fix: add certificates to chart value (#1172)
susanshi authored Nov 15, 2023
1 parent 29a38b6 commit a47bdc6
Showing 4 changed files with 19 additions and 8 deletions.
9 changes: 5 additions & 4 deletions charts/ratify/README.md
Expand Up @@ -110,8 +110,9 @@ $ helm upgrade -n gatekeeper-system [RELEASE_NAME] ratify/ratify
| azureManagedIdentity.tenantId | TenantID of Managed Identity resource | `` |
| akvCertConfig.enabled | Enables/disables Azure Key Vault certificate store. If you are using a custom chart, certificate store should be referenced through a Verifier CR. References in ConfigMap will not be correctly resolved. | `false` |
| akvCertConfig.vaultURI | Vault URI for AKV configured | `` |
| akvCertConfig.cert1Name | Exact name of the certificate stored in AKV | `` |
| akvCertConfig.cert1Version | Exact version of certificate to use from AKV | `` |
| akvCertConfig.cert2Name | Exact name of the certificate stored in AKV | `` |
| akvCertConfig.cert2Version | Exact version of certificate to use from AKV | `` |
| akvCertConfig.cert1Name | Exact name of the certificate stored in AKV. This value has been ***deprecated*** , and will be removed in future releases of Ratify. Please switch to ```akvCertConfig.certificates``` to specify an array of certificates | `` |
| akvCertConfig.cert1Version | Exact version of certificate to use from AKV. This value has been ***deprecated*** , and will be removed in future releases of Ratify. Please switch to ```akvCertConfig.certificates``` to specify an array of verification certificates | `` |
| akvCertConfig.cert2Name | Exact name of the certificate stored in AKV. This value has been ***deprecated*** , and will be removed in future releases of Ratify. Please switch to ```akvCertConfig.certificates``` to specify an array of verification certificates | `` |
| akvCertConfig.cert2Version | Exact version of certificate to use from AKV. This value has been ***deprecated*** , and will be removed in future releases of Ratify. Please switch to ```akvCertConfig.certificates``` to specify an array of verification certificates | `` |
| akvCertConfig.certificates | An array of certificate objects identified by certificateName and certificateVersion stored in AKV | ``
| akvCertConfig.tenantId | TenantID of the configured AKV resource | `` |
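Review bot: the new `akvCertConfig.certificates` row is missing its trailing `|` (`| akvCertConfig.certificates | An array of certificate objects ... | ``` ends without the closing pipe), so the Markdown table row is malformed; add the closing pipe. The description also does not show the shape users must supply, while the deprecation text in the four rows above tells them to switch to this key; a short example such as `certificates: [{certificateName: <name>, certificateVersion: <version>}]` in the description would close that gap. Minor: those deprecation notes wrap `akvCertConfig.certificates` in triple backticks inside a table cell, whereas the rest of the table uses single backticks.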
13 changes: 11 additions & 2 deletions charts/ratify/templates/akv-certificate-provider.yaml
Expand Up @@ -12,14 +12,23 @@ spec:
vaultURI: {{ required "vaultURI must be provided when AKV cert config is enabled" .Values.akvCertConfig.vaultURI }}
certificates: |
array:
{{- if .Values.akvCertConfig.cert1Name }}
- |
certificateName: {{ required "cert1Name must be provided when AKV cert config is enabled" .Values.akvCertConfig.cert1Name }}
certificateVersion: {{ .Values.akvCertConfig.cert1Version }}
certificateName: {{ .Values.akvCertConfig.cert1Name }}
certificateVersion: {{ .Values.akvCertConfig.cert1Version }}
{{ end }}
{{- if .Values.akvCertConfig.cert2Name }}
- |
certificateName: {{ .Values.akvCertConfig.cert2Name }}
certificateVersion: {{ .Values.akvCertConfig.cert2Version }}
{{ end }}
{{- range .Values.akvCertConfig.certificates }}
{{- if .certificateName }}
- |
certificateName: {{ .certificateName }}
certificateVersion: {{ .certificateVersion }}
{{- end }}
{{- end }}
tenantID: {{ required "tenantID must be provided when AKV cert config is enabled" .Values.akvCertConfig.tenantId }}
clientID: {{ required "clientID must be provided when use workload identity in akv" .Values.azureWorkloadIdentity.clientId }}
{{ end }}
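Review bot: the `required "cert1Name must be provided ..."` guard is removed but nothing replaces it, so with `akvCertConfig.enabled=true` and neither the legacy `cert1Name`/`cert2Name` nor `certificates` set, the template renders `array:` with no entries and the certificate store is created empty instead of failing at install time; add a guard that at least one certificate is configured, e.g. `{{- if and (not .Values.akvCertConfig.cert1Name) (not .Values.akvCertConfig.certificates) }}{{ fail "at least one certificate must be configured when AKV cert config is enabled" }}{{- end }}`. Inside the new `range`, `{{- if .certificateName }}` silently drops any list entry that lacks `certificateName` (a mistyped key would be ignored rather than reported), which is the wrong failure mode for a trust store; `certificateName: {{ required "certificateName must be set for each entry in akvCertConfig.certificates" .certificateName }}` would surface the misconfiguration. Style: the legacy blocks keep `{{ end }}` while the new loop uses `{{- end }}`; using the trimmed form throughout keeps stray blank lines out of the rendered `certificates` string.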
1 change: 1 addition & 0 deletions charts/ratify/values.yaml
Expand Up @@ -50,6 +50,7 @@ akvCertConfig:
cert1Version:
cert2Name:
cert2Version:
certificates:
tenantId:

oras:
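Review bot: `certificates:` with no value renders as null, which works because `range` over nil is a no-op in Go templates, but it leaves the expected type undocumented; declaring it as `certificates: []` with a commented example entry (`# - certificateName: <cert name>` / `#   certificateVersion: <cert version>`) would show users of values.yaml the list-of-objects shape, since the README row for this key does not show it either.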
4 changes: 2 additions & 2 deletions scripts/azure-ci-test.sh
Expand Up @@ -66,8 +66,8 @@ deploy_ratify() {
--set gatekeeper.version=${GATEKEEPER_VERSION} \
--set akvCertConfig.enabled=true \
--set akvCertConfig.vaultURI=${VAULT_URI} \
--set akvCertConfig.cert1Name=${NOTATION_PEM_NAME} \
--set akvCertConfig.cert2Name=${NOTATION_CHAIN_PEM_NAME} \
--set akvCertConfig.certificates[0].certificateName=${NOTATION_PEM_NAME} \
--set akvCertConfig.certificates[1].certificateName=${NOTATION_CHAIN_PEM_NAME} \
--set akvCertConfig.tenantId=${TENANT_ID} \
--set oras.authProviders.azureWorkloadIdentityEnabled=true \
--set azureWorkloadIdentity.clientId=${IDENTITY_CLIENT_ID} \
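Review bot: neither new `--set` entry sets `certificateVersion`, so the chart renders `certificateVersion:` with an empty value for both `${NOTATION_PEM_NAME}` and `${NOTATION_CHAIN_PEM_NAME}`; if the provider resolves an empty version to the newest one, the CI run depends on whatever was last uploaded to the vault, so either pin a version (`--set akvCertConfig.certificates[0].certificateVersion=...`) or add a comment stating that latest is intentional for this test. The list-index path syntax (`certificates[0].certificateName`) is valid for Helm `--set`; quoting the expanded variables (`"${NOTATION_PEM_NAME}"`) would keep the flags intact if a name ever contains shell-significant characters.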