From 2241bcdf9008309ee2fdddae0b0275bcd51ffcdd Mon Sep 17 00:00:00 2001
From: Wayne Starr
Date: Fri, 19 May 2023 09:02:19 -0500
Subject: [PATCH] fix(helm): make env variable optional
Co-authored-by: saisatish karra
Signed-off-by: Wayne Starr
---
 charts/fulcio/values.yaml | 6 +-
 fulcio_gen.yaml | 607 --------------------------------------
 2 files changed, 3 insertions(+), 610 deletions(-)
 delete mode 100644 fulcio_gen.yaml
diff --git a/charts/fulcio/values.yaml b/charts/fulcio/values.yaml
index 4b863175..83c3e1aa 100644
--- a/charts/fulcio/values.yaml
+++ b/charts/fulcio/values.yaml
@@ -23,9 +23,9 @@ server:
 # crane digest gcr.io/projectsigstore/fulcio:v1.5.1
 # -- v1.5.1
 version: sha256:17b914c4a1d05871e3353630b3516b106b653839587aa496d0f96b6e857c8714
- env:
- # Valid values: path to workload identity config or service account key JSON file
- GOOGLE_APPLICATION_CREDENTIALS: /etc/fulcio-config/cloud_credentials
+ # env:
+ # # Valid values: path to workload identity config or service account key JSON file
+ # GOOGLE_APPLICATION_CREDENTIALS: /etc/fulcio-config/cloud_credentials
 args:
 port: 5555
 grpcPort: 5554
diff --git a/fulcio_gen.yaml b/fulcio_gen.yaml
deleted file mode 100644
index 812544ec..00000000
--- a/fulcio_gen.yaml
+++ /dev/null
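Review bot: The three added lines in charts/fulcio/values.yaml comment out the `env` default without saying what the chart does when `server.env` is absent, and the nested comment now reads as a doubled `# # Valid values:` prefix. A one-line lead-in above the example, e.g. `# env: optional map of extra environment variables for the server container; leave unset when no Google credentials are needed`, would make the new default self-explanatory and let the inner line drop one `#`. The example path points into the `/etc/fulcio-config` mount, which the removed rendered manifest shows is backed by a ConfigMap carrying `cloud_credentials: ""`, so the comment should also state that a service-account key JSON must come from a Secret-backed volume rather than that ConfigMap. The deployment template that consumes `server.env` is not in this hunk; confirm it guards the key (a `with` or `if` around the block) so an unset map does not render an empty or `null` `env:` entry.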
@@ -1,607 +0,0 @@ ---- -# Source: fulcio/charts/ctlog/templates/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: ctlog-system ---- -# Source: fulcio/charts/ctlog/templates/createctconfig-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: release-name-ctlog-createctconfig - namespace: ctlog-system - labels: - helm.sh/chart: ctlog-0.2.37 - app.kubernetes.io/name: ctlog - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "0.3.0" - app.kubernetes.io/managed-by: Helm - annotations: - {} ---- -# Source: fulcio/charts/ctlog/templates/createtree-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ctlog-createtree - namespace: ctlog-system - labels: - helm.sh/chart: ctlog-0.2.37 - app.kubernetes.io/name: ctlog - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "0.3.0" - app.kubernetes.io/managed-by: Helm - annotations: - {} ---- -# Source: fulcio/charts/ctlog/templates/ctlog-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ctlog - namespace: ctlog-system - labels: - helm.sh/chart: ctlog-0.2.37 - app.kubernetes.io/name: ctlog - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "0.3.0" - app.kubernetes.io/managed-by: Helm - annotations: - {} ---- -# Source: fulcio/templates/createcerts-serviceacount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: release-name-fulcio-createcerts - namespace: sigstore - labels: - helm.sh/chart: fulcio-2.4.2 - app.kubernetes.io/name: fulcio - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "1.3.1" - app.kubernetes.io/managed-by: Helm - annotations: - {} ---- -# Source: fulcio/templates/fulcio-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: release-name-fulcio-server - namespace: sigstore - labels: - helm.sh/chart: fulcio-2.4.2 - app.kubernetes.io/name: fulcio - app.kubernetes.io/instance: release-name - 
app.kubernetes.io/version: "1.3.1" - app.kubernetes.io/managed-by: Helm - annotations: - {} ---- -# Source: fulcio/charts/ctlog/templates/ctlog-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: ctlog-config - namespace: ctlog-system - labels: - helm.sh/chart: ctlog-0.2.37 - app.kubernetes.io/name: ctlog - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "0.3.0" - app.kubernetes.io/managed-by: Helm -data: - __placeholder: | - ################################################################### - # Just a placeholder so that reapplying this won't overwrite treeID - # if it already exists. This caused grief, do not remove. - ################################################################### ---- -# Source: fulcio/templates/fulcio-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: release-name-fulcio-server-config - namespace: sigstore - labels: - helm.sh/chart: fulcio-2.4.2 - app.kubernetes.io/name: fulcio - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "1.3.1" - app.kubernetes.io/managed-by: Helm -data: - config.json: |- - { - "OIDCIssuers": { - "https://kubernetes.default.svc": { - "IssuerURL": "https://kubernetes.default.svc", - "ClientID": "sigstore", - "Type": "kubernetes" - } - }, - "MetaIssuers": { - "https://kubernetes.*.svc": { - "ClientID": "sigstore", - "Type": "kubernetes" - } - } - } - cloud_credentials: "" ---- -# Source: fulcio/charts/ctlog/templates/cm-operator-role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: ctlog-cm-operator - namespace: ctlog-system - labels: - helm.sh/chart: ctlog-0.2.37 - app.kubernetes.io/name: ctlog - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "0.3.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: [""] # "" indicates the core API group - resources: ["configmaps"] - resourceNames: ["ctlog-config"] - verbs: ["get", "update"] ---- -# Source: 
fulcio/charts/ctlog/templates/secret-operator-role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: ctlog-secret-operator - namespace: ctlog-system - labels: - helm.sh/chart: ctlog-0.2.37 - app.kubernetes.io/name: ctlog - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "0.3.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: [""] # "" indicates the core API group - resources: ["configmaps"] - resourceNames: ["ctlog-config"] - verbs: ["get", "update"] - - apiGroups: [""] # "" indicates the core API group - resources: ["secrets"] - verbs: ["create", "get", "update"] ---- -# Source: fulcio/templates/secret-operator-role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: release-name-fulcio-server-secret-operator - namespace: sigstore - labels: - helm.sh/chart: fulcio-2.4.2 - app.kubernetes.io/name: fulcio - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "1.3.1" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: [""] # "" indicates the core API group - resources: ["secrets"] - verbs: ["create", "get", "update"] ---- -# Source: fulcio/charts/ctlog/templates/cm-operator-rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: ctlog-cm-operator - namespace: ctlog-system - labels: - helm.sh/chart: ctlog-0.2.37 - app.kubernetes.io/name: ctlog - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "0.3.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ctlog-cm-operator -subjects: - - kind: ServiceAccount - name: ctlog-createtree - namespace: ctlog-system ---- -# Source: fulcio/charts/ctlog/templates/secret-operator-rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: ctlog-secret-operator - namespace: ctlog-system - labels: - helm.sh/chart: ctlog-0.2.37 - app.kubernetes.io/name: ctlog - 
app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "0.3.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ctlog-secret-operator -subjects: - - kind: ServiceAccount - name: release-name-ctlog-createctconfig - namespace: ctlog-system ---- -# Source: fulcio/templates/secret-operator-rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: release-name-fulcio-server-secret-operator - namespace: sigstore - labels: - helm.sh/chart: fulcio-2.4.2 - app.kubernetes.io/name: fulcio - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "1.3.1" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: release-name-fulcio-server-secret-operator -subjects: - - kind: ServiceAccount - name: release-name-fulcio-createcerts - namespace: sigstore ---- -# Source: fulcio/charts/ctlog/templates/ctlog-service.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - helm.sh/chart: ctlog-0.2.37 - app.kubernetes.io/name: ctlog - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "0.3.0" - app.kubernetes.io/managed-by: Helm - name: ctlog - namespace: ctlog-system -spec: - ports: - - name: 6962-tcp - port: 80 - protocol: TCP - targetPort: 6962 - - name: 6963-tcp - port: 6963 - protocol: TCP - targetPort: 6963 - selector: - app.kubernetes.io/name: ctlog - app.kubernetes.io/instance: release-name - type: "ClusterIP" ---- -# Source: fulcio/templates/fulcio-service.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - helm.sh/chart: fulcio-2.4.2 - app.kubernetes.io/name: fulcio - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "1.3.1" - app.kubernetes.io/managed-by: Helm - name: release-name-fulcio-server - namespace: sigstore -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: 5555 - - name: grpc - port: 5554 - protocol: TCP - targetPort: 5554 - - 
name: 2112-tcp - port: 2112 - protocol: TCP - targetPort: 2112 - selector: - app.kubernetes.io/name: fulcio - app.kubernetes.io/instance: release-name - type: "ClusterIP" ---- -# Source: fulcio/charts/ctlog/templates/ctlog-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ctlog - namespace: ctlog-system - labels: - helm.sh/chart: ctlog-0.2.37 - app.kubernetes.io/name: ctlog - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "0.3.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: ctlog - app.kubernetes.io/instance: release-name - template: - metadata: - annotations: - checksum/config: b94af4d324905711b8078a98d1acf2688381fe98eeef567be31295a879f6eadd - prometheus.io/path: /metrics - prometheus.io/port: "6963" - prometheus.io/scrape: "true" - labels: - app.kubernetes.io/name: ctlog - app.kubernetes.io/instance: release-name - spec: - serviceAccountName: ctlog - containers: - - name: ctlog - image: "ghcr.io/sigstore/scaffolding/ct_server@sha256:7c791d3b7c15e817807f07d4cdb00406529a114702ad448ee857e1d0fc5fb5a9" - imagePullPolicy: "IfNotPresent" - args: - - "--http_endpoint=0.0.0.0:6962" - - "--metrics_endpoint=0.0.0.0:6963" - - "--log_config=/ctfe-keys/config" - - "--alsologtostderr" - volumeMounts: - - name: keys - mountPath: "/ctfe-keys" - readOnly: true - ports: - - containerPort: 6962 - protocol: TCP - - containerPort: 6963 - protocol: TCP - securityContext: - runAsNonRoot: true - runAsUser: 65533 - volumes: - - name: keys - secret: - secretName: ctlog-secret ---- -# Source: fulcio/templates/fulcio-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: release-name-fulcio-server - namespace: sigstore - labels: - helm.sh/chart: fulcio-2.4.2 - app.kubernetes.io/name: fulcio - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "1.3.1" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - 
app.kubernetes.io/name: fulcio - app.kubernetes.io/instance: release-name - template: - metadata: - annotations: - checksum/config: da411967324f350f169be60798759837cbbeedc571c9bb27a670752103d1b40d - labels: - app.kubernetes.io/name: fulcio - app.kubernetes.io/instance: release-name - spec: - serviceAccountName: release-name-fulcio-server - # This doesn't actually use Kubernetes credentials, so don't mount them in. - automountServiceAccountToken: true - containers: - - name: release-name-fulcio-server - image: "gcr.io/projectsigstore/fulcio@sha256:c920be2d367214562cda7d53d3af3529edf2dfd9326b24909ece450092b97b18" - imagePullPolicy: "IfNotPresent" - ports: - - containerPort: 5555 - protocol: TCP - - containerPort: 5554 - protocol: TCP - - containerPort: 2112 - protocol: TCP - args: - - "serve" - - "--port=5555" - - "--grpc-port=5554" - - "--ca=fileca" - - "--fileca-key" - - "/var/run/fulcio-secrets/key.pem" - - "--fileca-cert" - - "/var/run/fulcio-secrets/cert.pem" - - "--fileca-key-passwd" - - "$(PASSWORD)" - - "--ct-log-url=http://ctlog.ctlog-system.svc/fulcio" - env: - - name: "GOOGLE_APPLICATION_CREDENTIALS" - value: "/etc/fulcio-config/cloud_credentials" - - name: PASSWORD - valueFrom: - secretKeyRef: - name: fulcio-server-secret - key: password - volumeMounts: - - name: fulcio-config - mountPath: /etc/fulcio-config - - name: oidc-info - mountPath: /var/run/fulcio - - name: fulcio-cert - mountPath: "/var/run/fulcio-secrets" - readOnly: true - securityContext: - runAsNonRoot: true - runAsUser: 65533 - volumes: - - name: fulcio-config - configMap: - name: release-name-fulcio-server-config - - name: oidc-info - projected: - sources: - - configMap: - name: kube-root-ca.crt - items: - - key: ca.crt - path: ca.crt - mode: 0666 - - name: fulcio-cert - secret: - secretName: fulcio-server-secret - items: - - key: private - path: key.pem - - key: cert - path: cert.pem ---- -# Source: fulcio/charts/ctlog/templates/createctconfig-job.yaml -apiVersion: batch/v1 -kind: Job 
-metadata: - name: release-name-ctlog-createctconfig - namespace: ctlog-system - labels: - helm.sh/chart: ctlog-0.2.37 - app.kubernetes.io/name: ctlog - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "0.3.0" - app.kubernetes.io/managed-by: Helm -spec: - ttlSecondsAfterFinished: 3600 - backoffLimit: 6 - template: - spec: - serviceAccountName: release-name-ctlog-createctconfig - restartPolicy: Never - automountServiceAccountToken: true - initContainers: - - name: "wait-for-createtree-configmap" - image: "docker.io/curlimages/curl@sha256:dca6e1b1c8e7b8b8e7be4e79fc78a858d12fd56245cb31bfa281dbf7c73a6498" - imagePullPolicy: IfNotPresent - command: ["sh", "-c", "until curl --fail --header \"Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\" --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt --max-time 10 https://kubernetes.default.svc/api/v1/namespaces/$(NAMESPACE)/configmaps/ctlog-config | grep '\"treeID\":'; do echo waiting for Configmap ctlog-config; sleep 5; done;"] - env: - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - containers: - - name: release-name-ctlog-createctconfig - image: "ghcr.io/sigstore/scaffolding/createctconfig@sha256:024e3451af712070a807124f82c5a8a9c84343c17ec17a2d2832229a6ac0cb0e" - imagePullPolicy: "IfNotPresent" - args: [ - "--configmap=ctlog-config", - "--secret=ctlog-secret", - "--pubkeysecret=ctlog-public-key", - "--fulcio-url=http://fulcio-server.fulcio-system.svc", - "--trillian-server=trillian-logserver.trillian-system:8091", - "--log-prefix=fulcio" - ] - env: - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - runAsNonRoot: true - runAsUser: 65533 ---- -# Source: fulcio/charts/ctlog/templates/createtree-job.yaml -apiVersion: batch/v1 -kind: Job -metadata: - name: ctlog-createtree - namespace: ctlog-system - labels: - helm.sh/chart: ctlog-0.2.37 - app.kubernetes.io/name: ctlog - 
app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "0.3.0" - app.kubernetes.io/managed-by: Helm -spec: - ttlSecondsAfterFinished: 3600 - template: - spec: - serviceAccountName: ctlog-createtree - restartPolicy: Never - automountServiceAccountToken: true - containers: - - name: ctlog-createtree - image: "ghcr.io/sigstore/scaffolding/createtree@sha256:d5776d8a43632291e1c5a22a9266608db0daa0a11663445d701e327f2205974c" - imagePullPolicy: "IfNotPresent" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - args: [ - "--namespace=$(NAMESPACE)", - "--configmap=ctlog-config", - "--display_name=ctlog-tree", - "--admin_server=trillian-logserver.trillian-system:8091" - ] - securityContext: - runAsNonRoot: true - runAsUser: 65533 ---- -# Source: fulcio/templates/createcerts-job.yaml -apiVersion: batch/v1 -kind: Job -metadata: - name: release-name-fulcio-createcerts - namespace: sigstore - labels: - helm.sh/chart: fulcio-2.4.2 - app.kubernetes.io/name: fulcio - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "1.3.1" - app.kubernetes.io/managed-by: Helm -spec: - ttlSecondsAfterFinished: 3600 - template: - spec: - serviceAccountName: release-name-fulcio-createcerts - restartPolicy: Never - automountServiceAccountToken: true - containers: - - name: release-name-fulcio-createcerts - image: "ghcr.io/sigstore/scaffolding/createcerts@sha256:73e7ac35d0e5169bd14a5cb6caed2e7d44277dec3d1de92e08f4d055523089a1" - imagePullPolicy: "IfNotPresent" - args: ["--secret=fulcio-server-secret"] - env: - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - runAsNonRoot: true - runAsUser: 65533 ---- -# Source: fulcio/templates/fulcio-http-ingress.yaml -apiVersion: "networking.k8s.io/v1" -kind: Ingress -metadata: - labels: - helm.sh/chart: fulcio-2.4.2 - app.kubernetes.io/name: fulcio - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "1.3.1" - 
app.kubernetes.io/managed-by: Helm - name: release-name-fulcio-server-http - namespace: sigstore - annotations: - {} -spec: - ingressClassName: nginx - rules: - - host: "fulcio.localhost" - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: release-name-fulcio-server - port: - number: 80