Fulcio is a free code signing Certificate Authority, built to make short-lived certificates available to anyone.
Homepage: https://sigstore.dev/
The following components are also included as either direct components or through chart dependencies:
Note:
0.3.0NOT backwards compatibleIn version
0.3.0, we will be introducing a second ingress in support of the new gRPC endpoint as introduced inv0.4.0of Fulcio.The change in particular is the structure of the ingress values.
Previously
server: ingress: enabled: true hosts: - host: fulcio.localhost path: /Now
server: ingress: http: enabled: true hosts: - host: fulcio.localhost path: / grpc: enabled: false
To install the helm chart with default values run following command. The Values section describes the configuration options for this chart.
helm dependency update .
helm install [RELEASE_NAME] .To uninstall the Helm chart run following command.
helm uninstall [RELEASE_NAME]| Name | Url | |
|---|---|---|
| The Sigstore Authors |
| Repository | Name | Version |
|---|---|---|
| https://sigstore.github.io/helm-charts | ctlog | 0.2.66 |
| Key | Type | Default | Description |
|---|---|---|---|
| config.contents | object | {} |
|
| config.format | string | "json" |
|
| createcerts.affinity | object | {} |
|
| createcerts.annotations | object | {} |
|
| createcerts.enabled | bool | true |
|
| createcerts.image.pullPolicy | string | "IfNotPresent" |
|
| createcerts.image.registry | string | "ghcr.io" |
|
| createcerts.image.repository | string | "sigstore/scaffolding/createcerts" |
|
| createcerts.image.version | string | "sha256:7f59f7c08d1a82ac5fbd6d0f1f9082152dadc8d59022c52780eb3648f4b88112" |
|
| createcerts.name | string | "createcerts" |
|
| createcerts.nodeSelector | object | {} |
|
| createcerts.podAnnotations | object | {} |
|
| createcerts.podLabels | object | {} |
|
| createcerts.replicaCount | int | 1 |
|
| createcerts.securityContext.runAsNonRoot | bool | true |
|
| createcerts.securityContext.runAsUser | int | 65533 |
|
| createcerts.serviceAccount.annotations | object | {} |
|
| createcerts.serviceAccount.create | bool | true |
|
| createcerts.serviceAccount.mountToken | bool | true |
|
| createcerts.serviceAccount.name | string | "" |
|
| createcerts.tolerations | list | [] |
|
| createcerts.ttlSecondsAfterFinished | int | 3600 |
|
| ctlog.createcerts.fullnameOverride | string | "ctlog-createcerts" |
|
| ctlog.createcerts.name | string | "ctlog-createcerts" |
|
| ctlog.createctconfig.logPrefix | string | "fulcio" |
|
| ctlog.createtree.fullnameOverride | string | "ctlog-createtree" |
|
| ctlog.createtree.name | string | "ctlog-createtree" |
|
| ctlog.enabled | bool | true |
|
| ctlog.forceNamespace | string | "ctlog-system" |
|
| ctlog.fullnameOverride | string | "ctlog" |
|
| ctlog.name | string | "ctlog" |
|
| ctlog.namespace.create | bool | true |
|
| ctlog.namespace.name | string | "ctlog-system" |
|
| forceNamespace | string | "" |
|
| imagePullSecrets | list | [] |
|
| init.containerResources | object | {} |
|
| init.enabled | bool | false |
|
| init.image.curl.imagePullPolicy | string | "IfNotPresent" |
|
| init.image.curl.registry | string | "docker.io" |
|
| init.image.curl.repository | string | "curlimages/curl" |
|
| init.image.curl.version | string | "sha256:935d9100e9ba842cdb060de42472c7ca90cfe9a7c96e4dacb55e79e560b3ff40" |
8.17.0 |
| namespace.create | bool | false |
|
| namespace.name | string | "fulcio-system" |
|
| neg.grpc.name | string | "" |
|
| neg.grpc.port | int | 5554 |
|
| neg.http.name | string | "" |
|
| neg.http.port | int | 80 |
|
| server.affinity | object | {} |
|
| server.args.aws_hsm_root_ca_path | string | nil |
|
| server.args.certificateAuthority | string | "fileca" |
|
| server.args.ct_log_origin | string | "" |
|
| server.args.ct_log_url | string | "" |
|
| server.args.disable_ct_log | bool | false |
|
| server.args.gcp_private_ca_parent | string | "projects/test/locations/us-east1/caPools/test" |
|
| server.args.grpcPort | int | 5554 |
|
| server.args.hsm_caroot_id | string | nil |
|
| server.args.port | int | 5555 |
|
| server.awsKmsCredentialsSecretName | string | "aws-kms-credentials" |
kubernetes secret name containing IAM credentials for use with AWS KMS |
| server.awsKmsRegion | string | "us-east-1" |
AWS region if using AWS KMS for signing key |
| server.grpcSvcPort | int | 5554 |
|
| server.image.pullPolicy | string | "IfNotPresent" |
|
| server.image.registry | string | "ghcr.io" |
|
| server.image.repository | string | "sigstore/fulcio" |
|
| server.image.version | string | "v1.8.8@sha256:ef72cf56c64b7455ceda5268d1cc801b92992e7ce36b744b40b7761684d60753" |
|
| server.ingress.grpc.annotations."nginx.ingress.kubernetes.io/backend-protocol" | string | "GRPC" |
|
| server.ingress.grpc.className | string | "" |
|
| server.ingress.grpc.enabled | bool | false |
|
| server.ingress.grpc.hosts[0].host | string | "fulcio.localhost" |
|
| server.ingress.grpc.hosts[0].path | string | "/dev.sigstore.fulcio.v2.CA" |
|
| server.ingress.grpc.tls[0].hosts[0] | string | "fulcio.localhost" |
|
| server.ingress.grpc.tls[0].secretName | string | "fulcio-grpc-ingress-tls" |
|
| server.ingress.http.annotations | object | {} |
|
| server.ingress.http.className | string | "nginx" |
|
| server.ingress.http.enabled | bool | true |
|
| server.ingress.http.hosts[0].host | string | "fulcio.localhost" |
|
| server.ingress.http.hosts[0].path | string | "/" |
|
| server.ingress.http.tls | list | [] |
|
| server.ingresses[0].annotations | object | {} |
|
| server.ingresses[0].backendConfigSpec.healthCheck.port | int | 5555 |
|
| server.ingresses[0].backendConfigSpec.healthCheck.requestPath | string | "/healthz" |
|
| server.ingresses[0].backendConfigSpec.healthCheck.type | string | "HTTP" |
|
| server.ingresses[0].backendConfigSpec.logging.enable | bool | true |
|
| server.ingresses[0].backendConfigSpec.securityPolicy.name | string | "fulcio-security-policy" |
|
| server.ingresses[0].className | string | "gce" |
|
| server.ingresses[0].enabled | bool | false |
|
| server.ingresses[0].frontendConfigSpec.redirectToHttps.enabled | bool | true |
|
| server.ingresses[0].frontendConfigSpec.sslPolicy | string | "fulcio-ssl-policy" |
|
| server.ingresses[0].grpc | bool | true |
|
| server.ingresses[0].hosts[0].host | string | "fulcio.localhost" |
|
| server.ingresses[0].hosts[0].path | string | "/" |
|
| server.ingresses[0].http | bool | true |
|
| server.ingresses[0].name | string | "gce-ingress" |
|
| server.ingresses[0].staticGlobalIP | string | "lb-ext-ip" |
|
| server.ingresses[0].tls | list | [] |
|
| server.kmsType | string | "none" |
KMS type for signing key (possible values: "" / "none", "aws") |
| server.livenessProbe | object | {"failureThreshold":3,"httpGet":{"path":"/healthz","port":5555,"scheme":"HTTP"},"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1} |
Liveness probe for the fulcio server container. httpGet.port should match server.args.port. |
| server.logging.production | bool | false |
|
| server.name | string | "server" |
|
| server.nodeSelector | object | {} |
|
| server.podLabels | object | {} |
Additional labels to add to the server pod |
| server.readinessProbe | object | {"failureThreshold":3,"httpGet":{"path":"/healthz","port":5555,"scheme":"HTTP"},"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1} |
Readiness probe for the fulcio server container. httpGet.port should match server.args.port. |
| server.replicaCount | int | 1 |
|
| server.secret | string | "fulcio-server-secret" |
|
| server.securityContext.runAsNonRoot | bool | true |
|
| server.securityContext.runAsUser | int | 65533 |
|
| server.service.ports[0].name | string | "http" |
|
| server.service.ports[0].port | int | 80 |
|
| server.service.ports[0].protocol | string | "TCP" |
|
| server.service.ports[0].targetPort | int | 5555 |
|
| server.service.ports[1].name | string | "grpc" |
|
| server.service.ports[1].port | int | 5554 |
|
| server.service.ports[1].protocol | string | "TCP" |
|
| server.service.ports[1].targetPort | int | 5554 |
|
| server.service.ports[2].name | string | "2112-tcp" |
|
| server.service.ports[2].port | int | 2112 |
|
| server.service.ports[2].protocol | string | "TCP" |
|
| server.service.ports[2].targetPort | int | 2112 |
|
| server.service.type | string | "ClusterIP" |
|
| server.serviceAccount.annotations | object | {} |
|
| server.serviceAccount.create | bool | true |
|
| server.serviceAccount.mountToken | bool | true |
|
| server.serviceAccount.name | string | "" |
|
| server.svcPort | int | 80 |
|
| server.tolerations | list | [] |
To enabled access from external resources, an Ingress resource is created. The configuration necessary for each Ingress resource is primarily dependent on the specific Ingress Controller being used. In most cases, implementation specific configuration is specified as annotations on the Ingress resources. These can be applied using the server.ingress.annotations parameter.
Warning: versions prior to
0.3.0of this chart use different ingresses.In version
0.3.0a second ingress is introduced. This ingress exposes the gRPC endpoint as introduced in v0.4.0 of Fulcio.The change in particular is the structure of the ingress values. Prior to
0.3.0:server: ingress: enabled: true hosts: - host: fulcio.localhost path: /Since
0.3.0:server: ingress: http: enabled: true hosts: - host: fulcio.localhost path: / grpc: enabled: false
Fulcio supports the following options for certificate authority backends: googleca, pkcs11ca, aws-hsm-root-ca-path, fileca, kmsca. For all except fileca, set the appropriate values in values.yaml to configure the CA roots for the given backend.
For fileca, the signing keys and certificates need to be generated manually and uploaded as a Secret that the Fulcio deployment can mount. For example:
pass=mysecurepassword
openssl ecparam -name prime256v1 -genkey | openssl pkcs8 -passout "pass:${pass}" -topk8 -out "/pki/key.pem" # generate the signing key
openssl req -x509 -new -key /pki/key.pem -out /pki/cert.pem -sha256 -days 100 -subj "/O=test/CN=self.signed.ca" -passin "pass:${pass}" # generate the self-signed certificate
kubectl -n fulcio-system create secret generic --from-file=private=/pki/key.pem --from-file=cert=/pki/cert.pem --from-literal=password=$pass fulcio-server-secret # upload to Kubernetes
Alternatively, use a secure system like ExternalSecret to safely store and populate key material.
By default, createcerts.enabled is set to true and will automatically generate key material. This setting is deprecated and it is recommended to change this setting to false and generate your own key material. This way, the root certificate can be shared out of band with the CTlog chart and it does not need to implicitly trust the Fulcio HTTP server to provide the correct root.