Add ctlog-tiles chart #1098
Conversation
1f3b70e to 38bbe6c
charts/ctlog-tiles/Chart.yaml (outdated)

```yaml
description: Tiles-based certificate log (TesseraCT)
type: application
version: 0.1.0
appVersion: v0.1.1-0.20251112113307-52b154e44576
```
https://github.com/transparency-dev/tesseract/releases/tag/v0.1.1 just got released, so we can bump it in scaffolding
Thanks! sigstore/scaffolding#1835
Create a secret for the private key:

```
kubectl -n ctlog-tiles-system create secret generic ctlog-signing-key --from-file=signing-key=/path/to/privkey.pem
```
Can we give instructions on generating the private key too, just an openssl incantation?
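A key-generation step to sit alongside the README's secret-creation command, added here as an example and not taken from the PR, the chart, or the reviewers: it generates an ECDSA P-256 signing key with openssl, derives the public key the log will publish, checks the private key parses, and prints (rather than runs) the kubectl command from the README so the script works without a cluster. The choice of P-256, the output directory layout, and the function names are assumptions of this example, not something the thread states.

```shell
#!/bin/sh
# Added example (not part of the ctlog-tiles chart): generate a CT log
# signing key and show how it would be loaded into the Secret the
# README describes.
set -eu

# gen_ctlog_signing_key DIR
# Writes DIR/privkey.pem (ECDSA P-256, assumed here to be the curve the
# log expects) and DIR/pubkey.pem, verifies the private key, and prints
# the private key path.
gen_ctlog_signing_key() {
  dir="$1"
  mkdir -p "$dir"
  # Subshell so the restrictive umask only applies to the key files:
  # the private key must never be group- or world-readable.
  (
    umask 077
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/privkey.pem"
  )
  # Public key to hand to clients / the CT log list; safe to share.
  openssl pkey -in "$dir/privkey.pem" -pubout -out "$dir/pubkey.pem"
  # Sanity-check key consistency before it goes anywhere near the cluster.
  openssl ec -in "$dir/privkey.pem" -noout -check >/dev/null 2>&1
  echo "$dir/privkey.pem"
}

# key_is_p256 KEYFILE
# Returns 0 when the key's curve is P-256 (openssl prints the OID name
# prime256v1 and the NIST name P-256 in its text dump).
key_is_p256() {
  openssl ec -in "$1" -noout -text 2>/dev/null | grep -q 'prime256v1\|P-256'
}

# secret_command KEYFILE
# Prints the README's kubectl command with the generated key path filled
# in. Printed, not executed, so this example runs offline.
secret_command() {
  printf 'kubectl -n ctlog-tiles-system create secret generic ctlog-signing-key --from-file=signing-key=%s\n' "$1"
}

# Usage (assumed output directory; adjust as needed):
#   key=$(gen_ctlog_signing_key ./ctlog-keys)
#   key_is_p256 "$key" && secret_command "$key"
```

Run the printed kubectl command once the key has been reviewed; the private key file should then be deleted from the workstation or moved to whatever secret store the deployment uses, since the Secret in the cluster becomes the copy the log reads.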
```yaml
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ template "ctlog-tiles.image" .Values.image }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
#env:
```
Why is this section commented out?
```yaml
{{- end }}
{{- if ((.Values.server.posix).storageDir).volume }}
- name: {{ .Values.server.posix.storageDir.name -}}
{{- toYaml .Values.server.posix.storageDir.volume | nindent 10 }}
```
Just wondering, why do we specify a volume rather than a specific volume type? Is this because hostPath would just be used in testing but a prod deployment would use a persistent volume?
Right, it's easier in local development to just give the whole YAML of the volume section so that you can easily use emptyDir or hostPath, but in real life you'd use something more robust and secure. We also do this in the TUF chart.
b6cfa28 to cbc3613
haydentherapper left a comment:

Looks great!
haydentherapper left a comment:

Looks great, but actually clicking approve!
Add a chart named ctlog-tiles to support TesseraCT as an alternative CT log for Fulcio. The POSIX and GCP backends are supported.

This chart has a unique way of crafting the image string based on which personality (posix or gcp) is chosen. This lets values.yaml/Chart.yaml still be the source of truth for the image version, which is consistent with how Sigstore charts are used in the public good instance (as opposed to overriding the image version in the infrastructure values.yaml).

This is closely based on the rekor-tiles chart. It creates NEGs but no explicit Ingress gateway, since a multi-purpose load balancer needs to be created externally to link the service to the backend bucket.

Relates to sigstore/rekor-tiles#73

Signed-off-by: Colleen Murphy <[email protected]>
Checklist

- Chart version bumped in Chart.yaml according to semver. Where applicable, update and bump the versions in any associated umbrella chart.
- values.yaml updated and added to the README.md. The helm-docs utility can be used to generate the necessary content. Use `helm-docs --dry-run` to preview the content.
- Chart linted with the `ct lint` command.