Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(fulcio/add-env): Add additional env variables #530

Open
wants to merge 4 commits into
base: main
Choose a base branch
from

Conversation

saisatishkarra
Copy link
Contributor

@saisatishkarra saisatishkarra commented May 18, 2023

Description of the change

Support GCP credentials for external cloud provider workloads

Existing or Associated Issue(s)

Additional Information

Similar changes that were made in TSA

Checklist

  • Chart version bumped in Chart.yaml according to semver. Where applicable, update and bump the versions in any associated umbrella chart
  • Variables are documented in the values.yaml and added to the README.md. The helm-docs utility can be used to generate the necessary content. Use helm-docs --dry-run to preview the content.
  • JSON Schema generated.
  • List tests pass for Chart using the Chart Testing tool and the ct lint command.

@saisatishkarra saisatishkarra force-pushed the feat/fulcio-env-gcp-creds branch from 9bbd178 to 2c3fe7e Compare May 18, 2023 21:31
Support GCP credentials for external cloud provider workloads

Signed-off-by: saisatish karra <[email protected]>
@saisatishkarra saisatishkarra force-pushed the feat/fulcio-env-gcp-creds branch from 2c3fe7e to af3fc29 Compare May 18, 2023 21:41
charts/fulcio/values.yaml Outdated Show resolved Hide resolved
@saisatishkarra saisatishkarra force-pushed the feat/fulcio-env-gcp-creds branch 3 times, most recently from bcf4c93 to 066dec4 Compare May 19, 2023 14:06
@saisatishkarra saisatishkarra requested a review from cpanato May 19, 2023 14:06
@saisatishkarra saisatishkarra force-pushed the feat/fulcio-env-gcp-creds branch from 066dec4 to bef4aba Compare May 19, 2023 14:07
charts/fulcio/README.md Outdated Show resolved Hide resolved
args:
port: 5555
grpcPort: 5554
# valid values: GCP workload identity config json for trusted external cloud providers
creds: ""
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the name creds is somewhat ambitious

Copy link
Contributor Author

@saisatishkarra saisatishkarra May 21, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there an expected naming suggestion? I used this to maintain the existing convention between TSA and Fulcio helm chart. How about cloud_credential_config?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am good with cloud_credential_config

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed!!

@@ -59,14 +59,27 @@ spec:
- "--kms-cert-chain-path=/etc/fulcio-config/chain.pem"
{{- end }}
- "--ct-log-url={{ if .Values.server.args.disable_ct_log }}{{ else if .Values.server.args.ct_log_url }}{{ .Values.server.args.ct_log_url }}{{ else }}http://{{ .Values.ctlog.name }}.{{ .Values.ctlog.namespace.name }}.svc/{{ .Values.ctlog.createctconfig.logPrefix }}{{ end }}"
{{- if eq .Values.server.args.certificateAuthority "fileca" }}
{{- if .Values.server.env }}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesnt have a closing end tag, yet strangely no error is thrown

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The closing {{- end}} for line 64 is at line82

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got it

To simplify, this condition should be an or statement that checks the presence of Values.server.env or whether Values.server.args.certificateAuthority == fileca. This would avoid the redundant PASSWORD env variable definition

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think the or condition between Values.server.env and Values.server.args.certificateAuthority == fileca would work because there might be a case where there are env variables specified as key-value pairs and the certificateAuthority == "<something not fileca>" at which point it would still try to populate the PASSWORD as a secret ref that is NOT optional and the pod might fail / retry due to lack of missing secret.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

that is still fine. having the proposed conditional would still suffice. this conditional would remain in order to capture when it was defined, otherwise only the key/values would be captured. The contents within this conditional block can be removed as its no longer needed

Signed-off-by: saisatish karra <[email protected]>
@saisatishkarra saisatishkarra requested a review from sabre1041 May 21, 2023 19:36
@saisatishkarra
Copy link
Contributor Author

@sabre1041 Fixed the issues. Please review and revert.

@@ -5,7 +5,7 @@ description: |

type: application

version: 2.3.2
version: 2.4.2
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
version: 2.4.2
version: 2.4.0

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed!

@@ -59,14 +59,27 @@ spec:
- "--kms-cert-chain-path=/etc/fulcio-config/chain.pem"
{{- end }}
- "--ct-log-url={{ if .Values.server.args.disable_ct_log }}{{ else if .Values.server.args.ct_log_url }}{{ .Values.server.args.ct_log_url }}{{ else }}http://{{ .Values.ctlog.name }}.{{ .Values.ctlog.namespace.name }}.svc/{{ .Values.ctlog.createctconfig.logPrefix }}{{ end }}"
{{- if eq .Values.server.args.certificateAuthority "fileca" }}
{{- if .Values.server.env }}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got it

To simplify, this condition should be an or statement that checks the presence of Values.server.env or whether Values.server.args.certificateAuthority == fileca. This would avoid the redundant PASSWORD env variable definition

args:
port: 5555
grpcPort: 5554
# valid values: GCP workload identity config json for trusted external cloud providers
creds: ""
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am good with cloud_credential_config

@@ -11,3 +11,4 @@ data:
{{- if (eq .Values.server.args.certificateAuthority "kmsca")}}
chain.pem: {{.Values.server.args.kms_cert_chain | quote }}
{{- end }}
cloud_credentials: {{.Values.server.args.creds | quote }}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add a conditional to avoid including when not specified

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added condition!

@saisatishkarra saisatishkarra requested a review from sabre1041 May 25, 2023 13:35
@Sifungurux
Copy link

Hello @saisatishkarra
I really need the feature that enabled to set env as well. Are the feature gone cold

@Racer159
Copy link

Just to add - not having the extra environment variables in the fulcio chart also makes configuring a Vault/OpenBao KMS more difficult since you cannot easily set env vars like VAULT_ADDR - https://github.com/sigstore/sigstore/blob/1bbe33108312349ecb12badff611f23c262c0760/pkg/signature/kms/hashivault/client.go#L101 (you'd have to patch it after the fact unless I am missing something)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants