From f48f138643c3cfbab6c9d61605b3889a9b8c5c2b Mon Sep 17 00:00:00 2001
From: ianhundere <138915+ianhundere@users.noreply.github.com>
Date: Mon, 29 Jul 2024 15:21:58 -0400
Subject: [PATCH] adds tuf-rollout-restart container to ensure tuf root secret
 is updated.

Signed-off-by: ianhundere <138915+ianhundere@users.noreply.github.com>
---
 charts/scaffold/Chart.yaml                    |  2 +-
 charts/scaffold/README.md                     |  2 +-
 charts/scaffold/templates/clusterrole.yaml    |  4 ++--
 .../templates/copy-secrets-cronjob.yaml       | 20 +++++++++++++------
 4 files changed, 18 insertions(+), 10 deletions(-)

diff --git a/charts/scaffold/Chart.yaml b/charts/scaffold/Chart.yaml
index bbcda100..f72d63ee 100644
--- a/charts/scaffold/Chart.yaml
+++ b/charts/scaffold/Chart.yaml
@@ -4,7 +4,7 @@ description: Scaffolding the components of the sigstore architecture
 
 type: application
 
-version: 0.6.61
+version: 0.6.62
 keywords:
   - security
   - pki
diff --git a/charts/scaffold/README.md b/charts/scaffold/README.md
index d387c62a..18a2842a 100644
--- a/charts/scaffold/README.md
+++ b/charts/scaffold/README.md
@@ -2,7 +2,7 @@
 
 <!-- This README.md is generated. Please edit README.md.gotmpl -->
 
-![Version: 0.6.61](https://img.shields.io/badge/Version-0.6.61-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.6.62](https://img.shields.io/badge/Version-0.6.62-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 Scaffolding the components of the sigstore architecture
 
diff --git a/charts/scaffold/templates/clusterrole.yaml b/charts/scaffold/templates/clusterrole.yaml
index 7679b131..c2101851 100644
--- a/charts/scaffold/templates/clusterrole.yaml
+++ b/charts/scaffold/templates/clusterrole.yaml
@@ -9,5 +9,5 @@ rules:
     verbs: ["get", "create", "patch"{{- if .Values.copySecretJob.copySecretCronJob.enabled }}, "delete"{{- end }}]
   - apiGroups: ["apps"]
     resources: ["deployments"]
-    verbs: ["get", "list"]
-{{- end }}
+    verbs: ["get", "list"{{- if .Values.copySecretJob.copySecretCronJob.enabled }}, "update"{{- end }}]
+{{- end }}
\ No newline at end of file
diff --git a/charts/scaffold/templates/copy-secrets-cronjob.yaml b/charts/scaffold/templates/copy-secrets-cronjob.yaml
index 8238a2fd..b02f7452 100644
--- a/charts/scaffold/templates/copy-secrets-cronjob.yaml
+++ b/charts/scaffold/templates/copy-secrets-cronjob.yaml
@@ -56,7 +56,7 @@ spec:
             args: [
                 "-c",
                 "curl {{ .Values.tuf.secrets.rekor.deploymentName}}.{{ .Values.tuf.secrets.rekor.namespace }}.svc.cluster.local/api/v1/log/publicKey -o /tmp/key -v && \
-                kubectl apply -f - <<EOF\napiVersion: v1\nkind: Secret\nmetadata:\n  name: {{ .Values.tuf.secrets.rekor.name }}\n  namespace: {{ .Values.forceNamespace }}\ndata:\n  key: $(cat /tmp/key | base64 -w 0)\nEOF\n"
+                kubectl apply -f - <<EOF\napiVersion: v1\nkind: Secret\nmetadata:\n  name: {{ .Values.tuf.secrets.rekor.name }}\n  namespace: {{ include "tuf.rawnamespace" .Subcharts.tuf }}\ndata:\n  key: $(cat /tmp/key | base64 -w 0)\nEOF\n"
             ]
           - name: copy-fulcio-secret
             image: {{ template "scaffold.image" .Values.copySecretJob }}
@@ -64,8 +64,8 @@ spec:
             command: ["/bin/sh"]
             args: [
                 "-c",
-                "kubectl -n {{ .Values.forceNamespace }} delete secret {{ .Values.tuf.secrets.fulcio.name }} --ignore-not-found && \
-                kubectl -n {{ .Values.tuf.secrets.fulcio.namespace }} get secrets {{ .Values.tuf.secrets.fulcio.name }} -oyaml | sed 's/namespace: .*/namespace: {{ .Values.forceNamespace }}/' | kubectl apply -f -"
+                "kubectl -n {{ include "tuf.rawnamespace" .Subcharts.tuf }} delete secret {{ .Values.tuf.secrets.fulcio.name }} --ignore-not-found && \
+                kubectl -n {{ .Values.tuf.secrets.fulcio.namespace }} get secrets {{ .Values.tuf.secrets.fulcio.name }} -oyaml | sed 's/namespace: .*/namespace: {{ include "tuf.rawnamespace" .Subcharts.tuf }}/' | kubectl apply -f -"
             ]
           - name: copy-ctlog-secret
             image: {{ template "scaffold.image" .Values.copySecretJob }}
@@ -73,8 +73,8 @@ spec:
             command: ["/bin/sh"]
             args: [
                 "-c",
-                "kubectl -n {{ .Values.forceNamespace }} delete secret {{ .Values.tuf.secrets.ctlog.name }} --ignore-not-found && \
-                kubectl -n {{ .Values.tuf.secrets.ctlog.namespace }} get secrets {{ .Values.tuf.secrets.ctlog.name }} -oyaml | sed 's/namespace: .*/namespace: {{ .Values.forceNamespace }}/' | kubectl apply -f -"
+                "kubectl -n {{ include "tuf.rawnamespace" .Subcharts.tuf }} delete secret {{ .Values.tuf.secrets.ctlog.name }} --ignore-not-found && \
+                kubectl -n {{ .Values.tuf.secrets.ctlog.namespace }} get secrets {{ .Values.tuf.secrets.ctlog.name }} -oyaml | sed 's/namespace: .*/namespace: {{ include "tuf.rawnamespace" .Subcharts.tuf }}/' | kubectl apply -f -"
             ]
           - name: copy-tsa-secret
             image: {{ template "scaffold.image" .Values.copySecretJob }}
@@ -83,7 +83,15 @@ spec:
             args: [
                 "-c",
                 "curl {{ .Values.tuf.secrets.tsa.deploymentName}}.{{ .Values.tuf.secrets.tsa.namespace }}.svc.cluster.local/api/v1/timestamp/certchain -o /tmp/cert-chain -v && \
-                kubectl apply -f - <<EOF\napiVersion: v1\nkind: Secret\nmetadata:\n  name: {{ .Values.tuf.secrets.tsa.name }}\n  namespace: {{ .Values.forceNamespace }}\ndata:\n  cert-chain: $(cat /tmp/cert-chain | base64 -w 0)\nEOF\n"
+                kubectl apply -f - <<EOF\napiVersion: v1\nkind: Secret\nmetadata:\n  name: {{ .Values.tuf.secrets.tsa.name }}\n  namespace: {{ include "tuf.rawnamespace" .Subcharts.tuf }}\ndata:\n  cert-chain: $(cat /tmp/cert-chain | base64 -w 0)\nEOF\n"
+            ]
+          - name: rollout-restart-tuf
+            image: {{ template "scaffold.image" .Values.copySecretJob }}
+            imagePullPolicy: {{ .Values.copySecretJob.pullPolicy }}
+            command: ["/bin/sh"]
+            args: [
+                "-c",
+                "kubectl -n {{ include "tuf.rawnamespace" .Subcharts.tuf }} rollout restart deployment {{ .Values.tuf.fullnameOverride}}"
             ]
           {{- if .Values.copySecretJob.nodeSelector }}
           nodeSelector: