add uninstall cmd and other installer updated

rh-pre-commit.version: 2.0.3
rh-pre-commit.check-secrets: ENABLED

.github/workflows/test.yaml

@@ -2,11 +2,12 @@ name: Lint Charts
 
 on:
   push:
-    branches: [ main ]
+    branches: [ main,release-1.0.gamma ]
   pull_request:
-    branches: [ main ]
+    branches: [ main,release-1.0.gamma ]
     paths:
       - "charts/**"
+      - "tas-installer/**"
       - ".github/**"
 
 jobs:
@@ -88,32 +89,12 @@ jobs:
         run: |
           oc create ns fulcio-system
           oc create ns rekor-system
+          # TODO: this should not be necessary
+          oc create ns trusted-artifact-signer-monitoring
           oc -n fulcio-system create secret generic fulcio-secret-rh --from-file=private=./kind/testing-only-cert-key/file_ca_key.pem --from-file=public=./kind/testing-only-cert-key/file_ca_pub.pem --from-file=cert=./kind/testing-only-cert-key/fulcio-root.pem  --from-literal=password=secure --dry-run=client -o yaml | oc apply -f-
           oc -n rekor-system create secret generic rekor-private-key --from-file=private=./kind/testing-only-cert-key/rekor_key.pem --dry-run=client -o yaml | oc apply -f-
         shell: bash
 
-      - name: Install Keycloak
-        run: |
-          #install OLM
-          kubectl create -f https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.25.0/crds.yaml
-          # wait for a while to be sure CRDs are installed
-          sleep 1
-          kubectl create -f https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.25.0/olm.yaml
-          kubectl create --kustomize keycloak/operator/overlay/kind
-          until [ ! -z "$(kubectl get pod -l name=keycloak-operator -n keycloak-system 2>/dev/null)" ]
-          do
-            echo "Waiting for keycloak operator. Pods in keycloak-system namespace:"
-            kubectl get pods -n keycloak-system
-            sleep 10
-          done
-          kubectl create --kustomize keycloak/resources/overlay/kind
-          until [[ $( oc get keycloak keycloak -o jsonpath='{.status.ready}' -n keycloak-system 2>/dev/null) == "true" ]]
-          do
-            printf "Waiting for keycloak deployment. \n Keycloak ready: %s\n" $(oc get keycloak keycloak -o jsonpath='{.status.ready}' -n keycloak-system)
-            sleep 10
-          done
-        shell: bash
-
       # tests are in charts/trusted-artifact-signer/templates/tests
       - name: Run chart-testing (install)
         run: |

charts/trusted-artifact-signer/README.md

@@ -128,14 +128,15 @@ Kubernetes: `>= 1.19.0-0`
 | configs.rekor.signer.secret.name | Name of the secret to create with the private key data. This name must match the value in scaffold.rekor.server.signer.signerFileSecretOptions.secretName. | string | `""` |
 | configs.rekor.signer.secret.private_key | Private encrypted signing key | string | `""` |
 | configs.rekor.signer.secret.private_key_file | File containing a private encrypted signing key | string | `""` |
+| configs.segment_backup_job.enabled |  | bool | `false` |
 | configs.segment_backup_job.image.pullPolicy |  | string | `"IfNotPresent"` |
 | configs.segment_backup_job.image.registry |  | string | `"registry.redhat.io"` |
 | configs.segment_backup_job.image.repository |  | string | `"rhtas-tech-preview/segment-backup-job-rhel9"` |
 | configs.segment_backup_job.image.version |  | string | `"sha256:d5b5f7942e898a056d2268083e2d4a45f763bce5697c0e9788d5aa0ec382cc44"` |
 | configs.segment_backup_job.name |  | string | `"segment-backup-job"` |
 | configs.segment_backup_job.namespace |  | string | `"trusted-artifact-signer-monitoring"` |
+| configs.segment_backup_job.namespace_create |  | bool | `false` |
 | configs.segment_backup_job.rolebindings[0] |  | string | `"segment-backup-job"` |
-| configs.tas_monitoring.namespace |  | string | `"trusted-artifact-signer-monitoring"` |
 | configs.trillian.namespace |  | string | `"trillian-system"` |
 | configs.trillian.namespace_create |  | bool | `true` |
 | configs.trillian.rolebindings | names for rolebindings to add clusterroles to trillian serviceaccounts. The names must match the serviceaccount names in the trillian namespace. | list | `["trillian-logserver","trillian-logsigner","trillian-mysql"]` |

charts/trusted-artifact-signer/templates/segment-backup-cronjob.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.configs.segment_backup_job.enabled }}
 apiVersion: batch/v1
 kind: CronJob
 metadata:
@@ -34,4 +35,5 @@ spec:
                     type: RuntimeDefault
                   capabilities:
                     drop:
-                    - ALL
+                    - ALL
+{{- end}}

charts/trusted-artifact-signer/templates/segment-backup-job-clusterrole.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.configs.segment_backup_job.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -16,4 +17,5 @@ rules:
   - routes
   verbs:
   - get
-  - list 
+  - list 
+{{- end}}

charts/trusted-artifact-signer/templates/segment-backup-job-clusterrolebinding.yaml

@@ -1,4 +1,4 @@
-
+{{- if .Values.configs.segment_backup_job.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -10,4 +10,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: segment-backup-job
-  namespace: {{ .Values.configs.segment_backup_job.namespace }}
+  namespace: {{ .Values.configs.segment_backup_job.namespace }}
+{{- end}}

charts/trusted-artifact-signer/templates/segment-backup-job-sa.yaml

@@ -1,7 +1,9 @@
+{{- if .Values.configs.segment_backup_job.enabled }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: segment-backup-job
   namespace: {{ .Values.configs.segment_backup_job.namespace }}
 secrets:
-- name: pull-secret
+- name: pull-secret
+{{- end}}

charts/trusted-artifact-signer/templates/segment-backup-job.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.configs.segment_backup_job.enabled }}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -30,4 +31,5 @@ spec:
               type: RuntimeDefault
             capabilities:
               drop:
-              - ALL
+              - ALL
+{{- end}}

charts/trusted-artifact-signer/templates/tests/test-sign-verify.yaml

@@ -21,7 +21,7 @@ spec:
             runAsUser: 1000
     containers:
       - name: cosign
-        image: "{{ .Values.configs.cosign_deploy.image.registry }}/{{ .Values.configs.cosign_deploy.image.repository }}:{{ .Values.configs.cosign_deploy.image.version }}"
+        image: "{{ .Values.configs.cosign_deploy.image.registry }}/{{ .Values.configs.cosign_deploy.image.repository }}@{{ .Values.configs.cosign_deploy.image.version }}"
         env:
         - name: OIDC_AUTHENTICATION_REALM
           value: "sigstore"

charts/trusted-artifact-signer/values.schema.json

@@ -227,6 +227,7 @@
                 },
                 "segment_backup_job": {
                     "properties": {
+                        "enabled": true,
                         "image": {
                             "properties": {
                                 "pullPolicy": {
@@ -249,6 +250,9 @@
                         "namespace": {
                             "type": "string"
                         },
+                        "namespace_create": {
+                            "type": "boolean"
+                        },
                         "rolebindings": {
                             "items": {
                                 "type": "string"
@@ -257,13 +261,6 @@
                         }
                     }
                 },
-                "tas_monitoring": {
-                    "properties": {
-                        "namespace": {
-                            "type": "string"
-                        }
-                    }
-                },
                 "trillian": {
                     "properties": {
                         "namespace": {

charts/trusted-artifact-signer/values.schema.tmpl.json

@@ -19,13 +19,6 @@
         "configs": {
             "type": "object",
             "properties": {
-                "tas_monitoring": {
-                    "properties": {
-                        "namespace": {
-                            "type": "string"
-                        }
-                    }
-                },
                 "segment_backup_job":{
                     "properties": {
                         "name": {
@@ -34,6 +27,9 @@
                         "namespace": {
                             "type" : "string"
                         },
+                        "namespace_create": {
+                            "type": "boolean"
+                        },
                         "image": {
                             "properties": {
                                 "pullPolicy": {

charts/trusted-artifact-signer/values.yaml

@@ -5,11 +5,9 @@ global:
   appsSubdomain: ""
 
 configs:
-  tas_monitoring:
-    namespace: trusted-artifact-signer-monitoring
   segment_backup_job:
-    name: segment-backup-job
-    namespace: trusted-artifact-signer-monitoring
+    enabled: false
+    namespace_create: false
     image:
       registry:  registry.redhat.io
       repository: rhtas-tech-preview/segment-backup-job-rhel9
@@ -29,7 +27,7 @@ configs:
     image:
       registry: registry.redhat.io
       repository: rhtas-tech-preview/client-server-rhel9
-      version: "sha256:07b1c06290706873ee55e39bad5804ea1d7574b01909adf97d67495ad919f9a1"
+      version: sha256:07b1c06290706873ee55e39bad5804ea1d7574b01909adf97d67495ad919f9a1
       pullPolicy: IfNotPresent
   ctlog:
     namespace: ctlog-system
@@ -142,7 +140,7 @@ configs:
     image:
       registry: registry.redhat.io
       repository: rhtas-tech-preview/cosign-rhel9
-      version: "sha256:f4c2cec3fc1e24bbe094b511f6fe2fe3c6fa972da0edacaf6ac5672f06253a3e"
+      version: sha256:f4c2cec3fc1e24bbe094b511f6fe2fe3c6fa972da0edacaf6ac5672f06253a3e
       pullPolicy: IfNotPresent
 
 rbac:
@@ -162,7 +160,7 @@ scaffold:
       image:
         registry: registry.redhat.io
         repository: rhtas-tech-preview/ct-server-rhel9
-        version: "sha256:6124a531097c91bf8c872393a6f313c035ca03eca316becd3c350930d978929f"
+        version: sha256:6124a531097c91bf8c872393a6f313c035ca03eca316becd3c350930d978929f
         pullPolicy: IfNotPresent
     createctconfig:
       backoffLimit: 30
@@ -176,7 +174,7 @@ scaffold:
       image:
         registry: registry.redhat.io
         repository: rhtas-tech-preview/createctconfig-rhel9
-        version: "sha256:10155f8c2b73b12599124895b2db0c9e08b2c3953df7361574fd08467c42fd04"
+        version: sha256:10155f8c2b73b12599124895b2db0c9e08b2c3953df7361574fd08467c42fd04
         pullPolicy: IfNotPresent
     createcerts:
       fullnameOverride: ctlog-createcerts
@@ -186,7 +184,7 @@ scaffold:
       image:
         registry: registry.redhat.io
         repository: rhtas-tech-preview/createtree-rhel9
-        version: "sha256:8a80def74e850f2b4c73690f86669a1fe52c1043c175610750abb4644e63d4ab"
+        version: sha256:8a80def74e850f2b4c73690f86669a1fe52c1043c175610750abb4644e63d4ab
         pullPolicy: IfNotPresent
   fulcio:
     enabled: true
@@ -204,14 +202,14 @@ scaffold:
       image:
         registry: registry.redhat.io
         repository: rhtas-tech-preview/createcerts-rhel9
-        version: "sha256:0ac3fa62bd38a5e098d60aa06bf1dc960e2567c5caa68bf415c7372efc08ee8f"
+        version: sha256:0ac3fa62bd38a5e098d60aa06bf1dc960e2567c5caa68bf415c7372efc08ee8f
         pullPolicy: IfNotPresent
     server:
       fullnameOverride: fulcio-server
       image:
         registry: registry.redhat.io
         repository: rhtas-tech-preview/fulcio-rhel9
-        version: "sha256:0421d44d2da8dd87f05118293787d95686e72c65c0f56dfb9461a61e259b8edc"
+        version: sha256:0421d44d2da8dd87f05118293787d95686e72c65c0f56dfb9461a61e259b8edc
         pullPolicy: IfNotPresent
       # If content and/or files not provided in configs.fulcio.secret
       # then this secret must exist in fulcio-system ns. See ../quickstart-with-keycloak.md
@@ -243,7 +241,7 @@ scaffold:
       image:
         registry: registry.redhat.io
         repository: rhtas-tech-preview/rekor-server-rhel9
-        version: "sha256:8ee7d5dd2fa1c955d64ab83d716d482a3feda8e029b861241b5b5dfc6f1b258e"
+        version: sha256:8ee7d5dd2fa1c955d64ab83d716d482a3feda8e029b861241b5b5dfc6f1b258e
         pullPolicy: IfNotPresent
       # when providing contents of secret with configs.rekor.signer
       # the signer sections must also be provided here
@@ -265,13 +263,13 @@ scaffold:
       image:
         registry: registry.redhat.io
         repository: rhtas-tech-preview/createtree-rhel9
-        version: "sha256:8a80def74e850f2b4c73690f86669a1fe52c1043c175610750abb4644e63d4ab"
+        version: sha256:8a80def74e850f2b4c73690f86669a1fe52c1043c175610750abb4644e63d4ab
         pullPolicy: IfNotPresent
     backfillredis:
       image:
         registry: registry.redhat.io
         repository: rhtas-tech-preview/backfill-redis-rhel9
-        version: "sha256:13299c22ffebc0551077f19578a9ec7b21883ce1c3a04f951e3290bd49c98ee7"
+        version: sha256:13299c22ffebc0551077f19578a9ec7b21883ce1c3a04f951e3290bd49c98ee7
         pullPolicy: IfNotPresent
   trillian:
     enabled: true
@@ -284,13 +282,13 @@ scaffold:
       image:
         registry: registry.redhat.io
         repository: rhtas-tech-preview/createdb-rhel9
-        version: "sha256:c2067866e8cd73710bcdb218cb78bb3fcc5b314339a466de2b5af56b3b456be8"
+        version: sha256:c2067866e8cd73710bcdb218cb78bb3fcc5b314339a466de2b5af56b3b456be8
         pullPolicy: IfNotPresent
     initContainerImage:
       netcat:
         registry: registry.redhat.io
         repository: rhtas-tech-preview/trillian-netcat-rhel9
-        version: "sha256:b9fa895af8967cceb7a05ed7c9f2b80df047682ed11c87249ca2edba86492f6e"
+        version: sha256:b9fa895af8967cceb7a05ed7c9f2b80df047682ed11c87249ca2edba86492f6e
       curl:
         registry: registry.access.redhat.com
         repository: ubi9/ubi-minimal
@@ -306,7 +304,7 @@ scaffold:
       image:
         registry: registry.redhat.io
         repository: rhel9/redis-6
-        version: "sha256:031a5a63611e1e6a9fec47492a32347417263b79ad3b63bcee72fc7d02d64c94"
+        version: sha256:031a5a63611e1e6a9fec47492a32347417263b79ad3b63bcee72fc7d02d64c94
         pullPolicy: IfNotPresent
 
     logSigner:
@@ -315,7 +313,7 @@ scaffold:
       image:
         registry: registry.redhat.io
         repository: rhtas-tech-preview/trillian-logsigner-rhel9
-        version: "sha256:fa2717c1d54400ca74cc3e9038bdf332fa834c0f5bc3215139c2d0e3579fc292"
+        version: sha256:fa2717c1d54400ca74cc3e9038bdf332fa834c0f5bc3215139c2d0e3579fc292
         pullPolicy: IfNotPresent
     logServer:
       name: trillian-logserver
@@ -325,19 +323,19 @@ scaffold:
       image:
         registry: registry.redhat.io
         repository: rhtas-tech-preview/trillian-logserver-rhel9
-        version: "sha256:43bfc6b7b8ed902592f19b830103d9030b59862f959c97c376cededba2ac3a03"
+        version: sha256:43bfc6b7b8ed902592f19b830103d9030b59862f959c97c376cededba2ac3a03
         pullPolicy: IfNotPresent
     mysql:
       fullnameOverride: trillian-mysql
       gcp:
         scaffoldSQLProxy:
           registry: registry.redhat.io
           repository: rhtas-tech-preview/cloudsqlproxy-rhel9
-          version: "sha256:f6879364d41b2adbe339c6de1dae5d17be575ea274786895448ee4277831cb7f"
+          version: sha256:f6879364d41b2adbe339c6de1dae5d17be575ea274786895448ee4277831cb7f
       image:
         registry: registry.redhat.io
         repository: rhtas-tech-preview/trillian-database-rhel9
-        version: "sha256:fe4758ff57a9a6943a4655b21af63fb579384dc51838af85d0089c04290b4957"
+        version: sha256:fe4758ff57a9a6943a4655b21af63fb579384dc51838af85d0089c04290b4957
         pullPolicy: IfNotPresent
       args: []
       securityContext:
@@ -391,7 +389,7 @@ scaffold:
     deployment:
       registry: registry.redhat.io
       repository: rhtas-tech-preview/tuf-server-rhel9
-      version: "sha256:413e361de99f09e617084438b2fc3c9c477f4a8e2cd65bd5f48271e66d57a9d9"
+      version: sha256:413e361de99f09e617084438b2fc3c9c477f4a8e2cd65bd5f48271e66d57a9d9
 
   copySecretJob:
     name: copy-secrets-job

ct.yaml

@@ -2,4 +2,4 @@ chart-dirs:
   - charts
 validate-maintainers: false
 remote: origin
-target-branch: main
+target-branch: release-1.0.gamma

examples/values-kind-sigstore.yaml

@@ -32,7 +32,6 @@ scaffold:
     config:
       contents:
         OIDCIssuers:
-          # https://<keycloak_instance>.<keycloak_ns>.<openshift_apps_subdomain>/auth/realms/sigstore
           ? http://keycloak-internal.keycloak-system.svc/auth/realms/sigstore
           : IssuerURL: http://keycloak-internal.keycloak-system.svc/auth/realms/sigstore
             ClientID: sigstore

kind/kind-up-test.sh

@@ -53,5 +53,5 @@ do
 done
 
 # install charts
-helm upgrade -i trusted-artifact-signer --debug ./charts/trusted-artifact-signer --wait --wait-for-jobs --timeout 10m -n sigstore --create-namespace --values ./examples/values-kind-sigstore.yaml && \
-helm test trusted-artifact-signer -n sigstore
+helm upgrade -i trusted-artifact-signer --debug ./charts/trusted-artifact-signer --wait --wait-for-jobs --timeout 10m -n trusted-artifact-signer --create-namespace --values ./examples/values-kind-sigstore.yaml && \
+helm test trusted-artifact-signer -n trusted-artifact-signer