From 8f6fac5b3201dd08e3528a94377a88a077c07948 Mon Sep 17 00:00:00 2001
From: ianhundere <138915+ianhundere@users.noreply.github.com>
Date: Thu, 25 Jul 2024 18:26:34 -0500
Subject: [PATCH 1/2] adds cronJob.
Signed-off-by: ianhundere <138915+ianhundere@users.noreply.github.com>
---
 charts/scaffold/README.md | 37 +++-
 charts/scaffold/templates/_helpers.tpl | 1 -
 charts/scaffold/templates/clusterrole.yaml | 2 +-
 .../templates/copy-secrets-cronjob.yaml | 100 +++++++++++
 .../scaffold/templates/copy-secrets-job.yaml | 6 +-
 charts/scaffold/values.schema.json | 166 ++++++++++++------
 charts/scaffold/values.yaml | 48 +++--
 7 files changed, 285 insertions(+), 75 deletions(-)
 create mode 100644 charts/scaffold/templates/copy-secrets-cronjob.yaml
diff --git a/charts/scaffold/README.md b/charts/scaffold/README.md
index d34e12d5..d387c62a 100644
--- a/charts/scaffold/README.md
+++ b/charts/scaffold/README.md
@@ -49,6 +49,11 @@ helm uninstall [RELEASE_NAME]
 |-----|------|---------|-------------|
 | copySecretJob.affinity | object | `{}` | |
 | copySecretJob.backoffLimit | int | `6` | |
+| copySecretJob.copySecretCronJob.backoffLimit | int | `2` | |
+| copySecretJob.copySecretCronJob.enabled | bool | `false` | |
+| copySecretJob.copySecretCronJob.failedJobsHistoryLimit | int | `1` | |
+| copySecretJob.copySecretCronJob.schedule | string | `"*/5 * * * 1-5"` | |
+| copySecretJob.copySecretCronJob.successfulJobsHistoryLimit | int | `1` | |
 | copySecretJob.enabled | bool | `false` | |
 | copySecretJob.imagePullPolicy | string | `"IfNotPresent"` | |
 | copySecretJob.name | string | `"copy-secrets-job"` | |
@@ -91,6 +96,30 @@ helm uninstall [RELEASE_NAME]
 | rekor.server.fullnameOverride | string | `"rekor-server"` | |
 | rekor.tolerations | list | `[]` | |
 | rekor.trillian.enabled | bool | `false` | |
+| secrets.ctlog.create | bool | `false` | |
+| secrets.ctlog.deploymentName | string | `"ctlog"` | |
+| secrets.ctlog.key | string | `"public"` | |
+| secrets.ctlog.name | string | `"ctlog-public-key"` | |
+| secrets.ctlog.namespace | string | `"ctlog-system"` | |
+| secrets.ctlog.path | string | `"ctfe.pub"` | |
+| secrets.fulcio.create | bool | `false` | |
+| secrets.fulcio.deploymentName | string | `"fulcio-server"` | |
+| secrets.fulcio.key | string | `"cert"` | |
+| secrets.fulcio.name | string | `"fulcio-server-secret"` | |
+| secrets.fulcio.namespace | string | `"fulcio-system"` | |
+| secrets.fulcio.path | string | `"fulcio_v1.crt.pem"` | |
+| secrets.rekor.create | bool | `false` | |
+| secrets.rekor.deploymentName | string | `"rekor-server"` | |
+| secrets.rekor.key | string | `"key"` | |
+| secrets.rekor.name | string | `"rekor-public-key"` | |
+| secrets.rekor.namespace | string | `"rekor-system"` | |
+| secrets.rekor.path | string | `"rekor.pub"` | |
+| secrets.tsa.create | bool | `false` | |
+| secrets.tsa.deploymentName | string | `"tsa-server"` | |
+| secrets.tsa.key | string | `"cert-chain"` | |
+| secrets.tsa.name | string | `"tsa-cert-chain"` | |
+| secrets.tsa.namespace | string | `"tsa-system"` | |
+| secrets.tsa.path | string | `"tsa.certchain.pem"` | |
 | trillian.affinity | object | `{}` | |
 | trillian.enabled | bool | `true` | |
 | trillian.forceNamespace | string | `"trillian-system"` | |
@@ -121,14 +150,6 @@ helm uninstall [RELEASE_NAME]
 | tuf.namespace.create | bool | `true` | |
 | tuf.namespace.name | string | `"tuf-system"` | |
 | tuf.nodeSelector | object | `{}` | |
-| tuf.secrets.ctlog.name | string | `"ctlog-public-key"` | |
-| tuf.secrets.ctlog.path | string | `"ctfe.pub"` | |
-| tuf.secrets.fulcio.name | string | `"fulcio-server-secret"` | |
-| tuf.secrets.fulcio.path | string | `"fulcio_v1.crt.pem"` | |
-| tuf.secrets.rekor.name | string | `"rekor-public-key"` | |
-| tuf.secrets.rekor.path | string | `"rekor.pub"` | |
-| tuf.secrets.tsa.name | string | `"tsa-cert-chain"` | |
-| tuf.secrets.tsa.path | string | `"tsa.certchain.pem"` | |
 | tuf.tolerations | list | `[]` | |
 ----------------------------------------------
diff --git a/charts/scaffold/templates/_helpers.tpl b/charts/scaffold/templates/_helpers.tpl
index 1c1c296d..608b4e81 100644
--- a/charts/scaffold/templates/_helpers.tpl
+++ b/charts/scaffold/templates/_helpers.tpl
@@ -8,4 +8,3 @@ Create the image path for the passed in image field
 {{- printf "%s/%s:%s" .registry .repository .version -}}
 {{- end -}}
 {{- end -}}
-
diff --git a/charts/scaffold/templates/clusterrole.yaml b/charts/scaffold/templates/clusterrole.yaml
index 746d2deb..7679b131 100644
--- a/charts/scaffold/templates/clusterrole.yaml
+++ b/charts/scaffold/templates/clusterrole.yaml
@@ -6,7 +6,7 @@ metadata:
 rules:
 - apiGroups: [""]
 resources: ["secrets"]
- verbs: ["get", "create", "patch"]
+ verbs: ["get", "create", "patch"{{- if .Values.copySecretJob.copySecretCronJob.enabled }}, "delete"{{- end }}]
 - apiGroups: ["apps"]
 resources: ["deployments"]
 verbs: ["get", "list"]
diff --git a/charts/scaffold/templates/copy-secrets-cronjob.yaml b/charts/scaffold/templates/copy-secrets-cronjob.yaml
new file mode 100644
index 00000000..8238a2fd
--- /dev/null
+++ b/charts/scaffold/templates/copy-secrets-cronjob.yaml
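Review bot: The `"delete"` verb added to the secrets rule in the clusterrole.yaml hunk applies to every Secret in every namespace, because this is a ClusterRole with no `resourceNames`, so enabling the CronJob lets its service account delete arbitrary secrets cluster-wide instead of only the copied rekor/fulcio/ctlog/tsa secrets it presumably re-creates. Unlike `create`, `delete` can be narrowed with `resourceNames`, so the existing rule can stay as it was and the delete permission can live in a separate, conditional rule pinned to the four secret names the chart already has values for. I used the `.Values.tuf.secrets.*.name` path that the new cronjob template reads; the README hunk in this same patch documents these keys under `secrets.*`, so use whichever path values.yaml actually defines. The ClusterRole's name and the `{{- if }}` enclosing these rules are outside the hunk, and that the job deletes these secrets is inferred from the verb rather than visible here.
```yaml
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "create", "patch"]
  {{- if .Values.copySecretJob.copySecretCronJob.enabled }}
  # delete is only needed for the secrets the CronJob re-creates; unlike create it
  # can be restricted with resourceNames, so it gets its own rule instead of widening
  # the cluster-wide rule above
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames:
      - {{ .Values.tuf.secrets.rekor.name }}
      - {{ .Values.tuf.secrets.fulcio.name }}
      - {{ .Values.tuf.secrets.ctlog.name }}
      - {{ .Values.tuf.secrets.tsa.name }}
    verbs: ["delete"]
  {{- end }}
  # … unchanged: deployments rule …
```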
@@ -0,0 +1,100 @@
+{{- if and .Values.copySecretJob.enabled .Values.copySecretJob.copySecretCronJob.enabled }}
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+{{ include "tuf.namespace" .Subcharts.tuf | indent 2 }}
+ name: {{ .Values.copySecretJob.name }}-scheduled
+spec:
+ schedule: "{{ .Values.copySecretJob.copySecretCronJob.schedule }}"
+ successfulJobsHistoryLimit: {{ default 2 .Values.copySecretJob.copySecretCronJob.successfulJobsHistoryLimit }}
+ failedJobsHistoryLimit: {{ default 2 .Values.copySecretJob.copySecretCronJob.failedJobsHistoryLimit }}
+ jobTemplate:
+ spec:
+ backoffLimit: {{ default 6 .Values.copySecretJob.copySecretCronJob.backoffLimit }}
+ template:
+ spec:
+ restartPolicy: OnFailure
+ serviceAccountName: {{ .Values.copySecretJob.serviceaccount }}
+ initContainers:
+ - name: wait-for-rekor-deployment-readiness
+ image: {{ template "scaffold.image" .Values.copySecretJob }}
+ imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }}
+ command: ["/bin/sh"]
+ args: [
+ "-c",
+ "kubectl rollout status deployment {{ .Values.tuf.secrets.rekor.deploymentName }} --timeout=120s -n {{ .Values.tuf.secrets.rekor.namespace }}"
+ ]
+ - name: wait-for-fulcio-deployment-readiness
+ image: {{ template "scaffold.image" .Values.copySecretJob }}
+ imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }}
+ command: ["/bin/sh"]
+ args: [
+ "-c",
+ "kubectl rollout status deployment {{ .Values.tuf.secrets.fulcio.deploymentName }} --timeout=120s -n {{ .Values.tuf.secrets.fulcio.namespace }}"
+ ]
+ - name: wait-for-ctlog-deployment-readiness
+ image: {{ template "scaffold.image" .Values.copySecretJob }}
+ imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }}
+ command: ["/bin/sh"]
+ args: [
+ "-c",
+ "kubectl rollout status deployment {{ .Values.tuf.secrets.ctlog.deploymentName }} --timeout=120s -n {{ .Values.tuf.secrets.ctlog.namespace }}"
+ ]
+ - name: wait-for-tsa-deployment-readiness
+ image: {{ template "scaffold.image" .Values.copySecretJob }}
+ imagePullPolicy: 
{{ .Values.copySecretJob.pullPolicy }} + command: ["/bin/sh"] + args: [ + "-c", + "kubectl rollout status deployment {{ .Values.tuf.secrets.tsa.deploymentName }} --timeout=120s -n {{ .Values.tuf.secrets.tsa.namespace }}" + ] + containers: + - name: copy-rekor-secret + image: {{ template "scaffold.image" .Values.copySecretJob }} + imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }} + command: ["/bin/sh"] + args: [ + "-c", + "curl {{ .Values.tuf.secrets.rekor.deploymentName}}.{{ .Values.tuf.secrets.rekor.namespace }}.svc.cluster.local/api/v1/log/publicKey -o /tmp/key -v && \ + kubectl apply -f - < Date: Mon, 29 Jul 2024 15:21:58 -0400 Subject: [PATCH 2/2] adds tuf-rollout-restart container to ensure tuf root secret is updated. Signed-off-by: ianhundere <138915+ianhundere@users.noreply.github.com> --- charts/scaffold/Chart.yaml | 2 +- charts/scaffold/README.md | 2 +- charts/scaffold/templates/clusterrole.yaml | 4 ++-- .../templates/copy-secrets-cronjob.yaml | 20 +++++++++++++------ 4 files changed, 18 insertions(+), 10 deletions(-) diff --git a/charts/scaffold/Chart.yaml b/charts/scaffold/Chart.yaml index bbcda100..f72d63ee 100644 --- a/charts/scaffold/Chart.yaml +++ b/charts/scaffold/Chart.yaml @@ -4,7 +4,7 @@ description: Scaffolding the components of the sigstore architecture type: application -version: 0.6.61 +version: 0.6.62 keywords: - security - pki diff --git a/charts/scaffold/README.md b/charts/scaffold/README.md index d387c62a..18a2842a 100644 --- a/charts/scaffold/README.md +++ b/charts/scaffold/README.md 
@@ -2,7 +2,7 @@
-![Version: 0.6.61](https://img.shields.io/badge/Version-0.6.61-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.6.62](https://img.shields.io/badge/Version-0.6.62-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 Scaffolding the components of the sigstore architecture
diff --git a/charts/scaffold/templates/clusterrole.yaml b/charts/scaffold/templates/clusterrole.yaml
index 7679b131..c2101851 100644
--- a/charts/scaffold/templates/clusterrole.yaml
+++ b/charts/scaffold/templates/clusterrole.yaml
@@ -9,5 +9,5 @@ rules:
 verbs: ["get", "create", "patch"{{- if .Values.copySecretJob.copySecretCronJob.enabled }}, "delete"{{- end }}]
 - apiGroups: ["apps"]
 resources: ["deployments"]
- verbs: ["get", "list"]
-{{- end }}
+ verbs: ["get", "list"{{- if .Values.copySecretJob.copySecretCronJob.enabled }}, "update"{{- end }}]
+{{- end }}
\ No newline at end of file
diff --git a/charts/scaffold/templates/copy-secrets-cronjob.yaml b/charts/scaffold/templates/copy-secrets-cronjob.yaml
index 8238a2fd..b02f7452 100644
--- a/charts/scaffold/templates/copy-secrets-cronjob.yaml
+++ b/charts/scaffold/templates/copy-secrets-cronjob.yaml
@@ -56,7 +56,7 @@ spec:
 args: [
 "-c",
 "curl {{ .Values.tuf.secrets.rekor.deploymentName}}.{{ .Values.tuf.secrets.rekor.namespace }}.svc.cluster.local/api/v1/log/publicKey -o /tmp/key -v && \
- kubectl apply -f - <
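Review bot: The `"update"` verb added to the deployments rule in the clusterrole.yaml hunk is cluster-wide, so when the CronJob is enabled its service account may rewrite the pod template of any Deployment in any namespace, while the commit subject says it only needs to restart the tuf Deployment. As far as I recall `kubectl rollout restart` sends a strategic-merge PATCH to the Deployment, so `update` may not even be the verb the new container needs (`patch` is); worth confirming against an RBAC denial from the API server before relying on it. Either way the write verb belongs in a separate conditional rule scoped with `resourceNames` to the one tuf Deployment, leaving `get`/`list` as they were. The new side also drops the file's trailing newline (`\ No newline at end of file`), and the `{{- if }}` that this `{{- end }}` closes is outside the hunk.
```yaml
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list"]
  {{- if .Values.copySecretJob.copySecretCronJob.enabled }}
  # the CronJob only restarts the tuf Deployment, so the write verb is pinned to it;
  # rollout restart patches the Deployment, hence patch rather than update
  - apiGroups: ["apps"]
    resources: ["deployments"]
    resourceNames: ["<TUF_DEPLOYMENT_NAME>"]  # placeholder: name of the tuf Deployment the CronJob restarts
    verbs: ["patch"]
  {{- end }}
{{- end }}
```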