From ba2ab00cf9087644990e8d7e24ef690f6f8f0d75 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Ku=C4=87?= Date: Sat, 8 Jul 2023 23:44:28 +0200 Subject: [PATCH 1/5] Add GCP Secret Manager support to Helm Charts and update the README file for deployment to reflect that MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Rafał Kuć --- deployment/chainloop/README.md | 48 ++++++++++++++++----- deployment/chainloop/templates/_helpers.tpl | 6 +++ 2 files changed, 44 insertions(+), 10 deletions(-) diff --git a/deployment/chainloop/README.md b/deployment/chainloop/README.md index a81aa95a5..b3409ec7f 100644 --- a/deployment/chainloop/README.md +++ b/deployment/chainloop/README.md @@ -89,6 +89,19 @@ helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ # ... ``` +Deploy using GCP secret manager instead of Vault + +```console +helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ + # Open ID Connect (OIDC) + # ... + # Secrets backend + --set secretsBackend.gcpSecretManager.projectId=[GCP Project ID] \ + --set secretsBackend.gcpSecretManager.authKey=[GCP Auth KEY] \ + # Server Auth KeyPair + # ... +``` + Connect to an external PostgreSQL database instead ```console @@ -292,6 +305,19 @@ secretsBackend: secretKey: [SECRET] region: [REGION] ``` + +### Use GCP secret manager + +You can swap the secret manager backend with the following settings + +```yaml +secretsBackend: + backend: gcpSecretManager + gcpSecretManager: + projectId: [PROJECT_ID] + authKey: [KEY] +``` + ### Send exceptions to Sentry ```yaml 
@@ -332,15 +358,17 @@ chainloop config save \ ### Secrets Backend -| Name | Description | Value | -| ------------------------------------------- | -------------------------------------------------------------------- | ----------- | -| `secretsBackend.backend` | Secrets backend type ("vault" or "awsSecretManager") | `vault` | -| `secretsBackend.secretPrefix` | Prefix that will be pre-pended to all secrets in the storage backend | `chainloop` | -| `secretsBackend.vault.address` | Vault address | | -| `secretsBackend.vault.token` | Vault authentication token | | -| `secretsBackend.awsSecretManager.accessKey` | AWS Access KEY ID | | -| `secretsBackend.awsSecretManager.secretKey` | AWS Secret Key | | -| `secretsBackend.awsSecretManager.region` | AWS Secret Manager Region | | +| Name | Description | Value | +| ------------------------------------------- | --------------------------------------------------------------------- | ----------- | +| `secretsBackend.backend` | Secrets backend type ("vault", "awsSecretManager", "gcpSecretManager")| `vault` | +| `secretsBackend.secretPrefix` | Prefix that will be pre-pended to all secrets in the storage backend | `chainloop` | +| `secretsBackend.vault.address` | Vault address | | +| `secretsBackend.vault.token` | Vault authentication token | | +| `secretsBackend.awsSecretManager.accessKey` | AWS Access KEY ID | | +| `secretsBackend.awsSecretManager.secretKey` | AWS Secret Key | | +| `secretsBackend.awsSecretManager.region` | AWS Secret Manager Region | | +| `secretsBackend.gcpSecretManager.projectId` | GCP Project ID | | +| `secretsBackend.gcpSecretManager.authKey` | GCP Auth Key | | ### Authentication 
@@ -507,4 +535,4 @@ Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and -limitations under the License. \ No newline at end of file +limitations under the License. diff --git a/deployment/chainloop/templates/_helpers.tpl b/deployment/chainloop/templates/_helpers.tpl index 542621ee9..95f050859 100644 --- a/deployment/chainloop/templates/_helpers.tpl +++ b/deployment/chainloop/templates/_helpers.tpl @@ -77,6 +77,12 @@ awsSecretManager: creds: accessKey: {{ required "access key required" .awsSecretManager.accessKey | quote }} secretKey: {{ required "secret key required" .awsSecretManager.secretKey | quote }} + +{{- else if eq .backend "gcpSecretManager" }} + secretPrefix: {{ required "secret prefix required" .secretPrefix | quote }} + projectId: {{ required "project id required" .gcpSecretManager.projectId | quote }} + authKey: {{ required "auth key required" .gcpSecretManager.authKey | quote }} + {{- end }} {{- end }} {{- end -}} From 346b277178abd2fe20e332fd5850c0119c846419 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Ku=C4=87?= Date: Sat, 8 Jul 2023 23:50:40 +0200 Subject: [PATCH 2/5] Update default values for the GCP secret manager in the Helm Chart MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Rafał Kuć --- deployment/chainloop/values.yaml | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/deployment/chainloop/values.yaml b/deployment/chainloop/values.yaml index 460e8db20..2a9ea8267 100644 --- a/deployment/chainloop/values.yaml +++ b/deployment/chainloop/values.yaml 
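Review bot: The new `gcpSecretManager` branch marks `authKey` as `required` and renders it inline with `quote`, so the GCP credential can only reach the pod through chart values, which also surface in `helm get values` and in any committed values file. If the enclosing define is rendered into a ConfigMap rather than a Secret (the define and the `if` chain this `else if` belongs to start outside the hunk, so this cannot be confirmed here), the key lands in a non-secret resource. Consider accepting an existing Secret reference next to the inline value (for example a constructed `secretsBackend.gcpSecretManager.existingSecret` key) and documenting whether `authKey` is the service-account JSON contents or a path, since `quote` behaves very differently for a multi-line JSON blob than for a filename. The three keys are emitted without a parent `gcpSecretManager:` mapping in this hunk; PATCH 4/5 of this series adds it.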
@@ -30,14 +30,14 @@ sentry: ## Location where to store sensitive data. If development.true? and no overrides provided, the setup will connect to a development instance of Vault secretsBackend: - ## @param secretsBackend.backend Secrets backend type ("vault" or "awsSecretManager") + ## @param secretsBackend.backend Secrets backend type ("vault", "awsSecretManager" or "gcpSecretManager") ## backend: "vault" # "awsSecretManager" ## @param secretsBackend.secretPrefix Prefix that will be pre-pended to all secrets in the storage backend ## secretPrefix: "chainloop" - # Either vault or AWS secret manager enabled at the same time + # Either vault, AWS secret manager or GCP secret manager enabled at the same time ## @extra secretsBackend.vault.address Vault address ## @extra secretsBackend.vault.token Vault authentication token ## @@ -54,6 +54,13 @@ secretsBackend: # secretKey: "" # region: "" + ## @extra secretsBackend.gcpSecretManager.projectId GCP Project ID + ## @extra secretsBackend.gcpSecretManager.authKey GCP Auth Key + ## + # gcpSecretManager: + # projectId: "" + # authKey: "" + ## @section Authentication ## @@ -621,4 +628,4 @@ vault: server: dev: enabled: true - devRootToken: "notapassword" \ No newline at end of file + devRootToken: "notapassword" From 1db6e3e7b09e130fab86bd3764bd49b431f0995c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Ku=C4=87?= Date: Mon, 10 Jul 2023 18:47:38 +0200 Subject: [PATCH 3/5] Update the README to include the --set for the secretsBackend.backend property MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Rafał Kuć --- deployment/chainloop/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/deployment/chainloop/README.md b/deployment/chainloop/README.md index b3409ec7f..7017e7a0e 100644 --- a/deployment/chainloop/README.md +++ b/deployment/chainloop/README.md 
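Review bot: The inline comment on `backend: "vault" # "awsSecretManager"` still lists only the AWS alternative while the `@param` line directly above it now names three backends; update it to `backend: "vault" # "awsSecretManager" or "gcpSecretManager"`. The reworded `# Either vault, AWS secret manager or GCP secret manager enabled at the same time` reads as if several can be active, whereas the `_helpers.tpl` if/else-if chain in PATCH 1/5 selects exactly one; `# Only one of vault, AWS secret manager or GCP secret manager can be enabled at a time` states that constraint. If the README parameter table is generated from these `@param` annotations, note that the hand-edited table text in PATCH 1/5 ("vault", "awsSecretManager", "gcpSecretManager") already differs from this wording and will be overwritten on the next regeneration.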
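Review bot: The annotation `## @extra secretsBackend.gcpSecretManager.authKey GCP Auth Key` does not say what form the value takes (contents of a service-account JSON key or a path to one) nor that it is a long-lived credential stored in the release values; a reader copying the commented `# authKey: ""` example has no guidance. Suggest expanding it to something like `## @extra secretsBackend.gcpSecretManager.authKey GCP service-account key used to reach Secret Manager; treat as sensitive and do not commit values files containing it`, adjusted to whichever format the helper actually expects. The same gap exists for the README table row added in PATCH 1/5.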
@@ -96,6 +96,7 @@ helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ # Open ID Connect (OIDC) # ... # Secrets backend + --set secretsBackend.backend=gcpSecretManager \ --set secretsBackend.gcpSecretManager.projectId=[GCP Project ID] \ --set secretsBackend.gcpSecretManager.authKey=[GCP Auth KEY] \ # Server Auth KeyPair From c5bc3e7c984bb1cb8041ca7746d7249817dcc0f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Ku=C4=87?= Date: Mon, 10 Jul 2023 18:53:15 +0200 Subject: [PATCH 4/5] Include the proper parent key for GCP Secret Manager in Helm Charts MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Rafał Kuć --- deployment/chainloop/templates/_helpers.tpl | 1 + 1 file changed, 1 insertion(+) diff --git a/deployment/chainloop/templates/_helpers.tpl b/deployment/chainloop/templates/_helpers.tpl index 95f050859..880d617ed 100644 --- a/deployment/chainloop/templates/_helpers.tpl +++ b/deployment/chainloop/templates/_helpers.tpl @@ -79,6 +79,7 @@ awsSecretManager: secretKey: {{ required "secret key required" .awsSecretManager.secretKey | quote }} {{- else if eq .backend "gcpSecretManager" }} +gcpSecretManager: secretPrefix: {{ required "secret prefix required" .secretPrefix | quote }} projectId: {{ required "project id required" .gcpSecretManager.projectId | quote }} authKey: {{ required "auth key required" .gcpSecretManager.authKey | quote }} From 08fb488ec79ec7eb4ace1e5632841f10ad9a06eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Ku=C4=87?= Date: Mon, 10 Jul 2023 18:54:34 +0200 Subject: [PATCH 5/5] Bump the Helm Chart version to 1.7.1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Rafał Kuć --- deployment/chainloop/Chart.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deployment/chainloop/Chart.yaml b/deployment/chainloop/Chart.yaml index 08101e301..4c87b753c 100644 
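Review bot: `secretPrefix` is now nested under the new `gcpSecretManager:` parent together with `projectId` and `authKey`, whereas the AWS branch visible in context nests its credentials under a `creds:` mapping; please confirm the consuming config struct expects `gcpSecretManager.secretPrefix` and a flat `authKey`, because a misplaced key is only detected at runtime once this backend is selected. The added parent line appears at column 0 while the three child lines it now owns were added indented in PATCH 1/5, so a `helm template --set secretsBackend.backend=gcpSecretManager --set secretsBackend.gcpSecretManager.projectId=x --set secretsBackend.gcpSecretManager.authKey=y` render is worth checking for correct nesting. The enclosing define and the `if` chain begin outside the hunk.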
--- a/deployment/chainloop/Chart.yaml +++ b/deployment/chainloop/Chart.yaml @@ -4,7 +4,7 @@ description: Chainloop is an open source software supply chain control plane, a type: application # Bump the patch (not minor, not major) version on each change in the Chart Source code -version: 1.7.0 +version: 1.7.1 # Do not update appVersion, this is handled automatically by the release process appVersion: v0.12.0 @@ -21,4 +21,4 @@ dependencies: - condition: development name: vault repository: https://helm.releases.hashicorp.com - version: 0.24.x \ No newline at end of file + version: 0.24.x