Add trusted-certificate-issuer helm chart (#4)

Author: poussa

charts/trusted-certificate-issuer/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/trusted-certificate-issuer/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: tcs-issuer
+description: A Helm chart for Trusted Certificate Issuer
+home: https://github.com/intel/trusted-certificate-issuer
+type: application
+version: 0.2.0
+appVersion: "0.2.0"

charts/trusted-certificate-issuer/README.md

@@ -0,0 +1,82 @@
+# Trusted Certificate Issuer Helm chart
+
+Trusted Certificate Service (TCS) is a K8s service to protect signing keys using Intel's SGX technology. Kubernetes certificate signing request (CSR) and cert-manager CertificateRequest APIs are both supported.
+
+This document covers how to install Trusted Certificate Service (TCS) issuer (TCI) by using Helm charts.
+
+To learn more check the documentation [here](https://github.com/intel/trusted-certificate-issuer).
+
+## Prerequisites
+
+- Helm 3.x
+- Kubernetes cluster with SGX node
+- cert-manager Custom Resource Definitions ([CRDs](https://cert-manager.io/docs/installation/helm/#3-install-customresourcedefinitions))
+
+## Installing the Chart
+
+Use the following command to install TCI (to namespace `intel-system` which will be created).
+
+The Intel's Helm charts repository:
+
+```console
+$ helm repo add intel https://intel.github.io/helm-charts
+$ helm repo update
+```
+Install the chart:
+
+> NOTE: This will also install the CRDs.
+
+```console
+$ helm install tci intel/tcs-issuer -n intel-system --create-namespace
+```
+
+Use the following command to verify the installation status.
+
+```console
+$ helm ls -n intel-system
+```
+
+## Uninstalling the Chart
+
+In case you want to uninstall TCI, use the following command:
+
+> NOTE: the below command does not uninstall the CRDs. 
+
+```console
+$ helm delete tci -n intel-system
+```
+
+## Configuration
+
+The following table lists the configurable parameters of the TCS issuer chart and their default values. You can change the default values either via `helm --set <parameter=value>` or editing the `values.yaml` and passing the file to helm via `helm install -f values.yaml ...` option.
+
+| Parameter | Description | Default 
+| --- | --- | --- |
+| `image.hub`| Image repository | intel |
+| `image.name`| Image name | trusted-certificate-issuer |
+| `image.tag`| Image tag | Chart's appVersion |
+| `image.pullPolicy`| Image pull policy | IfNotPresent |
+| `controllerExtraArgs`| List of extra arguments passed to the controller  | <empty> |
+| `imagePullSecrets`| Array of secrets pull an image from a private container image registry or repository  | <empty> |
+| `pkcs11.sopin`| Create service account | V0lwbUJCybc2Oc6M06Vz |
+| `pkcs11.userpin`| Create service account | U3BnbGIyTUl3ZV9lSHUy |
+| `serviceAccount.create`| Create service account | true |
+| `serviceAccount.annotations`| Dictionary of service account annotations | <empty> |
+| `serviceAccount.name`| Name of the service account | Full name of the chart |
+| `podAnnotations`| Dictionary of pod annotations | sgx.intel.com/quote-provider: aesmd |
+| `podSecurityContext`| Dictionary of pod security context settings | <empty> |
+| `service.type`| Service type | ClusterIP |
+| `service.port`| Service port | 8443 |
+| `resources.limits.cpu`| CPU limit | 500m |
+| `resources.limits.memory`| Memory limit | 100Mi |
+| `resources.limits.sgx.intel.com/enclave`| SGX enclave limit | 1 |
+| `resources.limits.sgx.intel.com/epc`| SGX epc memory limit | 512Ki |
+| `resources.requests.cpu`| CPU request | 100m |
+| `resources.requests.memory`| Memory request | 20Mi |
+| `resources.requests.sgx.intel.com/enclave`| SGX enclave request | 1 |
+| `resources.requests.sgx.intel.com/epc`| SGX epc memory request | 512Ki |
+| `nodeSelector`| Dictionary of node selector settings | <empty> |
+| `tolerations`| Array of tolerations settings | <empty> |
+| `affinity`| Dictionary of affinity settings | <empty> |
+
+

charts/trusted-certificate-issuer/templates/NOTES.txt

@@ -0,0 +1 @@
+Thank you for installing {{ .Chart.Name }}.

charts/trusted-certificate-issuer/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "trusted-certificate-issuer.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "trusted-certificate-issuer.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "trusted-certificate-issuer.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "trusted-certificate-issuer.labels" -}}
+helm.sh/chart: {{ include "trusted-certificate-issuer.chart" . }}
+{{ include "trusted-certificate-issuer.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "trusted-certificate-issuer.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "trusted-certificate-issuer.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "trusted-certificate-issuer.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "trusted-certificate-issuer.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

charts/trusted-certificate-issuer/templates/deployment.yaml

@@ -0,0 +1,111 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "trusted-certificate-issuer.fullname" . }}
+  labels:
+    {{- include "trusted-certificate-issuer.labels" . | nindent 4 }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      {{- include "trusted-certificate-issuer.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "trusted-certificate-issuer.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "trusted-certificate-issuer.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - args:
+          - --leader-elect
+          - --zap-devel
+          - --zap-log-level=5
+          - --metrics-bind-address=:8082
+          - --health-probe-bind-address=:8083
+          - --user-pin=$USER_PIN
+          - --so-pin=$SO_PIN
+          - --use-random-nonce=true
+          {{- if .Values.controllerExtraArgs }}
+          {{- with .Values.controllerExtraArgs }}
+          {{- tpl . $ | trim | indent 8 }}
+          {{- end }}
+          {{- end }}
+          command:
+          - /tcs-issuer
+          env:
+          - name: USER_PIN
+            valueFrom:
+              secretKeyRef:
+                key: userpin
+                name: tcs-issuer-pkcs11-conf
+          - name: SO_PIN
+            valueFrom:
+              secretKeyRef:
+                key: sopin
+                name: tcs-issuer-pkcs11-conf
+          name: {{ .Chart.Name }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+          image: "{{ .Values.image.hub }}/{{ .Values.image.name }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8083
+            initialDelaySeconds: 10
+            periodSeconds: 180
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8083
+            initialDelaySeconds: 10
+            periodSeconds: 5
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+          - mountPath: /home/tcs-issuer/tokens
+            name: tokens-dir
+      initContainers:
+      - command:
+        - /bin/chown
+        - -R
+        - 5000:5000
+        - /home/tcs-issuer/tokens
+        image: busybox
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        name: init
+        volumeMounts:
+        - mountPath: /home/tcs-issuer/tokens
+          name: tokens-dir
+      volumes:
+      - hostPath:
+          path: /var/lib/tcs-issuer/tokens
+          type: DirectoryOrCreate
+        name: tokens-dir
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}