
Tsa secret optional for tuf #744

Merged
merged 16 commits into from
Oct 14, 2024

Conversation

@cvegagimenez cvegagimenez commented Apr 22, 2024

Description of the change

Make the TSA secret reference optional for TUF chart.

Existing or Associated Issue(s)

#735

Additional Information

Checklist

  • Chart version bumped in Chart.yaml according to semver. Where applicable, update and bump the versions in any associated umbrella chart
  • Variables are documented in the values.yaml and added to the README.md. The helm-docs utility can be used to generate the necessary content. Use helm-docs --dry-run to preview the content.
  • JSON Schema generated.
  • List tests pass for Chart using the Chart Testing tool and the ct lint command.

```text
------------------------------------------------------------------------------------------------------------------------
 Charts to be processed:
------------------------------------------------------------------------------------------------------------------------
 tuf => (version: "0.1.13", path: "charts/tuf")
------------------------------------------------------------------------------------------------------------------------

"sigstore" already exists with the same configuration, skipping
Linting chart "tuf => (version: \"0.1.13\", path: \"charts/tuf\")"
Checking chart "tuf => (version: \"0.1.13\", path: \"charts/tuf\")" for a version bump...
Old chart version: 0.1.12
New chart version: 0.1.13
Chart version ok.
Validating ~/Workspace/helm-charts/charts/tuf/Chart.yaml...
Validation success! 👍

Linting chart with values file "charts/tuf/ci/ci-values.yaml"...

==> Linting charts/tuf
[INFO] Chart.yaml: icon is recommended

1 chart(s) linted, 0 chart(s) failed

------------------------------------------------------------------------------------------------------------------------
 ✔︎ tuf => (version: "0.1.13", path: "charts/tuf")
------------------------------------------------------------------------------------------------------------------------
All charts linted successfully
```

@@ -54,6 +54,7 @@ A framework for securing software update systems - the scaffolding implementatio
| secrets.rekor.name | string | `"rekor-public-key"` | |
| secrets.rekor.path | string | `"rekor.pub"` | |
| secrets.tsa.create | bool | `false` | |
| secrets.tsa.existingSecret | bool | `false` | |
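Review bot: `secrets.tsa.existingSecret` is documented as a `bool` defaulting to `false`, but a flag on its own does not say which existing Secret the chart should mount; the rows above already use a `name`/`path` pair (`secrets.rekor.name`, `secrets.rekor.path`), so the TSA entry would be clearer as a single create-or-reference switch next to `secrets.tsa.name` rather than a separate boolean. The description column for the new row is also empty, so a short note on what the value controls would help readers of the README.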
Contributor

Why not make this `enabled` and set it to true? If secrets.tsa.create is true, a new secret will be created. Otherwise, secrets.tsa.name is the name of the existing secret.

Contributor Author

I implemented the changes. I thought it would be better to set `enabled` to false by default since the Charts are independent, but I could change it if you consider the other way.

Contributor

I like this approach a lot! It would be great if we can implement the same pattern across all of the secrets. Though that probably requires a separate PR to avoid encompassing too much into this issue. Unless you would want to rename the PR for that scope

Contributor Author

As in the TSA case, I set the default value to false to be independent.

Contributor Author

@sabre1041 Any news on this?

Contributor

@cvegagimenez syntactically this does work. However, in practice, for tuf to run properly, it will need at least one source of content (a secret) in order to start properly. Should we enforce that at least one secret is provided?

Also, would you be able to resolve the conflict in the README.md file?

Contributor Author

Done. I also added the same checks for the other TUF objects.

@sabre1041 sabre1041 left a comment

@cvegagimenez instead of omitting content when no secrets have been provided, an error should be thrown to ensure that the user provides at least one secret

@sabre1041
Contributor

@cvegagimenez This looks good. However, while thinking it through, in practice `enabled` should by default be true, as it aligns with the current functionality of the chart. By setting it to false, it would be a breaking change for anyone currently leveraging it.

The goal of this PR is to provide a way to opt out of providing secrets, but in practice this has now introduced the functionality where you have to opt in to achieve the current functionality. A simple swap of the default values and we should be good to integrate this change.

sabre1041 previously approved these changes Sep 30, 2024

@sabre1041 sabre1041 left a comment

LGTM

@cpanato cpanato left a comment

thanks

Need to check the helm docs job; I think the README needs to be updated as well, plus some small nits.

charts/tuf/templates/deployment.yaml (outdated)
charts/tuf/templates/ingress.yaml (outdated)
charts/tuf/templates/_helpers.tpl (outdated)
Signed-off-by: Carlos Vega <[email protected]>
Signed-off-by: Carlos Vega <[email protected]>
@haydentherapper
Contributor

@cpanato does this look good to you?

cpanato previously approved these changes Oct 7, 2024

@cpanato cpanato left a comment


thanks

and sorry for the delay

@cpanato
Member

cpanato commented Oct 7, 2024

but need to update the docs, can you please take a look?

@cpanato cpanato self-requested a review October 7, 2024 09:23
Signed-off-by: Carlos Vega <[email protected]>
@vipulagarwal
Contributor

> but need to update the docs, can you please take a look?

@cpanato the README was updated
Is there anything else missing? Would you like the description field to be populated?

@cvegagimenez
Contributor Author

cvegagimenez commented Oct 7, 2024

@cpanato , the tests are failing but I am not able to find the issue. Could you help here?

{"level":"fatal","ts":1728294947.0237236,"logger":"fallback","caller":"server/main.go:247","msg":"failed to parse /var/run/tuf-secrets/tsa.certchain.pem: unmarshaling certificates: error during PEM decoding","stacktrace":"main.main\n\tgithub.com/sigstore/scaffolding/cmd/tuf/server/main.go:247\nruntime.main\n\truntime/proc.go:272"}

{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 8 }}
{{- end }}
{{- if .Values.deployment.nodeSelector }}
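Review bot: the visible context ends at the guard `{{- if .Values.deployment.nodeSelector }}` with no rendered body after it, so the nodeSelector, tolerations and affinity blocks this guard used to introduce need to be confirmed as still present; dropping them silently changes pod scheduling for existing users, which is outside the scope of making the TSA secret optional. Minor: `{{ toYaml .Values.imagePullSecrets | indent 8 }}` relies on the literal newline after `imagePullSecrets:` to place the first indented line; `{{- toYaml ... | nindent 8 }}` on the `imagePullSecrets:` line is the more robust spelling of the same thing.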
Contributor

Why are we removing the nodeSelector, tolerations and affinity features for the tuf deployment?

Contributor Author

Completely right. Already fixed. Thanks!

@vipulagarwal
Contributor

vipulagarwal commented Oct 7, 2024

> @cpanato , the tests are failing but I am not able to find the issue. Could you help here?
>
> {"level":"fatal","ts":1728294947.0237236,"logger":"fallback","caller":"server/main.go:247","msg":"failed to parse /var/run/tuf-secrets/tsa.certchain.pem: unmarshaling certificates: error during PEM decoding","stacktrace":"main.main\n\tgithub.com/sigstore/scaffolding/cmd/tuf/server/main.go:247\nruntime.main\n\truntime/proc.go:272"}

Looking at previous test runs, we always had this error but it was somehow still passing the chart installation (incorrect behaviour). The error happens because by default all the secrets are enabled and scaffolding tuf server expects a valid certificate for tsa certificate chain.

The test failing now is the correct behavior, presumably a result of the latest scaffolding tuf server image. To fix the actual problem, we could set create: true for the TSA secret, but this enables it by default for everyone using the default values.

Edit: Or update scaffolding code to ignore empty tsa.certchain.pem file
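To make two points from this thread concrete in one place (the request that the server refuse to start when no secret at all is provided, and the empty `tsa.certchain.pem` failure analysed in the comment above), here is an added Go example. It is not code from sigstore/scaffolding or from this chart; it sketches a hypothetical loader for the mounted secrets directory that treats a missing or empty file as "secret not provided" (the option raised in the Edit), rejects a `tsa.certchain.pem` whose content does not decode as a PEM certificate chain (the fatal case in the quoted log), and fails when the directory yields nothing. The function names, the file names other than `rekor.pub` and `tsa.certchain.pem`, and the self-signed certificate used as sample input are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// ErrNoSecrets: every known file was missing or empty, so the server would start with no trust content.
var ErrNoSecrets = errors.New("no TUF secret files provided; at least one is required")

// knownTargets are the files this illustrative loader looks for under the mounted secrets
// directory. rekor.pub and tsa.certchain.pem appear in the thread; the other names are assumed.
var knownTargets = []string{"fulcio_v1.crt.pem", "ctfe.pub", "rekor.pub", "tsa.certchain.pem"}

// parseCertChain decodes every PEM block in data and parses it as X.509. Content with no
// CERTIFICATE block is the "error during PEM decoding" failure quoted in the thread.
func parseCertChain(data []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("unexpected PEM block type %q", block.Type)
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parsing certificate: %w", err)
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, errors.New("error during PEM decoding: no CERTIFICATE block found")
	}
	return certs, nil
}

// LoadTargets reads the known files under dir. A missing or empty file counts as "secret not
// provided" (the chart's optional-secret case), a tsa.certchain.pem whose content cannot be
// decoded is a hard error, and a directory that yields nothing at all is ErrNoSecrets.
func LoadTargets(dir string) (map[string][]byte, error) {
	found := map[string][]byte{}
	for _, name := range knownTargets {
		p := filepath.Join(dir, name)
		data, err := os.ReadFile(p)
		if errors.Is(err, os.ErrNotExist) {
			continue
		}
		if err != nil {
			return nil, err
		}
		if len(bytes.TrimSpace(data)) == 0 {
			continue // key present in the mounted Secret but empty: treat as not provided
		}
		if name == "tsa.certchain.pem" {
			if _, err := parseCertChain(data); err != nil {
				return nil, fmt.Errorf("failed to parse %s: %w", p, err)
			}
		}
		found[name] = data
	}
	if len(found) == 0 {
		return nil, ErrNoSecrets
	}
	return found, nil
}

// selfSignedCertPEM builds a throwaway self-signed certificate (constructed stand-in for a real TSA chain).
func selfSignedCertPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-tsa"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	dir, _ := os.MkdirTemp("", "tuf-secrets")
	defer os.RemoveAll(dir)
	// Reproduce the chart default described in the thread: rekor key mounted, TSA chain file mounted but empty.
	_ = os.WriteFile(filepath.Join(dir, "rekor.pub"), []byte("constructed key material\n"), 0o600)
	_ = os.WriteFile(filepath.Join(dir, "tsa.certchain.pem"), nil, 0o600)
	got, err := LoadTargets(dir)
	fmt.Printf("loaded %d target(s), err=%v\n", len(got), err) // loaded 1 target(s), err=<nil>
}
```

The distinction the loader draws is the one the thread circles around: a chart that mounts every key by default produces files that exist but are empty, and a server that treats "empty" the same as "malformed" fails to start for everyone, while a server that treats "empty" the same as "absent" still needs the final `ErrNoSecrets` check so that a misconfigured release does not serve an empty trust root.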

@cpanato cpanato left a comment

thanks

@cpanato cpanato merged commit 95cbdec into sigstore:main Oct 14, 2024
3 checks passed