diff --git a/charts/fulcio/Chart.yaml b/charts/fulcio/Chart.yaml index 1b7fd8f2..8c281bba 100644 --- a/charts/fulcio/Chart.yaml +++ b/charts/fulcio/Chart.yaml @@ -5,7 +5,7 @@ description: | type: application -version: 2.3.2 +version: 2.4.2 appVersion: 1.3.1 keywords: diff --git a/charts/fulcio/README.md b/charts/fulcio/README.md index c0353c40..6d29449b 100644 --- a/charts/fulcio/README.md +++ b/charts/fulcio/README.md @@ -2,7 +2,7 @@ -![Version: 2.3.2](https://img.shields.io/badge/Version-2.3.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.1](https://img.shields.io/badge/AppVersion-1.3.1-informational?style=flat-square) +![Version: 2.4.2](https://img.shields.io/badge/Version-2.4.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.1](https://img.shields.io/badge/AppVersion-1.3.1-informational?style=flat-square) Fulcio is a free code signing Certificate Authority, built to make short-lived certificates available to anyone. @@ -109,12 +109,14 @@ helm uninstall [RELEASE_NAME] | namespace.name | string | `"fulcio-system"` | | | server.args.aws_hsm_root_ca_path | string | `nil` | | | server.args.certificateAuthority | string | `"fileca"` | | +| server.args.creds | string | `""` | | | server.args.ct_log_url | string | `""` | | | server.args.disable_ct_log | bool | `false` | | | server.args.gcp_private_ca_parent | string | `"projects/test/locations/us-east1/caPools/test"` | | | server.args.grpcPort | int | `5554` | | | server.args.hsm_caroot_id | string | `nil` | | | server.args.port | int | `5555` | | +| server.env.GOOGLE_APPLICATION_CREDENTIALS | string | `"/etc/fulcio-config/cloud_credentials"` | | | server.grpcSvcPort | int | `5554` | | | server.image.pullPolicy | string | `"IfNotPresent"` | | | server.image.registry | string | `"gcr.io"` | | 
diff --git a/charts/fulcio/templates/fulcio-configmap.yaml b/charts/fulcio/templates/fulcio-configmap.yaml
index f8d30721..84837e5c 100644
--- a/charts/fulcio/templates/fulcio-configmap.yaml
+++ b/charts/fulcio/templates/fulcio-configmap.yaml
@@ -11,3 +11,4 @@ data:
 {{- if (eq .Values.server.args.certificateAuthority "kmsca")}}
 chain.pem: {{.Values.server.args.kms_cert_chain | quote }}
 {{- end }}
+ cloud_credentials: {{.Values.server.args.creds | quote }}
diff --git a/charts/fulcio/templates/fulcio-deployment.yaml b/charts/fulcio/templates/fulcio-deployment.yaml
index 6f3d9750..1a7c79b5 100644
--- a/charts/fulcio/templates/fulcio-deployment.yaml
+++ b/charts/fulcio/templates/fulcio-deployment.yaml
@@ -59,14 +59,27 @@ spec:
 - "--kms-cert-chain-path=/etc/fulcio-config/chain.pem"
 {{- end }}
 - "--ct-log-url={{ if .Values.server.args.disable_ct_log }}{{ else if .Values.server.args.ct_log_url }}{{ .Values.server.args.ct_log_url }}{{ else }}http://{{ .Values.ctlog.name }}.{{ .Values.ctlog.namespace.name }}.svc/{{ .Values.ctlog.createctconfig.logPrefix }}{{ end }}"
- {{- if eq .Values.server.args.certificateAuthority "fileca" }}
+{{- if .Values.server.env }}
 env:
- - name: PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ .Values.server.secret }}
- key: password
- {{- end }}
+{{- range $key, $value := .Values.server.env }}
+ - name: "{{ $key }}"
+ value: "{{ $value }}"
+{{- end }}
+{{- if eq .Values.server.args.certificateAuthority "fileca" }}
+ - name: PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.server.secret }}
+ key: password
+{{- end }}
+{{- else if eq .Values.server.args.certificateAuthority "fileca" }}
+ env:
+ - name: PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.server.secret }}
+ key: password
+{{- end }}
 volumeMounts:
 - name: fulcio-config
 mountPath: /etc/fulcio-config
diff --git a/charts/fulcio/values.yaml b/charts/fulcio/values.yaml
index f94d8a36..306786a7 100644
--- a/charts/fulcio/values.yaml
+++ b/charts/fulcio/values.yaml
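Review bot: `cloud_credentials` is rendered into the ConfigMap unconditionally, so with the chart default `creds: ""` every release ships an empty credentials file, and whatever a user does put in `.Values.server.args.creds` lands in a ConfigMap rather than a Secret. The values.yaml comment for the matching env var allows a "service account key JSON file", which is a long-lived credential; a ConfigMap is readable by any principal with configmap get/list in the namespace and is also retained in the Helm release history. I would at least gate the key on a non-empty value, `{{- if .Values.server.args.creds }}` / `cloud_credentials: {{ .Values.server.args.creds | quote }}` / `{{- end }}`, and document that only a workload identity federation config (no private key) belongs here, with key files delivered through a Secret mounted at the same path instead. The `data:` mapping this key belongs to starts before the hunk.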
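Review bot: `value: "{{ $value }}"` hand-wraps the rendered value in double quotes, so any `server.env` value containing a `"` or a backslash produces invalid YAML at render time; use the template quoting helper instead, `value: {{ $value | quote }}`, and likewise `name: {{ $key | quote }}`. The PASSWORD `secretKeyRef` entry is now duplicated verbatim across the `if .Values.server.env` and `else if` branches; a single `{{- if or .Values.server.env (eq .Values.server.args.certificateAuthority "fileca") }}` guard around `env:`, followed by the range and one fileca block, would keep the two copies from drifting apart. A short comment above the range, `# user-supplied env vars from .Values.server.env, then the fileca password`, would help the next reader see why there are two sources. The container spec this hunk edits starts before the hunk.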
@@ -20,9 +20,14 @@ server:
 # crane digest gcr.io/projectsigstore/fulcio:v1.3.1
 # -- v1.3.1
 version: sha256:c920be2d367214562cda7d53d3af3529edf2dfd9326b24909ece450092b97b18
+ env:
+ # Valid values: path to workload identity config or service account key JSON file
+ GOOGLE_APPLICATION_CREDENTIALS: /etc/fulcio-config/cloud_credentials
 args:
 port: 5555
 grpcPort: 5554
+ # valid values: GCP workload identity config json for trusted external cloud providers
+ creds: ""
 # Valid values: googleca, pkcs11ca, aws-hsm-root-ca-path, fileca, kmsca
 certificateAuthority: fileca
 # kms_resource: gcpkms://....
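Review bot: The default `env` entry sets `GOOGLE_APPLICATION_CREDENTIALS` for every deployment while `creds` defaults to `""`, so an out-of-the-box release points the variable at an empty file; as far as I know the Google auth libraries treat a set `GOOGLE_APPLICATION_CREDENTIALS` as authoritative rather than falling back to the metadata server, which would break `googleca` on a cluster that relies on workload identity unless the user clears the variable. I would default to `env: {}` and show the variable as a commented example. The two new comments also use plain `# ` rather than the `# -- ` prefix the file already uses (`# -- v1.3.1`), which is why the README rows added in this commit have empty descriptions; `# -- Path inside the container to a GCP workload identity federation config` and `# -- Contents of the GCP workload identity federation config (no service account key)` would be picked up. The comments disagree on whether a service account key is acceptable; since `creds` flows into a ConfigMap in this same commit, I would state that only the key-less federation config is supported and that key files belong in a Secret.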