From a8314701ee6b079cd525fdf7993825d0eea3fcdd Mon Sep 17 00:00:00 2001
From: Shaked Klein Orbach
Date: Sun, 15 Sep 2024 19:15:21 +0300
Subject: [PATCH 1/3] allow bringing the SA from outside the chart

---
 charts/kyverno-notation-aws/templates/serviceaccount.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/charts/kyverno-notation-aws/templates/serviceaccount.yaml b/charts/kyverno-notation-aws/templates/serviceaccount.yaml
index dcbc096..ab48353 100644
--- a/charts/kyverno-notation-aws/templates/serviceaccount.yaml
+++ b/charts/kyverno-notation-aws/templates/serviceaccount.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.serviceAccount.enabled }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -7,3 +8,4 @@ metadata:
 annotations:
 {{- toYaml . | nindent 4 }}
 {{- end }}
+{{- end -}}

From ba138adc1e6638e7f7c41266dc812a0f0be39b92 Mon Sep 17 00:00:00 2001
From: Shaked Klein Orbach
Date: Sun, 15 Sep 2024 19:15:52 +0300
Subject: [PATCH 2/3] allow bringing the SA from outside the chart

---
 charts/kyverno-notation-aws/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/charts/kyverno-notation-aws/values.yaml b/charts/kyverno-notation-aws/values.yaml
index 9a7b7bc..2904cd6 100644
--- a/charts/kyverno-notation-aws/values.yaml
+++ b/charts/kyverno-notation-aws/values.yaml
@@ -48,7 +48,7 @@ deployment:
 # Service account configuration
 serviceAccount:
-
+ enabled: true
 # -- The ServiceAccount name
 name:

From ec1483d27f0fe644e0d17f52431ab88a69625063 Mon Sep 17 00:00:00 2001
From: Shaked Klein Orbach
Date: Mon, 23 Sep 2024 21:33:04 +0300
Subject: [PATCH 3/3] enable passing region through values file

this should allow passing things like us-gov-west-1, otherwise it is impossible to validate the signature

---
 charts/kyverno-notation-aws/templates/deployment.yaml | 4 ++--
 charts/kyverno-notation-aws/values.yaml | 8 +++++---
 2 files changed, 7 insertions(+), 5 deletions(-)
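Review bot: The new `{{- if .Values.serviceAccount.enabled }}` guard makes the whole file conditional, including the `annotations:` block in the second hunk, so with `enabled: false` any `serviceAccount.annotations` a user sets (typically an IAM role binding for this AWS plugin) are silently dropped and must already be present on the externally managed account. Nothing here checks that `serviceAccount.name` is set in that case; if deployment.yaml takes `serviceAccountName` from `.Values.serviceAccount.name` (not visible in this patch), an empty name falls through to the namespace's `default` account at runtime instead of failing at render. A render-time guard in the template that consumes the name, `{{- if and (not .Values.serviceAccount.enabled) (not .Values.serviceAccount.name) }}{{ fail "serviceAccount.name is required when serviceAccount.enabled is false" }}{{- end }}`, surfaces the misconfiguration in `helm template`. On naming, most charts call this key `serviceAccount.create`; `enabled` reads as switching the account off rather than as choosing who creates it.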
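Review bot: `enabled: true` is added without the helm-docs `# --` comment that the neighbouring `# -- The ServiceAccount name` key uses, so the new option gets no generated documentation and its contract with `name` is unstated. Add above it `# -- (bool) Create the ServiceAccount. When false, serviceAccount.name must point at an account that already exists in the namespace, and serviceAccount.annotations are not applied to it.` The second claim follows from the serviceaccount.yaml template in the previous patch, where the annotations block sits inside the same `if`.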
diff --git a/charts/kyverno-notation-aws/templates/deployment.yaml b/charts/kyverno-notation-aws/templates/deployment.yaml
index be5bbd8..4735818 100644
--- a/charts/kyverno-notation-aws/templates/deployment.yaml
+++ b/charts/kyverno-notation-aws/templates/deployment.yaml
@@ -61,7 +61,7 @@ spec:
 - name: POD_NAMESPACE
 valueFrom:
 fieldRef:
- fieldPath: metadata.namespace
+ fieldPath: metadata.namespace
 - name: SERVICE_NAME
 value: {{ template "kyverno-notation-aws.serviceName" . }}
 - name: DEPLOYMENT_NAME
@@ -71,7 +71,7 @@ spec:
 fieldRef:
 fieldPath: metadata.name
 - name: AWS_REGION
- value: us-west-2
+ value: {{ .Values.region }}
 - name: DEFAULT_TRUST_POLICY
 value: aws-signer-trust-policy
 volumeMounts:
diff --git a/charts/kyverno-notation-aws/values.yaml b/charts/kyverno-notation-aws/values.yaml
index 2904cd6..a1701cc 100644
--- a/charts/kyverno-notation-aws/values.yaml
+++ b/charts/kyverno-notation-aws/values.yaml
@@ -1,3 +1,5 @@
+region: us-west-2
+
 # -- (string) Override the name of the chart
 nameOverride: ~
@@ -39,10 +41,10 @@ deployment:
 # registry: bar.example.com
 # username: barbaz
 # password: secret2
-
+
 # -- Allow insecure registry specifies whether to allow insecure connections to registries. Not recommended.
 allowInsecureRegistry: false
-
+
 # -- Max signature attempts specifies the maximum number of signature envelopes that will be processed for verification
 maxSignatureAttempts: 30
@@ -59,7 +61,7 @@ serviceAccount:
 # Config map configuration
 configMap:
-
+
 # -- The notation-plugin-config configmap name
 name: notation-plugin-config
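Review bot: `value: {{ .Values.region }}` in the second hunk of deployment.yaml renders unquoted and unvalidated, so a user who clears the value (`region: ""` or `region: ~`) gets an empty `AWS_REGION` and the error surfaces only when a signature is verified, which is exactly the failure mode the commit sets out to remove. Validate at render time and quote the scalar: `value: {{ required "region must be set (e.g. us-gov-west-1)" .Values.region | quote }}`. The first hunk of this file changes only whitespace, and the container spec these env entries belong to begins outside both hunks.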
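Review bot: `region: us-west-2` is introduced at the top of values.yaml without the `# --` helm-docs comment that the key directly beneath it (`# -- (string) Override the name of the chart`) and the rest of the file carry, so the new knob will be missing from generated docs and the GovCloud motivation from the commit message is lost to readers of the values file. Add `# -- (string) AWS region exported as AWS_REGION in the deployment (e.g. us-gov-west-1)` above it. The other two hunks in this file only replace whitespace-only lines with empty ones.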