Tsa secret optional for tuf #744

Merged
merged 16 commits into from
Oct 14, 2024
2 changes: 1 addition & 1 deletion charts/tuf/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: tuf
description: A framework for securing software update systems - the scaffolding implementation
type: application
version: 0.1.18
version: 0.1.19
appVersion: 0.7.11

home: https://sigstore.dev/
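Review bot: the bump to 0.1.19 matches the README badge updated in this PR, so the two stay in sync. Since the change introduces new user-facing values keys (`secrets.*.enabled`) rather than only fixing a bug, consider whether the chart's convention calls for a minor bump instead of a patch bump so that the schema change is visible to consumers pinning versions.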
6 changes: 5 additions & 1 deletion charts/tuf/README.md
@@ -1,6 +1,6 @@
# tuf

![Version: 0.1.18](https://img.shields.io/badge/Version-0.1.18-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.11](https://img.shields.io/badge/AppVersion-0.7.11-informational?style=flat-square)
![Version: 0.1.19](https://img.shields.io/badge/Version-0.1.19-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.11](https://img.shields.io/badge/AppVersion-0.7.11-informational?style=flat-square)

A framework for securing software update systems - the scaffolding implementation

Expand Down Expand Up @@ -45,18 +45,22 @@ A framework for securing software update systems - the scaffolding implementatio
| roleBindingName | string | `"tuf"` | |
| roleName | string | `"tuf"` | |
| secrets.ctlog.create | bool | `false` | |
| secrets.ctlog.enabled | bool | `true` | |
| secrets.ctlog.key | string | `"public"` | |
| secrets.ctlog.name | string | `"ctlog-public-key"` | |
| secrets.ctlog.path | string | `"ctfe.pub"` | |
| secrets.fulcio.create | bool | `false` | |
| secrets.fulcio.enabled | bool | `true` | |
| secrets.fulcio.key | string | `"cert"` | |
| secrets.fulcio.name | string | `"fulcio-server-secret"` | |
| secrets.fulcio.path | string | `"fulcio_v1.crt.pem"` | |
| secrets.rekor.create | bool | `false` | |
| secrets.rekor.enabled | bool | `true` | |
| secrets.rekor.key | string | `"key"` | |
| secrets.rekor.name | string | `"rekor-public-key"` | |
| secrets.rekor.path | string | `"rekor.pub"` | |
| secrets.tsa.create | bool | `false` | |
| secrets.tsa.enabled | bool | `true` | |
| secrets.tsa.key | string | `"cert-chain"` | |
| secrets.tsa.name | string | `"tsa-cert-chain"` | |
| secrets.tsa.path | string | `"tsa.certchain.pem"` | |
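Review bot: the new `secrets.*.enabled` rows have empty description cells, so nothing in the README tells a user how `enabled` differs from `create` or what happens when a secret is disabled (it is dropped from the projected TUF volume and no error is raised). If this table is generated from values.yaml by helm-docs, add `# -- ...` comments above the keys there so the descriptions land here; otherwise fill the description column directly, for example `| secrets.tsa.enabled | bool | `true` | Mount the TSA certificate chain into the TUF repository volume |`.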
50 changes: 49 additions & 1 deletion charts/tuf/templates/_helpers.tpl
Expand Up @@ -84,4 +84,52 @@ app.kubernetes.io/instance: {{ .Release.Name }}
{{- define "tuf.metaLabels" -}}
helm.sh/chart: {{ include "tuf.chart" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{- end -}}

{{/*
Check number of TUF secrets and render them as structured YAML.
*/}}
{{- define "tuf.validateSecrets" }}
{{- if not (or .Values.secrets.rekor.enabled .Values.secrets.rekor.create
.Values.secrets.fulcio.enabled .Values.secrets.fulcio.create
.Values.secrets.ctlog.enabled .Values.secrets.ctlog.create
.Values.secrets.tsa.enabled .Values.secrets.tsa.create) -}}
{{- fail "At least one secret must be provided (enabled or created)." -}}
{{- else }}
{{- include "tuf.secretsList" . | nindent 8 }}
{{- end }}
{{- end }}

{{/*
Render TUF Secrets as structured YAML for the volume sources.
*/}}
{{- define "tuf.secretsList" -}}
{{- if or (.Values.secrets.ctlog.enabled) (.Values.secrets.ctlog.create) }}
- secret:
name: {{ .Values.secrets.ctlog.name }}
items:
- key: {{ .Values.secrets.ctlog.key }}
path: {{ .Values.secrets.ctlog.path }}
{{- end }}
{{- if or (.Values.secrets.fulcio.enabled) (.Values.secrets.fulcio.create) }}
- secret:
name: {{ .Values.secrets.fulcio.name }}
items:
- key: {{ .Values.secrets.fulcio.key }}
path: {{ .Values.secrets.fulcio.path }}
{{- end }}
{{- if or (.Values.secrets.rekor.enabled) (.Values.secrets.rekor.create) }}
- secret:
name: {{ .Values.secrets.rekor.name }}
items:
- key: {{ .Values.secrets.rekor.key }}
path: {{ .Values.secrets.rekor.path }}
{{- end }}
{{- if or (.Values.secrets.tsa.enabled) (.Values.secrets.tsa.create) }}
- secret:
name: {{ .Values.secrets.tsa.name }}
items:
- key: {{ .Values.secrets.tsa.key }}
path: {{ .Values.secrets.tsa.path }}
{{- end }}
{{- end }}
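Review bot: `tuf.validateSecrets` hardcodes `nindent 8` when it includes `tuf.secretsList`, which ties the helper to the indentation depth of its single call site under `sources:` in deployment.yaml; move the indentation to the caller (`{{- include "tuf.validateSecrets" . | nindent N }}`) and drop it from the helper, then confirm with `helm template` that each rendered `- secret:` item sits under `sources:`. Two smaller points: the condition `or enabled create` means a secret with `create: true` and `enabled: false` is still mounted, so either document that `create` implies mounting or check only `enabled` here and let `create` govern the Secret resource alone; and the doc comment "Check number of TUF secrets" describes a count while the check is "at least one", so reword it to match.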
23 changes: 2 additions & 21 deletions charts/tuf/templates/deployment.yaml
Expand Up @@ -47,27 +47,8 @@ spec:
volumes:
- name: tuf-secrets
projected:
sources:
- secret:
name: {{ .Values.secrets.ctlog.name }}
items:
- key: {{ .Values.secrets.ctlog.key }}
path: {{ .Values.secrets.ctlog.path }}
- secret:
name: {{ .Values.secrets.fulcio.name }}
items:
- key: {{ .Values.secrets.fulcio.key }}
path: {{ .Values.secrets.fulcio.path }}
- secret:
name: {{ .Values.secrets.rekor.name }}
items:
- key: {{ .Values.secrets.rekor.key }}
path: {{ .Values.secrets.rekor.path }}
- secret:
name: {{ .Values.secrets.tsa.name }}
items:
- key: {{ .Values.secrets.tsa.key }}
path: {{ .Values.secrets.tsa.path }}
sources:
{{- include "tuf.validateSecrets" . }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 8 }}
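Review bot: collapsing the four fixed `- secret:` entries into one include means the rendered list's indentation now depends entirely on the `nindent 8` inside the helper rather than on anything visible in this file. Add a chart test or CI step that renders with `helm template` for the default values and for at least one disabled secret (for example `--set secrets.tsa.enabled=false`, the case this PR is for) and validates the output, so that a misaligned `sources:` list is caught before release rather than at apply time; also worth spelling out in the PR description that disabling a secret silently removes that root of trust from the TUF repository, since the only hard failure is when all four are off.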
68 changes: 64 additions & 4 deletions charts/tuf/values.schema.json
Expand Up @@ -109,7 +109,22 @@
"ctlog": {
"properties": {
"create": {
"type": "boolean"
"type": "boolean",
"examples": [
false
]
},
"enabled": {
"type": "boolean",
"examples": [
false
]
},
"name": {
"type": "string",
"examples": [
"rekor-public-key"
]
},
"key": {
"type": "string"
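Review bot: the `examples` value for the ctlog `name` property is `"rekor-public-key"`, but the ctlog default in values.yaml is `ctlog-public-key`; the example appears to have been swapped with the one in the rekor block. Use `"ctlog-public-key"` here.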
Expand All @@ -126,7 +141,22 @@
"fulcio": {
"properties": {
"create": {
"type": "boolean"
"type": "boolean",
"examples": [
false
]
},
"enabled": {
"type": "boolean",
"examples": [
false
]
},
"name": {
"type": "string",
"examples": [
"fulcio-server-secret"
]
},
"key": {
"type": "string"
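Review bot: `enabled` carries `"examples": [false]` while the default in values.yaml and the README is `true`; an example that contradicts the default misleads anyone relying on schema hints in an editor. Use `true` here, or add a `"default": true` entry alongside the example. The same applies to the `enabled` properties in the ctlog, rekor and tsa blocks of this file.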
Expand All @@ -143,7 +173,22 @@
"rekor": {
"properties": {
"create": {
"type": "boolean"
"type": "boolean",
"examples": [
false
]
},
"enabled": {
"type": "boolean",
"examples": [
false
]
},
"name": {
"type": "string",
"examples": [
"ctlog-public-key"
]
},
"key": {
"type": "string"
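Review bot: the `examples` value for the rekor `name` property is `"ctlog-public-key"`, but the rekor default in values.yaml is `rekor-public-key`; this is the other half of the swap with the ctlog block. Use `"rekor-public-key"` here.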
Expand All @@ -160,7 +205,22 @@
"tsa": {
"properties": {
"create": {
"type": "boolean"
"type": "boolean",
"examples": [
false
]
},
"enabled": {
"type": "boolean",
"examples": [
false
]
},
"name": {
"type": "string",
"examples": [
"tsa-cert-chain"
]
},
"key": {
"type": "string"
4 changes: 4 additions & 0 deletions charts/tuf/values.yaml
Expand Up @@ -22,21 +22,25 @@ deployment:
secrets:
rekor:
create: false
enabled: true
name: rekor-public-key
key: key
path: rekor.pub
fulcio:
create: false
enabled: true
name: fulcio-server-secret
key: cert
path: fulcio_v1.crt.pem
ctlog:
create: false
enabled: true
name: ctlog-public-key
key: public
path: ctfe.pub
tsa:
create: false
enabled: true
name: tsa-cert-chain
key: cert-chain
path: tsa.certchain.pem
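Review bot: defaulting every new `enabled` key to `true` keeps existing installs unchanged, which is the right choice, but the keys carry no comment distinguishing `enabled` (mount the secret into the TUF volume) from `create` (render the Secret resource). Add a one-line comment above each `secrets` entry describing both keys so that readers of values.yaml, and any README generated from it, see the difference.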