Tsa secret optional for tuf #744

Merged, 16 commits, Oct 14, 2024
Changes from 2 commits
2 changes: 1 addition & 1 deletion charts/tuf/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
name: tuf
description: A framework for securing software update systems - the scaffolding implementation
type: application
version: 0.1.12
version: 0.1.13
appVersion: "0.6.17"

home: https://sigstore.dev/
3 changes: 2 additions & 1 deletion charts/tuf/README.md
@@ -1,6 +1,6 @@
# tuf

![Version: 0.1.12](https://img.shields.io/badge/Version-0.1.12-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.6.17](https://img.shields.io/badge/AppVersion-0.6.17-informational?style=flat-square)
![Version: 0.1.13](https://img.shields.io/badge/Version-0.1.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.6.17](https://img.shields.io/badge/AppVersion-0.6.17-informational?style=flat-square)

A framework for securing software update systems - the scaffolding implementation

@@ -54,6 +54,7 @@ A framework for securing software update systems - the scaffolding implementatio
| secrets.rekor.name | string | `"rekor-public-key"` | |
| secrets.rekor.path | string | `"rekor.pub"` | |
| secrets.tsa.create | bool | `false` | |
| secrets.tsa.existingSecret | bool | `false` | |
Contributor

Why not make this `enabled` and set it to true? If `secrets.tsa.create` is true, a new secret will be created. Otherwise, `secrets.tsa.name` is the name of the existing secret.

Contributor Author

I implemented the changes. I thought it would be better to set `enabled` to false by default, since the charts are independent, but I could change it if you think it should be the other way.

Contributor

I like this approach a lot! It would be great if we could implement the same pattern across all of the secrets, though that probably requires a separate PR to avoid folding too much into this issue, unless you would want to rename the PR for that scope.

Contributor Author

As in the TSA case, I set the default value to false so that they stay independent.

Contributor Author

@sabre1041 Any news on this?

Contributor

@cvegagimenez syntactically this does work. However, in practice, for tuf to run properly, it will need at least one source of content (a secret) in order to start properly. Should we enforce that at least one secret is provided?

Also, would you be able to resolve the conflict in the README.md file?

Contributor Author

Done. I also added the same checks for the other TUF objects.

| secrets.tsa.key | string | `"cert-chain"` | |
| secrets.tsa.name | string | `"tsa-cert-chain"` | |
| secrets.tsa.path | string | `"tsa.certchain.pem"` | |
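Review bot: the new `secrets.tsa.existingSecret` row leaves the description column empty, so a reader of this table cannot tell how it differs from `secrets.tsa.create` one row above, nor that the TSA certificate chain is no longer mounted at all when both are `false`. Suggest filling the description in, along the lines of "Mount the pre-existing Secret named by secrets.tsa.name instead of creating one", and adding the same note to the `secrets.tsa.create` row so the pair reads as alternatives.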
2 changes: 2 additions & 0 deletions charts/tuf/templates/deployment.yaml
@@ -63,11 +63,13 @@ spec:
items:
- key: {{ .Values.secrets.rekor.key }}
path: {{ .Values.secrets.rekor.path }}
{{- if or (.Values.secrets.tsa.existingSecret) (.Values.secrets.tsa.create) }}
- secret:
name: {{ .Values.secrets.tsa.name }}
items:
- key: {{ .Values.secrets.tsa.key }}
path: {{ .Values.secrets.tsa.path }}
{{- end }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 8 }}
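Review bot: with the defaults this PR ships (`create: false`, `existingSecret: false`) the `or` guard is false, so the `- secret:` projection that this template previously emitted unconditionally is now dropped on a default install and the TUF root is initialised without `tsa.certchain.pem`. That is a silent behaviour change for anyone upgrading from chart 0.1.12 who already has a `tsa-cert-chain` Secret in the namespace; either default `existingSecret` to `true` to preserve the old behaviour or call the change out in the README. Minor style point: the parentheses in `{{- if or (.Values.secrets.tsa.existingSecret) (.Values.secrets.tsa.create) }}` are unnecessary in a Go template; `{{- if or .Values.secrets.tsa.existingSecret .Values.secrets.tsa.create }}` reads cleaner.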
6 changes: 6 additions & 0 deletions charts/tuf/values.schema.json
@@ -218,6 +218,12 @@
false
]
},
"existingSecret": {
"type": "boolean",
"examples": [
false
]
},
"name": {
"type": "string",
"examples": [
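Review bot: `existingSecret` is declared with only `type` and `examples`, mirroring the `create` entry above it, so the schema says nothing about what the flag does, carries no `default`, and cannot express that `name`, `key` and `path` only matter when one of the two flags is true. Add a `description` and `"default": false` here; the "at least one content source" check raised in the thread spans several top-level keys and belongs in a template `fail` rather than in this per-property schema.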
1 change: 1 addition & 0 deletions charts/tuf/values.yaml
@@ -34,6 +34,7 @@ secrets:
path: ctfe.pub
tsa:
create: false
existingSecret: false
name: tsa-cert-chain
key: cert-chain
path: tsa.certchain.pem
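Review bot: `existingSecret: false` is added with no comment, and nothing in this file tells a user that `name`, `key` and `path` are ignored unless `create` or `existingSecret` is set, or that leaving both false means the TSA chain is not part of the TUF root. A short comment above `create:` stating that one of the two must be enabled to mount the chain would save a trip to the templates.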