feat(fulcio/add-env): Add additional env variables

Support GCP credentials for external cloud provider workloads

Signed-off-by: saisatish karra <[email protected]>

charts/fulcio/Chart.yaml

@@ -5,7 +5,7 @@ description: |
 
 type: application
 
-version: 2.3.2
+version: 2.4.2
 appVersion: 1.3.1
 
 keywords:

charts/fulcio/README.md

@@ -2,7 +2,7 @@
 
 <!-- This README.md is generated. Please edit README.md.gotmpl -->
 
-![Version: 2.3.2](https://img.shields.io/badge/Version-2.3.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.1](https://img.shields.io/badge/AppVersion-1.3.1-informational?style=flat-square)
+![Version: 2.4.2](https://img.shields.io/badge/Version-2.4.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.1](https://img.shields.io/badge/AppVersion-1.3.1-informational?style=flat-square)
 
 Fulcio is a free code signing Certificate Authority, built to make short-lived certificates available to anyone.
 
@@ -109,12 +109,14 @@ helm uninstall [RELEASE_NAME]
 | namespace.name | string | `"fulcio-system"` |  |
 | server.args.aws_hsm_root_ca_path | string | `nil` |  |
 | server.args.certificateAuthority | string | `"fileca"` |  |
+| server.args.creds | string | `""` |  |
 | server.args.ct_log_url | string | `""` |  |
 | server.args.disable_ct_log | bool | `false` |  |
 | server.args.gcp_private_ca_parent | string | `"projects/test/locations/us-east1/caPools/test"` |  |
 | server.args.grpcPort | int | `5554` |  |
 | server.args.hsm_caroot_id | string | `nil` |  |
 | server.args.port | int | `5555` |  |
+| server.env.GOOGLE_APPLICATION_CREDENTIALS | string | `"/etc/fulcio-config/cloud_credentials"` |  |
 | server.grpcSvcPort | int | `5554` |  |
 | server.image.pullPolicy | string | `"IfNotPresent"` |  |
 | server.image.registry | string | `"gcr.io"` |  |

charts/fulcio/templates/fulcio-configmap.yaml

@@ -11,3 +11,4 @@ data:
   {{- if (eq .Values.server.args.certificateAuthority "kmsca")}}
   chain.pem: {{.Values.server.args.kms_cert_chain | quote }}
   {{- end }}
+  cloud_credentials: {{.Values.server.args.creds | quote }}

charts/fulcio/templates/fulcio-deployment.yaml

@@ -59,14 +59,27 @@ spec:
             - "--kms-cert-chain-path=/etc/fulcio-config/chain.pem"
             {{- end }}
             - "--ct-log-url={{ if .Values.server.args.disable_ct_log }}{{ else if .Values.server.args.ct_log_url }}{{ .Values.server.args.ct_log_url }}{{ else }}http://{{ .Values.ctlog.name }}.{{ .Values.ctlog.namespace.name }}.svc/{{ .Values.ctlog.createctconfig.logPrefix }}{{ end }}"
-          {{- if eq .Values.server.args.certificateAuthority "fileca" }}
+{{- if .Values.server.env }}
           env:
-            - name: PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Values.server.secret }}
-                  key: password
-          {{- end }}
+{{- range $key, $value := .Values.server.env }}
+          - name: "{{ $key }}"
+            value: "{{ $value }}"
+{{- end }}
+{{- if eq .Values.server.args.certificateAuthority "fileca" }}
+          - name: PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.server.secret }}
+                key: password
+{{- end }}
+{{- else if eq .Values.server.args.certificateAuthority "fileca" }}
+          env:
+          - name: PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.server.secret }}
+                key: password
+{{- end }}
           volumeMounts:
             - name: fulcio-config
               mountPath: /etc/fulcio-config

charts/fulcio/values.schema.json

@@ -82,6 +82,7 @@
                 "grpcSvcPort",
                 "image",
                 "args",
+                "env",
                 "serviceAccount",
                 "service",
                 "ingress",
@@ -259,7 +260,15 @@
                             "examples": [
                                 "https://ct.example.com/"
                             ]
+                        },
+                        "creds": {
+                            "type": "string",
+                            "default": "",
+                            "title": "Google Cloud Web Identity JSON config / Service Account token key json",
+                            "description": "If set, Fulcio will use these credentials to impersonate GCP service account from trusted external cloud providers",
+                            "examples": []
                         }
+
                     },
                     "examples": [
                         {
@@ -272,6 +281,18 @@
                         }
                     ]
                 },
+                "env": {
+                    "type": "object",
+                    "default": {},
+                    "title": "The env Schema",
+                    "required": [],
+                    "properties": {},
+                    "examples": [
+                        {
+                            "GOOGLE_APPLICATION_CREDENTIALS": "/etc/fulcio-config/cloud_credentials"
+                        }
+                    ]
+                },
                 "serviceAccount": {
                     "type": "object",
                     "default": {},

charts/fulcio/values.yaml

@@ -20,9 +20,14 @@ server:
     # crane digest gcr.io/projectsigstore/fulcio:v1.3.1
     # -- v1.3.1
     version: sha256:c920be2d367214562cda7d53d3af3529edf2dfd9326b24909ece450092b97b18
+  env:
+    # Valid values: path to workload identity config or service account key JSON file
+    GOOGLE_APPLICATION_CREDENTIALS: /etc/fulcio-config/cloud_credentials
   args:
     port: 5555
     grpcPort: 5554
+    # valid values: GCP workload identity config json for trusted external cloud providers
+    creds: ""
     # Valid values: googleca, pkcs11ca, aws-hsm-root-ca-path, fileca, kmsca
     certificateAuthority: fileca
     # kms_resource: gcpkms://....