feat(fulcio/add-env): Add additional env variables

[saisatishkarra]

Description of the change

Support GCP credentials for external cloud provider workloads

Existing or Associated Issue(s)

Additional Information

Similar changes that were made in TSA

• 2d4695f
• f120177

Checklist

• Chart version bumped in Chart.yaml according to semver. Where applicable, update and bump the versions in any associated umbrella chart
• Variables are documented in the values.yaml and added to the README.md. The helm-docs utility can be used to generate the necessary content. Use helm-docs --dry-run to preview the content.
• JSON Schema generated.
• List tests pass for Chart using the Chart Testing tool and the ct lint command.

[sabre1041]

the name creds is somewhat ambitious

[saisatishkarra]

Is there an expected naming suggestion? I used this to maintain the existing convention between TSA and Fulcio helm chart. How about cloud_credential_config?

[sabre1041]

I am good with cloud_credential_config

[saisatishkarra]

fixed!!

[sabre1041]

This doesnt have a closing end tag, yet strangely no error is thrown

[saisatishkarra]

The closing {{- end}} for line 64 is at line82

[sabre1041]

Got it

To simplify, this condition should be an or statement that checks the presence of Values.server.env or whether Values.server.args.certificateAuthority == fileca. This would avoid the redundant PASSWORD env variable definition

[saisatishkarra]

I don't think the or condition between Values.server.env and Values.server.args.certificateAuthority == fileca would work because there might be a case where there are env variables specified as key-value pairs and the certificateAuthority == "<something not fileca>" at which point it would still try to populate the PASSWORD as a secret ref that is NOT optional and the pod might fail / retry due to lack of missing secret.

[sabre1041]

that is still fine. having the proposed conditional would still suffice. this conditional would remain in order to capture when it was defined, otherwise only the key/values would be captured. The contents within this conditional block can be removed as its no longer needed

[saisatishkarra]

@sabre1041 Fixed the issues. Please review and revert.

[sabre1041]

Suggested change

	version: 2.4.2
	version: 2.4.0

[saisatishkarra]

Fixed!

[sabre1041]

Got it

To simplify, this condition should be an or statement that checks the presence of Values.server.env or whether Values.server.args.certificateAuthority == fileca. This would avoid the redundant PASSWORD env variable definition

[sabre1041]

I am good with cloud_credential_config

[sabre1041]

Add a conditional to avoid including when not specified

[saisatishkarra]

Added condition!

[Sifungurux]

Hello @saisatishkarra
I really need the feature that enabled to set env as well. Are the feature gone cold

[Racer159]

Just to add - not having the extra environment variables in the fulcio chart also makes configuring a Vault/OpenBao KMS more difficult since you cannot easily set env vars like VAULT_ADDR - https://github.com/sigstore/sigstore/blob/1bbe33108312349ecb12badff611f23c262c0760/pkg/signature/kms/hashivault/client.go#L101 (you'd have to patch it after the fact unless I am missing something)

[Sifungurux]

This is really still needed