From af3fc2943a5265cf12a5e51850ff90ddcbef8d8d Mon Sep 17 00:00:00 2001 From: saisatish karra Date: Thu, 18 May 2023 16:19:20 -0500 Subject: [PATCH 1/4] feat(fulcio/add-env): Add additional env variables Support GCP credentials for external cloud provider workloads Signed-off-by: saisatish karra --- charts/fulcio/Chart.yaml | 2 +- charts/fulcio/README.md | 4 +- charts/fulcio/templates/fulcio-configmap.yaml | 1 + .../fulcio/templates/fulcio-deployment.yaml | 27 +- charts/fulcio/values.schema.json | 21 + charts/fulcio/values.yaml | 5 + fulcio_gen.yaml | 607 ++++++++++++++++++ 7 files changed, 658 insertions(+), 9 deletions(-) create mode 100644 fulcio_gen.yaml diff --git a/charts/fulcio/Chart.yaml b/charts/fulcio/Chart.yaml index 1b7fd8f2..8c281bba 100644 --- a/charts/fulcio/Chart.yaml +++ b/charts/fulcio/Chart.yaml @@ -5,7 +5,7 @@ description: | type: application -version: 2.3.2 +version: 2.4.2 appVersion: 1.3.1 keywords: diff --git a/charts/fulcio/README.md b/charts/fulcio/README.md index c0353c40..6d29449b 100644 --- a/charts/fulcio/README.md +++ b/charts/fulcio/README.md @@ -2,7 +2,7 @@ -![Version: 2.3.2](https://img.shields.io/badge/Version-2.3.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.1](https://img.shields.io/badge/AppVersion-1.3.1-informational?style=flat-square) +![Version: 2.4.2](https://img.shields.io/badge/Version-2.4.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.1](https://img.shields.io/badge/AppVersion-1.3.1-informational?style=flat-square) Fulcio is a free code signing Certificate Authority, built to make short-lived certificates available to anyone. 
@@ -109,12 +109,14 @@ helm uninstall [RELEASE_NAME] | namespace.name | string | `"fulcio-system"` | | | server.args.aws_hsm_root_ca_path | string | `nil` | | | server.args.certificateAuthority | string | `"fileca"` | | +| server.args.creds | string | `""` | | | server.args.ct_log_url | string | `""` | | | server.args.disable_ct_log | bool | `false` | | | server.args.gcp_private_ca_parent | string | `"projects/test/locations/us-east1/caPools/test"` | | | server.args.grpcPort | int | `5554` | | | server.args.hsm_caroot_id | string | `nil` | | | server.args.port | int | `5555` | | +| server.env.GOOGLE_APPLICATION_CREDENTIALS | string | `"/etc/fulcio-config/cloud_credentials"` | | | server.grpcSvcPort | int | `5554` | | | server.image.pullPolicy | string | `"IfNotPresent"` | | | server.image.registry | string | `"gcr.io"` | | diff --git a/charts/fulcio/templates/fulcio-configmap.yaml b/charts/fulcio/templates/fulcio-configmap.yaml index f8d30721..84837e5c 100644 --- a/charts/fulcio/templates/fulcio-configmap.yaml +++ b/charts/fulcio/templates/fulcio-configmap.yaml @@ -11,3 +11,4 @@ data: {{- if (eq .Values.server.args.certificateAuthority "kmsca")}} chain.pem: {{.Values.server.args.kms_cert_chain | quote }} {{- end }} + cloud_credentials: {{.Values.server.args.creds | quote }} diff --git a/charts/fulcio/templates/fulcio-deployment.yaml b/charts/fulcio/templates/fulcio-deployment.yaml index 6f3d9750..1a7c79b5 100644 --- a/charts/fulcio/templates/fulcio-deployment.yaml +++ b/charts/fulcio/templates/fulcio-deployment.yaml 
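Review bot: The new `cloud_credentials` entry writes what the schema in this commit calls a "Service Account token key json" into the server ConfigMap, which is readable by anyone with `get configmaps` in the namespace and is usually outside the encryption-at-rest and RBAC rules operators reserve for Secrets; the chart already routes its CA key through a Secret (`fulcio-server-secret`, mounted at /var/run/fulcio-secrets in the rendered manifest further down), and the credential should follow that path. It is also emitted unconditionally, so a default install renders `cloud_credentials: ""` (visible in fulcio_gen.yaml in this same commit), and an empty file at GOOGLE_APPLICATION_CREDENTIALS is not a usable credential. At minimum guard it: `{{- if .Values.server.args.creds }}` / `cloud_credentials: {{ .Values.server.args.creds | quote }}` / `{{- end }}`. The ConfigMap's `data:` mapping starts before this hunk.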
@@ -59,14 +59,27 @@ spec: - "--kms-cert-chain-path=/etc/fulcio-config/chain.pem" {{- end }} - "--ct-log-url={{ if .Values.server.args.disable_ct_log }}{{ else if .Values.server.args.ct_log_url }}{{ .Values.server.args.ct_log_url }}{{ else }}http://{{ .Values.ctlog.name }}.{{ .Values.ctlog.namespace.name }}.svc/{{ .Values.ctlog.createctconfig.logPrefix }}{{ end }}" - {{- if eq .Values.server.args.certificateAuthority "fileca" }} +{{- if .Values.server.env }} env: - - name: PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Values.server.secret }} - key: password - {{- end }} +{{- range $key, $value := .Values.server.env }} + - name: "{{ $key }}" + value: "{{ $value }}" +{{- end }} +{{- if eq .Values.server.args.certificateAuthority "fileca" }} + - name: PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.server.secret }} + key: password +{{- end }} +{{- else if eq .Values.server.args.certificateAuthority "fileca" }} + env: + - name: PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.server.secret }} + key: password +{{- end }} volumeMounts: - name: fulcio-config mountPath: /etc/fulcio-config diff --git a/charts/fulcio/values.schema.json b/charts/fulcio/values.schema.json index a67c08c2..ed951082 100644 --- a/charts/fulcio/values.schema.json +++ b/charts/fulcio/values.schema.json @@ -82,6 +82,7 @@ "grpcSvcPort", "image", "args", + "env", "serviceAccount", "service", "ingress", @@ -259,7 +260,15 @@ "examples": [ "https://ct.example.com/" ] + }, + "creds": { + "type": "string", + "default": "", + "title": "Google Cloud Web Identity JSON config / Service Account token key json", + "description": "If set, Fulcio will use these credentials to impersonate GCP service account from trusted external cloud providers", + "examples": [] } + }, "examples": [ { 
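Review bot: The PASSWORD `secretKeyRef` block is now written out twice, once inside `if .Values.server.env` and again in the `else if` branch, so the two copies can drift; a single `if or` around one `env:` list removes the duplication. Separately, `name: "{{ $key }}"` and `value: "{{ $value }}"` interpolate raw text into a double-quoted YAML scalar, so any value containing `"` or `\` (a JSON snippet, for example) breaks the rendered manifest, whereas `{{ $value | quote }}` escapes it. Ranging over a free-form map also lets any values key become an environment variable of the CA process, which is worth stating in the chart docs. The container spec continues outside the hunk.
```yaml
{{- if or .Values.server.env (eq .Values.server.args.certificateAuthority "fileca") }}
          env:
{{- range $key, $value := .Values.server.env }}
            - name: {{ $key | quote }}
              value: {{ $value | quote }}
{{- end }}
{{- if eq .Values.server.args.certificateAuthority "fileca" }}
            - name: PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.server.secret }}
                  key: password
{{- end }}
{{- end }}
          # … unchanged: volumeMounts …
```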
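Review bot: The `creds` title ("Google Cloud Web Identity JSON config / Service Account token key json") names two different things, a workload-identity federation credential-configuration file, which appears to be what the description's "impersonate GCP service account from trusted external cloud providers" means and holds no secret, and a service-account key, which is a long-lived secret; the description should say which is expected and that the value is written verbatim into the server's ConfigMap. Suggested description: `Workload-identity federation credential configuration JSON that Fulcio uses to reach GCP APIs; a service-account key also works but is a long-lived secret and is written into the server ConfigMap, so prefer the federation config`. `"examples": []` could carry an `{"type": "external_account", ...}` stub instead of staying empty. The enclosing `args.properties` object opens before this hunk.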
@@ -272,6 +281,18 @@ } ] }, + "env": { + "type": "object", + "default": {}, + "title": "The env Schema", + "required": [], + "properties": {}, + "examples": [ + { + "GOOGLE_APPLICATION_CREDENTIALS": "/etc/fulcio-config/cloud_credentials" + } + ] + }, "serviceAccount": { "type": "object", "default": {}, diff --git a/charts/fulcio/values.yaml b/charts/fulcio/values.yaml index f94d8a36..306786a7 100644 --- a/charts/fulcio/values.yaml +++ b/charts/fulcio/values.yaml @@ -20,9 +20,14 @@ server: # crane digest gcr.io/projectsigstore/fulcio:v1.3.1 # -- v1.3.1 version: sha256:c920be2d367214562cda7d53d3af3529edf2dfd9326b24909ece450092b97b18 + env: + # Valid values: path to workload identity config or service account key JSON file + GOOGLE_APPLICATION_CREDENTIALS: /etc/fulcio-config/cloud_credentials args: port: 5555 grpcPort: 5554 + # valid values: GCP workload identity config json for trusted external cloud providers + creds: "" # Valid values: googleca, pkcs11ca, aws-hsm-root-ca-path, fileca, kmsca certificateAuthority: fileca # kms_resource: gcpkms://.... diff --git a/fulcio_gen.yaml b/fulcio_gen.yaml new file mode 100644 index 00000000..812544ec --- /dev/null +++ b/fulcio_gen.yaml 
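Review bot: The comment on `creds` calls it a "workload identity config json", but the schema added in this commit also accepts a service-account key, and nothing says the value is secret material that ends up in values files and in the server ConfigMap; `creds` also sits under `server.args` although it is not passed as a CLI flag, which the comment should acknowledge. Suggested comment: `# GCP credential JSON (workload-identity federation config preferred; a service-account key is a long-lived secret). Not a CLI flag: written to the server ConfigMap as cloud_credentials, which server.env.GOOGLE_APPLICATION_CREDENTIALS must point at.` The `server:` mapping continues past both edges of the hunk.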
@@ -0,0 +1,607 @@ +--- +# Source: fulcio/charts/ctlog/templates/namespace.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: ctlog-system +--- +# Source: fulcio/charts/ctlog/templates/createctconfig-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: release-name-ctlog-createctconfig + namespace: ctlog-system + labels: + helm.sh/chart: ctlog-0.2.37 + app.kubernetes.io/name: ctlog + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "0.3.0" + app.kubernetes.io/managed-by: Helm + annotations: + {} +--- +# Source: fulcio/charts/ctlog/templates/createtree-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: ctlog-createtree + namespace: ctlog-system + labels: + helm.sh/chart: ctlog-0.2.37 + app.kubernetes.io/name: ctlog + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "0.3.0" + app.kubernetes.io/managed-by: Helm + annotations: + {} +--- +# Source: fulcio/charts/ctlog/templates/ctlog-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: ctlog + namespace: ctlog-system + labels: + helm.sh/chart: ctlog-0.2.37 + app.kubernetes.io/name: ctlog + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "0.3.0" + app.kubernetes.io/managed-by: Helm + annotations: + {} +--- +# Source: fulcio/templates/createcerts-serviceacount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: release-name-fulcio-createcerts + namespace: sigstore + labels: + helm.sh/chart: fulcio-2.4.2 + app.kubernetes.io/name: fulcio + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "1.3.1" + app.kubernetes.io/managed-by: Helm + annotations: + {} +--- +# Source: fulcio/templates/fulcio-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: release-name-fulcio-server + namespace: sigstore + labels: + helm.sh/chart: fulcio-2.4.2 + app.kubernetes.io/name: fulcio + app.kubernetes.io/instance: release-name + 
app.kubernetes.io/version: "1.3.1" + app.kubernetes.io/managed-by: Helm + annotations: + {} +--- +# Source: fulcio/charts/ctlog/templates/ctlog-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: ctlog-config + namespace: ctlog-system + labels: + helm.sh/chart: ctlog-0.2.37 + app.kubernetes.io/name: ctlog + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "0.3.0" + app.kubernetes.io/managed-by: Helm +data: + __placeholder: | + ################################################################### + # Just a placeholder so that reapplying this won't overwrite treeID + # if it already exists. This caused grief, do not remove. + ################################################################### +--- +# Source: fulcio/templates/fulcio-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: release-name-fulcio-server-config + namespace: sigstore + labels: + helm.sh/chart: fulcio-2.4.2 + app.kubernetes.io/name: fulcio + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "1.3.1" + app.kubernetes.io/managed-by: Helm +data: + config.json: |- + { + "OIDCIssuers": { + "https://kubernetes.default.svc": { + "IssuerURL": "https://kubernetes.default.svc", + "ClientID": "sigstore", + "Type": "kubernetes" + } + }, + "MetaIssuers": { + "https://kubernetes.*.svc": { + "ClientID": "sigstore", + "Type": "kubernetes" + } + } + } + cloud_credentials: "" +--- +# Source: fulcio/charts/ctlog/templates/cm-operator-role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: ctlog-cm-operator + namespace: ctlog-system + labels: + helm.sh/chart: ctlog-0.2.37 + app.kubernetes.io/name: ctlog + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "0.3.0" + app.kubernetes.io/managed-by: Helm +rules: + - apiGroups: [""] # "" indicates the core API group + resources: ["configmaps"] + resourceNames: ["ctlog-config"] + verbs: ["get", "update"] +--- +# Source: 
fulcio/charts/ctlog/templates/secret-operator-role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: ctlog-secret-operator + namespace: ctlog-system + labels: + helm.sh/chart: ctlog-0.2.37 + app.kubernetes.io/name: ctlog + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "0.3.0" + app.kubernetes.io/managed-by: Helm +rules: + - apiGroups: [""] # "" indicates the core API group + resources: ["configmaps"] + resourceNames: ["ctlog-config"] + verbs: ["get", "update"] + - apiGroups: [""] # "" indicates the core API group + resources: ["secrets"] + verbs: ["create", "get", "update"] +--- +# Source: fulcio/templates/secret-operator-role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: release-name-fulcio-server-secret-operator + namespace: sigstore + labels: + helm.sh/chart: fulcio-2.4.2 + app.kubernetes.io/name: fulcio + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "1.3.1" + app.kubernetes.io/managed-by: Helm +rules: + - apiGroups: [""] # "" indicates the core API group + resources: ["secrets"] + verbs: ["create", "get", "update"] +--- +# Source: fulcio/charts/ctlog/templates/cm-operator-rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: ctlog-cm-operator + namespace: ctlog-system + labels: + helm.sh/chart: ctlog-0.2.37 + app.kubernetes.io/name: ctlog + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "0.3.0" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ctlog-cm-operator +subjects: + - kind: ServiceAccount + name: ctlog-createtree + namespace: ctlog-system +--- +# Source: fulcio/charts/ctlog/templates/secret-operator-rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: ctlog-secret-operator + namespace: ctlog-system + labels: + helm.sh/chart: ctlog-0.2.37 + app.kubernetes.io/name: ctlog + 
app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "0.3.0" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ctlog-secret-operator +subjects: + - kind: ServiceAccount + name: release-name-ctlog-createctconfig + namespace: ctlog-system +--- +# Source: fulcio/templates/secret-operator-rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: release-name-fulcio-server-secret-operator + namespace: sigstore + labels: + helm.sh/chart: fulcio-2.4.2 + app.kubernetes.io/name: fulcio + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "1.3.1" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: release-name-fulcio-server-secret-operator +subjects: + - kind: ServiceAccount + name: release-name-fulcio-createcerts + namespace: sigstore +--- +# Source: fulcio/charts/ctlog/templates/ctlog-service.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: ctlog-0.2.37 + app.kubernetes.io/name: ctlog + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "0.3.0" + app.kubernetes.io/managed-by: Helm + name: ctlog + namespace: ctlog-system +spec: + ports: + - name: 6962-tcp + port: 80 + protocol: TCP + targetPort: 6962 + - name: 6963-tcp + port: 6963 + protocol: TCP + targetPort: 6963 + selector: + app.kubernetes.io/name: ctlog + app.kubernetes.io/instance: release-name + type: "ClusterIP" +--- +# Source: fulcio/templates/fulcio-service.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: fulcio-2.4.2 + app.kubernetes.io/name: fulcio + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "1.3.1" + app.kubernetes.io/managed-by: Helm + name: release-name-fulcio-server + namespace: sigstore +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 5555 + - name: grpc + port: 5554 + protocol: TCP + targetPort: 5554 + - 
name: 2112-tcp + port: 2112 + protocol: TCP + targetPort: 2112 + selector: + app.kubernetes.io/name: fulcio + app.kubernetes.io/instance: release-name + type: "ClusterIP" +--- +# Source: fulcio/charts/ctlog/templates/ctlog-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ctlog + namespace: ctlog-system + labels: + helm.sh/chart: ctlog-0.2.37 + app.kubernetes.io/name: ctlog + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "0.3.0" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: ctlog + app.kubernetes.io/instance: release-name + template: + metadata: + annotations: + checksum/config: b94af4d324905711b8078a98d1acf2688381fe98eeef567be31295a879f6eadd + prometheus.io/path: /metrics + prometheus.io/port: "6963" + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/name: ctlog + app.kubernetes.io/instance: release-name + spec: + serviceAccountName: ctlog + containers: + - name: ctlog + image: "ghcr.io/sigstore/scaffolding/ct_server@sha256:7c791d3b7c15e817807f07d4cdb00406529a114702ad448ee857e1d0fc5fb5a9" + imagePullPolicy: "IfNotPresent" + args: + - "--http_endpoint=0.0.0.0:6962" + - "--metrics_endpoint=0.0.0.0:6963" + - "--log_config=/ctfe-keys/config" + - "--alsologtostderr" + volumeMounts: + - name: keys + mountPath: "/ctfe-keys" + readOnly: true + ports: + - containerPort: 6962 + protocol: TCP + - containerPort: 6963 + protocol: TCP + securityContext: + runAsNonRoot: true + runAsUser: 65533 + volumes: + - name: keys + secret: + secretName: ctlog-secret +--- +# Source: fulcio/templates/fulcio-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: release-name-fulcio-server + namespace: sigstore + labels: + helm.sh/chart: fulcio-2.4.2 + app.kubernetes.io/name: fulcio + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "1.3.1" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + 
app.kubernetes.io/name: fulcio + app.kubernetes.io/instance: release-name + template: + metadata: + annotations: + checksum/config: da411967324f350f169be60798759837cbbeedc571c9bb27a670752103d1b40d + labels: + app.kubernetes.io/name: fulcio + app.kubernetes.io/instance: release-name + spec: + serviceAccountName: release-name-fulcio-server + # This doesn't actually use Kubernetes credentials, so don't mount them in. + automountServiceAccountToken: true + containers: + - name: release-name-fulcio-server + image: "gcr.io/projectsigstore/fulcio@sha256:c920be2d367214562cda7d53d3af3529edf2dfd9326b24909ece450092b97b18" + imagePullPolicy: "IfNotPresent" + ports: + - containerPort: 5555 + protocol: TCP + - containerPort: 5554 + protocol: TCP + - containerPort: 2112 + protocol: TCP + args: + - "serve" + - "--port=5555" + - "--grpc-port=5554" + - "--ca=fileca" + - "--fileca-key" + - "/var/run/fulcio-secrets/key.pem" + - "--fileca-cert" + - "/var/run/fulcio-secrets/cert.pem" + - "--fileca-key-passwd" + - "$(PASSWORD)" + - "--ct-log-url=http://ctlog.ctlog-system.svc/fulcio" + env: + - name: "GOOGLE_APPLICATION_CREDENTIALS" + value: "/etc/fulcio-config/cloud_credentials" + - name: PASSWORD + valueFrom: + secretKeyRef: + name: fulcio-server-secret + key: password + volumeMounts: + - name: fulcio-config + mountPath: /etc/fulcio-config + - name: oidc-info + mountPath: /var/run/fulcio + - name: fulcio-cert + mountPath: "/var/run/fulcio-secrets" + readOnly: true + securityContext: + runAsNonRoot: true + runAsUser: 65533 + volumes: + - name: fulcio-config + configMap: + name: release-name-fulcio-server-config + - name: oidc-info + projected: + sources: + - configMap: + name: kube-root-ca.crt + items: + - key: ca.crt + path: ca.crt + mode: 0666 + - name: fulcio-cert + secret: + secretName: fulcio-server-secret + items: + - key: private + path: key.pem + - key: cert + path: cert.pem +--- +# Source: fulcio/charts/ctlog/templates/createctconfig-job.yaml +apiVersion: batch/v1 +kind: Job 
+metadata: + name: release-name-ctlog-createctconfig + namespace: ctlog-system + labels: + helm.sh/chart: ctlog-0.2.37 + app.kubernetes.io/name: ctlog + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "0.3.0" + app.kubernetes.io/managed-by: Helm +spec: + ttlSecondsAfterFinished: 3600 + backoffLimit: 6 + template: + spec: + serviceAccountName: release-name-ctlog-createctconfig + restartPolicy: Never + automountServiceAccountToken: true + initContainers: + - name: "wait-for-createtree-configmap" + image: "docker.io/curlimages/curl@sha256:dca6e1b1c8e7b8b8e7be4e79fc78a858d12fd56245cb31bfa281dbf7c73a6498" + imagePullPolicy: IfNotPresent + command: ["sh", "-c", "until curl --fail --header \"Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\" --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt --max-time 10 https://kubernetes.default.svc/api/v1/namespaces/$(NAMESPACE)/configmaps/ctlog-config | grep '\"treeID\":'; do echo waiting for Configmap ctlog-config; sleep 5; done;"] + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + containers: + - name: release-name-ctlog-createctconfig + image: "ghcr.io/sigstore/scaffolding/createctconfig@sha256:024e3451af712070a807124f82c5a8a9c84343c17ec17a2d2832229a6ac0cb0e" + imagePullPolicy: "IfNotPresent" + args: [ + "--configmap=ctlog-config", + "--secret=ctlog-secret", + "--pubkeysecret=ctlog-public-key", + "--fulcio-url=http://fulcio-server.fulcio-system.svc", + "--trillian-server=trillian-logserver.trillian-system:8091", + "--log-prefix=fulcio" + ] + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + securityContext: + runAsNonRoot: true + runAsUser: 65533 +--- +# Source: fulcio/charts/ctlog/templates/createtree-job.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: ctlog-createtree + namespace: ctlog-system + labels: + helm.sh/chart: ctlog-0.2.37 + app.kubernetes.io/name: ctlog + 
app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "0.3.0" + app.kubernetes.io/managed-by: Helm +spec: + ttlSecondsAfterFinished: 3600 + template: + spec: + serviceAccountName: ctlog-createtree + restartPolicy: Never + automountServiceAccountToken: true + containers: + - name: ctlog-createtree + image: "ghcr.io/sigstore/scaffolding/createtree@sha256:d5776d8a43632291e1c5a22a9266608db0daa0a11663445d701e327f2205974c" + imagePullPolicy: "IfNotPresent" + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + args: [ + "--namespace=$(NAMESPACE)", + "--configmap=ctlog-config", + "--display_name=ctlog-tree", + "--admin_server=trillian-logserver.trillian-system:8091" + ] + securityContext: + runAsNonRoot: true + runAsUser: 65533 +--- +# Source: fulcio/templates/createcerts-job.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: release-name-fulcio-createcerts + namespace: sigstore + labels: + helm.sh/chart: fulcio-2.4.2 + app.kubernetes.io/name: fulcio + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "1.3.1" + app.kubernetes.io/managed-by: Helm +spec: + ttlSecondsAfterFinished: 3600 + template: + spec: + serviceAccountName: release-name-fulcio-createcerts + restartPolicy: Never + automountServiceAccountToken: true + containers: + - name: release-name-fulcio-createcerts + image: "ghcr.io/sigstore/scaffolding/createcerts@sha256:73e7ac35d0e5169bd14a5cb6caed2e7d44277dec3d1de92e08f4d055523089a1" + imagePullPolicy: "IfNotPresent" + args: ["--secret=fulcio-server-secret"] + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + securityContext: + runAsNonRoot: true + runAsUser: 65533 +--- +# Source: fulcio/templates/fulcio-http-ingress.yaml +apiVersion: "networking.k8s.io/v1" +kind: Ingress +metadata: + labels: + helm.sh/chart: fulcio-2.4.2 + app.kubernetes.io/name: fulcio + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "1.3.1" + 
app.kubernetes.io/managed-by: Helm + name: release-name-fulcio-server-http + namespace: sigstore + annotations: + {} +spec: + ingressClassName: nginx + rules: + - host: "fulcio.localhost" + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: release-name-fulcio-server + port: + number: 80 From bef4aba9bf4b46b15991d39c79c3d51208186a54 Mon Sep 17 00:00:00 2001 From: saisatish karra Date: Fri, 19 May 2023 09:02:19 -0500 Subject: [PATCH 2/4] fix(helm): make env variable optional Signed-off-by: saisatish karra --- charts/fulcio/values.schema.json | 2 - charts/fulcio/values.yaml | 6 +- fulcio_gen.yaml | 607 ------------------------------- 3 files changed, 3 insertions(+), 612 deletions(-) delete mode 100644 fulcio_gen.yaml diff --git a/charts/fulcio/values.schema.json b/charts/fulcio/values.schema.json index ed951082..712dbba8 100644 --- a/charts/fulcio/values.schema.json +++ b/charts/fulcio/values.schema.json @@ -82,7 +82,6 @@ "grpcSvcPort", "image", "args", - "env", "serviceAccount", "service", "ingress", @@ -285,7 +284,6 @@ "type": "object", "default": {}, "title": "The env Schema", - "required": [], "properties": {}, "examples": [ { diff --git a/charts/fulcio/values.yaml b/charts/fulcio/values.yaml index 306786a7..e957fb38 100644 --- a/charts/fulcio/values.yaml +++ b/charts/fulcio/values.yaml @@ -20,9 +20,9 @@ server: # crane digest gcr.io/projectsigstore/fulcio:v1.3.1 # -- v1.3.1 version: sha256:c920be2d367214562cda7d53d3af3529edf2dfd9326b24909ece450092b97b18 - env: - # Valid values: path to workload identity config or service account key JSON file - GOOGLE_APPLICATION_CREDENTIALS: /etc/fulcio-config/cloud_credentials + # env: + # # Valid values: path to workload identity config or service account key JSON file + # GOOGLE_APPLICATION_CREDENTIALS: /etc/fulcio-config/cloud_credentials args: port: 5555 grpcPort: 5554 diff --git a/fulcio_gen.yaml b/fulcio_gen.yaml deleted file mode 100644 index 812544ec..00000000 
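Review bot: With the `env` block commented out, a user who sets `server.args.creds` alone gets a `cloud_credentials` file in the ConfigMap that nothing reads, because no environment variable points GOOGLE_APPLICATION_CREDENTIALS at it; the commented block should say the two settings go together. Suggested comment above `# env:`: `# Required when server.args.creds is set; the path must match the fulcio-config mountPath (/etc/fulcio-config).` The `server:` mapping continues past both edges of the hunk.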
--- a/fulcio_gen.yaml +++ /dev/null 
@@ -1,607 +0,0 @@ ---- -# Source: fulcio/charts/ctlog/templates/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: ctlog-system ---- -# Source: fulcio/charts/ctlog/templates/createctconfig-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: release-name-ctlog-createctconfig - namespace: ctlog-system - labels: - helm.sh/chart: ctlog-0.2.37 - app.kubernetes.io/name: ctlog - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "0.3.0" - app.kubernetes.io/managed-by: Helm - annotations: - {} ---- -# Source: fulcio/charts/ctlog/templates/createtree-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ctlog-createtree - namespace: ctlog-system - labels: - helm.sh/chart: ctlog-0.2.37 - app.kubernetes.io/name: ctlog - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "0.3.0" - app.kubernetes.io/managed-by: Helm - annotations: - {} ---- -# Source: fulcio/charts/ctlog/templates/ctlog-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ctlog - namespace: ctlog-system - labels: - helm.sh/chart: ctlog-0.2.37 - app.kubernetes.io/name: ctlog - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "0.3.0" - app.kubernetes.io/managed-by: Helm - annotations: - {} ---- -# Source: fulcio/templates/createcerts-serviceacount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: release-name-fulcio-createcerts - namespace: sigstore - labels: - helm.sh/chart: fulcio-2.4.2 - app.kubernetes.io/name: fulcio - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "1.3.1" - app.kubernetes.io/managed-by: Helm - annotations: - {} ---- -# Source: fulcio/templates/fulcio-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: release-name-fulcio-server - namespace: sigstore - labels: - helm.sh/chart: fulcio-2.4.2 - app.kubernetes.io/name: fulcio - app.kubernetes.io/instance: release-name - 
app.kubernetes.io/version: "1.3.1" - app.kubernetes.io/managed-by: Helm - annotations: - {} ---- -# Source: fulcio/charts/ctlog/templates/ctlog-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: ctlog-config - namespace: ctlog-system - labels: - helm.sh/chart: ctlog-0.2.37 - app.kubernetes.io/name: ctlog - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "0.3.0" - app.kubernetes.io/managed-by: Helm -data: - __placeholder: | - ################################################################### - # Just a placeholder so that reapplying this won't overwrite treeID - # if it already exists. This caused grief, do not remove. - ################################################################### ---- -# Source: fulcio/templates/fulcio-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: release-name-fulcio-server-config - namespace: sigstore - labels: - helm.sh/chart: fulcio-2.4.2 - app.kubernetes.io/name: fulcio - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "1.3.1" - app.kubernetes.io/managed-by: Helm -data: - config.json: |- - { - "OIDCIssuers": { - "https://kubernetes.default.svc": { - "IssuerURL": "https://kubernetes.default.svc", - "ClientID": "sigstore", - "Type": "kubernetes" - } - }, - "MetaIssuers": { - "https://kubernetes.*.svc": { - "ClientID": "sigstore", - "Type": "kubernetes" - } - } - } - cloud_credentials: "" ---- -# Source: fulcio/charts/ctlog/templates/cm-operator-role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: ctlog-cm-operator - namespace: ctlog-system - labels: - helm.sh/chart: ctlog-0.2.37 - app.kubernetes.io/name: ctlog - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "0.3.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: [""] # "" indicates the core API group - resources: ["configmaps"] - resourceNames: ["ctlog-config"] - verbs: ["get", "update"] ---- -# Source: 
fulcio/charts/ctlog/templates/secret-operator-role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: ctlog-secret-operator - namespace: ctlog-system - labels: - helm.sh/chart: ctlog-0.2.37 - app.kubernetes.io/name: ctlog - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "0.3.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: [""] # "" indicates the core API group - resources: ["configmaps"] - resourceNames: ["ctlog-config"] - verbs: ["get", "update"] - - apiGroups: [""] # "" indicates the core API group - resources: ["secrets"] - verbs: ["create", "get", "update"] ---- -# Source: fulcio/templates/secret-operator-role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: release-name-fulcio-server-secret-operator - namespace: sigstore - labels: - helm.sh/chart: fulcio-2.4.2 - app.kubernetes.io/name: fulcio - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "1.3.1" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: [""] # "" indicates the core API group - resources: ["secrets"] - verbs: ["create", "get", "update"] ---- -# Source: fulcio/charts/ctlog/templates/cm-operator-rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: ctlog-cm-operator - namespace: ctlog-system - labels: - helm.sh/chart: ctlog-0.2.37 - app.kubernetes.io/name: ctlog - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "0.3.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ctlog-cm-operator -subjects: - - kind: ServiceAccount - name: ctlog-createtree - namespace: ctlog-system ---- -# Source: fulcio/charts/ctlog/templates/secret-operator-rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: ctlog-secret-operator - namespace: ctlog-system - labels: - helm.sh/chart: ctlog-0.2.37 - app.kubernetes.io/name: ctlog - 
app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "0.3.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ctlog-secret-operator -subjects: - - kind: ServiceAccount - name: release-name-ctlog-createctconfig - namespace: ctlog-system ---- -# Source: fulcio/templates/secret-operator-rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: release-name-fulcio-server-secret-operator - namespace: sigstore - labels: - helm.sh/chart: fulcio-2.4.2 - app.kubernetes.io/name: fulcio - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "1.3.1" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: release-name-fulcio-server-secret-operator -subjects: - - kind: ServiceAccount - name: release-name-fulcio-createcerts - namespace: sigstore ---- -# Source: fulcio/charts/ctlog/templates/ctlog-service.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - helm.sh/chart: ctlog-0.2.37 - app.kubernetes.io/name: ctlog - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "0.3.0" - app.kubernetes.io/managed-by: Helm - name: ctlog - namespace: ctlog-system -spec: - ports: - - name: 6962-tcp - port: 80 - protocol: TCP - targetPort: 6962 - - name: 6963-tcp - port: 6963 - protocol: TCP - targetPort: 6963 - selector: - app.kubernetes.io/name: ctlog - app.kubernetes.io/instance: release-name - type: "ClusterIP" ---- -# Source: fulcio/templates/fulcio-service.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - helm.sh/chart: fulcio-2.4.2 - app.kubernetes.io/name: fulcio - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "1.3.1" - app.kubernetes.io/managed-by: Helm - name: release-name-fulcio-server - namespace: sigstore -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: 5555 - - name: grpc - port: 5554 - protocol: TCP - targetPort: 5554 - - 
name: 2112-tcp - port: 2112 - protocol: TCP - targetPort: 2112 - selector: - app.kubernetes.io/name: fulcio - app.kubernetes.io/instance: release-name - type: "ClusterIP" ---- -# Source: fulcio/charts/ctlog/templates/ctlog-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ctlog - namespace: ctlog-system - labels: - helm.sh/chart: ctlog-0.2.37 - app.kubernetes.io/name: ctlog - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "0.3.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: ctlog - app.kubernetes.io/instance: release-name - template: - metadata: - annotations: - checksum/config: b94af4d324905711b8078a98d1acf2688381fe98eeef567be31295a879f6eadd - prometheus.io/path: /metrics - prometheus.io/port: "6963" - prometheus.io/scrape: "true" - labels: - app.kubernetes.io/name: ctlog - app.kubernetes.io/instance: release-name - spec: - serviceAccountName: ctlog - containers: - - name: ctlog - image: "ghcr.io/sigstore/scaffolding/ct_server@sha256:7c791d3b7c15e817807f07d4cdb00406529a114702ad448ee857e1d0fc5fb5a9" - imagePullPolicy: "IfNotPresent" - args: - - "--http_endpoint=0.0.0.0:6962" - - "--metrics_endpoint=0.0.0.0:6963" - - "--log_config=/ctfe-keys/config" - - "--alsologtostderr" - volumeMounts: - - name: keys - mountPath: "/ctfe-keys" - readOnly: true - ports: - - containerPort: 6962 - protocol: TCP - - containerPort: 6963 - protocol: TCP - securityContext: - runAsNonRoot: true - runAsUser: 65533 - volumes: - - name: keys - secret: - secretName: ctlog-secret ---- -# Source: fulcio/templates/fulcio-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: release-name-fulcio-server - namespace: sigstore - labels: - helm.sh/chart: fulcio-2.4.2 - app.kubernetes.io/name: fulcio - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "1.3.1" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - selector: - matchLabels: - 
app.kubernetes.io/name: fulcio - app.kubernetes.io/instance: release-name - template: - metadata: - annotations: - checksum/config: da411967324f350f169be60798759837cbbeedc571c9bb27a670752103d1b40d - labels: - app.kubernetes.io/name: fulcio - app.kubernetes.io/instance: release-name - spec: - serviceAccountName: release-name-fulcio-server - # This doesn't actually use Kubernetes credentials, so don't mount them in. - automountServiceAccountToken: true - containers: - - name: release-name-fulcio-server - image: "gcr.io/projectsigstore/fulcio@sha256:c920be2d367214562cda7d53d3af3529edf2dfd9326b24909ece450092b97b18" - imagePullPolicy: "IfNotPresent" - ports: - - containerPort: 5555 - protocol: TCP - - containerPort: 5554 - protocol: TCP - - containerPort: 2112 - protocol: TCP - args: - - "serve" - - "--port=5555" - - "--grpc-port=5554" - - "--ca=fileca" - - "--fileca-key" - - "/var/run/fulcio-secrets/key.pem" - - "--fileca-cert" - - "/var/run/fulcio-secrets/cert.pem" - - "--fileca-key-passwd" - - "$(PASSWORD)" - - "--ct-log-url=http://ctlog.ctlog-system.svc/fulcio" - env: - - name: "GOOGLE_APPLICATION_CREDENTIALS" - value: "/etc/fulcio-config/cloud_credentials" - - name: PASSWORD - valueFrom: - secretKeyRef: - name: fulcio-server-secret - key: password - volumeMounts: - - name: fulcio-config - mountPath: /etc/fulcio-config - - name: oidc-info - mountPath: /var/run/fulcio - - name: fulcio-cert - mountPath: "/var/run/fulcio-secrets" - readOnly: true - securityContext: - runAsNonRoot: true - runAsUser: 65533 - volumes: - - name: fulcio-config - configMap: - name: release-name-fulcio-server-config - - name: oidc-info - projected: - sources: - - configMap: - name: kube-root-ca.crt - items: - - key: ca.crt - path: ca.crt - mode: 0666 - - name: fulcio-cert - secret: - secretName: fulcio-server-secret - items: - - key: private - path: key.pem - - key: cert - path: cert.pem ---- -# Source: fulcio/charts/ctlog/templates/createctconfig-job.yaml -apiVersion: batch/v1 -kind: Job 
-metadata: - name: release-name-ctlog-createctconfig - namespace: ctlog-system - labels: - helm.sh/chart: ctlog-0.2.37 - app.kubernetes.io/name: ctlog - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "0.3.0" - app.kubernetes.io/managed-by: Helm -spec: - ttlSecondsAfterFinished: 3600 - backoffLimit: 6 - template: - spec: - serviceAccountName: release-name-ctlog-createctconfig - restartPolicy: Never - automountServiceAccountToken: true - initContainers: - - name: "wait-for-createtree-configmap" - image: "docker.io/curlimages/curl@sha256:dca6e1b1c8e7b8b8e7be4e79fc78a858d12fd56245cb31bfa281dbf7c73a6498" - imagePullPolicy: IfNotPresent - command: ["sh", "-c", "until curl --fail --header \"Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\" --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt --max-time 10 https://kubernetes.default.svc/api/v1/namespaces/$(NAMESPACE)/configmaps/ctlog-config | grep '\"treeID\":'; do echo waiting for Configmap ctlog-config; sleep 5; done;"] - env: - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - containers: - - name: release-name-ctlog-createctconfig - image: "ghcr.io/sigstore/scaffolding/createctconfig@sha256:024e3451af712070a807124f82c5a8a9c84343c17ec17a2d2832229a6ac0cb0e" - imagePullPolicy: "IfNotPresent" - args: [ - "--configmap=ctlog-config", - "--secret=ctlog-secret", - "--pubkeysecret=ctlog-public-key", - "--fulcio-url=http://fulcio-server.fulcio-system.svc", - "--trillian-server=trillian-logserver.trillian-system:8091", - "--log-prefix=fulcio" - ] - env: - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - runAsNonRoot: true - runAsUser: 65533 ---- -# Source: fulcio/charts/ctlog/templates/createtree-job.yaml -apiVersion: batch/v1 -kind: Job -metadata: - name: ctlog-createtree - namespace: ctlog-system - labels: - helm.sh/chart: ctlog-0.2.37 - app.kubernetes.io/name: ctlog - 
app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "0.3.0" - app.kubernetes.io/managed-by: Helm -spec: - ttlSecondsAfterFinished: 3600 - template: - spec: - serviceAccountName: ctlog-createtree - restartPolicy: Never - automountServiceAccountToken: true - containers: - - name: ctlog-createtree - image: "ghcr.io/sigstore/scaffolding/createtree@sha256:d5776d8a43632291e1c5a22a9266608db0daa0a11663445d701e327f2205974c" - imagePullPolicy: "IfNotPresent" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - args: [ - "--namespace=$(NAMESPACE)", - "--configmap=ctlog-config", - "--display_name=ctlog-tree", - "--admin_server=trillian-logserver.trillian-system:8091" - ] - securityContext: - runAsNonRoot: true - runAsUser: 65533 ---- -# Source: fulcio/templates/createcerts-job.yaml -apiVersion: batch/v1 -kind: Job -metadata: - name: release-name-fulcio-createcerts - namespace: sigstore - labels: - helm.sh/chart: fulcio-2.4.2 - app.kubernetes.io/name: fulcio - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "1.3.1" - app.kubernetes.io/managed-by: Helm -spec: - ttlSecondsAfterFinished: 3600 - template: - spec: - serviceAccountName: release-name-fulcio-createcerts - restartPolicy: Never - automountServiceAccountToken: true - containers: - - name: release-name-fulcio-createcerts - image: "ghcr.io/sigstore/scaffolding/createcerts@sha256:73e7ac35d0e5169bd14a5cb6caed2e7d44277dec3d1de92e08f4d055523089a1" - imagePullPolicy: "IfNotPresent" - args: ["--secret=fulcio-server-secret"] - env: - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - runAsNonRoot: true - runAsUser: 65533 ---- -# Source: fulcio/templates/fulcio-http-ingress.yaml -apiVersion: "networking.k8s.io/v1" -kind: Ingress -metadata: - labels: - helm.sh/chart: fulcio-2.4.2 - app.kubernetes.io/name: fulcio - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "1.3.1" - 
app.kubernetes.io/managed-by: Helm - name: release-name-fulcio-server-http - namespace: sigstore - annotations: - {} -spec: - ingressClassName: nginx - rules: - - host: "fulcio.localhost" - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: release-name-fulcio-server - port: - number: 80 From a03c22af465307a15924916750ffc1ca550ba67e Mon Sep 17 00:00:00 2001 From: saisatish karra Date: Sun, 21 May 2023 14:32:00 -0500 Subject: [PATCH 3/4] modify env variable type Signed-off-by: saisatish karra --- charts/fulcio/README.md | 2 +- charts/fulcio/values.yaml | 4 +--- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/charts/fulcio/README.md b/charts/fulcio/README.md index 6d29449b..799b2e0d 100644 --- a/charts/fulcio/README.md +++ b/charts/fulcio/README.md @@ -116,7 +116,7 @@ helm uninstall [RELEASE_NAME] | server.args.grpcPort | int | `5554` | | | server.args.hsm_caroot_id | string | `nil` | | | server.args.port | int | `5555` | | -| server.env.GOOGLE_APPLICATION_CREDENTIALS | string | `"/etc/fulcio-config/cloud_credentials"` | | +| server.env | object | `{}` | | | server.grpcSvcPort | int | `5554` | | | server.image.pullPolicy | string | `"IfNotPresent"` | | | server.image.registry | string | `"gcr.io"` | | diff --git a/charts/fulcio/values.yaml b/charts/fulcio/values.yaml index e957fb38..20976e5c 100644 --- a/charts/fulcio/values.yaml +++ b/charts/fulcio/values.yaml @@ -20,9 +20,7 @@ server: # crane digest gcr.io/projectsigstore/fulcio:v1.3.1 # -- v1.3.1 version: sha256:c920be2d367214562cda7d53d3af3529edf2dfd9326b24909ece450092b97b18 - # env: - # # Valid values: path to workload identity config or service account key JSON file - # GOOGLE_APPLICATION_CREDENTIALS: /etc/fulcio-config/cloud_credentials + env: {} args: port: 5555 grpcPort: 5554 From 10128339c6ebe312eb4271ad678ffa58a2d28215 Mon Sep 17 00:00:00 2001 
From: saisatish karra Date: Thu, 25 May 2023 08:33:00 -0500 Subject: [PATCH 4/4] improve naming scheme for extrernal credential config Signed-off-by: saisatish karra --- charts/fulcio/Chart.yaml | 2 +- charts/fulcio/README.md | 4 ++-- charts/fulcio/templates/fulcio-configmap.yaml | 4 +++- charts/fulcio/values.schema.json | 4 ++-- charts/fulcio/values.yaml | 2 +- 5 files changed, 9 insertions(+), 7 deletions(-) diff --git a/charts/fulcio/Chart.yaml b/charts/fulcio/Chart.yaml index 8c281bba..d86afc99 100644 --- a/charts/fulcio/Chart.yaml +++ b/charts/fulcio/Chart.yaml @@ -5,7 +5,7 @@ description: | type: application -version: 2.4.2 +version: 2.4.0 appVersion: 1.3.1 keywords: diff --git a/charts/fulcio/README.md b/charts/fulcio/README.md index 799b2e0d..636a5888 100644 --- a/charts/fulcio/README.md +++ b/charts/fulcio/README.md @@ -2,7 +2,7 @@ -![Version: 2.4.2](https://img.shields.io/badge/Version-2.4.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.1](https://img.shields.io/badge/AppVersion-1.3.1-informational?style=flat-square) +![Version: 2.4.0](https://img.shields.io/badge/Version-2.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.1](https://img.shields.io/badge/AppVersion-1.3.1-informational?style=flat-square) Fulcio is a free code signing Certificate Authority, built to make short-lived certificates available to anyone. 
@@ -109,7 +109,7 @@ helm uninstall [RELEASE_NAME]
 | namespace.name | string | `"fulcio-system"` | |
 | server.args.aws_hsm_root_ca_path | string | `nil` | |
 | server.args.certificateAuthority | string | `"fileca"` | |
-| server.args.creds | string | `""` | |
+| server.args.cloud_credential_config | string | `""` | |
 | server.args.ct_log_url | string | `""` | |
 | server.args.disable_ct_log | bool | `false` | |
 | server.args.gcp_private_ca_parent | string | `"projects/test/locations/us-east1/caPools/test"` | |
diff --git a/charts/fulcio/templates/fulcio-configmap.yaml b/charts/fulcio/templates/fulcio-configmap.yaml
index 84837e5c..3cf87b5d 100644
--- a/charts/fulcio/templates/fulcio-configmap.yaml
+++ b/charts/fulcio/templates/fulcio-configmap.yaml
@@ -11,4 +11,6 @@ data:
   {{- if (eq .Values.server.args.certificateAuthority "kmsca")}}
   chain.pem: {{.Values.server.args.kms_cert_chain | quote }}
   {{- end }}
-  cloud_credentials: {{.Values.server.args.creds | quote }}
+  {{- if .Values.server.args.cloud_credential_config }}
+  cloud_credential_config: {{.Values.server.args.cloud_credential_config | quote }}
+  {{- end }}
diff --git a/charts/fulcio/values.schema.json b/charts/fulcio/values.schema.json
index 712dbba8..50871cb2 100644
--- a/charts/fulcio/values.schema.json
+++ b/charts/fulcio/values.schema.json
@@ -260,7 +260,7 @@
             "https://ct.example.com/"
           ]
         },
-        "creds": {
+        "cloud_credential_config": {
           "type": "string",
           "default": "",
           "title": "Google Cloud Web Identity JSON config / Service Account token key json",
@@ -287,7 +287,7 @@
           "properties": {},
           "examples": [
             {
-              "GOOGLE_APPLICATION_CREDENTIALS": "/etc/fulcio-config/cloud_credentials"
+              "GOOGLE_APPLICATION_CREDENTIALS": "/etc/fulcio-config/cloud_credential_config"
             }
           ]
         },
diff --git a/charts/fulcio/values.yaml b/charts/fulcio/values.yaml
index 20976e5c..a9f09933 100644
--- a/charts/fulcio/values.yaml
+++ b/charts/fulcio/values.yaml
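Review bot: The added `cloud_credential_config` entry writes the credential JSON into the fulcio ConfigMap, yet the values.schema.json hunk on this same line titles the field "Google Cloud Web Identity JSON config / Service Account token key json", so a user who supplies a service-account key as the schema permits ends up with a long-lived private key in a ConfigMap: not a Secret, readable by any principal with `get configmaps` in the namespace, and echoed by `helm get values`. A workload identity federation config normally carries no secret material (it names the STS audience and where to read a token), so the safe options are to restrict the field to that and say so, or to render the value into a Secret the deployment mounts instead. A minimum fix is a comment above the new `{{- if ... }}` block: `# rendered into a ConfigMap, not a Secret: accept only a workload identity federation config here, never a service account key`. The `data:` mapping this hunk extends begins outside the hunk.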
@@ -25,7 +25,7 @@ server:
     port: 5555
     grpcPort: 5554
     # valid values: GCP workload identity config json for trusted external cloud providers
-    creds: ""
+    cloud_credential_config: ""
     # Valid values: googleca, pkcs11ca, aws-hsm-root-ca-path, fileca, kmsca
     certificateAuthority: fileca
     # kms_resource: gcpkms://....
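Review bot: The comment above the renamed `cloud_credential_config` key says "valid values: GCP workload identity config json", while the schema title for the same field also admits a service-account key JSON, and neither says that the value is the file's contents rather than a path, which is what the configmap template's `| quote` rendering implies. Because the value lands in a ConfigMap, the comment should pin the format and warn against secrets: `# Contents (not a path) of a GCP workload identity federation config JSON; rendered into the fulcio ConfigMap, so never place a service account key here.` The `args:` mapping this hunk edits starts outside the hunk.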