securesign · Gregory-Pereira · Dec 16, 2023 · Dec 16, 2023 · Dec 16, 2023
diff --git a/charts/trusted-artifact-signer/templates/clientserver-deployment.yaml b/charts/trusted-artifact-signer/templates/clientserver-deployment.yaml
@@ -22,7 +22,6 @@ spec:
       containers:
       - name: tas-clients
         image: "{{ template "image" .Values.configs.clientserver.image }}"
-        #image: quay.io/sallyom/tas-clients:httpd
         imagePullPolicy: IfNotPresent
         ports:
           - containerPort: 8080

diff --git a/charts/trusted-artifact-signer/templates/segment-backup-job.yaml b/charts/trusted-artifact-signer/templates/segment-backup-job.yaml
@@ -19,8 +19,7 @@ spec:
       serviceAccountName: segment-backup-job
       containers:
         - name: {{ .Values.configs.segment_backup_job.name }}
-          # image: "{{ .Values.configs.segment_backup_job.image.registry }}/{{ .Values.configs.segment_backup_job.image.repository }}/{{ .Values.configs.segment_backup_job.image.version }}"
-          image: "{{ .Values.configs.segment_backup_job.image.registry }}/{{ .Values.configs.segment_backup_job.image.repository }}@{{ .Values.configs.segment_backup_job.image.version }}"
+          image: "{{ template "image" .Values.configs.segment_backup_job.image }}"
           command: ["/bin/bash",  "/opt/app-root/src/script.sh"]
           env:
             - name: RUN_TYPE

diff --git a/charts/trusted-artifact-signer/values.yaml b/charts/trusted-artifact-signer/values.yaml
@@ -27,9 +27,9 @@ configs:
     namespace_create: true
     namespace: trusted-artifact-signer-clientserver
     image:
-      registry: registry.redhat.io
-      repository: rhtas-tech-preview/client-server-rhel9
-      version: sha256:07b1c06290706873ee55e39bad5804ea1d7574b01909adf97d67495ad919f9a1
+      registry: quay.io
+      repository: redhat-user-workloads/rhtas-tenant/access-1-0-gamma/client-server-1-0-gamma
+      version: sha256:d8540b72f67c3947287d30913a9277770a43eb37eff2dd3efcb8e24759a106ac
       pullPolicy: IfNotPresent
   ctlog:
     namespace: ctlog-system
@@ -40,7 +40,6 @@ configs:
       - ctlog
       - ctlog-createtree
       - trusted-artifact-signer-ctlog-createctconfig
-
   rekor:
     namespace_create: true
     namespace: rekor-system
@@ -69,7 +68,6 @@ configs:
         - interval: 30s
           port: 2112-tcp
           scheme: http
-
   fulcio:
     namespace_create: true
     namespace: fulcio-system
@@ -108,7 +106,6 @@ configs:
         - interval: 30s
           port: 2112-tcp
           scheme: http
-
   trillian:
     namespace_create: true
     namespace: trillian-system
@@ -118,7 +115,6 @@ configs:
       - trillian-logserver
       - trillian-logsigner
       - trillian-mysql
-
   tuf:
     namespace: tuf-system
     namespace_create: true
@@ -127,7 +123,6 @@ configs:
     rolebindings:
       - tuf
       - tuf-secret-copy-job
-
   cosign_deploy:
     enabled: false
     namespace: cosign
@@ -144,6 +139,13 @@ configs:
       repository: rhtas-tech-preview/cosign-rhel9
       version: sha256:f4c2cec3fc1e24bbe094b511f6fe2fe3c6fa972da0edacaf6ac5672f06253a3e
       pullPolicy: IfNotPresent
+  # tsa:
+  #   namespace: tsa-system
+  #   namespace_create: true
+  #   # -- names for rolebindings to add clusterroles to tuf serviceaccounts.
+  #   # The names must match the serviceaccount names in the tuf namespace.
+  #   rolebindings:
+  #     - tsa-server
 
 rbac:
   # -- clusterrole to be added to sigstore component serviceaccounts.
@@ -223,10 +225,6 @@ scaffold:
           className: ""
           annotations:
             route.openshift.io/termination: "edge"
-          hosts:
-          - host: fulcio.appsSubdomain
-            path: /
-
   rekor:
     enabled: true
     forceNamespace: rekor-system
@@ -257,10 +255,6 @@ scaffold:
         className: ""
         annotations:
           route.openshift.io/termination: "edge"
-        hosts:
-          - host: rekor.appsSubdomain
-            path: /
-
     createtree:
       image:
         registry: registry.redhat.io
@@ -384,15 +378,10 @@ scaffold:
       className: ""
       annotations:
         route.openshift.io/termination: "edge"
-      http:
-        hosts:
-          - host: tuf.appsSubdomain
-            path: /
     deployment:
       registry: registry.redhat.io
       repository: rhtas-tech-preview/tuf-server-rhel9
       version: sha256:413e361de99f09e617084438b2fc3c9c477f4a8e2cd65bd5f48271e66d57a9d9
-
   copySecretJob:
     name: copy-secrets-job
     enabled: true
@@ -405,9 +394,36 @@ scaffold:
 
   tsa:
     enabled: false
+    # enabled: true
     forceNamespace: tsa-system
     namespace:
       create: false
       name: tsa-system
     server:
       fullnameOverride: tsa-server
+      image:
+        registry: quay.io
+        repository: redhat-user-workloads/rhtas-tenant/tsa-1-0-gamma/timestamp-authority-1-0-gamma
+        version: sha256:4a142e1581801501705ab955109dc9a12bfd3e2232efa67b27b07bd7c290a40b
+        imagePullPolicy: IfNotPresent
+      ingress:
+        http:
+          enabled: true
+          className: ""
+          annotations:
+            route.openshift.io/termination: "edge"
+      serviceAccount:
+        create: true
+        name: "tsa-server"
+        mountToken: false
+      securityContext:
+        runAsUser: 1000620001
+        supplementalGroups: [1000620001]
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+          - ALL
+      containerSecurityContext:
+        testing: "true"
+
+
diff --git a/examples/values-sigstore-openshift.yaml b/examples/values-sigstore-openshift.yaml
@@ -45,4 +45,11 @@ scaffold:
       http:
         hosts:
           - host: tuf.$OPENSHIFT_APPS_SUBDOMAIN
-            path: /
+            path: /
+  # tsa:
+  #   server:
+  #     ingress:
+  #       http:
+  #         hosts:
+  #           - host: tsa.$OPENSHIFT_APPS_SUBDOMAIN
+  #             path: /
diff --git a/scripts/configure-local-env.sh b/scripts/configure-local-env.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+
+CERT_FILE_PREFIX="tmp-cert"
+KUBECTL_TOOL="kubectl"
+CERT_ACTION="add"
+TEMPDIR=$(mktemp -d -t rhtas-certs -p /tmp)
+trap 'rm -r "${TEMPDIR}"' EXIT
+
+function display_help {
+  echo "./$(basename "$0") [ -a | --apps-domain APPS_DOMAIN ] [ -gr | --gitops-namespace NAMESPACE ] [ -h | --help ] [ -hr | --helm-revision REVISION ] [ -hr | --helm-repository REPOSITORY ] [ -t | --tool TOOL ]
+
+Deployment of Argo CD Applications to support the managment of SPIFFE/SPIRE on OpenShift
+
+Where:
+  -d  | --delete            Delete certificates from OSX Keychain
+  -h  | --help              Display this help text
+  -t  | --tool              Tool for communicating with OpenShift cluster. Defaults to '${KUBECTL_TOOL}'
+
+"
+}
+
+
+for i in "${@}"
+do
+case $i in
+    -d | --delete )
+    CERT_ACTION="delete"
+    shift
+    ;;
+    -t | --tool )
+    KUBECTL_TOOL="${1}"
+    shift
+    ;;
+    -h | --help )
+    display_help
+    exit 0
+    ;;
+    -*) echo >&2 "Invalid option: " "${@}"
+    exit 1
+    ;;
+esac
+done
+
+# Check if split is installed
+command -v split >/dev/null 2>&1 || { echo >&2 "split is required but not installed.  Aborting."; exit 1; }
+
+# Check if kubectl or compatible is installed
+command -v ${KUBECTL_TOOL} >/dev/null 2>&1 || { echo >&2 "kubectl tool is required but not installed.  Aborting."; exit 1; } 
+
+# Grab the Kube Root Certificates
+${KUBECTL_TOOL} get -n default cm kube-root-ca.crt -o jsonpath='{.data.ca\.crt}' > ${TEMPDIR}/ca.crt
+
+# Split Certificates from bundle
+split -p "-----BEGIN CERTIFICATE-----" "${TEMPDIR}/ca.crt" ${TEMPDIR}/cert-
+
+# Find the ingress-operator certificte and add/remove it to/from the OSX keystore
+for f in ${TEMPDIR}/cert-*; do
+    COMMON_NAME=$(openssl x509 -subject -noout -nameopt multiline -in $f | grep commonName | awk '{ print $3 }')
+    if echo "${COMMON_NAME}" | grep -q "^ingress-operator"; then
+      if [ "${CERT_ACTION}" == "delete" ]; then
+        security find-certificate -c "${COMMON_NAME}" -a -Z | sudo awk '/SHA-1/{system("security delete-certificate -Z "$NF)}'
+        echo "'${COMMON_NAME}' removed from keychain"
+      else
+        sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "${f}"
+        echo "'${COMMON_NAME}' added to keychain"
+      fi
+    fi
+done
diff --git a/tas-easy-install.sh b/tas-easy-install.sh
@@ -144,6 +144,7 @@ oc -n rekor-system create secret generic rekor-private-key --from-file=private=.
 #OPENSHIFT_APPS_SUBDOMAIN=$common_name envsubst < examples/values-sigstore-openshift.yaml | helm install --debug trusted-artifact-signer trusted-artifact-signer/trusted-artifact-signer -n trusted-artifact-signer --create-namespace --values -
 OPENSHIFT_APPS_SUBDOMAIN=$common_name envsubst < examples/values-sigstore-openshift.yaml | helm upgrade -i trusted-artifact-signer --debug charts/trusted-artifact-signer  -n trusted-artifact-signer --create-namespace --values -
 
+oc set env -n fulcio-system deployment/fulcio-server SSL_CERT_DIR=/var/run/fulcio
 # Create the script to initialize the environment variables for the service endpoints
 generate_env_script
 
diff --git a/testing/Dockerfile.test b/testing/Dockerfile.test
@@ -0,0 +1,2 @@
+FROM scratch
+ADD test-file.txt /