# This example expects two pre-existing secrets: one named 'fulcio-secret-rh' in the
# 'fulcio-system' namespace holding the Fulcio root certificate and signing key, and one
# named 'rekor-private-key' in the 'rekor-system' namespace holding the Rekor signing key.
# These names must match the secret names configured under scaffold.tuf, which default to
# 'fulcio-secret-rh' and 'rekor-private-key'. They are the trust roots of the deployment:
# create them out of band and never commit their contents alongside this values file.
# For root & key requirements, see ../requirements-keys-certs.md
# Note: this file is not templated — replace every occurrence of $OPENSHIFT_APPS_SUBDOMAIN
# below before installing, or the placeholder text ends up verbatim in the ingress hosts
# and in the Fulcio OIDC issuer URL. The cluster's base domain is the output of
# "oc get dns cluster -o jsonpath='{ .spec.baseDomain }'"; confirm the apps subdomain that
# your routes actually use before substituting.
---
# Cluster-specific overrides for the Sigstore scaffold chart on OpenShift.
# Every '$OPENSHIFT_APPS_SUBDOMAIN' below is a literal placeholder (not a Helm value):
# substitute it before installing.
global:
  appsSubdomain: '$OPENSHIFT_APPS_SUBDOMAIN'

configs:
  cosign_deploy:
    enabled: true
  # The fulcio/rekor namespaces are not created by the chart because the signing-key
  # secrets (see the header comment) are expected to exist in them before install.
  fulcio:
    namespace_create: false
  rekor:
    namespace_create: false
  rekorui:
    subdomain: 'rekorui.$OPENSHIFT_APPS_SUBDOMAIN'

# Values passed through to the upstream charts at github.com/sigstore/helm-charts/charts.
# No 'tls:' stanza is set on any ingress below; presumably TLS is terminated by the
# OpenShift router — confirm, since clients are expected to reach fulcio/rekor/tuf over https.
scaffold:
  fulcio:
    server:
      ingress:
        http:
          hosts:
            - host: 'fulcio.$OPENSHIFT_APPS_SUBDOMAIN'
              path: /
      config:
        contents:
          # Map of issuer URL -> issuer settings. Only tokens from the issuers listed
          # here are accepted for certificate issuance, so this map is the security
          # boundary of the CA: keep the key and IssuerURL byte-identical and https.
          # Host follows the route convention used here, <keycloak_route>-<keycloak_ns>.<apps_subdomain>;
          # adjust if Keycloak is exposed under a different hostname.
          OIDCIssuers:
            'https://keycloak-keycloak-system.$OPENSHIFT_APPS_SUBDOMAIN/auth/realms/trusted-artifact-signer':
              IssuerURL: 'https://keycloak-keycloak-system.$OPENSHIFT_APPS_SUBDOMAIN/auth/realms/trusted-artifact-signer'
              ClientID: trusted-artifact-signer
              # Fulcio's 'email' issuer type — the realm must put an email claim in its
              # tokens; NOTE(review): presumably a verified one, confirm in the realm config.
              Type: email

  rekor:
    server:
      ingress:
        # Unlike fulcio/tuf, 'hosts' sits directly under 'ingress' here — this follows
        # the rekor chart's ingress schema as used in this file, not a missing 'http:' level.
        hosts:
          - host: 'rekor.$OPENSHIFT_APPS_SUBDOMAIN'
            path: /

  tuf:
    ingress:
      http:
        hosts:
          - host: 'tuf.$OPENSHIFT_APPS_SUBDOMAIN'
            path: /