-
Notifications
You must be signed in to change notification settings - Fork 92
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Tsa secret optional for tuf #744
Tsa secret optional for tuf #744
Conversation
Signed-off-by: Carlos Vega <[email protected]>
Signed-off-by: Carlos Vega <[email protected]>
charts/tuf/README.md
Outdated
@@ -54,6 +54,7 @@ A framework for securing software update systems - the scaffolding implementatio | |||
| secrets.rekor.name | string | `"rekor-public-key"` | | | |||
| secrets.rekor.path | string | `"rekor.pub"` | | | |||
| secrets.tsa.create | bool | `false` | | | |||
| secrets.tsa.existingSecret | bool | `false` | | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why not make this enabled
and set as true
. If secrets.tsa.create
is true
, a new secret will be created. Otherwise, secrets.tsa.name
is the name of the existing secret
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I implemented the changes. I thought it would be better to set it as enabled
as false
by default since the Charts are independent, but I could change it if you consider the other way.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like this approach a lot! It would be great if we can implement the same pattern across all of the secrets. Though that probably requires a separate PR to avoid encompassing too much into this issue. Unless you would want to rename the PR for that scope
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As the TSA case, I set the default value to false
to be independent.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@sabre1041 Any news on this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@cvegagimenez syntactically this does work. However, in practice, for tuf to run properly, it will need at least one source of content (a secret) in order to start properly. Should we enforce that at least one secret is provided?
Also, would you be able to resolve the conflict in the README.md
file?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done. I also added the same checks for the other TUF objects.
Signed-off-by: Carlos Vega <[email protected]>
Signed-off-by: Carlos Vega <[email protected]>
Signed-off-by: Carlos Vega <[email protected]>
Signed-off-by: Carlos Vega <[email protected]>
Signed-off-by: Carlos Vega <[email protected]>
Signed-off-by: Carlos Vega <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@cvegagimenez instead of omitting content when no secrets have been provided, an error should be thrown to ensure that the user provides at least one secret
Signed-off-by: Carlos Vega <[email protected]>
69e91b6
to
46a4a82
Compare
@cvegagimenez This looks good., However, while thinking it through in practice The goal of this PR is to provide a way to opt out of providing secrets a, but in practice, this has now introduced the functionality where you have to opt in to achieve the current functionality. A simple swap of the default values as we should be good to integrate this change. |
Signed-off-by: Carlos Vega <[email protected]>
Signed-off-by: Carlos Vega <[email protected]>
6ce1d8b
to
91c9839
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks
need to check the helm docs job i think need to update the readme as well and some small nits
Signed-off-by: Carlos Vega <[email protected]>
23368d7
to
c716603
Compare
Signed-off-by: Carlos Vega <[email protected]>
029239c
to
e8c7d53
Compare
Signed-off-by: Carlos Vega <[email protected]>
@cpanato does this look good to you? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks
and sorry for the delay
but need to update the docs, can you please take a look? |
Signed-off-by: Carlos Vega <[email protected]>
@cpanato , the tests are failing but I am not able to find the issue. Could you help here?
|
charts/tuf/templates/deployment.yaml
Outdated
{{- if .Values.imagePullSecrets }} | ||
imagePullSecrets: | ||
{{ toYaml .Values.imagePullSecrets | indent 8 }} | ||
{{- end }} | ||
{{- if .Values.deployment.nodeSelector }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why are we removing the nodeSelector
, tolerations
and affinity
features for tuf deployment?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Completely right. Already fixed. Thanks!
Looking at previous test runs, we always had this error but it was somehow still passing the chart installation (incorrect behaviour). The error happens because by default all the secrets are enabled and scaffolding tuf server expects a valid certificate for tsa certificate chain. The test failing now is the correct behavior, presumable a result of latest scaffolding tuf server image. To fix the actual problem, we could set Edit: Or update scaffolding code to ignore empty |
Signed-off-by: Carlos Vega <[email protected]>
c46255f
to
88f2633
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks
Description of the change
Make the TSA secret reference optional for TUF chart.
Existing or Associated Issue(s)
#735
Additional Information
Checklist
Chart.yaml
according to semver. Where applicable, update and bump the versions in any associated umbrella chartvalues.yaml
and added to the README.md. The helm-docs utility can be used to generate the necessary content. Usehelm-docs --dry-run
to preview the content.ct lint
command.