-
Notifications
You must be signed in to change notification settings - Fork 93
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Tsa secret optional for tuf #744
base: main
Are you sure you want to change the base?
Tsa secret optional for tuf #744
Conversation
Signed-off-by: Carlos Vega <[email protected]>
Signed-off-by: Carlos Vega <[email protected]>
charts/tuf/README.md
Outdated
@@ -54,6 +54,7 @@ A framework for securing software update systems - the scaffolding implementatio | |||
| secrets.rekor.name | string | `"rekor-public-key"` | | | |||
| secrets.rekor.path | string | `"rekor.pub"` | | | |||
| secrets.tsa.create | bool | `false` | | | |||
| secrets.tsa.existingSecret | bool | `false` | | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why not make this enabled
and set as true
. If secrets.tsa.create
is true
, a new secret will be created. Otherwise, secrets.tsa.name
is the name of the existing secret
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I implemented the changes. I thought it would be better to set it as enabled
as false
by default since the Charts are independent, but I could change it if you consider the other way.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like this approach a lot! It would be great if we can implement the same pattern across all of the secrets. Though that probably requires a separate PR to avoid encompassing too much into this issue. Unless you would want to rename the PR for that scope
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As the TSA case, I set the default value to false
to be independent.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@sabre1041 Any news on this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@cvegagimenez syntactically this does work. However, in practice, for tuf to run properly, it will need at least one source of content (a secret) in order to start properly. Should we enforce that at least one secret is provided?
Also, would you be able to resolve the conflict in the README.md
file?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done. I also added the same checks for the other TUF objects.
Signed-off-by: Carlos Vega <[email protected]>
Signed-off-by: Carlos Vega <[email protected]>
Signed-off-by: Carlos Vega <[email protected]>
Signed-off-by: Carlos Vega <[email protected]>
Signed-off-by: Carlos Vega <[email protected]>
Signed-off-by: Carlos Vega <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@cvegagimenez instead of omitting content when no secrets have been provided, an error should be thrown to ensure that the user provides at least one secret
Signed-off-by: Carlos Vega <[email protected]>
69e91b6
to
46a4a82
Compare
@cvegagimenez This looks good., However, while thinking it through in practice The goal of this PR is to provide a way to opt out of providing secrets a, but in practice, this has now introduced the functionality where you have to opt in to achieve the current functionality. A simple swap of the default values as we should be good to integrate this change. |
Signed-off-by: Carlos Vega <[email protected]>
Signed-off-by: Carlos Vega <[email protected]>
6ce1d8b
to
91c9839
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks
need to check the helm docs job i think need to update the readme as well and some small nits
charts/tuf/templates/deployment.yaml
Outdated
affinity: | ||
{{ toYaml .Values.deployment.affinity | indent 8 }} | ||
{{- end }} | ||
{{- end }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: new line
charts/tuf/templates/ingress.yaml
Outdated
@@ -33,4 +33,4 @@ spec: | |||
secretName: {{ .secretName }} | |||
{{- end }} | |||
{{- end -}} | |||
{{- end -}} | |||
{{- end -}} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: new line
charts/tuf/templates/_helpers.tpl
Outdated
path: {{ .Values.secrets.tsa.path }} | ||
{{- end }} | ||
{{- end }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: new line
Signed-off-by: Carlos Vega <[email protected]>
23368d7
to
c716603
Compare
Signed-off-by: Carlos Vega <[email protected]>
029239c
to
e8c7d53
Compare
Signed-off-by: Carlos Vega <[email protected]>
Description of the change
Make the TSA secret reference optional for TUF chart.
Existing or Associated Issue(s)
#735
Additional Information
Checklist
Chart.yaml
according to semver. Where applicable, update and bump the versions in any associated umbrella chartvalues.yaml
and added to the README.md. The helm-docs utility can be used to generate the necessary content. Usehelm-docs --dry-run
to preview the content.ct lint
command.