From 3ca1ba181d8681aabec66849430c6b04c8a61ba6 Mon Sep 17 00:00:00 2001
From: sallyom <somalley@redhat.com>
Date: Mon, 11 Dec 2023 14:22:32 -0500
Subject: [PATCH 1/2] installer: make chart url configureble

Signed-off-by: sallyom <somalley@redhat.com>
---
 .gitignore                                |  4 +++-
 charts/trusted-artifact-signer/Chart.yaml |  2 +-
 charts/trusted-artifact-signer/README.md  |  2 +-
 tas-installer/cmd/install.go              | 14 ++++++++------
 tas-installer/internal/install/install.go |  4 ++--
 tas-installer/pkg/helm/helm.go            | 15 +++++++--------
 6 files changed, 22 insertions(+), 19 deletions(-)

diff --git a/.gitignore b/.gitignore
index 91759212..492ca11e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,6 +3,8 @@ Chart.lock
 # Vim swap files
 *.swp
 
+*.tgz
+
 *tas-env-variables*
 keys-cert
 ./keys-cert/*.pem
@@ -12,4 +14,4 @@ keys-cert
 .idea
 
 tas-install
-pull-secret.json
\ No newline at end of file
+pull-secret.json
diff --git a/charts/trusted-artifact-signer/Chart.yaml b/charts/trusted-artifact-signer/Chart.yaml
index cf0a43e2..5222e6b3 100644
--- a/charts/trusted-artifact-signer/Chart.yaml
+++ b/charts/trusted-artifact-signer/Chart.yaml
@@ -33,4 +33,4 @@ sources:
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.28
+version: 0.1.29
diff --git a/charts/trusted-artifact-signer/README.md b/charts/trusted-artifact-signer/README.md
index 0e07f57a..8e6e7af8 100644
--- a/charts/trusted-artifact-signer/README.md
+++ b/charts/trusted-artifact-signer/README.md
@@ -3,7 +3,7 @@
 
 A Helm chart for deploying Sigstore scaffold chart that is opinionated for OpenShift
 
-![Version: 0.1.28](https://img.shields.io/badge/Version-0.1.28-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.1.29](https://img.shields.io/badge/Version-0.1.29-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 ## Overview
 
diff --git a/tas-installer/cmd/install.go b/tas-installer/cmd/install.go
index 050dc449..51e11fbf 100644
--- a/tas-installer/cmd/install.go
+++ b/tas-installer/cmd/install.go
@@ -18,9 +18,10 @@ const (
 )
 
 var (
-	helmChartVersion string
-	helmValuesFile   string
-	oidcConfig       oidc.OIDCConfig
+	helmChartLocation string
+	helmChartVersion  string
+	helmValuesFile    string
+	oidcConfig        oidc.OIDCConfig
 )
 
 var installCmd = &cobra.Command{
@@ -70,7 +71,7 @@ func installTas(tasNamespace string) error {
 		},
 		func() error {
 			log.Print("installing helm chart")
-			if err := install.HandleHelmChartInstall(kc, oidcConfig, tasNamespace, tasReleaseName, helmValuesFile, helmChartVersion); err != nil {
+			if err := install.HandleHelmChartInstall(kc, oidcConfig, tasNamespace, tasReleaseName, helmValuesFile, helmChartLocation, helmChartVersion); err != nil {
 				return err
 			}
 			return nil
@@ -85,8 +86,9 @@ func installTas(tasNamespace string) error {
 }
 
 func init() {
-	installCmd.PersistentFlags().StringVar(&helmChartVersion, "chartVersion", "0.1.26", "Version of the Helm chart")
-	installCmd.PersistentFlags().StringVar(&helmValuesFile, "valuesFile", "", "Custom values file for chart configuration")
+	installCmd.PersistentFlags().StringVar(&helmChartVersion, "chart-version", "0.1.29", "Version of the Helm chart")
+	installCmd.PersistentFlags().StringVar(&helmChartLocation, "chart-location", "./charts/trusted-artifact-signer", "/local/path/to/chart or oci://registry/repo location of Helm chart")
+	installCmd.PersistentFlags().StringVar(&helmValuesFile, "values", "", "path to custom values file for chart configuration")
 	installCmd.PersistentFlags().StringVar(&oidcConfig.IssuerURL, "oidc-issuer-url", "", "Specify the OIDC issuer URL e.g for keycloak: https://[keycloak-domain]/auth/realms/[realm-name]")
 	installCmd.PersistentFlags().StringVar(&oidcConfig.ClientID, "oidc-client-id", "", "Specify the OIDC client ID")
 	installCmd.PersistentFlags().StringVar(&oidcConfig.Type, "oidc-type", "", "Specify the OIDC type")
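Review bot: The `--chart-location` default `./charts/trusted-artifact-signer` is relative to the process working directory, so which chart gets deployed to the cluster depends on where `tas-install` is launched from rather than on the binary or the repository. For values that are not `oci://` references, consider resolving the path with `filepath.Abs` and logging the resolved location, or state in the help text that the default only works from the repository root. Separately, `chartVersion` and `valuesFile` are renamed to `chart-version` and `values` with no alias kept, so existing scripts will fail on an unknown flag; registering the old names and marking them with `MarkDeprecated` would ease the transition. `init` continues past the end of this hunk.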
diff --git a/tas-installer/internal/install/install.go b/tas-installer/internal/install/install.go
index 86f8065e..bf15847d 100644
--- a/tas-installer/internal/install/install.go
+++ b/tas-installer/internal/install/install.go
@@ -13,8 +13,8 @@ import (
 	"time"
 )
 
-func HandleHelmChartInstall(kc *kubernetes.KubernetesClient, oidcConfig oidc.OIDCConfig, tasNamespace, tasReleaseName, helmValuesFile, helmChartVersion string) error {
-	if err := helm.InstallTrustedArtifactSigner(kc, oidcConfig, tasNamespace, tasReleaseName, helmValuesFile, helmChartVersion); err != nil {
+func HandleHelmChartInstall(kc *kubernetes.KubernetesClient, oidcConfig oidc.OIDCConfig, tasNamespace, tasReleaseName, helmChartLocation, helmValuesFile, helmChartVersion string) error {
+	if err := helm.InstallTrustedArtifactSigner(kc, oidcConfig, tasNamespace, tasReleaseName, helmValuesFile, helmChartLocation, helmChartVersion); err != nil {
 		return err
 	}
 	return nil
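Review bot: The new signature declares `helmChartLocation` before `helmValuesFile`, but the caller in `tas-installer/cmd/install.go` passes `helmValuesFile` first and `helmChartLocation` second, so inside this function the two names hold each other's values. The forwarded call then hands the chart location to `InstallTrustedArtifactSigner` as `pathToValuesFile` and the values path as `chartLocation`; with the defaults that means an empty chart location. Every one of these parameters is a `string`, so the compiler cannot catch the swap. Declaring them in the same order as the caller and the callee fixes it: `tasNamespace, tasReleaseName, helmValuesFile, helmChartLocation, helmChartVersion string`. The function's closing brace is outside the hunk.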
diff --git a/tas-installer/pkg/helm/helm.go b/tas-installer/pkg/helm/helm.go
index 12fbbde2..b3d0eb29 100644
--- a/tas-installer/pkg/helm/helm.go
+++ b/tas-installer/pkg/helm/helm.go
@@ -37,8 +37,7 @@ func UninstallTrustedArtifactSigner(tasNamespace, tasReleaseName string) (*relea
 	return action.NewUninstall(actionConfig).Run(tasReleaseName)
 }
 
-func InstallTrustedArtifactSigner(kc *kubernetes.KubernetesClient, oidcConfig oidc.OIDCConfig, tasNamespace, tasReleaseName, pathToValuesFile, chartVersion string) error {
-	chartUrl := "charts/trusted-artifact-signer"
+func InstallTrustedArtifactSigner(kc *kubernetes.KubernetesClient, oidcConfig oidc.OIDCConfig, tasNamespace, tasReleaseName, pathToValuesFile, chartLocation, chartVersion string) error {
 
 	tv := templatedValues{
 		OpenShiftAppsSubdomain: kc.ClusterCommonName,
@@ -89,13 +88,13 @@ func InstallTrustedArtifactSigner(kc *kubernetes.KubernetesClient, oidcConfig oi
 	for _, rel := range releases {
 		if rel.Name == tasReleaseName && rel.Namespace == tasNamespace {
 			exists = true
-			if err := upgradeRelease(actionConfig, client, settings, tasNamespace, chartUrl, chartVersion, values); err != nil {
+			if err := upgradeRelease(actionConfig, client, settings, tasNamespace, chartLocation, chartVersion, values); err != nil {
 				return err
 			}
 		}
 	}
 	if !exists {
-		if err := installNewRelease(actionConfig, client, settings, tasNamespace, tasReleaseName, chartUrl, chartVersion, values); err != nil {
+		if err := installNewRelease(actionConfig, client, settings, tasNamespace, tasReleaseName, chartLocation, chartVersion, values); err != nil {
 			return err
 		}
 	}
@@ -111,7 +110,7 @@ func actionConfig(tasNamespace string) (*action.Configuration, *cli.EnvSettings,
 	return actionConfig, settings, nil
 }
 
-func installNewRelease(actionConfig *action.Configuration, client *registry.Client, settings *cli.EnvSettings, tasNamespace, tasReleaseName, chartURL, chartVersion string, values map[string]interface{}) error {
+func installNewRelease(actionConfig *action.Configuration, client *registry.Client, settings *cli.EnvSettings, tasNamespace, tasReleaseName, chartLocation, chartVersion string, values map[string]interface{}) error {
 	install := action.NewInstall(actionConfig)
 	install.ReleaseName = tasReleaseName
 	install.Namespace = tasNamespace
@@ -119,7 +118,7 @@ func installNewRelease(actionConfig *action.Configuration, client *registry.Clie
 	install.Version = chartVersion
 	install.SetRegistryClient(client)
 
-	chartPath, err := install.LocateChart(chartURL, settings)
+	chartPath, err := install.LocateChart(chartLocation, settings)
 	if err != nil {
 		return err
 	}
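Review bot: `chartLocation` is now caller-supplied and may be an `oci://` reference, yet the lines visible here pass it to `install.LocateChart` without enabling provenance verification, so a chart pulled from an arbitrary registry would be rendered and applied with the installer's cluster credentials unchecked. If nothing outside the hunk sets it, consider `install.Verify = true` together with `install.Keyring` for remote locations, and log the resolved `chartPath` so the deployed source is auditable. The same applies to `upgrade.LocateChart` in the `upgradeRelease` hunk that follows. `installNewRelease` starts and ends outside this hunk.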
@@ -137,13 +136,13 @@ func installNewRelease(actionConfig *action.Configuration, client *registry.Clie
 	return nil
 }
 
-func upgradeRelease(actionConfig *action.Configuration, client *registry.Client, settings *cli.EnvSettings, tasNamespace, chartURL, chartVersion string, values map[string]interface{}) error {
+func upgradeRelease(actionConfig *action.Configuration, client *registry.Client, settings *cli.EnvSettings, tasNamespace, chartLocation, chartVersion string, values map[string]interface{}) error {
 	upgrade := action.NewUpgrade(actionConfig)
 	upgrade.Namespace = tasNamespace
 	upgrade.Version = chartVersion
 	upgrade.SetRegistryClient(client)
 
-	chartPath, err := upgrade.LocateChart(chartURL, settings)
+	chartPath, err := upgrade.LocateChart(chartLocation, settings)
 	if err != nil {
 		return err
 	}

From fed7a217d4d71d52aded0e5a37d50e889b818d09 Mon Sep 17 00:00:00 2001
From: sallyom <somalley@redhat.com>
Date: Mon, 11 Dec 2023 17:00:38 -0500
Subject: [PATCH 2/2] update docs/README

---
 README.md                                     |  7 ++-
 charts/trusted-artifact-signer/Chart.yaml     |  2 +-
 charts/trusted-artifact-signer/README.md      | 55 ++++++++++++++-----
 .../trusted-artifact-signer/README.md.gotmpl  | 52 ++++++++++++++----
 docs/quick-start-with-sigstore-issuer.md      | 30 ++++++++++
 docs/tas-install.md                           | 51 +++++++++++++++++
 tas-installer/cmd/install.go                  |  2 +-
 7 files changed, 169 insertions(+), 30 deletions(-)
 create mode 100644 docs/quick-start-with-sigstore-issuer.md
 create mode 100644 docs/tas-install.md

diff --git a/README.md b/README.md
index f20cc781..f6f65879 100644
--- a/README.md
+++ b/README.md
@@ -8,8 +8,11 @@ This chart extends all the features in the upstream chart in addition to includi
 
 ### Installing from the Chart Repository
 
-For a quickstart on how to install Sigstore components on OpenShift refer to the
-[quickstart quide](docs/quick-start-with-keycloak.md)
+For a quickstart on how to install Sigstore components on OpenShift with OpenShift SSO (Keycloak), refer to the
+[quickstart quide with keycloak](docs/quick-start-with-keycloak.md)
+
+For a quickstart on how to install Sigstore components on OpenShift with the upstream Sigstore OIDC Issuer URL, refer to the
+[quickstart quide](docs/quick-start-with-sigstore-issuer.md)
 
 ## Scaffolding Chart
 
diff --git a/charts/trusted-artifact-signer/Chart.yaml b/charts/trusted-artifact-signer/Chart.yaml
index 5222e6b3..e3130190 100644
--- a/charts/trusted-artifact-signer/Chart.yaml
+++ b/charts/trusted-artifact-signer/Chart.yaml
@@ -33,4 +33,4 @@ sources:
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.29
+version: 0.1.30
diff --git a/charts/trusted-artifact-signer/README.md b/charts/trusted-artifact-signer/README.md
index 8e6e7af8..c7a73920 100644
--- a/charts/trusted-artifact-signer/README.md
+++ b/charts/trusted-artifact-signer/README.md
@@ -3,14 +3,17 @@
 
 A Helm chart for deploying Sigstore scaffold chart that is opinionated for OpenShift
 
-![Version: 0.1.29](https://img.shields.io/badge/Version-0.1.29-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.1.30](https://img.shields.io/badge/Version-0.1.30-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 ## Overview
 
 This wrapper chart builds on top of the [Scaffold](https://github.com/sigstore/helm-charts/tree/main/charts/scaffold)
 chart from the Sigstore project to both simplify and satisfy the requirements for deployment within an OpenShift
 
-If you have already read this document and want a quick no-fail path to installing a Sigstore stack with RH SSO,
+Refer to the quick-start to install Sigstore components on OpenShift with the upstream Sigstore OIDC Issuer URL,
+[quickstart quide](docs/quick-start-with-sigstore-issuer.md)
+
+For a quick no-fail path to installing a Sigstore stack with RH SSO,
 follow [quick start](../../docs/quick-start-with-keycloak.md)
 
 The chart enhances the scaffold chart by taking care of the following:
@@ -35,15 +38,48 @@ scaffold:
 
 ### Sample Implementation
 
-#### Prerequisites
-
-The following must be satisfied prior to deploying the sample implementation:
+The installer and the quick start with RedHat SSO script include the creation of the necessary secrets:
 
 * Fulcio root CA certificate and signing keys
     * More information in [requirements-keys-certs.md](../../docs/requirements-keys-certs.md)
 * OpenID Token Issuer endpoint
+    * The public Sigstore OIDC Issuer URL `https://oauth2.sigstore.dev/auth` is configured in the absence of any other OIDC provider.
     * Keycloak/RHSSO requirements can be followed and deployed in OpenShift with [keycloak-example.md](../../docs/keycloak-example.md)
 
+To add configuration options to the TAS installation, either provide a custom `values.yaml` or provide available flags to the `tas-install`
+command.
+
+#### Configure the install with the `tas-install` command flags.
+
+Here are the available options for use with `tas-install`. For any other customization, you may provide a `values.yaml` with necessary
+information.
+
+```
+ $ ./tas-install install -h
+Installs Trusted Artifact Signer (TAS) on a Kubernetes cluster.
+
+	This command performs a series of actions:
+	1. Initializes the Kubernetes client to interact with your cluster
+	2. Sets up necessary certificates
+	3. Configures secrets
+	4. Deploys TAS to openshift
+
+Usage:
+  tas-installer install [flags]
+
+Flags:
+      --chart-location string    /local/path/to/chart or oci://registry/repo location of Helm chart (default "./charts/trusted-artifact-signer")
+      --chart-version string     Version of the Helm chart (default "0.1.29")
+  -h, --help                     help for install
+      --oidc-client-id string    Specify the OIDC client ID
+      --oidc-issuer-url string   Specify the OIDC issuer URL e.g for keycloak: https://[keycloak-domain]/auth/realms/[realm-name]
+      --oidc-type string         Specify the OIDC type
+      --values string            path to custom values file for chart configuration
+
+Global Flags:
+      --kubeconfig string   Specify the kubeconfig path (default "/Users/somalley/.kube/config")
+```
+
 #### Update the values file
 
 Helm values files are available in the examples directory that provides a baseline to work off of.
@@ -55,15 +91,6 @@ to curate the deployment of the chart:
 
 2. Perform any additional customizations as desired
 
-### Installing the Chart
-
-When logged in as an elevated OpenShift user, execute the following to install the chart referencing the
-customized values file. The OPENSHIFT_APPS_SUBDOMAIN will be substituted in the values file with `envsubst` below:
-
-```shell
-OPENSHIFT_APPS_SUBDOMAIN=apps.$(oc get dns cluster -o jsonpath='{ .spec.baseDomain }') envsubst <  examples/values-sigstore-openshift.yaml | helm upgrade -i trusted-artifact-signer --debug charts/trusted-artifact-signer -n sigstore --create-namespace --values -
-```
-
 ### Monitor Sigstore Components with Grafana
 
 For real-time analytics through Grafana, refer to our [enable-grafana-monitoring.md](../../docs/enable-grafana-monitoring.md) guide.
diff --git a/charts/trusted-artifact-signer/README.md.gotmpl b/charts/trusted-artifact-signer/README.md.gotmpl
index f25cb8ad..b211649f 100644
--- a/charts/trusted-artifact-signer/README.md.gotmpl
+++ b/charts/trusted-artifact-signer/README.md.gotmpl
@@ -8,7 +8,10 @@
 This wrapper chart builds on top of the [Scaffold](https://github.com/sigstore/helm-charts/tree/main/charts/scaffold)
 chart from the Sigstore project to both simplify and satisfy the requirements for deployment within an OpenShift
 
-If you have already read this document and want a quick no-fail path to installing a Sigstore stack with RH SSO,
+Refer to the quick-start to install Sigstore components on OpenShift with the upstream Sigstore OIDC Issuer URL,
+[quickstart quide](docs/quick-start-with-sigstore-issuer.md)
+
+For a quick no-fail path to installing a Sigstore stack with RH SSO,
 follow [quick start](../../docs/quick-start-with-keycloak.md)
 
 The chart enhances the scaffold chart by taking care of the following:
@@ -33,15 +36,48 @@ scaffold:
 
 ### Sample Implementation
 
-#### Prerequisites
-
-The following must be satisfied prior to deploying the sample implementation:
+The installer and the quick start with RedHat SSO script include the creation of the necessary secrets:
 
 * Fulcio root CA certificate and signing keys
     * More information in [requirements-keys-certs.md](../../docs/requirements-keys-certs.md)
 * OpenID Token Issuer endpoint
+    * The public Sigstore OIDC Issuer URL `https://oauth2.sigstore.dev/auth` is configured in the absence of any other OIDC provider.
     * Keycloak/RHSSO requirements can be followed and deployed in OpenShift with [keycloak-example.md](../../docs/keycloak-example.md)
 
+To add configuration options to the TAS installation, either provide a custom `values.yaml` or provide available flags to the `tas-install`
+command. 
+
+#### Configure the install with the `tas-install` command flags.
+
+Here are the available options for use with `tas-install`. For any other customization, you may provide a `values.yaml` with necessary
+information.
+
+```
+ $ ./tas-install install -h
+Installs Trusted Artifact Signer (TAS) on a Kubernetes cluster.
+
+	This command performs a series of actions:
+	1. Initializes the Kubernetes client to interact with your cluster
+	2. Sets up necessary certificates
+	3. Configures secrets
+	4. Deploys TAS to openshift
+
+Usage:
+  tas-installer install [flags]
+
+Flags:
+      --chart-location string    /local/path/to/chart or oci://registry/repo location of Helm chart (default "./charts/trusted-artifact-signer")
+      --chart-version string     Version of the Helm chart (default "0.1.29")
+  -h, --help                     help for install
+      --oidc-client-id string    Specify the OIDC client ID
+      --oidc-issuer-url string   Specify the OIDC issuer URL e.g for keycloak: https://[keycloak-domain]/auth/realms/[realm-name]
+      --oidc-type string         Specify the OIDC type
+      --values string            path to custom values file for chart configuration
+
+Global Flags:
+      --kubeconfig string   Specify the kubeconfig path (default "/Users/somalley/.kube/config")
+```
+
 #### Update the values file
 
 Helm values files are available in the examples directory that provides a baseline to work off of.
@@ -53,14 +89,6 @@ to curate the deployment of the chart:
 
 2. Perform any additional customizations as desired
 
-### Installing the Chart
-
-When logged in as an elevated OpenShift user, execute the following to install the chart referencing the
-customized values file. The OPENSHIFT_APPS_SUBDOMAIN will be substituted in the values file with `envsubst` below:
-
-```shell
-OPENSHIFT_APPS_SUBDOMAIN=apps.$(oc get dns cluster -o jsonpath='{ .spec.baseDomain }') envsubst <  examples/values-sigstore-openshift.yaml | helm upgrade -i trusted-artifact-signer --debug charts/trusted-artifact-signer -n sigstore --create-namespace --values -
-```
 
 ### Monitor Sigstore Components with Grafana
 
diff --git a/docs/quick-start-with-sigstore-issuer.md b/docs/quick-start-with-sigstore-issuer.md
new file mode 100644
index 00000000..8b4351f1
--- /dev/null
+++ b/docs/quick-start-with-sigstore-issuer.md
@@ -0,0 +1,30 @@
+## Quick Start with Sigstore Public OIDC Issuer
+
+1. Use the installer's `install` command to install the required signing keys and root certificate for keyless signing and install the sigstore stack.
+
+To build the installer
+
+```
+go build -C tas-installer -o ../tas-install
+```
+
+The installer expects a `kubeconfig` file at `$HOME/.kube/config`,, or that the flag `--kubeconfig /path/to/kubeconfig` is provided.
+By default, the fulcio server is configured to use the upstream public OIDC issuer at `oauth2.sigstore.dev/auth`. An interactive browser
+based flow in which you will authenticate with Google, GitHub, or MicroSoft will be initiated when signing artifacts..
+
+First, the user is prompted for information in order to create rekor and fulcio signing keys as well as the fulcio root certificate.
+Then, the Trusted Artifact Signer resources will be created. The stack is ready to use when all jobs have been completed. The job
+in the `tuf-system` namespace will be the last to complete, and can take several minutes.
+ 
+```shell
+./tas-install install
+```
+
+ Watch `oc get jobs -A` and when the `tuf-system` job is complete, the TAS stack should be ready to sign & verify artifacts.
+
+Once complete, move to the [Sign & Verify document](sign-verify.md) to test the Sigstore stack.
+
+If there is already a helm release `trusted-artifact-signer` installed, the command `./tas-install install` will perform an upgrade.
+In this case, it will reuse the signing keys and certificate secrets from the connected cluster's `fulcio-system` and `rekor-system`
+namespaces.
+
diff --git a/docs/tas-install.md b/docs/tas-install.md
new file mode 100644
index 00000000..460b80b1
--- /dev/null
+++ b/docs/tas-install.md
@@ -0,0 +1,51 @@
+## Trusted Artifact Signer Installer
+
+The `tas-install` command is experimental. To build it, run the following from the repository root.
+
+```
+go build -C tas-installer -o ../tas-install
+```
+
+### Install 
+
+```
+ $ ./tas-install install -h
+Installs Trusted Artifact Signer (TAS) on a Kubernetes cluster.
+
+	This command performs a series of actions:
+	1. Initializes the Kubernetes client to interact with your cluster
+	2. Sets up necessary certificates
+	3. Configures secrets
+	4. Deploys TAS to openshift
+
+Usage:
+  tas-installer install [flags]
+
+Flags:
+      --chart-location string    /local/path/to/chart or oci://registry/repo location of Helm chart (default "./charts/trusted-artifact-signer")
+      --chart-version string     Version of the Helm chart (default "0.1.29")
+  -h, --help                     help for install
+      --oidc-client-id string    Specify the OIDC client ID
+      --oidc-issuer-url string   Specify the OIDC issuer URL e.g for keycloak: https://[keycloak-domain]/auth/realms/[realm-name]
+      --oidc-type string         Specify the OIDC type
+      --values string            path to custom values file for chart configuration
+
+Global Flags:
+      --kubeconfig string   Specify the kubeconfig path (default "$HOME/.kube/config")
+```
+
+### Uninstall
+
+```
+$ ./tas-install uninstall -h
+Removes installation of Trusted Artifact Signer (TAS) on a Kubernetes cluster.
+
+Usage:
+  tas-installer uninstall [flags]
+
+Flags:
+  -h, --help   help for uninstall
+
+Global Flags:
+      --kubeconfig string   Specify the kubeconfig path (default "$HOME/.kube/config")
+```
diff --git a/tas-installer/cmd/install.go b/tas-installer/cmd/install.go
index 51e11fbf..f4eacfe5 100644
--- a/tas-installer/cmd/install.go
+++ b/tas-installer/cmd/install.go
@@ -86,7 +86,7 @@ func installTas(tasNamespace string) error {
 }
 
 func init() {
-	installCmd.PersistentFlags().StringVar(&helmChartVersion, "chart-version", "0.1.29", "Version of the Helm chart")
+	installCmd.PersistentFlags().StringVar(&helmChartVersion, "chart-version", "0.1.30", "Version of the Helm chart")
 	installCmd.PersistentFlags().StringVar(&helmChartLocation, "chart-location", "./charts/trusted-artifact-signer", "/local/path/to/chart or oci://registry/repo location of Helm chart")
 	installCmd.PersistentFlags().StringVar(&helmValuesFile, "values", "", "path to custom values file for chart configuration")
 	installCmd.PersistentFlags().StringVar(&oidcConfig.IssuerURL, "oidc-issuer-url", "", "Specify the OIDC issuer URL e.g for keycloak: https://[keycloak-domain]/auth/realms/[realm-name]")