add kind e2e setup (securesign#24)

* add kind Signed-off-by: Sally O'Malley <[email protected]> * add servicemonitor crd to kind Signed-off-by: Sally O'Malley <[email protected]> * update chart version & add test cert/keys Signed-off-by: Sally O'Malley <[email protected]> * update cosign deployment with runAsUser & Keycloak->OIDC Signed-off-by: Sally O'Malley <[email protected]> * add gitleaks pre-commit to ignore test cert & keys Signed-off-by: Sally O'Malley <[email protected]> * add helm test Signed-off-by: Sally O'Malley <[email protected]> * add kind config file Signed-off-by: Sally O'Malley <[email protected]> * comment workflow * cosign deployment update Signed-off-by: Sally O'Malley <[email protected]> * kind cluster merge don't overwrite kubeconfig Signed-off-by: Sally O'Malley <[email protected]> * uncomment gh action test * add ci ct-install values Signed-off-by: Sally O'Malley <[email protected]> * add oc to gh workflow Signed-off-by: Sally O'Malley <[email protected]> Co-authored-by: Jason Power <[email protected]> * add workflow_dispatch Signed-off-by: Sally O'Malley <[email protected]> * bump chart * add helm test workflow Signed-off-by: Sally O'Malley <[email protected]> * update workflow Signed-off-by: Sally O'Malley <[email protected]> --------- Signed-off-by: Sally O'Malley <[email protected]> Co-authored-by: Jason Power <[email protected]>
lkatalin · Oct 16, 2023 · 55c89d3 · 55c89d3
1 parent 080fba8
commit 55c89d3
Show file tree

Hide file tree

Showing 21 changed files with 1,058 additions and 68 deletions.
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -1,9 +1,11 @@
 name: Lint Charts
 
 on:
-  pull_request:
-    paths:
-      - "charts/**"
+  workflow_dispatch:
+  #pull_request:
+  #  paths:
+  #    - "charts/**"
+  #    - ".github/**"
 
 jobs:
   check-metadata:
@@ -57,8 +59,34 @@ jobs:
       - name: Run chart-testing (lint)
         run: ct lint --config ct.yaml
 
-      #- name: Create KIND Cluster
-      #  uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
+      - name: Create KinD Cluster
+        uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
+        with:
+            config: ./kind/config.yaml
+
+      - name: Install OpenShift CLI
+        run: |
+          curl -L https://mirror.openshift.com/pub/openshift-v4/clients/oc/latest/linux/oc.tar.gz | tar xvz
+          sudo mv oc /usr/local/bin/
+          oc version
+
+      - name: Configure KinD
+        run: |
+          kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
+          kubectl apply -f ./kind/servicemonitor-crd.yaml
+          kubectl create ns fulcio-system
+          kubectl create ns rekor-system
+          kubectl -n fulcio-system create secret generic fulcio-secret-rh --from-file=private=./kind/testing-only-cert-key/file_ca_key.pem --from-file=public=./kind/testing-only-cert-key/file_ca_pub.pem --from-file=cert=./kind/testing-only-cert-key/fulcio-root.pem  --from-literal=password=secure --dry-run=client -o yaml | oc apply -f-
+          kubectl -n rekor-system create secret generic rekor-private-key --from-file=private=./kind/testing-only-cert-key/rekor_key.pem --dry-run=client -o yaml | oc apply -f-
+          kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=90s
+        shell: bash
+
+      - name: Run chart-testing (install)
+        run: ct install --helm-extra-args "--wait --wait-for-jobs" --config ct-install.yaml
+
+      - name: Helm test (install)
+        run: |
+          OPENSHIFT_APPS_SUBDOMAIN=localhost envsubst <  ./charts/trusted-artifact-signer/ci/ci-values.yaml | helm upgrade -i trusted-artifact-signer --debug ./charts/trusted-artifact-signer --wait --wait-for-jobs -n trusted-artifact-signer --create-namespace --values -
 
-      #- name: Run chart-testing (install)
-      #  run: ct install --config ct-install.yaml
+          helm test -n trusted-artifact-signer trusted-artifact-signer
+          # tests are in charts/trusted-artifact-signer/templates/tests
diff --git a/.gitignore b/.gitignore
@@ -4,6 +4,5 @@ Chart.lock
 *.swp
 
 keys-cert
-*.pem
 ./keys-cert/*.pem
 **ADMIN**
diff --git a/.gitleaks.toml b/.gitleaks.toml
@@ -0,0 +1,8 @@
+[allowlist]
+  description = "Global Allowlist"
+
+  # Ignore based on any subset of the file path
+  paths = [
+    # Ignore all example certs
+    '''\/testing-only-cert-key\/*\.pem$''',
+  ]
diff --git a/README.md b/README.md
@@ -14,3 +14,41 @@ Information on how to install Sigstore components on OpenShift can be found in t
 ## Scaffolding Chart
 
 More information can be found by inspecting the [trusted-artifact-signer chart](charts/trusted-artifact-signer).
+
+## Contributing
+
+Install the [pre-commit](https://pre-commit.com/) package and run `pre-commit run --all-files` before pushing changes, or `pre-commit install` to automatically run the pre-commit hooks with every `git commit`. If it fails,
+run the `git commit` command again. It's likely the pre-commit hook fixed the issue and you have to bring in the new changes.
+
+### Testing
+
+To set up a `kind` cluster and deploy the charts, run the following from the root of this repository
+
+```bash
+./kind/kind-up-test.sh
+
+kubectl wait --namespace ingress-nginx \
+  --for=condition=ready pod \
+  --selector=app.kubernetes.io/component=controller \
+  --timeout=90s
+
+OPENSHIFT_APPS_SUBDOMAIN=localhost envsubst <  ./examples/values-kind-sigstore.yaml | helm upgrade -i trusted-artifact-signer --debug ./charts/trusted-artifact-signer --wait --wait-for-jobs -n sigstore --create-namespace --values -
+
+helm test -n sigstore trusted-artifact-signer
+# tests are in charts/trusted-artifact-signer/templates/tests
+```
+
+This test setup is to verify that all deployments are healthy and all jobs complete. However, this does not create a working environment to sign artifacts.
+
+To uninstall helm chart:
+
+```bash
+helm uninstall trusted-artifact-signer -n sigstore
+```
+
+To cleanup the test kind cluster, run:
+
+```bash
+sudo kind delete cluster
+```
+
diff --git a/charts/trusted-artifact-signer/Chart.yaml b/charts/trusted-artifact-signer/Chart.yaml
@@ -33,4 +33,4 @@ sources:
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.4
+version: 0.1.5
diff --git a/charts/trusted-artifact-signer/README.md b/charts/trusted-artifact-signer/README.md
@@ -3,7 +3,7 @@
 
 A Helm chart for deploying Sigstore scaffold chart that is opinionated for OpenShift
 
-![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.1.5](https://img.shields.io/badge/Version-0.1.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 ## Overview
 
@@ -128,7 +128,7 @@ Kubernetes: `>= 1.19.0-0`
 | rbac.clusterrole | clusterrole to be added to sigstore component serviceaccounts. | string | `"system:openshift:scc:anyuid"` |
 | scaffold.copySecretJob.backoffLimit |  | int | `1000` |
 | scaffold.copySecretJob.enabled |  | bool | `true` |
-| scaffold.copySecretJob.imagePullPolicy |  | string | `"Always"` |
+| scaffold.copySecretJob.imagePullPolicy |  | string | `"IfNotPresent"` |
 | scaffold.copySecretJob.name |  | string | `"copy-secrets-job"` |
 | scaffold.copySecretJob.registry |  | string | `"quay.io"` |
 | scaffold.copySecretJob.repository |  | string | `"sallyom/copy-secrets"` |
@@ -139,8 +139,8 @@ Kubernetes: `>= 1.19.0-0`
 | scaffold.ctlog.createctconfig.enabled |  | bool | `true` |
 | scaffold.ctlog.createctconfig.image.pullPolicy |  | string | `"IfNotPresent"` |
 | scaffold.ctlog.createctconfig.image.registry |  | string | `"quay.io"` |
-| scaffold.ctlog.createctconfig.image.repository |  | string | `"securesign/createctconfig"` |
-| scaffold.ctlog.createctconfig.image.version |  | string | `"v0.6.4"` |
+| scaffold.ctlog.createctconfig.image.repository |  | string | `"redhat-user-workloads/rhtas-tenant/rhtas-stack-1-0-beta/createctconfig"` |
+| scaffold.ctlog.createctconfig.image.version |  | string | `"build-96ab3-1696275762"` |
 | scaffold.ctlog.createctconfig.initContainerImage.curl.imagePullPolicy |  | string | `"IfNotPresent"` |
 | scaffold.ctlog.createctconfig.initContainerImage.curl.registry |  | string | `"registry.access.redhat.com"` |
 | scaffold.ctlog.createctconfig.initContainerImage.curl.repository |  | string | `"ubi9/ubi-minimal"` |
@@ -149,23 +149,23 @@ Kubernetes: `>= 1.19.0-0`
 | scaffold.ctlog.createtree.fullnameOverride |  | string | `"ctlog-createtree"` |
 | scaffold.ctlog.createtree.image.pullPolicy |  | string | `"IfNotPresent"` |
 | scaffold.ctlog.createtree.image.registry |  | string | `"quay.io"` |
-| scaffold.ctlog.createtree.image.repository |  | string | `"securesign/createtree"` |
-| scaffold.ctlog.createtree.image.version |  | string | `"v0.6.4"` |
+| scaffold.ctlog.createtree.image.repository |  | string | `"redhat-user-workloads/rhtas-tenant/rhtas-stack-1-0-beta/createtree"` |
+| scaffold.ctlog.createtree.image.version |  | string | `"build-1a625-1696276030"` |
 | scaffold.ctlog.enabled |  | bool | `true` |
 | scaffold.ctlog.forceNamespace |  | string | `"ctlog-system"` |
 | scaffold.ctlog.fullnameOverride |  | string | `"ctlog"` |
 | scaffold.ctlog.namespace.create |  | bool | `false` |
 | scaffold.ctlog.namespace.name |  | string | `"ctlog-system"` |
 | scaffold.ctlog.server.image.pullPolicy |  | string | `"IfNotPresent"` |
 | scaffold.ctlog.server.image.registry |  | string | `"quay.io"` |
-| scaffold.ctlog.server.image.repository |  | string | `"securesign/ct_server"` |
-| scaffold.ctlog.server.image.version |  | string | `"v0.6.4"` |
+| scaffold.ctlog.server.image.repository |  | string | `"redhat-user-workloads/rhtas-tenant/rhtas-stack-1-0-beta/ct-server"` |
+| scaffold.ctlog.server.image.version |  | string | `"build-68eb0-1696273861"` |
 | scaffold.fulcio.createcerts.enabled |  | bool | `false` |
 | scaffold.fulcio.createcerts.fullnameOverride |  | string | `"fulcio-createcerts"` |
 | scaffold.fulcio.createcerts.image.pullPolicy |  | string | `"IfNotPresent"` |
 | scaffold.fulcio.createcerts.image.registry |  | string | `"quay.io"` |
-| scaffold.fulcio.createcerts.image.repository |  | string | `"securesign/createcerts"` |
-| scaffold.fulcio.createcerts.image.version |  | string | `"v0.6.4"` |
+| scaffold.fulcio.createcerts.image.repository |  | string | `"redhat-user-workloads/rhtas-tenant/rhtas-stack-1-0-beta/createcerts"` |
+| scaffold.fulcio.createcerts.image.version |  | string | `"cfd61c13698b4e73e9c389dafc082134d0ab80a5"` |
 | scaffold.fulcio.ctlog.createctconfig.logPrefix |  | string | `"sigstorescaffolding"` |
 | scaffold.fulcio.ctlog.enabled |  | bool | `false` |
 | scaffold.fulcio.enabled |  | bool | `true` |
@@ -175,8 +175,8 @@ Kubernetes: `>= 1.19.0-0`
 | scaffold.fulcio.server.fullnameOverride |  | string | `"fulcio-server"` |
 | scaffold.fulcio.server.image.pullPolicy |  | string | `"IfNotPresent"` |
 | scaffold.fulcio.server.image.registry |  | string | `"quay.io"` |
-| scaffold.fulcio.server.image.repository |  | string | `"securesign/fulcio"` |
-| scaffold.fulcio.server.image.version |  | string | `"v1.4.0"` |
+| scaffold.fulcio.server.image.repository |  | string | `"redhat-user-workloads/rhtas-tenant/rhtas-stack-1-0-beta/fulcio"` |
+| scaffold.fulcio.server.image.version |  | string | `"1187db2ca9927ceabe3a2a3fedb67d4a3f8ef323"` |
 | scaffold.fulcio.server.ingress.http.annotations."route.openshift.io/termination" |  | string | `"edge"` |
 | scaffold.fulcio.server.ingress.http.className |  | string | `""` |
 | scaffold.fulcio.server.ingress.http.enabled |  | bool | `true` |
@@ -185,12 +185,12 @@ Kubernetes: `>= 1.19.0-0`
 | scaffold.fulcio.server.secret |  | string | `"fulcio-secret-rh"` |
 | scaffold.rekor.backfillredis.image.pullPolicy |  | string | `"IfNotPresent"` |
 | scaffold.rekor.backfillredis.image.registry |  | string | `"quay.io"` |
-| scaffold.rekor.backfillredis.image.repository |  | string | `"securesign/backfill-redis"` |
-| scaffold.rekor.backfillredis.image.version |  | string | `"v1.2.2"` |
+| scaffold.rekor.backfillredis.image.repository |  | string | `"redhat-user-workloads/rhtas-tenant/rhtas-stack-1-0-beta/backfill-redis"` |
+| scaffold.rekor.backfillredis.image.version |  | string | `"ce862e267bee178fbf16ab7d181ff8f21246e346"` |
 | scaffold.rekor.createtree.image.pullPolicy |  | string | `"IfNotPresent"` |
 | scaffold.rekor.createtree.image.registry |  | string | `"quay.io"` |
-| scaffold.rekor.createtree.image.repository |  | string | `"securesign/createtree"` |
-| scaffold.rekor.createtree.image.version |  | string | `"v0.6.4"` |
+| scaffold.rekor.createtree.image.repository |  | string | `"redhat-user-workloads/rhtas-tenant/rhtas-stack-1-0-beta/createtree"` |
+| scaffold.rekor.createtree.image.version |  | string | `"build-1a625-1696276030"` |
 | scaffold.rekor.enabled |  | bool | `true` |
 | scaffold.rekor.forceNamespace |  | string | `"rekor-system"` |
 | scaffold.rekor.fullnameOverride |  | string | `"rekor"` |
@@ -214,8 +214,8 @@ Kubernetes: `>= 1.19.0-0`
 | scaffold.rekor.trillian.enabled |  | bool | `false` |
 | scaffold.trillian.createdb.image.pullPolicy |  | string | `"IfNotPresent"` |
 | scaffold.trillian.createdb.image.registry |  | string | `"quay.io"` |
-| scaffold.trillian.createdb.image.repository |  | string | `"securesign/createdb"` |
-| scaffold.trillian.createdb.image.version |  | string | `"v0.6.4"` |
+| scaffold.trillian.createdb.image.repository |  | string | `"redhat-user-workloads/rhtas-tenant/rhtas-stack-1-0-beta/createdb"` |
+| scaffold.trillian.createdb.image.version |  | string | `"build-b43c0-1696275867"` |
 | scaffold.trillian.enabled |  | bool | `true` |
 | scaffold.trillian.forceNamespace |  | string | `"trillian-system"` |
 | scaffold.trillian.fullnameOverride |  | string | `"trillian"` |
@@ -224,31 +224,31 @@ Kubernetes: `>= 1.19.0-0`
 | scaffold.trillian.initContainerImage.curl.repository |  | string | `"ubi9/ubi-minimal"` |
 | scaffold.trillian.initContainerImage.curl.version |  | string | `"latest"` |
 | scaffold.trillian.initContainerImage.netcat.registry |  | string | `"quay.io"` |
-| scaffold.trillian.initContainerImage.netcat.repository |  | string | `"securesign/netcat"` |
-| scaffold.trillian.initContainerImage.netcat.version |  | string | `"v1.0.0"` |
+| scaffold.trillian.initContainerImage.netcat.repository |  | string | `"redhat-user-workloads/rhtas-tenant/rhtas-stack-1-0-beta/trillian-netcat"` |
+| scaffold.trillian.initContainerImage.netcat.version |  | string | `"build-3c019-1696503519"` |
 | scaffold.trillian.logServer.fullnameOverride |  | string | `"trillian-logserver"` |
 | scaffold.trillian.logServer.image.pullPolicy |  | string | `"IfNotPresent"` |
 | scaffold.trillian.logServer.image.registry |  | string | `"quay.io"` |
-| scaffold.trillian.logServer.image.repository |  | string | `"securesign/trillian_log_server"` |
-| scaffold.trillian.logServer.image.version |  | string | `"v1.2.2"` |
+| scaffold.trillian.logServer.image.repository |  | string | `"redhat-user-workloads/rhtas-tenant/rhtas-stack-1-0-beta/trillian-logserver"` |
+| scaffold.trillian.logServer.image.version |  | string | `"build-58a79-1696502872"` |
 | scaffold.trillian.logServer.name |  | string | `"trillian-logserver"` |
 | scaffold.trillian.logServer.portHTTP |  | int | `8090` |
 | scaffold.trillian.logServer.portRPC |  | int | `8091` |
 | scaffold.trillian.logSigner.fullnameOverride |  | string | `"trillian-logsigner"` |
 | scaffold.trillian.logSigner.image.pullPolicy |  | string | `"IfNotPresent"` |
 | scaffold.trillian.logSigner.image.registry |  | string | `"quay.io"` |
-| scaffold.trillian.logSigner.image.repository |  | string | `"securesign/trillian_log_signer"` |
-| scaffold.trillian.logSigner.image.version |  | string | `"v1.2.2"` |
+| scaffold.trillian.logSigner.image.repository |  | string | `"redhat-user-workloads/rhtas-tenant/rhtas-stack-1-0-beta/trillian-logsigner"` |
+| scaffold.trillian.logSigner.image.version |  | string | `"build-38813-1696586021"` |
 | scaffold.trillian.logSigner.name |  | string | `"trillian-logsigner"` |
 | scaffold.trillian.mysql.args |  | list | `[]` |
 | scaffold.trillian.mysql.fullnameOverride |  | string | `"trillian-mysql"` |
 | scaffold.trillian.mysql.gcp.scaffoldSQLProxy.registry |  | string | `"quay.io"` |
-| scaffold.trillian.mysql.gcp.scaffoldSQLProxy.repository |  | string | `"securesign/cloudsqlproxy"` |
-| scaffold.trillian.mysql.gcp.scaffoldSQLProxy.version |  | string | `"v0.6.4"` |
+| scaffold.trillian.mysql.gcp.scaffoldSQLProxy.repository |  | string | `"docker pull quay.io/redhat-user-workloads/rhtas-tenant/rhtas-stack-1-0-beta/cloudsqlproxy"` |
+| scaffold.trillian.mysql.gcp.scaffoldSQLProxy.version |  | string | `"build-b9416-1696274309"` |
 | scaffold.trillian.mysql.image.pullPolicy |  | string | `"IfNotPresent"` |
 | scaffold.trillian.mysql.image.registry |  | string | `"quay.io"` |
-| scaffold.trillian.mysql.image.repository |  | string | `"securesign/trillian-db"` |
-| scaffold.trillian.mysql.image.version |  | string | `"v1.5.2"` |
+| scaffold.trillian.mysql.image.repository |  | string | `"redhat-user-workloads/rhtas-tenant/rhtas-stack-1-0-beta/trillian-database"` |
+| scaffold.trillian.mysql.image.version |  | string | `"build-b3117-1696585835"` |
 | scaffold.trillian.mysql.livenessProbe.exec.command[0] |  | string | `"mysqladmin"` |
 | scaffold.trillian.mysql.livenessProbe.exec.command[1] |  | string | `"ping"` |
 | scaffold.trillian.mysql.livenessProbe.exec.command[2] |  | string | `"-h"` |
@@ -281,8 +281,8 @@ Kubernetes: `>= 1.19.0-0`
 | scaffold.tsa.namespace.name |  | string | `"tsa-system"` |
 | scaffold.tsa.server.fullnameOverride |  | string | `"tsa-server"` |
 | scaffold.tuf.deployment.registry |  | string | `"quay.io"` |
-| scaffold.tuf.deployment.repository |  | string | `"securesign/tuf/server"` |
-| scaffold.tuf.deployment.version |  | string | `"latest"` |
+| scaffold.tuf.deployment.repository |  | string | `"redhat-user-workloads/rhtas-tenant/rhtas-stack-1-0-beta/tuf-server"` |
+| scaffold.tuf.deployment.version |  | string | `"cfd61c13698b4e73e9c389dafc082134d0ab80a5"` |
 | scaffold.tuf.enabled |  | bool | `true` |
 | scaffold.tuf.forceNamespace |  | string | `"tuf-system"` |
 | scaffold.tuf.fullnameOverride |  | string | `"tuf"` |
@@ -293,7 +293,7 @@ Kubernetes: `>= 1.19.0-0`
 | scaffold.tuf.namespace.create |  | bool | `false` |
 | scaffold.tuf.namespace.name |  | string | `"tuf-system"` |
 | scaffold.tuf.secrets.ctlog.name |  | string | `"ctlog-public-key"` |
-| scaffold.tuf.secrets.ctlog.path |  | string | `"ctlog-pubkey"` |
+| scaffold.tuf.secrets.ctlog.path |  | string | `"ctfe.pub"` |
 | scaffold.tuf.secrets.fulcio.name |  | string | `"fulcio-secret-rh"` |
 | scaffold.tuf.secrets.fulcio.path |  | string | `"fulcio-cert"` |
 | scaffold.tuf.secrets.rekor.name |  | string | `"rekor-public-key"` |

diff --git a/charts/trusted-artifact-signer/ci/ci-values.yaml b/charts/trusted-artifact-signer/ci/ci-values.yaml
@@ -0,0 +1,49 @@
+# With this example, it is expected that there is a secret with the fulcio root & signing keys
+# named 'fulcio-secret-rh' in namespace 'fulcio-system' and a secret 'rekor-private-key'
+# with rekor signing keys in the 'rekor-system' namespace.
+# secret names must match secret names in scaffold.tuf, that default to
+# 'fulcio-secret-rh' and 'rekor-private-key'
+# For root & key requirements, see ../requirements-keys-certs.md
+# Note: User must substitute for localhost below.
+---
+configs:
+  cosign:
+    appsSubdomain: localhost
+  fulcio:
+    create: false
+  rekor:
+    create: false
+
+# github.com/sigstore/helm-charts/charts
+scaffold:
+  fulcio:
+    clusterMonitoring:
+      enabled: false
+    server:
+      ingress:
+        http:
+          hosts:
+            - host: fulcio.localhost
+              path: /
+    config:
+      contents:
+        OIDCIssuers:
+          # https://<keycloak_instance>.<keycloak_ns>.<openshift_apps_subdomain>/auth/realms/sigstore
+          ? https://keycloak-keycloak-system.apps.open-svc-sts.k1wl.p1.openshiftapps.com/auth/realms/sigstore
+          : IssuerURL: https://keycloak-keycloak-system.apps.open-svc-sts.k1wl.p1.openshiftapps.com/auth/realms/sigstore
+            ClientID: sigstore
+            Type: email
+  rekor:
+    clusterMonitoring:
+      enabled: false
+    server:
+      ingress:
+        hosts:
+          - host: rekor.localhost
+            path: /
+  tuf:
+    ingress:
+      http:
+        hosts:
+          - host: tuf.localhost
+            path: /