diff --git a/assets/intel-tcs-issuer/tcs-issuer-0.1.0.tgz b/assets/intel-tcs-issuer/tcs-issuer-0.1.0.tgz
new file mode 100644
index 000000000..83e06b337
Binary files /dev/null and b/assets/intel-tcs-issuer/tcs-issuer-0.1.0.tgz differ
diff --git a/charts/intel-tcs-issuer/tcs-issuer/0.1.0/.helmignore b/charts/intel-tcs-issuer/tcs-issuer/0.1.0/.helmignore
new file mode 100644
index 000000000..0e8a0eb36
--- /dev/null
+++ b/charts/intel-tcs-issuer/tcs-issuer/0.1.0/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/intel-tcs-issuer/tcs-issuer/0.1.0/Chart.yaml b/charts/intel-tcs-issuer/tcs-issuer/0.1.0/Chart.yaml
new file mode 100644
index 000000000..6d203cd61
--- /dev/null
+++ b/charts/intel-tcs-issuer/tcs-issuer/0.1.0/Chart.yaml
@@ -0,0 +1,13 @@
+annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: Intel Trusted Certificate Issuer
+ catalog.cattle.io/release-name: tcs-issuer
+apiVersion: v2
+appVersion: 0.1.0
+description: A Helm chart for Trusted Certificate Service for Kubernetes Platform
+home: https://github.com/intel/trusted-certificate-issuer
+icon: https://avatars.githubusercontent.com/u/17888862?s=200&v=4
+kubeVersion: '>= 1.19-0'
+name: tcs-issuer
+type: application
+version: 0.1.0
diff --git a/charts/intel-tcs-issuer/tcs-issuer/0.1.0/app-readme.md b/charts/intel-tcs-issuer/tcs-issuer/0.1.0/app-readme.md
new file mode 100644
index 000000000..d091e9ab6
--- /dev/null
+++ b/charts/intel-tcs-issuer/tcs-issuer/0.1.0/app-readme.md
@@ -0,0 +1,11 @@
+# Trusted Certificate Service
+
+## Introduction
+
+Trusted Certificate Service (TCS) is a Kubernetes certificate signing application, which protects the signing keys using Intel's SGX technology. TCS supports [Kubernetes Certificate Signing Request](https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/) and [cert-manager certificate request](https://cert-manager.io/docs/concepts/certificaterequest/) APIs. The APIs provides an easy integration to Kubernetes applications such as Istio.
+
+## Prerequisites
+
+- Helm 3.x
+- Kubernetes cluster with at least one SGX node (e.g., Azure DCsv3 instance)
+- Cert-manager
\ No newline at end of file
diff --git a/charts/intel-tcs-issuer/tcs-issuer/0.1.0/templates/NOTES.txt b/charts/intel-tcs-issuer/tcs-issuer/0.1.0/templates/NOTES.txt
new file mode 100644
index 000000000..c5615c64c
--- /dev/null
+++ b/charts/intel-tcs-issuer/tcs-issuer/0.1.0/templates/NOTES.txt
@@ -0,0 +1 @@
+Thank you for installing {{ .Chart.Name }}.
diff --git a/charts/intel-tcs-issuer/tcs-issuer/0.1.0/templates/tcs_issuer.yaml b/charts/intel-tcs-issuer/tcs-issuer/0.1.0/templates/tcs_issuer.yaml
new file mode 100644
index 000000000..7f4b1f99b
--- /dev/null
+++ b/charts/intel-tcs-issuer/tcs-issuer/0.1.0/templates/tcs_issuer.yaml
@@ -0,0 +1,376 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: tcs-issuer-serviceaccount
+ namespace: {{ .Release.Namespace | quote }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: tcs-leader-election-role
+ namespace: {{ .Release.Namespace | quote }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: tcs-metrics-reader
+rules:
+- nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: tcs-proxy-role
+rules:
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: tcs-role
+rules:
+- apiGroups:
+ - '*'
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - cert-manager.io
+ resources:
+ - certificaterequests
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - cert-manager.io
+ resources:
+ - certificaterequests/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - cert-manager.io
+ resources:
+ - certificaterequests/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - certificates.k8s.io
+ resourceNames:
+ - tcsclusterissuer.tcs.intel.com/*
+ - tcsissuer.tcs.intel.com/*
+ resources:
+ - signers
+ verbs:
+ - sign
+- apiGroups:
+ - tcs.intel.com
+ resources:
+ - quoteattestations
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - tcs.intel.com
+ resources:
+ - quoteattestations/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - tcs.intel.com
+ resources:
+ - quoteattestations/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - tcs.intel.com
+ resources:
+ - tcsclusterissuers
+ - tcsissuers
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - tcs.intel.com
+ resources:
+ - tcsclusterissuers/status
+ - tcsissuers/status
+ verbs:
+ - get
+ - patch
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: tcs-leader-election-rolebinding
+ namespace: {{ .Release.Namespace | quote }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: tcs-leader-election-role
+subjects:
+- kind: ServiceAccount
+ name: tcs-issuer-serviceaccount
+ namespace: {{ .Release.Namespace | quote }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: tcs-proxy-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: tcs-proxy-role
+subjects:
+- kind: ServiceAccount
+ name: tcs-issuer-serviceaccount
+ namespace: {{ .Release.Namespace | quote }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: tcs-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: tcs-role
+subjects:
+- kind: ServiceAccount
+ name: tcs-issuer-serviceaccount
+ namespace: {{ .Release.Namespace | quote }}
+---
+apiVersion: v1
+data:
+ tcs_issuer_config.yaml: |
+ apiVersion: controller-runtime.sigs.k8s.io/v1alpha1
+ kind: ControllerManagerConfig
+ health:
+ healthProbeBindAddress: :8083
+ metrics:
+ bindAddress: 127.0.0.1:8080
+ webhook:
+ port: 9443
+ leaderElection:
+ leaderElect: true
+ resourceName: bb9c3a43.sgx.intel.com
+kind: ConfigMap
+metadata:
+ name: tcs-config
+ namespace: {{ .Release.Namespace | quote }}
+---
+apiVersion: v1
+data:
+ sopin: V0lwbUJCybc2Oc6M06Vz
+ userpin: U3BnbGIyTUl3ZV9lSHUy
+kind: Secret
+metadata:
+ name: tcs-issuer-pkcs11-conf
+ namespace: {{ .Release.Namespace | quote }}
+type: Opaque
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ control-plane: tcs-issuer
+ name: tcs-metrics-service
+ namespace: {{ .Release.Namespace | quote }}
+spec:
+ ports:
+ - name: https
+ port: 8443
+ targetPort: https
+ selector:
+ control-plane: tcs-issuer
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ control-plane: tcs-issuer
+ name: tcs-controller
+ namespace: {{ .Release.Namespace | quote }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ control-plane: tcs-issuer
+ template:
+ metadata:
+ annotations:
+ sgx.intel.com/quote-provider: aesmd
+ labels:
+ control-plane: tcs-issuer
+ spec:
+ containers:
+ - args:
+ - --leader-elect
+ - --zap-devel
+ - --zap-log-level=5
+ - --metrics-bind-address=:8082
+ - --health-probe-bind-address=:8083
+ - --user-pin=$USER_PIN
+ - --so-pin=$SO_PIN
+ {{- if .Values.controllerExtraArgs }}
+ {{- with .Values.controllerExtraArgs }}
+ {{- tpl . $ | trim | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ command:
+ - /tcs-issuer
+ env:
+ - name: USER_PIN
+ valueFrom:
+ secretKeyRef:
+ key: userpin
+ name: tcs-issuer-pkcs11-conf
+ - name: SO_PIN
+ valueFrom:
+ secretKeyRef:
+ key: sopin
+ name: tcs-issuer-pkcs11-conf
+ image: "{{ .Values.image.hub }}/{{ .Values.image.name }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8083
+ initialDelaySeconds: 10
+ periodSeconds: 180
+ name: tcs-issuer
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8083
+ initialDelaySeconds: 10
+ periodSeconds: 5
+ resources:
+ limits:
+ cpu: 100m
+ memory: 30Mi
+ sgx.intel.com/enclave: 1
+ sgx.intel.com/epc: 512Ki
+ requests:
+ cpu: 100m
+ memory: 20Mi
+ sgx.intel.com/enclave: 1
+ sgx.intel.com/epc: 512Ki
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - mountPath: /home/tcs-issuer/tokens
+ name: tokens-dir
+ initContainers:
+ - command:
+ - /bin/chown
+ - -R
+ - 5000:5000
+ - /home/tcs-issuer/tokens
+ image: busybox
+ imagePullPolicy: IfNotPresent
+ name: init
+ volumeMounts:
+ - mountPath: /home/tcs-issuer/tokens
+ name: tokens-dir
+ serviceAccountName: tcs-issuer-serviceaccount
+ terminationGracePeriodSeconds: 10
+ volumes:
+ - hostPath:
+ path: /var/lib/tcs-issuer/tokens
+ type: DirectoryOrCreate
+ name: tokens-dir
diff --git a/charts/intel-tcs-issuer/tcs-issuer/0.1.0/values.yaml b/charts/intel-tcs-issuer/tcs-issuer/0.1.0/values.yaml
new file mode 100644
index 000000000..2f21cb9b5
--- /dev/null
+++ b/charts/intel-tcs-issuer/tcs-issuer/0.1.0/values.yaml
@@ -0,0 +1,10 @@
+image:
+ hub: intel
+ name: trusted-certificate-issuer
+ tag: "latest"
+ pullPolicy: Always
+
+# Any extra arguments for tcs-controller
+controllerExtraArgs: {}
+#controllerExtraArgs: |-
+# - --csr-full-cert-chain=true
diff --git a/index.yaml b/index.yaml
index 89484bf33..0d73e406f 100755
--- a/index.yaml
+++ b/index.yaml
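Review bot: The Secret `tcs-issuer-pkcs11-conf` ships the PKCS#11 SO PIN and user PIN as fixed base64 `data` values inside the chart template, so every release installed from this chart protects its SGX-backed signing token with the same PINs that are now committed to the repository and published in the packaged chart. Source them from chart values instead, e.g. `stringData:` with `sopin: {{ required "pkcs11 SO PIN must be set" .Values.pkcs11.soPin | quote }}` and `userpin: {{ required "pkcs11 user PIN must be set" .Values.pkcs11.userPin | quote }}` (the `pkcs11.*` value names are a proposal, not keys that exist in values.yaml), or generate them with `randAlphaNum` guarded by a `lookup` of the existing Secret so an upgrade does not rotate the PIN out from under an initialised token. In the same hunk the `tcs-role` ClusterRole grants create/delete/update on `secrets` under `apiGroups: '*'`; Secrets live in the core group, so `- ""` states the intended scope and keeps the grant from matching any other group that exposes a `secrets` resource. The `tcs-metrics-service` also targets `targetPort: https` while the `tcs-issuer` container declares no `ports`, and no proxy sidecar is present for `tcs-proxy-role`/`tcs-metrics-reader` to serve, so the metrics Service and those two roles appear to be leftovers that either need the sidecar plus a named container port or should be dropped.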
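Review bot: `tag: "latest"` combined with `pullPolicy: Always` makes every pod restart pull whatever the `intel/trusted-certificate-issuer:latest` tag currently points at, so the certificate-signing controller can change underneath a running cluster without a chart upgrade; default the tag to the chart's app version, `tag: "0.1.0"`, and leave `latest` to operators who opt in (a digest-pinned `image` value would be the stronger option). `controllerExtraArgs: {}` is a mapping, but the template passes the value through `tpl`, which takes a string, and the commented example directly below is a block scalar; an empty map is skipped by the template's `if`, yet any non-empty map reaches `tpl` and fails, so `controllerExtraArgs: ""` is the default that matches the documented usage. The `image` stanza has no comment; a one-line `# Registry/org, repository and tag of the tcs-issuer controller image` above `image:` would make the three keys self-explanatory.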
@@ -4636,6 +4636,24 @@ entries:
 urls:
 - assets/sysdig/sysdig-1.9.200.tgz
 version: 1.9.200
+ tcs-issuer:
+ - annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: Intel Trusted Certificate Issuer
+ catalog.cattle.io/release-name: tcs-issuer
+ apiVersion: v2
+ appVersion: 0.1.0
+ created: "2022-06-29T10:32:33.302669+03:00"
+ description: A Helm chart for Trusted Certificate Service for Kubernetes Platform
+ digest: ac32f402a14d249acb94a7cea9141c7efe5d7761230380c5ac2f508b7df2a638
+ home: https://github.com/intel/trusted-certificate-issuer
+ icon: https://avatars.githubusercontent.com/u/17888862?s=200&v=4
+ kubeVersion: '>= 1.19-0'
+ name: tcs-issuer
+ type: application
+ urls:
+ - assets/intel-tcs-issuer/tcs-issuer-0.1.0.tgz
+ version: 0.1.0
 traefik:
 - annotations:
 catalog.cattle.io/certified: partner