Merge branch 'main' into feature/support-deployment-values-for-policy…

…-controlle-webhook Signed-off-by: Alex Shearn <[email protected]>
sigstore · Nov 2, 2024 · 41cd2d9 · 41cd2d9
2 parents 9e62a08 + 9f5d055
commit 41cd2d9
Show file tree

Hide file tree

Showing 43 changed files with 553 additions and 238 deletions.
diff --git a/.github/workflows/check-docs.yml b/.github/workflows/check-docs.yml
@@ -11,7 +11,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Run Helm Docs and check the outcome
         run: |

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -18,7 +18,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -10,14 +10,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
       - name: Set up Helm
         uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
 
-      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
           python-version: '3.x'
           check-latest: true

diff --git a/charts/ctlog/Chart.yaml b/charts/ctlog/Chart.yaml
@@ -4,8 +4,8 @@ description: Certificate Log
 
 type: application
 
-version: 0.2.57
-appVersion: 0.7.11
+version: 0.2.59
+appVersion: 0.7.15
 
 keywords:
   - security
@@ -20,10 +20,10 @@ annotations:
   artifacthub.io/license: Apache-2.0
   artifacthub.io/images: |
     - name: ct_server
-      image: ghcr.io/sigstore/scaffolding/ct_server:v0.7.11@sha256:d6238aba1c35d3a2aae832469b20618e19a638da5f70d37791d945ce010f2027
+      image: ghcr.io/sigstore/scaffolding/ct_server:v0.7.15@sha256:49bccd7bccd31f7232265410dcc075b0e2618045bff3075afcf84e630c8b77c3
     - name: createctconfig
-      image: ghcr.io/sigstore/scaffolding/createctconfig:v0.7.11@sha256:bcab917a07bb27f847531b145679b4b9a57bcaa85bb91e0b441ae9473c24fb79
+      image: ghcr.io/sigstore/scaffolding/createctconfig:v0.7.15@sha256:f0a4c3518a2b761260a47fee126db364087b9fe2d68e773d392f9cbabdccf198
     - name: createtree
-      image: ghcr.io/sigstore/scaffolding/createtree:v0.7.11@sha256:4e3614df07561b096f1bfe1e1f79582b1545d6253bfad0f79235a1a1af74ef03
+      image: ghcr.io/sigstore/scaffolding/createtree:v0.7.15@sha256:ee42272373b46a898b21a0aea21cf703e90048e03f45a4640381b4a04735ffd8
     - name: curlimages/curl
       image: docker.io/curlimages/curl:8.10.1@sha256:d9b4541e214bcd85196d6e92e2753ac6d0ea699f0af5741f8c6cccbfcf00ef4b
diff --git a/charts/ctlog/README.md b/charts/ctlog/README.md
@@ -1,6 +1,6 @@
 # ctlog
 
-![Version: 0.2.57](https://img.shields.io/badge/Version-0.2.57-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.11](https://img.shields.io/badge/AppVersion-0.7.11-informational?style=flat-square)
+![Version: 0.2.59](https://img.shields.io/badge/Version-0.2.59-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.15](https://img.shields.io/badge/AppVersion-0.7.15-informational?style=flat-square)
 
 Certificate Log
 
@@ -24,7 +24,7 @@ Certificate Log
 | createctconfig.image.pullPolicy | string | `"IfNotPresent"` |  |
 | createctconfig.image.registry | string | `"ghcr.io"` |  |
 | createctconfig.image.repository | string | `"sigstore/scaffolding/createctconfig"` |  |
-| createctconfig.image.version | string | `"sha256:bcab917a07bb27f847531b145679b4b9a57bcaa85bb91e0b441ae9473c24fb79"` | v0.7.11 |
+| createctconfig.image.version | string | `"sha256:f0a4c3518a2b761260a47fee126db364087b9fe2d68e773d392f9cbabdccf198"` | v0.7.15 |
 | createctconfig.initContainerImage.curl.imagePullPolicy | string | `"IfNotPresent"` |  |
 | createctconfig.initContainerImage.curl.registry | string | `"docker.io"` |  |
 | createctconfig.initContainerImage.curl.repository | string | `"curlimages/curl"` |  |
@@ -51,7 +51,7 @@ Certificate Log
 | createtree.image.pullPolicy | string | `"IfNotPresent"` |  |
 | createtree.image.registry | string | `"ghcr.io"` |  |
 | createtree.image.repository | string | `"sigstore/scaffolding/createtree"` |  |
-| createtree.image.version | string | `"sha256:4e3614df07561b096f1bfe1e1f79582b1545d6253bfad0f79235a1a1af74ef03"` |  |
+| createtree.image.version | string | `"sha256:ee42272373b46a898b21a0aea21cf703e90048e03f45a4640381b4a04735ffd8"` |  |
 | createtree.name | string | `"createtree"` |  |
 | createtree.nodeSelector | object | `{}` |  |
 | createtree.securityContext.runAsNonRoot | bool | `true` |  |
@@ -73,7 +73,7 @@ Certificate Log
 | server.image.pullPolicy | string | `"IfNotPresent"` |  |
 | server.image.registry | string | `"ghcr.io"` |  |
 | server.image.repository | string | `"sigstore/scaffolding/ct_server"` |  |
-| server.image.version | string | `"sha256:d6238aba1c35d3a2aae832469b20618e19a638da5f70d37791d945ce010f2027"` |  |
+| server.image.version | string | `"sha256:49bccd7bccd31f7232265410dcc075b0e2618045bff3075afcf84e630c8b77c3"` |  |
 | server.ingress.annotations | object | `{}` |  |
 | server.ingress.className | string | `"nginx"` |  |
 | server.ingress.enabled | bool | `false` |  |

diff --git a/charts/ctlog/templates/_helpers.tpl b/charts/ctlog/templates/_helpers.tpl
@@ -110,15 +110,9 @@ Server Arguments
 - {{ printf "--metrics_endpoint=0.0.0.0:%d" (.Values.server.portHTTPMetrics | int) | quote }}
 - "--log_config=/ctfe-keys/config"
 - "--alsologtostderr"
-{{- if .Values.server.extraArgs -}}
-{{- range $key, $value := .Values.server.extraArgs }}
-{{- if $value }}
-- {{ printf "%v=%v" $key $value | quote }}
-{{- else }}
-- {{ printf $key | quote }}
-{{- end }}
-{{- end }}
-{{- end -}}
+{{- range .Values.server.extraArgs }}
+- {{ . | quote }}
+{{ end }}
 {{- end -}}
 
 {{/*

diff --git a/charts/ctlog/values.yaml b/charts/ctlog/values.yaml
@@ -13,8 +13,8 @@ server:
     registry: ghcr.io
     repository: sigstore/scaffolding/ct_server
     pullPolicy: IfNotPresent
-    # v0.7.11
-    version: sha256:d6238aba1c35d3a2aae832469b20618e19a638da5f70d37791d945ce010f2027
+    # v0.7.15
+    version: sha256:49bccd7bccd31f7232265410dcc075b0e2618045bff3075afcf84e630c8b77c3
   livenessProbe:
     httpGet:
       path: /healthz
@@ -100,8 +100,8 @@ createtree:
     registry: ghcr.io
     repository: sigstore/scaffolding/createtree
     pullPolicy: IfNotPresent
-    # v0.7.11
-    version: sha256:4e3614df07561b096f1bfe1e1f79582b1545d6253bfad0f79235a1a1af74ef03
+    # v0.7.15
+    version: sha256:ee42272373b46a898b21a0aea21cf703e90048e03f45a4640381b4a04735ffd8
   ttlSecondsAfterFinished: 3600
   serviceAccount:
     create: true
@@ -132,8 +132,8 @@ createctconfig:
     registry: ghcr.io
     repository: sigstore/scaffolding/createctconfig
     pullPolicy: IfNotPresent
-    # -- v0.7.11
-    version: sha256:bcab917a07bb27f847531b145679b4b9a57bcaa85bb91e0b441ae9473c24fb79
+    # -- v0.7.15
+    version: sha256:f0a4c3518a2b761260a47fee126db364087b9fe2d68e773d392f9cbabdccf198
   fulcioURL: "http://fulcio-server.fulcio-system.svc"
   logPrefix: sigstorescaffolding
   privateKeyPasswordSecretName: ""

diff --git a/charts/fulcio/Chart.lock b/charts/fulcio/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: ctlog
   repository: https://sigstore.github.io/helm-charts
-  version: 0.2.57
-digest: sha256:9d3b2e53af0b40157727a7928095d92c355b08a0fa625dcf46a0cc695f78f905
-generated: "2024-09-29T17:20:25.569061877-04:00"
+  version: 0.2.59
+digest: sha256:bb907cdf05f1b8d94240217874b1497dd6456d212aa7df66d8424b3a5ca94d2b
+generated: "2024-10-31T15:31:00.446133788-04:00"
diff --git a/charts/fulcio/Chart.yaml b/charts/fulcio/Chart.yaml
@@ -5,7 +5,7 @@ description: |
 
 type: application
 
-version: 2.6.1
+version: 2.6.3
 appVersion: 1.6.4
 
 keywords:
@@ -19,7 +19,7 @@ maintainers:
 
 dependencies:
   - name: ctlog
-    version: 0.2.57
+    version: 0.2.59
     repository: https://sigstore.github.io/helm-charts
     condition: ctlog.enabled
 
@@ -29,4 +29,4 @@ annotations:
     - name: fulcio
       image: gcr.io/projectsigstore/fulcio:v1.6.4@sha256:4b2a0f0877095aa36898af70edd00568158f89e015f6bb7f02475660d0924f3b
     - name: createcerts
-      image: ghcr.io/sigstore/scaffolding/createcerts:v0.7.11@sha256:00fdcc2018c1a377eeabf840371711162fe50c31b57646bfda5ed9c0affdea9e
+      image: ghcr.io/sigstore/scaffolding/createcerts:v0.7.15@sha256:03a5725b8812a45570a1c6ed8e5df7dc2295904cd8603c7ed537d97af174d235
diff --git a/charts/fulcio/README.md b/charts/fulcio/README.md
@@ -2,7 +2,7 @@
 
 <!-- This README.md is generated. Please edit README.md.gotmpl -->
 
-![Version: 2.6.1](https://img.shields.io/badge/Version-2.6.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square)
+![Version: 2.6.3](https://img.shields.io/badge/Version-2.6.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square)
 
 Fulcio is a free code signing Certificate Authority, built to make short-lived certificates available to anyone.
 
@@ -71,7 +71,7 @@ helm uninstall [RELEASE_NAME]
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://sigstore.github.io/helm-charts | ctlog | 0.2.57 |
+| https://sigstore.github.io/helm-charts | ctlog | 0.2.59 |
 
 ## Values
 
@@ -85,7 +85,7 @@ helm uninstall [RELEASE_NAME]
 | createcerts.image.pullPolicy | string | `"IfNotPresent"` |  |
 | createcerts.image.registry | string | `"ghcr.io"` |  |
 | createcerts.image.repository | string | `"sigstore/scaffolding/createcerts"` |  |
-| createcerts.image.version | string | `"sha256:00fdcc2018c1a377eeabf840371711162fe50c31b57646bfda5ed9c0affdea9e"` |  |
+| createcerts.image.version | string | `"sha256:03a5725b8812a45570a1c6ed8e5df7dc2295904cd8603c7ed537d97af174d235"` |  |
 | createcerts.name | string | `"createcerts"` |  |
 | createcerts.nodeSelector | object | `{}` |  |
 | createcerts.replicaCount | int | `1` |  |

diff --git a/charts/fulcio/values.yaml b/charts/fulcio/values.yaml
@@ -123,8 +123,8 @@ createcerts:
     registry: ghcr.io
     repository: sigstore/scaffolding/createcerts
     pullPolicy: IfNotPresent
-    # v0.7.11
-    version: sha256:00fdcc2018c1a377eeabf840371711162fe50c31b57646bfda5ed9c0affdea9e
+    # v0.7.15
+    version: sha256:03a5725b8812a45570a1c6ed8e5df7dc2295904cd8603c7ed537d97af174d235
   ttlSecondsAfterFinished: 3600
   serviceAccount:
     create: true

diff --git a/charts/policy-controller/README.md b/charts/policy-controller/README.md
@@ -2,7 +2,7 @@
 
 <!-- This README.md is generated. Please edit README.md.gotmpl -->
 
-![Version: 0.7.0](https://img.shields.io/badge/Version-0.7.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.8.2](https://img.shields.io/badge/AppVersion-0.8.2-informational?style=flat-square)
+![Version: 0.7.2](https://img.shields.io/badge/Version-0.7.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.8.2](https://img.shields.io/badge/AppVersion-0.8.2-informational?style=flat-square)
 
 The Helm chart for Policy  Controller
 

diff --git a/charts/policy-controller/templates/webhook/deployment_webhook.yaml b/charts/policy-controller/templates/webhook/deployment_webhook.yaml
@@ -75,6 +75,7 @@ spec:
           value: "{{ $value }}"
 {{- end }}
 {{- end }}
+        {{- if or (semverCompare ">= 1.8-0" .Chart.AppVersion) .Values.webhook.extraArgs }}
         args:
         {{- if semverCompare ">= 1.8-0" .Chart.AppVersion }}
         - -webhook-name={{ required "A valid cosign.webhookName is required" .Values.cosign.webhookName }}
@@ -84,6 +85,7 @@ spec:
         {{- range $key, $value := .Values.webhook.extraArgs }}
         - -{{ $key }}={{ $value }}
         {{- end }}
+        {{- end }}
         ports:
         - containerPort: 8443
           name: https

diff --git a/charts/policy-controller/templates/webhook/poddisruptionbudget.yaml b/charts/policy-controller/templates/webhook/poddisruptionbudget.yaml
@@ -11,15 +11,17 @@ metadata:
     {{- toYaml . | nindent 4 }}
 {{- end }}
 {{- end }}
+  {{- with .Values.annotations }}
   annotations:
-{{- if .Values.annotations }}
-{{- with .Values.annotations }}
     {{- toYaml . | nindent 4 }}
-{{- end }}
-{{- end }}
+  {{- end }}
 spec:
+  {{- if .Values.webhook.podDisruptionBudget.minAvailable }}
   minAvailable: {{ .Values.webhook.podDisruptionBudget.minAvailable }}
+  {{- end }}
+  {{- if .Values.webhook.podDisruptionBudget.maxUnavailable }}
   maxUnavailable: {{ .Values.webhook.podDisruptionBudget.maxUnavailable }}
+  {{- end }}
   selector:
     matchLabels:
       {{- include "policy-controller.selectorLabels" . | nindent 6 }}

diff --git a/charts/policy-controller/templates/webhook/secret_certs_webhook.yaml b/charts/policy-controller/templates/webhook/secret_certs_webhook.yaml
@@ -1,16 +1,18 @@
 apiVersion: v1
 kind: Secret
 metadata:
+  {{- if or .Values.webhook.service.annotations .Values.commonAnnotations }}
   annotations:
     {{- if .Values.webhook.service.annotations }}
     {{ toYaml .Values.webhook.service.annotations | nindent 4 }}
     {{- end }}
     {{- if .Values.commonAnnotations }}
     {{- toYaml .Values.commonAnnotations | nindent 4 }}
     {{- end }}
+  {{- end }}
   labels:
     {{- include "policy-controller.labels" . | nindent 4 }}
     control-plane: {{ template "policy-controller.fullname" . }}-webhook
   name: webhook-certs
   namespace: {{ .Release.Namespace }}
-# The data is populated at install time.
+# The data is populated at install time.
diff --git a/charts/policy-controller/templates/webhook/service_webhook.yaml b/charts/policy-controller/templates/webhook/service_webhook.yaml
@@ -1,10 +1,10 @@
 apiVersion: v1
 kind: Service
 metadata:
+  {{- with .Values.webhook.service.annotations }}
   annotations:
-    {{- if .Values.webhook.service.annotations }}
-    {{ toYaml .Values.webhook.service.annotations | nindent 4 }}
-    {{- end }}
+     {{- toYaml . | nindent 4 }}
+  {{- end }}
   labels:
     {{- include "policy-controller.labels" . | nindent 4 }}
     control-plane: {{ template "policy-controller.fullname" . }}-webhook
@@ -27,10 +27,10 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
+  {{- with .Values.webhook.service.annotations }}
   annotations:
-    {{- if .Values.webhook.service.annotations }}
-    {{ toYaml .Values.webhook.service.annotations | nindent 4 }}
-    {{- end }}
+     {{- toYaml . | nindent 4 }}
+  {{- end }}
   labels:
     {{- include "policy-controller.labels" . | nindent 4 }}
     control-plane: {{ template "policy-controller.fullname" . }}-webhook

diff --git a/charts/rekor/Chart.yaml b/charts/rekor/Chart.yaml
@@ -4,7 +4,7 @@ description: Part of the sigstore project, Rekor is a timestamping server and tr
 
 type: application
 
-version: 1.5.1
+version: 1.5.2
 appVersion: 1.3.6
 
 keywords:
@@ -19,24 +19,24 @@ maintainers:
 
 dependencies:
   - name: trillian
-    version: 0.2.28
+    version: 0.2.29
     repository: https://sigstore.github.io/helm-charts
     condition: trillian.enabled
 
 annotations:
   artifacthub.io/license: Apache-2.0
   artifacthub.io/images: |
     - name: createtree
-      image: ghcr.io/sigstore/scaffolding/createtree:v0.7.11@sha256:4e3614df07561b096f1bfe1e1f79582b1545d6253bfad0f79235a1a1af74ef03
+      image: ghcr.io/sigstore/scaffolding/createtree:v0.7.15@sha256:ee42272373b46a898b21a0aea21cf703e90048e03f45a4640381b4a04735ffd8
     - name: curlimages/curl
       image: docker.io/curlimages/curl:8.10.1@sha256:d9b4541e214bcd85196d6e92e2753ac6d0ea699f0af5741f8c6cccbfcf00ef4b
     - name: rekor-server
       image: gcr.io/projectsigstore/rekor-server:v1.3.6@sha256:1237f29e2105d7f5451bbe15a3aca8677ddd1bb80620ca2fd06f74262437cf51
     - name: redis
-      image: docker.io/redis:6.2.14-alpine3.20@sha256:e3b17ba9479deec4b7d1eeec1548a253acc5374d68d3b27937fcfe4df8d18c7e
+      image: docker.io/redis:6.2.16-alpine3.20@sha256:2ba50e1ac3a0ea17b736ce9db2b0a9f6f8b85d4c27d5f5accc6a416d8f42c6d5
     - name: backfill-redis
       image: ghcr.io/sigstore/rekor/backfill-redis:v1.3.6@sha256:a13cd8b2a554d6116888fd1f383cf6e91fc1716df5eda392b82e6bfc66995ec3
     - name: scaffold_cloud_proxy
-      image: ghcr.io/sigstore/scaffolding/cloudsqlproxy:v0.7.11@sha256:16364cc06de704959576b23da26798850141ecae0f70510654764467cd9f47be
+      image: ghcr.io/sigstore/scaffolding/cloudsqlproxy:v0.7.15@sha256:862598dc2457fd246dc5363e0bd21462343c89e714dbd4159e49f119e8ff5ca5
     - name: cloud_proxy
-      image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.13.0-alpine@sha256:74680d0e49d44af5b6f994a6a29712866cb95d8851b1416676313d0cf567946b
+      image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.14.0-alpine@sha256:6dc1d9ea84ff43eaeaebe51bb52de9e24dce8d8affd2fda0dc0d218897456c12