From e413edec1ffb7f2af619d4432e9dab4f65b4db57 Mon Sep 17 00:00:00 2001 From: Carlos Vega Date: Mon, 22 Apr 2024 12:02:13 +0200 Subject: [PATCH 01/13] Make optional the secret TSA secret reference for TUF chart Signed-off-by: Carlos Vega --- charts/tuf/templates/deployment.yaml | 2 ++ charts/tuf/values.schema.json | 6 ++++++ charts/tuf/values.yaml | 1 + 3 files changed, 9 insertions(+) diff --git a/charts/tuf/templates/deployment.yaml b/charts/tuf/templates/deployment.yaml index 30a33a59..64913e6a 100644 --- a/charts/tuf/templates/deployment.yaml +++ b/charts/tuf/templates/deployment.yaml @@ -63,11 +63,13 @@ spec: items: - key: {{ .Values.secrets.rekor.key }} path: {{ .Values.secrets.rekor.path }} + {{- if or (.Values.secrets.tsa.existingSecret) (.Values.secrets.tsa.create) }} - secret: name: {{ .Values.secrets.tsa.name }} items: - key: {{ .Values.secrets.tsa.key }} path: {{ .Values.secrets.tsa.path }} + {{- end }} {{- if .Values.imagePullSecrets }} imagePullSecrets: {{ toYaml .Values.imagePullSecrets | indent 8 }} diff --git a/charts/tuf/values.schema.json b/charts/tuf/values.schema.json index ee440ff9..1a4f89fc 100644 --- a/charts/tuf/values.schema.json +++ b/charts/tuf/values.schema.json @@ -218,6 +218,12 @@ false ] }, + "existingSecret": { + "type": "boolean", + "examples": [ + false + ] + }, "name": { "type": "string", "examples": [ diff --git a/charts/tuf/values.yaml b/charts/tuf/values.yaml index adbf8dd3..04b118a1 100644 --- a/charts/tuf/values.yaml +++ b/charts/tuf/values.yaml @@ -34,6 +34,7 @@ secrets: path: ctfe.pub tsa: create: false + existingSecret: true name: tsa-cert-chain key: cert-chain path: tsa.certchain.pem From d156f589951a8044bc7a9066c30961601b7af034 Mon Sep 17 00:00:00 2001 From: Carlos Vega Date: Mon, 22 Apr 2024 12:36:30 +0200 Subject: [PATCH 02/13] Bump TUF chart version to 0.1.13 
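Review bot: The new `secrets.tsa.existingSecret` flag that gates the projected TSA source in deployment.yaml is introduced in three files but described in none of them — the values.schema.json entry has only `type` and `examples`, and values.yaml gains the key with no helm-docs comment, so the README description column stays empty; the same applies to the `enabled` entries PATCH 05 adds for ctlog, fulcio and rekor. Within this commit the values.yaml default is `true` while the schema example is `false`, which reads as a disagreement about the intended default. Because the projected `secret` source carries no `optional: true`, a true flag that points at a Secret absent from the namespace keeps the Pod from starting, and that is worth stating where the flag is defined. Suggest a comment above the key in values.yaml such as `# -- Project the Secret named by secrets.tsa.name into the tuf-secrets volume; the Secret must already exist in the namespace. Also projected when create is true.` and a matching `"description"` in the schema entry.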
Signed-off-by: Carlos Vega --- charts/tuf/Chart.yaml | 2 +- charts/tuf/README.md | 3 ++- charts/tuf/values.yaml | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/charts/tuf/Chart.yaml b/charts/tuf/Chart.yaml index 0a23f2ee..10ea3d13 100644 --- a/charts/tuf/Chart.yaml +++ b/charts/tuf/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: tuf description: A framework for securing software update systems - the scaffolding implementation type: application -version: 0.1.12 +version: 0.1.13 appVersion: "0.6.17" home: https://sigstore.dev/ diff --git a/charts/tuf/README.md b/charts/tuf/README.md index 01a14281..585da0f9 100644 --- a/charts/tuf/README.md +++ b/charts/tuf/README.md @@ -1,6 +1,6 @@ # tuf -![Version: 0.1.12](https://img.shields.io/badge/Version-0.1.12-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.6.17](https://img.shields.io/badge/AppVersion-0.6.17-informational?style=flat-square) +![Version: 0.1.13](https://img.shields.io/badge/Version-0.1.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.6.17](https://img.shields.io/badge/AppVersion-0.6.17-informational?style=flat-square) A framework for securing software update systems - the scaffolding implementation @@ -54,6 +54,7 @@ A framework for securing software update systems - the scaffolding implementatio | secrets.rekor.name | string | `"rekor-public-key"` | | | secrets.rekor.path | string | `"rekor.pub"` | | | secrets.tsa.create | bool | `false` | | +| secrets.tsa.existingSecret | bool | `false` | | | secrets.tsa.key | string | `"cert-chain"` | | | secrets.tsa.name | string | `"tsa-cert-chain"` | | | secrets.tsa.path | string | `"tsa.certchain.pem"` | | diff --git a/charts/tuf/values.yaml b/charts/tuf/values.yaml index 04b118a1..2347326e 100644 --- a/charts/tuf/values.yaml 
+++ b/charts/tuf/values.yaml @@ -34,7 +34,7 @@ secrets: path: ctfe.pub tsa: create: false - existingSecret: true + existingSecret: false name: tsa-cert-chain key: cert-chain path: tsa.certchain.pem From 106dbeab9fe389f4cf6210ab07a99adb4f365210 Mon Sep 17 00:00:00 2001 From: Carlos Vega Date: Thu, 9 May 2024 15:49:55 +0200 Subject: [PATCH 03/13] Renamed Values.secrets.tsa.existingSecret to Values.secrets.tsa.enabled Signed-off-by: Carlos Vega --- charts/tuf/templates/deployment.yaml | 2 +- charts/tuf/values.schema.json | 2 +- charts/tuf/values.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/tuf/templates/deployment.yaml b/charts/tuf/templates/deployment.yaml index 64913e6a..4f3aa6b4 100644 --- a/charts/tuf/templates/deployment.yaml +++ b/charts/tuf/templates/deployment.yaml @@ -63,7 +63,7 @@ spec: items: - key: {{ .Values.secrets.rekor.key }} path: {{ .Values.secrets.rekor.path }} - {{- if or (.Values.secrets.tsa.existingSecret) (.Values.secrets.tsa.create) }} + {{- if or (.Values.secrets.tsa.enabled) (.Values.secrets.tsa.create) }} - secret: name: {{ .Values.secrets.tsa.name }} items: diff --git a/charts/tuf/values.schema.json b/charts/tuf/values.schema.json index 1a4f89fc..f60cdc4b 100644 --- a/charts/tuf/values.schema.json +++ b/charts/tuf/values.schema.json @@ -218,7 +218,7 @@ false ] }, - "existingSecret": { + "enabled": { "type": "boolean", "examples": [ false diff --git a/charts/tuf/values.yaml b/charts/tuf/values.yaml index 2347326e..20faabb7 100644 --- a/charts/tuf/values.yaml +++ b/charts/tuf/values.yaml @@ -34,7 +34,7 @@ secrets: path: ctfe.pub tsa: create: false - existingSecret: false + enabled: false name: tsa-cert-chain key: cert-chain path: tsa.certchain.pem From f2346b763cfac3b30b67b9336ddc15edb00792fe Mon Sep 17 00:00:00 2001 From: Carlos Vega Date: Thu, 9 May 2024 15:51:10 +0200 Subject: [PATCH 04/13] Regenerated docs 
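Review bot: Flipping `secrets.tsa.existingSecret` to `false` in values.yaml changes what a default install mounts: before this series the TSA `- secret:` block was unconditional, and with `create: false` as well the Deployment now omits it unless the user opts in, so existing installs that upgrade with default values lose the TSA entry from the tuf-secrets volume. That is a behaviour change shipped under a patch-level bump (0.1.12 to 0.1.13) with no README or Chart.yaml note, and the secrets table regenerated in the same commit still has an empty description for the new key. If dropping TSA by default is intended, a one-line note under the README table would make it explicit; otherwise keep the previous default of `true`.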
Signed-off-by: Carlos Vega --- charts/tuf/README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/charts/tuf/README.md b/charts/tuf/README.md index 585da0f9..ec6e5639 100644 --- a/charts/tuf/README.md +++ b/charts/tuf/README.md @@ -54,7 +54,7 @@ A framework for securing software update systems - the scaffolding implementatio | secrets.rekor.name | string | `"rekor-public-key"` | | | secrets.rekor.path | string | `"rekor.pub"` | | | secrets.tsa.create | bool | `false` | | -| secrets.tsa.existingSecret | bool | `false` | | +| secrets.tsa.enabled | bool | `false` | | | secrets.tsa.key | string | `"cert-chain"` | | | secrets.tsa.name | string | `"tsa-cert-chain"` | | | secrets.tsa.path | string | `"tsa.certchain.pem"` | | @@ -62,3 +62,5 @@ A framework for securing software update systems - the scaffolding implementatio | service.port | int | `80` | | | serviceAccountName | string | `"tuf"` | | +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) From e54a0b30f7566940affdfcc8a4c765ead2ad7e18 Mon Sep 17 00:00:00 2001 From: Carlos Vega Date: Fri, 10 May 2024 09:18:28 +0200 Subject: [PATCH 05/13] Added enabled value for secrets defined in tuf Signed-off-by: Carlos Vega --- charts/tuf/README.md | 3 +++ charts/tuf/templates/deployment.yaml | 8 +++++++- charts/tuf/values.schema.json | 18 ++++++++++++++++++ charts/tuf/values.yaml | 3 +++ 4 files changed, 31 insertions(+), 1 deletion(-) diff --git a/charts/tuf/README.md b/charts/tuf/README.md index ec6e5639..471f3140 100644 --- a/charts/tuf/README.md +++ b/charts/tuf/README.md 
@@ -42,14 +42,17 @@ A framework for securing software update systems - the scaffolding implementatio | roleBindingName | string | `"tuf"` | | | roleName | string | `"tuf"` | | | secrets.ctlog.create | bool | `false` | | +| secrets.ctlog.enabled | bool | `false` | | | secrets.ctlog.key | string | `"public"` | | | secrets.ctlog.name | string | `"ctlog-public-key"` | | | secrets.ctlog.path | string | `"ctfe.pub"` | | | secrets.fulcio.create | bool | `false` | | +| secrets.fulcio.enabled | bool | `false` | | | secrets.fulcio.key | string | `"cert"` | | | secrets.fulcio.name | string | `"fulcio-server-secret"` | | | secrets.fulcio.path | string | `"fulcio_v1.crt.pem"` | | | secrets.rekor.create | bool | `false` | | +| secrets.rekor.enabled | bool | `false` | | | secrets.rekor.key | string | `"key"` | | | secrets.rekor.name | string | `"rekor-public-key"` | | | secrets.rekor.path | string | `"rekor.pub"` | | diff --git a/charts/tuf/templates/deployment.yaml b/charts/tuf/templates/deployment.yaml index 4f3aa6b4..b991e157 100644 --- a/charts/tuf/templates/deployment.yaml +++ b/charts/tuf/templates/deployment.yaml 
@@ -47,22 +47,28 @@ spec: volumes: - name: tuf-secrets projected: - sources: + sources: + {{- if or (.Values.secrets.ctlog.enabled) (.Values.secrets.ctlog.create) }} - secret: name: {{ .Values.secrets.ctlog.name }} items: - key: {{ .Values.secrets.ctlog.key }} path: {{ .Values.secrets.ctlog.path }} + {{- end }} + {{- if or (.Values.secrets.fulcio.enabled) (.Values.secrets.fulcio.create) }} - secret: name: {{ .Values.secrets.fulcio.name }} items: - key: {{ .Values.secrets.fulcio.key }} path: {{ .Values.secrets.fulcio.path }} + {{- end }} + {{- if or (.Values.secrets.rekor.enabled) (.Values.secrets.rekor.create) }} - secret: name: {{ .Values.secrets.rekor.name }} items: - key: {{ .Values.secrets.rekor.key }} path: {{ .Values.secrets.rekor.path }} + {{- end }} {{- if or (.Values.secrets.tsa.enabled) (.Values.secrets.tsa.create) }} - secret: name: {{ .Values.secrets.tsa.name }} diff --git a/charts/tuf/values.schema.json b/charts/tuf/values.schema.json index f60cdc4b..2375a36f 100644 --- a/charts/tuf/values.schema.json +++ b/charts/tuf/values.schema.json @@ -113,6 +113,12 @@ false ] }, + "enabled": { + "type": "boolean", + "examples": [ + false + ] + }, "name": { "type": "string", "examples": [ @@ -148,6 +154,12 @@ false ] }, + "enabled": { + "type": "boolean", + "examples": [ + false + ] + }, "name": { "type": "string", "examples": [ @@ -183,6 +195,12 @@ false ] }, + "enabled": { + "type": "boolean", + "examples": [ + false + ] + }, "name": { "type": "string", "examples": [ diff --git a/charts/tuf/values.yaml b/charts/tuf/values.yaml index 20faabb7..bc300a9f 100644 --- a/charts/tuf/values.yaml +++ b/charts/tuf/values.yaml @@ -19,16 +19,19 @@ deployment: secrets: rekor: create: false + enabled: false name: rekor-public-key key: key path: rekor.pub fulcio: create: false + enabled: false name: fulcio-server-secret key: cert path: fulcio_v1.crt.pem ctlog: create: false + enabled: false name: ctlog-public-key key: public path: ctfe.pub 
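Review bot: With every per-secret `or ... enabled ... create` condition false, the `sources:` context line in deployment.yaml is emitted with nothing beneath it, and as far as I can tell the API server accepts an empty projection, so the Pod would start with an empty tuf-secrets volume instead of the render refusing — a fail-open default for a template whose purpose is to feed key material into TUF. Since this is the commit that makes all four sources conditional, it is the right place to guard the all-disabled case, for example by inserting `{{- if not (or .Values.secrets.ctlog.enabled .Values.secrets.ctlog.create .Values.secrets.fulcio.enabled .Values.secrets.fulcio.create .Values.secrets.rekor.enabled .Values.secrets.rekor.create .Values.secrets.tsa.enabled .Values.secrets.tsa.create) }}{{ fail "at least one secrets.*.enabled or secrets.*.create must be true" }}{{- end }}` immediately before `sources:`. The identical `if or (...enabled) (...create)` block is repeated four times; if the four entries are ever iterated with `range`, the guard above collapses to one expression as well.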
From 0bd3586fccb3e65cc73dcc6e82ac9396e5b53982 Mon Sep 17 00:00:00 2001 From: Carlos Vega Date: Thu, 26 Sep 2024 09:44:44 +0200 Subject: [PATCH 06/13] Avoid creating Tuf objects if there is no secrets Signed-off-by: Carlos Vega --- charts/tuf/templates/_helpers.tpl | 20 ++++++++++++++++++++ charts/tuf/templates/deployment.yaml | 14 ++------------ charts/tuf/templates/ingress.yaml | 2 ++ charts/tuf/templates/namespace.yaml | 2 ++ charts/tuf/templates/role.yaml | 4 +++- charts/tuf/templates/rolebinding.yaml | 4 +++- charts/tuf/templates/service.yaml | 4 +++- charts/tuf/templates/serviceaccount.yaml | 4 +++- 8 files changed, 38 insertions(+), 16 deletions(-) diff --git a/charts/tuf/templates/_helpers.tpl b/charts/tuf/templates/_helpers.tpl index 923a62ef..b07b0f0b 100644 --- a/charts/tuf/templates/_helpers.tpl +++ b/charts/tuf/templates/_helpers.tpl @@ -84,4 +84,24 @@ app.kubernetes.io/instance: {{ .Release.Name }} {{- define "tuf.metaLabels" -}} helm.sh/chart: {{ include "tuf.chart" . }} app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Check number of TUF secrets +*/}} +{{- define "tuf.enabledSecretsCount" -}} +{{- $count := 0 -}} +{{- if (eq .Values.secrets.rekor.enabled true) -}} + {{- $count = add $count 1 -}} +{{- end -}} +{{- if (eq .Values.secrets.fulcio.enabled true) -}} + {{- $count = add $count 1 -}} +{{- end -}} +{{- if (eq .Values.secrets.ctlog.enabled true) -}} + {{- $count = add $count 1 -}} +{{- end -}} +{{- if (eq .Values.secrets.tsa.enabled true) -}} + {{- $count = add $count 1 -}} +{{- end -}} +{{- $count -}} {{- end -}} \ No newline at end of file diff --git a/charts/tuf/templates/deployment.yaml b/charts/tuf/templates/deployment.yaml index 33a56d74..68ab27c7 100644 --- a/charts/tuf/templates/deployment.yaml +++ b/charts/tuf/templates/deployment.yaml @@ -1,3 +1,4 @@ +{{- if ne (include "tuf.enabledSecretsCount" .) "0" }} apiVersion: apps/v1 kind: Deployment metadata: 
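Review bot: `tuf.enabledSecretsCount` counts only `.enabled`, while the per-source conditions in deployment.yaml (and the new top-level guard this commit adds) treat `or .enabled .create` as the mounting condition, so a values file with `create: true` and `enabled: false` for every secret renders none of the Deployment, Role, RoleBinding, Service, ServiceAccount, Ingress or Namespace even though all four projected sources would have been populated. The two conditions should agree; the smallest fix is to count `(or .Values.secrets.rekor.enabled .Values.secrets.rekor.create)` per entry, or to drop the counter and use that `or` directly in the templates. `(eq .Values.secrets.rekor.enabled true)` is also unidiomatic for a boolean — `if .Values.secrets.rekor.enabled` is enough. The helper comment `Check number of TUF secrets` could say what the number is for, e.g. `Return the number of secrets with .enabled set; callers skip rendering when it is 0.`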
@@ -80,15 +81,4 @@ spec: imagePullSecrets: {{ toYaml .Values.imagePullSecrets | indent 8 }} {{- end }} - {{- if .Values.deployment.nodeSelector }} - nodeSelector: -{{ toYaml .Values.deployment.nodeSelector | indent 8 }} - {{- end }} - {{- if .Values.deployment.tolerations }} - tolerations: -{{ toYaml .Values.deployment.tolerations | indent 8 }} - {{- end }} - {{- if .Values.deployment.affinity }} - affinity: -{{ toYaml .Values.deployment.affinity | indent 8 }} - {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/tuf/templates/ingress.yaml b/charts/tuf/templates/ingress.yaml index 9d2b034a..23e98b9c 100644 --- a/charts/tuf/templates/ingress.yaml +++ b/charts/tuf/templates/ingress.yaml @@ -1,4 +1,5 @@ {{- if .Values.ingress.create }} +{{- if ne (include "tuf.enabledSecretsCount" .) "0" }} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: @@ -34,3 +35,4 @@ spec: {{- end }} {{- end -}} {{- end -}} +{{- end -}} \ No newline at end of file diff --git a/charts/tuf/templates/namespace.yaml b/charts/tuf/templates/namespace.yaml index 37aa5e44..bc218a08 100644 --- a/charts/tuf/templates/namespace.yaml +++ b/charts/tuf/templates/namespace.yaml @@ -1,6 +1,8 @@ {{- if .Values.namespace.create }} +{{- if ne (include "tuf.enabledSecretsCount" .) "0" }} apiVersion: v1 kind: Namespace metadata: name: {{ .Values.namespace.name }} +{{- end }} {{- end }} \ No newline at end of file diff --git a/charts/tuf/templates/role.yaml b/charts/tuf/templates/role.yaml index 2209a9bf..6cd93905 100644 --- a/charts/tuf/templates/role.yaml +++ b/charts/tuf/templates/role.yaml @@ -1,3 +1,4 @@ +{{- if ne (include "tuf.enabledSecretsCount" .) "0" }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -6,4 +7,5 @@ metadata: rules: - apiGroups: [""] resources: ["secrets"] - verbs: ["create", "get", "update"] \ No newline at end of file + verbs: ["create", "get", "update"] +{{- end }} \ No newline at end of file 
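Review bot: The `nodeSelector`, `tolerations` and `affinity` stanzas disappear from the Pod template in this hunk although the commit only needs a closing `{{- end }}` for the new secrets guard; nothing in the message ("Avoid creating Tuf objects if there is no secrets") explains dropping scheduling controls, so this looks accidental and should be reverted in the same change rather than in a later commit. Losing them silently changes where the tuf Pod can be scheduled for anyone who set `deployment.nodeSelector`, `deployment.tolerations` or `deployment.affinity`. The `{{- end }}` can simply follow the existing `affinity` block.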
diff --git a/charts/tuf/templates/rolebinding.yaml b/charts/tuf/templates/rolebinding.yaml index b3d36931..cdbc12c8 100644 --- a/charts/tuf/templates/rolebinding.yaml +++ b/charts/tuf/templates/rolebinding.yaml @@ -1,3 +1,4 @@ +{{- if ne (include "tuf.enabledSecretsCount" .) "0" }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -9,4 +10,5 @@ roleRef: name: {{ .Values.roleName }} subjects: - kind: ServiceAccount - name: {{ .Values.serviceAccountName }} \ No newline at end of file + name: {{ .Values.serviceAccountName }} +{{- end }} \ No newline at end of file diff --git a/charts/tuf/templates/service.yaml b/charts/tuf/templates/service.yaml index b1ae7848..c72f9c8b 100644 --- a/charts/tuf/templates/service.yaml +++ b/charts/tuf/templates/service.yaml @@ -1,3 +1,4 @@ +{{- if ne (include "tuf.enabledSecretsCount" .) "0" }} apiVersion: v1 kind: Service metadata: @@ -11,4 +12,5 @@ spec: targetPort: {{ .Values.deployment.port }} selector: {{- include "tuf.matchLabels" . | nindent 4 }} - type: ClusterIP \ No newline at end of file + type: ClusterIP +{{- end }} \ No newline at end of file diff --git a/charts/tuf/templates/serviceaccount.yaml b/charts/tuf/templates/serviceaccount.yaml index d7673367..b36f4857 100644 --- a/charts/tuf/templates/serviceaccount.yaml +++ b/charts/tuf/templates/serviceaccount.yaml @@ -1,5 +1,7 @@ +{{- if ne (include "tuf.enabledSecretsCount" .) "0" }} apiVersion: v1 kind: ServiceAccount metadata: name: {{ .Values.serviceAccountName }} -{{ include "tuf.namespace" . | indent 2 }} \ No newline at end of file +{{ include "tuf.namespace" . | indent 2 }} +{{- end }} \ No newline at end of file From 46a4a82381f5076d86561cf89067d49fd3233288 Mon Sep 17 00:00:00 2001 From: Carlos Vega Date: Sun, 29 Sep 2024 20:06:48 +0200 Subject: [PATCH 07/13] Added validation to ensure at least one secret is provided to TUF 
Signed-off-by: Carlos Vega --- charts/tuf/templates/_helpers.tpl | 62 +++++++++++++++++------- charts/tuf/templates/deployment.yaml | 33 +------------ charts/tuf/templates/ingress.yaml | 2 - charts/tuf/templates/namespace.yaml | 2 - charts/tuf/templates/role.yaml | 4 +- charts/tuf/templates/rolebinding.yaml | 4 +- charts/tuf/templates/service.yaml | 4 +- charts/tuf/templates/serviceaccount.yaml | 4 +- 8 files changed, 51 insertions(+), 64 deletions(-) diff --git a/charts/tuf/templates/_helpers.tpl b/charts/tuf/templates/_helpers.tpl index b07b0f0b..482a4d26 100644 --- a/charts/tuf/templates/_helpers.tpl +++ b/charts/tuf/templates/_helpers.tpl 
@@ -87,21 +87,49 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end -}} {{/* -Check number of TUF secrets +Check number of TUF secrets and render them as structured YAML. */}} -{{- define "tuf.enabledSecretsCount" -}} -{{- $count := 0 -}} -{{- if (eq .Values.secrets.rekor.enabled true) -}} - {{- $count = add $count 1 -}} -{{- end -}} -{{- if (eq .Values.secrets.fulcio.enabled true) -}} - {{- $count = add $count 1 -}} -{{- end -}} -{{- if (eq .Values.secrets.ctlog.enabled true) -}} - {{- $count = add $count 1 -}} -{{- end -}} -{{- if (eq .Values.secrets.tsa.enabled true) -}} - {{- $count = add $count 1 -}} -{{- end -}} -{{- $count -}} -{{- end -}} \ No newline at end of file +{{- define "tuf.validateSecrets" }} +{{- if not (or .Values.secrets.rekor.enabled .Values.secrets.rekor.create + .Values.secrets.fulcio.enabled .Values.secrets.fulcio.create + .Values.secrets.ctlog.enabled .Values.secrets.ctlog.create + .Values.secrets.tsa.enabled .Values.secrets.tsa.create) -}} + {{- fail "At least one secret must be provided (enabled or created)." -}} +{{- else }} + {{- include "tuf.secretsList" . | nindent 8 }} +{{- end }} +{{- end }} + +{{/* +Render TUF Secrets as structured YAML for the volume sources. 
+*/}} +{{- define "tuf.secretsList" -}} + {{- if or (.Values.secrets.ctlog.enabled) (.Values.secrets.ctlog.create) }} + - secret: + name: {{ .Values.secrets.ctlog.name }} + items: + - key: {{ .Values.secrets.ctlog.key }} + path: {{ .Values.secrets.ctlog.path }} + {{- end }} + {{- if or (.Values.secrets.fulcio.enabled) (.Values.secrets.fulcio.create) }} + - secret: + name: {{ .Values.secrets.fulcio.name }} + items: + - key: {{ .Values.secrets.fulcio.key }} + path: {{ .Values.secrets.fulcio.path }} + {{- end }} + {{- if or (.Values.secrets.rekor.enabled) (.Values.secrets.rekor.create) }} + - secret: + name: {{ .Values.secrets.rekor.name }} + items: + - key: {{ .Values.secrets.rekor.key }} + path: {{ .Values.secrets.rekor.path }} + {{- end }} + {{- if or (.Values.secrets.tsa.enabled) (.Values.secrets.tsa.create) }} + - secret: + name: {{ .Values.secrets.tsa.name }} + items: + - key: {{ .Values.secrets.tsa.key }} + path: {{ .Values.secrets.tsa.path }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/tuf/templates/deployment.yaml b/charts/tuf/templates/deployment.yaml index 68ab27c7..6d2d2fc1 100644 --- a/charts/tuf/templates/deployment.yaml +++ b/charts/tuf/templates/deployment.yaml @@ -1,4 +1,3 @@ -{{- if ne (include "tuf.enabledSecretsCount" .) "0" }} apiVersion: apps/v1 kind: Deployment metadata: 
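Review bot: The header comment kept above `tuf.validateSecrets` still reads `Check number of TUF secrets and render them as structured YAML.`, but the helper no longer counts anything — it fails the render unless at least one secret is enabled or created and otherwise includes `tuf.secretsList` — so the comment should say that, e.g. `Fail the render unless at least one TUF secret is enabled or created, then emit the projected volume sources.` The `fail` text `At least one secret must be provided (enabled or created).` would be more actionable if it named the keys, e.g. `fail "set secrets.{rekor,fulcio,ctlog,tsa}.enabled or .create to true for at least one secret"`. `tuf.secretsList` is piped through `nindent 8` while its own lines appear to carry leading indentation as well; the collapsed patch hides the exact columns, so please confirm with a `helm template` diff against the pre-change output that the `- secret:` entries land under `sources:` at the column the old inline blocks used. Also `{{- define "tuf.validateSecrets" }}` lacks the trailing `-}}` that the other defines visible in this hunk use.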
@@ -49,36 +48,8 @@ spec: - name: tuf-secrets projected: sources: - {{- if or (.Values.secrets.ctlog.enabled) (.Values.secrets.ctlog.create) }} - - secret: - name: {{ .Values.secrets.ctlog.name }} - items: - - key: {{ .Values.secrets.ctlog.key }} - path: {{ .Values.secrets.ctlog.path }} - {{- end }} - {{- if or (.Values.secrets.fulcio.enabled) (.Values.secrets.fulcio.create) }} - - secret: - name: {{ .Values.secrets.fulcio.name }} - items: - - key: {{ .Values.secrets.fulcio.key }} - path: {{ .Values.secrets.fulcio.path }} - {{- end }} - {{- if or (.Values.secrets.rekor.enabled) (.Values.secrets.rekor.create) }} - - secret: - name: {{ .Values.secrets.rekor.name }} - items: - - key: {{ .Values.secrets.rekor.key }} - path: {{ .Values.secrets.rekor.path }} - {{- end }} - {{- if or (.Values.secrets.tsa.enabled) (.Values.secrets.tsa.create) }} - - secret: - name: {{ .Values.secrets.tsa.name }} - items: - - key: {{ .Values.secrets.tsa.key }} - path: {{ .Values.secrets.tsa.path }} - {{- end }} + {{- include "tuf.validateSecrets" . }} {{- if .Values.imagePullSecrets }} imagePullSecrets: {{ toYaml .Values.imagePullSecrets | indent 8 }} - {{- end }} -{{- end }} \ No newline at end of file + {{- end }} \ No newline at end of file diff --git a/charts/tuf/templates/ingress.yaml b/charts/tuf/templates/ingress.yaml index 23e98b9c..a21bc305 100644 --- a/charts/tuf/templates/ingress.yaml +++ b/charts/tuf/templates/ingress.yaml @@ -1,5 +1,4 @@ {{- if .Values.ingress.create }} -{{- if ne (include "tuf.enabledSecretsCount" .) "0" }} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: @@ -34,5 +33,4 @@ spec: secretName: {{ .secretName }} {{- end }} {{- end -}} -{{- end -}} {{- end -}} \ No newline at end of file diff --git a/charts/tuf/templates/namespace.yaml b/charts/tuf/templates/namespace.yaml index bc218a08..37aa5e44 100644 --- a/charts/tuf/templates/namespace.yaml +++ b/charts/tuf/templates/namespace.yaml 
@@ -1,8 +1,6 @@ {{- if .Values.namespace.create }} -{{- if ne (include "tuf.enabledSecretsCount" .) "0" }} apiVersion: v1 kind: Namespace metadata: name: {{ .Values.namespace.name }} -{{- end }} {{- end }} \ No newline at end of file diff --git a/charts/tuf/templates/role.yaml b/charts/tuf/templates/role.yaml index 6cd93905..2209a9bf 100644 --- a/charts/tuf/templates/role.yaml +++ b/charts/tuf/templates/role.yaml @@ -1,4 +1,3 @@ -{{- if ne (include "tuf.enabledSecretsCount" .) "0" }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -7,5 +6,4 @@ metadata: rules: - apiGroups: [""] resources: ["secrets"] - verbs: ["create", "get", "update"] -{{- end }} \ No newline at end of file + verbs: ["create", "get", "update"] \ No newline at end of file diff --git a/charts/tuf/templates/rolebinding.yaml b/charts/tuf/templates/rolebinding.yaml index cdbc12c8..b3d36931 100644 --- a/charts/tuf/templates/rolebinding.yaml +++ b/charts/tuf/templates/rolebinding.yaml @@ -1,4 +1,3 @@ -{{- if ne (include "tuf.enabledSecretsCount" .) "0" }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -10,5 +9,4 @@ roleRef: name: {{ .Values.roleName }} subjects: - kind: ServiceAccount - name: {{ .Values.serviceAccountName }} -{{- end }} \ No newline at end of file + name: {{ .Values.serviceAccountName }} \ No newline at end of file diff --git a/charts/tuf/templates/service.yaml b/charts/tuf/templates/service.yaml index c72f9c8b..b1ae7848 100644 --- a/charts/tuf/templates/service.yaml +++ b/charts/tuf/templates/service.yaml @@ -1,4 +1,3 @@ -{{- if ne (include "tuf.enabledSecretsCount" .) "0" }} apiVersion: v1 kind: Service metadata: @@ -12,5 +11,4 @@ spec: targetPort: {{ .Values.deployment.port }} selector: {{- include "tuf.matchLabels" . | nindent 4 }} - type: ClusterIP -{{- end }} \ No newline at end of file + type: ClusterIP \ No newline at end of file 
diff --git a/charts/tuf/templates/serviceaccount.yaml b/charts/tuf/templates/serviceaccount.yaml index b36f4857..d7673367 100644 --- a/charts/tuf/templates/serviceaccount.yaml +++ b/charts/tuf/templates/serviceaccount.yaml @@ -1,7 +1,5 @@ -{{- if ne (include "tuf.enabledSecretsCount" .) "0" }} apiVersion: v1 kind: ServiceAccount metadata: name: {{ .Values.serviceAccountName }} -{{ include "tuf.namespace" . | indent 2 }} -{{- end }} \ No newline at end of file +{{ include "tuf.namespace" . | indent 2 }} \ No newline at end of file From db6ba2bead42c598682cff79af89d8c7d17b69ae Mon Sep 17 00:00:00 2001 From: Carlos Vega Date: Mon, 30 Sep 2024 07:50:38 +0200 Subject: [PATCH 08/13] Enabled secret as default for TUF Signed-off-by: Carlos Vega --- charts/tuf/values.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/tuf/values.yaml b/charts/tuf/values.yaml index b20ed6b3..22fe3f55 100644 --- a/charts/tuf/values.yaml +++ b/charts/tuf/values.yaml @@ -22,25 +22,25 @@ deployment: secrets: rekor: create: false - enabled: false + enabled: true name: rekor-public-key key: key path: rekor.pub fulcio: create: false - enabled: false + enabled: true name: fulcio-server-secret key: cert path: fulcio_v1.crt.pem ctlog: create: false - enabled: false + enabled: true name: ctlog-public-key key: public path: ctfe.pub tsa: create: false - enabled: false + enabled: true name: tsa-cert-chain key: cert-chain path: tsa.certchain.pem From 91c98396361457a3a41cf904c006d45b051de368 Mon Sep 17 00:00:00 2001 From: Carlos Vega Date: Mon, 30 Sep 2024 09:02:10 +0200 Subject: [PATCH 09/13] Bump version to 0.1.19 Signed-off-by: Carlos Vega --- charts/tuf/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/tuf/Chart.yaml b/charts/tuf/Chart.yaml index e5074392..20346c46 100644 --- a/charts/tuf/Chart.yaml +++ b/charts/tuf/Chart.yaml 
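Review bot: Defaulting all four `secrets.*.enabled` to `true` with `create` left `false` means a default install projects Secrets `rekor-public-key`, `fulcio-server-secret`, `ctlog-public-key` and `tsa-cert-chain` that nothing in this series creates, and because the projected sources have no `optional: true` the tuf Pod stays in ContainerCreating until they exist. That prerequisite belongs next to the flag: a helm-docs comment such as `# -- Mount the existing Secret referenced by name; it must be present in the release namespace before install.` above each `enabled:` would also fill the empty description cells in the README table regenerated in PATCH 10. The flip itself restores the pre-series behaviour of always mounting all four sources, which is the right compatibility default; saying so in the commit message would help reviewers of the series.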
@@ -2,7 +2,7 @@ apiVersion: v2 name: tuf description: A framework for securing software update systems - the scaffolding implementation type: application -version: 0.1.17 +version: 0.1.19 appVersion: 0.7.8 home: https://sigstore.dev/ From c7166038c099951735ff82ab16aadd365dcf2e81 Mon Sep 17 00:00:00 2001 From: Carlos Vega Date: Tue, 1 Oct 2024 09:32:27 +0200 Subject: [PATCH 10/13] Helm Docs for TUF Signed-off-by: Carlos Vega --- charts/tuf/README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/charts/tuf/README.md b/charts/tuf/README.md index ee071319..4a3d3d90 100644 --- a/charts/tuf/README.md +++ b/charts/tuf/README.md @@ -1,6 +1,6 @@ # tuf -![Version: 0.1.17](https://img.shields.io/badge/Version-0.1.17-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.8](https://img.shields.io/badge/AppVersion-0.7.8-informational?style=flat-square) +![Version: 0.1.19](https://img.shields.io/badge/Version-0.1.19-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.8](https://img.shields.io/badge/AppVersion-0.7.8-informational?style=flat-square) A framework for securing software update systems - the scaffolding implementation 
@@ -45,22 +45,22 @@ A framework for securing software update systems - the scaffolding implementatio | roleBindingName | string | `"tuf"` | | | roleName | string | `"tuf"` | | | secrets.ctlog.create | bool | `false` | | -| secrets.ctlog.enabled | bool | `false` | | +| secrets.ctlog.enabled | bool | `true` | | | secrets.ctlog.key | string | `"public"` | | | secrets.ctlog.name | string | `"ctlog-public-key"` | | | secrets.ctlog.path | string | `"ctfe.pub"` | | | secrets.fulcio.create | bool | `false` | | -| secrets.fulcio.enabled | bool | `false` | | +| secrets.fulcio.enabled | bool | `true` | | | secrets.fulcio.key | string | `"cert"` | | | secrets.fulcio.name | string | `"fulcio-server-secret"` | | | secrets.fulcio.path | string | `"fulcio_v1.crt.pem"` | | | secrets.rekor.create | bool | `false` | | -| secrets.rekor.enabled | bool | `false` | | +| secrets.rekor.enabled | bool | `true` | | | secrets.rekor.key | string | `"key"` | | | secrets.rekor.name | string | `"rekor-public-key"` | | | secrets.rekor.path | string | `"rekor.pub"` | | | secrets.tsa.create | bool | `false` | | -| secrets.tsa.enabled | bool | `false` | | +| secrets.tsa.enabled | bool | `true` | | | secrets.tsa.key | string | `"cert-chain"` | | | secrets.tsa.name | string | `"tsa-cert-chain"` | | | secrets.tsa.path | string | `"tsa.certchain.pem"` | | From e8c7d53a67d4035a83e530311e7d41b6f03be20c Mon Sep 17 00:00:00 2001 From: Carlos Vega Date: Tue, 1 Oct 2024 10:08:12 +0200 Subject: [PATCH 11/13] Added new lines Signed-off-by: Carlos Vega --- charts/tuf/templates/_helpers.tpl | 2 +- charts/tuf/templates/deployment.yaml | 2 +- charts/tuf/templates/ingress.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/tuf/templates/_helpers.tpl b/charts/tuf/templates/_helpers.tpl index 482a4d26..bccca93e 100644 --- a/charts/tuf/templates/_helpers.tpl +++ b/charts/tuf/templates/_helpers.tpl 
@@ -132,4 +132,4 @@ Render TUF Secrets as structured YAML for the volume sources. - key: {{ .Values.secrets.tsa.key }} path: {{ .Values.secrets.tsa.path }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/tuf/templates/deployment.yaml b/charts/tuf/templates/deployment.yaml index 6d2d2fc1..b4652b72 100644 --- a/charts/tuf/templates/deployment.yaml +++ b/charts/tuf/templates/deployment.yaml @@ -52,4 +52,4 @@ spec: {{- if .Values.imagePullSecrets }} imagePullSecrets: {{ toYaml .Values.imagePullSecrets | indent 8 }} - {{- end }} \ No newline at end of file + {{- end }} diff --git a/charts/tuf/templates/ingress.yaml b/charts/tuf/templates/ingress.yaml index a21bc305..9d2b034a 100644 --- a/charts/tuf/templates/ingress.yaml +++ b/charts/tuf/templates/ingress.yaml @@ -33,4 +33,4 @@ spec: secretName: {{ .secretName }} {{- end }} {{- end -}} -{{- end -}} \ No newline at end of file +{{- end -}} From 71247bcffafbd9f89298c5d1e99bc3d6e612bba4 Mon Sep 17 00:00:00 2001 From: Carlos Vega Date: Mon, 7 Oct 2024 11:34:13 +0200 Subject: [PATCH 12/13] Helm Docs for TUF Signed-off-by: Carlos Vega --- charts/tuf/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/tuf/README.md b/charts/tuf/README.md index 16731505..fefcd09f 100644 --- a/charts/tuf/README.md +++ b/charts/tuf/README.md 
@@ -1,6 +1,6 @@ # tuf -![Version: 0.1.19](https://img.shields.io/badge/Version-0.1.19-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.8](https://img.shields.io/badge/AppVersion-0.7.8-informational?style=flat-square) +![Version: 0.1.19](https://img.shields.io/badge/Version-0.1.19-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.11](https://img.shields.io/badge/AppVersion-0.7.11-informational?style=flat-square) A framework for securing software update systems - the scaffolding implementation From 88f26337251824d1b73d210eb069ed71542e8f04 Mon Sep 17 00:00:00 2001 From: Carlos Vega Date: Mon, 7 Oct 2024 13:08:07 +0200 Subject: [PATCH 13/13] Restored NodeSelector, Tolerations and Affinity Signed-off-by: Carlos Vega --- charts/tuf/templates/deployment.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/charts/tuf/templates/deployment.yaml b/charts/tuf/templates/deployment.yaml index b4652b72..aa7fc176 100644 --- a/charts/tuf/templates/deployment.yaml +++ b/charts/tuf/templates/deployment.yaml @@ -53,3 +53,15 @@ spec: imagePullSecrets: {{ toYaml .Values.imagePullSecrets | indent 8 }} {{- end }} + {{- if .Values.deployment.nodeSelector }} + nodeSelector: +{{ toYaml .Values.deployment.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.deployment.tolerations }} + tolerations: +{{ toYaml .Values.deployment.tolerations | indent 8 }} + {{- end }} + {{- if .Values.deployment.affinity }} + affinity: +{{ toYaml .Values.deployment.affinity | indent 8 }} + {{- end }}