diff --git a/charts/tuf/Chart.yaml b/charts/tuf/Chart.yaml
index a5a96cce..2f5894a5 100644
--- a/charts/tuf/Chart.yaml
+++ b/charts/tuf/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: tuf
 description: A framework for securing software update systems - the scaffolding implementation
 type: application
-version: 0.1.18
+version: 0.1.19
 appVersion: 0.7.11
 home: https://sigstore.dev/
diff --git a/charts/tuf/README.md b/charts/tuf/README.md
index 4baa237c..fefcd09f 100644
--- a/charts/tuf/README.md
+++ b/charts/tuf/README.md
@@ -1,6 +1,6 @@
 # tuf
-![Version: 0.1.18](https://img.shields.io/badge/Version-0.1.18-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.11](https://img.shields.io/badge/AppVersion-0.7.11-informational?style=flat-square)
+![Version: 0.1.19](https://img.shields.io/badge/Version-0.1.19-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.11](https://img.shields.io/badge/AppVersion-0.7.11-informational?style=flat-square)
 A framework for securing software update systems - the scaffolding implementation
@@ -45,18 +45,22 @@ A framework for securing software update systems - the scaffolding implementatio
 | roleBindingName | string | `"tuf"` | |
 | roleName | string | `"tuf"` | |
 | secrets.ctlog.create | bool | `false` | |
+| secrets.ctlog.enabled | bool | `true` | |
 | secrets.ctlog.key | string | `"public"` | |
 | secrets.ctlog.name | string | `"ctlog-public-key"` | |
 | secrets.ctlog.path | string | `"ctfe.pub"` | |
 | secrets.fulcio.create | bool | `false` | |
+| secrets.fulcio.enabled | bool | `true` | |
 | secrets.fulcio.key | string | `"cert"` | |
 | secrets.fulcio.name | string | `"fulcio-server-secret"` | |
 | secrets.fulcio.path | string | `"fulcio_v1.crt.pem"` | |
 | secrets.rekor.create | bool | `false` | |
+| secrets.rekor.enabled | bool | `true` | |
 | secrets.rekor.key | string | `"key"` | |
 | secrets.rekor.name | string | `"rekor-public-key"` | |
 | secrets.rekor.path | string | `"rekor.pub"` | |
 | secrets.tsa.create | bool | `false` | |
+| secrets.tsa.enabled | bool | `true` | |
 | secrets.tsa.key | string | `"cert-chain"` | |
 | secrets.tsa.name | string | `"tsa-cert-chain"` | |
 | secrets.tsa.path | string | `"tsa.certchain.pem"` | |
diff --git a/charts/tuf/templates/_helpers.tpl b/charts/tuf/templates/_helpers.tpl
index 923a62ef..bccca93e 100644
--- a/charts/tuf/templates/_helpers.tpl
+++ b/charts/tuf/templates/_helpers.tpl
@@ -84,4 +84,52 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- define "tuf.metaLabels" -}}
 helm.sh/chart: {{ include "tuf.chart" . }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end -}}
\ No newline at end of file
+{{- end -}}
+
+{{/*
+Check number of TUF secrets and render them as structured YAML.
+*/}}
+{{- define "tuf.validateSecrets" }}
+{{- if not (or .Values.secrets.rekor.enabled .Values.secrets.rekor.create
+ .Values.secrets.fulcio.enabled .Values.secrets.fulcio.create
+ .Values.secrets.ctlog.enabled .Values.secrets.ctlog.create
+ .Values.secrets.tsa.enabled .Values.secrets.tsa.create) -}}
+ {{- fail "At least one secret must be provided (enabled or created)." -}}
+{{- else }}
+ {{- include "tuf.secretsList" . | nindent 8 }}
+{{- end }}
+{{- end }}
+
+{{/*
+Render TUF Secrets as structured YAML for the volume sources.
+*/}}
+{{- define "tuf.secretsList" -}}
+ {{- if or (.Values.secrets.ctlog.enabled) (.Values.secrets.ctlog.create) }}
+ - secret:
+ name: {{ .Values.secrets.ctlog.name }}
+ items:
+ - key: {{ .Values.secrets.ctlog.key }}
+ path: {{ .Values.secrets.ctlog.path }}
+ {{- end }}
+ {{- if or (.Values.secrets.fulcio.enabled) (.Values.secrets.fulcio.create) }}
+ - secret:
+ name: {{ .Values.secrets.fulcio.name }}
+ items:
+ - key: {{ .Values.secrets.fulcio.key }}
+ path: {{ .Values.secrets.fulcio.path }}
+ {{- end }}
+ {{- if or (.Values.secrets.rekor.enabled) (.Values.secrets.rekor.create) }}
+ - secret:
+ name: {{ .Values.secrets.rekor.name }}
+ items:
+ - key: {{ .Values.secrets.rekor.key }}
+ path: {{ .Values.secrets.rekor.path }}
+ {{- end }}
+ {{- if or (.Values.secrets.tsa.enabled) (.Values.secrets.tsa.create) }}
+ - secret:
+ name: {{ .Values.secrets.tsa.name }}
+ items:
+ - key: {{ .Values.secrets.tsa.key }}
+ path: {{ .Values.secrets.tsa.path }}
+ {{- end }}
+{{- end }}
diff --git a/charts/tuf/templates/deployment.yaml b/charts/tuf/templates/deployment.yaml
index 5898e61d..aa7fc176 100644
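Review bot: The Secret name, key and path are interpolated unquoted in `tuf.secretsList` (`name: {{ .Values.secrets.ctlog.name }}` and the same three lines for fulcio, rekor and tsa), so any value YAML does not read as a string — an all-digit Secret name, a `path` such as `1.0`, or an empty value, which renders as `name:` and is parsed as null — reaches the pod spec mistyped or as an opaque API-server error instead of a clear chart failure. Pipe each scalar through `quote`, e.g. `name: {{ .Values.secrets.ctlog.name | quote }}`, `- key: {{ .Values.secrets.ctlog.key | quote }}`, `path: {{ .Values.secrets.ctlog.path | quote }}`, and likewise for the other three stanzas. The header comment on `tuf.validateSecrets` also undersells what it does: the only check is "not zero secrets selected", so `Fail the render unless at least one secret is enabled or created, then emit the projected-volume sources for the selected ones.` states the contract more precisely.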
--- a/charts/tuf/templates/deployment.yaml
+++ b/charts/tuf/templates/deployment.yaml
@@ -47,27 +47,8 @@ spec:
 volumes:
 - name: tuf-secrets
 projected:
- sources:
- - secret:
- name: {{ .Values.secrets.ctlog.name }}
- items:
- - key: {{ .Values.secrets.ctlog.key }}
- path: {{ .Values.secrets.ctlog.path }}
- - secret:
- name: {{ .Values.secrets.fulcio.name }}
- items:
- - key: {{ .Values.secrets.fulcio.key }}
- path: {{ .Values.secrets.fulcio.path }}
- - secret:
- name: {{ .Values.secrets.rekor.name }}
- items:
- - key: {{ .Values.secrets.rekor.key }}
- path: {{ .Values.secrets.rekor.path }}
- - secret:
- name: {{ .Values.secrets.tsa.name }}
- items:
- - key: {{ .Values.secrets.tsa.key }}
- path: {{ .Values.secrets.tsa.path }}
+ sources:
+ {{- include "tuf.validateSecrets" . }}
 {{- if .Values.imagePullSecrets }}
 imagePullSecrets:
 {{ toYaml .Values.imagePullSecrets | indent 8 }}
diff --git a/charts/tuf/values.schema.json b/charts/tuf/values.schema.json
index 5128f098..02fba6de 100644
--- a/charts/tuf/values.schema.json
+++ b/charts/tuf/values.schema.json
@@ -109,7 +109,22 @@
 "ctlog": {
 "properties": {
 "create": {
- "type": "boolean"
+ "type": "boolean",
+ "examples": [
+ false
+ ]
+ },
+ "enabled": {
+ "type": "boolean",
+ "examples": [
+ false
+ ]
+ },
+ "name": {
+ "type": "string",
+ "examples": [
+ "rekor-public-key"
+ ]
 },
 "key": {
 "type": "string"
@@ -126,7 +141,22 @@
 "fulcio": {
 "properties": {
 "create": {
- "type": "boolean"
+ "type": "boolean",
+ "examples": [
+ false
+ ]
+ },
+ "enabled": {
+ "type": "boolean",
+ "examples": [
+ false
+ ]
+ },
+ "name": {
+ "type": "string",
+ "examples": [
+ "fulcio-server-secret"
+ ]
 },
 "key": {
 "type": "string"
@@ -143,7 +173,22 @@
 "rekor": {
 "properties": {
 "create": {
- "type": "boolean"
+ "type": "boolean",
+ "examples": [
+ false
+ ]
+ },
+ "enabled": {
+ "type": "boolean",
+ "examples": [
+ false
+ ]
+ },
+ "name": {
+ "type": "string",
+ "examples": [
+ "ctlog-public-key"
+ ]
 },
 "key": {
 "type": "string"
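Review bot: The new `{{- include "tuf.validateSecrets" . }}` under `sources:` applies no indentation at the call site, which is why the helper has to bake in `nindent 8`; that couples the helper to this one position in the pod spec, so moving the `volumes:` block or reusing the helper elsewhere would mis-nest the list silently rather than fail. Conventional Helm style keeps helpers indentation-free and indents where they are used: drop `| nindent 8` from the helper and write `{{- include "tuf.validateSecrets" . | nindent 8 }}` here, with the column matching where the removed `- secret:` entries sat (the collapsed diff does not let me confirm that column). Rendering once with `helm template` and diffing against the removed lines is a cheap check that the projected sources still land under `sources:`.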
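Review bot: The `examples` entry added under ctlog's `name` is `"rekor-public-key"`, and the rekor hunk further down carries `"ctlog-public-key"` — the two appear swapped relative to the `values.yaml` defaults in this same change (`ctlog.name: ctlog-public-key`, `rekor.name: rekor-public-key`). Change this one to `"ctlog-public-key"` and the rekor one to `"rekor-public-key"`. Nothing breaks since `examples` is non-normative, but schema-driven docs and editor completions would steer operators toward the wrong Secret for each trust-root key.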
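Review bot: The `name` property added here may duplicate an entry later in the same `properties` object: `secrets.fulcio.name` existed before this change (its README row is unchanged), so the schema very likely already declared it past the `"key"` context line where this hunk ends. If so the object now has two `"name"` keys, and JSON parsers typically keep the last one without error, so either the new `examples` are dropped or the original constraints are lost silently. Worth checking the remainder of this object outside the hunk and merging into the existing entry instead of adding a second one; the ctlog, rekor and tsa hunks have the same shape.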
@@ -160,7 +205,22 @@
 "tsa": {
 "properties": {
 "create": {
- "type": "boolean"
+ "type": "boolean",
+ "examples": [
+ false
+ ]
+ },
+ "enabled": {
+ "type": "boolean",
+ "examples": [
+ false
+ ]
+ },
+ "name": {
+ "type": "string",
+ "examples": [
+ "tsa-cert-chain"
+ ]
 },
 "key": {
 "type": "string"
diff --git a/charts/tuf/values.yaml b/charts/tuf/values.yaml
index 34bbbfec..5e190908 100644
--- a/charts/tuf/values.yaml
+++ b/charts/tuf/values.yaml
@@ -22,21 +22,25 @@ deployment:
 secrets:
 rekor:
 create: false
+ enabled: true
 name: rekor-public-key
 key: key
 path: rekor.pub
 fulcio:
 create: false
+ enabled: true
 name: fulcio-server-secret
 key: cert
 path: fulcio_v1.crt.pem
 ctlog:
 create: false
+ enabled: true
 name: ctlog-public-key
 key: public
 path: ctfe.pub
 tsa:
 create: false
+ enabled: true
 name: tsa-cert-chain
 key: cert-chain
 path: tsa.certchain.pem
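Review bot: `create` and `enabled` now sit side by side on every secret with nothing saying how they differ, and the new helper treats either flag as "mount this Secret into the TUF repository", so `enabled: false` combined with `create: true` still ships the key. Because these files are the trust material the TUF deployment serves to clients, flipping the wrong flag silently changes the served trust root, which deserves a comment above the `secrets:` block along the lines of `# enabled: mount an existing Secret into the TUF targets; create: also render that Secret from this chart. A secret is included if either flag is true; disabling both drops its key/cert from the served trust root.` The template that consumes `create` is outside this diff, so word the second clause to match what it actually does.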