New chart: Chainloop

[javirln]

Description of the change

This PR adds a new chart to the catalog: Chainloop, an open-source software supply chain control plane, the evidence store and a single source of truth for artifacts, metadata plus a declarative attestation crafting process.

This solution is compounded by 4 different components:

• Chainloop controlplane (mandatory)
• Chainloop artifact proxy (mandatory)
• PostgreSQL (optional, enabled by default)
• Vault (optional)

We included support for the following K8s objects for every component:

• Ingress & Ingress TLS secrets.
• HPA & PDB.
• Persistence via PVCs.
• TLS certs for mTLS communications.
• Custom configuration provided via values or existing ConfigMap.
• Network Policies.
• ServiceMonitor for GKE monitoring Operator.

A more in depth explanation and guides to the Chainloop chart can be found here.

Additional information

The Helm Chart can be deployed in two different modes, standard and development.

If development is active, a Vault Chart will be installed along with the rest of services for secret management.

While the default deployment mode, standard relies on external dependencies to be available in advance.

Important notice

The current implementation of the Chainloop Chart requires a Dex instance configured as an OIDC provider. We found an external Dex chart not provided by Bitnami and considered using it but we were wondering if you would consider to package it as part of your catalog?. Additionally, we noticed that Bitnami's Argo-CD includes Dex templates within its chart. Could this be an option for us as well?

Additionally we keep working on adding more integration tests to the Chart.

How do we build the images?

The images are built using a GoReleaser action that takes as source of truth a Dockerfile. Here the links:

• Controlplane: https://github.com/chainloop-dev/chainloop/blob/main/app/controlplane/Dockerfile.goreleaser
• CAS: https://github.com/chainloop-dev/chainloop/blob/main/app/artifact-cas/Dockerfile.goreleaser
• CLI: https://github.com/chainloop-dev/chainloop/blob/main/app/cli/Dockerfile.goreleaser

All those images are then pushed to GHCR: https://github.com/orgs/chainloop-dev/packages?repo_name=chainloop

All of them based on scratch

Checklist

• Chart version bumped in Chart.yaml according to semver. This is not necessary when the changes - only affect README.md files.
• Variables are documented in the values.yaml and added to the README.md using [readme-generator-for-helm]-(https://github.com/bitnami/readme-generator-for-helm)
• Title of the pull request follows this pattern [bitnami/<name_of_the_chart>] Descriptive title
• All commits signed off and in agreement of Developer Certificate of Origin (DCO)

[javsalgar]

Hi!

Thank you so much for the PR! Could you fix the action errors? Specially the license headers, as we cannot accept a contribution unless the copyright headers match the requirements.

[javirln]

Hi!

Thank you so much for the PR! Could you fix the action errors? Specially the license headers, as we cannot accept a contribution unless the copyright headers match the requirements.

Thanks Salme for the quick reply :)

We have just question regarding the license header changes. We have indeed added them but probably with the wrong scope.

diff --git a/bitnami/chainloop/Chart.yaml b/bitnami/chainloop/Chart.yaml
index 291efc4f94..b88420c8f3 100644
--- a/bitnami/chainloop/Chart.yaml
+++ b/bitnami/chainloop/Chart.yaml
@@ -1,4 +1,4 @@
-# Copyright Chainloop, Inc. All Rights Reserved.
+# Copyright Broadcom, Inc. All Rights Reserved.
 # SPDX-License-Identifier: APACHE-2.0

What entitles the change on the header? That you folks take ownership and control on Chart from the moment is merged?

[javirln]

Hello Salme,

Regarding the license headers, no worries on the question, we have updated it to be compliant, so I think we are good on that side! :D

Additionally I wanted to highlight something I wrote on the description:

The current implementation of the Chainloop Chart requires a Dex instance configured as an OIDC provider. We found an external Dex chart not provided by Bitnami and considered using it but we were wondering if you would consider to package it as part of your catalog?. Additionally, we noticed that Bitnami's Argo-CD includes Dex templates within its chart. Could this be an option for us as well?

Our take is that for the moment we could embed the Dex manifests in the chart to the make it work if it's ok!

[migmartri]

Hi team, I've made some changes which include

• Use of Bitnami's image structure to make it compatible with Helm dt
• Global options support, for now registry and pull secrets

[migmartri]

The current implementation of the Chainloop Chart requires a Dex instance configured as an OIDC provider. We found an external Dex chart not provided by Bitnami and considered using it but we were wondering if you would consider to package it as part of your catalog?. Additionally, we noticed that Bitnami's Argo-CD includes Dex templates within its chart. Could this be an option for us as well?

We will replace upstream dex for a variation of the templates found here. @javsalgar let me know if you'd prefer if we follow some other approach. To us, we just need an OIDC provider, it doesn't need to be dex, so happy for recommendations if you have any other in the catalog.

Thanks

[migruiz4]

Hi @javirln @migmartri,

Thank you very much for your contribution!

I have noticed that most of the files in this PR haven't been created using the template chart as base, and therefore missing many features that are common between all the charts in our catalog.

Some examples:

• The Deployment manifests are missing several features under .spec.template.spec, including features such as extraEnvVars, extraInitContainers, sidecars, etc.
• The SQL proxy deployment is mostly hardcoded and does not allow any templating.
• The NOTES.txt is missing bitnami checks and should be aligned with the style used in other charts.
• The Service manifests are missing features under .spec.

I would appreciate it if you could adapt those manifests and include the missing values.

Additionally, I have noticed the gce-proxy image is hardcoded and does not allow users to set it in the values.yaml.

I'm currently working on releasing all the required images as part of the Bitnami catalog, including the gce-proxy image. I will let you know once they are available so we can update the chart to use them.

[migruiz4]

Suggested change

	icon: https://bitnami.com/assets/stacks/chainloop-control-plane/img/chainloop-control-plane-stack-220x234.png
	icon: https://bitnami.com/assets/stacks/chainloop/img/chainloop-stack-220x234.png

[migruiz4]

Thank you very much for implementing the feedback!
Some additional comments, in this case they are mostly minor details

[javirln]

@migruiz4 everything addressed, thanks again for the review :D

[migmartri]

Ditto, thanks @migruiz4 for the detailed review :)

…

On Thu, Aug 8, 2024, 6:08 PM Javier Rodríguez ***@***.***> wrote: @migruiz4 <https://github.com/migruiz4> everything addressed, thanks again for the review :D — Reply to this email directly, view it on GitHub <#27100 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAF7S5C6YRHHYARJHAJTLLZQOJXFAVCNFSM6AAAAABJEQZIS6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENZWGE4DMMZVGI> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[migruiz4]

Amazing work @javirln @migmartri, thank you very much!

[migmartri]

Thanks a lot, @migruiz4, for the thorough review; you helped us a lot to improve our chart 🥇

Re: the image used in the chart and Bitnami listing, could you use this logo instead?

or this one?

Thanks a lot!

[javsalgar]

Hi!

You mean without the bitnami hexagon?

[migmartri]

Hi!

You mean without the bitnami hexagon?

No, the hexagon is fine; it's just that's the one you put; it's a slightly different infinite loop icon.

The icon you used

The icon I am proposing to put in the hexagon

Thanks

[javsalgar]

Hi! I used the image and it shows like this. Does it work? Or maybe the logo is too small?

[migmartri]

hi @javsalgar, this looks ok, but it would be great, if possible, to try this version, which removed most of the padding around the logo.

Thanks for checking on this @javsalgar, you guys rock :)

[javsalgar]

Could you remove the black border? It's doing something strange with the logo

[migmartri]

hi @javsalgar, sorry I didn't understand the request, what black border?

[javsalgar]

Never mind, I fixed it myself. This is how it looks now

It will take a bit to be available

[migmartri]

Never mind, I fixed it myself. This is how it looks now

It will take a bit to be available

Awesome thanks!