feat(fulcio/add-env): Add additional env variables

Support GCP credentials for external cloud provider workloads
sigstore · May 18, 2023 · 9bbd178 · 9bbd178
1 parent 8a9e00a
commit 9bbd178
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 9 deletions.
diff --git a/charts/fulcio/Chart.yaml b/charts/fulcio/Chart.yaml
@@ -5,7 +5,7 @@ description: |
 
 type: application
 
-version: 2.2.0
+version: 2.3.0
 appVersion: 1.2.0
 
 keywords:

diff --git a/charts/fulcio/README.md b/charts/fulcio/README.md
@@ -2,7 +2,7 @@
 
 <!-- This README.md is generated. Please edit README.md.gotmpl -->
 
-![Version: 2.2.0](https://img.shields.io/badge/Version-2.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.2.0](https://img.shields.io/badge/AppVersion-1.2.0-informational?style=flat-square)
+![Version: 2.3.0](https://img.shields.io/badge/Version-2.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.2.0](https://img.shields.io/badge/AppVersion-1.2.0-informational?style=flat-square)
 
 Fulcio is a free code signing Certificate Authority, built to make short-lived certificates available to anyone.
 
@@ -109,10 +109,12 @@ helm uninstall [RELEASE_NAME]
 | namespace.name | string | `"fulcio-system"` |  |
 | server.args.aws_hsm_root_ca_path | string | `nil` |  |
 | server.args.certificateAuthority | string | `"fileca"` |  |
+| server.args.creds | string | `""` |  |
 | server.args.gcp_private_ca_parent | string | `"projects/test/locations/us-east1/caPools/test"` |  |
 | server.args.grpcPort | int | `5554` |  |
 | server.args.hsm_caroot_id | string | `nil` |  |
 | server.args.port | int | `5555` |  |
+| server.env.GOOGLE_APPLICATION_CREDENTIALS | string | `"/etc/fulcio-config/cloud_credentials"` |  |
 | server.grpcSvcPort | int | `5554` |  |
 | server.image.pullPolicy | string | `"IfNotPresent"` |  |
 | server.image.registry | string | `"gcr.io"` |  |

diff --git a/charts/fulcio/templates/fulcio-configmap.yaml b/charts/fulcio/templates/fulcio-configmap.yaml
@@ -11,3 +11,4 @@ data:
   {{- if (eq .Values.server.args.certificateAuthority "kmsca")}}
   chain.pem: {{.Values.server.args.kms_cert_chain | quote }}
   {{- end }}
+  cloud_credentials: {{.Values.server.args.creds | quote }}
diff --git a/charts/fulcio/templates/fulcio-deployment.yaml b/charts/fulcio/templates/fulcio-deployment.yaml
@@ -59,14 +59,27 @@ spec:
             - "--kms-cert-chain-path=/etc/fulcio-config/chain.pem"
             {{- end }}
             - "--ct-log-url=http://{{ .Values.ctlog.name }}.{{ .Values.ctlog.namespace.name }}.svc/{{ .Values.ctlog.createctconfig.logPrefix }}"
-          {{- if eq .Values.server.args.certificateAuthority "fileca" }}
+{{- if .Values.server.env }}
           env:
-            - name: PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Values.server.secret }}
-                  key: password
-          {{- end }}
+{{- range $key, $value := .Values.server.env }}
+          - name: "{{ $key }}"
+            value: "{{ $value }}"
+{{- end }}
+{{- if eq .Values.server.args.certificateAuthority "fileca" }}
+          - name: PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.server.secret }}
+                key: password
+{{- end }}
+{{- else if eq .Values.server.args.certificateAuthority "fileca" }}
+          env:
+          - name: PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.server.secret }}
+                key: password
+{{- end }}
           volumeMounts:
             - name: fulcio-config
               mountPath: /etc/fulcio-config

diff --git a/charts/fulcio/values.yaml b/charts/fulcio/values.yaml
@@ -20,9 +20,14 @@ server:
     # crane digest gcr.io/projectsigstore/fulcio:v1.2.0
     # -- v1.2.0
     version: sha256:17ae9911f54892224c85355a1f8559cfecf75343093f2eaeea1a5c4724283d12
+  env:
+    # Valid values: path to workload identity config or service account key JSON file
+    GOOGLE_APPLICATION_CREDENTIALS: /etc/fulcio-config/cloud_credentials
   args:
     port: 5555
     grpcPort: 5554
+    # valid values: GCP workload identity config json for trusted external cloud providers
+    creds: ""
     # Valid values: googleca, pkcs11ca, aws-hsm-root-ca-path, fileca, kmsca
     certificateAuthority: fileca
     # kms_resource: gcpkms://....