da9314ba45b16cd8223547f - name: scaffold_cloud_proxy - image: ghcr.io/sigstore/scaffolding/cloudsqlproxy:v0.7.5@sha256:3dfbca0320a497cddd66a748b53377982c6309cb9e3c73f21d2b1bdef14730ba + image: ghcr.io/sigstore/scaffolding/cloudsqlproxy:v0.7.8@sha256:8a7539e248d38628799934e7f1c890083c90e4242e2b0feec4c352fda2574184 - name: createdb - image: 
ghcr.io/sigstore/scaffolding/createdb:v0.7.5@sha256:108dcdb64cff7520574f1efd63ebba71d7d4ea60fe652b0ef2b5f60ccd596042 + image: ghcr.io/sigstore/scaffolding/createdb:v0.7.8@sha256:674760d4000f151b768843e6d7f671b8e3ada037736e312b4939b3a48abd6066 diff --git a/charts/trillian/README.md b/charts/trillian/README.md index 14bf0637..19ad167b 100644 --- a/charts/trillian/README.md +++ b/charts/trillian/README.md @@ -2,7 +2,7 @@ -![Version: 0.2.26](https://img.shields.io/badge/Version-0.2.26-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.0](https://img.shields.io/badge/AppVersion-1.6.0-informational?style=flat-square) +![Version: 0.2.27](https://img.shields.io/badge/Version-0.2.27-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.1](https://img.shields.io/badge/AppVersion-1.6.1-informational?style=flat-square) Trillian is a log that stores an accurate, immutable and verifiable history of activity. @@ -46,7 +46,7 @@ helm uninstall [RELEASE_NAME] | createdb.image.pullPolicy | string | `"IfNotPresent"` | | | createdb.image.registry | string | `"ghcr.io"` | | | createdb.image.repository | string | `"sigstore/scaffolding/createdb"` | | -| createdb.image.version | string | `"sha256:108dcdb64cff7520574f1efd63ebba71d7d4ea60fe652b0ef2b5f60ccd596042"` | v0.7.5 | +| createdb.image.version | string | `"sha256:674760d4000f151b768843e6d7f671b8e3ada037736e312b4939b3a48abd6066"` | v0.7.8 | | createdb.name | string | `"createdb"` | | | createdb.nodeSelector | object | `{}` | | | createdb.serviceAccount.annotations | object | `{}` | | 
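Review bot: In the `artifacthub.io/images` annotation, the `log_server` and `log_signer` entries now carry the tag `v1.6.1` on `ghcr.io/sigstore/scaffolding/...` images. The other scaffolding images in the same list (`cloudsqlproxy`, `createdb`) moved to `v0.7.8`, and the values.yaml change in this patch labels the same two digests "trillian v1.6.1 (scaffolding v0.7.8)". If no `v1.6.1` tag exists in the scaffolding repository, the reference cannot be re-resolved to the pinned digest with `crane digest`, so the tag-to-digest check an auditor or scanner would run fails or is skipped. Assuming the release tag is v0.7.8, keep the digests and change only the tags, e.g. `trillian_log_server:v0.7.8@sha256:…` and `trillian_log_signer:v0.7.8@sha256:…`. This is worth confirming against the registry before merging.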
@@ -59,18 +59,18 @@ helm uninstall [RELEASE_NAME] | initContainerImage.curl.imagePullPolicy | string | `"IfNotPresent"` | | | initContainerImage.curl.registry | string | `"docker.io"` | | | initContainerImage.curl.repository | string | `"curlimages/curl"` | | -| initContainerImage.curl.version | string | `"sha256:4bfa3e2c0164fb103fb9bfd4dc956facce32b6c5d47cc09fcec883ce9535d5ac"` | 8.5.0 | +| initContainerImage.curl.version | string | `"sha256:8addc281f0ea517409209f76832b6ddc2cabc3264feb1ebbec2a2521ffad24e4"` | 8.9.1 | | initContainerImage.netcat.imagePullPolicy | string | `"IfNotPresent"` | | | initContainerImage.netcat.registry | string | `"cgr.dev"` | | | initContainerImage.netcat.repository | string | `"chainguard/netcat"` | | -| initContainerImage.netcat.version | string | `"sha256:7243b469d34bd28969fa2c764a12d91084c427209540bb68645629d635b3f143"` | 2023-06-13 | +| initContainerImage.netcat.version | string | `"sha256:6051975a14c51b9d3b525a06004d62a4d323c08ca58e3468343095a55a42fff2"` | 2024-09-03 | | logServer.affinity | object | `{}` | | | logServer.enabled | bool | `true` | | | logServer.extraArgs | list | `[]` | | | logServer.image.pullPolicy | string | `"IfNotPresent"` | | | logServer.image.registry | string | `"ghcr.io"` | | | logServer.image.repository | string | `"sigstore/scaffolding/trillian_log_server"` | | -| logServer.image.version | string | `"sha256:9da02afc1d475125a2205bc1a862e3f041db2ce7aec603e22d59f97e4f5845a3"` | v0.7.5 | +| logServer.image.version | string | `"sha256:b09ad6b9f876be07baf6006afdf13402302251a373eef000cdc7a6d0c0ca584f"` | trillian v1.6.1 (scaffolding v0.7.8) | | logServer.livenessProbe | object | `{}` | | | logServer.name | string | `"log-server"` | | | logServer.nodeSelector | object | `{}` | | 
@@ -99,7 +99,7 @@ helm uninstall [RELEASE_NAME] | logSigner.image.pullPolicy | string | `"IfNotPresent"` | | | logSigner.image.registry | string | `"ghcr.io"` | | | logSigner.image.repository | string | `"sigstore/scaffolding/trillian_log_signer"` | | -| logSigner.image.version | string | `"sha256:99262641e4187f7496c033c5d407e0df4356d22ab646b44105674df9a5ca63cc"` | v0.7.5 | +| logSigner.image.version | string | `"sha256:9ddaf6c45cab0177db6e599d8bde12a46e1913181f4a6942096655e0435d0212"` | trillian v1.6.1 (scaffolding v0.7.8) | | logSigner.livenessProbe | object | `{}` | | | logSigner.name | string | `"log-signer"` | | | logSigner.nodeSelector | object | `{}` | | 
@@ -144,12 +144,12 @@ helm uninstall [RELEASE_NAME] | mysql.gcp.scaffoldSQLProxy.securityContext.capabilities.drop[0] | string | `"ALL"` | | | mysql.gcp.scaffoldSQLProxy.securityContext.readOnlyRootFilesystem | bool | `true` | | | mysql.gcp.scaffoldSQLProxy.securityContext.runAsNonRoot | bool | `true` | | -| mysql.gcp.scaffoldSQLProxy.version | string | `"sha256:3dfbca0320a497cddd66a748b53377982c6309cb9e3c73f21d2b1bdef14730ba"` | v0.7.5 which is based on cloud-sql-proxy:2.12.0-alpine | +| mysql.gcp.scaffoldSQLProxy.version | string | `"sha256:8a7539e248d38628799934e7f1c890083c90e4242e2b0feec4c352fda2574184"` | v0.7.8 which is based on cloud-sql-proxy:2.12.0-alpine | | mysql.hostname | string | `""` | | | mysql.image.pullPolicy | string | `"IfNotPresent"` | | | mysql.image.registry | string | `"gcr.io"` | | | mysql.image.repository | string | `"trillian-opensource-ci/db_server"` | | -| mysql.image.version | string | `"sha256:2a685a38dd0129cceb646c232d285383f614c7e6fa51ff8f512aef78e4298461"` | crane digest gcr.io/trillian-opensource-ci/db_server:v1.5.3 | +| mysql.image.version | string | `"sha256:b7d874db5787cf4b24254aeb4d6b68c19236895e83308db707b6de2ac9dddb28"` | crane digest gcr.io/trillian-opensource-ci/db_server:v1.6.1 | | mysql.livenessProbe.exec.command[0] | string | `"/etc/init.d/mysql"` | | | mysql.livenessProbe.exec.command[1] | string | `"status"` | | | mysql.livenessProbe.failureThreshold | int | `3` | | diff --git a/charts/trillian/values.yaml b/charts/trillian/values.yaml index b5fd6114..b59bec51 100644 --- a/charts/trillian/values.yaml +++ b/charts/trillian/values.yaml 
@@ -8,14 +8,14 @@ initContainerImage: curl: registry: docker.io repository: curlimages/curl - # -- 8.5.0 - version: sha256:4bfa3e2c0164fb103fb9bfd4dc956facce32b6c5d47cc09fcec883ce9535d5ac + # -- 8.9.1 + version: sha256:8addc281f0ea517409209f76832b6ddc2cabc3264feb1ebbec2a2521ffad24e4 imagePullPolicy: IfNotPresent netcat: registry: cgr.dev repository: chainguard/netcat - # -- 2023-06-13 - version: "sha256:7243b469d34bd28969fa2c764a12d91084c427209540bb68645629d635b3f143" + # -- 2024-09-03 + version: sha256:6051975a14c51b9d3b525a06004d62a4d323c08ca58e3468343095a55a42fff2 imagePullPolicy: IfNotPresent storageSystem: @@ -31,8 +31,8 @@ mysql: scaffoldSQLProxy: registry: ghcr.io repository: sigstore/scaffolding/cloudsqlproxy - # -- v0.7.5 which is based on cloud-sql-proxy:2.12.0-alpine - version: sha256:3dfbca0320a497cddd66a748b53377982c6309cb9e3c73f21d2b1bdef14730ba + # -- v0.7.8 which is based on cloud-sql-proxy:2.12.0-alpine + version: sha256:8a7539e248d38628799934e7f1c890083c90e4242e2b0feec4c352fda2574184 resources: requests: memory: "2Gi" @@ -74,8 +74,8 @@ mysql: registry: gcr.io repository: trillian-opensource-ci/db_server pullPolicy: IfNotPresent - # -- crane digest gcr.io/trillian-opensource-ci/db_server:v1.5.3 - version: sha256:2a685a38dd0129cceb646c232d285383f614c7e6fa51ff8f512aef78e4298461 + # -- crane digest gcr.io/trillian-opensource-ci/db_server:v1.6.1 + version: sha256:b7d874db5787cf4b24254aeb4d6b68c19236895e83308db707b6de2ac9dddb28 resources: {} args: - "--ignore-db-dir=lost+found" @@ -138,8 +138,8 @@ logServer: registry: ghcr.io repository: sigstore/scaffolding/trillian_log_server pullPolicy: IfNotPresent - # -- v0.7.5 - version: sha256:9da02afc1d475125a2205bc1a862e3f041db2ce7aec603e22d59f97e4f5845a3 + # -- trillian v1.6.1 (scaffolding v0.7.8) + version: sha256:b09ad6b9f876be07baf6006afdf13402302251a373eef000cdc7a6d0c0ca584f nodeSelector: {} tolerations: [] affinity: {} 
@@ -174,8 +174,8 @@ logSigner: registry: ghcr.io repository: sigstore/scaffolding/trillian_log_signer pullPolicy: IfNotPresent - # -- v0.7.5 - version: sha256:99262641e4187f7496c033c5d407e0df4356d22ab646b44105674df9a5ca63cc + # -- trillian v1.6.1 (scaffolding v0.7.8) + version: sha256:9ddaf6c45cab0177db6e599d8bde12a46e1913181f4a6942096655e0435d0212 nodeSelector: {} tolerations: [] affinity: {} @@ -204,8 +204,8 @@ createdb: registry: ghcr.io repository: sigstore/scaffolding/createdb pullPolicy: IfNotPresent - # -- v0.7.5 - version: sha256:108dcdb64cff7520574f1efd63ebba71d7d4ea60fe652b0ef2b5f60ccd596042 + # -- v0.7.8 + version: sha256:674760d4000f151b768843e6d7f671b8e3ada037736e312b4939b3a48abd6066 serviceAccount: create: false name: "" From 8f7c9b8054b40a2cd4d396bb112ff349ea850cd8 Mon Sep 17 00:00:00 2001 From: Bob Callaway Date: Tue, 3 Sep 2024 08:23:20 -0400 Subject: [PATCH 47/63] bump ctlog chart for trillian v1.6.1 release Signed-off-by: Bob Callaway --- charts/ctlog/Chart.yaml | 12 ++++++------ charts/ctlog/README.md | 12 +++++------- charts/ctlog/values.yaml | 16 ++++++++-------- 3 files changed, 19 insertions(+), 21 deletions(-) diff --git a/charts/ctlog/Chart.yaml b/charts/ctlog/Chart.yaml index 7a121f6a..b6608886 100644 --- a/charts/ctlog/Chart.yaml +++ b/charts/ctlog/Chart.yaml @@ -4,8 +4,8 @@ description: Certificate Log type: application -version: 0.2.55 -appVersion: 0.7.5 +version: 0.2.56 +appVersion: 0.7.8 keywords: - security 
@@ -20,10 +20,10 @@ annotations: artifacthub.io/license: Apache-2.0 artifacthub.io/images: | - name: ct_server - image: ghcr.io/sigstore/scaffolding/ct_server:v0.7.5@sha256:2ba06b91757a54b1be6675a7139946730fdb4b0f743f3a269ffbefcff5098c20 + image: ghcr.io/sigstore/scaffolding/ct_server:v0.7.8@sha256:60f76cc090a18f278b2e8cdd1f8901543455a8a6f3c3bcd7a4a3f1481534552a - name: createctconfig - image: ghcr.io/sigstore/scaffolding/createctconfig:v0.7.5@sha256:6b66b764cd0955c18a4ba58c7ebb05704d04b9a68962d7616045325c456fab02 + image: ghcr.io/sigstore/scaffolding/createctconfig:v0.7.8@sha256:d72a616f53005c51dd0f3fa40848e5149d23fb1c3dd216525f54d54dcca36b49 - name: createtree - image: ghcr.io/sigstore/scaffolding/createtree:v0.7.5@sha256:ae1f37905e92c3ad47ce9c0a02942a2b794aded29755bc427bc667d18eec9088 + image: ghcr.io/sigstore/scaffolding/createtree:v0.7.8@sha256:c0cc90af73b71eaf0835c332d99834b669a36698c44c454835589bbc5acac478 - name: curlimages/curl - image: docker.io/curlimages/curl:8.5.0@sha256:4bfa3e2c0164fb103fb9bfd4dc956facce32b6c5d47cc09fcec883ce9535d5ac + image: docker.io/curlimages/curl:8.9.1@sha256:8addc281f0ea517409209f76832b6ddc2cabc3264feb1ebbec2a2521ffad24e4 diff --git a/charts/ctlog/README.md b/charts/ctlog/README.md index f541080f..b626e821 100644 --- a/charts/ctlog/README.md +++ b/charts/ctlog/README.md @@ -1,6 +1,6 @@ # ctlog -![Version: 0.2.55](https://img.shields.io/badge/Version-0.2.55-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.5](https://img.shields.io/badge/AppVersion-0.7.5-informational?style=flat-square) +![Version: 0.2.56](https://img.shields.io/badge/Version-0.2.56-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.8](https://img.shields.io/badge/AppVersion-0.7.8-informational?style=flat-square) Certificate Log 
@@ -24,11 +24,11 @@ Certificate Log | createctconfig.image.pullPolicy | string | `"IfNotPresent"` | | | createctconfig.image.registry | string | `"ghcr.io"` | | | createctconfig.image.repository | string | `"sigstore/scaffolding/createctconfig"` | | -| createctconfig.image.version | string | `"sha256:6b66b764cd0955c18a4ba58c7ebb05704d04b9a68962d7616045325c456fab02"` | v0.7.5 | +| createctconfig.image.version | string | `"sha256:d72a616f53005c51dd0f3fa40848e5149d23fb1c3dd216525f54d54dcca36b49"` | v0.7.8 | | createctconfig.initContainerImage.curl.imagePullPolicy | string | `"IfNotPresent"` | | | createctconfig.initContainerImage.curl.registry | string | `"docker.io"` | | | createctconfig.initContainerImage.curl.repository | string | `"curlimages/curl"` | | -| createctconfig.initContainerImage.curl.version | string | `"sha256:4bfa3e2c0164fb103fb9bfd4dc956facce32b6c5d47cc09fcec883ce9535d5ac"` | 8.5.0 | +| createctconfig.initContainerImage.curl.version | string | `"sha256:8addc281f0ea517409209f76832b6ddc2cabc3264feb1ebbec2a2521ffad24e4"` | 8.9.1 | | createctconfig.logPrefix | string | `"sigstorescaffolding"` | | | createctconfig.name | string | `"createctconfig"` | | | createctconfig.nodeSelector | object | `{}` | | @@ -51,7 +51,7 @@ Certificate Log | createtree.image.pullPolicy | string | `"IfNotPresent"` | | | createtree.image.registry | string | `"ghcr.io"` | | | createtree.image.repository | string | `"sigstore/scaffolding/createtree"` | | -| createtree.image.version | string | `"sha256:ae1f37905e92c3ad47ce9c0a02942a2b794aded29755bc427bc667d18eec9088"` | | +| createtree.image.version | string | `"sha256:c0cc90af73b71eaf0835c332d99834b669a36698c44c454835589bbc5acac478"` | | | createtree.name | string | `"createtree"` | | | createtree.nodeSelector | object | `{}` | | | createtree.securityContext.runAsNonRoot | bool | `true` | | 
@@ -73,7 +73,7 @@ Certificate Log | server.image.pullPolicy | string | `"IfNotPresent"` | | | server.image.registry | string | `"ghcr.io"` | | | server.image.repository | string | `"sigstore/scaffolding/ct_server"` | | -| server.image.version | string | `"sha256:2ba06b91757a54b1be6675a7139946730fdb4b0f743f3a269ffbefcff5098c20"` | | +| server.image.version | string | `"sha256:60f76cc090a18f278b2e8cdd1f8901543455a8a6f3c3bcd7a4a3f1481534552a"` | | | server.ingress.annotations | object | `{}` | | | server.ingress.className | string | `"nginx"` | | | server.ingress.enabled | bool | `false` | | @@ -125,5 +125,3 @@ Certificate Log | trillian.logServer.portRPC | int | `8091` | | | trillian.namespace | string | `"trillian-system"` | | ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) diff --git a/charts/ctlog/values.yaml b/charts/ctlog/values.yaml index edc2f52b..1a85af98 100644 --- a/charts/ctlog/values.yaml +++ b/charts/ctlog/values.yaml @@ -13,8 +13,8 @@ server: registry: ghcr.io repository: sigstore/scaffolding/ct_server pullPolicy: IfNotPresent - # v0.7.5 - version: sha256:2ba06b91757a54b1be6675a7139946730fdb4b0f743f3a269ffbefcff5098c20 + # v0.7.8 + version: sha256:60f76cc090a18f278b2e8cdd1f8901543455a8a6f3c3bcd7a4a3f1481534552a livenessProbe: httpGet: path: /healthz @@ -100,8 +100,8 @@ createtree: registry: ghcr.io repository: sigstore/scaffolding/createtree pullPolicy: IfNotPresent - # v0.7.5 - version: sha256:ae1f37905e92c3ad47ce9c0a02942a2b794aded29755bc427bc667d18eec9088 + # v0.7.8 + version: sha256:c0cc90af73b71eaf0835c332d99834b669a36698c44c454835589bbc5acac478 ttlSecondsAfterFinished: 3600 serviceAccount: create: true 
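Review bot: The version comments above the `server.image.version` and `createtree.image.version` digests in charts/ctlog/values.yaml are written as `# v0.7.8`, without the `--` marker that the `createctconfig` entries in the same file use. The README in this patch is generated by helm-docs, and its rows for those two keys have an empty description column, so the published docs show a bare digest with no release to check it against. Writing the comments as `# -- v0.7.8` would carry the version into the README, which makes a digest pin auditable. The `createtree` hunk in charts/rekor/values.yaml later in this series has the same `# v0.7.8` form.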
@@ -125,15 +125,15 @@ createctconfig: curl: registry: docker.io repository: curlimages/curl - # -- 8.5.0 - version: "sha256:4bfa3e2c0164fb103fb9bfd4dc956facce32b6c5d47cc09fcec883ce9535d5ac" + # -- 8.9.1 + version: sha256:8addc281f0ea517409209f76832b6ddc2cabc3264feb1ebbec2a2521ffad24e4 imagePullPolicy: IfNotPresent image: registry: ghcr.io repository: sigstore/scaffolding/createctconfig pullPolicy: IfNotPresent - # -- v0.7.5 - version: sha256:6b66b764cd0955c18a4ba58c7ebb05704d04b9a68962d7616045325c456fab02 + # -- v0.7.8 + version: sha256:d72a616f53005c51dd0f3fa40848e5149d23fb1c3dd216525f54d54dcca36b49 fulcioURL: "http://fulcio-server.fulcio-system.svc" logPrefix: sigstorescaffolding privateKeyPasswordSecretName: "" From 715b2f0d92a48c28af395b0e80f900458ff971c1 Mon Sep 17 00:00:00 2001 From: Bob Callaway Date: Tue, 3 Sep 2024 08:27:09 -0400 Subject: [PATCH 48/63] run make docs Signed-off-by: Bob Callaway --- charts/ctlog/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/charts/ctlog/README.md b/charts/ctlog/README.md index b626e821..74099a29 100644 --- a/charts/ctlog/README.md +++ b/charts/ctlog/README.md @@ -125,3 +125,5 @@ Certificate Log | trillian.logServer.portRPC | int | `8091` | | | trillian.namespace | string | `"trillian-system"` | | +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) From 79886b1430ad2815cabc16643df0e93d04c3b34b Mon Sep 17 00:00:00 2001 From: Bob Callaway Date: Tue, 3 Sep 2024 09:08:54 -0400 Subject: [PATCH 49/63] drop mysql back to last version, will debug later Signed-off-by: Bob Callaway --- charts/trillian/Chart.yaml | 2 +- charts/trillian/README.md | 2 +- charts/trillian/values.yaml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/trillian/Chart.yaml b/charts/trillian/Chart.yaml index 6409b808..3c48026b 100644 --- a/charts/trillian/Chart.yaml +++ b/charts/trillian/Chart.yaml 
@@ -29,7 +29,7 @@ annotations: - name: netcat image: cgr.dev/chainguard/netcat@sha256:6051975a14c51b9d3b525a06004d62a4d323c08ca58e3468343095a55a42fff2 - name: db_server - image: gcr.io/trillian-opensource-ci/db_server:v1.6.1@sha256:b7d874db5787cf4b24254aeb4d6b68c19236895e83308db707b6de2ac9dddb28 + image: gcr.io/trillian-opensource-ci/db_server:v1.5.3@sha256:2a685a38dd0129cceb646c232d285383f614c7e6fa51ff8f512aef78e4298461 - name: log_server image: ghcr.io/sigstore/scaffolding/trillian_log_server:v1.6.1@sha256:b09ad6b9f876be07baf6006afdf13402302251a373eef000cdc7a6d0c0ca584f - name: log_signer diff --git a/charts/trillian/README.md b/charts/trillian/README.md index 19ad167b..0678c060 100644 --- a/charts/trillian/README.md +++ b/charts/trillian/README.md @@ -149,7 +149,7 @@ helm uninstall [RELEASE_NAME] | mysql.image.pullPolicy | string | `"IfNotPresent"` | | | mysql.image.registry | string | `"gcr.io"` | | | mysql.image.repository | string | `"trillian-opensource-ci/db_server"` | | -| mysql.image.version | string | `"sha256:b7d874db5787cf4b24254aeb4d6b68c19236895e83308db707b6de2ac9dddb28"` | crane digest gcr.io/trillian-opensource-ci/db_server:v1.6.1 | +| mysql.image.version | string | `"sha256:2a685a38dd0129cceb646c232d285383f614c7e6fa51ff8f512aef78e4298461"` | crane digest gcr.io/trillian-opensource-ci/db_server:v1.5.3 | | mysql.livenessProbe.exec.command[0] | string | `"/etc/init.d/mysql"` | | | mysql.livenessProbe.exec.command[1] | string | `"status"` | | | mysql.livenessProbe.failureThreshold | int | `3` | | diff --git a/charts/trillian/values.yaml b/charts/trillian/values.yaml index b59bec51..bdb3f941 100644 --- a/charts/trillian/values.yaml +++ b/charts/trillian/values.yaml 
@@ -74,8 +74,8 @@ mysql: registry: gcr.io repository: trillian-opensource-ci/db_server pullPolicy: IfNotPresent - # -- crane digest gcr.io/trillian-opensource-ci/db_server:v1.6.1 - version: sha256:b7d874db5787cf4b24254aeb4d6b68c19236895e83308db707b6de2ac9dddb28 + # -- crane digest gcr.io/trillian-opensource-ci/db_server:v1.5.3 + version: sha256:2a685a38dd0129cceb646c232d285383f614c7e6fa51ff8f512aef78e4298461 resources: {} args: - "--ignore-db-dir=lost+found" From e74a90765e81aad963de3746c6512f1339d87a44 Mon Sep 17 00:00:00 2001 From: Bob Callaway Date: Tue, 3 Sep 2024 10:29:34 -0400 Subject: [PATCH 50/63] bump rekor chart for trillian v1.6.1 release Signed-off-by: Bob Callaway --- charts/rekor/Chart.yaml | 12 ++++++++---- charts/rekor/README.md | 10 +++++----- charts/rekor/values.yaml | 12 ++++++------ 3 files changed, 19 insertions(+), 15 deletions(-) diff --git a/charts/rekor/Chart.yaml b/charts/rekor/Chart.yaml index f80c4b08..1235f286 100644 --- a/charts/rekor/Chart.yaml +++ b/charts/rekor/Chart.yaml @@ -4,7 +4,7 @@ description: Part of the sigstore project, Rekor is a timestamping server and tr type: application -version: 1.4.7 +version: 1.4.8 appVersion: 1.3.6 keywords: @@ -19,7 +19,7 @@ maintainers: dependencies: - name: trillian - version: 0.2.26 + version: 0.2.27 repository: https://sigstore.github.io/helm-charts condition: trillian.enabled 
@@ -27,12 +27,16 @@ annotations: artifacthub.io/license: Apache-2.0 artifacthub.io/images: | - name: createtree - image: ghcr.io/sigstore/scaffolding/createtree:v0.7.5@sha256:ae1f37905e92c3ad47ce9c0a02942a2b794aded29755bc427bc667d18eec9088 + image: ghcr.io/sigstore/scaffolding/createtree:v0.7.8@sha256:c0cc90af73b71eaf0835c332d99834b669a36698c44c454835589bbc5acac478 - name: curlimages/curl - image: docker.io/curlimages/curl:8.5.0@sha256:4bfa3e2c0164fb103fb9bfd4dc956facce32b6c5d47cc09fcec883ce9535d5ac + image: docker.io/curlimages/curl:8.9.1@sha256:8addc281f0ea517409209f76832b6ddc2cabc3264feb1ebbec2a2521ffad24e4 - name: rekor-server image: gcr.io/projectsigstore/rekor-server:v1.3.6@sha256:1237f29e2105d7f5451bbe15a3aca8677ddd1bb80620ca2fd06f74262437cf51 - name: redis image: docker.io/redis:6.2.14-alpine3.20@sha256:e3b17ba9479deec4b7d1eeec1548a253acc5374d68d3b27937fcfe4df8d18c7e - name: backfill-redis image: ghcr.io/sigstore/rekor/backfill-redis:v1.3.6@sha256:a13cd8b2a554d6116888fd1f383cf6e91fc1716df5eda392b82e6bfc66995ec3 + - name: scaffold_cloud_proxy + image: ghcr.io/sigstore/scaffolding/cloudsqlproxy:v0.7.8@sha256:8a7539e248d38628799934e7f1c890083c90e4242e2b0feec4c352fda2574184 + - name: cloud_proxy + image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.12.0-alpine@sha256:a3843521730914f074f364c5bec608319ebeb5e66da9314ba45b16cd8223547f diff --git a/charts/rekor/README.md b/charts/rekor/README.md index 1b1587ca..eb58623e 100644 --- a/charts/rekor/README.md +++ b/charts/rekor/README.md 
@@ -1,6 +1,6 @@ # rekor -![Version: 1.4.7](https://img.shields.io/badge/Version-1.4.7-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.6](https://img.shields.io/badge/AppVersion-1.3.6-informational?style=flat-square) +![Version: 1.4.8](https://img.shields.io/badge/Version-1.4.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.6](https://img.shields.io/badge/AppVersion-1.3.6-informational?style=flat-square) Part of the sigstore project, Rekor is a timestamping server and transparency log for storing signatures, as well as an API based server for validation @@ -20,7 +20,7 @@ Part of the sigstore project, Rekor is a timestamping server and transparency lo | Repository | Name | Version | |------------|------|---------| -| https://sigstore.github.io/helm-charts | trillian | 0.2.26 | +| https://sigstore.github.io/helm-charts | trillian | 0.2.27 | ## Values @@ -48,7 +48,7 @@ Part of the sigstore project, Rekor is a timestamping server and transparency lo | createtree.image.pullPolicy | string | `"IfNotPresent"` | | | createtree.image.registry | string | `"ghcr.io"` | | | createtree.image.repository | string | `"sigstore/scaffolding/createtree"` | | -| createtree.image.version | string | `"sha256:ae1f37905e92c3ad47ce9c0a02942a2b794aded29755bc427bc667d18eec9088"` | | +| createtree.image.version | string | `"sha256:c0cc90af73b71eaf0835c332d99834b669a36698c44c454835589bbc5acac478"` | | | createtree.name | string | `"createtree"` | | | createtree.nodeSelector | object | `{}` | | | createtree.resources | object | `{}` | | 
@@ -64,7 +64,7 @@ Part of the sigstore project, Rekor is a timestamping server and transparency lo | initContainerImage.curl.imagePullPolicy | string | `"IfNotPresent"` | | | initContainerImage.curl.registry | string | `"docker.io"` | | | initContainerImage.curl.repository | string | `"curlimages/curl"` | | -| initContainerImage.curl.version | string | `"sha256:4bfa3e2c0164fb103fb9bfd4dc956facce32b6c5d47cc09fcec883ce9535d5ac"` | 8.5.0 | +| initContainerImage.curl.version | string | `"sha256:8addc281f0ea517409209f76832b6ddc2cabc3264feb1ebbec2a2521ffad24e4"` | 8.9.1 | | initContainerResources | object | `{}` | | | mysql.enabled | bool | `false` | | | mysql.gcp.cloudsql.registry | string | `"gcr.io"` | | @@ -88,7 +88,7 @@ Part of the sigstore project, Rekor is a timestamping server and transparency lo | mysql.gcp.scaffoldSQLProxy.securityContext.capabilities.drop[0] | string | `"ALL"` | | | mysql.gcp.scaffoldSQLProxy.securityContext.readOnlyRootFilesystem | bool | `true` | | | mysql.gcp.scaffoldSQLProxy.securityContext.runAsNonRoot | bool | `true` | | -| mysql.gcp.scaffoldSQLProxy.version | string | `"sha256:3dfbca0320a497cddd66a748b53377982c6309cb9e3c73f21d2b1bdef14730ba"` | v0.7.5 which is based on cloud-sql-proxy:2.12.0-alpine | +| mysql.gcp.scaffoldSQLProxy.version | string | `"sha256:8a7539e248d38628799934e7f1c890083c90e4242e2b0feec4c352fda2574184"` | v0.7.8 which is based on cloud-sql-proxy:2.12.0-alpine | | mysql.hostname | string | `""` | | | mysql.image.pullPolicy | string | `"IfNotPresent"` | | | mysql.image.registry | string | `"gcr.io"` | | diff --git a/charts/rekor/values.yaml b/charts/rekor/values.yaml index c47c7568..33496913 100644 --- a/charts/rekor/values.yaml +++ b/charts/rekor/values.yaml 
@@ -7,8 +7,8 @@ initContainerImage: curl: registry: docker.io repository: curlimages/curl - # -- 8.5.0 - version: "sha256:4bfa3e2c0164fb103fb9bfd4dc956facce32b6c5d47cc09fcec883ce9535d5ac" + # -- 8.9.1 + version: sha256:8addc281f0ea517409209f76832b6ddc2cabc3264feb1ebbec2a2521ffad24e4 imagePullPolicy: IfNotPresent initContainerResources: {} @@ -64,8 +64,8 @@ mysql: scaffoldSQLProxy: registry: ghcr.io repository: sigstore/scaffolding/cloudsqlproxy - # -- v0.7.5 which is based on cloud-sql-proxy:2.12.0-alpine - version: sha256:3dfbca0320a497cddd66a748b53377982c6309cb9e3c73f21d2b1bdef14730ba + # -- v0.7.8 which is based on cloud-sql-proxy:2.12.0-alpine + version: sha256:8a7539e248d38628799934e7f1c890083c90e4242e2b0feec4c352fda2574184 resources: requests: memory: "2Gi" @@ -227,8 +227,8 @@ createtree: registry: ghcr.io repository: sigstore/scaffolding/createtree pullPolicy: IfNotPresent - # v0.7.5 - version: sha256:ae1f37905e92c3ad47ce9c0a02942a2b794aded29755bc427bc667d18eec9088 + # v0.7.8 + version: sha256:c0cc90af73b71eaf0835c332d99834b669a36698c44c454835589bbc5acac478 ttlSecondsAfterFinished: 3600 serviceAccount: create: true From b52a07fbd60c6041b9377413a55546d4f1f65cbd Mon Sep 17 00:00:00 2001 From: Bob Callaway Date: Tue, 3 Sep 2024 10:41:22 -0400 Subject: [PATCH 51/63] bump updatetree chart for scaffolding v0.7.8 release Signed-off-by: Bob Callaway --- charts/updatetree/Chart.yaml | 6 +++--- charts/updatetree/README.md | 4 ++-- charts/updatetree/values.yaml | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/updatetree/Chart.yaml b/charts/updatetree/Chart.yaml index 3ab6c3dc..71424e5d 100644 --- a/charts/updatetree/Chart.yaml +++ b/charts/updatetree/Chart.yaml @@ -4,8 +4,8 @@ description: Update the status of an existing Trillian tree type: application -version: 0.0.12 -appVersion: 0.7.5 +version: 0.0.13 +appVersion: 0.7.8 keywords: 
@@ -22,4 +22,4 @@ annotations: artifacthub.io/license: Apache-2.0 artifacthub.io/images: | - name: updatetree - image: ghcr.io/sigstore/scaffolding/updatetree:v0.7.5@sha256:6931d76881035a6451353568eb5c29764cf81c3e71dc5cb512e8cd18b2b89983 + image: ghcr.io/sigstore/scaffolding/updatetree:v0.7.8@sha256:08703b6f450293d7047c914765dc988a8da4f8c4cbf2b85d58bb64ba0c45ff36 diff --git a/charts/updatetree/README.md b/charts/updatetree/README.md index 01ca234e..04114fdf 100644 --- a/charts/updatetree/README.md +++ b/charts/updatetree/README.md @@ -1,6 +1,6 @@ # updatetree -![Version: 0.0.12](https://img.shields.io/badge/Version-0.0.12-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.5](https://img.shields.io/badge/AppVersion-0.7.5-informational?style=flat-square) +![Version: 0.0.13](https://img.shields.io/badge/Version-0.0.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.8](https://img.shields.io/badge/AppVersion-0.7.8-informational?style=flat-square) Update the status of an existing Trillian tree @@ -29,7 +29,7 @@ Update the status of an existing Trillian tree | serviceAccount.annotations | object | `{}` | | | serviceAccount.create | bool | `false` | | | serviceAccount.name | string | `"trillian-logserver"` | | -| spec.image | string | `"ghcr.io/sigstore/scaffolding/updatetree:v0.7.5@sha256:6931d76881035a6451353568eb5c29764cf81c3e71dc5cb512e8cd18b2b89983"` | | +| spec.image | string | `"ghcr.io/sigstore/scaffolding/updatetree:v0.7.8@sha256:08703b6f450293d7047c914765dc988a8da4f8c4cbf2b85d58bb64ba0c45ff36"` | | | spec.replicaCount | int | `1` | | | tolerations | list | `[]` | | | trillian.adminServer | string | `""` | | diff --git a/charts/updatetree/values.yaml b/charts/updatetree/values.yaml index 21c53584..6134b1f4 100644 --- a/charts/updatetree/values.yaml 
+++ b/charts/updatetree/values.yaml @@ -8,7 +8,7 @@ serviceAccount: create: false spec: replicaCount: 1 - image: ghcr.io/sigstore/scaffolding/updatetree:v0.7.5@sha256:6931d76881035a6451353568eb5c29764cf81c3e71dc5cb512e8cd18b2b89983 + image: ghcr.io/sigstore/scaffolding/updatetree:v0.7.8@sha256:08703b6f450293d7047c914765dc988a8da4f8c4cbf2b85d58bb64ba0c45ff36 ttlSecondsAfterFinished: 3600 securityContext: runAsNonRoot: true From fe3109a0dc27c864e664ce53c59c293bdd3c93f4 Mon Sep 17 00:00:00 2001 From: Bob Callaway Date: Tue, 3 Sep 2024 10:43:30 -0400 Subject: [PATCH 52/63] bump tuf chart for scaffolding v0.7.8 release Signed-off-by: Bob Callaway --- charts/tuf/Chart.yaml | 6 +++--- charts/tuf/README.md | 4 ++-- charts/tuf/values.yaml | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/charts/tuf/Chart.yaml b/charts/tuf/Chart.yaml index 68d22984..e5074392 100644 --- a/charts/tuf/Chart.yaml +++ b/charts/tuf/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: tuf description: A framework for securing software update systems - the scaffolding implementation type: application -version: 0.1.16 -appVersion: "0.7.5" +version: 0.1.17 +appVersion: 0.7.8 home: https://sigstore.dev/ sources: @@ -17,4 +17,4 @@ annotations: artifacthub.io/license: Apache-2.0 artifacthub.io/images: | - name: scaffolding-tuf - image: ghcr.io/sigstore/scaffolding/server:v0.7.5@sha256:754863e91bbc91fa752ca43df145cbee990f8df2b6a44ba4a3965e57419c8a69 + image: ghcr.io/sigstore/scaffolding/server:v0.7.8@sha256:dfccfb85b8638b488a3fd2320d723efb37633be7c32c34a1ab58138e5f80d0e2 diff --git a/charts/tuf/README.md b/charts/tuf/README.md index 57a1c66b..193b3372 100644 --- a/charts/tuf/README.md +++ b/charts/tuf/README.md 
@@ -1,6 +1,6 @@ # tuf -![Version: 0.1.16](https://img.shields.io/badge/Version-0.1.16-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.5](https://img.shields.io/badge/AppVersion-0.7.5-informational?style=flat-square) +![Version: 0.1.17](https://img.shields.io/badge/Version-0.1.17-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.8](https://img.shields.io/badge/AppVersion-0.7.8-informational?style=flat-square) A framework for securing software update systems - the scaffolding implementation @@ -29,7 +29,7 @@ A framework for securing software update systems - the scaffolding implementatio | deployment.replicas | int | `1` | | | deployment.repository | string | `"sigstore/scaffolding/server"` | | | deployment.tolerations | list | `[]` | | -| deployment.version | string | `"sha256:754863e91bbc91fa752ca43df145cbee990f8df2b6a44ba4a3965e57419c8a69"` | | +| deployment.version | string | `"sha256:dfccfb85b8638b488a3fd2320d723efb37633be7c32c34a1ab58138e5f80d0e2"` | | | enabled | bool | `true` | | | forceNamespace | string | `""` | | | fullnameOverride | string | `"tuf"` | | diff --git a/charts/tuf/values.yaml b/charts/tuf/values.yaml index 7296eaaa..ff4f081b 100644 --- a/charts/tuf/values.yaml +++ b/charts/tuf/values.yaml @@ -11,8 +11,8 @@ deployment: replicas: 1 registry: ghcr.io repository: sigstore/scaffolding/server - # v0.7.5 - version: sha256:754863e91bbc91fa752ca43df145cbee990f8df2b6a44ba4a3965e57419c8a69 + # v0.7.8 + version: sha256:dfccfb85b8638b488a3fd2320d723efb37633be7c32c34a1ab58138e5f80d0e2 imagePullPolicy: IfNotPresent port: 8080 tolerations: [] From 4b8220216a35ce50b6c3f65d9160c42eb7c8db14 Mon Sep 17 00:00:00 2001 From: Bob Callaway Date: Tue, 3 Sep 2024 10:46:27 -0400 Subject: [PATCH 53/63] bump fulcio chart for trillian v1.6.1, scaf 0.7.8 releases 
Signed-off-by: Bob Callaway --- charts/fulcio/Chart.lock | 6 +++--- charts/fulcio/Chart.yaml | 6 +++--- charts/fulcio/README.md | 6 +++--- charts/fulcio/values.yaml | 4 ++-- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/charts/fulcio/Chart.lock b/charts/fulcio/Chart.lock index 685afe80..7112039a 100644 --- a/charts/fulcio/Chart.lock +++ b/charts/fulcio/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: ctlog repository: https://sigstore.github.io/helm-charts - version: 0.2.55 -digest: sha256:2bc954c7e7766b44e36cc1175819c1085e0edfc54e23d63291a9dab700d354ad -generated: "2024-07-28T15:26:37.286439639-04:00" + version: 0.2.56 +digest: sha256:48d5abee9df97033c523c51f0bd6b58adac1b23bc63705c43a548f332eee1bc5 +generated: "2024-09-03T10:46:06.600740798-04:00" diff --git a/charts/fulcio/Chart.yaml b/charts/fulcio/Chart.yaml index 489e2e0f..71d24ca7 100644 --- a/charts/fulcio/Chart.yaml +++ b/charts/fulcio/Chart.yaml @@ -5,7 +5,7 @@ description: | type: application -version: 2.5.2 +version: 2.5.3 appVersion: 1.6.2 keywords: @@ -19,7 +19,7 @@ maintainers: dependencies: - name: ctlog - version: 0.2.55 + version: 0.2.56 repository: https://sigstore.github.io/helm-charts condition: ctlog.enabled @@ -29,4 +29,4 @@ annotations: - name: fulcio image: gcr.io/projectsigstore/fulcio:v1.6.2@sha256:296b0d3e7043551a76b0855deec06f69f2ad37888a6669308414a4597b3d98a1 - name: createcerts - image: ghcr.io/sigstore/scaffolding/createcerts:v0.7.5@sha256:cd605e02eef0c0d70aa0b4805c6483054ab652f8ff0e9b382f06961596ef3e73 + image: ghcr.io/sigstore/scaffolding/createcerts:v0.7.8@sha256:c9c76a4a383ded6ec062e0185dd8e334192af1adcb60ab61bb88f87420a5b7ca diff --git a/charts/fulcio/README.md b/charts/fulcio/README.md index b271177e..c9c58516 100644 --- a/charts/fulcio/README.md +++ b/charts/fulcio/README.md 
@@ -2,7 +2,7 @@ -![Version: 2.5.2](https://img.shields.io/badge/Version-2.5.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.2](https://img.shields.io/badge/AppVersion-1.6.2-informational?style=flat-square) +![Version: 2.5.3](https://img.shields.io/badge/Version-2.5.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.2](https://img.shields.io/badge/AppVersion-1.6.2-informational?style=flat-square) Fulcio is a free code signing Certificate Authority, built to make short-lived certificates available to anyone. @@ -71,7 +71,7 @@ helm uninstall [RELEASE_NAME] | Repository | Name | Version | |------------|------|---------| -| https://sigstore.github.io/helm-charts | ctlog | 0.2.55 | +| https://sigstore.github.io/helm-charts | ctlog | 0.2.56 | ## Values @@ -85,7 +85,7 @@ helm uninstall [RELEASE_NAME] | createcerts.image.pullPolicy | string | `"IfNotPresent"` | | | createcerts.image.registry | string | `"ghcr.io"` | | | createcerts.image.repository | string | `"sigstore/scaffolding/createcerts"` | | -| createcerts.image.version | string | `"sha256:cd605e02eef0c0d70aa0b4805c6483054ab652f8ff0e9b382f06961596ef3e73"` | | +| createcerts.image.version | string | `"sha256:c9c76a4a383ded6ec062e0185dd8e334192af1adcb60ab61bb88f87420a5b7ca"` | | | createcerts.name | string | `"createcerts"` | | | createcerts.nodeSelector | object | `{}` | | | createcerts.replicaCount | int | `1` | | diff --git a/charts/fulcio/values.yaml b/charts/fulcio/values.yaml index c4f11f7f..73517bc6 100644 --- a/charts/fulcio/values.yaml +++ b/charts/fulcio/values.yaml 
@@ -117,8 +117,8 @@ createcerts: registry: ghcr.io repository: sigstore/scaffolding/createcerts pullPolicy: IfNotPresent - # v0.7.5 - version: sha256:cd605e02eef0c0d70aa0b4805c6483054ab652f8ff0e9b382f06961596ef3e73 + # v0.7.8 + version: sha256:c9c76a4a383ded6ec062e0185dd8e334192af1adcb60ab61bb88f87420a5b7ca ttlSecondsAfterFinished: 3600 serviceAccount: create: true From b22e7b0345cb01f1f03cff55bab9cc2d97ed16b7 Mon Sep 17 00:00:00 2001 From: Bob Callaway Date: Tue, 3 Sep 2024 10:51:40 -0400 Subject: [PATCH 54/63] bump prober chart for scaffolding v078 release Signed-off-by: Bob Callaway --- charts/sigstore-prober/Chart.yaml | 6 +++--- charts/sigstore-prober/README.md | 4 ++-- charts/sigstore-prober/values.yaml | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/sigstore-prober/Chart.yaml b/charts/sigstore-prober/Chart.yaml index d53ccb50..97affd15 100644 --- a/charts/sigstore-prober/Chart.yaml +++ b/charts/sigstore-prober/Chart.yaml @@ -4,8 +4,8 @@ description: Sigstore API Endpoint Prober type: application -version: 0.0.26 -appVersion: 0.7.5 +version: 0.0.27 +appVersion: 0.7.8 keywords: @@ -21,4 +21,4 @@ annotations: artifacthub.io/license: Apache-2.0 artifacthub.io/images: | - name: sigstore-prober - image: ghcr.io/sigstore/scaffolding/prober:v0.7.5@sha256:84f34b256d3cd86601d3a4c48ff9579de1154c5a4b86321edbceb72d709f5c81 + image: ghcr.io/sigstore/scaffolding/prober:v0.7.8@sha256:07c803bcf28ed14974fb08755a05fbd45b33501ad3b45f32c8c64d676b38dc74 diff --git a/charts/sigstore-prober/README.md b/charts/sigstore-prober/README.md index ec1a7c8a..d2253447 100644 --- a/charts/sigstore-prober/README.md +++ b/charts/sigstore-prober/README.md 
@@ -1,6 +1,6 @@ # sigstore-prober -![Version: 0.0.26](https://img.shields.io/badge/Version-0.0.26-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.5](https://img.shields.io/badge/AppVersion-0.7.5-informational?style=flat-square) +![Version: 0.0.27](https://img.shields.io/badge/Version-0.0.27-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.8](https://img.shields.io/badge/AppVersion-0.7.8-informational?style=flat-square) Sigstore API Endpoint Prober @@ -30,7 +30,7 @@ Sigstore API Endpoint Prober | spec.args.rekorRequests | list | `[]` | | | spec.args.trustRekorAPIPublicKey | bool | `false` | | | spec.args.writeProber | bool | `false` | | -| spec.image | string | `"ghcr.io/sigstore/scaffolding/prober:v0.7.5@sha256:84f34b256d3cd86601d3a4c48ff9579de1154c5a4b86321edbceb72d709f5c81"` | | +| spec.image | string | `"ghcr.io/sigstore/scaffolding/prober:v0.7.8@sha256:07c803bcf28ed14974fb08755a05fbd45b33501ad3b45f32c8c64d676b38dc74"` | | | spec.imagePullPolicy | string | `"Always"` | | | spec.matchLabels.app | string | `"sigstore-prober"` | | | spec.replicaCount | int | `1` | | diff --git a/charts/sigstore-prober/values.yaml b/charts/sigstore-prober/values.yaml index fcfa11c0..540d93a8 100644 --- a/charts/sigstore-prober/values.yaml +++ b/charts/sigstore-prober/values.yaml @@ -6,7 +6,7 @@ serviceAccount: create: false spec: replicaCount: 1 - image: ghcr.io/sigstore/scaffolding/prober:v0.7.5@sha256:84f34b256d3cd86601d3a4c48ff9579de1154c5a4b86321edbceb72d709f5c81 + image: ghcr.io/sigstore/scaffolding/prober:v0.7.8@sha256:07c803bcf28ed14974fb08755a05fbd45b33501ad3b45f32c8c64d676b38dc74 imagePullPolicy: Always matchLabels: app: sigstore-prober From c2e3a251207eba7de4cbe792041f75672fb9c849 Mon Sep 17 00:00:00 2001 
From: Bob Callaway Date: Tue, 3 Sep 2024 11:29:22 -0400 Subject: [PATCH 55/63] bump scaffold chart for v0.7.8 release Signed-off-by: Bob Callaway --- charts/scaffold/Chart.lock | 14 +++++++------- charts/scaffold/Chart.yaml | 12 ++++++------ charts/scaffold/README.md | 12 ++++++------ 3 files changed, 19 insertions(+), 19 deletions(-) diff --git a/charts/scaffold/Chart.lock b/charts/scaffold/Chart.lock index 6a5f4321..0ace566c 100644 --- a/charts/scaffold/Chart.lock +++ b/charts/scaffold/Chart.lock @@ -1,21 +1,21 @@ dependencies: - name: fulcio repository: https://sigstore.github.io/helm-charts - version: 2.5.2 + version: 2.5.3 - name: rekor repository: https://sigstore.github.io/helm-charts - version: 1.4.7 + version: 1.4.8 - name: trillian repository: https://sigstore.github.io/helm-charts - version: 0.2.26 + version: 0.2.27 - name: ctlog repository: https://sigstore.github.io/helm-charts - version: 0.2.55 + version: 0.2.56 - name: tuf repository: https://sigstore.github.io/helm-charts - version: 0.1.16 + version: 0.1.17 - name: tsa repository: https://sigstore.github.io/helm-charts version: 1.0.5 -digest: sha256:cc49fc3dd2ac58125bb5bb8cc38788e2364c623d2ec0f1c9d691d29684549b06 -generated: "2024-08-15T19:16:45.277473576Z" +digest: sha256:a8374d9339bf2b322c6865c08ff4ada37781d7df5968191c2e7fdde317ea3d25 +generated: "2024-09-03T11:26:16.310950815-04:00" diff --git a/charts/scaffold/Chart.yaml b/charts/scaffold/Chart.yaml index 278a0e4b..0fcee640 100644 --- a/charts/scaffold/Chart.yaml +++ b/charts/scaffold/Chart.yaml @@ -4,7 +4,7 @@ description: Scaffolding the components of the sigstore architecture type: application -version: 0.6.59 +version: 0.6.60 keywords: - security - pki 
@@ -16,23 +16,23 @@ maintainers: dependencies: - name: fulcio - version: 2.5.2 + version: 2.5.3 repository: https://sigstore.github.io/helm-charts condition: fulcio.enabled - name: rekor - version: 1.4.7 + version: 1.4.8 repository: https://sigstore.github.io/helm-charts condition: rekor.enabled - name: trillian - version: 0.2.26 + version: 0.2.27 repository: https://sigstore.github.io/helm-charts condition: trillian.enabled - name: ctlog - version: 0.2.55 + version: 0.2.56 repository: https://sigstore.github.io/helm-charts condition: ctlog.enabled - name: tuf - version: 0.1.16 + version: 0.1.17 repository: https://sigstore.github.io/helm-charts condition: tuf.enabled - name: tsa diff --git a/charts/scaffold/README.md b/charts/scaffold/README.md index f9c523c9..214185f1 100644 --- a/charts/scaffold/README.md +++ b/charts/scaffold/README.md @@ -2,7 +2,7 @@ -![Version: 0.6.59](https://img.shields.io/badge/Version-0.6.59-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.6.60](https://img.shields.io/badge/Version-0.6.60-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) Scaffolding the components of the sigstore architecture 
@@ -36,12 +36,12 @@ helm uninstall [RELEASE_NAME] | Repository | Name | Version | |------------|------|---------| -| https://sigstore.github.io/helm-charts | ctlog | 0.2.55 | -| https://sigstore.github.io/helm-charts | fulcio | 2.5.2 | -| https://sigstore.github.io/helm-charts | rekor | 1.4.7 | -| https://sigstore.github.io/helm-charts | trillian | 0.2.26 | +| https://sigstore.github.io/helm-charts | ctlog | 0.2.56 | +| https://sigstore.github.io/helm-charts | fulcio | 2.5.3 | +| https://sigstore.github.io/helm-charts | rekor | 1.4.8 | +| https://sigstore.github.io/helm-charts | trillian | 0.2.27 | | https://sigstore.github.io/helm-charts | tsa | 1.0.5 | -| https://sigstore.github.io/helm-charts | tuf | 0.1.16 | +| https://sigstore.github.io/helm-charts | tuf | 0.1.17 | ## Values From ac151a57d49e4695b3888ce41f0731743d32bc41 Mon Sep 17 00:00:00 2001 From: Carlos Tadeu Panato Junior Date: Wed, 4 Sep 2024 22:10:02 +0200 Subject: [PATCH 56/63] bump fulcio to use v1.6.4 release (#829) Signed-off-by: cpanato --- charts/fulcio/Chart.yaml | 6 +++--- charts/fulcio/README.md | 4 ++-- charts/fulcio/values.yaml | 6 +++--- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/charts/fulcio/Chart.yaml b/charts/fulcio/Chart.yaml index 71d24ca7..e03fdf96 100644 --- a/charts/fulcio/Chart.yaml +++ b/charts/fulcio/Chart.yaml @@ -5,8 +5,8 @@ description: | type: application -version: 2.5.3 -appVersion: 1.6.2 +version: 2.5.4 +appVersion: 1.6.4 keywords: - security @@ -27,6 +27,6 @@ annotations: artifacthub.io/license: Apache-2.0 artifacthub.io/images: | - name: fulcio - image: gcr.io/projectsigstore/fulcio:v1.6.2@sha256:296b0d3e7043551a76b0855deec06f69f2ad37888a6669308414a4597b3d98a1 + image: gcr.io/projectsigstore/fulcio:v1.6.4@sha256:4b2a0f0877095aa36898af70edd00568158f89e015f6bb7f02475660d0924f3b - name: createcerts image: ghcr.io/sigstore/scaffolding/createcerts:v0.7.8@sha256:c9c76a4a383ded6ec062e0185dd8e334192af1adcb60ab61bb88f87420a5b7ca 
diff --git a/charts/fulcio/README.md b/charts/fulcio/README.md index c9c58516..65703ada 100644 --- a/charts/fulcio/README.md +++ b/charts/fulcio/README.md @@ -2,7 +2,7 @@ -![Version: 2.5.3](https://img.shields.io/badge/Version-2.5.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.2](https://img.shields.io/badge/AppVersion-1.6.2-informational?style=flat-square) +![Version: 2.5.4](https://img.shields.io/badge/Version-2.5.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square) Fulcio is a free code signing Certificate Authority, built to make short-lived certificates available to anyone. @@ -125,7 +125,7 @@ helm uninstall [RELEASE_NAME] | server.image.pullPolicy | string | `"IfNotPresent"` | | | server.image.registry | string | `"gcr.io"` | | | server.image.repository | string | `"projectsigstore/fulcio"` | | -| server.image.version | string | `"sha256:296b0d3e7043551a76b0855deec06f69f2ad37888a6669308414a4597b3d98a1"` | v1.6.2 | +| server.image.version | string | `"sha256:4b2a0f0877095aa36898af70edd00568158f89e015f6bb7f02475660d0924f3b"` | v1.6.4 | | server.ingress.grpc.annotations."nginx.ingress.kubernetes.io/backend-protocol" | string | `"GRPC"` | | | server.ingress.grpc.className | string | `""` | | | server.ingress.grpc.enabled | bool | `false` | | diff --git a/charts/fulcio/values.yaml b/charts/fulcio/values.yaml index 73517bc6..b4f8d60a 100644 --- a/charts/fulcio/values.yaml +++ b/charts/fulcio/values.yaml 
@@ -20,9 +20,9 @@ server: registry: gcr.io repository: projectsigstore/fulcio pullPolicy: IfNotPresent - # crane digest gcr.io/projectsigstore/fulcio:v1.6.2 - # -- v1.6.2 - version: sha256:296b0d3e7043551a76b0855deec06f69f2ad37888a6669308414a4597b3d98a1 + # crane digest gcr.io/projectsigstore/fulcio:v1.6.4 + # -- v1.6.4 + version: sha256:4b2a0f0877095aa36898af70edd00568158f89e015f6bb7f02475660d0924f3b args: port: 5555 grpcPort: 5554 From cdac4f1472ed0b405d9e0844160fa72a7d218efa Mon Sep 17 00:00:00 2001 From: cpanato Date: Wed, 4 Sep 2024 14:12:42 -0600 Subject: [PATCH 57/63] bump scaffold to have fulcio v1.6.4 release Signed-off-by: cpanato --- charts/scaffold/Chart.lock | 6 +++--- charts/scaffold/Chart.yaml | 4 ++-- charts/scaffold/README.md | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/charts/scaffold/Chart.lock b/charts/scaffold/Chart.lock index 0ace566c..c4b0fcef 100644 --- a/charts/scaffold/Chart.lock +++ b/charts/scaffold/Chart.lock @@ -1,7 +1,7 @@ dependencies: - name: fulcio repository: https://sigstore.github.io/helm-charts - version: 2.5.3 + version: 2.5.4 - name: rekor repository: https://sigstore.github.io/helm-charts version: 1.4.8 @@ -17,5 +17,5 @@ dependencies: - name: tsa repository: https://sigstore.github.io/helm-charts version: 1.0.5 -digest: sha256:a8374d9339bf2b322c6865c08ff4ada37781d7df5968191c2e7fdde317ea3d25 -generated: "2024-09-03T11:26:16.310950815-04:00" +digest: sha256:a8d432f681bf37e4b1454a4565d38620f27d2b7ec55ff3fd4566dbcff104a928 +generated: "2024-09-04T14:11:41.969723-06:00" diff --git a/charts/scaffold/Chart.yaml b/charts/scaffold/Chart.yaml index 0fcee640..bbcda100 100644 --- a/charts/scaffold/Chart.yaml +++ b/charts/scaffold/Chart.yaml @@ -4,7 +4,7 @@ description: Scaffolding the components of the sigstore architecture type: application -version: 0.6.60 +version: 0.6.61 keywords: - security - pki 
@@ -16,7 +16,7 @@ maintainers: dependencies: - name: fulcio - version: 2.5.3 + version: 2.5.4 repository: https://sigstore.github.io/helm-charts condition: fulcio.enabled - name: rekor diff --git a/charts/scaffold/README.md b/charts/scaffold/README.md index 214185f1..d34e12d5 100644 --- a/charts/scaffold/README.md +++ b/charts/scaffold/README.md @@ -2,7 +2,7 @@ -![Version: 0.6.60](https://img.shields.io/badge/Version-0.6.60-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.6.61](https://img.shields.io/badge/Version-0.6.61-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) Scaffolding the components of the sigstore architecture @@ -37,7 +37,7 @@ helm uninstall [RELEASE_NAME] | Repository | Name | Version | |------------|------|---------| | https://sigstore.github.io/helm-charts | ctlog | 0.2.56 | -| https://sigstore.github.io/helm-charts | fulcio | 2.5.3 | +| https://sigstore.github.io/helm-charts | fulcio | 2.5.4 | | https://sigstore.github.io/helm-charts | rekor | 1.4.8 | | https://sigstore.github.io/helm-charts | trillian | 0.2.27 | | https://sigstore.github.io/helm-charts | tsa | 1.0.5 | From 79dd94d3bead659167d438fd119b6fafe98078fc Mon Sep 17 00:00:00 2001 From: Guilherme Santos <157053549+gsantos-hc@users.noreply.github.com> Date: Tue, 2 Jul 2024 10:14:10 -0400 Subject: [PATCH 58/63] Enable custom annotations in Policy Controller pods Signed-off-by: Guilherme Santos <157053549+gsantos-hc@users.noreply.github.com> --- charts/policy-controller/Chart.yaml | 2 +- charts/policy-controller/README.md | 3 ++- .../templates/webhook/deployment_webhook.yaml | 4 ++++ charts/policy-controller/values.schema.json | 3 +++ charts/policy-controller/values.yaml | 1 + 5 files changed, 11 insertions(+), 2 deletions(-) 
diff --git a/charts/policy-controller/Chart.yaml b/charts/policy-controller/Chart.yaml index 58a96f79..905f212e 100644 --- a/charts/policy-controller/Chart.yaml +++ b/charts/policy-controller/Chart.yaml @@ -8,7 +8,7 @@ sources: type: application name: policy-controller -version: 0.6.9 +version: 0.7.0 appVersion: 0.8.2 maintainers: diff --git a/charts/policy-controller/README.md b/charts/policy-controller/README.md index c64cb857..a603ed62 100644 --- a/charts/policy-controller/README.md +++ b/charts/policy-controller/README.md @@ -2,7 +2,7 @@ -![Version: 0.6.9](https://img.shields.io/badge/Version-0.6.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.8.2](https://img.shields.io/badge/AppVersion-0.8.2-informational?style=flat-square) +![Version: 0.7.0](https://img.shields.io/badge/Version-0.7.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.8.2](https://img.shields.io/badge/AppVersion-0.8.2-informational?style=flat-square) The Helm chart for Policy Controller @@ -173,6 +173,7 @@ helm uninstall [RELEASE_NAME] | webhook.namespaceSelector.matchExpressions[0].key | string | `"policy.sigstore.dev/include"` | | | webhook.namespaceSelector.matchExpressions[0].operator | string | `"In"` | | | webhook.namespaceSelector.matchExpressions[0].values[0] | string | `"true"` | | +| webhook.podAnnotations | object | `{}` | | | webhook.podDisruptionBudget.enabled | bool | `true` | | | webhook.podDisruptionBudget.minAvailable | int | `1` | | | webhook.podSecurityContext.allowPrivilegeEscalation | bool | `false` | | diff --git a/charts/policy-controller/templates/webhook/deployment_webhook.yaml b/charts/policy-controller/templates/webhook/deployment_webhook.yaml index 54fd36d6..0474b7c1 100644 --- a/charts/policy-controller/templates/webhook/deployment_webhook.yaml 
+++ b/charts/policy-controller/templates/webhook/deployment_webhook.yaml @@ -14,6 +14,10 @@ spec: control-plane: {{ template "policy-controller.fullname" . }}-webhook template: metadata: + {{- with .Values.webhook.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} labels: control-plane: {{ template "policy-controller.fullname" . }}-webhook {{- include "policy-controller.labels" . | nindent 8 }} diff --git a/charts/policy-controller/values.schema.json b/charts/policy-controller/values.schema.json index f2e2faab..a6fc34ef 100644 --- a/charts/policy-controller/values.schema.json +++ b/charts/policy-controller/values.schema.json @@ -118,6 +118,9 @@ } } }, + "podAnnotations": { + "type": "object" + }, "podDisruptionBudget": { "type": "object", "properties": { diff --git a/charts/policy-controller/values.yaml b/charts/policy-controller/values.yaml index c9627e3a..6ee8023a 100644 --- a/charts/policy-controller/values.yaml +++ b/charts/policy-controller/values.yaml @@ -32,6 +32,7 @@ webhook: enabled: false runAsUser: 65532 failurePolicy: Fail + podAnnotations: {} podSecurityContext: enabled: true allowPrivilegeEscalation: false From fbe558f65cb6de82c214f83cf665f53b85cb132d Mon Sep 17 00:00:00 2001 From: Stephen Fox Date: Thu, 29 Aug 2024 23:22:59 +0000 Subject: [PATCH 59/63] rekor: Added support for AWS KMS settings. Prior to this commit, the chart did not provide a way to supply AWS credentials for AWS KMS. This commit adds support for AWS KMS by allowing users to supply an AWS region ID and IAM credentials. AWS KMS users must specify the "kmsType" parameter with a value of "aws". The chart will then look for a kubernetes secret named by the "awsKmsCredentialsSecret" parameter. The AWS region ID can be supplied using the newly-added "awsKmsRegion" parameter. 
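Review bot: The `podAnnotations` entry added to values.schema.json is only `"type": "object"`, so a value such as `example.com/flag: true` passes chart validation even though the template renders it with `toYaml` as an unquoted boolean. Kubernetes annotations are string-to-string maps, so the API server then rejects the Deployment at apply time with a less obvious error. Tightening the schema catches this at `helm lint`/install: `"podAnnotations": { "type": "object", "additionalProperties": { "type": "string" } }`. The enclosing `webhook` properties object starts and ends outside the hunk.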
Signed-off-by: Stephen Fox --- charts/rekor/Chart.yaml | 2 +- charts/rekor/README.md | 5 ++++- charts/rekor/templates/server/deployment.yaml | 14 ++++++++++++++ charts/rekor/values.schema.json | 9 +++++++++ charts/rekor/values.yaml | 6 ++++++ 5 files changed, 34 insertions(+), 2 deletions(-) diff --git a/charts/rekor/Chart.yaml b/charts/rekor/Chart.yaml index 1235f286..6dcdddf9 100644 --- a/charts/rekor/Chart.yaml +++ b/charts/rekor/Chart.yaml @@ -4,7 +4,7 @@ description: Part of the sigstore project, Rekor is a timestamping server and tr type: application -version: 1.4.8 +version: 1.5.0 appVersion: 1.3.6 keywords: diff --git a/charts/rekor/README.md b/charts/rekor/README.md index eb58623e..b5c1d913 100644 --- a/charts/rekor/README.md +++ b/charts/rekor/README.md @@ -1,6 +1,6 @@ # rekor -![Version: 1.4.8](https://img.shields.io/badge/Version-1.4.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.6](https://img.shields.io/badge/AppVersion-1.3.6-informational?style=flat-square) +![Version: 1.5.0](https://img.shields.io/badge/Version-1.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.6](https://img.shields.io/badge/AppVersion-1.3.6-informational?style=flat-square) Part of the sigstore project, Rekor is a timestamping server and transparency log for storing signatures, as well as an API based server for validation 
@@ -144,6 +144,8 @@ Part of the sigstore project, Rekor is a timestamping server and transparency lo | server.attestation_storage.persistence.size | string | `"5Gi"` | | | server.attestation_storage.persistence.storageClass | string | `""` | | | server.attestation_storage.persistence.subPath | string | `""` | | +| server.awsKmsCredentialsSecretName | string | `"aws-kms-credentials"` | ubernetes secret name containing IAM credentials for use with AWS KMS | +| server.awsKmsRegion | string | `"us-east-1"` | AWS region if using AWS KMS for signing key | | server.config.key | string | `"treeID"` | | | server.config.treeID | string | `""` | | | server.enabled | bool | `true` | | @@ -170,6 +172,7 @@ Part of the sigstore project, Rekor is a timestamping server and transparency lo | server.ingresses[0].name | string | `"gce-ingress"` | | | server.ingresses[0].staticGlobalIP | string | `"lb-ext-ip"` | | | server.ingresses[0].tls | list | `[]` | | +| server.kmsType | string | `"none"` | KMS type for signing key (possible values: "" / "none", "aws") | | server.livenessProbe.failureThreshold | int | `3` | | | server.livenessProbe.httpGet.path | string | `"/ping"` | | | server.livenessProbe.httpGet.port | int | `3000` | | diff --git a/charts/rekor/templates/server/deployment.yaml b/charts/rekor/templates/server/deployment.yaml index 570e45b7..19a214a0 100644 --- a/charts/rekor/templates/server/deployment.yaml +++ b/charts/rekor/templates/server/deployment.yaml 
@@ -104,6 +104,20 @@ spec: {{- if eq (.Values.server.searchIndex).storageProvider "mysql" }} {{- include "searchIndex.mysql.envCredentials" . | indent 12 }} {{- end }} + {{- if eq .Values.server.kmsType "aws" }} + - name: AWS_DEFAULT_REGION + value: {{ .Values.server.awsKmsRegion }} + - name: AWS_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: {{ .Values.server.awsKmsCredentialsSecretName }} + key: accessKeyId + - name: AWS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: {{ .Values.server.awsKmsCredentialsSecretName }} + key: secretAccessKey + {{- end }} args: {{ include "rekor.server.args" . | indent 12 }} ports: diff --git a/charts/rekor/values.schema.json b/charts/rekor/values.schema.json index 969f44f7..ff66b3d6 100644 --- a/charts/rekor/values.schema.json +++ b/charts/rekor/values.schema.json @@ -554,6 +554,12 @@ }, "type": "object" }, + "awsKmsCredentialsSecretName": { + "type": "string" + }, + "awsKmsRegion": { + "type": "string" + }, "config": { "properties": { "key": { @@ -698,6 +704,9 @@ }, "type": "array" }, + "kmsType": { + "type": "string" + }, "livenessProbe": { "properties": { "failureThreshold": { diff --git a/charts/rekor/values.yaml b/charts/rekor/values.yaml index 33496913..c6e80b72 100644 --- a/charts/rekor/values.yaml +++ b/charts/rekor/values.yaml @@ -119,6 +119,12 @@ server: pullPolicy: IfNotPresent # crane digest gcr.io/projectsigstore/rekor-server:v1.3.6 version: sha256:1237f29e2105d7f5451bbe15a3aca8677ddd1bb80620ca2fd06f74262437cf51 + # -- KMS type for signing key (possible values: "" / "none", "aws") + kmsType: none + # -- AWS region if using AWS KMS for signing key + awsKmsRegion: us-east-1 + # -- kubernetes secret name containing IAM credentials for use with AWS KMS + awsKmsCredentialsSecretName: aws-kms-credentials logging: production: false ingress: From 408e9472dba7a612659377c96098edfe8a9ce2cd Mon Sep 17 00:00:00 2001 
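Review bot: The two `secretKeyRef` entries for `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` make a long-lived IAM access key the only supported way to authenticate once `kmsType` is `aws`. If the Secret is missing the container cannot be created, so a cluster that supplies credentials through a service-account role must still store a static key. Adding `optional: true` to both `secretKeyRef` blocks would let the AWS SDK fall back to its default credential chain; that the server resolves credentials through that chain is an assumption to confirm. Separately, the region is rendered unquoted, and `value: {{ .Values.server.awsKmsRegion | quote }}` keeps an empty or unusual value from parsing as something other than a string. Both points also apply to the env block added in charts/fulcio/templates/fulcio-deployment.yaml in patch 60, and the container spec starts and ends outside this hunk.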
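Review bot: `kmsType` is declared as a bare string in the second values.schema.json hunk, so a value such as `AWS` or `kms` passes schema validation. The deployment template's `eq .Values.server.kmsType "aws"` would then skip the credential env vars without any error. Constraining the property with `"enum": ["", "none", "aws"]` would match the values listed in the values.yaml comment. If this schema file is generated from values.yaml, the constraint belongs in the generator input instead. The fulcio schema hunk in patch 60 has the same gap.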
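Review bot: The comment on `awsKmsCredentialsSecretName` in the values.yaml hunk does not say which keys the Secret must contain, although the deployment template reads `accessKeyId` and `secretAccessKey` from it. A user who creates the Secret with the usual AWS variable names as keys would get a container that fails to start. I would extend the comment to `# -- kubernetes secret name containing IAM credentials for use with AWS KMS (keys: accessKeyId, secretAccessKey)`. The fulcio values.yaml hunk in patch 60 needs the same addition.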
From: Stephen Fox Date: Thu, 29 Aug 2024 23:22:59 +0000 Subject: [PATCH 60/63] fulcio: Added support for specifying AWS settings. Prior to this commit, the chart did not provide a way to supply AWS credentials for AWS KMS. This commit adds support for AWS KMS by allowing users to supply an AWS region ID and IAM credentials. AWS KMS users must specify the "cloudPlatform" parameter with a value of "aws" and specify "certificateAuthority" as "kmsca". The chart will then look for a kubernetes secret named by the "awsCredentialsSecret" parameter. The AWS region ID can be supplied using the newly-added "awsRegion" parameter. Signed-off-by: Stephen Fox --- charts/fulcio/Chart.yaml | 2 +- charts/fulcio/README.md | 5 ++++- charts/fulcio/templates/fulcio-deployment.yaml | 18 ++++++++++++++++-- charts/fulcio/values.schema.json | 9 +++++++++ charts/fulcio/values.yaml | 6 ++++++ 5 files changed, 36 insertions(+), 4 deletions(-) diff --git a/charts/fulcio/Chart.yaml b/charts/fulcio/Chart.yaml index e03fdf96..be9f63a1 100644 --- a/charts/fulcio/Chart.yaml +++ b/charts/fulcio/Chart.yaml @@ -5,7 +5,7 @@ description: | type: application -version: 2.5.4 +version: 2.6.0 appVersion: 1.6.4 keywords: diff --git a/charts/fulcio/README.md b/charts/fulcio/README.md index 65703ada..9034d2bd 100644 --- a/charts/fulcio/README.md +++ b/charts/fulcio/README.md 
@@ -2,7 +2,7 @@ -![Version: 2.5.4](https://img.shields.io/badge/Version-2.5.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square) +![Version: 2.6.0](https://img.shields.io/badge/Version-2.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square) Fulcio is a free code signing Certificate Authority, built to make short-lived certificates available to anyone. @@ -121,6 +121,8 @@ helm uninstall [RELEASE_NAME] | server.args.grpcPort | int | `5554` | | | server.args.hsm_caroot_id | string | `nil` | | | server.args.port | int | `5555` | | +| server.awsKmsCredentialsSecretName | string | `"aws-kms-credentials"` | ubernetes secret name containing IAM credentials for use with AWS KMS | +| server.awsKmsRegion | string | `"us-east-1"` | AWS region if using AWS KMS for signing key | | server.grpcSvcPort | int | `5554` | | | server.image.pullPolicy | string | `"IfNotPresent"` | | | server.image.registry | string | `"gcr.io"` | | @@ -156,6 +158,7 @@ helm uninstall [RELEASE_NAME] | server.ingresses[0].name | string | `"gce-ingress"` | | | server.ingresses[0].staticGlobalIP | string | `"lb-ext-ip"` | | | server.ingresses[0].tls | list | `[]` | | +| server.kmsType | string | `"none"` | KMS type for signing key (possible values: "" / "none", "aws") | | server.logging.production | bool | `false` | | | server.name | string | `"server"` | | | server.nodeSelector | object | `{}` | | diff --git a/charts/fulcio/templates/fulcio-deployment.yaml b/charts/fulcio/templates/fulcio-deployment.yaml index 7682b38c..1cd83b42 100644 --- a/charts/fulcio/templates/fulcio-deployment.yaml +++ b/charts/fulcio/templates/fulcio-deployment.yaml 
@@ -71,14 +71,28 @@ spec: {{- range .Values.server.extraArgs }} - {{ . | quote }} {{- end }} - {{- if eq .Values.server.args.certificateAuthority "fileca" }} env: + {{- if eq .Values.server.args.certificateAuthority "fileca" }} - name: PASSWORD valueFrom: secretKeyRef: name: {{ .Values.server.secret }} key: password - {{- end }} + {{- end }} + {{- if and (eq .Values.server.args.certificateAuthority "kmsca") (eq .Values.server.kmsType "aws") }} + - name: AWS_DEFAULT_REGION + value: {{ .Values.server.awsKmsRegion }} + - name: AWS_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: {{ .Values.server.awsKmsCredentialsSecretName }} + key: accessKeyId + - name: AWS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: {{ .Values.server.awsKmsCredentialsSecretName }} + key: secretAccessKey + {{- end }} livenessProbe: failureThreshold: 3 httpGet: diff --git a/charts/fulcio/values.schema.json b/charts/fulcio/values.schema.json index f2957120..f0900e38 100644 --- a/charts/fulcio/values.schema.json +++ b/charts/fulcio/values.schema.json @@ -201,6 +201,12 @@ }, "type": "object" }, + "awsKmsCredentialsSecretName": { + "type": "string" + }, + "awsKmsRegion": { + "type": "string" + }, "grpcSvcPort": { "type": "integer" }, @@ -406,6 +412,9 @@ }, "type": "array" }, + "kmsType": { + "type": "string" + }, "logging": { "properties": { "production": { diff --git a/charts/fulcio/values.yaml b/charts/fulcio/values.yaml index b4f8d60a..e3e58c6c 100644 --- a/charts/fulcio/values.yaml +++ b/charts/fulcio/values.yaml @@ -13,7 +13,13 @@ server: name: server svcPort: 80 grpcSvcPort: 5554 + # -- KMS type for signing key (possible values: "" / "none", "aws") + kmsType: none secret: fulcio-server-secret + # -- kubernetes secret name containing IAM credentials for use with AWS KMS + awsKmsCredentialsSecretName: aws-kms-credentials + # -- AWS region if using AWS KMS for signing key + awsKmsRegion: us-east-1 logging: production: false image: 
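Review bot: Moving `env:` outside the `fileca` condition means the container renders a bare `env:` key with no entries (a null value) whenever the authority is not `fileca` and the `kmsca`/`aws` pair is not selected. Kubernetes generally tolerates that, but stricter manifest validators may not, so I would wrap `env:` in a single `if or` over the two conditions that follow it. In addition, the commit description names the parameters `cloudPlatform`, `awsCredentialsSecret` and `awsRegion`, while this hunk reads `kmsType`, `awsKmsCredentialsSecretName` and `awsKmsRegion`. The README rows use the latter names, so the description appears stale and would lead an operator to set values that have no effect. The container spec continues outside the hunk.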
From d8852d6eb9263e47b4d8453118e8892bdb91e713 Mon Sep 17 00:00:00 2001 From: Bob Callaway Date: Sun, 8 Sep 2024 16:32:02 -0400 Subject: [PATCH 61/63] specify grpc endpoint in sigstore-prober chart Signed-off-by: Bob Callaway --- charts/sigstore-prober/Chart.yaml | 2 +- charts/sigstore-prober/README.md | 3 ++- charts/sigstore-prober/templates/_helpers.tpl | 3 +++ charts/sigstore-prober/values.schema.json | 3 +++ charts/sigstore-prober/values.yaml | 1 + 5 files changed, 10 insertions(+), 2 deletions(-) diff --git a/charts/sigstore-prober/Chart.yaml b/charts/sigstore-prober/Chart.yaml index 97affd15..46297815 100644 --- a/charts/sigstore-prober/Chart.yaml +++ b/charts/sigstore-prober/Chart.yaml @@ -4,7 +4,7 @@ description: Sigstore API Endpoint Prober type: application -version: 0.0.27 +version: 0.0.28 appVersion: 0.7.8 diff --git a/charts/sigstore-prober/README.md b/charts/sigstore-prober/README.md index d2253447..a492ed1b 100644 --- a/charts/sigstore-prober/README.md +++ b/charts/sigstore-prober/README.md @@ -1,6 +1,6 @@ # sigstore-prober -![Version: 0.0.27](https://img.shields.io/badge/Version-0.0.27-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.8](https://img.shields.io/badge/AppVersion-0.7.8-informational?style=flat-square) +![Version: 0.0.28](https://img.shields.io/badge/Version-0.0.28-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.8](https://img.shields.io/badge/AppVersion-0.7.8-informational?style=flat-square) Sigstore API Endpoint Prober 
@@ -24,6 +24,7 @@ Sigstore API Endpoint Prober | serviceAccount.create | bool | `false` | | | serviceAccount.name | string | `"default"` | | | spec.args.frequency | int | `10` | | +| spec.args.fulcioGrpcHost | string | `"fulcio.sigstore.dev"` | | | spec.args.fulcioHost | string | `"https://fulcio.sigstore.dev"` | | | spec.args.fulcioRequests | list | `[]` | | | spec.args.rekorHost | string | `"https://rekor.sigstore.dev"` | | diff --git a/charts/sigstore-prober/templates/_helpers.tpl b/charts/sigstore-prober/templates/_helpers.tpl index 6c9b3281..240cea81 100644 --- a/charts/sigstore-prober/templates/_helpers.tpl +++ b/charts/sigstore-prober/templates/_helpers.tpl @@ -28,6 +28,9 @@ Create args for sigstore prober components {{- if .Values.spec.args.fulcioHost }} - "-fulcio-url={{ .Values.spec.args.fulcioHost }}" {{- end }} +{{- if .Values.spec.args.fulcioGrpcHost }} +- "-fulcio-grpc-url={{ .Values.spec.args.fulcioGrpcHost }}" +{{- end }} {{- if .Values.spec.args.writeProber }} - "-write-prober={{ .Values.spec.args.writeProber }}" {{- end }} diff --git a/charts/sigstore-prober/values.schema.json b/charts/sigstore-prober/values.schema.json index 04827c4d..2b49e7d9 100644 --- a/charts/sigstore-prober/values.schema.json +++ b/charts/sigstore-prober/values.schema.json @@ -49,6 +49,9 @@ "fulcioHost": { "type": "string" }, + "fulcioGrpcHost": { + "type": "string" + }, "fulcioRequests": { "type": "array" }, diff --git a/charts/sigstore-prober/values.yaml b/charts/sigstore-prober/values.yaml index 540d93a8..e70f5c87 100644 --- a/charts/sigstore-prober/values.yaml +++ b/charts/sigstore-prober/values.yaml @@ -19,6 +19,7 @@ spec: cpu: "200m" args: fulcioHost: https://fulcio.sigstore.dev + fulcioGrpcHost: fulcio.sigstore.dev rekorHost: https://rekor.sigstore.dev frequency: 10 writeProber: false From f94ee9d100e8f3cdbd43ae9e636a9d198c642b06 Mon Sep 17 00:00:00 2001 
From: sfox-equinix Date: Tue, 10 Sep 2024 14:38:06 -0400 Subject: [PATCH 62/63] fulcio: Fixed silly typo in README. ubernetes is the new kubernetes. Co-authored-by: Bob Callaway Signed-off-by: sfox-equinix --- charts/fulcio/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/fulcio/README.md b/charts/fulcio/README.md index 9034d2bd..b206d29f 100644 --- a/charts/fulcio/README.md +++ b/charts/fulcio/README.md @@ -121,7 +121,7 @@ helm uninstall [RELEASE_NAME] | server.args.grpcPort | int | `5554` | | | server.args.hsm_caroot_id | string | `nil` | | | server.args.port | int | `5555` | | -| server.awsKmsCredentialsSecretName | string | `"aws-kms-credentials"` | ubernetes secret name containing IAM credentials for use with AWS KMS | +| server.awsKmsCredentialsSecretName | string | `"aws-kms-credentials"` | kubernetes secret name containing IAM credentials for use with AWS KMS | | server.awsKmsRegion | string | `"us-east-1"` | AWS region if using AWS KMS for signing key | | server.grpcSvcPort | int | `5554` | | | server.image.pullPolicy | string | `"IfNotPresent"` | | From 54964e0b85ee6e6e8e17318d3b68115aca242373 Mon Sep 17 00:00:00 2001 From: sfox-equinix Date: Tue, 10 Sep 2024 14:38:34 -0400 Subject: [PATCH 63/63] rekor: Fixed silly typo in README. Co-authored-by: Bob Callaway Signed-off-by: sfox-equinix --- charts/rekor/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/rekor/README.md b/charts/rekor/README.md index b5c1d913..2ce39d48 100644 --- a/charts/rekor/README.md +++ b/charts/rekor/README.md 
@@ -144,7 +144,7 @@ Part of the sigstore project, Rekor is a timestamping server and transparency lo | server.attestation_storage.persistence.size | string | `"5Gi"` | | | server.attestation_storage.persistence.storageClass | string | `""` | | | server.attestation_storage.persistence.subPath | string | `""` | | -| server.awsKmsCredentialsSecretName | string | `"aws-kms-credentials"` | ubernetes secret name containing IAM credentials for use with AWS KMS | +| server.awsKmsCredentialsSecretName | string | `"aws-kms-credentials"` | kubernetes secret name containing IAM credentials for use with AWS KMS | | server.awsKmsRegion | string | `"us-east-1"` | AWS region if using AWS KMS for signing key | | server.config.key | string | `"treeID"` | | | server.config.treeID | string | `""` | |