feat(chart): Replace Vault dependency to use Bitnami chart (#935)

javirln · web-flow · commit f2ee48b5078e · 2024-06-11T14:34:05.000+02:00
Signed-off-by: Javier Rodriguez &lt;javier@chainloop.dev&gt;
diff --git a/deployment/chainloop/Chart.lock b/deployment/chainloop/Chart.lock
@@ -1,12 +1,12 @@
 dependencies:
 - name: common
   repository: https://charts.bitnami.com/bitnami
-  version: 2.13.3
+  version: 2.20.2
 - name: postgresql
   repository: https://charts.bitnami.com/bitnami
   version: 12.12.10
 - name: vault
-  repository: https://helm.releases.hashicorp.com
-  version: 0.24.1
-digest: sha256:1b95f8a9f568f84ea7311e984c3a4c85270254dd33b42c9f6e9f606dc3f525e2
-generated: "2023-10-19T09:44:57.183038226+02:00"
+  repository: https://charts.bitnami.com/bitnami
+  version: 1.4.5
+digest: sha256:f36d00d6d657f2e9f7f1dc6df78e852471cff214b8a7a8ad9722351b978aefdf
+generated: "2024-06-10T14:18:12.118269+02:00"
diff --git a/deployment/chainloop/Chart.yaml b/deployment/chainloop/Chart.yaml
@@ -1,10 +1,13 @@
+# Copyright Chainloop, Inc. All Rights Reserved.
+# SPDX-License-Identifier: APACHE-2.0
+
 apiVersion: v2
 name: chainloop
 description: Chainloop is an open source software supply chain control plane, a single source of truth for artifacts plus a declarative attestation crafting process.
 
 type: application
 # Bump the patch (not minor, not major) version on each change in the Chart Source code
-version: 1.56.0
+version: 1.56.1
 # Do not update appVersion, this is handled automatically by the release process
 appVersion: v0.91.1
 
@@ -20,5 +23,5 @@ dependencies:
     version: 12.x.x
   - condition: development
     name: vault
-    repository: https://helm.releases.hashicorp.com
-    version: 0.24.x
+    repository: https://charts.bitnami.com/bitnami
+    version: 1.4.x
diff --git a/deployment/chainloop/README.md b/deployment/chainloop/README.md
@@ -561,6 +561,11 @@ chainloop config save \
 | `controlplane.sentry.enabled`                                | Enable sentry.io alerting                                                | `false`      |
 | `controlplane.sentry.dsn`                                    | DSN endpoint https://docs.sentry.io/product/sentry-basics/dsn-explainer/ | `""`         |
 | `controlplane.sentry.environment`                            | Environment tag                                                          | `production` |
+| `controlplane.keylessSigning.enabled`                        | Activates or deactivates de feature                                      | `false`      |
+| `controlplane.keylessSigning.backend`                        | The backend to use. Currently only "fileCA" is supported                 | `fileCA`     |
+| `controlplane.keylessSigning.fileCA.cert`                    | The PEM-encoded certificate of the file based CA                         | `""`         |
+| `controlplane.keylessSigning.fileCA.key`                     | The PEM-encoded private key of the file based CA                         | `""`         |
+| `controlplane.keylessSigning.fileCA.keyPass`                 | The secret key pass                                                      | `""`         |
 
 ### Artifact Content Addressable (CAS) API
 
@@ -630,16 +635,20 @@ chainloop config save \
 
 ### Dependencies
 
-| Name                                 | Description                                                                                            | Value          |
-| ------------------------------------ | ------------------------------------------------------------------------------------------------------ | -------------- |
-| `postgresql.enabled`                 | Switch to enable or disable the PostgreSQL helm chart                                                  | `true`         |
-| `postgresql.auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `false`        |
-| `postgresql.auth.username`           | Name for a custom user to create                                                                       | `chainloop`    |
-| `postgresql.auth.password`           | Password for the custom user to create                                                                 | `chainlooppwd` |
-| `postgresql.auth.database`           | Name for a custom database to create                                                                   | `chainloop-cp` |
-| `postgresql.auth.existingSecret`     | Name of existing secret to use for PostgreSQL credentials                                              | `""`           |
-| `vault.server.dev.enabled`           | Enable development mode (unsealed, in-memory, insecure)                                                | `true`         |
-| `vault.server.dev.devRootToken`      | Connection token                                                                                       | `notapassword` |
+| Name                                 | Description                                                                                            | Value                                                                                                                      |
+| ------------------------------------ | ------------------------------------------------------------------------------------------------------ |----------------------------------------------------------------------------------------------------------------------------|
+| `postgresql.enabled`                 | Switch to enable or disable the PostgreSQL helm chart                                                  | `true`                                                                                                                     |
+| `postgresql.auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `false`                                                                                                                    |
+| `postgresql.auth.username`           | Name for a custom user to create                                                                       | `chainloop`                                                                                                                |
+| `postgresql.auth.password`           | Password for the custom user to create                                                                 | `chainlooppwd`                                                                                                             |
+| `postgresql.auth.database`           | Name for a custom database to create                                                                   | `chainloop-cp`                                                                                                             |
+| `postgresql.auth.existingSecret`     | Name of existing secret to use for PostgreSQL credentials                                              | `""`                                                                                                                       |
+| `vault.server.args`                  | Arguments to pass to the vault server. This is useful for setting the server in development mode       | `["server","-dev"]`                                                                                                        |
+| `vault.server.config`                | Configuration for the vault server. Small override of default Bitnami configuration                    | <pre><code>storage "inmem" {}<br/>disable_mlock = true<br/>ui = true<br/>service_registration "kubernetes" {}</code></pre> |
+| `vault.server.extraEnvVars[0].name`  | Root token for the vault server                                                                        | `VAULT_DEV_ROOT_TOKEN_ID`                                                                                                  |
+| `vault.server.extraEnvVars[0].value` | The value of the root token. Default: notasecret                                                       | `notasecret`                                                                                                               |
+| `vault.server.extraEnvVars[1].name`  | Address to listen on development mode                                                                  | `VAULT_DEV_LISTEN_ADDRESS`                                                                                                 |
+| `vault.server.extraEnvVars[1].value` | The address to listen on. Default: [::]:8200                                                           | `[::]:8200`                                                                                                                |
 
 ## License
 
diff --git a/deployment/chainloop/charts/common-2.13.3.tgz b/deployment/chainloop/charts/common-2.13.3.tgz
diff --git a/deployment/chainloop/charts/common-2.20.2.tgz b/deployment/chainloop/charts/common-2.20.2.tgz
diff --git a/deployment/chainloop/charts/vault-0.24.1.tgz b/deployment/chainloop/charts/vault-0.24.1.tgz
diff --git a/deployment/chainloop/charts/vault-1.4.5.tgz b/deployment/chainloop/charts/vault-1.4.5.tgz
diff --git a/deployment/chainloop/templates/_helpers.tpl b/deployment/chainloop/templates/_helpers.tpl
@@ -1,3 +1,7 @@
+{{- /*
+Copyright Chainloop, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
 
 {{- define "chainloop.postgresql.fullname" -}}
 {{- include "common.names.dependency.fullname" (dict "chartName" "postgresql" "chartValues" .Values.postgresql "context" $) -}}
@@ -61,14 +65,24 @@ WBiBSPaJtz6JYk/fye4=
 {{- with .Values.secretsBackend }}
 secretPrefix: {{ required "secret prefix required" .secretPrefix | quote }}
 {{- if eq .backend "vault" }}
+{{- $tokenEnvVar := "" }}
+{{- range $.Values.vault.server.extraEnvVars }}
+  {{- if eq .name "VAULT_DEV_ROOT_TOKEN_ID" }}
+    {{- $tokenEnvVar = .value }}
+  {{- end }}
+{{- end }}
 vault:
   {{- if and $.Values.development (or (not .vault) not .vault.address) }}
-  address: {{ printf "http://%s:8200" (include "chainloop.vault.fullname" $) | quote }}
-  token: {{ $.Values.vault.server.dev.devRootToken | quote }}
-  {{- else if (required "vault backend selected but configuration not provided" .vault ) }}
+  address: {{ printf "http://%s-server:8200" (include "chainloop.vault.fullname" $) | quote }}
+  {{- if $tokenEnvVar }}
+  token: {{ $tokenEnvVar | quote }}
+  {{- else }}
+  {{- required "VAULT_DEV_ROOT_TOKEN_ID environment variable is required when development mode is enabled" (index $.Values.vault.server.extraEnvVars "VAULT_DEV_ROOT_TOKEN_ID") }}
+  {{- end }}
+{{- else if (required "vault backend selected but configuration not provided" .vault ) }}
   address: {{ required "vault address required" .vault.address | quote }}
   token: {{ required "vault token required" .vault.token | quote }}
-  {{- end }}
+{{- end }}
 
 {{- else if eq .backend "awsSecretManager" }}
 awsSecretManager:
diff --git a/deployment/chainloop/templates/controlplane/config.configmap.yaml b/deployment/chainloop/templates/controlplane/config.configmap.yaml
@@ -1,3 +1,8 @@
+{{- /*
+Copyright Chainloop, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 apiVersion: v1
 kind: ConfigMap
 metadata:
diff --git a/deployment/chainloop/templates/controlplane/config.secret.yaml b/deployment/chainloop/templates/controlplane/config.secret.yaml
@@ -1,3 +1,8 @@
+{{- /*
+Copyright Chainloop, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/deployment/chainloop/templates/controlplane/deployment.yaml b/deployment/chainloop/templates/controlplane/deployment.yaml
@@ -1,3 +1,8 @@
+{{- /*
+Copyright Chainloop, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:
diff --git a/deployment/chainloop/templates/controlplane/deployment_sqlproxy.yaml b/deployment/chainloop/templates/controlplane/deployment_sqlproxy.yaml
@@ -1,3 +1,8 @@
+{{- /*
+Copyright Chainloop, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 {{ if .Values.controlplane.sqlProxy.enabled }}
 apiVersion: apps/v1
 kind: Deployment
diff --git a/deployment/chainloop/templates/controlplane/file_ca.secret.yaml b/deployment/chainloop/templates/controlplane/file_ca.secret.yaml
@@ -1,3 +1,8 @@
+{{- /*
+Copyright Chainloop, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 {{- if and .Values.controlplane.keylessSigning.enabled (eq "fileCA" .Values.controlplane.keylessSigning.backend) }}
 apiVersion: v1
 kind: Secret
diff --git a/deployment/chainloop/templates/controlplane/gcp_secret_manager.secret.yaml b/deployment/chainloop/templates/controlplane/gcp_secret_manager.secret.yaml
@@ -1,3 +1,8 @@
+{{- /*
+Copyright Chainloop, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 {{- if eq "gcpSecretManager" .Values.secretsBackend.backend  }}
 apiVersion: v1
 kind: Secret
diff --git a/deployment/chainloop/templates/controlplane/gke_monitoring.yaml b/deployment/chainloop/templates/controlplane/gke_monitoring.yaml
@@ -1,3 +1,8 @@
+{{- /*
+Copyright Chainloop, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 {{- if .Values.GKEMonitoring.enabled -}}
 apiVersion: monitoring.googleapis.com/v1
 kind: PodMonitoring
diff --git a/deployment/chainloop/templates/controlplane/hpa.yaml b/deployment/chainloop/templates/controlplane/hpa.yaml
@@ -1,3 +1,8 @@
+{{- /*
+Copyright Chainloop, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 {{- if .Values.controlplane.autoscaling.enabled }}
 apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ ) }}
 kind: HorizontalPodAutoscaler
diff --git a/deployment/chainloop/templates/controlplane/ingress.yaml b/deployment/chainloop/templates/controlplane/ingress.yaml
@@ -1,3 +1,8 @@
+{{- /*
+Copyright Chainloop, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 {{- if .Values.controlplane.ingress.enabled }}
 {{- $fullName := include "chainloop.controlplane.fullname" . -}}
 apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
diff --git a/deployment/chainloop/templates/controlplane/ingress_grpc.yaml b/deployment/chainloop/templates/controlplane/ingress_grpc.yaml
@@ -1,3 +1,8 @@
+{{- /*
+Copyright Chainloop, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 {{- if .Values.controlplane.ingressAPI.enabled }}
 {{- $fullName := printf "%s-%s" (include "chainloop.controlplane.fullname" .) "api" -}}
 apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
diff --git a/deployment/chainloop/templates/controlplane/jwt_cas_private_key.secret.yaml b/deployment/chainloop/templates/controlplane/jwt_cas_private_key.secret.yaml
@@ -1,3 +1,8 @@
+{{- /*
+Copyright Chainloop, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/deployment/chainloop/templates/controlplane/service_grpc.yaml b/deployment/chainloop/templates/controlplane/service_grpc.yaml
@@ -1,3 +1,8 @@
+{{- /*
+Copyright Chainloop, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/deployment/chainloop/templates/controlplane/service_http.yaml b/deployment/chainloop/templates/controlplane/service_http.yaml
@@ -1,3 +1,8 @@
+{{- /*
+Copyright Chainloop, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/deployment/chainloop/templates/controlplane/service_sql-proxy.yaml b/deployment/chainloop/templates/controlplane/service_sql-proxy.yaml
@@ -1,3 +1,8 @@
+{{- /*
+Copyright Chainloop, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 {{ if .Values.controlplane.sqlProxy.enabled }}
 apiVersion: v1
 kind: Service
diff --git a/deployment/chainloop/templates/controlplane/serviceaccount.yaml b/deployment/chainloop/templates/controlplane/serviceaccount.yaml
@@ -1,3 +1,8 @@
+{{- /*
+Copyright Chainloop, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 {{- if .Values.controlplane.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
diff --git a/deployment/chainloop/values.yaml b/deployment/chainloop/values.yaml
@@ -1,3 +1,6 @@
+# Copyright Chainloop, Inc. All Rights Reserved.
+# SPDX-License-Identifier: APACHE-2.0
+
 ## Default values for Chainloop Helm Chart
 
 ## @skip global
@@ -452,7 +455,7 @@ controlplane:
     dsn: ""
     environment: production
 
-  ## @param controlplane.keylessSigning Configuration for keyless signing using one of the supported providers
+  ## Configuration for keyless signing using one of the supported providers
   ## @param controlplane.keylessSigning.enabled Activates or deactivates de feature
   ## @param controlplane.keylessSigning.backend The backend to use. Currently only "fileCA" is supported
   ## @param controlplane.keylessSigning.fileCA.cert The PEM-encoded certificate of the file based CA
@@ -809,12 +812,31 @@ postgresql:
 # Vault server running in development mode --set development=true
 # IMPORTANT: This is not meant to run in production
 
-## Hashicorp Vault chart configuration
-## ref: https://github.com/hashicorp/vault-helm/blob/main/values.yaml
-## @param vault.server.dev.enabled Enable development mode (unsealed, in-memory, insecure)
-## @param vault.server.dev.devRootToken Connection token
+## Bitnami Hashicorp Vault chart configuration
+## ref: https://github.com/bitnami/charts/blob/main/bitnami/vault/values.yaml
+## @param vault.server.args Arguments to pass to the vault server. This is useful for setting the server in development mode
+## @param vault.server.config Configuration for the vault server. Small override of default Bitnami configuration
+## @param vault.server.extraEnvVars[0].name Root token for the vault server
+## @param vault.server.extraEnvVars[0].value The value of the root token. Default: notasecret
+## @param vault.server.extraEnvVars[1].name Address to listen on development mode
+## @param vault.server.extraEnvVars[1].value The address to listen on. Default: [::]:8200
 vault:
   server:
-    dev:
-      enabled: true
-      devRootToken: "notapassword"
+    ## This configuration is only for development purposes and should not be used in production. Development
+    ## mode is configured by --set development=true, which enables this Vault chart
+    args: [
+      "server",
+      "-dev"
+    ]
+    extraEnvVars:
+      - name: VAULT_DEV_ROOT_TOKEN_ID
+        value: "notasecret"
+      - name: VAULT_DEV_LISTEN_ADDRESS
+        value: "[::]:8200"
+    config: |
+      storage "inmem" {}
+
+      disable_mlock = true
+      ui = true
+
+      service_registration "kubernetes" {}
