add clientserver to chart, templates

Signed-off-by: Sally O'Malley <[email protected]>
securesign · Oct 13, 2023 · 40235f7 · 40235f7
1 parent 740fc6f
commit 40235f7
Show file tree

Hide file tree

Showing 26 changed files with 289 additions and 191 deletions.
diff --git a/charts/trusted-artifact-signer/Chart.yaml b/charts/trusted-artifact-signer/Chart.yaml
@@ -33,4 +33,4 @@ sources:
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.8
+version: 0.1.9
diff --git a/charts/trusted-artifact-signer/README.md b/charts/trusted-artifact-signer/README.md
@@ -3,7 +3,7 @@
 
 A Helm chart for deploying Sigstore scaffold chart that is opinionated for OpenShift
 
-![Version: 0.1.8](https://img.shields.io/badge/Version-0.1.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.1.9](https://img.shields.io/badge/Version-0.1.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 ## Overview
 
@@ -84,21 +84,28 @@ Kubernetes: `>= 1.19.0-0`
 
 | Key | Description | Type | Default |
 |-----|-------------|------|---------|
-| configs.cosign.appsSubdomain | DNS name to be used to generate environment variables for cosign commands. By default, in OpenShift, the value for this is apps.$(oc get dns cluster -o jsonpath='{ .spec.baseDomain }') | string | `""` |
-| configs.cosign.create | whether to create the cosign namespace | bool | `true` |
+| configs.clientserver.image.pullPolicy |  | string | `"IfNotPresent"` |
+| configs.clientserver.image.registry |  | string | `"quay.io"` |
+| configs.clientserver.image.repository |  | string | `"sallyom/tas-clients"` |
+| configs.clientserver.image.version |  | string | `"httpd"` |
+| configs.clientserver.name |  | string | `"tas-clients"` |
+| configs.clientserver.namespace |  | string | `"trusted-artifact-signer-clientserver"` |
+| configs.clientserver.namespace_create |  | bool | `true` |
+| configs.cosign.enabled |  | bool | `false` |
 | configs.cosign.image | Image containing the cosign binary as well as environment variables with the base domain injected. | object | `{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"securesign/cosign","version":"v2.1.1"}` |
 | configs.cosign.name | Name of deployment | string | `"cosign"` |
-| configs.cosign.namespace | namespace for cosign resources | string | `"cosign"` |
+| configs.cosign.namespace |  | string | `"cosign-signer"` |
+| configs.cosign.namespace_create |  | bool | `true` |
 | configs.cosign.rolebindings | names for rolebindings to add clusterroles to cosign serviceaccounts. The names must match the serviceaccount names in the cosign namespace. | list | `["cosign"]` |
-| configs.ctlog.create | Whether to create the ctlog namespace | bool | `true` |
-| configs.ctlog.namespace | Namespace for ctlog resources | string | `"ctlog-system"` |
+| configs.ctlog.namespace |  | string | `"ctlog-system"` |
+| configs.ctlog.namespace_create |  | bool | `true` |
 | configs.ctlog.rolebindings | Names for rolebindings to add clusterroles to ctlog serviceaccounts. The names must match the serviceaccount names in the ctlog namespace. | list | `["ctlog","ctlog-createtree","trusted-artifact-signer-ctlog-createctconfig"]` |
 | configs.fulcio.clusterMonitoring.enabled |  | bool | `true` |
 | configs.fulcio.clusterMonitoring.endpoints[0].interval |  | string | `"30s"` |
 | configs.fulcio.clusterMonitoring.endpoints[0].port |  | string | `"2112-tcp"` |
 | configs.fulcio.clusterMonitoring.endpoints[0].scheme |  | string | `"http"` |
-| configs.fulcio.create | Whether to create the fulcio namespace | bool | `true` |
-| configs.fulcio.namespace | Namespace for fulcio resources | string | `"fulcio-system"` |
+| configs.fulcio.namespace |  | string | `"fulcio-system"` |
+| configs.fulcio.namespace_create |  | bool | `true` |
 | configs.fulcio.rolebindings | Names for rolebindings to add clusterroles to fulcio serviceaccounts. The names must match the serviceaccount names in the fulcio namespace. | list | `["fulcio-createcerts","fulcio-server"]` |
 | configs.fulcio.server.secret.name |  | string | `""` |
 | configs.fulcio.server.secret.password | password to decrypt the signing key | string | `""` |
@@ -112,19 +119,20 @@ Kubernetes: `>= 1.19.0-0`
 | configs.rekor.clusterMonitoring.endpoints[0].interval |  | string | `"30s"` |
 | configs.rekor.clusterMonitoring.endpoints[0].port |  | string | `"2112-tcp"` |
 | configs.rekor.clusterMonitoring.endpoints[0].scheme |  | string | `"http"` |
-| configs.rekor.create | whether to create the rekor namespace | bool | `true` |
-| configs.rekor.namespace | namespace for rekor resources | string | `"rekor-system"` |
+| configs.rekor.namespace |  | string | `"rekor-system"` |
+| configs.rekor.namespace_create |  | bool | `true` |
 | configs.rekor.rolebindings | names for rolebindings to add clusterroles to rekor serviceaccounts. The names must match the serviceaccount names in the rekor namespace. | list | `["rekor-redis","rekor-server","trusted-artifact-signer-rekor-createtree"]` |
 | configs.rekor.signer | Signer holds secret that contains the private key used to sign entries and the tree head of the transparency log When this section is left out, scaffold.rekor creates the secret and key. | object | `{"secret":{"name":"","private_key":"","private_key_file":""}}` |
 | configs.rekor.signer.secret.name | Name of the secret to create with the private key data. This name must match the value in scaffold.rekor.server.signer.signerFileSecretOptions.secretName. | string | `""` |
 | configs.rekor.signer.secret.private_key | Private encrypted signing key | string | `""` |
 | configs.rekor.signer.secret.private_key_file | File containing a private encrypted signing key | string | `""` |
-| configs.trillian.create | whether to create the trillian namespace | bool | `true` |
-| configs.trillian.namespace | namespace for trillian resources | string | `"trillian-system"` |
+| configs.trillian.namespace |  | string | `"trillian-system"` |
+| configs.trillian.namespace_create |  | bool | `true` |
 | configs.trillian.rolebindings | names for rolebindings to add clusterroles to trillian serviceaccounts. The names must match the serviceaccount names in the trillian namespace. | list | `["trillian-logserver","trillian-logsigner","trillian-mysql"]` |
-| configs.tuf.create | whether to create the tuf namespace | bool | `true` |
-| configs.tuf.namespace | namespace for tuf resources | string | `"tuf-system"` |
+| configs.tuf.namespace |  | string | `"tuf-system"` |
+| configs.tuf.namespace_create |  | bool | `true` |
 | configs.tuf.rolebindings | names for rolebindings to add clusterroles to tuf serviceaccounts. The names must match the serviceaccount names in the tuf namespace. | list | `["tuf","tuf-secret-copy-job"]` |
+| global.appsSubdomain | DNS name to generate environment variables and consoleCLIDownload urls. By default, in OpenShift, the value for this is apps.$(oc get dns cluster -o jsonpath='{ .spec.baseDomain }') | string | `""` |
 | rbac.clusterrole | clusterrole to be added to sigstore component serviceaccounts. | string | `"system:openshift:scc:anyuid"` |
 | scaffold.copySecretJob.backoffLimit |  | int | `1000` |
 | scaffold.copySecretJob.enabled |  | bool | `true` |

diff --git a/charts/trusted-artifact-signer/ci/ci-values.yaml b/charts/trusted-artifact-signer/ci/ci-values.yaml
@@ -6,13 +6,16 @@
 # For root & key requirements, see ../requirements-keys-certs.md
 # Note: User must substitute for localhost below.
 ---
+global:
+  appsSubdomain: localhost
+
 configs:
-  cosign:
-    appsSubdomain: localhost
   fulcio:
-    create: false
+    namespace:
+      create: false
   rekor:
-    create: false
+    namespace:
+      create: false
 
 # github.com/sigstore/helm-charts/charts
 scaffold:

diff --git a/charts/trusted-artifact-signer/templates/clientserver-deployment.yaml b/charts/trusted-artifact-signer/templates/clientserver-deployment.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.configs.clientserver.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Values.configs.clientserver.name }}
+  namespace: {{ .Values.configs.clientserver.namespace }}
+  labels:
+    app: {{ .Values.configs.clientserver.name }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ .Values.configs.clientserver.name }}
+  template:
+    metadata:
+      labels:
+        app: {{ .Values.configs.clientserver.name }}
+    spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: {{ .Values.configs.clientserver.name }}
+      containers:
+      - name: tas-clients
+        image: "{{ .Values.configs.clientserver.image.registry }}/{{ .Values.configs.clientserver.image.repository }}:{{ .Values.configs.clientserver.image.version }}"
+        #image: quay.io/sallyom/tas-clients:httpd
+        imagePullPolicy: IfNotPresent
+        ports:
+          - containerPort: 8080
+            protocol: TCP
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+{{- end }}
+
diff --git a/charts/trusted-artifact-signer/templates/clientserver-route.yaml b/charts/trusted-artifact-signer/templates/clientserver-route.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.configs.clientserver.enabled }}
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  labels:
+    app: {{ .Values.configs.clientserver.name }}
+  name: {{ .Values.configs.clientserver.name }}
+  namespace: {{ .Values.configs.clientserver.namespace }}
+spec:
+  port:
+    targetPort: 8080-tcp
+  tls:
+    insecureEdgeTerminationPolicy: Redirect
+    termination: edge
+  to:
+    kind: Service
+    name: {{ .Values.configs.clientserver.name }}
+    weight: 100
+  wildcardPolicy: None
+{{- end }}
+
diff --git a/charts/trusted-artifact-signer/templates/clientserver-sa.yaml b/charts/trusted-artifact-signer/templates/clientserver-sa.yaml
@@ -0,0 +1,8 @@
+{{- if .Values.configs.clientserver.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.configs.clientserver.name }}
+  namespace: {{ .Values.configs.clientserver.namespace }}
+{{- end }}
+
diff --git a/charts/trusted-artifact-signer/templates/clientserver-service.yaml b/charts/trusted-artifact-signer/templates/clientserver-service.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.configs.clientserver.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: {{ .Values.configs.clientserver.name }}
+  name: {{ .Values.configs.clientserver.name }}
+  namespace: {{ .Values.configs.clientserver.namespace }}
+spec:
+  ports:
+  - name: 8080-tcp
+    port: 8080
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app: {{ .Values.configs.clientserver.name }}
+  type: ClusterIP
+{{- end }}
+
diff --git a/.../resources/consoleclidownload-cosign.yaml → .../templates/consoleclidownload-cosign.yaml b/.../resources/consoleclidownload-cosign.yaml → .../templates/consoleclidownload-cosign.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.configs.clientserver.enabled }}
 apiVersion: console.openshift.io/v1
 kind: ConsoleCLIDownload
 metadata:
@@ -7,5 +8,6 @@ spec:
     manage sigstore artifacts.
   displayName: cosign - Command Line Interface (CLI)
   links:
-  - href: https://tas-clients-trusted-artifact-signer.apps.open-svc-sts.k1wl.p1.openshiftapps.com/clients/cosign
+  - href: "https://{{ $.Values.configs.clientserver.name }}-{{ $.Values.configs.clientserver.namespace }}.{{ $.Values.global.appsSubdomain }}/clients/cosign"
     text: Download cosign for Linux x86_64
+{{- end }}
diff --git a/...resources/consoleclidownload-gitsign.yaml → ...templates/consoleclidownload-gitsign.yaml b/...resources/consoleclidownload-gitsign.yaml → ...templates/consoleclidownload-gitsign.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.configs.clientserver.enabled }}
 apiVersion: console.openshift.io/v1
 kind: ConsoleCLIDownload
 metadata:
@@ -7,5 +8,7 @@ spec:
     digitally sign and verify git commits.
   displayName: gitsign - Command Line Interface (CLI)
   links:
-  - href: https://tas-clients-trusted-artifact-signer.apps.open-svc-sts.k1wl.p1.openshiftapps.com/clients/gitsign
+  - href: "https://{{ $.Values.configs.clientserver.name }}-{{ $.Values.configs.clientserver.namespace }}.{{ $.Values.global.appsSubdomain }}/clients/gitsign"
     text: Download gitsign for Linux x86_64
+{{- end }}
+
diff --git a/charts/trusted-artifact-signer/templates/cosign-deployment.yaml b/charts/trusted-artifact-signer/templates/cosign-deployment.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.configs.cosign.enabled }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -23,7 +24,7 @@ spec:
         image: "{{ .Values.configs.cosign.image.registry }}/{{ .Values.configs.cosign.image.repository }}:{{ .Values.configs.cosign.image.version }}"
         env:
         - name: OPENSHIFT_APPS_SUBDOMAIN
-          value: {{ .Values.configs.cosign.appsSubdomain }}
+          value: {{ .Values.global.appsSubdomain }}
         - name: OIDC_AUTHENTICATION_REALM
           value: "sigstore"
         - name: FULCIO_URL
@@ -38,4 +39,5 @@ spec:
           allowPrivilegeEscalation: false
           capabilities:
             drop:
-            - ALL
+            - ALL
+{{- end }}
diff --git a/charts/trusted-artifact-signer/templates/cosign-sa.yaml b/charts/trusted-artifact-signer/templates/cosign-sa.yaml
@@ -1,8 +1,10 @@
-{{- if $.Values.configs.cosign.rolebindings }}
+{{- if .Values.configs.cosign.enabled }}
+{{- if .Values.configs.cosign.rolebindings }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   namespace: {{ .Values.configs.cosign.namespace }}
   name: {{ index .Values.configs.cosign.rolebindings 0 }}
 {{- end }}
+{{- end }}
diff --git a/charts/trusted-artifact-signer/templates/namespace.yaml b/charts/trusted-artifact-signer/templates/namespace.yaml
@@ -1,5 +1,5 @@
 {{- range $configKey, $config := .Values.configs }}
-{{- if $config.create }}
+{{- if $config.namespace_create }}
 ---
 apiVersion: v1
 kind: Namespace