
Tsa secret optional for tuf #744

Open · wants to merge 14 commits into base: main

Conversation

cvegagimenez

@cvegagimenez cvegagimenez commented Apr 22, 2024

Description of the change

Make the TSA secret reference optional for TUF chart.

Existing or Associated Issue(s)

#735

Additional Information

Checklist

  • Chart version bumped in Chart.yaml according to semver. Where applicable, update and bump the versions in any associated umbrella chart
  • Variables are documented in the values.yaml and added to the README.md. The helm-docs utility can be used to generate the necessary content. Use helm-docs --dry-run to preview the content.
  • JSON Schema generated.
  • Lint tests pass for Chart using the Chart Testing tool and the ct lint command.

------------------------------------------------------------------------------------------------------------------------
 Charts to be processed:
------------------------------------------------------------------------------------------------------------------------
 tuf => (version: "0.1.13", path: "charts/tuf")
------------------------------------------------------------------------------------------------------------------------

"sigstore" already exists with the same configuration, skipping
Linting chart "tuf => (version: \"0.1.13\", path: \"charts/tuf\")"
Checking chart "tuf => (version: \"0.1.13\", path: \"charts/tuf\")" for a version bump...
Old chart version: 0.1.12
New chart version: 0.1.13
Chart version ok.
Validating ~/Workspace/helm-charts/charts/tuf/Chart.yaml...
Validation success! 👍

Linting chart with values file "charts/tuf/ci/ci-values.yaml"...

==> Linting charts/tuf
[INFO] Chart.yaml: icon is recommended

1 chart(s) linted, 0 chart(s) failed

------------------------------------------------------------------------------------------------------------------------
 ✔︎ tuf => (version: "0.1.13", path: "charts/tuf")
------------------------------------------------------------------------------------------------------------------------
All charts linted successfully

@@ -54,6 +54,7 @@ A framework for securing software update systems - the scaffolding implementatio
| secrets.rekor.name | string | `"rekor-public-key"` | |
| secrets.rekor.path | string | `"rekor.pub"` | |
| secrets.tsa.create | bool | `false` | |
| secrets.tsa.existingSecret | bool | `false` | |
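Review bot: the description column is empty for the new `secrets.tsa.existingSecret` row (and for the neighbouring `secrets.tsa.create`, `secrets.rekor.name` and `secrets.rekor.path` rows), so the helm-docs output gives a user no indication of how `existingSecret` relates to `secrets.tsa.create`; add `# --` description comments above these keys in values.yaml so the generated table states which flag makes the chart create the Secret and when `secrets.tsa.name` must point at one that already exists. The name `existingSecret` also reads as a secret reference, yet its type here is `bool`; a flag name that says what it toggles avoids that ambiguity.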
Contributor

Why not make this enabled and set it as true? If secrets.tsa.create is true, a new secret will be created. Otherwise, secrets.tsa.name is the name of the existing secret.

Author

I implemented the changes. I thought it would be better to set enabled to false by default since the charts are independent, but I can change it if you think it should be the other way.

Contributor

I like this approach a lot! It would be great if we can implement the same pattern across all of the secrets. Though that probably requires a separate PR to avoid encompassing too much in this issue, unless you would want to rename the PR for that scope.

Author

As in the TSA case, I set the default value to false to be independent.

Author

@sabre1041 Any news on this?

Contributor

@cvegagimenez syntactically this does work. However, in practice, for tuf to run properly, it will need at least one source of content (a secret) in order to start properly. Should we enforce that at least one secret is provided?

Also, would you be able to resolve the conflict in the README.md file?

Author

Done. I also added the same checks for the other TUF objects.

Contributor

@sabre1041 sabre1041 left a comment

@cvegagimenez instead of omitting content when no secrets have been provided, an error should be thrown to ensure that the user provides at least one secret.

@sabre1041 (Contributor)

@cvegagimenez This looks good. However, while thinking it through, in practice enabled should by default be true, as it aligns with the current functionality of the chart. By setting it to false, it would be a breaking change for anyone currently leveraging it.

The goal of this PR is to provide a way to opt out of providing secrets, but in practice this has now introduced the functionality where you have to opt in to achieve the current functionality. A simple swap of the default values and we should be good to integrate this change.
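The secret-handling pattern discussed in this thread (enabled defaulting to true so existing installs keep working, create choosing between a chart-managed Secret and a pre-existing one referenced by name, and a hard failure at render time when no secret source is enabled at all), as an added illustrative example; it is not the tuf chart's own templates. The keys secrets.tsa.create, secrets.tsa.name, secrets.tsa.path and secrets.rekor.name/path appear in the thread and diff; the enabled and content keys, the tuf.validateSecrets helper name and the file layout are assumptions.

```yaml
# ---- values.yaml (example; key layout assumed, not the chart's own file) ----
secrets:
  tsa:
    enabled: true            # true by default: no behaviour change for current users
    create: false            # true -> the chart creates the Secret from `content`
    name: tsa-public-key     # Secret to create, or the existing Secret to mount
    path: tsa.pub            # key inside the Secret and file name inside the pod
    content: ""              # PEM text, only consulted when create is true
  rekor:
    enabled: true
    create: false
    name: rekor-public-key
    path: rekor.pub
    content: ""

# ---- templates/_helpers.tpl (example helper; name assumed) ----
{{/*
Abort rendering unless at least one secret source is enabled:
tuf needs at least one piece of content in order to start at all.
*/}}
{{- define "tuf.validateSecrets" -}}
{{- $any := false -}}
{{- range $name, $s := .Values.secrets -}}
{{- if $s.enabled }}{{- $any = true -}}{{- end -}}
{{- end -}}
{{- if not $any -}}
{{- fail "at least one secrets.<name>.enabled must be true: tuf cannot start with no content" -}}
{{- end -}}
{{- end -}}

# ---- templates/secrets.yaml (example) ----
{{- include "tuf.validateSecrets" . -}}
{{- range $name, $s := .Values.secrets }}
{{- if and $s.enabled $s.create }}
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ $s.name | quote }}
type: Opaque
data:
  # `required` turns a forgotten content value into a clear render-time error
  {{ $s.path }}: {{ required (printf "secrets.%s.content is required when create is true" $name) $s.content | b64enc }}
{{- end }}
{{- end }}

# ---- templates/deployment.yaml, volumes section (example) ----
      volumes:
        {{- range $name, $s := .Values.secrets }}
        {{- if $s.enabled }}
        - name: {{ $name }}
          secret:
            secretName: {{ $s.name | quote }}   # chart-created or pre-existing
            items:
              - key: {{ $s.path | quote }}
                path: {{ $s.path | quote }}
        {{- end }}
        {{- end }}
```

With both enabled flags left at their defaults the chart renders the same volumes as before, so existing users are unaffected. Setting secrets.tsa.enabled=false and secrets.rekor.enabled=false makes helm template and helm install stop at render time with the message passed to fail, instead of producing a Deployment that tuf cannot start from; setting create: true without content fails in the same way through required, so a misconfiguration never reaches the cluster as an empty Secret.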

sabre1041 previously approved these changes Sep 30, 2024
Contributor

@sabre1041 sabre1041 left a comment

LGTM

Member

@cpanato cpanato left a comment

thanks

Need to check the helm-docs job; I think the README needs to be updated as well, plus some small nits.

affinity:
{{ toYaml .Values.deployment.affinity | indent 8 }}
{{- end }}
{{- end }}
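Review bot: the file ends at the final `{{- end }}` without a trailing newline (the nit raised below); add one so lint and helm-docs diffs stay clean. Separately, `{{ toYaml .Values.deployment.affinity | indent 8 }}` on its own line relies on that template line starting at column 0, because `indent` pads every line including the first; `affinity: {{- toYaml .Values.deployment.affinity | nindent 8 }}` is the more robust idiom and renders identically.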
Member

nit: new line

@@ -33,4 +33,4 @@ spec:
secretName: {{ .secretName }}
{{- end }}
{{- end -}}
{{- end -}}
{{- end -}}
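Review bot: the closers mix `{{- end }}` and `{{- end -}}`; the `-}}` form trims the whitespace after it, including the file's final newline, so the rendered manifest ends without one (the nit raised below). Use `{{- end }}` consistently and keep a trailing newline. `secretName: {{ .secretName }}` is also emitted unquoted; rendering it as `{{ .secretName | quote }}` guarantees the name reaches the API server as a string whatever characters the value contains.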
Member

nit: new line

path: {{ .Values.secrets.tsa.path }}
{{- end }}
{{- end }}
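Review bot: same trailing-newline nit after the last `{{- end }}`. In addition, `path: {{ .Values.secrets.tsa.path }}` is emitted unquoted, so a value such as `1.0` or `on` would be read by the YAML parser as a number or boolean rather than a file name; render it as `{{ .Values.secrets.tsa.path | quote }}`.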
Member

nit: new line

Signed-off-by: Carlos Vega <[email protected]>
3 participants