Added validation to ensure at least one secret is provided to TUF
Signed-off-by: Carlos Vega <[email protected]>
cvegagimenez committed Sep 29, 2024
1 parent 0bd3586 commit 46a4a82
Showing 8 changed files with 51 additions and 64 deletions.
62 changes: 45 additions & 17 deletions charts/tuf/templates/_helpers.tpl
Expand Up @@ -87,21 +87,49 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}

{{/*
Check number of TUF secrets
Check number of TUF secrets and render them as structured YAML.
*/}}
{{- define "tuf.enabledSecretsCount" -}}
{{- $count := 0 -}}
{{- if (eq .Values.secrets.rekor.enabled true) -}}
{{- $count = add $count 1 -}}
{{- end -}}
{{- if (eq .Values.secrets.fulcio.enabled true) -}}
{{- $count = add $count 1 -}}
{{- end -}}
{{- if (eq .Values.secrets.ctlog.enabled true) -}}
{{- $count = add $count 1 -}}
{{- end -}}
{{- if (eq .Values.secrets.tsa.enabled true) -}}
{{- $count = add $count 1 -}}
{{- end -}}
{{- $count -}}
{{- end -}}
{{- define "tuf.validateSecrets" }}
{{- if not (or .Values.secrets.rekor.enabled .Values.secrets.rekor.create
.Values.secrets.fulcio.enabled .Values.secrets.fulcio.create
.Values.secrets.ctlog.enabled .Values.secrets.ctlog.create
.Values.secrets.tsa.enabled .Values.secrets.tsa.create) -}}
{{- fail "At least one secret must be provided (enabled or created)." -}}
{{- else }}
{{- include "tuf.secretsList" . | nindent 8 }}
{{- end }}
{{- end }}

{{/*
Render TUF Secrets as structured YAML for the volume sources.
*/}}
{{- define "tuf.secretsList" -}}
{{- if or (.Values.secrets.ctlog.enabled) (.Values.secrets.ctlog.create) }}
- secret:
name: {{ .Values.secrets.ctlog.name }}
items:
- key: {{ .Values.secrets.ctlog.key }}
path: {{ .Values.secrets.ctlog.path }}
{{- end }}
{{- if or (.Values.secrets.fulcio.enabled) (.Values.secrets.fulcio.create) }}
- secret:
name: {{ .Values.secrets.fulcio.name }}
items:
- key: {{ .Values.secrets.fulcio.key }}
path: {{ .Values.secrets.fulcio.path }}
{{- end }}
{{- if or (.Values.secrets.rekor.enabled) (.Values.secrets.rekor.create) }}
- secret:
name: {{ .Values.secrets.rekor.name }}
items:
- key: {{ .Values.secrets.rekor.key }}
path: {{ .Values.secrets.rekor.path }}
{{- end }}
{{- if or (.Values.secrets.tsa.enabled) (.Values.secrets.tsa.create) }}
- secret:
name: {{ .Values.secrets.tsa.name }}
items:
- key: {{ .Values.secrets.tsa.key }}
path: {{ .Values.secrets.tsa.path }}
{{- end }}
{{- end }}
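Review bot: `tuf.validateSecrets` mixes validation with rendering and bakes the caller's indentation into the helper — the `include "tuf.secretsList" . | nindent 8` in its else branch only lines up with the `sources:` key of the projected volume in deployment.yaml (which includes it with no `nindent` of its own), so a second caller or a change in that file's nesting would silently produce mis-indented YAML. I would have the helper only fail: keep the `if not (or …)` / `fail` pair, drop the else branch, and at the call site write `{{- include "tuf.validateSecrets" . }}` followed by `{{- include "tuf.secretsList" . | nindent 8 }}` so the indentation lives where the YAML structure is. The header comment on line 22 now sits above `tuf.validateSecrets` but still describes the removed counting helper; `{{/* Fail the render unless at least one TUF secret is enabled or created. */}}` matches what the define does, with `tuf.secretsList` keeping its own header. The moved `name:`/`key:`/`path:` interpolations in `tuf.secretsList` remain unquoted, so a numeric-looking secret name or key in values would be retyped by the YAML parser; `{{ .Values.secrets.ctlog.name | quote }}` (and the same for the other entries) avoids that.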
33 changes: 2 additions & 31 deletions charts/tuf/templates/deployment.yaml
@@ -1,4 +1,3 @@
{{- if ne (include "tuf.enabledSecretsCount" .) "0" }}
apiVersion: apps/v1
kind: Deployment
metadata:
Expand Down Expand Up @@ -49,36 +48,8 @@ spec:
- name: tuf-secrets
projected:
sources:
{{- if or (.Values.secrets.ctlog.enabled) (.Values.secrets.ctlog.create) }}
- secret:
name: {{ .Values.secrets.ctlog.name }}
items:
- key: {{ .Values.secrets.ctlog.key }}
path: {{ .Values.secrets.ctlog.path }}
{{- end }}
{{- if or (.Values.secrets.fulcio.enabled) (.Values.secrets.fulcio.create) }}
- secret:
name: {{ .Values.secrets.fulcio.name }}
items:
- key: {{ .Values.secrets.fulcio.key }}
path: {{ .Values.secrets.fulcio.path }}
{{- end }}
{{- if or (.Values.secrets.rekor.enabled) (.Values.secrets.rekor.create) }}
- secret:
name: {{ .Values.secrets.rekor.name }}
items:
- key: {{ .Values.secrets.rekor.key }}
path: {{ .Values.secrets.rekor.path }}
{{- end }}
{{- if or (.Values.secrets.tsa.enabled) (.Values.secrets.tsa.create) }}
- secret:
name: {{ .Values.secrets.tsa.name }}
items:
- key: {{ .Values.secrets.tsa.key }}
path: {{ .Values.secrets.tsa.path }}
{{- end }}
{{- include "tuf.validateSecrets" . }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 8 }}
{{- end }}
{{- end }}
{{- end }}
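Review bot: The `{{- include "tuf.validateSecrets" . }}` placed under `sources:` gives no hint that the include both aborts the render and emits the list entries, so a reader of this template sees what looks like an empty `sources:` key. A one-line template comment above it, `{{/* Aborts the render when no TUF secret is enabled or created; otherwise emits the projected secret sources. */}}`, makes that contract visible at the call site. With the `enabledSecretsCount` guard removed from the other templates in this commit, this volume block appears to be the only place the chart now rejects a secret-less values file, which is fine as long as the Deployment is always rendered but is worth stating in the chart's documentation.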
2 changes: 0 additions & 2 deletions charts/tuf/templates/ingress.yaml
@@ -1,5 +1,4 @@
{{- if .Values.ingress.create }}
{{- if ne (include "tuf.enabledSecretsCount" .) "0" }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
Expand Down Expand Up @@ -34,5 +33,4 @@ spec:
secretName: {{ .secretName }}
{{- end }}
{{- end -}}
{{- end -}}
{{- end -}}
2 changes: 0 additions & 2 deletions charts/tuf/templates/namespace.yaml
@@ -1,8 +1,6 @@
{{- if .Values.namespace.create }}
{{- if ne (include "tuf.enabledSecretsCount" .) "0" }}
apiVersion: v1
kind: Namespace
metadata:
name: {{ .Values.namespace.name }}
{{- end }}
{{- end }}
4 changes: 1 addition & 3 deletions charts/tuf/templates/role.yaml
@@ -1,4 +1,3 @@
{{- if ne (include "tuf.enabledSecretsCount" .) "0" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
Expand All @@ -7,5 +6,4 @@ metadata:
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create", "get", "update"]
{{- end }}
verbs: ["create", "get", "update"]
4 changes: 1 addition & 3 deletions charts/tuf/templates/rolebinding.yaml
@@ -1,4 +1,3 @@
{{- if ne (include "tuf.enabledSecretsCount" .) "0" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
Expand All @@ -10,5 +9,4 @@ roleRef:
name: {{ .Values.roleName }}
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccountName }}
{{- end }}
name: {{ .Values.serviceAccountName }}
4 changes: 1 addition & 3 deletions charts/tuf/templates/service.yaml
@@ -1,4 +1,3 @@
{{- if ne (include "tuf.enabledSecretsCount" .) "0" }}
apiVersion: v1
kind: Service
metadata:
Expand All @@ -12,5 +11,4 @@ spec:
targetPort: {{ .Values.deployment.port }}
selector:
{{- include "tuf.matchLabels" . | nindent 4 }}
type: ClusterIP
{{- end }}
type: ClusterIP
4 changes: 1 addition & 3 deletions charts/tuf/templates/serviceaccount.yaml
@@ -1,7 +1,5 @@
{{- if ne (include "tuf.enabledSecretsCount" .) "0" }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.serviceAccountName }}
{{ include "tuf.namespace" . | indent 2 }}
{{- end }}
{{ include "tuf.namespace" . | indent 2 }}
