diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index ad06ea98..0e741a64 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -2,11 +2,12 @@ name: Lint Charts on: push: - branches: [ main ] + branches: [ main,release-1.0.gamma ] pull_request: - branches: [ main ] + branches: [ main,release-1.0.gamma ] paths: - "charts/**" + - "tas-installer/**" - ".github/**" jobs: 
@@ -88,32 +89,12 @@ jobs: run: | oc create ns fulcio-system oc create ns rekor-system + # TODO: this should not be necessary + oc create ns trusted-artifact-signer-monitoring oc -n fulcio-system create secret generic fulcio-secret-rh --from-file=private=./kind/testing-only-cert-key/file_ca_key.pem --from-file=public=./kind/testing-only-cert-key/file_ca_pub.pem --from-file=cert=./kind/testing-only-cert-key/fulcio-root.pem --from-literal=password=secure --dry-run=client -o yaml | oc apply -f- oc -n rekor-system create secret generic rekor-private-key --from-file=private=./kind/testing-only-cert-key/rekor_key.pem --dry-run=client -o yaml | oc apply -f- shell: bash - - name: Install Keycloak - run: | - #install OLM - kubectl create -f https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.25.0/crds.yaml - # wait for a while to be sure CRDs are installed - sleep 1 - kubectl create -f https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.25.0/olm.yaml - kubectl create --kustomize keycloak/operator/overlay/kind - until [ ! -z "$(kubectl get pod -l name=keycloak-operator -n keycloak-system 2>/dev/null)" ] - do - echo "Waiting for keycloak operator. Pods in keycloak-system namespace:" - kubectl get pods -n keycloak-system - sleep 10 - done - kubectl create --kustomize keycloak/resources/overlay/kind - until [[ $( oc get keycloak keycloak -o jsonpath='{.status.ready}' -n keycloak-system 2>/dev/null) == "true" ]] - do - printf "Waiting for keycloak deployment. \n Keycloak ready: %s\n" $(oc get keycloak keycloak -o jsonpath='{.status.ready}' -n keycloak-system) - sleep 10 - done - shell: bash - # tests are in charts/trusted-artifact-signer/templates/tests - name: Run chart-testing (install) run: | diff --git a/charts/trusted-artifact-signer/README.md b/charts/trusted-artifact-signer/README.md index 84f2279a..df50ba9e 100644 --- a/charts/trusted-artifact-signer/README.md 
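Review bot: The added `oc create ns trusted-artifact-signer-monitoring` is only needed because the chart's new `namespace_create` flag defaults to `false` and nothing in this diff creates that namespace, so the TODO should say what would make it unnecessary: `# TODO: remove once the chart creates this namespace (configs.segment_backup_job.namespace_create)`. Separately, this hunk deletes the Keycloak install step while `examples/values-kind-sigstore.yaml` later in the diff still points Fulcio's `IssuerURL` at `keycloak-internal.keycloak-system.svc` and the chart's sign/verify test still sets `OIDC_AUTHENTICATION_REALM`; if the chart-testing install still runs that test, it will have no issuer to authenticate against, which should be confirmed before merging. The `run:` block of the install step continues outside the hunk.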
+++ b/charts/trusted-artifact-signer/README.md @@ -128,14 +128,15 @@ Kubernetes: `>= 1.19.0-0` | configs.rekor.signer.secret.name | Name of the secret to create with the private key data. This name must match the value in scaffold.rekor.server.signer.signerFileSecretOptions.secretName. | string | `""` | | configs.rekor.signer.secret.private_key | Private encrypted signing key | string | `""` | | configs.rekor.signer.secret.private_key_file | File containing a private encrypted signing key | string | `""` | +| configs.segment_backup_job.enabled | | bool | `false` | | configs.segment_backup_job.image.pullPolicy | | string | `"IfNotPresent"` | | configs.segment_backup_job.image.registry | | string | `"registry.redhat.io"` | | configs.segment_backup_job.image.repository | | string | `"rhtas-tech-preview/segment-backup-job-rhel9"` | | configs.segment_backup_job.image.version | | string | `"sha256:d5b5f7942e898a056d2268083e2d4a45f763bce5697c0e9788d5aa0ec382cc44"` | | configs.segment_backup_job.name | | string | `"segment-backup-job"` | | configs.segment_backup_job.namespace | | string | `"trusted-artifact-signer-monitoring"` | +| configs.segment_backup_job.namespace_create | | bool | `false` | | configs.segment_backup_job.rolebindings[0] | | string | `"segment-backup-job"` | -| configs.tas_monitoring.namespace | | string | `"trusted-artifact-signer-monitoring"` | | configs.trillian.namespace | | string | `"trillian-system"` | | configs.trillian.namespace_create | | bool | `true` | | configs.trillian.rolebindings | names for rolebindings to add clusterroles to trillian serviceaccounts. The names must match the serviceaccount names in the trillian namespace. | list | `["trillian-logserver","trillian-logsigner","trillian-mysql"]` | diff --git a/charts/trusted-artifact-signer/templates/segment-backup-cronjob.yaml b/charts/trusted-artifact-signer/templates/segment-backup-cronjob.yaml index 08494fe0..df20577c 100644 
--- a/charts/trusted-artifact-signer/templates/segment-backup-cronjob.yaml +++ b/charts/trusted-artifact-signer/templates/segment-backup-cronjob.yaml @@ -1,3 +1,4 @@ +{{- if .Values.configs.segment_backup_job.enabled }} apiVersion: batch/v1 kind: CronJob metadata: @@ -34,4 +35,5 @@ spec: type: RuntimeDefault capabilities: drop: - - ALL \ No newline at end of file + - ALL +{{- end}} \ No newline at end of file diff --git a/charts/trusted-artifact-signer/templates/segment-backup-job-clusterrole.yaml b/charts/trusted-artifact-signer/templates/segment-backup-job-clusterrole.yaml index d791d745..1f1d159f 100644 --- a/charts/trusted-artifact-signer/templates/segment-backup-job-clusterrole.yaml +++ b/charts/trusted-artifact-signer/templates/segment-backup-job-clusterrole.yaml @@ -1,3 +1,4 @@ +{{- if .Values.configs.segment_backup_job.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -16,4 +17,5 @@ rules: - routes verbs: - get - - list \ No newline at end of file + - list +{{- end}} diff --git a/charts/trusted-artifact-signer/templates/segment-backup-job-clusterrolebinding.yaml b/charts/trusted-artifact-signer/templates/segment-backup-job-clusterrolebinding.yaml index 1484b04e..c34bc807 100644 --- a/charts/trusted-artifact-signer/templates/segment-backup-job-clusterrolebinding.yaml +++ b/charts/trusted-artifact-signer/templates/segment-backup-job-clusterrolebinding.yaml @@ -1,4 +1,4 @@ - +{{- if .Values.configs.segment_backup_job.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -10,4 +10,5 @@ roleRef: subjects: - kind: ServiceAccount name: segment-backup-job - namespace: {{ .Values.configs.segment_backup_job.namespace }} \ No newline at end of file + namespace: {{ .Values.configs.segment_backup_job.namespace }} +{{- end}} \ No newline at end of file 
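Review bot: Every segment-backup template in this diff is gated on `.Values.configs.segment_backup_job.enabled`, but none of them consumes the new `namespace_create` value and no Namespace template appears in the diff; if no such template exists elsewhere in the chart, `namespace_create` is a dead setting and an operator enabling the job will have to create `trusted-artifact-signer-monitoring` by hand, which is what the CI workflow's TODO already works around. Either add a Namespace manifest gated on `{{- if and .Values.configs.segment_backup_job.enabled .Values.configs.segment_backup_job.namespace_create }}` or drop the value until it is used. The same `{{- if }}`/`{{- end}}` wrapping applies to the segment-backup-job-sa.yaml and segment-backup-job.yaml hunks that follow.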
diff --git a/charts/trusted-artifact-signer/templates/segment-backup-job-sa.yaml b/charts/trusted-artifact-signer/templates/segment-backup-job-sa.yaml index aac61c07..198ad254 100644 --- a/charts/trusted-artifact-signer/templates/segment-backup-job-sa.yaml +++ b/charts/trusted-artifact-signer/templates/segment-backup-job-sa.yaml @@ -1,7 +1,9 @@ +{{- if .Values.configs.segment_backup_job.enabled }} apiVersion: v1 kind: ServiceAccount metadata: name: segment-backup-job namespace: {{ .Values.configs.segment_backup_job.namespace }} secrets: -- name: pull-secret \ No newline at end of file +- name: pull-secret +{{- end}} \ No newline at end of file diff --git a/charts/trusted-artifact-signer/templates/segment-backup-job.yaml b/charts/trusted-artifact-signer/templates/segment-backup-job.yaml index 6c3908c9..096d6514 100644 --- a/charts/trusted-artifact-signer/templates/segment-backup-job.yaml +++ b/charts/trusted-artifact-signer/templates/segment-backup-job.yaml @@ -1,3 +1,4 @@ +{{- if .Values.configs.segment_backup_job.enabled }} apiVersion: batch/v1 kind: Job metadata: @@ -30,4 +31,5 @@ spec: type: RuntimeDefault capabilities: drop: - - ALL \ No newline at end of file + - ALL +{{- end}} \ No newline at end of file diff --git a/charts/trusted-artifact-signer/templates/tests/test-sign-verify.yaml b/charts/trusted-artifact-signer/templates/tests/test-sign-verify.yaml index 09a50dce..84c4722c 100644 --- a/charts/trusted-artifact-signer/templates/tests/test-sign-verify.yaml +++ b/charts/trusted-artifact-signer/templates/tests/test-sign-verify.yaml 
@@ -21,7 +21,7 @@ spec: runAsUser: 1000 containers: - name: cosign - image: "{{ .Values.configs.cosign_deploy.image.registry }}/{{ .Values.configs.cosign_deploy.image.repository }}:{{ .Values.configs.cosign_deploy.image.version }}" + image: "{{ .Values.configs.cosign_deploy.image.registry }}/{{ .Values.configs.cosign_deploy.image.repository }}@{{ .Values.configs.cosign_deploy.image.version }}" env: - name: OIDC_AUTHENTICATION_REALM value: "sigstore" diff --git a/charts/trusted-artifact-signer/values.schema.json b/charts/trusted-artifact-signer/values.schema.json index 58baa32e..515653b0 100644 --- a/charts/trusted-artifact-signer/values.schema.json +++ b/charts/trusted-artifact-signer/values.schema.json @@ -227,6 +227,7 @@ }, "segment_backup_job": { "properties": { + "enabled": true, "image": { "properties": { "pullPolicy": { @@ -249,6 +250,9 @@ "namespace": { "type": "string" }, + "namespace_create": { + "type": "boolean" + }, "rolebindings": { "items": { "type": "string" @@ -257,13 +261,6 @@ } } }, - "tas_monitoring": { - "properties": { - "namespace": { - "type": "string" - } - } - }, "trillian": { "properties": { "namespace": { diff --git a/charts/trusted-artifact-signer/values.schema.tmpl.json b/charts/trusted-artifact-signer/values.schema.tmpl.json index 8237d325..502b43f6 100644 --- a/charts/trusted-artifact-signer/values.schema.tmpl.json +++ b/charts/trusted-artifact-signer/values.schema.tmpl.json @@ -19,13 +19,6 @@ "configs": { "type": "object", "properties": { - "tas_monitoring": { - "properties": { - "namespace": { - "type": "string" - } - } - }, "segment_backup_job":{ "properties": { "name": { @@ -34,6 +27,9 @@ "namespace": { "type" : "string" }, + "namespace_create": { + "type": "boolean" + }, "image": { "properties": { "pullPolicy": { diff --git a/charts/trusted-artifact-signer/values.yaml b/charts/trusted-artifact-signer/values.yaml index 107e9aa7..94565f20 100644 --- a/charts/trusted-artifact-signer/values.yaml 
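Review bot: `"enabled": true` in values.schema.json is not a type constraint: a bare boolean `true` as a JSON Schema subschema accepts any value, so `enabled: "false"` (a non-empty string, hence truthy in the templates' `{{- if }}` guards) passes schema validation and still deploys the job. It should read `"enabled": { "type": "boolean" }`, matching how `namespace_create` is declared just below. The values.schema.tmpl.json hunk on this line adds `namespace_create` but no `enabled` entry is visible; if the .json is generated from the .tmpl.json, the template needs the same property or the next regeneration will drop it.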
+++ b/charts/trusted-artifact-signer/values.yaml @@ -5,11 +5,9 @@ global: appsSubdomain: "" configs: - tas_monitoring: - namespace: trusted-artifact-signer-monitoring segment_backup_job: - name: segment-backup-job - namespace: trusted-artifact-signer-monitoring + enabled: false + namespace_create: false image: registry: registry.redhat.io repository: rhtas-tech-preview/segment-backup-job-rhel9 @@ -29,7 +27,7 @@ configs: image: registry: registry.redhat.io repository: rhtas-tech-preview/client-server-rhel9 - version: "sha256:07b1c06290706873ee55e39bad5804ea1d7574b01909adf97d67495ad919f9a1" + version: sha256:07b1c06290706873ee55e39bad5804ea1d7574b01909adf97d67495ad919f9a1 pullPolicy: IfNotPresent ctlog: namespace: ctlog-system @@ -142,7 +140,7 @@ configs: image: registry: registry.redhat.io repository: rhtas-tech-preview/cosign-rhel9 - version: "sha256:f4c2cec3fc1e24bbe094b511f6fe2fe3c6fa972da0edacaf6ac5672f06253a3e" + version: sha256:f4c2cec3fc1e24bbe094b511f6fe2fe3c6fa972da0edacaf6ac5672f06253a3e pullPolicy: IfNotPresent rbac: @@ -162,7 +160,7 @@ scaffold: image: registry: registry.redhat.io repository: rhtas-tech-preview/ct-server-rhel9 - version: "sha256:6124a531097c91bf8c872393a6f313c035ca03eca316becd3c350930d978929f" + version: sha256:6124a531097c91bf8c872393a6f313c035ca03eca316becd3c350930d978929f pullPolicy: IfNotPresent createctconfig: backoffLimit: 30 @@ -176,7 +174,7 @@ scaffold: image: registry: registry.redhat.io repository: rhtas-tech-preview/createctconfig-rhel9 - version: "sha256:10155f8c2b73b12599124895b2db0c9e08b2c3953df7361574fd08467c42fd04" + version: sha256:10155f8c2b73b12599124895b2db0c9e08b2c3953df7361574fd08467c42fd04 pullPolicy: IfNotPresent createcerts: fullnameOverride: ctlog-createcerts 
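Review bot: This hunk removes `configs.segment_backup_job.name` and `.namespace` from values.yaml, but the segment-backup-job ServiceAccount and ClusterRoleBinding templates in this diff still render `namespace: {{ .Values.configs.segment_backup_job.namespace }}`, and the README hunk still documents both keys with their old defaults. Unless those keys are defined elsewhere, enabling the job now yields a ClusterRoleBinding subject with an empty namespace and a ServiceAccount that would be created in the release namespace rather than `trusted-artifact-signer-monitoring`, so the cluster role is bound to an account that does not exist. Restoring `namespace: trusted-artifact-signer-monitoring` under `segment_backup_job` (and `name` if any template uses it) keeps the rendered RBAC pointing at the intended account. The remaining hunks in values.yaml only drop quotes around digest strings and need no change.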
@@ -186,7 +184,7 @@ scaffold: image: registry: registry.redhat.io repository: rhtas-tech-preview/createtree-rhel9 - version: "sha256:8a80def74e850f2b4c73690f86669a1fe52c1043c175610750abb4644e63d4ab" + version: sha256:8a80def74e850f2b4c73690f86669a1fe52c1043c175610750abb4644e63d4ab pullPolicy: IfNotPresent fulcio: enabled: true @@ -204,14 +202,14 @@ scaffold: image: registry: registry.redhat.io repository: rhtas-tech-preview/createcerts-rhel9 - version: "sha256:0ac3fa62bd38a5e098d60aa06bf1dc960e2567c5caa68bf415c7372efc08ee8f" + version: sha256:0ac3fa62bd38a5e098d60aa06bf1dc960e2567c5caa68bf415c7372efc08ee8f pullPolicy: IfNotPresent server: fullnameOverride: fulcio-server image: registry: registry.redhat.io repository: rhtas-tech-preview/fulcio-rhel9 - version: "sha256:0421d44d2da8dd87f05118293787d95686e72c65c0f56dfb9461a61e259b8edc" + version: sha256:0421d44d2da8dd87f05118293787d95686e72c65c0f56dfb9461a61e259b8edc pullPolicy: IfNotPresent # If content and/or files not provided in configs.fulcio.secret # then this secret must exist in fulcio-system ns. See ../quickstart-with-keycloak.md @@ -243,7 +241,7 @@ scaffold: image: registry: registry.redhat.io repository: rhtas-tech-preview/rekor-server-rhel9 - version: "sha256:8ee7d5dd2fa1c955d64ab83d716d482a3feda8e029b861241b5b5dfc6f1b258e" + version: sha256:8ee7d5dd2fa1c955d64ab83d716d482a3feda8e029b861241b5b5dfc6f1b258e pullPolicy: IfNotPresent # when providing contents of secret with configs.rekor.signer # the signer sections must also be provided here 
@@ -265,13 +263,13 @@ scaffold: image: registry: registry.redhat.io repository: rhtas-tech-preview/createtree-rhel9 - version: "sha256:8a80def74e850f2b4c73690f86669a1fe52c1043c175610750abb4644e63d4ab" + version: sha256:8a80def74e850f2b4c73690f86669a1fe52c1043c175610750abb4644e63d4ab pullPolicy: IfNotPresent backfillredis: image: registry: registry.redhat.io repository: rhtas-tech-preview/backfill-redis-rhel9 - version: "sha256:13299c22ffebc0551077f19578a9ec7b21883ce1c3a04f951e3290bd49c98ee7" + version: sha256:13299c22ffebc0551077f19578a9ec7b21883ce1c3a04f951e3290bd49c98ee7 pullPolicy: IfNotPresent trillian: enabled: true @@ -284,13 +282,13 @@ scaffold: image: registry: registry.redhat.io repository: rhtas-tech-preview/createdb-rhel9 - version: "sha256:c2067866e8cd73710bcdb218cb78bb3fcc5b314339a466de2b5af56b3b456be8" + version: sha256:c2067866e8cd73710bcdb218cb78bb3fcc5b314339a466de2b5af56b3b456be8 pullPolicy: IfNotPresent initContainerImage: netcat: registry: registry.redhat.io repository: rhtas-tech-preview/trillian-netcat-rhel9 - version: "sha256:b9fa895af8967cceb7a05ed7c9f2b80df047682ed11c87249ca2edba86492f6e" + version: sha256:b9fa895af8967cceb7a05ed7c9f2b80df047682ed11c87249ca2edba86492f6e curl: registry: registry.access.redhat.com repository: ubi9/ubi-minimal @@ -306,7 +304,7 @@ scaffold: image: registry: registry.redhat.io repository: rhel9/redis-6 - version: "sha256:031a5a63611e1e6a9fec47492a32347417263b79ad3b63bcee72fc7d02d64c94" + version: sha256:031a5a63611e1e6a9fec47492a32347417263b79ad3b63bcee72fc7d02d64c94 pullPolicy: IfNotPresent logSigner: @@ -315,7 +313,7 @@ scaffold: image: registry: registry.redhat.io repository: rhtas-tech-preview/trillian-logsigner-rhel9 - version: "sha256:fa2717c1d54400ca74cc3e9038bdf332fa834c0f5bc3215139c2d0e3579fc292" + version: sha256:fa2717c1d54400ca74cc3e9038bdf332fa834c0f5bc3215139c2d0e3579fc292 pullPolicy: IfNotPresent logServer: name: trillian-logserver 
@@ -325,7 +323,7 @@ scaffold: image: registry: registry.redhat.io repository: rhtas-tech-preview/trillian-logserver-rhel9 - version: "sha256:43bfc6b7b8ed902592f19b830103d9030b59862f959c97c376cededba2ac3a03" + version: sha256:43bfc6b7b8ed902592f19b830103d9030b59862f959c97c376cededba2ac3a03 pullPolicy: IfNotPresent mysql: fullnameOverride: trillian-mysql @@ -333,11 +331,11 @@ scaffold: scaffoldSQLProxy: registry: registry.redhat.io repository: rhtas-tech-preview/cloudsqlproxy-rhel9 - version: "sha256:f6879364d41b2adbe339c6de1dae5d17be575ea274786895448ee4277831cb7f" + version: sha256:f6879364d41b2adbe339c6de1dae5d17be575ea274786895448ee4277831cb7f image: registry: registry.redhat.io repository: rhtas-tech-preview/trillian-database-rhel9 - version: "sha256:fe4758ff57a9a6943a4655b21af63fb579384dc51838af85d0089c04290b4957" + version: sha256:fe4758ff57a9a6943a4655b21af63fb579384dc51838af85d0089c04290b4957 pullPolicy: IfNotPresent args: [] securityContext: @@ -391,7 +389,7 @@ scaffold: deployment: registry: registry.redhat.io repository: rhtas-tech-preview/tuf-server-rhel9 - version: "sha256:413e361de99f09e617084438b2fc3c9c477f4a8e2cd65bd5f48271e66d57a9d9" + version: sha256:413e361de99f09e617084438b2fc3c9c477f4a8e2cd65bd5f48271e66d57a9d9 copySecretJob: name: copy-secrets-job diff --git a/ct.yaml b/ct.yaml index f178aec1..94dba334 100644 --- a/ct.yaml +++ b/ct.yaml @@ -2,4 +2,4 @@ chart-dirs: - charts validate-maintainers: false remote: origin -target-branch: main +target-branch: release-1.0.gamma diff --git a/examples/values-kind-sigstore.yaml b/examples/values-kind-sigstore.yaml index 0e85a9b3..c903fc64 100644 --- a/examples/values-kind-sigstore.yaml +++ b/examples/values-kind-sigstore.yaml @@ -32,7 +32,6 @@ scaffold: config: contents: OIDCIssuers: - # https://../auth/realms/sigstore ? http://keycloak-internal.keycloak-system.svc/auth/realms/sigstore : IssuerURL: http://keycloak-internal.keycloak-system.svc/auth/realms/sigstore ClientID: sigstore 
diff --git a/kind/kind-up-test.sh b/kind/kind-up-test.sh index 92fa00f2..7598c0de 100755 --- a/kind/kind-up-test.sh +++ b/kind/kind-up-test.sh @@ -53,5 +53,5 @@ do done # install charts -helm upgrade -i trusted-artifact-signer --debug ./charts/trusted-artifact-signer --wait --wait-for-jobs --timeout 10m -n sigstore --create-namespace --values ./examples/values-kind-sigstore.yaml && \ -helm test trusted-artifact-signer -n sigstore +helm upgrade -i trusted-artifact-signer --debug ./charts/trusted-artifact-signer --wait --wait-for-jobs --timeout 10m -n trusted-artifact-signer --create-namespace --values ./examples/values-kind-sigstore.yaml && \ +helm test trusted-artifact-signer -n trusted-artifact-signer diff --git a/tas-installer/cmd/install.go b/tas-installer/cmd/install.go index e4276266..082a1b4b 100644 --- a/tas-installer/cmd/install.go +++ b/tas-installer/cmd/install.go @@ -3,6 +3,8 @@ package cmd import ( "fmt" "log" + "path/filepath" + "securesign/sigstore-ocp/tas-installer/internal/install" "securesign/sigstore-ocp/tas-installer/pkg/certs" "securesign/sigstore-ocp/tas-installer/pkg/secrets" @@ -10,6 +12,10 @@ import ( "github.com/spf13/cobra" ) +const ( + keysCertDir = "keys-cert" +) + var ( helmChartVersion string helmValuesFile string @@ -39,8 +45,17 @@ func init() { func installTas(tasNamespace string) error { installSteps := []func() error{ - func() error { return install.HandleCertSetup(kc) }, - func() error { return install.HandleNamespacesCreate(kc, tasNamespacesAll) }, + func() error { return install.HandleCertSetup(kc, keysCertDir) }, + func() error { + createns, err := install.HandleNamespacesCreate(kc, tasNamespacesAll) + if err != nil { + return err + } + for _, ns := range createns { + log.Printf("namespace: %s successfully created", ns) + } + return nil + }, func() error { return install.DeleteSegmentBackupJobIfExists(kc, monitoringNamespace, segmentBackupJob) }, 
@@ -52,7 +67,11 @@ func installTas(tasNamespace string) error { return secrets.ConfigureSystemSecrets(kc, rekorNamespace, rekorPrivateKey, nil, getRekorSecretFiles()) }, func() error { - return install.HandleHelmChartInstall(kc, tasNamespace, tasReleaseName, helmValuesFile, helmChartVersion) + log.Print("installing helm chart") + if err := install.HandleHelmChartInstall(kc, tasNamespace, tasReleaseName, helmValuesFile, helmChartVersion); err != nil { + return err + } + return nil }, } for _, step := range installSteps { @@ -64,15 +83,15 @@ func installTas(tasNamespace string) error { } func init() { - installCmd.PersistentFlags().StringVar(&helmChartVersion, "chartVersion", "0.1.24", "Version of the Helm chart") + installCmd.PersistentFlags().StringVar(&helmChartVersion, "chartVersion", "0.1.26", "Version of the Helm chart") installCmd.PersistentFlags().StringVar(&helmValuesFile, "valuesFile", "", "Custom values file for chart configuration") } func getFulcioSecretFiles() map[string]string { return map[string]string{ - "private": "./keys-cert/file_ca_key.pem", - "public": "./keys-cert/file_ca_pub.pem", - "cert": "./keys-cert/fulcio-root.pem", + "private": filepath.Join(keysCertDir, certs.FulcioPrivateKey), + "public": filepath.Join(keysCertDir, certs.FulcioPublicKey), + "cert": filepath.Join(keysCertDir, certs.FulcioRootCert), } } @@ -84,6 +103,6 @@ func getFulcioLiteralSecrets() map[string]string { func getRekorSecretFiles() map[string]string { return map[string]string{ - "private": "./keys-cert/rekor_key.pem", + "private": filepath.Join(keysCertDir, certs.RekorSigningKey), } } diff --git a/tas-installer/cmd/root.go b/tas-installer/cmd/root.go index f1a3531e..ee638e42 100644 --- a/tas-installer/cmd/root.go +++ b/tas-installer/cmd/root.go 
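Review bot: The new helm-install step wraps `install.HandleHelmChartInstall` in an `if err := …; err != nil { return err }` followed by `return nil`, which is equivalent to returning the call directly; after the `log.Print` the three lines can collapse to `return install.HandleHelmChartInstall(kc, tasNamespace, tasReleaseName, helmValuesFile, helmChartVersion)`. The `HandleNamespacesCreate` closure in the preceding hunk has the same shape but its loop over `createns` justifies the wrapper, so only this one is redundant. `installTas` continues outside the hunk.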
@@ -13,7 +13,7 @@ import ( const ( fulcioNamespace = "fulcio-system" rekorNamespace = "rekor-system" - monitoringNamespace = "sigstore-monitoring" + monitoringNamespace = "trusted-artifact-signer-monitoring" tasNamespace = "trusted-artifact-signer" tasReleaseName = "trusted-artifact-signer" fulcioCertSecretName = "fulcio-secret-rh" @@ -35,9 +35,7 @@ var rootCmd = &cobra.Command{ Long: `Installs Red Hat Trusted Artifact Signer (TAS) on Kubernetes For a successful installation, you must have provide the path to a kubeconfig file, or have - one in $HOME/.kube/config. Additionally, the following CLI tools must all be in your $PATH environment. - - oc - used to install Keycloak `, + one in $HOME/.kube/config. Additionally, the following CLI tools must all be in your $PATH environment.`, PersistentPreRunE: func(cmd *cobra.Command, args []string) error { var err error diff --git a/tas-installer/cmd/uninstall.go b/tas-installer/cmd/uninstall.go index 4e52f687..94a6dd4c 100644 --- a/tas-installer/cmd/uninstall.go +++ b/tas-installer/cmd/uninstall.go @@ -24,11 +24,19 @@ func init() { } func uninstallTas() error { - if err := uninstall.HandleHelmChartUninstall(tasNamespace, tasReleaseName); err != nil { + log.Print("uninstalling helm chart") + msg, err := uninstall.HandleHelmChartUninstall(tasNamespace, tasReleaseName) + if err != nil { log.Print(err.Error()) + } else { + log.Print(msg) } - if err := uninstall.HandleNamespacesDelete(kc, tasNamespacesAll); err != nil { + deletens, err := uninstall.HandleNamespacesDelete(kc, tasNamespacesAll) + if err != nil { return err } + for _, ns := range deletens { + log.Printf("namespace: %s successfully deleted", ns) + } return nil } diff --git a/tas-installer/internal/install/install.go b/tas-installer/internal/install/install.go index 6bb35536..5ad0c41b 100644 --- a/tas-installer/internal/install/install.go +++ b/tas-installer/internal/install/install.go 
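Review bot: The rewritten `Long` help text now ends with "Additionally, the following CLI tools must all be in your $PATH environment." but the list that sentence introduced was deleted together with the `oc` entry, leaving a dangling reference in the user-facing help. Either drop the sentence or name the tools that are still required; if none remain, end the paragraph at `one in $HOME/.kube/config.`. The `monitoringNamespace` rename in the preceding hunk is consistent with the chart's new default and needs no change.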
@@ -13,26 +13,23 @@ import ( ) func HandleHelmChartInstall(kc *kubernetes.KubernetesClient, tasNamespace, tasReleaseName, helmValuesFile, helmChartVersion string) error { - fmt.Println("Installing helm chart") if err := helm.InstallTrustedArtifactSigner(kc, tasNamespace, tasReleaseName, helmValuesFile, helmChartVersion); err != nil { return err } - fmt.Println("Helm Chart Successfully installed") return nil } -func HandleNamespacesCreate(kc *kubernetes.KubernetesClient, namespaces []string) error { - var err error +func HandleNamespacesCreate(kc *kubernetes.KubernetesClient, namespaces []string) ([]string, error) { + createns := []string{} for _, ns := range namespaces { - if err = kc.CreateNamespaceIfNotExists(ns); err != nil { - if err == kubernetes.ErrNamespaceAlreadyExists { - fmt.Printf("namespace %s already exists skipping create", ns) + if err := kc.CreateNamespaceIfNotExists(ns); err != nil { + if err != kubernetes.ErrNamespaceAlreadyExists { + return createns, err } - return err } - fmt.Printf("namespace: %s successfully created \n", ns) + createns = append(createns, ns) } - return err + return createns, nil } func HandlePullSecretSetup(kc *kubernetes.KubernetesClient, pullSecretName, namespace string) error { @@ -81,12 +78,12 @@ func HandlePullSecretSetup(kc *kubernetes.KubernetesClient, pullSecretName, name return nil } -func HandleCertSetup(kc *kubernetes.KubernetesClient) error { +func HandleCertSetup(kc *kubernetes.KubernetesClient, dir string) error { certConfig, err := ui.PromptForCertInfo(kc) if err != nil { return err } - certs.SetupCerts(kc, certConfig) + certs.SetupCerts(kc, certConfig, dir) return nil } diff --git a/tas-installer/internal/uninstall/uninstall.go b/tas-installer/internal/uninstall/uninstall.go index 09c041b5..9a4b2db2 100644 --- a/tas-installer/internal/uninstall/uninstall.go +++ b/tas-installer/internal/uninstall/uninstall.go 
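Review bot: `HandleCertSetup` still discards the error from `certs.SetupCerts(kc, certConfig, dir)`, whose signature in the certs.go hunk returns `error`; a failed `MkdirAll`, key generation or PEM write is ignored and the installer goes on to build secrets from files that may not exist. The call should be `return certs.SetupCerts(kc, certConfig, dir)`. In `HandleNamespacesCreate`, `err != kubernetes.ErrNamespaceAlreadyExists` misses a wrapped sentinel and `!errors.Is(err, kubernetes.ErrNamespaceAlreadyExists)` is the robust form; the dropped "already exists" message also means the caller now only hears about namespaces it created, so a `log.Printf` on the skip path is worth keeping if operators relied on it.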
@@ -7,25 +7,25 @@ import ( "securesign/sigstore-ocp/tas-installer/pkg/kubernetes" ) -func HandleHelmChartUninstall(tasNamespace, tasReleaseName string) error { - fmt.Println("Uninstalling helm chart") +func HandleHelmChartUninstall(tasNamespace, tasReleaseName string) (string, error) { info, err := helm.UninstallTrustedArtifactSigner(tasNamespace, tasReleaseName) if err != nil { - return err + return "", err } - fmt.Printf("Uninstalled helm release: %s namespace: %s %s\n", info.Release.Name, info.Release.Namespace, info.Info) - return nil + msg := fmt.Sprintf("Uninstalled helm release: %s namespace: %s %s\n", info.Release.Name, info.Release.Namespace, info.Info) + return msg, nil } -func HandleNamespacesDelete(kc *kubernetes.KubernetesClient, namespaces []string) error { +func HandleNamespacesDelete(kc *kubernetes.KubernetesClient, namespaces []string) ([]string, error) { + deletens := []string{} for _, ns := range namespaces { deleted, err := kc.DeleteNamespaceIfExists(ns) if err != nil { - return err + return deletens, err } if deleted { - fmt.Printf("namespace: %s successfully deleted \n", ns) + deletens = append(deletens, ns) } } - return nil + return deletens, nil } diff --git a/tas-installer/pkg/certs/certs.go b/tas-installer/pkg/certs/certs.go index ad86b098..912f256b 100644 --- a/tas-installer/pkg/certs/certs.go +++ b/tas-installer/pkg/certs/certs.go 
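Review bot: The message built in `HandleHelmChartUninstall` keeps the trailing `\n` from the old `fmt.Printf`, but its only caller in this diff passes it to `log.Print`, which appends its own newline, so every uninstall logs a blank line. Drop the `\n` from the `fmt.Sprintf` format string. `HandleNamespacesDelete` initialises `deletens := []string{}`; `var deletens []string` is the idiomatic nil slice since the result is only ranged over, and the same applies to `createns` in the install.go hunk.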
@@ -9,18 +9,26 @@ import ( "encoding/pem" "math/big" "os" + "path/filepath" "securesign/sigstore-ocp/tas-installer/pkg/kubernetes" "securesign/sigstore-ocp/tas-installer/ui" "time" ) +const ( + FulcioPrivateKey = "file_ca_key.pem" + FulcioPublicKey = "file_ca_pub.pem" + FulcioRootCert = "fulcio-root.pem" + RekorSigningKey = "rekor_key.pem" +) + var ( certPassword string ) -func SetupCerts(kc *kubernetes.KubernetesClient, certConfig *ui.CertConfig) error { +func SetupCerts(kc *kubernetes.KubernetesClient, certConfig *ui.CertConfig, dir string) error { certPassword = certConfig.CertPassword - err := os.MkdirAll("./keys-cert", 0755) + err := os.MkdirAll(dir, 0755) if err != nil { return err } @@ -29,16 +37,16 @@ func SetupCerts(kc *kubernetes.KubernetesClient, certConfig *ui.CertConfig) erro if err != nil { return err } - if err = createCAKey(cakey, certConfig); err != nil { + if err = createCAKey(cakey, certConfig, dir); err != nil { return err } - if err = createCAPub(cakey, certConfig); err != nil { + if err = createCAPub(cakey, certConfig, dir); err != nil { return err } - if err = createFulcioCA(cakey, certConfig); err != nil { + if err = createFulcioCA(cakey, certConfig, dir); err != nil { return err } - if err = createRekorKey(certConfig); err != nil { + if err = createRekorKey(certConfig, dir); err != nil { return err } @@ -49,7 +57,7 @@ func GetCertPassword() string { return certPassword } -func createCAKey(key *ecdsa.PrivateKey, certConfig *ui.CertConfig) error { +func createCAKey(key *ecdsa.PrivateKey, certConfig *ui.CertConfig, dir string) error { mKey, err := x509.MarshalECPrivateKey(key) if err != nil { return err @@ -60,7 +68,7 @@ func createCAKey(key *ecdsa.PrivateKey, certConfig *ui.CertConfig) error { return err } - file, err := os.Create("./keys-cert/file_ca_key.pem") + file, err := os.Create(filepath.Join(dir, FulcioPrivateKey)) if err != nil { return err } 
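Review bot: The private key files are still created with `os.Create`, which uses mode 0666 before umask, and the directory with `os.MkdirAll(dir, 0755)`; now that `dir` is a caller-supplied path it is worth tightening both so the Fulcio CA key and the Rekor signing key are readable only by the user running the installer. For `createCAKey` replace the create call with `file, err := os.OpenFile(filepath.Join(dir, FulcioPrivateKey), os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)` and use `0700` for the directory; the same applies to the `createRekorKey` hunk that follows. Whether the key bytes are encrypted before the write is not visible in this hunk, but the on-disk mode matters either way. `SetupCerts` continues outside the hunk.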
@@ -71,13 +79,13 @@ func createCAKey(key *ecdsa.PrivateKey, certConfig *ui.CertConfig) error { return nil } -func createCAPub(key *ecdsa.PrivateKey, certConfig *ui.CertConfig) error { +func createCAPub(key *ecdsa.PrivateKey, certConfig *ui.CertConfig, dir string) error { mPubKey, err := x509.MarshalPKIXPublicKey(key.Public()) if err != nil { return err } - publicF, err := os.Create("./keys-cert/file_ca_pub.pem") + publicF, err := os.Create(filepath.Join(dir, FulcioPublicKey)) if err != nil { return err } @@ -94,7 +102,7 @@ func createCAPub(key *ecdsa.PrivateKey, certConfig *ui.CertConfig) error { return nil } -func createRekorKey(certConfig *ui.CertConfig) error { +func createRekorKey(certConfig *ui.CertConfig, dir string) error { key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) if err != nil { return err @@ -105,7 +113,7 @@ func createRekorKey(certConfig *ui.CertConfig) error { return err } - file, err := os.Create("./keys-cert/rekor_key.pem") + file, err := os.Create(filepath.Join(dir, RekorSigningKey)) if err != nil { return err } @@ -122,7 +130,7 @@ func createRekorKey(certConfig *ui.CertConfig) error { return nil } -func createFulcioCA(key *ecdsa.PrivateKey, certConfig *ui.CertConfig) error { +func createFulcioCA(key *ecdsa.PrivateKey, certConfig *ui.CertConfig, dir string) error { notBefore := time.Now() notAfter := notBefore.Add(365 * 24 * 10 * time.Hour) @@ -149,7 +157,7 @@ func createFulcioCA(key *ecdsa.PrivateKey, certConfig *ui.CertConfig) error { return err } - f, err := os.Create("./keys-cert/fulcio-root.pem") + f, err := os.Create(filepath.Join(dir, FulcioRootCert)) if err != nil { return err } diff --git a/tas-installer/pkg/helm/helm.go b/tas-installer/pkg/helm/helm.go index 53fabdc0..8e348087 100644 --- a/tas-installer/pkg/helm/helm.go +++ b/tas-installer/pkg/helm/helm.go 
@@ -87,11 +87,15 @@ func InstallTrustedArtifactSigner(kc *kubernetes.KubernetesClient, tasNamespace, for _, rel := range releases { if rel.Name == tasReleaseName && rel.Namespace == tasNamespace { exists = true - upgradeRelease(actionConfig, client, settings, tasNamespace, chartUrl, chartVersion, values) + if err := upgradeRelease(actionConfig, client, settings, tasNamespace, chartUrl, chartVersion, values); err != nil { + return err + } } } if !exists { - installNewRelease(actionConfig, client, settings, tasNamespace, tasReleaseName, chartUrl, chartVersion, values) + if err := installNewRelease(actionConfig, client, settings, tasNamespace, tasReleaseName, chartUrl, chartVersion, values); err != nil { + return err + } } return nil } diff --git a/tas-installer/pkg/helm/values-openshift.tmpl b/tas-installer/pkg/helm/values-openshift.tmpl index f43aa599..566c9cd0 100644 --- a/tas-installer/pkg/helm/values-openshift.tmpl +++ b/tas-installer/pkg/helm/values-openshift.tmpl @@ -2,6 +2,9 @@ global: appsSubdomain: {{ .OpenShiftAppsSubdomain }} configs: + segment_backup_job: + enabled: false + namespace_create: false cosign_deploy: enabled: true fulcio: diff --git a/tas-installer/pkg/kubernetes/namespace.go b/tas-installer/pkg/kubernetes/namespace.go index 015eb577..92befb5c 100644 --- a/tas-installer/pkg/kubernetes/namespace.go +++ b/tas-installer/pkg/kubernetes/namespace.go @@ -26,7 +26,7 @@ func (kc *KubernetesClient) DeleteNamespaceIfExists(ns string) (bool, error) { return exists, err } } - return false, nil + return exists, nil } func (kc *KubernetesClient) CreateNamespaceIfNotExists(ns string) error {