notaryproject · patoarvizu · Oct 8, 2019 · Oct 9, 2019 · Oct 9, 2019 · Oct 9, 2019
@@ -115,6 +115,19 @@ $ notary
 
 To build the server and signer, run `docker-compose build`.
 
+## Helm
+
+If you prefer to deploy with [Helm](https://helm.sh), this repo includes a chart in the [helm/](helm/) directory. Assuming you already have a target Kubernetes cluster with Helm/Tiller running, you can quickly launch a Notary service with `helm install -n release-name helm/`. With the default values, this chart will create a containerized mysql database, run the required migrations, and launch a single instance of a server an a single instance of a signer (with their respective service endpoints).
+
+For compatibility, the server is exposed **both** by an `Ingress`, and by a `Service` of `type: LoadBalancer`. Depending on Kubernetes distribution or configuration you're using, it may be easier to use one or the other. Also, if you're running any virtualized or containerized distribution (like [Minikube](https://github.com/kubernetes/minikube), or [k3d](https://github.com/rancher/k3d)), you might need to map host ports to the corresponding service ports (443 for the `Ingress` and 4443 by default on the `Service`).
+
+The chart's default [values.yaml](helm/values.yaml) can give you an idea of the configuration options. One useful setting is `storage.type`, which can be set to `mysql`, `postgres`, or `memory`. If it's set to memory, then the chart will not create a containerized database, and instead set the storage for both the server and the signer to memory. Also, `server.trust` is set to `remote` by default, which means the chart will spin up a signer and point the server there, but if `server.trust` is set to `local`, then no signer will be created (all settings will be ignored). You can combine both `storage.type: memory` and `server.trust: local`, to very quickly spin up a Notary endpoint you can immediately point your CLI to.
+
+### IMPORTANT!
+
+This chart is currently **NOT** meant to be used in production, but rather as a way of quickly deploying Notary in a development or test environment, to explore or validate its use in a Kubernetes environment. It uses self-signed certs that have been distributed publicly, hard-coded, plain-text passwords, doesn't scale, etc.
+
+If you are looking to deploy Notary in Kubernetes in production, the chart will provide a starting point, but it will require considerable improvements before it can be considered prod-ready. At a minimum, you will need to make sure that your secrets are distributed properly and securely (with [KMS](https://aws.amazon.com/kms/), [Vault](https://www.vaultproject.io), etc.), but also make sure you use your own TLS certs, preferably created and distributed dynamically (like with [Let's Encrypt](https://letsencrypt.org)).
 
 ## License
 [![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Ftheupdateframework%2Fnotary.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Ftheupdateframework%2Fnotary?ref=badge_large)
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
@@ -0,0 +1,4 @@
+apiVersion: v1
+description: Notary
+name: notary
+version: 0.0.0
diff --git a/helm/files/server-config.json.tpl b/helm/files/server-config.json.tpl
@@ -0,0 +1,26 @@
+{
+	"server": {
+		"http_addr": ":{{ .Values.server.port }}",
+		"tls_key_file": "/tls/notary-server.key",
+		"tls_cert_file": "/tls/notary-server.crt"
+	},
+	"trust_service": {
+		"type": "{{ .Values.server.trust.type }}",
+		"hostname": "notarysigner",
+		"port": "{{ .Values.server.trust.port }}",
+		"tls_ca_file": "/tls/root-ca.crt",
+		"key_algorithm": "ecdsa",
+		"tls_client_cert": "/tls/notary-server.crt",
+		"tls_client_key": "/tls/notary-server.key"
+	},
+	"logging": {
+		"level": "{{ .Values.logging.level }}"
+	},
+	"storage": {
+		"backend": "{{ .Values.storage.type }}",
+		"db_url": "{{ template "notary.serverdburl" . }}"
+	},
+	"repositories": {
+		"gun_prefixes": {{ .Values.server.gunPrefixes | toJson }}
+	}
+}
diff --git a/helm/files/signer-config.json.tpl b/helm/files/signer-config.json.tpl
@@ -0,0 +1,16 @@
+{
+	"server": {
+		"grpc_addr": ":{{ .Values.signer.port }}",
+		"tls_cert_file": "/tls/notary-signer.crt",
+		"tls_key_file": "/tls/notary-signer.key",
+		"client_ca_file": "/tls/notary-server.crt"
+	},
+	"logging": {
+		"level": "{{ .Values.logging.level }}"
+	},
+	"storage": {
+		"backend": "{{ .Values.storage.type }}",
+		"db_url": "{{ template "notary.signerdburl" . }}",
+		"default_alias": "{{ .Values.signer.defaultAlias }}"
+	}
+}
diff --git a/helm/fixtures b/helm/fixtures
@@ -0,0 +1 @@
+../fixtures
@@ -0,0 +1 @@
+../migrations
diff --git a/helm/notarysql b/helm/notarysql
@@ -0,0 +1 @@
+../notarysql
@@ -0,0 +1,36 @@
+{{- define "notary.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "notary.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "notary.serverdburl" -}}
+{{- if eq .Values.storage.type "mysql" -}}
+root@tcp(notary-db:3306)/notaryserver
+{{- else if eq .Values.storage.type "postgres" -}}
+server@notary-db:5432/notaryserver?sslmode=verify-ca&sslrootcert=/tls/database-ca.pem&sslcert=/tls/notary-server.pem&sslkey=/tls/notary-server-key.pem
+{{- end -}}
+{{- end -}}
+
+{{- define "notary.signerdburl" -}}
+{{- if eq .Values.storage.type "mysql" -}}
+root@tcp(notary-db:3306)/notarysigner
+{{- else if eq .Values.storage.type "postgres" -}}
+signer@notary-db:5432/notarysigner?sslmode=verify-ca&sslrootcert=/tls/database-ca.pem&sslcert=/tls/notary-signer.pem&sslkey=/tls/notary-signer-key.pem"
+{{- end -}}
+{{- end -}}
+
+{{- define "notary.gunprefixes" -}}
+{{- .Values.server.gunPrefixes | toJson -}}
+{{ end -}}
@@ -0,0 +1,76 @@
+{{- if not (eq .Values.storage.type "memory") }}
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: notarysql
+data:
+  {{- if eq .Values.storage.type "mysql" }}
+  {{- range $path, $bytes := .Files.Glob "notarysql/mysql-initdb.d/**" }}
+  {{ base $path }}: |
+{{ $.Files.Get $path | indent 4 }}
+  {{- end }}
+  {{- else if eq .Values.storage.type "postgres" }}
+  {{- range $path, $bytes := .Files.Glob "notarysql/postgresql-initdb.d/**" }}
+  {{ base $path }}: |
+{{ $.Files.Get $path | indent 4 }}
+  {{- end }}
+  {{- end }}
+
+
+---
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: notary-migrations-server
+data:
+  {{- if eq .Values.storage.type "mysql" }}
+  {{- range $path, $bytes := .Files.Glob "migrations/server/mysql/**" }}
+  {{ base $path }}: |
+{{ $.Files.Get $path | indent 4 }}
+  {{- end }}
+  {{- else if eq .Values.storage.type "postgres" }}
+  {{- range $path, $bytes := .Files.Glob "migrations/server/postgresql/**" }}
+  {{ base $path }}: |
+{{ $.Files.Get $path | indent 4 }}
+  {{- end }}
+  {{- end }}
+
+
+{{- if eq .Values.server.trust.type "remote" }}
+
+---
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: notary-migrations-signer
+data:
+  {{- if eq .Values.storage.type "mysql" }}
+  {{- range $path, $bytes := .Files.Glob "migrations/signer/mysql/**" }}
+  {{ base $path }}: |
+{{ $.Files.Get $path | indent 4 }}
+  {{- end }}
+  {{- else if eq .Values.storage.type "postgres" }}
+  {{- range $path, $bytes := .Files.Glob "migrations/signer/postgresql/**" }}
+  {{ base $path }}: |
+{{ $.Files.Get $path | indent 4 }}
+  {{- end }}
+  {{- end }}
+
+{{- end }}
+
+---
+
+{{- end }}
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: notary-config
+data:
+  server-config.json: |
+{{ tpl (.Files.Get "files/server-config.json.tpl") . | indent 4 }}
+  signer-config.json: |
+{{ tpl (.Files.Get "files/signer-config.json.tpl") . | indent 4 }}