Improve Secrets handling across install profiles

README.md

@@ -108,14 +108,14 @@ The Engineering Platform package has the following configurable properties.
 | `platform.ingress.issuer.type` | `private` | The type of ClusterIssuer the platform will use to enable TLS communications. Options: `private`, `letsencrypt_staging`, `letsencrypt`, `custom`. |
 | `platform.ingress.issuer.name` | `""` | A reference to a custom ClusterIssuer previously created on the cluster where the platform will be installed. Required when the type is `custom`. |
 | `platform.ingress.issuer.email` | `""` | The email address that Let's Encrypt will use to send info on expiring certificates or other issues. Required when the type is `letsencrypt_staging` or `letsencrypt`. |
-| `platform.oci_registry.server` | `""` | The server of the OCI Registry where the platform will publish and consume OCI images. |
-| `platform.oci_registry.repository` | `""` | The repository in the OCI Registry where the platform will publish and consume OCI images. |
-| `platform.oci_registry.secret.name` | `supply-chain-registry-credentials` | The name of the Secret holding the credentials to access the OCI registry. |
+| `platform.oci_registry.server` | `""` | The server of the OCI Registry where the platform will publish OCI images. Example: "ghcr.io". |
+| `platform.oci_registry.repository` | `""` | The repository in the OCI Registry where the platform will publish OCI images. Example: "my-org". |
+| `platform.oci_registry.secret.name` | `""` | The name of the Secret holding the credentials to access the OCI registry. The credentials should provide read-only access to the OCI registry except when installing the platform with one of these profiles: `full`, `dev`, `build`. |
 | `platform.oci_registry.secret.namespace` | `kadras-packages` | The namespace of the Secret holding the credentials to access the OCI registry. |
-| `platform.cosign.secret.name` | `supply-chain-cosign-key-pair` | The name of the Secret holding the Cosign key pair. |
+| `platform.cosign.secret.name` | `""` | The name of the Secret holding the Cosign key pair. |
 | `platform.cosign.secret.namespace` | `kadras-packages` | The namespace of the Secret holding the Cosign key pair. |
 | `platform.git.server` | `https://github.com` | The server hosting the Git repositories used by the plaform. |
-| `platform.git.secret.name` | `supply-chain-git-credentials` | The name of the Secret holding the credentials to access the Git server. |
+| `platform.git.secret.name` | `""` | The name of the Secret holding the credentials to access the Git server. The credentials should provide read-only access to the Git server except when installing the platform with one of these profiles: `full`, `build`. |
 | `platform.git.secret.namespace` | `kadras-packages` | The namespace of the Secret holding the credentials to access the Git server. |
 
 Each Kadras package included in the platform can be configured independently.

package/config/cartographer-delivery.yml

@@ -9,11 +9,9 @@
 #@   values = struct.decode(data.values.cartographer.delivery)
 #@
 #@   #! Compute values for Git server
-#@   if is_any_profile_enabled([profiles.full]):
-#@     if data.values.platform.git.server and data.values.platform.git.secret.name and data.values.platform.git.secret.namespace:
-#@       if not hasattr(data.values.cartographer.delivery, "git_credentials_secret") or not data.values.cartographer.delivery.git_credentials_secret:
-#@         values["git_credentials_secret"] = data.values.platform.git.secret.name
-#@       end
+#@   if data.values.platform.git.server and data.values.platform.git.secret.name and data.values.platform.git.secret.namespace:
+#@     if not hasattr(data.values.cartographer.delivery, "git_credentials_secret") or not data.values.cartographer.delivery.git_credentials_secret:
+#@       values["git_credentials_secret"] = data.values.platform.git.secret.name
 #@     end
 #@   end
 #@

package/config/cartographer-supply-chains.yml

@@ -30,11 +30,9 @@
 #@   end
 #@
 #@   #! Compute values for Git server
-#@   if is_any_profile_enabled([profiles.full]):
-#@     if data.values.platform.git.server and data.values.platform.git.secret.name and data.values.platform.git.secret.namespace:
-#@       if not hasattr(data.values.cartographer.supply_chains, "git_credentials_secret") or not data.values.cartographer.supply_chains.git_credentials_secret:
-#@         values["git_credentials_secret"] = data.values.platform.git.secret.name
-#@       end
+#@   if data.values.platform.git.server and data.values.platform.git.secret.name and data.values.platform.git.secret.namespace:
+#@     if not hasattr(data.values.cartographer.supply_chains, "git_credentials_secret") or not data.values.cartographer.supply_chains.git_credentials_secret:
+#@       values["git_credentials_secret"] = data.values.platform.git.secret.name
 #@     end
 #@   end
 #@

package/config/values-schema.yml

@@ -42,16 +42,16 @@ platform:
 
   #@schema/desc "Settings for the OCI registry that the platform will use."
   oci_registry:
-    #@schema/desc "The server of the OCI Registry where the platform will publish and consume OCI images."
+    #@schema/desc "The server of the OCI Registry where the platform will publish OCI images."
     #@schema/examples ("GitHub Container Registry", "ghcr.io")
     server: ""
-    #@schema/desc "The repository in the OCI Registry where the platform will publish and consume OCI images."
+    #@schema/desc "The repository in the OCI Registry where the platform will publish OCI images."
     #@schema/examples ("Repository on GitHub Container Registry", "my-org")
     repository: ""
     #@schema/desc "Configuration for the Secret holding the credentials to access the OCI registry."
     secret:
-      #@schema/desc "The name of the Secret holding the credentials to access the OCI registry."
-      name: supply-chain-registry-credentials
+      #@schema/desc "The name of the Secret holding the credentials to access the OCI registry. The credentials should provide read-only access to the OCI registry except when installing the platform with one of these profiles: `full`, `dev`, `build`."
+      name: ""
       #@schema/desc "The namespace of the Secret holding the credentials to access the OCI registry."
       namespace: kadras-packages
 
@@ -60,7 +60,7 @@ platform:
     #@schema/desc "Configuration for the Secret holding the Cosign key pair."
     secret:
       #@schema/desc "The name of the Secret holding the Cosign key pair."
-      name: supply-chain-cosign-key-pair
+      name: ""
       #@schema/desc "The namespace of the Secret holding the Cosign key pair."
       namespace: kadras-packages
 
@@ -71,8 +71,8 @@ platform:
     server: https://github.com
     #@schema/desc "Configuration for the Secret holding the credentials to access the Git server."
     secret:
-      #@schema/desc "The name of the Secret holding the credentials to access the Git server."
-      name: supply-chain-git-credentials
+      #@schema/desc "The name of the Secret holding the credentials to access the Git server. The credentials should provide read-only access to the Git server except when installing the platform with one of these profiles: `full`, `build`."
+      name: ""
       #@schema/desc "The namespace of the Secret holding the credentials to access the Git server."
       namespace: kadras-packages
 

package/config/workspace-provisioner.yml

@@ -9,39 +9,33 @@
 #@   values = struct.decode(data.values.workspace_provisioner)
 #@
 #@   #! Compute values for OCI Registry server
-#@   if is_any_profile_enabled([profiles.full]):
-#@     if data.values.platform.oci_registry.secret.name and data.values.platform.oci_registry.secret.namespace:
-#@       if not hasattr(data.values.workspace_provisioner, "oci_registry") or not hasattr(data.values.workspace_provisioner.oci_registry, "secret") or not hasattr(data.values.workspace_provisioner.oci_registry.secret, "name") or not hasattr(data.values.workspace_provisioner.oci_registry.secret, "namespace") or not data.values.workspace_provisioner.oci_registry.secret.name or not data.values.workspace_provisioner.oci_registry.secret.namespace:
-#@         values["oci_registry"] = {}
-#@         values["oci_registry"]["secret"] = {}
-#@         values["oci_registry"]["secret"]["name"] = data.values.platform.oci_registry.secret.name
-#@         values["oci_registry"]["secret"]["namespace"] = data.values.platform.oci_registry.secret.namespace
-#@       end
+#@   if data.values.platform.oci_registry.secret.name and data.values.platform.oci_registry.secret.namespace:
+#@     if not hasattr(data.values.workspace_provisioner, "oci_registry") or not hasattr(data.values.workspace_provisioner.oci_registry, "secret") or not hasattr(data.values.workspace_provisioner.oci_registry.secret, "name") or not hasattr(data.values.workspace_provisioner.oci_registry.secret, "namespace") or not data.values.workspace_provisioner.oci_registry.secret.name or not data.values.workspace_provisioner.oci_registry.secret.namespace:
+#@       values["oci_registry"] = {}
+#@       values["oci_registry"]["secret"] = {}
+#@       values["oci_registry"]["secret"]["name"] = data.values.platform.oci_registry.secret.name
+#@       values["oci_registry"]["secret"]["namespace"] = data.values.platform.oci_registry.secret.namespace
 #@     end
 #@   end
 #@
 #@   #! Compute values for Cosign
-#@   if is_any_profile_enabled([profiles.full]):
-#@     if data.values.platform.cosign.secret.name and data.values.platform.cosign.secret.namespace:
-#@       if not hasattr(data.values.workspace_provisioner, "cosign") or not hasattr(data.values.workspace_provisioner.cosign, "secret") or not hasattr(data.values.workspace_provisioner.cosign.secret, "name") or not hasattr(data.values.workspace_provisioner.cosign.secret, "namespace") or not data.values.workspace_provisioner.cosign.secret.name or not data.values.workspace_provisioner.cosign.secret.namespace:
-#@         values["cosign"] = {}
-#@         values["cosign"]["secret"] = {}
-#@         values["cosign"]["secret"]["name"] = data.values.platform.cosign.secret.name
-#@         values["cosign"]["secret"]["namespace"] = data.values.platform.cosign.secret.namespace
-#@       end
+#@   if data.values.platform.cosign.secret.name and data.values.platform.cosign.secret.namespace:
+#@     if not hasattr(data.values.workspace_provisioner, "cosign") or not hasattr(data.values.workspace_provisioner.cosign, "secret") or not hasattr(data.values.workspace_provisioner.cosign.secret, "name") or not hasattr(data.values.workspace_provisioner.cosign.secret, "namespace") or not data.values.workspace_provisioner.cosign.secret.name or not data.values.workspace_provisioner.cosign.secret.namespace:
+#@       values["cosign"] = {}
+#@       values["cosign"]["secret"] = {}
+#@       values["cosign"]["secret"]["name"] = data.values.platform.cosign.secret.name
+#@       values["cosign"]["secret"]["namespace"] = data.values.platform.cosign.secret.namespace
 #@     end
 #@   end
 #@
 #@   #! Compute values for Git server
-#@   if is_any_profile_enabled([profiles.full]):
-#@     if data.values.platform.git.server and data.values.platform.git.secret.name and data.values.platform.git.secret.namespace:
-#@       if not hasattr(data.values.workspace_provisioner, "git") or not hasattr(data.values.workspace_provisioner.git, "server") or not hasattr(data.values.workspace_provisioner.git, "secret") or not hasattr(data.values.workspace_provisioner.cosign.secret, "name") or not hasattr(data.values.workspace_provisioner.cosign.secret, "namespace") or not data.values.workspace_provisioner.git.server or not data.values.workspace_provisioner.cosign.secret.name or not data.values.workspace_provisioner.cosign.secret.namespace:
-#@         values["git"] = {}
-#@         values["git"]["server"] = data.values.platform.git.server
-#@         values["git"]["secret"] = {}
-#@         values["git"]["secret"]["name"] = data.values.platform.git.secret.name
-#@         values["git"]["secret"]["namespace"] = data.values.platform.git.secret.namespace
-#@       end
+#@   if data.values.platform.git.server and data.values.platform.git.secret.name and data.values.platform.git.secret.namespace:
+#@     if not hasattr(data.values.workspace_provisioner, "git") or not hasattr(data.values.workspace_provisioner.git, "server") or not hasattr(data.values.workspace_provisioner.git, "secret") or not hasattr(data.values.workspace_provisioner.cosign.secret, "name") or not hasattr(data.values.workspace_provisioner.cosign.secret, "namespace") or not data.values.workspace_provisioner.git.server or not data.values.workspace_provisioner.cosign.secret.name or not data.values.workspace_provisioner.cosign.secret.namespace:
+#@       values["git"] = {}
+#@       values["git"]["server"] = data.values.platform.git.server
+#@       values["git"]["secret"] = {}
+#@       values["git"]["secret"]["name"] = data.values.platform.git.secret.name
+#@       values["git"]["secret"]["namespace"] = data.values.platform.git.secret.namespace
 #@     end
 #@   end
 #@