@cmurphy cmurphy commented Dec 11, 2025

Using createcerts to have the Fulcio chart automatically generate its roots for the fileca certificate authority mode is deprecated. Instead, users should generate their key material out of band. This way, the CTLog chart can share the Fulcio root in its configuration instead of implicitly trusting Fulcio's rootCerts endpoint.

Relates to sigstore/scaffolding#1833

This is how the installation/upgrade message now appears if createcerts.enabled is not set to false:

Release "fulcio" has been upgraded. Happy Helming!
NAME: fulcio
LAST DEPLOYED: Thu Dec 11 10:41:09 2025
NAMESPACE: fulcio-system
STATUS: deployed
REVISION: 4
TEST SUITE: None
NOTES:
**DEPRECATED**: createcerts is deprecated. If using the fileca certificate authority, create the fulcio-secrets secret containing the private signing key, encryption password, and certiticate authority manually.
To dismiss this message, set createcerts.enabled=false in your values.yaml.

Description of the change

Existing or Associated Issue(s)

Additional Information

Checklist

  • Chart version bumped in Chart.yaml according to semver. Where applicable, update and bump the versions in any associated umbrella chart
  • Variables are documented in the values.yaml and added to the README.md. The helm-docs utility can be used to generate the necessary content. Use helm-docs --dry-run to preview the content.
  • JSON Schema generated.
  • Lint tests pass for Chart using the Chart Testing tool and the ct lint command.

@cmurphy cmurphy requested review from a team as code owners December 11, 2025 18:47
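The out-of-band key generation the description calls for, as an added shell example (not code from the PR or the Fulcio chart): it assumes the chart mounts secret keys named private, cert and password from a secret called fulcio-secrets in fulcio-system, as the NOTES text and the review comment indicate, and that Fulcio accepts a password-encrypted PEM EC key in fileca mode; the directory, subject name and password are constructed for the example.

```shell
# Added example, not code from the PR or the Fulcio chart. Generates the fileca
# signing key and root out of band and renders the fulcio-secrets Secret by hand.
# Secret key names (private, cert, password) follow the review comment; dir, subject and password are constructed.
set -eu
# gen_fileca_material DIR PASSWORD: AES-256 encrypted P-256 key, self-signed CA cert, Secret manifest.
gen_fileca_material() {
  dir=$1; password=$2
  mkdir -p "$dir"
  openssl ecparam -genkey -name prime256v1 -noout -out "$dir/unenc.key"
  # Encrypt the key with the password the chart passes to Fulcio, then drop the plaintext copy.
  openssl ec -in "$dir/unenc.key" -out "$dir/file_ca_key.pem" -aes256 -passout "pass:$password"
  rm -f "$dir/unenc.key"
  # Minimal config so the root is marked CA:TRUE regardless of the system openssl.cnf.
  cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
O = example
CN = fulcio-root-example
[v3_ca]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -new -x509 -days 3650 -config "$dir/ca.cnf" \
    -key "$dir/file_ca_key.pem" -passin "pass:$password" -out "$dir/file_ca_cert.pem"
  # Secret with the three keys the chart mounts; apply it with kubectl before disabling createcerts.
  b64() { base64 < "$1" | tr -d '\n'; }
  cat > "$dir/fulcio-secrets.yaml" <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: fulcio-secrets
  namespace: fulcio-system
type: Opaque
data:
  private: $(b64 "$dir/file_ca_key.pem")
  cert: $(b64 "$dir/file_ca_cert.pem")
  password: $(printf '%s' "$password" | base64 | tr -d '\n')
EOF
}
# check_fileca_material DIR PASSWORD: succeeds only if the cert is a CA and its public key matches the encrypted key.
check_fileca_material() {
  dir=$1; password=$2
  openssl x509 -in "$dir/file_ca_cert.pem" -noout -text | grep -q 'CA:TRUE' || return 1
  k=$(openssl ec -in "$dir/file_ca_key.pem" -passin "pass:$password" -pubout 2>/dev/null || true)
  c=$(openssl x509 -in "$dir/file_ca_cert.pem" -noout -pubkey)
  [ "$k" = "$c" ]
}
```

The same file_ca_cert.pem is what the CTLog chart can then be given as the Fulcio root, instead of fetching it from the rootCerts endpoint at install time.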
@@ -0,0 +1,4 @@
{{- if (.Values.createcerts).enabled -}}
**DEPRECATED**: createcerts is deprecated. If using the fileca certificate authority, create the fulcio-secrets secret containing the private signing key, encryption password, and certiticate authority manually.
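Review bot: "certiticate" in the added NOTES line is a typo for "certificate"; this text is printed on every install and upgrade while createcerts.enabled is true, so it is worth correcting in this change. It would also help operators who now have to build fulcio-secrets by hand if the notice named the exact secret keys and the values key that points the server at the secret, rather than leaving them to find those names in the templates.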

Should we mention that the secret name should be set in Values.server.secret along with the secret keys (private, cert, and password), or is that self-explanatory from the chart?

Using createcerts to have the Fulcio chart automatically generate its
roots for the fileca certificate authority mode is deprecated. Instead,
users should generate their key material out of band. This way, the
CTLog chart can share the Fulcio root in its configuration instead of
implicitly trusting Fulcio's rootCerts endpoint.

Signed-off-by: Colleen Murphy <[email protected]>
@cmurphy cmurphy merged commit 2776d88 into sigstore:main Dec 12, 2025
3 checks passed