-
Notifications
You must be signed in to change notification settings - Fork 92
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(fulcio/add-env): Add additional env variables #530
base: main
Are you sure you want to change the base?
feat(fulcio/add-env): Add additional env variables #530
Conversation
9bbd178
to
2c3fe7e
Compare
Support GCP credentials for external cloud provider workloads Signed-off-by: saisatish karra <[email protected]>
2c3fe7e
to
af3fc29
Compare
bcf4c93
to
066dec4
Compare
Signed-off-by: saisatish karra <[email protected]>
066dec4
to
bef4aba
Compare
charts/fulcio/values.yaml
Outdated
args: | ||
port: 5555 | ||
grpcPort: 5554 | ||
# valid values: GCP workload identity config json for trusted external cloud providers | ||
creds: "" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the name creds
is somewhat ambitious
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there an expected naming suggestion? I used this to maintain the existing convention between TSA and Fulcio helm chart. How about cloud_credential_config
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am good with cloud_credential_config
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed!!
@@ -59,14 +59,27 @@ spec: | |||
- "--kms-cert-chain-path=/etc/fulcio-config/chain.pem" | |||
{{- end }} | |||
- "--ct-log-url={{ if .Values.server.args.disable_ct_log }}{{ else if .Values.server.args.ct_log_url }}{{ .Values.server.args.ct_log_url }}{{ else }}http://{{ .Values.ctlog.name }}.{{ .Values.ctlog.namespace.name }}.svc/{{ .Values.ctlog.createctconfig.logPrefix }}{{ end }}" | |||
{{- if eq .Values.server.args.certificateAuthority "fileca" }} | |||
{{- if .Values.server.env }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This doesnt have a closing end tag, yet strangely no error is thrown
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The closing {{- end}}
for line 64 is at line82
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got it
To simplify, this condition should be an or
statement that checks the presence of Values.server.env
or whether Values.server.args.certificateAuthority
== fileca
. This would avoid the redundant PASSWORD
env variable definition
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think the or
condition between Values.server.env
and Values.server.args.certificateAuthority == fileca
would work because there might be a case where there are env variables specified as key-value pairs and the certificateAuthority
== "<something not fileca>"
at which point it would still try to populate the PASSWORD
as a secret ref that is NOT optional
and the pod might fail / retry due to lack of missing secret.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
that is still fine. having the proposed conditional would still suffice. this conditional would remain in order to capture when it was defined, otherwise only the key/values would be captured. The contents within this conditional block can be removed as its no longer needed
Signed-off-by: saisatish karra <[email protected]>
@sabre1041 Fixed the issues. Please review and revert. |
charts/fulcio/Chart.yaml
Outdated
@@ -5,7 +5,7 @@ description: | | |||
|
|||
type: application | |||
|
|||
version: 2.3.2 | |||
version: 2.4.2 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
version: 2.4.2 | |
version: 2.4.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed!
@@ -59,14 +59,27 @@ spec: | |||
- "--kms-cert-chain-path=/etc/fulcio-config/chain.pem" | |||
{{- end }} | |||
- "--ct-log-url={{ if .Values.server.args.disable_ct_log }}{{ else if .Values.server.args.ct_log_url }}{{ .Values.server.args.ct_log_url }}{{ else }}http://{{ .Values.ctlog.name }}.{{ .Values.ctlog.namespace.name }}.svc/{{ .Values.ctlog.createctconfig.logPrefix }}{{ end }}" | |||
{{- if eq .Values.server.args.certificateAuthority "fileca" }} | |||
{{- if .Values.server.env }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got it
To simplify, this condition should be an or
statement that checks the presence of Values.server.env
or whether Values.server.args.certificateAuthority
== fileca
. This would avoid the redundant PASSWORD
env variable definition
charts/fulcio/values.yaml
Outdated
args: | ||
port: 5555 | ||
grpcPort: 5554 | ||
# valid values: GCP workload identity config json for trusted external cloud providers | ||
creds: "" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am good with cloud_credential_config
@@ -11,3 +11,4 @@ data: | |||
{{- if (eq .Values.server.args.certificateAuthority "kmsca")}} | |||
chain.pem: {{.Values.server.args.kms_cert_chain | quote }} | |||
{{- end }} | |||
cloud_credentials: {{.Values.server.args.creds | quote }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Add a conditional to avoid including when not specified
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added condition!
Signed-off-by: saisatish karra <[email protected]>
Hello @saisatishkarra |
Just to add - not having the extra environment variables in the fulcio chart also makes configuring a Vault/OpenBao KMS more difficult since you cannot easily set env vars like |
Description of the change
Support GCP credentials for external cloud provider workloads
Existing or Associated Issue(s)
Additional Information
Similar changes that were made in TSA
Checklist
Chart.yaml
according to semver. Where applicable, update and bump the versions in any associated umbrella chartvalues.yaml
and added to the README.md. The helm-docs utility can be used to generate the necessary content. Usehelm-docs --dry-run
to preview the content.ct lint
command.