From 24be2f027baa5856e255e772ad71543fd5818c2d Mon Sep 17 00:00:00 2001
From: Sally O'Malley
Date: Tue, 10 Oct 2023 14:36:05 -0400
Subject: [PATCH 1/5] initial Containerfile for tas-clients
Signed-off-by: Sally O'Malley
---
tas-clients/Containerfile | 9 +++++++++
1 file changed, 9 insertions(+)
create mode 100644 tas-clients/Containerfile
diff --git a/tas-clients/Containerfile b/tas-clients/Containerfile
new file mode 100644
index 00000000..25f87d79
--- /dev/null
+++ b/tas-clients/Containerfile
@@ -0,0 +1,9 @@
+FROM quay.io/redhat-user-workloads/rhtas-tenant/rhtas-cli-1-0-beta/cosign@sha256:1a34ac0ee18d144b18a3f18333216e87709018acb6fea42892b5e1a17e2c8af7 AS cosign-image
+FROM quay.io/redhat-user-workloads/rhtas-tenant/rhtas-cli-1-0-beta/gitsign@sha256:a8e8fb362beb5a9a10f11877f676d4d6399b4f66fe9bd15c3bc352748707b98d AS gitsign-image
+
+FROM registry.redhat.io/rhel8/httpd-24
+
+COPY --from=cosign-image /usr/local/bin/cosign /var/www/html/downloads/cosign
+COPY --from=gitsign-image /usr/local/bin/gitsign /var/www/html/downloads/gitsign
+
+CMD run-httpd
From 740fc6fdff2a447c6cc365b567ac0cbf428d7a40 Mon Sep 17 00:00:00 2001
From: Sally O'Malley
Date: Tue, 10 Oct 2023 21:27:37 -0400
Subject: [PATCH 2/5] add cli-server
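Review bot: The serving stage `FROM registry.redhat.io/rhel8/httpd-24` carries no tag or digest, so it floats to whatever the registry calls latest at build time, while the two client stages above it are pinned by `@sha256:` digest; the image that hands out signing tools should be pinned the same way, e.g. `FROM registry.redhat.io/rhel8/httpd-24:<TAG>@sha256:<DIGEST>` (placeholders). The patch 2 hunk for this file changes the line to `:latest`, which has the same problem. `CMD run-httpd` is shell form, so httpd is started through `/bin/sh -c` and is not PID 1 for `docker stop`/`SIGTERM` delivery; `CMD ["run-httpd"]` keeps the same command in exec form.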
Signed-off-by: Sally O'Malley --- tas-clients/Containerfile | 17 ++++++++-- .../resources/consoleclidownload-cosign.yaml | 11 ++++++ .../resources/consoleclidownload-gitsign.yaml | 11 ++++++ tas-clients/resources/deployment.yaml | 34 +++++++++++++++++++ tas-clients/resources/kustomization.yaml | 12 +++++++ tas-clients/resources/route.yaml | 18 ++++++++++ tas-clients/resources/service.yaml | 15 ++++++++ tas-clients/resources/serviceaccount.yaml | 6 ++++ 8 files changed, 121 insertions(+), 3 deletions(-) create mode 100644 tas-clients/resources/consoleclidownload-cosign.yaml create mode 100644 tas-clients/resources/consoleclidownload-gitsign.yaml create mode 100644 tas-clients/resources/deployment.yaml create mode 100644 tas-clients/resources/kustomization.yaml create mode 100644 tas-clients/resources/route.yaml create mode 100644 tas-clients/resources/service.yaml create mode 100644 tas-clients/resources/serviceaccount.yaml diff --git a/tas-clients/Containerfile b/tas-clients/Containerfile index 25f87d79..b2ec800e 100644 --- a/tas-clients/Containerfile +++ b/tas-clients/Containerfile 
@@ -1,9 +1,20 @@ FROM quay.io/redhat-user-workloads/rhtas-tenant/rhtas-cli-1-0-beta/cosign@sha256:1a34ac0ee18d144b18a3f18333216e87709018acb6fea42892b5e1a17e2c8af7 AS cosign-image FROM quay.io/redhat-user-workloads/rhtas-tenant/rhtas-cli-1-0-beta/gitsign@sha256:a8e8fb362beb5a9a10f11877f676d4d6399b4f66fe9bd15c3bc352748707b98d AS gitsign-image -FROM registry.redhat.io/rhel8/httpd-24 +FROM registry.redhat.io/rhel8/httpd-24:latest -COPY --from=cosign-image /usr/local/bin/cosign /var/www/html/downloads/cosign -COPY --from=gitsign-image /usr/local/bin/gitsign /var/www/html/downloads/gitsign +RUN mkdir -p /var/www/html/clients + +COPY --from=cosign-image /usr/local/bin/cosign /var/www/html/clients/ +COPY --from=gitsign-image /usr/local/bin/gitsign /var/www/html/clients/ CMD run-httpd + +LABEL \ + com.redhat.component="trusted-artifact-signer-serve-cli-container" \ + name="trusted-artifact-signer-serve-cli-container" \ + version="0.0.1" \ + summary="Red Hat serves Trusted Artifact Signer CLI binaries" \ + description="Serves Trusted Artifact Signer CLI binaries from server" \ + io.k8s.display-name="Red Hat serves Trusted Artifact Signer CLI binaries" \ + maintainer="trusted-artifact-signer@redhat.com" diff --git a/tas-clients/resources/consoleclidownload-cosign.yaml b/tas-clients/resources/consoleclidownload-cosign.yaml new file mode 100644 index 00000000..d609e075 --- /dev/null +++ b/tas-clients/resources/consoleclidownload-cosign.yaml @@ -0,0 +1,11 @@ +apiVersion: console.openshift.io/v1 +kind: ConsoleCLIDownload +metadata: + name: cosign +spec: + description: cosign is a CLI tool that allows you to + manage sigstore artifacts. + displayName: cosign - Command Line Interface (CLI) + links: + - href: https://tas-clients-trusted-artifact-signer.apps.open-svc-sts.k1wl.p1.openshiftapps.com/clients/cosign + text: Download cosign for Linux x86_64 
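Review bot: The image publishes `cosign` and `gitsign` under `/var/www/html/clients/` with nothing a downloader can check them against, so a user following the ConsoleCLIDownload link has only the route's TLS as an integrity check on a signing tool. Because both inputs are digest-pinned, a checksum file can be produced deterministically in the build, e.g. a `RUN` after the two `COPY` lines that executes `sha256sum cosign gitsign > SHA256SUMS` inside `/var/www/html/clients`, and the ConsoleCLIDownload resources in this commit can then link to it as well. `RUN mkdir -p /var/www/html/clients` is redundant, since `COPY` with a trailing-slash destination creates the directory; dropping it removes a layer.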
diff --git a/tas-clients/resources/consoleclidownload-gitsign.yaml b/tas-clients/resources/consoleclidownload-gitsign.yaml new file mode 100644 index 00000000..23c046b1 --- /dev/null +++ b/tas-clients/resources/consoleclidownload-gitsign.yaml @@ -0,0 +1,11 @@ +apiVersion: console.openshift.io/v1 +kind: ConsoleCLIDownload +metadata: + name: gitsign +spec: + description: gitsign is a CLI tool that allows you to + digitally sign and verify git commits. + displayName: gitsign - Command Line Interface (CLI) + links: + - href: https://tas-clients-trusted-artifact-signer.apps.open-svc-sts.k1wl.p1.openshiftapps.com/clients/gitsign + text: Download gitsign for Linux x86_64 diff --git a/tas-clients/resources/deployment.yaml b/tas-clients/resources/deployment.yaml new file mode 100644 index 00000000..44fd66a4 --- /dev/null +++ b/tas-clients/resources/deployment.yaml @@ -0,0 +1,34 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tas-clients-serve + namespace: trusted-artifact-signer + labels: + app: trusted-artifact-signer-clients +spec: + selector: + matchLabels: + app: trusted-artifact-signer-clients + template: + metadata: + labels: + app: trusted-artifact-signer-clients + spec: + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + serviceAccountName: tas-clients + containers: + - name: tas-clients + image: quay.io/sallyom/tas-clients:httpd + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8080 + protocol: TCP + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + diff --git a/tas-clients/resources/kustomization.yaml b/tas-clients/resources/kustomization.yaml new file mode 100644 index 00000000..9705baf8 --- /dev/null +++ b/tas-clients/resources/kustomization.yaml 
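Review bot: `image: quay.io/sallyom/tas-clients:httpd` together with `imagePullPolicy: IfNotPresent` points the client server at a personal registry namespace with a mutable tag, and any node that already holds `tas-clients:httpd` will keep serving an old build after a re-push; pin the image by digest or an immutable release tag, or use `imagePullPolicy: Always` for as long as the tag is mutable. The same reference returns as `repository: sallyom/tas-clients` / `version: httpd` in values.yaml in patch 3. The Deployment also declares no `readinessProbe` and no `resources`, so the Service forwards to the pod as soon as the container starts rather than when httpd is listening on 8080; an `httpGet` readiness probe on port 8080 covers that.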
@@ -0,0 +1,12 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +namespace: trusted-artifact-signer + +resources: +- deployment.yaml +- service.yaml +- route.yaml +- serviceaccount.yaml +- consoleclidownload-cosign.yaml +- consoleclidownload-gitsign.yaml diff --git a/tas-clients/resources/route.yaml b/tas-clients/resources/route.yaml new file mode 100644 index 00000000..e1f87ffc --- /dev/null +++ b/tas-clients/resources/route.yaml @@ -0,0 +1,18 @@ +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + labels: + app: trusted-artifact-signer-clients + name: tas-clients + namespace: trusted-artifact-signer +spec: + port: + targetPort: 8080-tcp + tls: + insecureEdgeTerminationPolicy: Redirect + termination: edge + to: + kind: Service + name: tas-clients + weight: 100 + wildcardPolicy: None diff --git a/tas-clients/resources/service.yaml b/tas-clients/resources/service.yaml new file mode 100644 index 00000000..561653ee --- /dev/null +++ b/tas-clients/resources/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: trusted-artifact-signer-clients + name: tas-clients +spec: + ports: + - name: 8080-tcp + port: 8080 + protocol: TCP + targetPort: 8080 + selector: + app: trusted-artifact-signer-clients + type: ClusterIP diff --git a/tas-clients/resources/serviceaccount.yaml b/tas-clients/resources/serviceaccount.yaml new file mode 100644 index 00000000..2cb1254a --- /dev/null +++ b/tas-clients/resources/serviceaccount.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: tas-clients + namespace: trusted-artifact-signer + From 826d7b9ab6c48f5ead987d0be64f1f45684f621f Mon Sep 17 00:00:00 2001 From: Sally O'Malley Date: Thu, 12 Oct 2023 23:51:41 -0400 Subject: [PATCH 3/5] add clientserver to chart, templates 
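Review bot: The `tas-clients` ServiceAccount exists only to give the Deployment an identity, and as far as these files show the pod runs nothing but httpd serving two static binaries, so its API token should not be mounted into the container: add `automountServiceAccountToken: false` at the top level of the ServiceAccount (or under the pod `spec`). The `clientserver-sa.yaml` template in patch 3 has the same omission. The Route terminating TLS at the edge with `insecureEdgeTerminationPolicy: Redirect` is the right default for binary downloads and is worth preserving when the Route is templated.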
Signed-off-by: Sally O'Malley --- charts/trusted-artifact-signer/Chart.yaml | 2 +- charts/trusted-artifact-signer/README.md | 43 ++++++---- .../trusted-artifact-signer/ci/ci-values.yaml | 13 ++- .../templates/clientserver-deployment.yaml | 37 +++++++++ .../templates/clientserver-route.yaml | 21 +++++ .../templates/clientserver-sa.yaml | 8 ++ .../templates/clientserver-service.yaml | 19 +++++ .../templates}/consoleclidownload-cosign.yaml | 4 +- .../consoleclidownload-gitsign.yaml | 5 +- .../templates/cosign-deployment.yaml | 22 +++--- .../templates/cosign-sa.yaml | 8 +- .../templates/namespace.yaml | 2 +- .../values.schema.json | 79 ++++++++++++++----- .../values.schema.tmpl.json | 59 +++++++++++--- charts/trusted-artifact-signer/values.yaml | 49 ++++++------ examples/values-kind-sigstore.yaml | 12 ++- ...es-sigstore-openshift-byo-fulcio-root.yaml | 8 +- ...lues-sigstore-openshift-byo-rekor-key.yaml | 8 +- examples/values-sigstore-openshift.yaml | 10 ++- sign-verify.md | 2 +- tas-clients/{Containerfile => Dockerfile} | 0 tas-clients/resources/deployment.yaml | 34 -------- tas-clients/resources/kustomization.yaml | 12 --- tas-clients/resources/route.yaml | 18 ----- tas-clients/resources/service.yaml | 15 ---- tas-clients/resources/serviceaccount.yaml | 6 -- 26 files changed, 305 insertions(+), 191 deletions(-) create mode 100644 charts/trusted-artifact-signer/templates/clientserver-deployment.yaml create mode 100644 charts/trusted-artifact-signer/templates/clientserver-route.yaml create mode 100644 charts/trusted-artifact-signer/templates/clientserver-sa.yaml create mode 100644 charts/trusted-artifact-signer/templates/clientserver-service.yaml rename {tas-clients/resources => charts/trusted-artifact-signer/templates}/consoleclidownload-cosign.yaml (56%) rename {tas-clients/resources => charts/trusted-artifact-signer/templates}/consoleclidownload-gitsign.yaml (57%) rename tas-clients/{Containerfile => Dockerfile} (100%) delete mode 100644 
tas-clients/resources/deployment.yaml delete mode 100644 tas-clients/resources/kustomization.yaml delete mode 100644 tas-clients/resources/route.yaml delete mode 100644 tas-clients/resources/service.yaml delete mode 100644 tas-clients/resources/serviceaccount.yaml diff --git a/charts/trusted-artifact-signer/Chart.yaml b/charts/trusted-artifact-signer/Chart.yaml index 9fec24fc..510a9867 100644 --- a/charts/trusted-artifact-signer/Chart.yaml +++ b/charts/trusted-artifact-signer/Chart.yaml @@ -33,4 +33,4 @@ sources: # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.8 +version: 0.1.9 diff --git a/charts/trusted-artifact-signer/README.md b/charts/trusted-artifact-signer/README.md index ae8643a6..b29a19dd 100644 --- a/charts/trusted-artifact-signer/README.md +++ b/charts/trusted-artifact-signer/README.md @@ -3,7 +3,7 @@ A Helm chart for deploying Sigstore scaffold chart that is opinionated for OpenShift -![Version: 0.1.8](https://img.shields.io/badge/Version-0.1.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.1.9](https://img.shields.io/badge/Version-0.1.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ## Overview 
@@ -84,21 +84,29 @@ Kubernetes: `>= 1.19.0-0` | Key | Description | Type | Default | |-----|-------------|------|---------| -| configs.cosign.appsSubdomain | DNS name to be used to generate environment variables for cosign commands. By default, in OpenShift, the value for this is apps.$(oc get dns cluster -o jsonpath='{ .spec.baseDomain }') | string | `""` | -| configs.cosign.create | whether to create the cosign namespace | bool | `true` | -| configs.cosign.image | Image containing the cosign binary as well as environment variables with the base domain injected. | object | `{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"securesign/cosign","version":"v2.1.1"}` | -| configs.cosign.name | Name of deployment | string | `"cosign"` | -| configs.cosign.namespace | namespace for cosign resources | string | `"cosign"` | -| configs.cosign.rolebindings | names for rolebindings to add clusterroles to cosign serviceaccounts. The names must match the serviceaccount names in the cosign namespace. | list | `["cosign"]` | -| configs.ctlog.create | Whether to create the ctlog namespace | bool | `true` | -| configs.ctlog.namespace | Namespace for ctlog resources | string | `"ctlog-system"` | +| configs.clientserver.consoleDownload | This can only be enabled if the OpenShift CRD is registered. 
| bool | `true` | +| configs.clientserver.image.pullPolicy | | string | `"IfNotPresent"` | +| configs.clientserver.image.registry | | string | `"quay.io"` | +| configs.clientserver.image.repository | | string | `"sallyom/tas-clients"` | +| configs.clientserver.image.version | | string | `"httpd"` | +| configs.clientserver.name | | string | `"tas-clients"` | +| configs.clientserver.namespace | | string | `"trusted-artifact-signer-clientserver"` | +| configs.clientserver.namespace_create | | bool | `true` | +| configs.cosign_deploy.enabled | | bool | `false` | +| configs.cosign_deploy.image | Image containing the cosign binary as well as environment variables with the base domain injected. | object | `{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"securesign/cosign","version":"v2.1.1"}` | +| configs.cosign_deploy.name | Name of deployment | string | `"cosign"` | +| configs.cosign_deploy.namespace | | string | `"cosign"` | +| configs.cosign_deploy.namespace_create | | bool | `true` | +| configs.cosign_deploy.rolebindings | names for rolebindings to add clusterroles to cosign serviceaccounts. The names must match the serviceaccount names in the cosign namespace. | list | `["cosign"]` | +| configs.ctlog.namespace | | string | `"ctlog-system"` | +| configs.ctlog.namespace_create | | bool | `true` | | configs.ctlog.rolebindings | Names for rolebindings to add clusterroles to ctlog serviceaccounts. The names must match the serviceaccount names in the ctlog namespace. 
| list | `["ctlog","ctlog-createtree","trusted-artifact-signer-ctlog-createctconfig"]` | | configs.fulcio.clusterMonitoring.enabled | | bool | `true` | | configs.fulcio.clusterMonitoring.endpoints[0].interval | | string | `"30s"` | | configs.fulcio.clusterMonitoring.endpoints[0].port | | string | `"2112-tcp"` | | configs.fulcio.clusterMonitoring.endpoints[0].scheme | | string | `"http"` | -| configs.fulcio.create | Whether to create the fulcio namespace | bool | `true` | -| configs.fulcio.namespace | Namespace for fulcio resources | string | `"fulcio-system"` | +| configs.fulcio.namespace | | string | `"fulcio-system"` | +| configs.fulcio.namespace_create | | bool | `true` | | configs.fulcio.rolebindings | Names for rolebindings to add clusterroles to fulcio serviceaccounts. The names must match the serviceaccount names in the fulcio namespace. | list | `["fulcio-createcerts","fulcio-server"]` | | configs.fulcio.server.secret.name | | string | `""` | | configs.fulcio.server.secret.password | password to decrypt the signing key | string | `""` | 
@@ -112,19 +120,20 @@ Kubernetes: `>= 1.19.0-0` | configs.rekor.clusterMonitoring.endpoints[0].interval | | string | `"30s"` | | configs.rekor.clusterMonitoring.endpoints[0].port | | string | `"2112-tcp"` | | configs.rekor.clusterMonitoring.endpoints[0].scheme | | string | `"http"` | -| configs.rekor.create | whether to create the rekor namespace | bool | `true` | -| configs.rekor.namespace | namespace for rekor resources | string | `"rekor-system"` | +| configs.rekor.namespace | | string | `"rekor-system"` | +| configs.rekor.namespace_create | | bool | `true` | | configs.rekor.rolebindings | names for rolebindings to add clusterroles to rekor serviceaccounts. The names must match the serviceaccount names in the rekor namespace. | list | `["rekor-redis","rekor-server","trusted-artifact-signer-rekor-createtree"]` | | configs.rekor.signer | Signer holds secret that contains the private key used to sign entries and the tree head of the transparency log When this section is left out, scaffold.rekor creates the secret and key. | object | `{"secret":{"name":"","private_key":"","private_key_file":""}}` | | configs.rekor.signer.secret.name | Name of the secret to create with the private key data. This name must match the value in scaffold.rekor.server.signer.signerFileSecretOptions.secretName. | string | `""` | | configs.rekor.signer.secret.private_key | Private encrypted signing key | string | `""` | | configs.rekor.signer.secret.private_key_file | File containing a private encrypted signing key | string | `""` | -| configs.trillian.create | whether to create the trillian namespace | bool | `true` | -| configs.trillian.namespace | namespace for trillian resources | string | `"trillian-system"` | +| configs.trillian.namespace | | string | `"trillian-system"` | +| configs.trillian.namespace_create | | bool | `true` | | configs.trillian.rolebindings | names for rolebindings to add clusterroles to trillian serviceaccounts. 
The names must match the serviceaccount names in the trillian namespace. | list | `["trillian-logserver","trillian-logsigner","trillian-mysql"]` | -| configs.tuf.create | whether to create the tuf namespace | bool | `true` | -| configs.tuf.namespace | namespace for tuf resources | string | `"tuf-system"` | +| configs.tuf.namespace | | string | `"tuf-system"` | +| configs.tuf.namespace_create | | bool | `true` | | configs.tuf.rolebindings | names for rolebindings to add clusterroles to tuf serviceaccounts. The names must match the serviceaccount names in the tuf namespace. | list | `["tuf","tuf-secret-copy-job"]` | +| global.appsSubdomain | DNS name to generate environment variables and consoleCLIDownload urls. By default, in OpenShift, the value for this is apps.$(oc get dns cluster -o jsonpath='{ .spec.baseDomain }') | string | `""` | | rbac.clusterrole | clusterrole to be added to sigstore component serviceaccounts. | string | `"system:openshift:scc:anyuid"` | | scaffold.copySecretJob.backoffLimit | | int | `1000` | | scaffold.copySecretJob.enabled | | bool | `true` | diff --git a/charts/trusted-artifact-signer/ci/ci-values.yaml b/charts/trusted-artifact-signer/ci/ci-values.yaml index ebd462ed..eb86b2a2 100644 --- a/charts/trusted-artifact-signer/ci/ci-values.yaml +++ b/charts/trusted-artifact-signer/ci/ci-values.yaml @@ -6,13 +6,18 @@ # For root & key requirements, see ../requirements-keys-certs.md # Note: User must substitute for localhost below. --- +global: + appsSubdomain: localhost + configs: - cosign: - appsSubdomain: localhost + clientserver: + consoleDownload: false + cosign_deploy: + enabled: true fulcio: - create: false + namespace_create: false rekor: - create: false + namespace_create: false # github.com/sigstore/helm-charts/charts scaffold: diff --git a/charts/trusted-artifact-signer/templates/clientserver-deployment.yaml b/charts/trusted-artifact-signer/templates/clientserver-deployment.yaml new file mode 100644 index 00000000..74a17a88 
--- /dev/null +++ b/charts/trusted-artifact-signer/templates/clientserver-deployment.yaml @@ -0,0 +1,37 @@ +{{- if .Values.configs.clientserver.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .Values.configs.clientserver.name }} + namespace: {{ .Values.configs.clientserver.namespace }} + labels: + app: {{ .Values.configs.clientserver.name }} +spec: + selector: + matchLabels: + app: {{ .Values.configs.clientserver.name }} + template: + metadata: + labels: + app: {{ .Values.configs.clientserver.name }} + spec: + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + serviceAccountName: {{ .Values.configs.clientserver.name }} + containers: + - name: tas-clients + image: "{{ .Values.configs.clientserver.image.registry }}/{{ .Values.configs.clientserver.image.repository }}:{{ .Values.configs.clientserver.image.version }}" + #image: quay.io/sallyom/tas-clients:httpd + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8080 + protocol: TCP + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL +{{- end }} + diff --git a/charts/trusted-artifact-signer/templates/clientserver-route.yaml b/charts/trusted-artifact-signer/templates/clientserver-route.yaml new file mode 100644 index 00000000..002867f5 --- /dev/null +++ b/charts/trusted-artifact-signer/templates/clientserver-route.yaml @@ -0,0 +1,21 @@ +{{- if .Values.configs.clientserver.enabled }} +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + labels: + app: {{ .Values.configs.clientserver.name }} + name: {{ .Values.configs.clientserver.name }} + namespace: {{ .Values.configs.clientserver.namespace }} +spec: + port: + targetPort: 8080-tcp + tls: + insecureEdgeTerminationPolicy: Redirect + termination: edge + to: + kind: Service + name: {{ .Values.configs.clientserver.name }} + weight: 100 + wildcardPolicy: None +{{- end }} + 
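Review bot: Every new clientserver template is wrapped in `{{- if .Values.configs.clientserver.enabled }}`, but no `enabled` key appears under `configs.clientserver` in values.yaml, ci-values.yaml or either values.schema file in this series, so the condition evaluates to nil and the Deployment, Route, ServiceAccount, Service and both ConsoleCLIDownload objects never render — CI is linting a chart that deploys nothing new. Add `enabled: true` (or `false`, if opt-in is intended) to `configs.clientserver` in values.yaml and both schema files, and set it explicitly in ci-values.yaml. In this Deployment the container name is the literal `tas-clients` while every other field uses `.Values.configs.clientserver.name`, `imagePullPolicy: IfNotPresent` ignores the `image.pullPolicy` value that values.yaml defines, and the commented-out `#image: quay.io/sallyom/tas-clients:httpd` line is leftover; `imagePullPolicy: {{ .Values.configs.clientserver.image.pullPolicy }}` fixes the second of these.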
diff --git a/charts/trusted-artifact-signer/templates/clientserver-sa.yaml b/charts/trusted-artifact-signer/templates/clientserver-sa.yaml new file mode 100644 index 00000000..08925a6a --- /dev/null +++ b/charts/trusted-artifact-signer/templates/clientserver-sa.yaml @@ -0,0 +1,8 @@ +{{- if .Values.configs.clientserver.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.configs.clientserver.name }} + namespace: {{ .Values.configs.clientserver.namespace }} +{{- end }} + diff --git a/charts/trusted-artifact-signer/templates/clientserver-service.yaml b/charts/trusted-artifact-signer/templates/clientserver-service.yaml new file mode 100644 index 00000000..3640c5cb --- /dev/null +++ b/charts/trusted-artifact-signer/templates/clientserver-service.yaml @@ -0,0 +1,19 @@ +{{- if .Values.configs.clientserver.enabled }} +apiVersion: v1 +kind: Service +metadata: + labels: + app: {{ .Values.configs.clientserver.name }} + name: {{ .Values.configs.clientserver.name }} + namespace: {{ .Values.configs.clientserver.namespace }} +spec: + ports: + - name: 8080-tcp + port: 8080 + protocol: TCP + targetPort: 8080 + selector: + app: {{ .Values.configs.clientserver.name }} + type: ClusterIP +{{- end }} + diff --git a/tas-clients/resources/consoleclidownload-cosign.yaml b/charts/trusted-artifact-signer/templates/consoleclidownload-cosign.yaml similarity index 56% rename from tas-clients/resources/consoleclidownload-cosign.yaml rename to charts/trusted-artifact-signer/templates/consoleclidownload-cosign.yaml index d609e075..92c1b63c 100644 --- a/tas-clients/resources/consoleclidownload-cosign.yaml +++ b/charts/trusted-artifact-signer/templates/consoleclidownload-cosign.yaml @@ -1,3 +1,4 @@ +{{- if .Values.configs.clientserver.enabled }} apiVersion: console.openshift.io/v1 kind: ConsoleCLIDownload metadata: 
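Review bot: Both ConsoleCLIDownload templates are gated only on `.Values.configs.clientserver.enabled`, while `consoleDownload` — documented in values.yaml as the switch for exactly these objects and set to `false` in ci-values.yaml — is read nowhere in this series, so on a cluster without the `console.openshift.io` CRD the install would still try to create them once the server is enabled. Gate this file and the gitsign template with `{{- if and .Values.configs.clientserver.enabled .Values.configs.clientserver.consoleDownload }}`.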
@@ -7,5 +8,6 @@ spec: manage sigstore artifacts. displayName: cosign - Command Line Interface (CLI) links: - - href: https://tas-clients-trusted-artifact-signer.apps.open-svc-sts.k1wl.p1.openshiftapps.com/clients/cosign + - href: "https://{{ $.Values.configs.clientserver.name }}-{{ $.Values.configs.clientserver.namespace }}.{{ $.Values.global.appsSubdomain }}/clients/cosign" text: Download cosign for Linux x86_64 +{{- end }} diff --git a/tas-clients/resources/consoleclidownload-gitsign.yaml b/charts/trusted-artifact-signer/templates/consoleclidownload-gitsign.yaml similarity index 57% rename from tas-clients/resources/consoleclidownload-gitsign.yaml rename to charts/trusted-artifact-signer/templates/consoleclidownload-gitsign.yaml index 23c046b1..d90434ba 100644 --- a/tas-clients/resources/consoleclidownload-gitsign.yaml +++ b/charts/trusted-artifact-signer/templates/consoleclidownload-gitsign.yaml @@ -1,3 +1,4 @@ +{{- if .Values.configs.clientserver.enabled }} apiVersion: console.openshift.io/v1 kind: ConsoleCLIDownload metadata: @@ -7,5 +8,7 @@ spec: digitally sign and verify git commits. displayName: gitsign - Command Line Interface (CLI) links: - - href: https://tas-clients-trusted-artifact-signer.apps.open-svc-sts.k1wl.p1.openshiftapps.com/clients/gitsign + - href: "https://{{ $.Values.configs.clientserver.name }}-{{ $.Values.configs.clientserver.namespace }}.{{ $.Values.global.appsSubdomain }}/clients/gitsign" text: Download gitsign for Linux x86_64 +{{- end }} + diff --git a/charts/trusted-artifact-signer/templates/cosign-deployment.yaml b/charts/trusted-artifact-signer/templates/cosign-deployment.yaml index d6fa0c79..4b798a11 100644 --- a/charts/trusted-artifact-signer/templates/cosign-deployment.yaml +++ b/charts/trusted-artifact-signer/templates/cosign-deployment.yaml 
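Review bot: The href is assembled from `{{ name }}-{{ namespace }}.{{ $.Values.global.appsSubdomain }}`, and `global.appsSubdomain` defaults to `""` in values.yaml, so with default values the console is given `https://tas-clients-trusted-artifact-signer-clientserver./clients/cosign`, a dead download link; the gitsign template in this hunk has the same construction. Failing at render time is better than publishing a broken link: replace the bare reference with `{{ required "global.appsSubdomain must be set when consoleDownload is enabled" $.Values.global.appsSubdomain }}`. The host also assumes the Route keeps its generated `<name>-<namespace>.<appsSubdomain>` form, which holds for `clientserver-route.yaml` in this series but silently breaks if `spec.host` is ever set there.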
@@ -1,29 +1,30 @@ +{{- if .Values.configs.cosign_deploy.enabled }} apiVersion: apps/v1 kind: Deployment metadata: - name: {{ .Values.configs.cosign.name }} - namespace: {{ .Values.configs.cosign.namespace }} + name: {{ .Values.configs.cosign_deploy.name }} + namespace: {{ .Values.configs.cosign_deploy.namespace }} spec: selector: matchLabels: - app: {{ .Values.configs.cosign.name }} + app: {{ .Values.configs.cosign_deploy.name }} template: metadata: labels: - app: {{ .Values.configs.cosign.name }} + app: {{ .Values.configs.cosign_deploy.name }} spec: securityContext: runAsNonRoot: true runAsUser: 65533 - {{- if $.Values.configs.cosign.rolebindings }} - serviceAccountName: {{ index .Values.configs.cosign.rolebindings 0 }} + {{- if $.Values.configs.cosign_deploy.rolebindings }} + serviceAccountName: {{ index .Values.configs.cosign_deploy.rolebindings 0 }} {{- end }} containers: - - name: {{ .Values.configs.cosign.name }} - image: "{{ .Values.configs.cosign.image.registry }}/{{ .Values.configs.cosign.image.repository }}:{{ .Values.configs.cosign.image.version }}" + - name: {{ .Values.configs.cosign_deploy.name }} + image: "{{ .Values.configs.cosign_deploy.image.registry }}/{{ .Values.configs.cosign_deploy.image.repository }}:{{ .Values.configs.cosign_deploy.image.version }}" env: - name: OPENSHIFT_APPS_SUBDOMAIN - value: {{ .Values.configs.cosign.appsSubdomain }} + value: {{ .Values.global.appsSubdomain }} - name: OIDC_AUTHENTICATION_REALM value: "sigstore" - name: FULCIO_URL @@ -38,4 +39,5 @@ spec: allowPrivilegeEscalation: false capabilities: drop: - - ALL \ No newline at end of file + - ALL +{{- end }} diff --git a/charts/trusted-artifact-signer/templates/cosign-sa.yaml b/charts/trusted-artifact-signer/templates/cosign-sa.yaml index 894f7a7a..27fe6624 100644 --- a/charts/trusted-artifact-signer/templates/cosign-sa.yaml +++ b/charts/trusted-artifact-signer/templates/cosign-sa.yaml 
@@ -1,8 +1,10 @@ -{{- if $.Values.configs.cosign.rolebindings }} +{{- if .Values.configs.cosign_deploy.enabled }} +{{- if .Values.configs.cosign_deploy.rolebindings }} --- apiVersion: v1 kind: ServiceAccount metadata: - namespace: {{ .Values.configs.cosign.namespace }} - name: {{ index .Values.configs.cosign.rolebindings 0 }} + namespace: {{ .Values.configs.cosign_deploy.namespace }} + name: {{ index .Values.configs.cosign_deploy.rolebindings 0 }} +{{- end }} {{- end }} diff --git a/charts/trusted-artifact-signer/templates/namespace.yaml b/charts/trusted-artifact-signer/templates/namespace.yaml index 55e28146..9ac7cbac 100644 --- a/charts/trusted-artifact-signer/templates/namespace.yaml +++ b/charts/trusted-artifact-signer/templates/namespace.yaml @@ -1,5 +1,5 @@ {{- range $configKey, $config := .Values.configs }} -{{- if $config.create }} +{{- if $config.namespace_create }} --- apiVersion: v1 kind: Namespace diff --git a/charts/trusted-artifact-signer/values.schema.json b/charts/trusted-artifact-signer/values.schema.json index 0d5fbcb5..7d4ffde6 100644 --- a/charts/trusted-artifact-signer/values.schema.json +++ b/charts/trusted-artifact-signer/values.schema.json @@ -3,12 +3,9 @@ "properties": { "configs": { "properties": { - "cosign": { + "clientserver": { "properties": { - "appsSubdomain": { - "type": "string" - }, - "create": { + "consoleDownload": { "type": "boolean" }, "image": { @@ -34,6 +31,40 @@ "namespace": { "type": "string" }, + "namespace_create": { + "type": "boolean" + } + }, + "type": "object" + }, + "cosign_deploy": { + "properties": { + "enabled": { + "type": "boolean" + }, + "image": { + "properties": { + "pullPolicy": { + "type": "string" + }, + "registry": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "version": { + "type": "string" + } + }, + "type": "object" + }, + "namespace": { + "type": "string" + }, + "namespace_create": { + "type": "boolean" + }, "rolebindings": { "items": { "type": "string" 
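Review bot: `namespace.yaml` creates a Namespace for every entry under `configs` that has `namespace_create: true`, and values.yaml in this commit sets `cosign_deploy.namespace_create: true` next to `enabled: false`, so a default install creates an empty `cosign` namespace (and would do the same for the clientserver namespace while its templates are disabled). Skip entries that carry an explicit `enabled: false`: `{{- if and $config.namespace_create (or (not (hasKey $config "enabled")) $config.enabled) }}`; the `hasKey` guard leaves components without an `enabled` key behaving as before.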
@@ -45,12 +76,12 @@ }, "ctlog": { "properties": { - "create": { - "type": "boolean" - }, "namespace": { "type": "string" }, + "namespace_create": { + "type": "boolean" + }, "rolebindings": { "items": { "type": "string" @@ -84,12 +115,12 @@ }, "type": "object" }, - "create": { - "type": "boolean" - }, "namespace": { "type": "string" }, + "namespace_create": { + "type": "boolean" + }, "rolebindings": { "items": { "type": "string" @@ -157,12 +188,12 @@ }, "type": "object" }, - "create": { - "type": "boolean" - }, "namespace": { "type": "string" }, + "namespace_create": { + "type": "boolean" + }, "rolebindings": { "items": { "type": "string" @@ -193,12 +224,12 @@ }, "trillian": { "properties": { - "create": { - "type": "boolean" - }, "namespace": { "type": "string" }, + "namespace_create": { + "type": "boolean" + }, "rolebindings": { "items": { "type": "string" @@ -210,12 +241,12 @@ }, "tuf": { "properties": { - "create": { - "type": "boolean" - }, "namespace": { "type": "string" }, + "namespace_create": { + "type": "boolean" + }, "rolebindings": { "items": { "type": "string" @@ -228,6 +259,14 @@ }, "type": "object" }, + "global": { + "properties": { + "appsSubdomain": { + "type": "string" + } + }, + "type": "object" + }, "rbac": { "properties": { "clusterrole": { diff --git a/charts/trusted-artifact-signer/values.schema.tmpl.json b/charts/trusted-artifact-signer/values.schema.tmpl.json index 96559708..a123f287 100644 --- a/charts/trusted-artifact-signer/values.schema.tmpl.json +++ b/charts/trusted-artifact-signer/values.schema.tmpl.json @@ -4,6 +4,14 @@ "type": "object", "title": "Root Schema", "properties": { + "global": { + "type": "object", + "properties": { + "appsSubdomain": { + "type": "string" + } + } + }, "scaffold": { "title": "Upstream Sigstore Scaffold chart schema.", "$ref": "https://raw.githubusercontent.com/sigstore/helm-charts/main/charts/scaffold/values.schema.json" 
@@ -11,14 +19,20 @@ "configs": { "type": "object", "properties": { - "cosign": { + "clientserver": { "properties": { - "appsSubdomain": { + "consoleDownload": { + "type": "boolean" + }, + "name": { "type": "string" }, - "create": { + "namespace_create": { "type": "boolean" }, + "namespace": { + "type": "string" + }, "image": { "properties": { "pullPolicy": { @@ -35,13 +49,38 @@ } }, "type": "object" + } + }, + "type": "object" + }, + "cosign_deploy": { + "properties": { + "enabled": { + "type": "boolean" }, - "name": { - "type": "string" + "namespace_create": { + "type": "boolean" }, "namespace": { "type": "string" }, + "image": { + "properties": { + "pullPolicy": { + "type": "string" + }, + "registry": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "version": { + "type": "string" + } + }, + "type": "object" + }, "rolebindings": { "items": { "type": "string" @@ -53,7 +92,7 @@ }, "ctlog": { "properties": { - "create": { + "namespace_create": { "type": "boolean" }, "namespace": { @@ -70,7 +109,7 @@ }, "fulcio": { "properties": { - "create": { + "namespace_create": { "type": "boolean" }, "namespace": { @@ -143,7 +182,7 @@ }, "rekor": { "properties": { - "create": { + "namespace_create": { "type": "boolean" }, "namespace": { @@ -201,7 +240,7 @@ }, "trillian": { "properties": { - "create": { + "namespace_create": { "type": "boolean" }, "namespace": { @@ -218,7 +257,7 @@ }, "tuf": { "properties": { - "create": { + "namespace_create": { "type": "boolean" }, "namespace": { diff --git a/charts/trusted-artifact-signer/values.yaml b/charts/trusted-artifact-signer/values.yaml index dcd0e222..e5d3d03c 100644 --- a/charts/trusted-artifact-signer/values.yaml +++ b/charts/trusted-artifact-signer/values.yaml 
@@ -1,9 +1,25 @@ +global: + # -- DNS name to generate environment variables and consoleCLIDownload urls. + # By default, in OpenShift, the value for this is + # apps.$(oc get dns cluster -o jsonpath='{ .spec.baseDomain }') + appsSubdomain: "" + configs: + clientserver: + # -- Whether to create the OpenShift resource 'ConsoleCLIDownload' for each binary. + # -- This can only be enabled if the OpenShift CRD is registered. + consoleDownload: true + name: tas-clients + namespace_create: true + namespace: trusted-artifact-signer-clientserver + image: + registry: quay.io + repository: sallyom/tas-clients + version: httpd + pullPolicy: IfNotPresent ctlog: - # -- Namespace for ctlog resources namespace: ctlog-system - # -- Whether to create the ctlog namespace - create: true + namespace_create: true # -- Names for rolebindings to add clusterroles to ctlog serviceaccounts. # The names must match the serviceaccount names in the ctlog namespace. rolebindings: @@ -12,10 +28,8 @@ configs: - trusted-artifact-signer-ctlog-createctconfig rekor: - # -- namespace for rekor resources + namespace_create: true namespace: rekor-system - # -- whether to create the rekor namespace - create: true # -- names for rolebindings to add clusterroles to rekor serviceaccounts. # The names must match the serviceaccount names in the rekor namespace. rolebindings: @@ -43,10 +57,8 @@ configs: scheme: http fulcio: - # -- Namespace for fulcio resources + namespace_create: true namespace: fulcio-system - # -- Whether to create the fulcio namespace - create: true # -- Names for rolebindings to add clusterroles to fulcio serviceaccounts. # The names must match the serviceaccount names in the fulcio namespace. rolebindings: 
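Review bot: The default `configs.clientserver.image` added in this hunk points at a personal namespace with a mutable tag, `repository: sallyom/tas-clients` / `version: httpd`, and this is the image that serves the cosign and gitsign binaries users download, so whoever can push to that repository or move the `httpd` tag controls the signing tools the chart hands out. The `cosign_deploy` default documented later in this series uses an organization repository with a versioned tag (`securesign/cosign`, `v2.1.1`), and the client server should follow the same pattern: an organization-owned repository with `version: <release-tag>` or an `@sha256:` digest, and a README note that the current value is a placeholder to be overridden. Separately, `# -- This can only be enabled if the OpenShift CRD is registered.` starts a second helm-docs description marker under `consoleDownload`; the continuation line should be a plain `#` comment so the README row carries the whole sentence.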
@@ -84,10 +96,8 @@ configs: scheme: http trillian: - # -- namespace for trillian resources + namespace_create: true namespace: trillian-system - # -- whether to create the trillian namespace - create: true # -- names for rolebindings to add clusterroles to trillian serviceaccounts. # The names must match the serviceaccount names in the trillian namespace. rolebindings: @@ -96,25 +106,18 @@ configs: - trillian-mysql tuf: - # -- namespace for tuf resources namespace: tuf-system - # -- whether to create the tuf namespace - create: true + namespace_create: true # -- names for rolebindings to add clusterroles to tuf serviceaccounts. # The names must match the serviceaccount names in the tuf namespace. rolebindings: - tuf - tuf-secret-copy-job - cosign: - # -- DNS name to be used to generate environment variables for cosign commands. - # By default, in OpenShift, the value for this is - # apps.$(oc get dns cluster -o jsonpath='{ .spec.baseDomain }') - appsSubdomain: "" - # -- namespace for cosign resources + cosign_deploy: + enabled: false namespace: cosign - # -- whether to create the cosign namespace - create: true + namespace_create: true # -- names for rolebindings to add clusterroles to cosign serviceaccounts. # The names must match the serviceaccount names in the cosign namespace. rolebindings: diff --git a/examples/values-kind-sigstore.yaml b/examples/values-kind-sigstore.yaml index ff72803b..3ceea428 100644 --- a/examples/values-kind-sigstore.yaml +++ b/examples/values-kind-sigstore.yaml 
@@ -6,13 +6,17 @@ # For root & key requirements, see ../requirements-keys-certs.md # Note: User must substitute for $OPENSHIFT_APPS_SUBDOMAIN below. --- +global: + appsSubdomain: $OPENSHIFT_APPS_SUBDOMAIN configs: - cosign: - appsSubdomain: $OPENSHIFT_APPS_SUBDOMAIN + clientserver: + consoleDownload: false + cosign_deploy: + enabled: true fulcio: - create: false + namespace_create: false rekor: - create: false + namespace_create: false # github.com/sigstore/helm-charts/charts scaffold: diff --git a/examples/values-sigstore-openshift-byo-fulcio-root.yaml b/examples/values-sigstore-openshift-byo-fulcio-root.yaml index 9e1a928f..9fed3660 100644 --- a/examples/values-sigstore-openshift-byo-fulcio-root.yaml +++ b/examples/values-sigstore-openshift-byo-fulcio-root.yaml @@ -5,9 +5,13 @@ # Note: User must substitute for $OPENSHIFT_APPS_SUBDOMAIN below. # Base domain is results of "oc get dns cluster -o jsonpath='{ .spec.baseDomain }'" --- +global: + appsSubdomain: $OPENSHIFT_APPS_SUBDOMAIN configs: + cosign_deploy: + enabled: true rekor: - create: false + namespace_create: false fulcio: # -- whether to create the 'fulcio-system' namespace # When providing the fulcio server.secret, the ns already exists @@ -34,8 +38,6 @@ configs: -----BEGIN CERTIFICATE----- paste contents here -----END CERTIFICATE----- - cosign: - appsSubdomain: $OPENSHIFT_APPS_SUBDOMAIN # github.com/sigstore/helm-charts/charts scaffold: diff --git a/examples/values-sigstore-openshift-byo-rekor-key.yaml b/examples/values-sigstore-openshift-byo-rekor-key.yaml index 13ea776e..9dc356a2 100644 --- a/examples/values-sigstore-openshift-byo-rekor-key.yaml +++ b/examples/values-sigstore-openshift-byo-rekor-key.yaml 
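Review bot: The `create` to `namespace_create` rename looks incomplete in values-sigstore-openshift-byo-fulcio-root.yaml: the `fulcio:` block's hunk ends at the context comment `# When providing the fulcio server.secret, the ns already exists`, and the line that comment documents is not part of the diff, so if it still reads `create: false` it was not renamed and the chart default `namespace_create: true` would now try to create a namespace the example states already exists. The same applies to the `rekor:` block of values-sigstore-openshift-byo-rekor-key.yaml in the following hunk. Please check those lines and change any remaining `create: false` to `namespace_create: false`.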
@@ -5,9 +5,13 @@ # Note: User must substitute for $OPENSHIFT_APPS_SUBDOMAIN below. # Base domain is results of "oc get dns cluster -o jsonpath='{ .spec.baseDomain }'" --- +global: + appsSubdomain: $OPENSHIFT_APPS_SUBDOMAIN configs: + cosign_deploy: + enabled: true fulcio: - create: false + namespace_create: false rekor: # -- whether to create the 'rekor-system' namespace # When providing the rekor signer.secret, the ns already exists @@ -21,8 +25,6 @@ configs: -----BEGIN EC PRIVATE KEY----- paste contents here -----END EC PRIVATE KEY----- - cosign: - appsSubdomain: $OPENSHIFT_APPS_SUBDOMAIN # github.com/sigstore/helm-charts/charts scaffold: diff --git a/examples/values-sigstore-openshift.yaml b/examples/values-sigstore-openshift.yaml index 18312ede..0b1c0c06 100644 --- a/examples/values-sigstore-openshift.yaml +++ b/examples/values-sigstore-openshift.yaml @@ -7,13 +7,15 @@ # Note: User must substitute for $OPENSHIFT_APPS_SUBDOMAIN below. # Base domain is results of "oc get dns cluster -o jsonpath='{ .spec.baseDomain }'" --- +global: + appsSubdomain: $OPENSHIFT_APPS_SUBDOMAIN configs: - cosign: - appsSubdomain: $OPENSHIFT_APPS_SUBDOMAIN + cosign_deploy: + enabled: true fulcio: - create: false + namespace_create: false rekor: - create: false + namespace_create: false # github.com/sigstore/helm-charts/charts scaffold: diff --git a/sign-verify.md b/sign-verify.md index 92b8f917..675fef6c 100644 --- a/sign-verify.md +++ b/sign-verify.md 
@@ -55,7 +55,7 @@ If the signature verification did not result in an error, the deployment of Sigs Follow the steps below to sign an artifact using the cosign pod running in the cosign namespace. The `OPENSHIFT_APPS_SUBDOMAIN` environmental variable should be specified in the trusted-artifact-signer chart, -with `configs.cosign.appsSubdomain`. If it isn't, you'll need to set that variable in the cosign +with `global.appsSubdomain`. If it isn't, you'll need to set that variable in the cosign deployment pod specification. 1. Get the name of the pod. diff --git a/tas-clients/Containerfile b/tas-clients/Dockerfile similarity index 100% rename from tas-clients/Containerfile rename to tas-clients/Dockerfile diff --git a/tas-clients/resources/deployment.yaml b/tas-clients/resources/deployment.yaml deleted file mode 100644 index 44fd66a4..00000000 --- a/tas-clients/resources/deployment.yaml +++ /dev/null @@ -1,34 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: tas-clients-serve - namespace: trusted-artifact-signer - labels: - app: trusted-artifact-signer-clients -spec: - selector: - matchLabels: - app: trusted-artifact-signer-clients - template: - metadata: - labels: - app: trusted-artifact-signer-clients - spec: - securityContext: - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - serviceAccountName: tas-clients - containers: - - name: tas-clients - image: quay.io/sallyom/tas-clients:httpd - imagePullPolicy: IfNotPresent - ports: - - containerPort: 8080 - protocol: TCP - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - diff --git a/tas-clients/resources/kustomization.yaml b/tas-clients/resources/kustomization.yaml deleted file mode 100644 index 9705baf8..00000000 --- a/tas-clients/resources/kustomization.yaml +++ /dev/null 
@@ -1,12 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -namespace: trusted-artifact-signer - -resources: -- deployment.yaml -- service.yaml -- route.yaml -- serviceaccount.yaml -- consoleclidownload-cosign.yaml -- consoleclidownload-gitsign.yaml diff --git a/tas-clients/resources/route.yaml b/tas-clients/resources/route.yaml deleted file mode 100644 index e1f87ffc..00000000 --- a/tas-clients/resources/route.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - labels: - app: trusted-artifact-signer-clients - name: tas-clients - namespace: trusted-artifact-signer -spec: - port: - targetPort: 8080-tcp - tls: - insecureEdgeTerminationPolicy: Redirect - termination: edge - to: - kind: Service - name: tas-clients - weight: 100 - wildcardPolicy: None diff --git a/tas-clients/resources/service.yaml b/tas-clients/resources/service.yaml deleted file mode 100644 index 561653ee..00000000 --- a/tas-clients/resources/service.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - app: trusted-artifact-signer-clients - name: tas-clients -spec: - ports: - - name: 8080-tcp - port: 8080 - protocol: TCP - targetPort: 8080 - selector: - app: trusted-artifact-signer-clients - type: ClusterIP diff --git a/tas-clients/resources/serviceaccount.yaml b/tas-clients/resources/serviceaccount.yaml deleted file mode 100644 index 2cb1254a..00000000 --- a/tas-clients/resources/serviceaccount.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: tas-clients - namespace: trusted-artifact-signer - From 45025d6ce2f924de221d3bd7ecd547739bbd49ac Mon Sep 17 00:00:00 2001 From: Sally O'Malley Date: Fri, 13 Oct 2023 14:19:28 -0400 Subject: [PATCH 4/5] add auxiliary Containerfiles 
Signed-off-by: Sally O'Malley
---
 .../Dockerfile => images/Dockerfile-clientserver | 0
 images/Dockerfile-copy-secrets-job | 11 +++++++++++
 2 files changed, 11 insertions(+)
 rename tas-clients/Dockerfile => images/Dockerfile-clientserver (100%)
 create mode 100644 images/Dockerfile-copy-secrets-job
diff --git a/tas-clients/Dockerfile b/images/Dockerfile-clientserver
similarity index 100%
rename from tas-clients/Dockerfile
rename to images/Dockerfile-clientserver
diff --git a/images/Dockerfile-copy-secrets-job b/images/Dockerfile-copy-secrets-job
new file mode 100644
index 00000000..cd34982f
--- /dev/null
+++ b/images/Dockerfile-copy-secrets-job
@@ -0,0 +1,11 @@
+FROM registry.access.redhat.com/ubi9/ubi:latest as builder
+
+RUN curl -o oc.tar.gz https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/stable/openshift-client-linux.tar.gz && \
+ tar -xvf oc.tar.gz && \
+ chmod +x oc && \
+ chmod +x kubectl
+
+FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
+
+COPY --from=builder kubectl /usr/bin/
+COPY --from=builder oc /usr/bin/
From 4acf8329aab4f253e4692bac5994b64b87e04f50 Mon Sep 17 00:00:00 2001
From: Sally O'Malley
Date: Fri, 13 Oct 2023 14:32:46 -0400
Subject: [PATCH 5/5] clientserver route,console opts
---
 charts/trusted-artifact-signer/README.md | 1 +
 charts/trusted-artifact-signer/ci/ci-values.yaml | 1 +
 .../templates/clientserver-deployment.yaml | 3 ---
 .../trusted-artifact-signer/templates/clientserver-route.yaml | 2 +-
 charts/trusted-artifact-signer/templates/clientserver-sa.yaml | 2 --
 .../templates/clientserver-service.yaml | 2 --
 .../templates/consoleclidownload-cosign.yaml | 2 +-
 .../templates/consoleclidownload-gitsign.yaml | 2 +-
 charts/trusted-artifact-signer/values.schema.json | 3 +++
 charts/trusted-artifact-signer/values.schema.tmpl.json | 3 +++
 charts/trusted-artifact-signer/values.yaml | 2 ++
 examples/values-kind-sigstore.yaml | 1 +
 12 files changed, 14 insertions(+), 10 deletions(-)
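Review bot: The OpenShift client tarball in the new `RUN` is fetched from the moving `stable` channel with no integrity check, and both stages use `:latest`, so the image this job uses to read and copy secrets is built from unpinned inputs whose contents cannot be reproduced or audited later. `curl` is also run without `-f`, so an HTTP error body would be saved as `oc.tar.gz` and only surface as an obscure `tar` failure, and the final stage never sets `USER`, leaving the container as root unless the platform overrides it. Pin the base images and the client version, verify the archive against the `sha256sum.txt` the mirror publishes next to it before extracting, and drop to a non-root user; `as builder` should also be `AS builder` to match the casing of the other instructions.
```dockerfile
# Tags and digests below are placeholders; resolve them to the release you ship.
FROM registry.access.redhat.com/ubi9/ubi:<PINNED_TAG>@sha256:<DIGEST> AS builder

# Pin the client release and verify the archive against the mirror's published
# checksums before anything from it is extracted or executed.
ARG OCP_CLIENT_VERSION=<PINNED_OCP_VERSION>
RUN set -eu \
    && curl -fsSL -o oc.tar.gz "https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/${OCP_CLIENT_VERSION}/openshift-client-linux.tar.gz" \
    && curl -fsSL -o sha256sum.txt "https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/${OCP_CLIENT_VERSION}/sha256sum.txt" \
    && grep ' openshift-client-linux.tar.gz$' sha256sum.txt | sha256sum -c - \
    && tar -xf oc.tar.gz oc kubectl \
    && chmod +x oc kubectl

FROM registry.access.redhat.com/ubi9/ubi-minimal:<PINNED_TAG>@sha256:<DIGEST>
# … unchanged: COPY --from=builder of kubectl and oc into /usr/bin/ …
# Run the job as a non-root user; OpenShift may still assign a project-range UID.
USER 1001
```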
diff --git a/charts/trusted-artifact-signer/README.md b/charts/trusted-artifact-signer/README.md index b29a19dd..1b9d2891 100644 --- a/charts/trusted-artifact-signer/README.md +++ b/charts/trusted-artifact-signer/README.md @@ -92,6 +92,7 @@ Kubernetes: `>= 1.19.0-0` | configs.clientserver.name | | string | `"tas-clients"` | | configs.clientserver.namespace | | string | `"trusted-artifact-signer-clientserver"` | | configs.clientserver.namespace_create | | bool | `true` | +| configs.clientserver.route | Whether to create the OpenShift route resource | bool | `true` | | configs.cosign_deploy.enabled | | bool | `false` | | configs.cosign_deploy.image | Image containing the cosign binary as well as environment variables with the base domain injected. | object | `{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"securesign/cosign","version":"v2.1.1"}` | | configs.cosign_deploy.name | Name of deployment | string | `"cosign"` | diff --git a/charts/trusted-artifact-signer/ci/ci-values.yaml b/charts/trusted-artifact-signer/ci/ci-values.yaml index eb86b2a2..b586b0f9 100644 --- a/charts/trusted-artifact-signer/ci/ci-values.yaml +++ b/charts/trusted-artifact-signer/ci/ci-values.yaml @@ -12,6 +12,7 @@ global: configs: clientserver: consoleDownload: false + route: false cosign_deploy: enabled: true fulcio: diff --git a/charts/trusted-artifact-signer/templates/clientserver-deployment.yaml b/charts/trusted-artifact-signer/templates/clientserver-deployment.yaml index 74a17a88..aeb4b7f5 100644 --- a/charts/trusted-artifact-signer/templates/clientserver-deployment.yaml +++ b/charts/trusted-artifact-signer/templates/clientserver-deployment.yaml @@ -1,4 +1,3 @@ -{{- if .Values.configs.clientserver.enabled }} apiVersion: apps/v1 kind: Deployment metadata: @@ -33,5 +32,3 @@ spec: capabilities: drop: - ALL -{{- end }} - 
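Review bot: Removing `{{- if .Values.configs.clientserver.enabled }}` makes the Deployment unconditional, and the same change on the ServiceAccount and Service sections that follow leaves no switch at all to keep the client server out of an install. The guard apparently referred to a value values.yaml never defined (the `clientserver` block has `consoleDownload`, `name`, `namespace_create`, `namespace` and `image` but no `enabled`), which would have made these templates render nothing, so the fix that keeps the feature optional is to add `enabled: true` under `configs.clientserver` in values.yaml and the schema and keep `{{- if .Values.configs.clientserver.enabled }}` / `{{- end }}` in every clientserver template, with `route` and `consoleDownload` as sub-options. As written, operators who only want the Sigstore services still get an extra namespace, Deployment and Service.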
diff --git a/charts/trusted-artifact-signer/templates/clientserver-route.yaml b/charts/trusted-artifact-signer/templates/clientserver-route.yaml index 002867f5..fe638d22 100644 --- a/charts/trusted-artifact-signer/templates/clientserver-route.yaml +++ b/charts/trusted-artifact-signer/templates/clientserver-route.yaml @@ -1,4 +1,4 @@ -{{- if .Values.configs.clientserver.enabled }} +{{- if .Values.configs.clientserver.route }} apiVersion: route.openshift.io/v1 kind: Route metadata: diff --git a/charts/trusted-artifact-signer/templates/clientserver-sa.yaml b/charts/trusted-artifact-signer/templates/clientserver-sa.yaml index 08925a6a..36e3595a 100644 --- a/charts/trusted-artifact-signer/templates/clientserver-sa.yaml +++ b/charts/trusted-artifact-signer/templates/clientserver-sa.yaml @@ -1,8 +1,6 @@ -{{- if .Values.configs.clientserver.enabled }} apiVersion: v1 kind: ServiceAccount metadata: name: {{ .Values.configs.clientserver.name }} namespace: {{ .Values.configs.clientserver.namespace }} -{{- end }} diff --git a/charts/trusted-artifact-signer/templates/clientserver-service.yaml b/charts/trusted-artifact-signer/templates/clientserver-service.yaml index 3640c5cb..f347d450 100644 --- a/charts/trusted-artifact-signer/templates/clientserver-service.yaml +++ b/charts/trusted-artifact-signer/templates/clientserver-service.yaml @@ -1,4 +1,3 @@ -{{- if .Values.configs.clientserver.enabled }} apiVersion: v1 kind: Service metadata: @@ -15,5 +14,4 @@ spec: selector: app: {{ .Values.configs.clientserver.name }} type: ClusterIP -{{- end }} diff --git a/charts/trusted-artifact-signer/templates/consoleclidownload-cosign.yaml b/charts/trusted-artifact-signer/templates/consoleclidownload-cosign.yaml index 92c1b63c..1d3af426 100644 --- a/charts/trusted-artifact-signer/templates/consoleclidownload-cosign.yaml +++ b/charts/trusted-artifact-signer/templates/consoleclidownload-cosign.yaml 
@@ -1,4 +1,4 @@ -{{- if .Values.configs.clientserver.enabled }} +{{- if .Values.configs.clientserver.consoleDownload }} apiVersion: console.openshift.io/v1 kind: ConsoleCLIDownload metadata: diff --git a/charts/trusted-artifact-signer/templates/consoleclidownload-gitsign.yaml b/charts/trusted-artifact-signer/templates/consoleclidownload-gitsign.yaml index d90434ba..40b7e08e 100644 --- a/charts/trusted-artifact-signer/templates/consoleclidownload-gitsign.yaml +++ b/charts/trusted-artifact-signer/templates/consoleclidownload-gitsign.yaml @@ -1,4 +1,4 @@ -{{- if .Values.configs.clientserver.enabled }} +{{- if .Values.configs.clientserver.consoleDownload }} apiVersion: console.openshift.io/v1 kind: ConsoleCLIDownload metadata: diff --git a/charts/trusted-artifact-signer/values.schema.json b/charts/trusted-artifact-signer/values.schema.json index 7d4ffde6..0db50fdc 100644 --- a/charts/trusted-artifact-signer/values.schema.json +++ b/charts/trusted-artifact-signer/values.schema.json @@ -33,6 +33,9 @@ }, "namespace_create": { "type": "boolean" + }, + "route": { + "type": "boolean" } }, "type": "object" diff --git a/charts/trusted-artifact-signer/values.schema.tmpl.json b/charts/trusted-artifact-signer/values.schema.tmpl.json index a123f287..c15e7ca0 100644 --- a/charts/trusted-artifact-signer/values.schema.tmpl.json +++ b/charts/trusted-artifact-signer/values.schema.tmpl.json @@ -24,6 +24,9 @@ "consoleDownload": { "type": "boolean" }, + "route": { + "type": "boolean" + }, "name": { "type": "string" }, diff --git a/charts/trusted-artifact-signer/values.yaml b/charts/trusted-artifact-signer/values.yaml index e5d3d03c..fc422dbf 100644 --- a/charts/trusted-artifact-signer/values.yaml +++ b/charts/trusted-artifact-signer/values.yaml 
@@ -9,6 +9,8 @@ configs: # -- Whether to create the OpenShift resource 'ConsoleCLIDownload' for each binary. # -- This can only be enabled if the OpenShift CRD is registered. consoleDownload: true + # -- Whether to create the OpenShift route resource + route: true name: tas-clients namespace_create: true namespace: trusted-artifact-signer-clientserver diff --git a/examples/values-kind-sigstore.yaml b/examples/values-kind-sigstore.yaml index 3ceea428..fef315c5 100644 --- a/examples/values-kind-sigstore.yaml +++ b/examples/values-kind-sigstore.yaml @@ -11,6 +11,7 @@ global: configs: clientserver: consoleDownload: false + route: false cosign_deploy: enabled: true fulcio:
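Review bot: The new option's comment, `# -- Whether to create the OpenShift route resource`, lacks the caveat that `consoleDownload` carries two lines above it, and this text is what helm-docs copies into the README row for `configs.clientserver.route`. Both options default to `true`, so a default install on a cluster without the OpenShift Route CRD would presumably fail at apply time, which is why the kind example in the next hunk has to set both to `false`. Suggest `# -- Whether to create the OpenShift Route for the client server. Requires the Route CRD; set to false on non-OpenShift clusters.`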