diff --git a/.github/workflows/verify-k8s.yml b/.github/workflows/verify-k8s.yml
index 480ea4116..2fcca7115 100644
--- a/.github/workflows/verify-k8s.yml
+++ b/.github/workflows/verify-k8s.yml
@@ -131,6 +131,18 @@ jobs:
 # local reigstry, even when pushing $REGISTRY_NAME:$REGISTRY_PORT/some/image
 sudo echo "127.0.0.1 $REGISTRY_NAME" | sudo tee -a /etc/hosts
 
+ - name: Generate temporary CA files
+ run: |
+ openssl req -x509 \
+ -newkey ed25519 \
+ -sha256 \
+ -keyout "${{ github.run_id }}-key.pem" \
+ -out "${{ github.run_id }}-cert.pem" \
+ -subj "/CN=ed25519" \
+ -days 36500 \
+ -addext basicConstraints=critical,CA:TRUE,pathlen:1 \
+ -passout pass:"${{ github.run_id }}"
+
 - name: Deploy fulcio-dev
 run: |
 # Reduce the resource requests of Fulcio
@@ -173,12 +185,26 @@ jobs:
 server.yaml: |-
 host: 0.0.0.0
 port: 5555
- ca: ephemeralca
- gcp_private_ca_version: v1
+ ca: fileca
+ fileca-cert: /etc/fulcio-secret/cert.pem
+ fileca-key: /etc/fulcio-secret/key.pem
+ fileca-key-passwd: "${{ github.run_id }}"
 ct-log-url: ""
 log_type: prod
 EOF
 
+ # Create secret needed to use fileca
+ cat < config/fulcio-secret.yaml
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: fulcio-secret
+ namespace: fulcio-dev
+ data:
+ cert.pem: $(cat ${{ github.run_id }}-cert.pem | base64 -w 0)
+ key.pem: $(cat ${{ github.run_id }}-key.pem | base64 -w 0)
+ EOF
+
 kubectl create ns fulcio-dev
 ko apply -Bf config/
 
diff --git a/config/deployment.yaml b/config/deployment.yaml
index b1bb9f01e..170a429bc 100644
--- a/config/deployment.yaml
+++ b/config/deployment.yaml
@@ -52,6 +52,9 @@ spec:
 volumeMounts:
 - name: fulcio-config
 mountPath: /etc/fulcio-config
+ - name: fulcio-secret
+ mountPath: /etc/fulcio-secret
+ readOnly: true
 - name: oidc-info
 mountPath: /var/run/fulcio
 resources:
@@ -62,6 +65,10 @@ spec:
 - name: fulcio-config
 configMap:
 name: fulcio-config
+ - name: fulcio-secret
+ secret:
+ secretName: fulcio-secret
+ optional: true
 - name: oidc-info
 projected:
 sources:
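Review bot: `-sha256` on the new `openssl req` invocation has no effect together with `-newkey ed25519`; OpenSSL ignores the digest option for Ed25519 keys, so the flag only suggests a SHA-256-signed certificate that is not what gets produced and should be dropped. The `${{ github.run_id }}` expressions in the `-keyout`, `-out` and `-passout` arguments are expanded into the script text before the shell runs; the run id is a GitHub-controlled integer so this is harmless here, but the runner already exports it as `GITHUB_RUN_ID`, and `-keyout "${GITHUB_RUN_ID}-key.pem"` keeps the step free of expression interpolation, which is the pattern worth copying. `-passout pass:...` also places the passphrase on the process command line, acceptable for a throwaway key but worth recording with a comment such as `# throwaway CA for this run only; the passphrase is the public run id`.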
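Review bot: The `cat < config/fulcio-secret.yaml` line, as it appears in the hunk, redirects the file into cat rather than writing the manifest that follows it; it looks like a `<<EOF >` heredoc redirection was lost in rendering, so confirm the committed line reads `cat <<EOF > config/fulcio-secret.yaml`, otherwise the Secret is never created and `ko apply -Bf config/` has nothing to apply. The `$(cat ${{ github.run_id }}-cert.pem | base64 -w 0)` expansions leave the filename unquoted and pipe through cat for nothing; `cert.pem: $(base64 -w 0 "${GITHUB_RUN_ID}-cert.pem")` does the same work with one process and without expression interpolation into the script. `fileca-key-passwd` is written into the `server.yaml` config document rather than into the Secret, which is fine while the passphrase is the public run id, but a `# passphrase is the run id, not a secret; a real key passphrase belongs in the Secret` comment would stop the pattern being copied as-is. The `run:` block this hunk edits starts before the hunk.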
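Review bot: The new `fulcio-secret` volume sets no `defaultMode`, so `key.pem` is mounted with the Secret volume default of 0644 and is readable by any user inside the container even though the mount is `readOnly`; since the file is the CA private key, add `defaultMode: 0400` (256 decimal) under `secret:`, pairing it with `fsGroup` in the pod securityContext if the server process does not run as root. `optional: true` also lets the pod start with an empty mount when the Secret is absent, which is presumably intended so the deployment still runs without a file CA, but it means a `ca: fileca` misconfiguration surfaces only at runtime rather than at scheduling; a comment such as `# optional: the default config does not use fileca` would record that choice.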