-
Notifications
You must be signed in to change notification settings - Fork 52
/
300-rekor.yaml
66 lines (66 loc) · 2.11 KB
/
300-rekor.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: rekor
namespace: rekor-system
---
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
namespace: rekor-system
name: rekor
spec:
template:
metadata:
annotations:
autoscaling.knative.dev/min-scale: "1"
spec:
serviceAccountName: rekor
containers:
- name: rekor
# This has been built from here to pick up the file based signer change:
# https://github.com/sigstore/rekor/actions/runs/3061668501/jobs/4941722492
# Which contains this change that we need.
# https://github.com/sigstore/rekor/pull/1049
image: gcr.io/projectsigstore/rekor/ci/rekor/rekor-server@sha256:91a6fa93804e1c0b48942a6a0e38b30b851a9f281a65e84a05cd85c138450d7f
ports:
- containerPort: 3000
args: [
"serve",
"--trillian_log_server.address=log-server.trillian-system.svc",
"--trillian_log_server.port=80",
"--rekor_server.address=0.0.0.0",
"--redis_server.address=redis.rekor-system.svc",
"--redis_server.port=6379",
"--enable_retrieve_api=true",
"--trillian_log_server.tlog_id=$(TREE_ID)",
"--log_type=prod",
"--rekor_server.signer=/var/run/rekor-secrets/signing-secret",
"--rekor_server.signer-pwd=$(SECRET_SIGNING_PWD)",
"--enable_attestation_storage=true",
"--attestation_storage_bucket=file:///tmp/",
# "--rekor_server.timestamp_chain=$(TIMESTAMP_CHAIN)"
]
env:
- name: TREE_ID
valueFrom:
configMapKeyRef:
name: rekor-config
key: treeID
- name: SECRET_SIGNING_PWD
valueFrom:
secretKeyRef:
name: rekor-secrets
key: signing-secret-password
volumeMounts:
- name: rekor-secrets
mountPath: "/var/run/rekor-secrets"
readOnly: true
volumes:
- name: rekor-secrets
secret:
secretName: rekor-signing-secret
items:
- key: signing-secret
path: signing-secret