Add support for search_index params in rekor chart

Follow the pattern used by trillian, which can either manage its own database container or connect to a GCP SQL instance. If a container is created, the trillian mysql image is reused for convenience. Signed-off-by: Colleen Murphy <[email protected]>
sigstore · May 6, 2024 · b745d98 · b745d98
1 parent a9557ed
commit b745d98
Show file tree

Hide file tree

Showing 11 changed files with 1,222 additions and 6 deletions.
diff --git a/charts/rekor/Chart.yaml b/charts/rekor/Chart.yaml
@@ -4,7 +4,7 @@ description: Part of the sigstore project, Rekor is a timestamping server and tr
 
 type: application
 
-version: 1.3.21
+version: 1.4.0
 appVersion: 1.3.6
 
 keywords:

diff --git a/charts/rekor/README.md b/charts/rekor/README.md
@@ -1,6 +1,6 @@
 # rekor
 
-![Version: 1.3.21](https://img.shields.io/badge/Version-1.3.21-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.6](https://img.shields.io/badge/AppVersion-1.3.6-informational?style=flat-square)
+![Version: 1.4.0](https://img.shields.io/badge/Version-1.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.6](https://img.shields.io/badge/AppVersion-1.3.6-informational?style=flat-square)
 
 Part of the sigstore project, Rekor is a timestamping server and transparency log for storing signatures, as well as an API based server for validation
 
@@ -59,6 +59,37 @@ Part of the sigstore project, Rekor is a timestamping server and transparency lo
 | initContainerImage.curl.registry | string | `"docker.io"` |  |
 | initContainerImage.curl.repository | string | `"curlimages/curl"` |  |
 | initContainerImage.curl.version | string | `"sha256:4bfa3e2c0164fb103fb9bfd4dc956facce32b6c5d47cc09fcec883ce9535d5ac"` | 8.5.0 |
+| mysql.enabled | bool | `false` |  |
+| mysql.gcp.cloudsql.registry | string | `"gcr.io"` |  |
+| mysql.gcp.cloudsql.repository | string | `"cloud-sql-connectors/cloud-sql-proxy:2.9.0-alpine"` |  |
+| mysql.gcp.cloudsql.resources.requests.cpu | string | `"1"` |  |
+| mysql.gcp.cloudsql.resources.requests.memory | string | `"2Gi"` |  |
+| mysql.gcp.cloudsql.securityContext.allowPrivilegeEscalation | bool | `false` |  |
+| mysql.gcp.cloudsql.securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| mysql.gcp.cloudsql.securityContext.readOnlyRootFilesystem | bool | `true` |  |
+| mysql.gcp.cloudsql.securityContext.runAsNonRoot | bool | `true` |  |
+| mysql.gcp.cloudsql.unixDomainSocket.enabled | bool | `false` |  |
+| mysql.gcp.cloudsql.unixDomainSocket.path | string | `"/cloudsql"` |  |
+| mysql.gcp.cloudsql.version | string | `"sha256:40a7b65ad15ce73666ddf8f79a7651b59477688c27e22fd47aa59bb9b39757d9"` | crane digest gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.9.0-alpine |
+| mysql.gcp.enabled | bool | `false` |  |
+| mysql.gcp.instance | string | `""` |  |
+| mysql.gcp.scaffoldSQLProxy.registry | string | `"ghcr.io"` |  |
+| mysql.gcp.scaffoldSQLProxy.repository | string | `"sigstore/scaffolding/cloudsqlproxy"` |  |
+| mysql.gcp.scaffoldSQLProxy.resources.requests.cpu | string | `"1"` |  |
+| mysql.gcp.scaffoldSQLProxy.resources.requests.memory | string | `"2Gi"` |  |
+| mysql.gcp.scaffoldSQLProxy.securityContext.allowPrivilegeEscalation | bool | `false` |  |
+| mysql.gcp.scaffoldSQLProxy.securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| mysql.gcp.scaffoldSQLProxy.securityContext.readOnlyRootFilesystem | bool | `true` |  |
+| mysql.gcp.scaffoldSQLProxy.securityContext.runAsNonRoot | bool | `true` |  |
+| mysql.gcp.scaffoldSQLProxy.version | string | `"sha256:7cf71a5173283a5102e4765a829205007dd171511d6f8715f45b7179411ea2e2"` | v0.6.17 which is based on cloud-sql-proxy:2.9.0-alpine |
+| mysql.hostname | string | `""` |  |
+| mysql.image.pullPolicy | string | `"IfNotPresent"` |  |
+| mysql.image.registry | string | `"gcr.io"` |  |
+| mysql.image.repository | string | `"trillian-opensource-ci/db_server"` |  |
+| mysql.name | string | `"mysql"` |  |
+| mysql.port | int | `3306` |  |
+| mysql.replicaCount | int | `1` |  |
+| mysql.strategy.type | string | `"Recreate"` |  |
 | namespace.create | bool | `false` |  |
 | namespace.name | string | `"rekor-system"` |  |
 | redis.args[0] | string | `"--bind"` |  |
@@ -151,6 +182,8 @@ Part of the sigstore project, Rekor is a timestamping server and transparency lo
 | server.replicaCount | int | `1` |  |
 | server.resources | object | `{}` |  |
 | server.retrieve_api.enabled | bool | `true` |  |
+| server.searchIndex.mysql | object | `{}` |  |
+| server.searchIndex.storageProvider | string | `""` |  |
 | server.securityContext.runAsNonRoot | bool | `true` |  |
 | server.securityContext.runAsUser | int | `65533` |  |
 | server.service.ports[0].name | string | `"3000-tcp"` |  |

diff --git a/charts/rekor/templates/_helpers.tpl b/charts/rekor/templates/_helpers.tpl
@@ -100,22 +100,46 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- end -}}
 
 {{/*
-Create a fully qualified Mysql name.
+Create a fully qualified mysql name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 */}}
 {{- define "rekor.mysql.fullname" -}}
-{{- if .Values.mysql.fullnameOverride -}}
+{{- if (.Values.mysql).fullnameOverride -}}
 {{- .Values.mysql.fullnameOverride | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
 {{- $name := default .Chart.Name .Values.nameOverride -}}
 {{- if contains $name .Release.Name -}}
-{{- printf "%s-%s" .Release.Name .Values.mysql.name | trunc 63 | trimSuffix "-" -}}
+{{- printf "%s-%s" .Release.Name (default "mysql" (.Values.mysql).name) | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
-{{- printf "%s-%s-%s" .Release.Name $name .Values.mysql.name | trunc 63 | trimSuffix "-" -}}
+{{- printf "%s-%s-%s" .Release.Name $name (default "mysql" (.Values.mysql).name) | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}
 
+{{/*
+Return the hostname for mysql
+*/}}
+{{- define "mysql.hostname" -}}
+{{- default (include "rekor.mysql.fullname" .) (.Values.mysql).hostname }}
+{{- end -}}
+
+{{/*
+Return the database for mysql
+*/}}
+{{- define "mysql.database" -}}
+{{- default (include "rekor.fullname" .) (.Values.mysql).database }}
+{{- end -}}
+
+{{/*
+Return the secret with mysql credentials
+*/}}
+{{- define "mysql.secretName" -}}
+    {{- if ((.Values.mysql).auth).existingSecret -}}
+        {{- printf "%s" .Values.mysql.auth.existingSecret -}}
+    {{- else -}}
+        {{- printf "%s" (include "rekor.mysql.fullname" .) -}}
+    {{- end -}}
+{{- end -}}
 
 {{/*
 Define the rekor.namespace template if set with forceNamespace or .Release.Namespace is set
@@ -320,6 +344,28 @@ Server Arguments
 - {{ printf "--trillian_log_server.sharding_config=%s/%s" .Values.server.sharding.mountPath .Values.server.sharding.filename | quote }}
 - {{ printf "--redis_server.address=%s" (include "redis.hostname" .) | quote }}
 - {{ printf "--redis_server.port=%d" (.Values.redis.port | int) | quote }}
+{{- if (.Values.server.searchIndex).storageProvider }}
+- {{ printf "--search_index.storage_provider=%s" (.Values.server.searchIndex.storageProvider) | quote }}
+{{- end }}
+{{- if eq (.Values.server.searchIndex).storageProvider "mysql" }}
+{{- if and (.Values.mysql.gcp.enabled) (.Values.mysql.gcp.cloudsql.unixDomainSocket.enabled) }}
+- {{ printf "--search_index.mysql.dsn=$(MYSQL_USER):$(MYSQL_PASSWORD)@unix(%s/%s)/$(MYSQL_DATABASE)?parseTime=true" .Values.mysql.gcp.cloudsql.unixDomainSocket.path .Values.mysql.gcp.instance | quote }}
+{{- else }}
+- "--search_index.mysql.dsn=$(MYSQL_USER):$(MYSQL_PASSWORD)@tcp($(MYSQL_HOSTNAME):$(MYSQL_PORT))/$(MYSQL_DATABASE)"
+{{- end }}
+{{- end }}
+{{- if ((.Values.server.searchIndex).mysql).connMaxIdletime }}
+- {{ printf "--search_index.mysql.conn_max_idletime=%s" (.Values.server.searchIndex.mysql.connMaxIdletime) | quote }}
+{{- end }}
+{{- if ((.Values.server.searchIndex).mysql).connMaxLifetime }}
+- {{ printf "--search_index.mysql.conn_max_lifetime=%s" (.Values.server.searchIndex.mysql.connMaxLifetime) | quote }}
+{{- end }}
+{{- if ((.Values.server.searchIndex).mysql).maxOpenConnections }}
+- {{ printf "--search_index.mysql.max_open_connections=%d" (.Values.server.searchIndex.mysql.maxOpenConnections | int) | quote }}
+{{- end }}
+{{- if ((.Values.server.searchIndex).mysql).maxIdleConnections }}
+- {{ printf "--search_index.mysql.max_idle_connections=%d" (.Values.server.searchIndex.mysql.maxIdleConnections | int) | quote }}
+{{- end }}
 - "--rekor_server.address=0.0.0.0"
 - {{ printf "--rekor_server.signer=%s" (.Values.server.signer) | quote }}
 {{- if .Values.server.retrieve_api.enabled }}
@@ -407,3 +453,32 @@ Create the name of the sharding config
 {{- define "rekor.sharding-config" -}}
 {{ printf "%s-sharding-config" (include "rekor.fullname" .) }}
 {{- end }}
+
+{{/*
+Place default environment credentials setup
+*/}}
+{{- define "searchIndex.mysql.envCredentials" -}}
+{{- if ((.Values.server.searchIndex).mysql).envCredentials }}
+{{ toYaml .Values.server.searchIndex.mysql.envCredentials }}
+{{- else }}
+- name: MYSQL_USER
+  valueFrom:
+    secretKeyRef:
+        name: {{ template "mysql.secretName" . }}
+        key: mysql-user
+- name: MYSQL_PASSWORD
+  valueFrom:
+    secretKeyRef:
+        name: {{ template "mysql.secretName" . }}
+        key: mysql-password
+- name: MYSQL_DATABASE
+  valueFrom:
+    secretKeyRef:
+        name: {{ template "mysql.secretName" . }}
+        key: mysql-database
+- name: MYSQL_HOSTNAME
+  value: {{ template "mysql.hostname" . }}
+- name: MYSQL_PORT
+  value: {{ default "3306" (.Values.mysql).port | quote }}
+{{- end }}
+{{- end }}
diff --git a/charts/rekor/templates/mysql/deployment.yaml b/charts/rekor/templates/mysql/deployment.yaml
@@ -0,0 +1,136 @@
+{{- if (.Values.mysql).enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+{{- if (.Values.mysql).deploymentAnnotations }}
+  annotations:
+    {{ toYaml (.Values.mysql).deploymentAnnotations | nindent 4 }}
+{{- end }}
+  labels:
+    {{- include "rekor.mysql.labels" . | nindent 4 }}
+  name: {{ template "rekor.mysql.fullname" . }}
+{{ include "rekor.namespace" . | indent 2 }}
+spec:
+  selector:
+    {{- if .Values.schedulerName }}
+    schedulerName: "{{ .Values.schedulerName }}"
+    {{- end }}
+    matchLabels:
+      {{- include "rekor.mysql.matchLabels" . | nindent 6 }}
+  replicas: {{ (.Values.mysql).replicaCount }}
+  {{- if (.Values.mysql).strategy }}
+  strategy:
+{{ toYaml (.Values.mysql).strategy | trim | indent 4 }}
+    {{ if eq (.Values.mysql).strategy.type "Recreate" }}rollingUpdate: null{{ end }}
+{{- end }}
+  template:
+    metadata:
+    {{- if (.Values.mysql).podAnnotations }}
+      annotations:
+        {{ toYaml (.Values.mysql).podAnnotations | nindent 8 }}
+    {{- end }}
+      labels:
+        {{- include "rekor.mysql.labels" . | nindent 8 }}
+        {{- if (.Values.mysql).podLabels}}
+        {{ toYaml (.Values.mysql).podLabels | nindent 8 }}
+        {{- end}}
+    spec:
+      serviceAccountName: {{ template "rekor.serviceAccountName.mysql" . }}
+      {{- if (.Values.mysql).extraInitContainers }}
+      initContainers:
+{{ toYaml (.Values.mysql).extraInitContainers | indent 8 }}
+      {{- end }}
+{{- if (.Values.mysql).priorityClassName }}
+      priorityClassName: "{{ (.Values.mysql).priorityClassName }}"
+{{- end }}
+      {{- if .Values.imagePullSecrets }}
+      imagePullSecrets:
+{{ toYaml .Values.imagePullSecrets | indent 8 }}
+      {{- end }}
+      containers:
+        - name: {{ template "rekor.name" . }}-{{ (.Values.mysql).name }}
+          image: "{{ template "rekor.image" (.Values.mysql).image }}"
+          imagePullPolicy: "{{ (.Values.mysql).image.pullPolicy }}"
+        {{- if (.Values.mysql).args }}
+          args:
+{{ toYaml (.Values.mysql).args | indent 12 }}
+        {{- end }}
+          env:
+            - name: MYSQL_ROOT_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "mysql.secretName" . }}
+                  key: mysql-root-password
+            - name: MYSQL_USER
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "mysql.secretName" . }}
+                  key: mysql-user
+            - name: MYSQL_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "mysql.secretName" . }}
+                  key: mysql-password
+            - name: MYSQL_DATABASE
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "mysql.secretName" . }}
+                  key: mysql-database
+          ports:
+{{- include "rekor.containerPorts" (.Values.mysql).service.ports | indent 12 }}
+{{- if (.Values.mysql).livenessProbe }}
+          livenessProbe:
+{{ toYaml (.Values.mysql).livenessProbe | indent 12 }}
+{{- end }}
+{{- if (.Values.mysql).readinessProbe }}
+          readinessProbe:
+{{ toYaml (.Values.mysql).readinessProbe | indent 12 }}
+{{- end }}
+          resources:
+{{ toYaml (.Values.mysql).resources | indent 12 }}
+          volumeMounts:
+            - name: storage
+              mountPath: {{ (.Values.mysql).persistence.mountPath }}
+              subPath: {{ (.Values.mysql).persistence.subPath }}
+    {{- if (.Values.mysql).containerSecurityContext }}
+          securityContext:
+{{ toYaml (.Values.mysql).containerSecurityContext | indent 12 }}
+    {{- end }}
+    {{- if .Values.imagePullSecrets }}
+      imagePullSecrets:
+{{ toYaml .Values.imagePullSecrets | indent 8 }}
+    {{- end }}
+    {{- if (.Values.mysql).nodeSelector }}
+      nodeSelector:
+{{ toYaml (.Values.mysql).nodeSelector | indent 8 }}
+    {{- end }}
+    {{- with (.Values.mysql).dnsConfig }}
+      dnsConfig:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- if (.Values.mysql).securityContext }}
+      securityContext:
+{{ toYaml (.Values.mysql).securityContext | indent 8 }}
+    {{- end }}
+    {{- if (.Values.mysql).tolerations }}
+      tolerations:
+{{ toYaml (.Values.mysql).tolerations | indent 8 }}
+    {{- end }}
+    {{- if (.Values.mysql).affinity }}
+      affinity:
+{{ toYaml (.Values.mysql).affinity | indent 8 }}
+    {{- end }}
+      volumes:
+  {{- if not (.Values.mysql).persistence.enabled }}
+        - name: storage
+          emptyDir: {}
+  {{- else if (.Values.mysql).persistence.existingClaim }}
+        - name: storage
+          persistentVolumeClaim:
+            claimName: {{ (.Values.mysql).persistence.existingClaim }}
+  {{- else }}
+        - name: storage
+          persistentVolumeClaim:
+            claimName: {{ template "rekor.mysql.fullname" . }}
+  {{- end }}
+  {{- end }}
diff --git a/charts/rekor/templates/mysql/pvc.yaml b/charts/rekor/templates/mysql/pvc.yaml
@@ -0,0 +1,27 @@
+{{- if and (.Values.mysql).enabled (.Values.mysql.persistence).enabled (not (.Values.mysql.persistence).existingClaim) }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+{{- if (.Values.mysql.persistence).annotations }}
+  annotations:
+{{ toYaml (.Values.mysql.persistence).annotations | indent 4 }}
+{{- end }}
+  labels:
+    {{- include "rekor.mysql.labels" . | nindent 4 }}
+{{- if (.Values.mysql.persistence).labels }}
+{{ toYaml (.Values.mysql.persistence).labels | indent 4 }}
+{{- end }}
+  name: {{ template "rekor.mysql.fullname" . }}
+{{ include "rekor.namespace" . | indent 2 }}
+spec:
+  accessModes:
+  {{- range (.Values.mysql.persistence).accessModes }}
+    - {{ . | quote }}
+  {{- end }}
+  resources:
+    requests:
+      storage: {{ (.Values.mysql.persistence).size | quote }}
+{{- if (.Values.mysql.persistence).storageClass }}
+  storageClassName: {{ (.Values.mysql.persistence).storageClass }}
+{{- end }}
+{{- end }}
diff --git a/charts/rekor/templates/mysql/secret.yaml b/charts/rekor/templates/mysql/secret.yaml
@@ -0,0 +1,31 @@
+{{- if and (and .Values.mysql .Values.mysql.auth) (not .Values.mysql.auth.existingSecret) }}
+apiVersion: v1
+kind: Secret
+metadata:
+{{- if and .Values.mysql.secret .Values.mysql.secret.annotations }}
+  annotations:
+{{ toYaml .Values.mysql.secret.annotations | indent 4 }}
+{{- end }}
+  labels:
+{{- if and .Values.mysql.secret .Values.mysql.secret.labels }}
+{{ toYaml .Values.mysql.secret.labels | indent 4 }}
+{{- end }}
+  name: {{ template "rekor.mysql.fullname" . }}
+{{ include "rekor.namespace" . | indent 2 }}
+type: Opaque
+data:
+  {{- if .Values.mysql.enabled -}}
+  {{- if not (empty .Values.mysql.auth.rootPassword) }}
+  mysql-root-password: {{ .Values.mysql.auth.rootPassword | b64enc | quote }}
+  {{- else }}
+  mysql-root-password: {{ (include "rekor.randomSecret" (dict "secretName" (include "rekor.mysql.fullname" .) "key" "mysql-root-password" "context" $)) | b64enc | quote }}
+  {{- end }}
+  {{- end }}
+  {{- if not (empty (.Values.mysql.auth).password) }}
+  mysql-password: {{ .Values.mysql.auth.password | b64enc | quote }}
+  {{- else }}
+  mysql-password: {{ (include "rekor.randomSecret" (dict "secretName" (include "rekor.mysql.fullname" .) "key" "mysql-password" "context" $)) | b64enc | quote }}
+  {{- end }}
+  mysql-user: {{ .Values.mysql.auth.username | b64enc | quote }}
+  mysql-database:  {{ (include "mysql.database" .) | b64enc | quote }}
+{{- end }}
diff --git a/charts/rekor/templates/mysql/service.yaml b/charts/rekor/templates/mysql/service.yaml
@@ -0,0 +1,22 @@
+{{- if (.Values.mysql).enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+{{- if (.Values.mysql.service).annotations }}
+  annotations:
+{{ toYaml (.Values.mysql.service).annotations | indent 4 }}
+{{- end }}
+  labels:
+    {{- include "rekor.mysql.labels" . | nindent 4 }}
+{{- if (.Values.mysql.service).labels }}
+{{ toYaml (.Values.mysql.service).labels | indent 4 }}
+{{- end }}
+  name: {{ template "rekor.mysql.fullname" . }}
+{{ include "rekor.namespace" . | indent 2 }}
+spec:
+  ports:
+    {{- tpl (toYaml (.Values.mysql.service).ports) . | nindent 4 }}
+  selector:
+    {{- include "rekor.mysql.matchLabels" . | nindent 4 }}
+  type: "{{ (.Values.mysql.service).type }}"
+{{- end -}}