add fulcio-grpc as knative service (#463)

* add fulcio-grpc as knative service Signed-off-by: Bob Callaway <[email protected]> * add space Signed-off-by: Bob Callaway <[email protected]> * swap backticks for Signed-off-by: Bob Callaway <[email protected]> * comment out 'k get ksvc fulcio-grpc' Signed-off-by: Bob Callaway <[email protected]> Signed-off-by: Bob Callaway <[email protected]>
sigstore · Nov 8, 2022 · 7b3c867 · 7b3c867
1 parent 226db88
commit 7b3c867
Show file tree

Hide file tree

Showing 7 changed files with 90 additions and 2 deletions.
diff --git a/.github/workflows/add-remove-new-fulcio.yaml b/.github/workflows/add-remove-new-fulcio.yaml
@@ -145,6 +145,9 @@ jobs:
         FULCIO_URL=$(kubectl -n fulcio-system get ksvc fulcio -ojsonpath='{.status.url}')
         echo "FULCIO_URL=$FULCIO_URL" >> $GITHUB_ENV
 
+        #FULCIO_GRPC_URL=$(kubectl -n fulcio-system get ksvc fulcio-grpc -ojsonpath='{.status.url}')
+        #echo "FULCIO_GRPC_URL=$FULCIO_GRPC_URL" >> $GITHUB_ENV
+
         CTLOG_URL=$(kubectl -n ctlog-system get ksvc ctlog -ojsonpath='{.status.url}')
         echo "CTLOG_URL=$CTLOG_URL" >> $GITHUB_ENV
 

diff --git a/.github/workflows/fulcio-rekor-kind.yaml b/.github/workflows/fulcio-rekor-kind.yaml
@@ -188,6 +188,9 @@ jobs:
         FULCIO_URL=$(kubectl -n fulcio-system get ksvc fulcio -ojsonpath='{.status.url}')
         echo "FULCIO_URL=$FULCIO_URL" >> $GITHUB_ENV
 
+        #FULCIO_GRPC_URL=$(kubectl -n fulcio-system get ksvc fulcio-grpc -ojsonpath='{.status.url}')
+        #echo "FULCIO_GRPC_URL=$FULCIO_GRPC_URL" >> $GITHUB_ENV
+
         CTLOG_URL=$(kubectl -n ctlog-system get ksvc ctlog -ojsonpath='{.status.url}')
         echo "CTLOG_URL=$CTLOG_URL" >> $GITHUB_ENV
 

diff --git a/.github/workflows/test-release.yaml b/.github/workflows/test-release.yaml
@@ -77,12 +77,14 @@ jobs:
         # TODO(vaikas): Figure out how these could be exposed by above.
         REKOR_URL=$(kubectl -n rekor-system get ksvc rekor -ojsonpath='{.status.url}')
         FULCIO_URL=$(kubectl -n fulcio-system get ksvc fulcio -ojsonpath='{.status.url}')
+        #FULCIO_GRPC_URL=$(kubectl -n fulcio-system get ksvc fulcio-grpc -ojsonpath='{.status.url}')
         CTLOG_URL=$(kubectl -n ctlog-system get ksvc ctlog -ojsonpath='{.status.url}')
         TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}')
 
         # Set the endopints
         echo "REKOR_URL=$REKOR_URL" >> $GITHUB_ENV
         echo "FULCIO_URL=$FULCIO_URL" >> $GITHUB_ENV
+        #echo "FULCIO_GRPC_URL=$FULCIO_GRPC_URL" >> $GITHUB_ENV
         echo "CTLOG_URL=$CTLOG_URL" >> $GITHUB_ENV
         echo "TUF_MIRROR=$TUF_MIRROR" >> $GITHUB_ENV
 

diff --git a/config/fulcio/fulcio/300-fulcio.yaml b/config/fulcio/fulcio/300-fulcio.yaml
@@ -20,7 +20,7 @@ spec:
       # This doesn't actually use Kubernetes credentials, so don't mount them in.
       automountServiceAccountToken: false
       containers:
-      - image: gcr.io/projectsigstore/fulcio@sha256:61081295a8f75ed7537b5d1f8c7320e078dc00e4562c0bf605fbefa062c690de # v0.5.3
+      - image: gcr.io/projectsigstore/fulcio@sha256:27c6e4fe64a72a537c133452d9c8e0518944d1d69aeee5e7ef8a9fbe70b8b5d3 # v1.0.0
         name: fulcio
         ports:
         - containerPort: 5555
@@ -73,3 +73,73 @@ spec:
                 - key: ca.crt
                   path: ca.crt
                   mode: 0666
+
+---
+apiVersion: serving.knative.dev/v1
+kind: Service
+metadata:
+  namespace: fulcio-system
+  name: fulcio-grpc
+spec:
+  template:
+    metadata:
+      annotations:
+        autoscaling.knative.dev/min-scale: "1"
+    spec:
+      serviceAccountName: fulcio
+      # This doesn't actually use Kubernetes credentials, so don't mount them in.
+      automountServiceAccountToken: false
+      containers:
+      - image: gcr.io/projectsigstore/fulcio@sha256:27c6e4fe64a72a537c133452d9c8e0518944d1d69aeee5e7ef8a9fbe70b8b5d3 # v1.0.0
+        name: fulcio-grpc
+        ports:
+        - containerPort: 5554
+        args:
+          - "serve"
+          - "--grpc-port=5554"
+          - "--ca=fileca"
+          - "--fileca-key"
+          - "/var/run/fulcio-secrets/key.pem"
+          - "--fileca-cert"
+          - "/var/run/fulcio-secrets/cert.pem"
+          - "--fileca-key-passwd"
+          - "$(PASSWORD)"
+          - "--ct-log-url=http://ctlog.ctlog-system.svc/sigstorescaffolding"
+        env:
+        - name: PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: fulcio-secret
+              key: password
+        # Force a native go address resolution.
+        - name: GODEBUG
+          value: "netdns=go"
+        volumeMounts:
+        - name: fulcio-config
+          mountPath: /etc/fulcio-config
+        - name: oidc-info
+          mountPath: /var/run/fulcio
+        - name: fulcio-cert
+          mountPath: "/var/run/fulcio-secrets"
+          readOnly: true
+      volumes:
+      - name: fulcio-config
+        configMap:
+          name: fulcio-config
+      - name: fulcio-cert
+        secret:
+          secretName: fulcio-secret
+          items:
+          - key: private
+            path: key.pem
+          - key: cert
+            path: cert.pem
+      - name: oidc-info
+        projected:
+          sources:
+            - configMap:
+                name: kube-root-ca.crt
+                items:
+                - key: ca.crt
+                  path: ca.crt
+                  mode: 0666
diff --git a/getting-started.md b/getting-started.md
@@ -117,7 +117,9 @@ To access these services from the cluster, you'd use:
 `fulcio-system` namespace contains [Fulcio](https://github.com/sigstore/fulcio)
 and Fulcio can be accessed in the cluster with:
 
- * `fulcio.fulcio-system.svc`
+ * `fulcio.fulcio-system.svc` for HTTP
+or
+ * `fulcio-grpc.fulcio-system.svc` for GRPC
 
 ## rekor-system namespace
 
@@ -179,6 +181,7 @@ URLs, let's create some up front:
 ```
 export REKOR_URL=http://rekor.rekor-system.svc:8080
 export FULCIO_URL=http://fulcio.fulcio-system.svc:8080
+export FULCIO_GRPC_URL=http://fulcio-grpc.fulcio-system.svc:8080
 export ISSUER_URL=http://gettoken.default.svc:8080
 export TUF_MIRROR=http://tuf.tuf-system.svc:8080
 ```

diff --git a/hack/setup-scaffolding-from-release.sh b/hack/setup-scaffolding-from-release.sh
@@ -81,6 +81,10 @@ fi
 echo '::group:: Wait for Fulcio ready'
 kubectl wait --timeout 5m -n fulcio-system --for=condition=Complete jobs --all
 kubectl wait --timeout 5m -n fulcio-system --for=condition=Ready ksvc fulcio
+# this checks if the requested version is > 0.4.12 (and therefore has fulcio-grpc in it)
+if [ "${RELEASE_VERSION}" != "$(echo -e "${RELEASE_VERSION}\n0.4.12" | sort -V | head -n1)" ]; then
+  kubectl wait --timeout 5m -n fulcio-system --for=condition=Ready ksvc fulcio-grpc
+fi
 echo '::endgroup::'
 
 # Install CTlog and wait for it to come up

diff --git a/hack/setup-scaffolding.sh b/hack/setup-scaffolding.sh
@@ -67,6 +67,7 @@ fi
 echo '::group:: Wait for Fulcio ready'
 kubectl wait --timeout 5m -n fulcio-system --for=condition=Complete jobs --all
 kubectl wait --timeout 5m -n fulcio-system --for=condition=Ready ksvc fulcio
+kubectl wait --timeout 5m -n fulcio-system --for=condition=Ready ksvc fulcio-grpc
 echo '::endgroup::'
 
 # Install CTlog and wait for it to come up
@@ -107,6 +108,8 @@ REKOR_URL=$(kubectl -n rekor-system get ksvc rekor -ojsonpath='{.status.url}')
 export REKOR_URL
 FULCIO_URL=$(kubectl -n fulcio-system get ksvc fulcio -ojsonpath='{.status.url}')
 export FULCIO_URL
+FULCIO_GRPC_URL=$(kubectl -n fulcio-system get ksvc fulcio-grpc -ojsonpath='{.status.url}')
+export FULCIO_GRPC_URL
 CTLOG_URL=$(kubectl -n ctlog-system get ksvc ctlog -ojsonpath='{.status.url}')
 export CTLOG_URL
 TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}')