From 0efc1bfe1d048926eea16ed0aa0dcbf3011a146e Mon Sep 17 00:00:00 2001
From: Cody Soyland
Date: Thu, 29 Aug 2024 15:52:41 -0400
Subject: [PATCH 1/5] Pin kubectl version

Fixes https://github.com/github/package-security/issues/1843

Signed-off-by: Cody Soyland
---
 charts/policy-controller/README.md | 2 +-
 charts/policy-controller/templates/_helpers.tpl | 3 +++
 charts/policy-controller/values.yaml | 2 +-
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/charts/policy-controller/README.md b/charts/policy-controller/README.md
index 3b71c2a..f21d6d4 100644
--- a/charts/policy-controller/README.md
+++ b/charts/policy-controller/README.md
@@ -21,7 +21,7 @@ The Helm chart for Policy Controller
 | installCRDs | bool | `true` | |
 | leasescleanup.image.pullPolicy | string | `"IfNotPresent"` | |
 | leasescleanup.image.repository | string | `"cgr.dev/chainguard/kubectl"` | |
-| leasescleanup.image.version | string | `"latest-dev"` | |
+| leasescleanup.image.version | string | `"sha256:dfa420c3fe94a8365b274fd714fb829b466cd762d6870d579db8744e6f27450a"` | |
 | loglevel | string | `"info"` | |
 | serviceMonitor.enabled | bool | `false` | |
 | webhook.configData | object | `{}` | |
diff --git a/charts/policy-controller/templates/_helpers.tpl b/charts/policy-controller/templates/_helpers.tpl
index dacf24e..8b66a2d 100644
--- a/charts/policy-controller/templates/_helpers.tpl
+++ b/charts/policy-controller/templates/_helpers.tpl
@@ -124,6 +124,9 @@ Create the image path for the passed in image field
 Create the image path for the passed in leases-cleanup image field
 */}}
 {{- define "leases-cleanup.image" -}}
+{{- if eq (substr 0 7 .version) "sha256:" -}}
+{{- printf "%s@%s" .repository .version -}}
+{{- else -}}
 {{- printf "%s:%s" .repository .version -}}
 {{- end -}}
 
diff --git a/charts/policy-controller/values.yaml b/charts/policy-controller/values.yaml
index 3281dbe..c6a5832 100644
--- a/charts/policy-controller/values.yaml
+++ b/charts/policy-controller/values.yaml
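Review bot: The digest test on the new `if` line in `leases-cleanup.image` compares a seven-character substring against `"sha256:"`, which works but hides the intent behind a magic offset; Sprig's `hasPrefix` states it directly, `{{- if hasPrefix "sha256:" .version -}}`. If digests using other algorithms should also be accepted as pins, testing for a colon (`contains ":" .version`) separates any `algo:hex` digest from a tag, since image tags cannot contain `:`. The comment block above the define still says only that it creates the image path; I would extend it with `A .version beginning with "sha256:" is joined to .repository with "@" (digest pin); any other value is used as a tag.` The closing `end` for the new `if` is supplied by the second patch in this series, so the define's true end is not in this hunk.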
@@ -70,7 +70,7 @@ webhook:
 leasescleanup:
 image:
 repository: cgr.dev/chainguard/kubectl
- version: latest-dev
+ version: sha256:dfa420c3fe94a8365b274fd714fb829b466cd762d6870d579db8744e6f27450a # crane digest cgr.dev/chainguard/kubectl:latest
 pullPolicy: IfNotPresent
 
 ## common node selector for all the pods

From 4def6fbe18341d46220433c2261d959e64785864 Mon Sep 17 00:00:00 2001
From: Cody Soyland
Date: Wed, 18 Sep 2024 10:18:34 -0400
Subject: [PATCH 2/5] Add missing end tag

Signed-off-by: Cody Soyland
---
 charts/policy-controller/templates/_helpers.tpl | 1 +
 1 file changed, 1 insertion(+)

diff --git a/charts/policy-controller/templates/_helpers.tpl b/charts/policy-controller/templates/_helpers.tpl
index 8b66a2d..c54259e 100644
--- a/charts/policy-controller/templates/_helpers.tpl
+++ b/charts/policy-controller/templates/_helpers.tpl
@@ -129,6 +129,7 @@ Create the image path for the passed in leases-cleanup image field
 {{- else -}}
 {{- printf "%s:%s" .repository .version -}}
 {{- end -}}
+{{- end -}}
 
 {{/*
 */}}

From 2675ac820fc750c9c1f197f531bbc0c9af907bc5 Mon Sep 17 00:00:00 2001
From: Cody Soyland
Date: Wed, 18 Sep 2024 10:20:51 -0400
Subject: [PATCH 3/5] Bump policy-controller version to v0.10.0-github7

Signed-off-by: Cody Soyland
---
 charts/policy-controller/Chart.yaml | 4 ++--
 charts/policy-controller/templates/crds/trustroots.yaml | 8 +++++++-
 charts/policy-controller/values.yaml | 4 ++--
 3 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/charts/policy-controller/Chart.yaml b/charts/policy-controller/Chart.yaml
index 0a0f648..0c350f8 100644
--- a/charts/policy-controller/Chart.yaml
+++ b/charts/policy-controller/Chart.yaml
@@ -8,8 +8,8 @@ sources:
 type: application
 name: policy-controller
-version: "v0.10.0-github5"
-appVersion: "v0.10.0-github5"
+version: "v0.10.0-github7"
+appVersion: "v0.10.0-github7"
 maintainers:
 - name: codysoyland
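Review bot: The trailing comment on the new `version` line records only that the digest was resolved from `cgr.dev/chainguard/kubectl:latest`; because `latest` moves, a maintainer later cannot tell which kubectl build this digest corresponds to or when it was taken, so they can neither judge whether the pin is stale nor reproduce it. I would capture that next to the digest, e.g. `# crane digest cgr.dev/chainguard/kubectl:latest (kubectl <VERSION>, resolved <DATE>)` with the real values filled in (placeholders shown). The key is still called `version` while it now carries a digest; a comment above it such as `# tag or sha256 digest; digests are joined with "@" by the leases-cleanup.image helper` would tell chart users that both forms are accepted.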
diff --git a/charts/policy-controller/templates/crds/trustroots.yaml b/charts/policy-controller/templates/crds/trustroots.yaml
index f9336a5..9f61f27 100644
--- a/charts/policy-controller/templates/crds/trustroots.yaml
+++ b/charts/policy-controller/templates/crds/trustroots.yaml
@@ -46,7 +46,7 @@ spec:
 type: object
 properties:
 mirror:
- description: 'Mirror is the remote mirror, for example: https://sigstore-tuf-root.storage.googleapis.com'
+ description: 'Mirror is the remote mirror, for example: https://tuf-repo-cdn.sigstore.dev'
 type: string
 root:
 description: Root is the base64 encoded, json trusted initial root.
@@ -54,6 +54,9 @@ spec:
 targets:
 description: Targets is where the targets live off of the root of the Remote If not specified 'targets' is defaulted.
 type: string
+ trustedRootTarget:
+ description: TrustedRootTarget is the name of the target containing the JSON trusted root. If not specified, `trusted_root.json` is used.
+ type: string
 repository:
 description: Repository contains the serialized TUF remote repository.
 type: object
@@ -67,6 +70,9 @@ spec:
 targets:
 description: Targets is where the targets live off of the root of the Repository above. If not specified 'targets' is defaulted.
 type: string
+ trustedRootTarget:
+ description: TrustedRootTarget is the name of the target containing the JSON trusted root. If not specified, `trusted_root.json` is used.
+ type: string
 sigstoreKeys:
 description: SigstoreKeys contains the serialized keys.
 type: object
diff --git a/charts/policy-controller/values.yaml b/charts/policy-controller/values.yaml
index c6a5832..cf9a811 100644
--- a/charts/policy-controller/values.yaml
+++ b/charts/policy-controller/values.yaml
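Review bot: The two new `trustedRootTarget` properties (second and third hunks of this file) describe a fallback to `trusted_root.json` but carry no `default:` in the schema, so a stored TrustRoot will not show the effective target name; if the controller applies that default in code this is only a documentation gap, otherwise `default: trusted_root.json` under each new property would make the CRD self-describing. Both new `description` values run well past 120 characters on one line; a `>-` folded scalar would keep them readable without changing the value. If this CRD is copied from the upstream policy-controller, I would check the upstream definition before adding defaults here so the two copies do not drift. The first hunk only updates the example mirror URL.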
@@ -16,8 +16,8 @@ webhook:
 name: webhook
 image:
 repository: ghcr.io/github/policy-controller-webhook
- # crane digest ghcr.io/github/policy-controller-webhook:v0.10.0-github5
- version: sha256:048a124b6f287a742956006730844ff5553d00bc12ec99ed1793480d7fbec814
+ # crane digest ghcr.io/github/policy-controller-webhook:v0.10.0-github7
+ version: sha256:0bc1630678ffb1623c139d6f0cfdb512a2041033ec94c83a3820f7eddd6b0aab
 pullPolicy: IfNotPresent
 env: {}
 extraArgs: {}

From 71a4d2a7a7c4da811c4fc427d7a59114faec8bdf Mon Sep 17 00:00:00 2001
From: Cody Soyland
Date: Wed, 18 Sep 2024 13:44:50 -0400
Subject: [PATCH 4/5] Fix linter warning

Signed-off-by: Cody Soyland
---
 charts/policy-controller/values.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/charts/policy-controller/values.yaml b/charts/policy-controller/values.yaml
index cf9a811..d725130 100644
--- a/charts/policy-controller/values.yaml
+++ b/charts/policy-controller/values.yaml
@@ -70,7 +70,8 @@ webhook:
 leasescleanup:
 image:
 repository: cgr.dev/chainguard/kubectl
- version: sha256:dfa420c3fe94a8365b274fd714fb829b466cd762d6870d579db8744e6f27450a # crane digest cgr.dev/chainguard/kubectl:latest
+ # crane digest cgr.dev/chainguard/kubectl:latest
+ version: sha256:dfa420c3fe94a8365b274fd714fb829b466cd762d6870d579db8744e6f27450a
 pullPolicy: IfNotPresent
 
 ## common node selector for all the pods

From 21ff4ad6176b201997d1f165d354b0abd23324ba Mon Sep 17 00:00:00 2001
From: Cody Soyland
Date: Wed, 18 Sep 2024 13:57:22 -0400
Subject: [PATCH 5/5] Remove errant space

Signed-off-by: Cody Soyland
---
 charts/policy-controller/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/charts/policy-controller/values.yaml b/charts/policy-controller/values.yaml
index d725130..af36daf 100644
--- a/charts/policy-controller/values.yaml
+++ b/charts/policy-controller/values.yaml
@@ -71,7 +71,7 @@ leasescleanup:
 image:
 repository: cgr.dev/chainguard/kubectl
 # crane digest cgr.dev/chainguard/kubectl:latest
- version: sha256:dfa420c3fe94a8365b274fd714fb829b466cd762d6870d579db8744e6f27450a
+ version: sha256:dfa420c3fe94a8365b274fd714fb829b466cd762d6870d579db8744e6f27450a
 pullPolicy: IfNotPresent
 
 ## common node selector for all the pods