From 0ec033588c98591c9ec3b907c4a3f67689a30621 Mon Sep 17 00:00:00 2001
From: hectorj2f
Date: Wed, 10 Nov 2021 11:38:59 +0100
Subject: [PATCH 1/2] feat: support secret key ref
Signed-off-by: hectorj2f
---
 charts/cosigned/README.md | 6 ++----
 charts/cosigned/templates/webhook/cosign_secret.yaml | 6 ++++--
 charts/cosigned/templates/webhook/deployment_webhook.yaml | 6 ++++++
 charts/cosigned/values.yaml | 3 +++
 4 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/charts/cosigned/README.md b/charts/cosigned/README.md
index c059d4c8..ff528c6c 100644
--- a/charts/cosigned/README.md
+++ b/charts/cosigned/README.md
@@ -18,9 +18,7 @@ The previous command generates two key files `cosign.key` and `cosign.pub`. Next
 kubectl create namespace cosign-system
 kubectl create secret generic mysecret -n \
-cosign-system --from-file=cosign.pub=./cosign.pub \
---from-file=cosign.key=./cosign.key \
---from-literal=cosign.password=$COSIGN_PASSWORD
+cosign-system --from-file=cosign.pub=./cosign.pub
 ```
 Install `cosigned` using Helm and setting the value of the secret key reference to `mysecret` that you created above:
@@ -30,7 +28,7 @@ helm repo add sigstore https://sigstore.github.io/helm-charts
 helm repo update
-helm install cosigned -n cosign-system sigstore/cosigned --devel --set webhook.secretKeyRef.name=mysecret
+helm install cosigned -n cosign-system sigstore/cosigned --devel --set cosign.secretKeyRef.name=mysecret
 ```
 ### Enabling Admission control
diff --git a/charts/cosigned/templates/webhook/cosign_secret.yaml b/charts/cosigned/templates/webhook/cosign_secret.yaml
index fcede41f..28ae53d9 100644
--- a/charts/cosigned/templates/webhook/cosign_secret.yaml
+++ b/charts/cosigned/templates/webhook/cosign_secret.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.cosign.cosignPub }}
 apiVersion: v1
 kind: Secret
 metadata:
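Review bot: Wrapping the Secret in `{{- if .Values.cosign.cosignPub }}` means nothing is rendered when `cosign.cosignPub` is empty, yet the Deployment template in this same patch still falls back to `-secret-name={{ template "cosigned.fullname" . }}-cosign-key` whenever `cosign.secretKeyRef.name` is unset, so a release with neither value set points the webhook at a Secret that is never created. A webhook that cannot find its verification key is a misconfiguration better caught at install time than discovered at admission time. Fail the render explicitly in that case, e.g. `{{- if not (or .Values.cosign.cosignPub (.Values.cosign.secretKeyRef | default dict).name) }}{{ fail "set cosign.cosignPub or cosign.secretKeyRef.name" }}{{- end }}` at the top of the Deployment template, or gate the fallback argument on the same `cosignPub` condition used here. The Secret's `metadata:`/`data:` body continues in the next hunk, outside this one.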
@@ -7,6 +8,7 @@ metadata:
 namespace: {{ .Release.Namespace }}
 type: Opaque
 data:
- cosign.key: {{ .Values.cosign.cosignKey}}
- cosign.password: {{ .Values.cosign.cosignPassword}}
+ cosign.key: {{ default "" .Values.cosign.cosignKey}}
+ cosign.password: {{ default "" .Values.cosign.cosignPassword}}
 cosign.pub: {{ .Values.cosign.cosignPub}}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/cosigned/templates/webhook/deployment_webhook.yaml b/charts/cosigned/templates/webhook/deployment_webhook.yaml
index 0f17c12a..fe6d9fc2 100644
--- a/charts/cosigned/templates/webhook/deployment_webhook.yaml
+++ b/charts/cosigned/templates/webhook/deployment_webhook.yaml
@@ -48,7 +48,13 @@ spec:
 {{- end }}
 {{- end }}
 args:
+ {{- if and .Values.cosign.secretKeyRef }}
+ {{- if .Values.cosign.secretKeyRef.name }}
+ - -secret-name="{{ .Values.cosign.secretKeyRef.name }}"
+ {{- end }}
+ {{- else }}
 - -secret-name={{ template "cosigned.fullname" . }}-cosign-key
+ {{- end }}
 {{- range $key, $value := .Values.webhook.extraArgs }}
 - -{{ $key }}={{ $value }}
 {{- end }}
diff --git a/charts/cosigned/values.yaml b/charts/cosigned/values.yaml
index 27f87f96..fe73f1aa 100644
--- a/charts/cosigned/values.yaml
+++ b/charts/cosigned/values.yaml
@@ -1,9 +1,12 @@
 cosign:
+ secretKeyRef:
+ name:
 # add the values in base64 encoded
 cosignKey:
 cosignPub:
 cosignPassword:
+
 webhook:
 name: webhook
 image:
From 118ff608021070ac5d0eb78b2b7672ac569a6881 Mon Sep 17 00:00:00 2001
From: hectorj2f
Date: Wed, 10 Nov 2021 12:07:50 +0100
Subject: [PATCH 2/2] chore: bump Chart version
Signed-off-by: hectorj2f
---
 charts/cosigned/Chart.yaml | 2 +-
 charts/cosigned/values.yaml | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/charts/cosigned/Chart.yaml b/charts/cosigned/Chart.yaml
index aa6b16cb..06ec8552 100644
--- a/charts/cosigned/Chart.yaml
+++ b/charts/cosigned/Chart.yaml
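Review bot: `{{ default "" .Values.cosign.cosignKey}}` renders an empty plain scalar when the key is unset, so the Secret ends up with `cosign.key:` (YAML null) rather than the empty string the `default ""` suggests, and the API server may treat a null `data` entry differently from `""`; pipe the values through `quote` so they are always strings, `cosign.key: {{ .Values.cosign.cosignKey | default "" | quote }}` and likewise for `cosign.password`. Since the README change in this patch now creates the referenced Secret with only `cosign.pub`, it would be cleaner still to omit the `cosign.key`/`cosign.password` entries entirely when unset (`{{- with .Values.cosign.cosignKey }}` … `{{- end }}`) instead of shipping empty private-key fields into the webhook's Secret, which only needs the public key to verify. The `{{- if` that opens this Secret is in the previous hunk, outside this one.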
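Review bot: `- -secret-name="{{ .Values.cosign.secretKeyRef.name }}"` puts the double quotes inside a plain YAML scalar, so the container receives the literal characters `-secret-name="mysecret"` and, unless the flag parser strips quotes, the webhook will look for a Secret whose name includes them; quote the whole item instead, `- "-secret-name={{ .Values.cosign.secretKeyRef.name }}"`. The outer `{{- if and .Values.cosign.secretKeyRef }}` is also true with the chart's own defaults, because the values.yaml hunk later in this patch defines `secretKeyRef` as a map holding a null `name`, and a non-empty map is truthy; the inner `if .name` then fails and no `-secret-name` argument is rendered at all, so the `else` branch pointing at the chart-managed Secret is unreachable by default. How the webhook behaves without `-secret-name` is not visible here, but silently losing its key reference is the kind of default that weakens the admission control this chart exists to provide. A single test on the name, guarded with `default dict` so a nil `secretKeyRef` does not abort the render, restores the fallback; `and` with one operand is a no-op and can go.

```yaml
      args:
        {{- if (.Values.cosign.secretKeyRef | default dict).name }}
        - "-secret-name={{ .Values.cosign.secretKeyRef.name }}"
        {{- else }}
        - -secret-name={{ template "cosigned.fullname" . }}-cosign-key
        {{- end }}
        # … unchanged: range over .Values.webhook.extraArgs …
```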
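Review bot: The new `secretKeyRef.name` value is undocumented and left bare, so it is YAML null and its intended type is not apparent to someone editing the file. Add a comment above it such as `# Name of an existing Secret in the release namespace that holds cosign.pub; when set, the webhook uses it instead of the chart-managed Secret` and write `name: ""` so the expected string type is explicit. Since only the public key is needed when an existing Secret is referenced (as the README change in this patch implies), a note that `cosignKey` and `cosignPassword` can stay unset in that case would discourage copying private-key material into values files.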
@@ -8,7 +8,7 @@ sources:
 type: application
 name: cosigned
-version: v0.1.0
+version: v0.1.1
 appVersion: v1.3.0
 maintainers:
diff --git a/charts/cosigned/values.yaml b/charts/cosigned/values.yaml
index fe73f1aa..37b8a5f8 100644
--- a/charts/cosigned/values.yaml
+++ b/charts/cosigned/values.yaml
@@ -6,7 +6,6 @@ cosign:
 cosignPub:
 cosignPassword:
-
 webhook:
 name: webhook
 image: