adds optional cronJob to copySecretJob to avoid stale secrets. #792

Merged, 2 commits, Oct 25, 2024
2 changes: 1 addition & 1 deletion charts/scaffold/Chart.yaml
@@ -4,7 +4,7 @@ description: Scaffolding the components of the sigstore architecture

type: application

version: 0.6.61
version: 0.6.62
keywords:
- security
- pki
39 changes: 30 additions & 9 deletions charts/scaffold/README.md
@@ -2,7 +2,7 @@

<!-- This README.md is generated. Please edit README.md.gotmpl -->

![Version: 0.6.61](https://img.shields.io/badge/Version-0.6.61-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
![Version: 0.6.62](https://img.shields.io/badge/Version-0.6.62-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)

Scaffolding the components of the sigstore architecture

@@ -49,6 +49,11 @@ helm uninstall [RELEASE_NAME]
|-----|------|---------|-------------|
| copySecretJob.affinity | object | `{}` | |
| copySecretJob.backoffLimit | int | `6` | |
| copySecretJob.copySecretCronJob.backoffLimit | int | `2` | |
| copySecretJob.copySecretCronJob.enabled | bool | `false` | |
| copySecretJob.copySecretCronJob.failedJobsHistoryLimit | int | `1` | |
| copySecretJob.copySecretCronJob.schedule | string | `"*/5 * * * 1-5"` | |
| copySecretJob.copySecretCronJob.successfulJobsHistoryLimit | int | `1` | |
| copySecretJob.enabled | bool | `false` | |
| copySecretJob.imagePullPolicy | string | `"IfNotPresent"` | |
| copySecretJob.name | string | `"copy-secrets-job"` | |
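Review bot: the five new `copySecretJob.copySecretCronJob.*` rows have an empty description column; since this README is generated from `README.md.gotmpl`, the descriptions need to go in as comments on the keys in values.yaml so they render here. The one most worth documenting is the default `schedule` of `"*/5 * * * 1-5"`: it fires every five minutes on weekdays only, so a key or certificate rotated on a Saturday stays stale in the TUF secrets until Monday. If that is intended, say so in the description; otherwise `"*/5 * * * *"` is the safer default for a job whose purpose is to avoid stale secrets.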
@@ -91,6 +96,30 @@ helm uninstall [RELEASE_NAME]
| rekor.server.fullnameOverride | string | `"rekor-server"` | |
| rekor.tolerations | list | `[]` | |
| rekor.trillian.enabled | bool | `false` | |
| secrets.ctlog.create | bool | `false` | |
| secrets.ctlog.deploymentName | string | `"ctlog"` | |
| secrets.ctlog.key | string | `"public"` | |
| secrets.ctlog.name | string | `"ctlog-public-key"` | |
| secrets.ctlog.namespace | string | `"ctlog-system"` | |
| secrets.ctlog.path | string | `"ctfe.pub"` | |
| secrets.fulcio.create | bool | `false` | |
| secrets.fulcio.deploymentName | string | `"fulcio-server"` | |
| secrets.fulcio.key | string | `"cert"` | |
| secrets.fulcio.name | string | `"fulcio-server-secret"` | |
| secrets.fulcio.namespace | string | `"fulcio-system"` | |
| secrets.fulcio.path | string | `"fulcio_v1.crt.pem"` | |
| secrets.rekor.create | bool | `false` | |
| secrets.rekor.deploymentName | string | `"rekor-server"` | |
| secrets.rekor.key | string | `"key"` | |
| secrets.rekor.name | string | `"rekor-public-key"` | |
| secrets.rekor.namespace | string | `"rekor-system"` | |
| secrets.rekor.path | string | `"rekor.pub"` | |
| secrets.tsa.create | bool | `false` | |
| secrets.tsa.deploymentName | string | `"tsa-server"` | |
| secrets.tsa.key | string | `"cert-chain"` | |
| secrets.tsa.name | string | `"tsa-cert-chain"` | |
| secrets.tsa.namespace | string | `"tsa-system"` | |
| secrets.tsa.path | string | `"tsa.certchain.pem"` | |
| trillian.affinity | object | `{}` | |
| trillian.enabled | bool | `true` | |
| trillian.forceNamespace | string | `"trillian-system"` | |
@@ -121,14 +150,6 @@ helm uninstall [RELEASE_NAME]
| tuf.namespace.create | bool | `true` | |
| tuf.namespace.name | string | `"tuf-system"` | |
| tuf.nodeSelector | object | `{}` | |
| tuf.secrets.ctlog.name | string | `"ctlog-public-key"` | |
| tuf.secrets.ctlog.path | string | `"ctfe.pub"` | |
| tuf.secrets.fulcio.name | string | `"fulcio-server-secret"` | |
| tuf.secrets.fulcio.path | string | `"fulcio_v1.crt.pem"` | |
| tuf.secrets.rekor.name | string | `"rekor-public-key"` | |
| tuf.secrets.rekor.path | string | `"rekor.pub"` | |
| tuf.secrets.tsa.name | string | `"tsa-cert-chain"` | |
| tuf.secrets.tsa.path | string | `"tsa.certchain.pem"` | |
| tuf.tolerations | list | `[]` | |

----------------------------------------------
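Review bot: these two hunks of the regenerated table add `secrets.ctlog.*`, `secrets.fulcio.*`, `secrets.rekor.*` and `secrets.tsa.*` and drop every `tuf.secrets.*` row, yet the new `copy-secrets-cronjob.yaml` in this PR still reads `.Values.tuf.secrets.rekor.deploymentName`, `.Values.tuf.secrets.rekor.namespace` and `.Values.tuf.secrets.rekor.name` (and the same three keys for fulcio, ctlog and tsa). Please confirm that values.yaml still populates `tuf.secrets` (for example through a YAML anchor that the README generator does not list separately); if it does not, those template expressions render empty and the init containers and copy steps fail. If it does, the README should say that `tuf.secrets` mirrors `secrets`, because as rendered the documented keys and the keys the templates consume no longer match.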
1 change: 0 additions & 1 deletion charts/scaffold/templates/_helpers.tpl
@@ -8,4 +8,3 @@ Create the image path for the passed in image field
{{- printf "%s/%s:%s" .registry .repository .version -}}
{{- end -}}
{{- end -}}

6 changes: 3 additions & 3 deletions charts/scaffold/templates/clusterrole.yaml
@@ -6,8 +6,8 @@ metadata:
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "create", "patch"]
verbs: ["get", "create", "patch"{{- if .Values.copySecretJob.copySecretCronJob.enabled }}, "delete"{{- end }}]
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["get", "list"]
{{- end }}
verbs: ["get", "list"{{- if .Values.copySecretJob.copySecretCronJob.enabled }}, "update"{{- end }}]
{{- end }}
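Review bot: the added `"update"` verb on `deployments` does not match what the new CronJob's `rollout-restart-tuf` step does: `kubectl rollout restart` patches the deployment's pod template annotation, so the verb it needs is `patch`, and with only `get`, `list` and `update` the restart is denied by RBAC. Separately, this is a ClusterRole, so the conditional `"delete"` on `secrets` is granted in every namespace, while the only deletes in the CronJob are the `delete secret` calls for the fulcio and ctlog secrets in the TUF namespace. Either scope that grant with a namespaced Role bound in the TUF namespace, or drop the delete step in favour of a plain `kubectl apply` (which already updates an existing secret in place) and leave the secrets verb list as it was.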
108 changes: 108 additions & 0 deletions charts/scaffold/templates/copy-secrets-cronjob.yaml
@@ -0,0 +1,108 @@
{{- if and .Values.copySecretJob.enabled .Values.copySecretJob.copySecretCronJob.enabled }}
apiVersion: batch/v1
kind: CronJob
metadata:
{{ include "tuf.namespace" .Subcharts.tuf | indent 2 }}
name: {{ .Values.copySecretJob.name }}-scheduled
spec:
schedule: "{{ .Values.copySecretJob.copySecretCronJob.schedule }}"
successfulJobsHistoryLimit: {{ default 2 .Values.copySecretJob.copySecretCronJob.successfulJobsHistoryLimit }}
failedJobsHistoryLimit: {{ default 2 .Values.copySecretJob.copySecretCronJob.failedJobsHistoryLimit }}
jobTemplate:
spec:
backoffLimit: {{ default 6 .Values.copySecretJob.copySecretCronJob.backoffLimit }}
template:
spec:
restartPolicy: OnFailure
serviceAccountName: {{ .Values.copySecretJob.serviceaccount }}
initContainers:
- name: wait-for-rekor-deployment-readiness
image: {{ template "scaffold.image" .Values.copySecretJob }}
imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }}
command: ["/bin/sh"]
args: [
"-c",
"kubectl rollout status deployment {{ .Values.tuf.secrets.rekor.deploymentName }} --timeout=120s -n {{ .Values.tuf.secrets.rekor.namespace }}"
]
- name: wait-for-fulcio-deployment-readiness
image: {{ template "scaffold.image" .Values.copySecretJob }}
imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }}
command: ["/bin/sh"]
args: [
"-c",
"kubectl rollout status deployment {{ .Values.tuf.secrets.fulcio.deploymentName }} --timeout=120s -n {{ .Values.tuf.secrets.fulcio.namespace }}"
]
- name: wait-for-ctlog-deployment-readiness
image: {{ template "scaffold.image" .Values.copySecretJob }}
imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }}
command: ["/bin/sh"]
args: [
"-c",
"kubectl rollout status deployment {{ .Values.tuf.secrets.ctlog.deploymentName }} --timeout=120s -n {{ .Values.tuf.secrets.ctlog.namespace }}"
]
- name: wait-for-tsa-deployment-readiness
image: {{ template "scaffold.image" .Values.copySecretJob }}
imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }}
command: ["/bin/sh"]
args: [
"-c",
"kubectl rollout status deployment {{ .Values.tuf.secrets.tsa.deploymentName }} --timeout=120s -n {{ .Values.tuf.secrets.tsa.namespace }}"
]
containers:
- name: copy-rekor-secret
image: {{ template "scaffold.image" .Values.copySecretJob }}
imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }}
command: ["/bin/sh"]
args: [
"-c",
"curl {{ .Values.tuf.secrets.rekor.deploymentName}}.{{ .Values.tuf.secrets.rekor.namespace }}.svc.cluster.local/api/v1/log/publicKey -o /tmp/key -v && \
kubectl apply -f - <<EOF\napiVersion: v1\nkind: Secret\nmetadata:\n name: {{ .Values.tuf.secrets.rekor.name }}\n namespace: {{ include "tuf.rawnamespace" .Subcharts.tuf }}\ndata:\n key: $(cat /tmp/key | base64 -w 0)\nEOF\n"
]
- name: copy-fulcio-secret
image: {{ template "scaffold.image" .Values.copySecretJob }}
imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }}
command: ["/bin/sh"]
args: [
"-c",
"kubectl -n {{ include "tuf.rawnamespace" .Subcharts.tuf }} delete secret {{ .Values.tuf.secrets.fulcio.name }} --ignore-not-found && \
kubectl -n {{ .Values.tuf.secrets.fulcio.namespace }} get secrets {{ .Values.tuf.secrets.fulcio.name }} -oyaml | sed 's/namespace: .*/namespace: {{ include "tuf.rawnamespace" .Subcharts.tuf }}/' | kubectl apply -f -"
]
- name: copy-ctlog-secret
image: {{ template "scaffold.image" .Values.copySecretJob }}
imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }}
command: ["/bin/sh"]
args: [
"-c",
"kubectl -n {{ include "tuf.rawnamespace" .Subcharts.tuf }} delete secret {{ .Values.tuf.secrets.ctlog.name }} --ignore-not-found && \
kubectl -n {{ .Values.tuf.secrets.ctlog.namespace }} get secrets {{ .Values.tuf.secrets.ctlog.name }} -oyaml | sed 's/namespace: .*/namespace: {{ include "tuf.rawnamespace" .Subcharts.tuf }}/' | kubectl apply -f -"
]
- name: copy-tsa-secret
image: {{ template "scaffold.image" .Values.copySecretJob }}
imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }}
command: ["/bin/sh"]
args: [
"-c",
"curl {{ .Values.tuf.secrets.tsa.deploymentName}}.{{ .Values.tuf.secrets.tsa.namespace }}.svc.cluster.local/api/v1/timestamp/certchain -o /tmp/cert-chain -v && \
kubectl apply -f - <<EOF\napiVersion: v1\nkind: Secret\nmetadata:\n name: {{ .Values.tuf.secrets.tsa.name }}\n namespace: {{ include "tuf.rawnamespace" .Subcharts.tuf }}\ndata:\n cert-chain: $(cat /tmp/cert-chain | base64 -w 0)\nEOF\n"
]
- name: rollout-restart-tuf
image: {{ template "scaffold.image" .Values.copySecretJob }}
imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }}
command: ["/bin/sh"]
args: [
"-c",
"kubectl -n {{ include "tuf.rawnamespace" .Subcharts.tuf }} rollout restart deployment {{ .Values.tuf.fullnameOverride}}"
]
{{- if .Values.copySecretJob.nodeSelector }}
nodeSelector:
{{ toYaml .Values.copySecretJob.nodeSelector | indent 12 }}
{{- end }}
{{- if .Values.copySecretJob.tolerations }}
tolerations:
{{ toYaml .Values.copySecretJob.tolerations | indent 12 }}
{{- end }}
{{- if .Values.copySecretJob.affinity }}
affinity:
{{ toYaml .Values.copySecretJob.affinity | indent 12 }}
{{- end }}
{{- end }}
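Review bot: `copy-rekor-secret` and `copy-tsa-secret` run `curl ... -o /tmp/key -v && kubectl apply ...` without `--fail`, so an HTTP error response from the rekor or tsa service exits 0, its body is written to `/tmp/key` (or `/tmp/cert-chain`), and `$(cat /tmp/key | base64 -w 0)` then publishes that body to every TUF client as the log public key or timestamp certificate chain. Use `curl -fsS` so a bad fetch fails the job instead of poisoning the secret, and consider checking that the downloaded bytes parse as a PEM key or chain before applying. Three smaller points on the same hunk: `copy-fulcio-secret` and `copy-ctlog-secret` do `delete secret ... --ignore-not-found && ... | kubectl apply -f -`, which leaves a window with no secret on every run and is the only reason for the new `delete` RBAC verb; `kubectl apply` updates an existing secret in place, so the delete can go. The spec sets no `concurrencyPolicy`, so with the default `Allow` a slow run (each of the four init containers may wait up to 120s) can overlap the next run five minutes later and interleave the delete/apply/restart steps; `concurrencyPolicy: Forbid` is the right choice here. And `{{ default 2 ... successfulJobsHistoryLimit }}`, `{{ default 2 ... failedJobsHistoryLimit }}` and `{{ default 6 ... backoffLimit }}` treat `0` as unset, so a user cannot configure a history limit or backoff of 0; the README in this PR shows values.yaml already defines these keys (defaults 1, 1 and 2, which also disagree with the fallbacks), so the `default` wrappers should be removed.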
6 changes: 3 additions & 3 deletions charts/scaffold/templates/copy-secrets-job.yaml
@@ -3,9 +3,9 @@ apiVersion: batch/v1
kind: Job
metadata:
{{ include "tuf.namespace" .Subcharts.tuf | indent 2 }}
name: {{ .Values.copySecretJob.name }}
name: {{ .Values.copySecretJob.name }}{{- if not .Values.copySecretJob.copySecretCronJob.enabled }}{{- else }}-immediate{{- end }}
spec:
backoffLimit: {{ .Values.copySecretJob.backoffLimit }}
backoffLimit: {{ default 6 .Values.copySecretJob.backoffLimit }}
template:
spec:
restartPolicy: OnFailure
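Review bot: the new name expression `{{- if not .Values.copySecretJob.copySecretCronJob.enabled }}{{- else }}-immediate{{- end }}` has an empty `if` branch and reads backwards; `{{- if .Values.copySecretJob.copySecretCronJob.enabled }}-immediate{{- end }}` renders the same output. On the next changed line, `{{ default 6 .Values.copySecretJob.backoffLimit }}` replaces a direct reference with a `default` that treats `0` as unset, so `backoffLimit: 0` (fail fast, no retries) can no longer be configured; the README already documents this key with a default of 6, so the original `{{ .Values.copySecretJob.backoffLimit }}` was correct and should stay.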
@@ -90,4 +90,4 @@ spec:
affinity:
{{ toYaml .Values.copySecretJob.affinity | indent 8 }}
{{- end }}
{{- end }}
{{- end }}