diff --git a/deployment/chainloop/Chart.yaml b/deployment/chainloop/Chart.yaml
index 1990e622e..1bbfa99f0 100644
--- a/deployment/chainloop/Chart.yaml
+++ b/deployment/chainloop/Chart.yaml
@@ -4,7 +4,7 @@ description: Chainloop is an open source software supply chain control plane, a
 type: application
 # Bump the patch (not minor, not major) version on each change in the Chart Source code
-version: 1.19.0
+version: 1.19.1
 # Do not update appVersion, this is handled automatically by the release process
 appVersion: v0.20.0
diff --git a/deployment/chainloop/README.md b/deployment/chainloop/README.md
index 3d67aa19c..f9f9cb595 100644
--- a/deployment/chainloop/README.md
+++ b/deployment/chainloop/README.md
@@ -383,17 +383,21 @@ chainloop config save \
 ### Secrets Backend
-| Name                                                | Description                                                              | Value       |
-| --------------------------------------------------- | ------------------------------------------------------------------------ | ----------- |
-| `secretsBackend.backend`                            | Secrets backend type ("vault", "awsSecretManager" or "gcpSecretManager") | `vault`     |
-| `secretsBackend.secretPrefix`                       | Prefix that will be pre-pended to all secrets in the storage backend     | `chainloop` |
-| `secretsBackend.vault.address`                      | Vault address                                                            |             |
-| `secretsBackend.vault.token`                        | Vault authentication token                                               |             |
-| `secretsBackend.awsSecretManager.accessKey`         | AWS Access KEY ID                                                        |             |
-| `secretsBackend.awsSecretManager.secretKey`         | AWS Secret Key                                                           |             |
-| `secretsBackend.awsSecretManager.region`            | AWS Secret Manager Region                                                |             |
-| `secretsBackend.gcpSecretManager.projectId`         | GCP Project ID                                                           |             |
-| `secretsBackend.gcpSecretManager.serviceAccountKey` | GCP Auth Key                                                             |             |
+| Name                                                | Description                                                                               | Value       |
+| --------------------------------------------------- | ----------------------------------------------------------------------------------------- | ----------- |
+| `secretsBackend.backend`                            | Secrets backend type ("vault", "awsSecretManager" or "gcpSecretManager", "azureKeyVault") | `vault`     |
+| `secretsBackend.secretPrefix`                       | Prefix that will be pre-pended to all secrets in the storage backend                      | `chainloop` |
+| `secretsBackend.vault.address`                      | Vault address                                                                             |             |
+| `secretsBackend.vault.token`                        | Vault authentication token                                                                |             |
+| `secretsBackend.awsSecretManager.accessKey`         | AWS Access KEY ID                                                                         |             |
+| `secretsBackend.awsSecretManager.secretKey`         | AWS Secret Key                                                                            |             |
+| `secretsBackend.awsSecretManager.region`            | AWS Secret Manager Region                                                                 |             |
+| `secretsBackend.gcpSecretManager.projectId`         | GCP Project ID                                                                            |             |
+| `secretsBackend.gcpSecretManager.serviceAccountKey` | GCP Auth Key                                                                              |             |
+| `secretsBackend.azureKeyVault.tenantID`             | Active Directory Tenant ID                                                                |             |
+| `secretsBackend.azureKeyVault.clientID`             | Registered application / service principal client ID                                      |             |
+| `secretsBackend.azureKeyVault.clientSecret`         | Service principal client secret                                                           |             |
+| `secretsBackend.azureKeyVault.vaultURI`             | Azure Key Vault URL                                                                       |             |
 ### Authentication
diff --git a/deployment/chainloop/templates/_helpers.tpl b/deployment/chainloop/templates/_helpers.tpl
index 6b1c27b19..f19f34bdb 100644
--- a/deployment/chainloop/templates/_helpers.tpl
+++ b/deployment/chainloop/templates/_helpers.tpl
@@ -84,7 +84,12 @@ gcpSecretManager:
 {{- if eq .gcpSecretManager.serviceAccountKey "" }}
 {{- fail ".Values.secretsBackend.gcpSecretManager.serviceAccountKey not set" }}
 {{- end }}
-
+{{- else if eq .backend "azureKeyVault" }}
+azure_key_vault:
+  tenant_id: {{ required "AD tenantID required" .azureKeyVault.tenantID | quote }}
+  client_id: {{ required "Service principal ID required" .azureKeyVault.clientID | quote }}
+  client_secret: {{ required "Service principal secret required" .azureKeyVault.clientSecret | quote }}
+  vault_uri: {{ required "Azure Vault URL required" .azureKeyVault.vaultURI | quote }}
 {{- end }}
 {{- end }}
 {{- end -}}
diff --git a/deployment/chainloop/values.yaml b/deployment/chainloop/values.yaml
index a8656311f..c1b805727 100644
--- a/deployment/chainloop/values.yaml
+++ b/deployment/chainloop/values.yaml
@@ -22,9 +22,9 @@ GKEMonitoring:
 ## Location where to store sensitive data. If development.true? and no overrides provided, the setup will connect to a development instance of Vault
 secretsBackend:
-  ## @param secretsBackend.backend Secrets backend type ("vault", "awsSecretManager" or "gcpSecretManager")
+  ## @param secretsBackend.backend Secrets backend type ("vault", "awsSecretManager" or "gcpSecretManager", "azureKeyVault")
   ##
-  backend: "vault" # "awsSecretManager"
+  backend: "vault" # "awsSecretManager | gcpSecretManager | azureKeyVault"
   ## @param secretsBackend.secretPrefix Prefix that will be pre-pended to all secrets in the storage backend
   ##
   secretPrefix: "chainloop"
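Review bot: The four `required` messages in the new azureKeyVault branch (`"AD tenantID required"` and the three that follow) do not name the values key, unlike the gcpSecretManager branch directly above, whose failure message spells out `.Values.secretsBackend.gcpSecretManager.serviceAccountKey`; someone whose install fails has to open the template to learn which key to set. Keep the existing convention, e.g. `tenant_id: {{ required ".Values.secretsBackend.azureKeyVault.tenantID not set" .azureKeyVault.tenantID | quote }}`, and the same for clientID, clientSecret and vaultURI. `required` already rejects an empty string, so the gcp-style explicit `eq ... ""` check is not needed here. The enclosing define starts before this hunk, so it is not visible whether its output lands in a Secret or a ConfigMap; `client_secret` is a credential, and that placement is worth confirming, though it is the same path the existing vault token and GCP key already take.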
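Review bot: The inline comment on `backend:` now reads `# "awsSecretManager | gcpSecretManager | azureKeyVault"`, which, quoted and pipe-separated, looks like a literal value rather than a list of alternatives, and the `@param` description's `"awsSecretManager" or "gcpSecretManager", "azureKeyVault"` puts the "or" in the wrong place (the README table in this commit repeats that wording). Suggest `backend: "vault" # one of: vault, awsSecretManager, gcpSecretManager, azureKeyVault` and `## @param secretsBackend.backend Secrets backend type ("vault", "awsSecretManager", "gcpSecretManager" or "azureKeyVault")`. If the README table is produced from these `@param` annotations, as the markup suggests, regenerating it carries the fix across.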
@@ -53,6 +53,17 @@ secretsBackend:
   #   projectId: ""
   #   serviceAccountKey: ""
+  ## @extra secretsBackend.azureKeyVault.tenantID Active Directory Tenant ID
+  ## @extra secretsBackend.azureKeyVault.clientID Registered application / service principal client ID
+  ## @extra secretsBackend.azureKeyVault.clientSecret Service principal client secret
+  ## @extra secretsBackend.azureKeyVault.vaultURI Azure Key Vault URL
+  ##
+  # azureKeyVault:
+  #   tenantID: ""
+  #   clientID: ""
+  #   clientSecret: ""
+  #   vaultURI: ""
+
 ## @section Authentication
 ##
@@ -634,6 +645,7 @@ cas:
     ## @skip cas.ingressAPI.annotations.nginx.ingress.kubernetes.io/backend-protocol
     ## Tell Nginx Ingress Controller to expect gRPC traffic
     nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
+    ## @skip cas.ingressAPI.annotations.nginx.ingress.kubernetes.io/client-body-buffer-size
     # Improve upload speed by adding client buffering used by http2 control-flows
     # https://github.com/chainloop-dev/chainloop/issues/375
     nginx.ingress.kubernetes.io/client-body-buffer-size: "3M"
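Review bot: The `@extra` line for `secretsBackend.azureKeyVault.clientSecret` describes a service-principal credential in the same terms as the non-sensitive `tenantID` and `clientID`, and the commented example beneath shows it set inline next to them; since the `_helpers.tpl` change in this commit renders that value straight into the generated config, the description should mark it as sensitive so readers of the generated README know to supply it at install time rather than in a values file kept in version control. E.g. `## @extra secretsBackend.azureKeyVault.clientSecret Service principal client secret (sensitive; supply at install time rather than in a committed values file)`. The same wording would suit the existing `awsSecretManager.secretKey` and `gcpSecretManager.serviceAccountKey` entries, which this hunk does not touch.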