diff --git a/.gitignore b/.gitignore index 91759212..492ca11e 100644 --- a/.gitignore +++ b/.gitignore @@ -3,6 +3,8 @@ Chart.lock # Vim swap files *.swp +*.tgz + *tas-env-variables* keys-cert ./keys-cert/*.pem @@ -12,4 +14,4 @@ keys-cert .idea tas-install -pull-secret.json \ No newline at end of file +pull-secret.json diff --git a/README.md b/README.md index f20cc781..f6f65879 100644 --- a/README.md +++ b/README.md @@ -8,8 +8,11 @@ This chart extends all the features in the upstream chart in addition to includi ### Installing from the Chart Repository -For a quickstart on how to install Sigstore components on OpenShift refer to the -[quickstart quide](docs/quick-start-with-keycloak.md) +For a quickstart on how to install Sigstore components on OpenShift with OpenShift SSO (Keycloak), refer to the +[quickstart quide with keycloak](docs/quick-start-with-keycloak.md) + +For a quickstart on how to install Sigstore components on OpenShift with the upstream Sigstore OIDC Issuer URL, refer to the +[quickstart quide](docs/quick-start-with-sigstore-issuer.md) ## Scaffolding Chart diff --git a/charts/trusted-artifact-signer/Chart.yaml b/charts/trusted-artifact-signer/Chart.yaml index cf0a43e2..e3130190 100644 --- a/charts/trusted-artifact-signer/Chart.yaml +++ b/charts/trusted-artifact-signer/Chart.yaml @@ -33,4 +33,4 @@ sources: # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.28 +version: 0.1.30 diff --git a/charts/trusted-artifact-signer/README.md b/charts/trusted-artifact-signer/README.md index 0e07f57a..c7a73920 100644 --- a/charts/trusted-artifact-signer/README.md +++ b/charts/trusted-artifact-signer/README.md 
@@ -3,14 +3,17 @@ A Helm chart for deploying Sigstore scaffold chart that is opinionated for OpenShift -![Version: 0.1.28](https://img.shields.io/badge/Version-0.1.28-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.1.30](https://img.shields.io/badge/Version-0.1.30-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ## Overview This wrapper chart builds on top of the [Scaffold](https://github.com/sigstore/helm-charts/tree/main/charts/scaffold) chart from the Sigstore project to both simplify and satisfy the requirements for deployment within an OpenShift -If you have already read this document and want a quick no-fail path to installing a Sigstore stack with RH SSO, +Refer to the quick-start to install Sigstore components on OpenShift with the upstream Sigstore OIDC Issuer URL, +[quickstart quide](docs/quick-start-with-sigstore-issuer.md) + +For a quick no-fail path to installing a Sigstore stack with RH SSO, follow [quick start](../../docs/quick-start-with-keycloak.md) The chart enhances the scaffold chart by taking care of the following: 
@@ -35,15 +38,48 @@ scaffold: ### Sample Implementation -#### Prerequisites - -The following must be satisfied prior to deploying the sample implementation: +The installer and the quick start with RedHat SSO script include the creation of the necessary secrets: * Fulcio root CA certificate and signing keys * More information in [requirements-keys-certs.md](../../docs/requirements-keys-certs.md) * OpenID Token Issuer endpoint + * The public Sigstore OIDC Issuer URL `https://oauth2.sigstore.dev/auth` is configured in the absence of any other OIDC provider. * Keycloak/RHSSO requirements can be followed and deployed in OpenShift with [keycloak-example.md](../../docs/keycloak-example.md) +To add configuration options to the TAS installation, either provide a custom `values.yaml` or provide available flags to the `tas-install` +command. + +#### Configure the install with the `tas-install` command flags. + +Here are the available options for use with `tas-install`. For any other customization, you may provide a `values.yaml` with necessary +information. + +``` + $ ./tas-install install -h +Installs Trusted Artifact Signer (TAS) on a Kubernetes cluster. + + This command performs a series of actions: + 1. Initializes the Kubernetes client to interact with your cluster + 2. Sets up necessary certificates + 3. Configures secrets + 4. 
Deploys TAS to openshift + +Usage: + tas-installer install [flags] + +Flags: + --chart-location string /local/path/to/chart or oci://registry/repo location of Helm chart (default "./charts/trusted-artifact-signer") + --chart-version string Version of the Helm chart (default "0.1.29") + -h, --help help for install + --oidc-client-id string Specify the OIDC client ID + --oidc-issuer-url string Specify the OIDC issuer URL e.g for keycloak: https://[keycloak-domain]/auth/realms/[realm-name] + --oidc-type string Specify the OIDC type + --values string path to custom values file for chart configuration + +Global Flags: + --kubeconfig string Specify the kubeconfig path (default "/Users/somalley/.kube/config") +``` + #### Update the values file Helm values files are available in the examples directory that provides a baseline to work off of. @@ -55,15 +91,6 @@ to curate the deployment of the chart: 2. Perform any additional customizations as desired -### Installing the Chart - -When logged in as an elevated OpenShift user, execute the following to install the chart referencing the -customized values file. The OPENSHIFT_APPS_SUBDOMAIN will be substituted in the values file with `envsubst` below: - -```shell -OPENSHIFT_APPS_SUBDOMAIN=apps.$(oc get dns cluster -o jsonpath='{ .spec.baseDomain }') envsubst < examples/values-sigstore-openshift.yaml | helm upgrade -i trusted-artifact-signer --debug charts/trusted-artifact-signer -n sigstore --create-namespace --values - -``` - ### Monitor Sigstore Components with Grafana For real-time analytics through Grafana, refer to our [enable-grafana-monitoring.md](../../docs/enable-grafana-monitoring.md) guide. diff --git a/charts/trusted-artifact-signer/README.md.gotmpl b/charts/trusted-artifact-signer/README.md.gotmpl index f25cb8ad..b211649f 100644 --- a/charts/trusted-artifact-signer/README.md.gotmpl +++ b/charts/trusted-artifact-signer/README.md.gotmpl 
@@ -8,7 +8,10 @@ This wrapper chart builds on top of the [Scaffold](https://github.com/sigstore/helm-charts/tree/main/charts/scaffold) chart from the Sigstore project to both simplify and satisfy the requirements for deployment within an OpenShift -If you have already read this document and want a quick no-fail path to installing a Sigstore stack with RH SSO, +Refer to the quick-start to install Sigstore components on OpenShift with the upstream Sigstore OIDC Issuer URL, +[quickstart quide](docs/quick-start-with-sigstore-issuer.md) + +For a quick no-fail path to installing a Sigstore stack with RH SSO, follow [quick start](../../docs/quick-start-with-keycloak.md) The chart enhances the scaffold chart by taking care of the following: 
@@ -33,15 +36,48 @@ scaffold: ### Sample Implementation -#### Prerequisites - -The following must be satisfied prior to deploying the sample implementation: +The installer and the quick start with RedHat SSO script include the creation of the necessary secrets: * Fulcio root CA certificate and signing keys * More information in [requirements-keys-certs.md](../../docs/requirements-keys-certs.md) * OpenID Token Issuer endpoint + * The public Sigstore OIDC Issuer URL `https://oauth2.sigstore.dev/auth` is configured in the absence of any other OIDC provider. * Keycloak/RHSSO requirements can be followed and deployed in OpenShift with [keycloak-example.md](../../docs/keycloak-example.md) +To add configuration options to the TAS installation, either provide a custom `values.yaml` or provide available flags to the `tas-install` +command. + +#### Configure the install with the `tas-install` command flags. + +Here are the available options for use with `tas-install`. For any other customization, you may provide a `values.yaml` with necessary +information. + +``` + $ ./tas-install install -h +Installs Trusted Artifact Signer (TAS) on a Kubernetes cluster. + + This command performs a series of actions: + 1. Initializes the Kubernetes client to interact with your cluster + 2. Sets up necessary certificates + 3. Configures secrets + 4. 
Deploys TAS to openshift + +Usage: + tas-installer install [flags] + +Flags: + --chart-location string /local/path/to/chart or oci://registry/repo location of Helm chart (default "./charts/trusted-artifact-signer") + --chart-version string Version of the Helm chart (default "0.1.29") + -h, --help help for install + --oidc-client-id string Specify the OIDC client ID + --oidc-issuer-url string Specify the OIDC issuer URL e.g for keycloak: https://[keycloak-domain]/auth/realms/[realm-name] + --oidc-type string Specify the OIDC type + --values string path to custom values file for chart configuration + +Global Flags: + --kubeconfig string Specify the kubeconfig path (default "/Users/somalley/.kube/config") +``` + #### Update the values file Helm values files are available in the examples directory that provides a baseline to work off of. @@ -53,14 +89,6 @@ to curate the deployment of the chart: 2. Perform any additional customizations as desired -### Installing the Chart - -When logged in as an elevated OpenShift user, execute the following to install the chart referencing the -customized values file. The OPENSHIFT_APPS_SUBDOMAIN will be substituted in the values file with `envsubst` below: - -```shell -OPENSHIFT_APPS_SUBDOMAIN=apps.$(oc get dns cluster -o jsonpath='{ .spec.baseDomain }') envsubst < examples/values-sigstore-openshift.yaml | helm upgrade -i trusted-artifact-signer --debug charts/trusted-artifact-signer -n sigstore --create-namespace --values - -``` ### Monitor Sigstore Components with Grafana diff --git a/docs/quick-start-with-sigstore-issuer.md b/docs/quick-start-with-sigstore-issuer.md new file mode 100644 index 00000000..8b4351f1 --- /dev/null +++ b/docs/quick-start-with-sigstore-issuer.md 
@@ -0,0 +1,30 @@
+## Quick Start with Sigstore Public OIDC Issuer
+
+1. Use the installer's `install` command to install the required signing keys and root certificate for keyless signing and install the sigstore stack.
+
+To build the installer
+
+```
+go build -C tas-installer -o ../tas-install
+```
+
+The installer expects a `kubeconfig` file at `$HOME/.kube/config`,, or that the flag `--kubeconfig /path/to/kubeconfig` is provided.
+By default, the fulcio server is configured to use the upstream public OIDC issuer at `oauth2.sigstore.dev/auth`. An interactive browser
+based flow in which you will authenticate with Google, GitHub, or MicroSoft will be initiated when signing artifacts..
+
+First, the user is prompted for information in order to create rekor and fulcio signing keys as well as the fulcio root certificate.
+Then, the Trusted Artifact Signer resources will be created. The stack is ready to use when all jobs have been completed. The job
+in the `tuf-system` namespace will be the last to complete, and can take several minutes.
+
+```shell
+./tas-install install
+```
+
+ Watch `oc get jobs -A` and when the `tuf-system` job is complete, the TAS stack should be ready to sign & verify artifacts.
+
+Once complete, move to the [Sign & Verify document](sign-verify.md) to test the Sigstore stack.
+
+If there is already a helm release `trusted-artifact-signer` installed, the command `./tas-install install` will perform an upgrade.
+In this case, it will reuse the signing keys and certificate secrets from the connected cluster's `fulcio-system` and `rekor-system`
+namespaces.
+
diff --git a/docs/tas-install.md b/docs/tas-install.md
new file mode 100644
index 00000000..460b80b1
--- /dev/null
+++ b/docs/tas-install.md
@@ -0,0 +1,51 @@
+## Trusted Artifact Signer Installer
+
+The `tas-install` command is experimental. To build it, run the following from the repository root.
+
+```
+go build -C tas-installer -o ../tas-install
+```
+
+### Install
+
+```
+ $ ./tas-install install -h
+Installs Trusted Artifact Signer (TAS) on a Kubernetes cluster.
+
+ This command performs a series of actions:
+ 1. Initializes the Kubernetes client to interact with your cluster
+ 2. Sets up necessary certificates
+ 3. Configures secrets
+ 4. Deploys TAS to openshift
+
+Usage:
+ tas-installer install [flags]
+
+Flags:
+ --chart-location string /local/path/to/chart or oci://registry/repo location of Helm chart (default "./charts/trusted-artifact-signer")
+ --chart-version string Version of the Helm chart (default "0.1.29")
+ -h, --help help for install
+ --oidc-client-id string Specify the OIDC client ID
+ --oidc-issuer-url string Specify the OIDC issuer URL e.g for keycloak: https://[keycloak-domain]/auth/realms/[realm-name]
+ --oidc-type string Specify the OIDC type
+ --values string path to custom values file for chart configuration
+
+Global Flags:
+ --kubeconfig string Specify the kubeconfig path (default "$HOME/.kube/config")
+```
+
+### Uninstall
+
+```
+$ ./tas-install uninstall -h
+Removes installation of Trusted Artifact Signer (TAS) on a Kubernetes cluster.
+
+Usage:
+ tas-installer uninstall [flags]
+
+Flags:
+ -h, --help help for uninstall
+
+Global Flags:
+ --kubeconfig string Specify the kubeconfig path (default "$HOME/.kube/config")
+```
diff --git a/tas-installer/cmd/install.go b/tas-installer/cmd/install.go
index 050dc449..f4eacfe5 100644
--- a/tas-installer/cmd/install.go
+++ b/tas-installer/cmd/install.go
@@ -18,9 +18,10 @@ const (
 )
 
 var (
- helmChartVersion string
- helmValuesFile string
- oidcConfig oidc.OIDCConfig
+ helmChartLocation string
+ helmChartVersion string
+ helmValuesFile string
+ oidcConfig oidc.OIDCConfig
 )
 
 var installCmd = &cobra.Command{
@@ -70,7 +71,7 @@ func installTas(tasNamespace string) error {
 },
 func() error {
 log.Print("installing helm chart")
- if err := install.HandleHelmChartInstall(kc, oidcConfig, tasNamespace, tasReleaseName, helmValuesFile, helmChartVersion); err != nil {
+ if err := install.HandleHelmChartInstall(kc, oidcConfig, tasNamespace, tasReleaseName, helmValuesFile, helmChartLocation, helmChartVersion); err != nil {
 return err
 }
 return nil
@@ -85,8 +86,9 @@ func installTas(tasNamespace string) error {
 }
 
 func init() {
- installCmd.PersistentFlags().StringVar(&helmChartVersion, "chartVersion", "0.1.26", "Version of the Helm chart")
- installCmd.PersistentFlags().StringVar(&helmValuesFile, "valuesFile", "", "Custom values file for chart configuration")
+ installCmd.PersistentFlags().StringVar(&helmChartVersion, "chart-version", "0.1.30", "Version of the Helm chart")
+ installCmd.PersistentFlags().StringVar(&helmChartLocation, "chart-location", "./charts/trusted-artifact-signer", "/local/path/to/chart or oci://registry/repo location of Helm chart")
+ installCmd.PersistentFlags().StringVar(&helmValuesFile, "values", "", "path to custom values file for chart configuration")
 installCmd.PersistentFlags().StringVar(&oidcConfig.IssuerURL, "oidc-issuer-url", "", "Specify the OIDC issuer URL e.g for keycloak: https://[keycloak-domain]/auth/realms/[realm-name]")
 installCmd.PersistentFlags().StringVar(&oidcConfig.ClientID, "oidc-client-id", "", "Specify the OIDC client ID")
 installCmd.PersistentFlags().StringVar(&oidcConfig.Type, "oidc-type", "", "Specify the OIDC type")
diff --git a/tas-installer/internal/install/install.go b/tas-installer/internal/install/install.go
index 86f8065e..bf15847d 100644
--- a/tas-installer/internal/install/install.go
+++ b/tas-installer/internal/install/install.go
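Review bot: The hard-coded default `"0.1.30"` given to `--chart-version` in the second hunk is now a second copy of the version in `charts/trusted-artifact-signer/Chart.yaml`, and the help output pasted into the chart READMEs and `docs/tas-install.md` in this same change still shows `0.1.29`, so the copies are already drifting within one commit. I would hoist it to a named constant with a comment that ties it to the chart, e.g. `// defaultChartVersion must be bumped together with charts/trusted-artifact-signer/Chart.yaml` above `const defaultChartVersion = "0.1.30"`, and say in the help text that the version is presumably only consulted when `--chart-location` is a remote `oci://` reference rather than a local chart directory. Renaming `chartVersion`/`valuesFile` to `chart-version`/`values` with no deprecated alias also silently breaks every existing invocation of the installer; if that is intended it should be called out. `init` continues past the end of the hunk.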
@@ -13,8 +13,8 @@ import (
 "time"
 )
 
-func HandleHelmChartInstall(kc *kubernetes.KubernetesClient, oidcConfig oidc.OIDCConfig, tasNamespace, tasReleaseName, helmValuesFile, helmChartVersion string) error {
- if err := helm.InstallTrustedArtifactSigner(kc, oidcConfig, tasNamespace, tasReleaseName, helmValuesFile, helmChartVersion); err != nil {
+func HandleHelmChartInstall(kc *kubernetes.KubernetesClient, oidcConfig oidc.OIDCConfig, tasNamespace, tasReleaseName, helmChartLocation, helmValuesFile, helmChartVersion string) error {
+ if err := helm.InstallTrustedArtifactSigner(kc, oidcConfig, tasNamespace, tasReleaseName, helmValuesFile, helmChartLocation, helmChartVersion); err != nil {
 return err
 }
 return nil
diff --git a/tas-installer/pkg/helm/helm.go b/tas-installer/pkg/helm/helm.go
index 12fbbde2..b3d0eb29 100644
--- a/tas-installer/pkg/helm/helm.go
+++ b/tas-installer/pkg/helm/helm.go
@@ -37,8 +37,7 @@ func UninstallTrustedArtifactSigner(tasNamespace, tasReleaseName string) (*relea
 return action.NewUninstall(actionConfig).Run(tasReleaseName)
 }
 
-func InstallTrustedArtifactSigner(kc *kubernetes.KubernetesClient, oidcConfig oidc.OIDCConfig, tasNamespace, tasReleaseName, pathToValuesFile, chartVersion string) error {
- chartUrl := "charts/trusted-artifact-signer"
+func InstallTrustedArtifactSigner(kc *kubernetes.KubernetesClient, oidcConfig oidc.OIDCConfig, tasNamespace, tasReleaseName, pathToValuesFile, chartLocation, chartVersion string) error {
 
 tv := templatedValues{
 OpenShiftAppsSubdomain: kc.ClusterCommonName,
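Review bot: The parameter order declared for `HandleHelmChartInstall` (`tasReleaseName, helmChartLocation, helmValuesFile, helmChartVersion`) matches neither its caller in `installTas`, which passes `helmValuesFile, helmChartLocation, helmChartVersion`, nor its own forwarding call, which hands `helmValuesFile, helmChartLocation` to `helm.InstallTrustedArtifactSigner` whose signature is `pathToValuesFile, chartLocation, chartVersion`. Tracing the two swaps through, the caller's chart location ends up in `pathToValuesFile` and its values-file path in `chartLocation`; because all three are plain strings the compiler cannot catch it, and with the defaults Helm would presumably be asked to locate a chart named `""` while `./charts/trusted-artifact-signer` is treated as the values file. The smallest fix is to declare the parameters in the order both sides already use: `func HandleHelmChartInstall(kc *kubernetes.KubernetesClient, oidcConfig oidc.OIDCConfig, tasNamespace, tasReleaseName, helmValuesFile, helmChartLocation, helmChartVersion string) error {`. Longer term a small options struct with named fields would remove this class of positional mix-up.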
@@ -89,13 +88,13 @@ func InstallTrustedArtifactSigner(kc *kubernetes.KubernetesClient, oidcConfig oi
 for _, rel := range releases {
 if rel.Name == tasReleaseName && rel.Namespace == tasNamespace {
 exists = true
- if err := upgradeRelease(actionConfig, client, settings, tasNamespace, chartUrl, chartVersion, values); err != nil {
+ if err := upgradeRelease(actionConfig, client, settings, tasNamespace, chartLocation, chartVersion, values); err != nil {
 return err
 }
 }
 }
 if !exists {
- if err := installNewRelease(actionConfig, client, settings, tasNamespace, tasReleaseName, chartUrl, chartVersion, values); err != nil {
+ if err := installNewRelease(actionConfig, client, settings, tasNamespace, tasReleaseName, chartLocation, chartVersion, values); err != nil {
 return err
 }
 }
@@ -111,7 +110,7 @@ func actionConfig(tasNamespace string) (*action.Configuration, *cli.EnvSettings,
 return actionConfig, settings, nil
 }
 
-func installNewRelease(actionConfig *action.Configuration, client *registry.Client, settings *cli.EnvSettings, tasNamespace, tasReleaseName, chartURL, chartVersion string, values map[string]interface{}) error {
+func installNewRelease(actionConfig *action.Configuration, client *registry.Client, settings *cli.EnvSettings, tasNamespace, tasReleaseName, chartLocation, chartVersion string, values map[string]interface{}) error {
 install := action.NewInstall(actionConfig)
 install.ReleaseName = tasReleaseName
 install.Namespace = tasNamespace
@@ -119,7 +118,7 @@ func installNewRelease(actionConfig *action.Configuration, client *registry.Clie
 install.Version = chartVersion
 install.SetRegistryClient(client)
 
- chartPath, err := install.LocateChart(chartURL, settings)
+ chartPath, err := install.LocateChart(chartLocation, settings)
 if err != nil {
 return err
 }
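Review bot: `install.LocateChart(chartLocation, settings)` in the third hunk now fetches whatever `--chart-location` names, including a remote `oci://` reference, and nothing around it verifies what comes back: `install.Verify` and `install.Keyring` are left unset so no Helm provenance check runs, and `install.Version` is the only pin, a mutable tag or semver range resolved at install time rather than an immutable digest. For a tool whose purpose is to stand up the cluster's signing trust root (Fulcio CA, Rekor keys, TUF) that is a weak supply-chain posture; I would at least reject an empty or whitespace location before the call, e.g. `if strings.TrimSpace(chartLocation) == "" { return errors.New("chart location must not be empty") }` (the error Helm presumably returns for `""` is a generic lookup failure), require an exact version when the location is remote, and consider enabling `install.Verify` with a keyring where the registry publishes `.prov` files. The same applies to the `upgradeRelease` path in the next hunk. `installNewRelease` starts in the second hunk and continues past the end of the third.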
@@ -137,13 +136,13 @@ func installNewRelease(actionConfig *action.Configuration, client *registry.Clie
 return nil
 }
 
-func upgradeRelease(actionConfig *action.Configuration, client *registry.Client, settings *cli.EnvSettings, tasNamespace, chartURL, chartVersion string, values map[string]interface{}) error {
+func upgradeRelease(actionConfig *action.Configuration, client *registry.Client, settings *cli.EnvSettings, tasNamespace, chartLocation, chartVersion string, values map[string]interface{}) error {
 upgrade := action.NewUpgrade(actionConfig)
 upgrade.Namespace = tasNamespace
 upgrade.Version = chartVersion
 upgrade.SetRegistryClient(client)
 
- chartPath, err := upgrade.LocateChart(chartURL, settings)
+ chartPath, err := upgrade.LocateChart(chartLocation, settings)
 if err != nil {
 return err
 }