10 changes: 5 additions & 5 deletions deployment/chainloop/Chart.lock
@@ -1,12 +1,12 @@
dependencies:
- name: common
repository: https://charts.bitnami.com/bitnami
version: 2.13.3
version: 2.20.2
- name: postgresql
repository: https://charts.bitnami.com/bitnami
version: 12.12.10
- name: vault
repository: https://helm.releases.hashicorp.com
version: 0.24.1
digest: sha256:1b95f8a9f568f84ea7311e984c3a4c85270254dd33b42c9f6e9f606dc3f525e2
generated: "2023-10-19T09:44:57.183038226+02:00"
repository: https://charts.bitnami.com/bitnami
version: 1.4.5
digest: sha256:f36d00d6d657f2e9f7f1dc6df78e852471cff214b8a7a8ad9722351b978aefdf
generated: "2024-06-10T14:18:12.118269+02:00"
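Review bot: the lock file now resolves `vault` from a different publisher (`https://charts.bitnami.com/bitnami`, 1.4.5) instead of `https://helm.releases.hashicorp.com` 0.24.1, alongside the `common` bump from 2.13.3 to 2.20.2; the new `digest` and `generated` timestamp look like real `helm dependency update` output, which is what we want, so please do not hand-edit the lock after this. Because this swaps the chart rather than bumping it, the PR description should state that explicitly so anyone verifying the vendored `charts/*.tgz` against the lock digest understands why the vault archive changed.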
9 changes: 6 additions & 3 deletions deployment/chainloop/Chart.yaml
@@ -1,10 +1,13 @@
# Copyright Chainloop, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0

apiVersion: v2
name: chainloop
description: Chainloop is an open source software supply chain control plane, a single source of truth for artifacts plus a declarative attestation crafting process.

type: application
# Bump the patch (not minor, not major) version on each change in the Chart Source code
version: 1.56.0
version: 1.56.1
# Do not update appVersion, this is handled automatically by the release process
appVersion: v0.91.1

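Review bot: the patch bump (1.56.0 to 1.56.1) follows the comment on the line above, but this release replaces the vault subchart with a different publisher's chart (second hunk in this file), which is a user-visible change for anyone overriding `vault.*` values; a minor bump plus a release-notes entry would signal that better. Minor style point on the new header: the canonical SPDX short identifier is `Apache-2.0`; SPDX matching is case-insensitive, but the canonical casing avoids surprises with license scanners that compare strings literally.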
Expand All @@ -20,5 +23,5 @@ dependencies:
version: 12.x.x
- condition: development
name: vault
repository: https://helm.releases.hashicorp.com
version: 0.24.x
repository: https://charts.bitnami.com/bitnami
version: 1.4.x
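Review bot: keeping `condition: development` on the new Bitnami `vault` dependency means the subchart is only pulled in for dev installs, which is the right scope. The `1.4.x` range here, the pinned 1.4.5 in Chart.lock and the vendored `charts/vault-1.4.5.tgz` are consistent; a one-line note in the chart changelog that the vault dependency now comes from `https://charts.bitnami.com/bitnami` would help users who mirror chart repositories and pin sources.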
29 changes: 19 additions & 10 deletions deployment/chainloop/README.md
Expand Up @@ -561,6 +561,11 @@ chainloop config save \
| `controlplane.sentry.enabled` | Enable sentry.io alerting | `false` |
| `controlplane.sentry.dsn` | DSN endpoint https://docs.sentry.io/product/sentry-basics/dsn-explainer/ | `""` |
| `controlplane.sentry.environment` | Environment tag | `production` |
| `controlplane.keylessSigning.enabled` | Activates or deactivates de feature | `false` |
| `controlplane.keylessSigning.backend` | The backend to use. Currently only "fileCA" is supported | `fileCA` |
| `controlplane.keylessSigning.fileCA.cert` | The PEM-encoded certificate of the file based CA | `""` |
| `controlplane.keylessSigning.fileCA.key` | The PEM-encoded private key of the file based CA | `""` |
| `controlplane.keylessSigning.fileCA.keyPass` | The secret key pass | `""` |

### Artifact Content Addressable (CAS) API

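Review bot: `Activates or deactivates de feature` on the `controlplane.keylessSigning.enabled` row should read `the feature`; the same text appears in the `## @param` annotation in values.yaml, so fix it there and regenerate the README rather than editing the table by hand. The `fileCA.key` and `fileCA.keyPass` rows take the CA private key and its passphrase as plain chart values; the descriptions should say these are rendered into a Kubernetes Secret (the `templates/controlplane` hunk gated on `keylessSigning.enabled` and `backend == fileCA` creates one) so users know to supply them with `--set-file` or a values file kept out of version control, not on the command line.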
Expand Down Expand Up @@ -630,16 +635,20 @@ chainloop config save \

### Dependencies

| Name | Description | Value |
| ------------------------------------ | ------------------------------------------------------------------------------------------------------ | -------------- |
| `postgresql.enabled` | Switch to enable or disable the PostgreSQL helm chart | `true` |
| `postgresql.auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `false` |
| `postgresql.auth.username` | Name for a custom user to create | `chainloop` |
| `postgresql.auth.password` | Password for the custom user to create | `chainlooppwd` |
| `postgresql.auth.database` | Name for a custom database to create | `chainloop-cp` |
| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` |
| `vault.server.dev.enabled` | Enable development mode (unsealed, in-memory, insecure) | `true` |
| `vault.server.dev.devRootToken` | Connection token | `notapassword` |
| Name | Description | Value |
| ------------------------------------ | ------------------------------------------------------------------------------------------------------ |----------------------------------------------------------------------------------------------------------------------------|
| `postgresql.enabled` | Switch to enable or disable the PostgreSQL helm chart | `true` |
| `postgresql.auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `false` |
| `postgresql.auth.username` | Name for a custom user to create | `chainloop` |
| `postgresql.auth.password` | Password for the custom user to create | `chainlooppwd` |
| `postgresql.auth.database` | Name for a custom database to create | `chainloop-cp` |
| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` |
| `vault.server.args` | Arguments to pass to the vault server. This is useful for setting the server in development mode | `["server","-dev"]` |
| `vault.server.config` | Configuration for the vault server. Small override of default Bitnami configuration | <pre><code>storage "inmem" {}<br/>disable_mlock = true<br/>ui = true<br/>service_registration "kubernetes" {}</code></pre> |
| `vault.server.extraEnvVars[0].name` | Root token for the vault server | `VAULT_DEV_ROOT_TOKEN_ID` |
| `vault.server.extraEnvVars[0].value` | The value of the root token. Default: notasecret | `notasecret` |
| `vault.server.extraEnvVars[1].name` | Address to listen on development mode | `VAULT_DEV_LISTEN_ADDRESS` |
| `vault.server.extraEnvVars[1].value` | The address to listen on. Default: [::]:8200 | `[::]:8200` |

## License

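Review bot: documenting `vault.server.extraEnvVars[0]` and `[1]` by array index is brittle: a user who supplies their own `extraEnvVars` list replaces the whole array, and the helper in `_helpers.tpl` finds the token by `name == VAULT_DEV_ROOT_TOKEN_ID`, not by position. Say that in the description (an entry named `VAULT_DEV_ROOT_TOKEN_ID` must be present when `development=true`) and drop the duplicated `Default: notasecret` and `Default: [::]:8200` from the Description column, since the Value column already shows them. Also the separator row `|----` lost its leading space, so this table is no longer formatted like the others in the file.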
Binary file removed deployment/chainloop/charts/common-2.13.3.tgz
Binary file added deployment/chainloop/charts/common-2.20.2.tgz
Binary file removed deployment/chainloop/charts/vault-0.24.1.tgz
Binary file added deployment/chainloop/charts/vault-1.4.5.tgz
22 changes: 18 additions & 4 deletions deployment/chainloop/templates/_helpers.tpl
@@ -1,3 +1,7 @@
{{- /*
Copyright Chainloop, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}

{{- define "chainloop.postgresql.fullname" -}}
{{- include "common.names.dependency.fullname" (dict "chartName" "postgresql" "chartValues" .Values.postgresql "context" $) -}}
Expand Down Expand Up @@ -61,14 +65,24 @@ WBiBSPaJtz6JYk/fye4=
{{- with .Values.secretsBackend }}
secretPrefix: {{ required "secret prefix required" .secretPrefix | quote }}
{{- if eq .backend "vault" }}
{{- $tokenEnvVar := "" }}
{{- range $.Values.vault.server.extraEnvVars }}
{{- if eq .name "VAULT_DEV_ROOT_TOKEN_ID" }}
{{- $tokenEnvVar = .value }}
{{- end }}
{{- end }}
vault:
{{- if and $.Values.development (or (not .vault) not .vault.address) }}
address: {{ printf "http://%s:8200" (include "chainloop.vault.fullname" $) | quote }}
token: {{ $.Values.vault.server.dev.devRootToken | quote }}
{{- else if (required "vault backend selected but configuration not provided" .vault ) }}
address: {{ printf "http://%s-server:8200" (include "chainloop.vault.fullname" $) | quote }}
{{- if $tokenEnvVar }}
token: {{ $tokenEnvVar | quote }}
{{- else }}
{{- required "VAULT_DEV_ROOT_TOKEN_ID environment variable is required when development mode is enabled" (index $.Values.vault.server.extraEnvVars "VAULT_DEV_ROOT_TOKEN_ID") }}
{{- end }}
{{- else if (required "vault backend selected but configuration not provided" .vault ) }}
address: {{ required "vault address required" .vault.address | quote }}
token: {{ required "vault token required" .vault.token | quote }}
{{- end }}
{{- end }}

{{- else if eq .backend "awsSecretManager" }}
awsSecretManager:
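Review bot: the fallback `{{- required "VAULT_DEV_ROOT_TOKEN_ID environment variable is required when development mode is enabled" (index $.Values.vault.server.extraEnvVars "VAULT_DEV_ROOT_TOKEN_ID") }}` cannot work as written: `extraEnvVars` is a list, and Go's `index` rejects a string key on a slice (`cannot index slice/array with type string`), so a missing token produces that template error instead of the intended message. `$tokenEnvVar` already holds the result of the name lookup above it, so `{{- required "VAULT_DEV_ROOT_TOKEN_ID ... enabled" $tokenEnvVar }}` (or a `fail`) in the else branch gives the message you want. Two smaller things: the unchanged condition `{{- if and $.Values.development (or (not .vault) not .vault.address) }}` has a bare `not` that looks like missing parentheses (`(not .vault.address)`); it only goes unnoticed because `or` short-circuits when `.vault` is unset, and would surface on a dev install that also sets `secretsBackend.vault`. And the address now hardcodes `-server:8200`, which ties this helper to the Bitnami chart's service naming; a comment saying so would help whoever changes the subchart next.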
@@ -1,3 +1,8 @@
{{- /*
Copyright Chainloop, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}

apiVersion: v1
kind: ConfigMap
metadata:
@@ -1,3 +1,8 @@
{{- /*
Copyright Chainloop, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}

apiVersion: v1
kind: Secret
metadata:
5 changes: 5 additions & 0 deletions deployment/chainloop/templates/controlplane/deployment.yaml
@@ -1,3 +1,8 @@
{{- /*
Copyright Chainloop, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}

apiVersion: apps/v1
kind: Deployment
metadata:
@@ -1,3 +1,8 @@
{{- /*
Copyright Chainloop, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}

{{ if .Values.controlplane.sqlProxy.enabled }}
apiVersion: apps/v1
kind: Deployment
@@ -1,3 +1,8 @@
{{- /*
Copyright Chainloop, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}

{{- if and .Values.controlplane.keylessSigning.enabled (eq "fileCA" .Values.controlplane.keylessSigning.backend) }}
apiVersion: v1
kind: Secret
@@ -1,3 +1,8 @@
{{- /*
Copyright Chainloop, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}

{{- if eq "gcpSecretManager" .Values.secretsBackend.backend }}
apiVersion: v1
kind: Secret
@@ -1,3 +1,8 @@
{{- /*
Copyright Chainloop, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}

{{- if .Values.GKEMonitoring.enabled -}}
apiVersion: monitoring.googleapis.com/v1
kind: PodMonitoring
5 changes: 5 additions & 0 deletions deployment/chainloop/templates/controlplane/hpa.yaml
@@ -1,3 +1,8 @@
{{- /*
Copyright Chainloop, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}

{{- if .Values.controlplane.autoscaling.enabled }}
apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ ) }}
kind: HorizontalPodAutoscaler
5 changes: 5 additions & 0 deletions deployment/chainloop/templates/controlplane/ingress.yaml
@@ -1,3 +1,8 @@
{{- /*
Copyright Chainloop, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}

{{- if .Values.controlplane.ingress.enabled }}
{{- $fullName := include "chainloop.controlplane.fullname" . -}}
apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
5 changes: 5 additions & 0 deletions deployment/chainloop/templates/controlplane/ingress_grpc.yaml
@@ -1,3 +1,8 @@
{{- /*
Copyright Chainloop, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}

{{- if .Values.controlplane.ingressAPI.enabled }}
{{- $fullName := printf "%s-%s" (include "chainloop.controlplane.fullname" .) "api" -}}
apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
@@ -1,3 +1,8 @@
{{- /*
Copyright Chainloop, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}

apiVersion: v1
kind: Secret
metadata:
5 changes: 5 additions & 0 deletions deployment/chainloop/templates/controlplane/service_grpc.yaml
@@ -1,3 +1,8 @@
{{- /*
Copyright Chainloop, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}

apiVersion: v1
kind: Service
metadata:
5 changes: 5 additions & 0 deletions deployment/chainloop/templates/controlplane/service_http.yaml
@@ -1,3 +1,8 @@
{{- /*
Copyright Chainloop, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}

apiVersion: v1
kind: Service
metadata:
@@ -1,3 +1,8 @@
{{- /*
Copyright Chainloop, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}

{{ if .Values.controlplane.sqlProxy.enabled }}
apiVersion: v1
kind: Service
@@ -1,3 +1,8 @@
{{- /*
Copyright Chainloop, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}

{{- if .Values.controlplane.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
38 changes: 30 additions & 8 deletions deployment/chainloop/values.yaml
@@ -1,3 +1,6 @@
# Copyright Chainloop, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0

## Default values for Chainloop Helm Chart

## @skip global
Expand Down Expand Up @@ -452,7 +455,7 @@ controlplane:
dsn: ""
environment: production

## @param controlplane.keylessSigning Configuration for keyless signing using one of the supported providers
## Configuration for keyless signing using one of the supported providers
## @param controlplane.keylessSigning.enabled Activates or deactivates de feature
## @param controlplane.keylessSigning.backend The backend to use. Currently only "fileCA" is supported
## @param controlplane.keylessSigning.fileCA.cert The PEM-encoded certificate of the file based CA
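Review bot: `## @param controlplane.keylessSigning.enabled Activates or deactivates de feature` should read `the feature`; since the README parameter tables are generated from these annotations, this is the place to fix it so the same typo in the README hunk goes away on the next regeneration.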
Expand Down Expand Up @@ -809,12 +812,31 @@ postgresql:
# Vault server running in development mode --set development=true
# IMPORTANT: This is not meant to run in production

## Hashicorp Vault chart configuration
## ref: https://github.com/hashicorp/vault-helm/blob/main/values.yaml
## @param vault.server.dev.enabled Enable development mode (unsealed, in-memory, insecure)
## @param vault.server.dev.devRootToken Connection token
## Bitnami Hashicorp Vault chart configuration
## ref: https://github.com/bitnami/charts/blob/main/bitnami/vault/values.yaml
## @param vault.server.args Arguments to pass to the vault server. This is useful for setting the server in development mode
## @param vault.server.config Configuration for the vault server. Small override of default Bitnami configuration
## @param vault.server.extraEnvVars[0].name Root token for the vault server
## @param vault.server.extraEnvVars[0].value The value of the root token. Default: notasecret
## @param vault.server.extraEnvVars[1].name Address to listen on development mode
## @param vault.server.extraEnvVars[1].value The address to listen on. Default: [::]:8200
vault:
server:
dev:
enabled: true
devRootToken: "notapassword"
## This configuration is only for development purposes and should not be used in production. Development
## mode is configured by --set development=true, which enables this Vault chart
args: [
"server",
"-dev"
]
extraEnvVars:
- name: VAULT_DEV_ROOT_TOKEN_ID
value: "notasecret"
- name: VAULT_DEV_LISTEN_ADDRESS
value: "[::]:8200"
config: |
storage "inmem" {}

disable_mlock = true
ui = true

service_registration "kubernetes" {}
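Review bot: `vault.server.dev.enabled` and `vault.server.dev.devRootToken` are removed without a deprecation path; anyone who pinned `devRootToken` in their own values will silently get `notasecret`, because the helper now reads the token from `extraEnvVars` and the Bitnami chart ignores the old keys. Add a changelog or NOTES.txt entry, and consider failing the render in `_helpers.tpl` when `.Values.vault.server.dev` is still set. On the config itself: `storage "inmem"`, `disable_mlock = true`, `ui = true` and a listener on `[::]:8200` all match the existing `IMPORTANT: This is not meant to run in production` comment above the block, but the new `## @param` descriptions (which land in the README) only say this is "useful for setting the server in development mode"; repeat the development-only caveat there so it survives README generation.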