feat: add key support to key management provider #1333

Merged
2 changes: 1 addition & 1 deletion CONTRIBUTING.md
Expand Up @@ -269,7 +269,7 @@ Gatekeeper requires TLS for external data provider interactions. As such ratify
helm install ratify \
./charts/ratify --atomic \
--namespace gatekeeper-system \
--set-file notationCert=./test/testdata/notation.crt \
--set-file notationCerts[0]=./test/testdata/notation.crt \
--set-file provider.tls.crt=./tls/certs/tls.crt \
--set-file provider.tls.key=./tls/certs/tls.key \
--set-file provider.tls.cabundle=./tls/certs/ca.crt
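Review bot: the changed `--set-file notationCerts[0]=./test/testdata/notation.crt \` line needs quoting for zsh users, whose shell treats `[0]` as a glob pattern and aborts with "no matches found" before helm ever runs; suggest `--set-file 'notationCerts[0]=./test/testdata/notation.crt' \` (bash is unaffected). It would also help readers of this snippet to say in the surrounding contributor text that the old `notationCert` key is deprecated, so the two are not mixed in one install.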
2 changes: 1 addition & 1 deletion RELEASES.md
Expand Up @@ -88,6 +88,6 @@ helm install ratify \
--set image.repository=ghcr.io/deislabs/ratify-dev
--set image.crdRepository=ghcr.io/deislabs/ratify-crds-dev
--set image.tag=dev.<YYYYMMDD>.<ABBREVIATED_GIT_HASH_COMMIT>
--set-file notationCert=./test/testdata/notation.crt
--set-file notationCerts[0]=./test/testdata/notation.crt
```
NOTE: the tag field is the only value that will change when updating to newer dev build images
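Review bot: none of the `--set` lines in this snippet (`image.repository`, `image.crdRepository`, `image.tag` and the changed `notationCerts[0]` line) carry a trailing `\`, so pasted as shown only `helm install ratify \` plus the first `--set` form one command and the remaining lines run as separate shell words; since this line is being edited anyway, add the `\` continuations (the CONTRIBUTING.md snippet in this same PR has them) and quote the `[0]` for zsh.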
27 changes: 18 additions & 9 deletions charts/ratify/README.md
Expand Up @@ -30,6 +30,10 @@ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documen
$ helm upgrade -n gatekeeper-system [RELEASE_NAME] ratify/ratify
```

## Deprecation Policy

Values marked `# DEPRECATED` in the `values.yaml` as well as **DEPRECATED** in the below parameters will NOT be supported in the next major version release. Existing functionality will remain backwards compatible until the next major version release.

## Parameters

| Parameter | Description | Default |
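Review bot: the policy promises that deprecated values are marked `# DEPRECATED` in values.yaml, but no values.yaml hunk is visible in this diff; please confirm `notationCert` and every `akvCertConfig.*` key carry that comment, otherwise the README and the chart disagree on what is deprecated. The policy should also say which value wins when both a deprecated key and its replacement are set, since the templates in this PR silently prefer `azurekeyvault.*`.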
Expand All @@ -43,7 +47,6 @@ $ helm upgrade -n gatekeeper-system [RELEASE_NAME] ratify/ratify
| replicaCount | The number of Ratify replicas in deployment | 1 |
| affinity | Pod affinity for the Ratify deployment | `{}` |
| tolerations | Pod tolerations for the Ratify deployment | `[]` |
| notationCert | Public certificate/certificate chain used to create inline certstore used by Notation verifier. This value has been ***deprecated*** , and will be removed in future releases of Ratify. Please switch to ```notationCerts``` to specify an array of verification certificates | `` |
| notationCerts | An array of public certificate/certificate chain used to create inline certstore used by Notation verifier | `` |
| cosign.enabled | Enables/disables cosign tag-based signature lookup in ORAS store. MUST be set to true for cosign verification. | `true` |
| cosign.key | Public certificate used by cosign verifier | `` |
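Review bot: this table has no row for the new `cosignKeys` value that `charts/ratify/templates/inline-key-management-provider.yaml` now ranges over, and the `cosign.key` row ("Public certificate used by cosign verifier") still describes a single key while calling it a certificate; add a `cosignKeys` row (array of public keys, default `[]`) and state whether `cosign.key` is deprecated in favour of it.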
Expand Down Expand Up @@ -120,11 +123,17 @@ $ helm upgrade -n gatekeeper-system [RELEASE_NAME] ratify/ratify
| azureWorkloadIdentity.clientId | ClientID of AAD application/Managed identity associated with Workload Identity | `` |
| azureManagedIdentity.clientId | ClientID of Managed identity | `` |
| azureManagedIdentity.tenantId | TenantID of Managed Identity resource | `` |
| akvCertConfig.enabled | Enables/disables Azure Key Vault certificate store. If you are using a custom chart, certificate store should be referenced through a Verifier CR. References in ConfigMap will not be correctly resolved. | `false` |
| akvCertConfig.vaultURI | Vault URI for AKV configured | `` |
| akvCertConfig.cert1Name | Exact name of the certificate stored in AKV. This value has been ***deprecated*** , and will be removed in future releases of Ratify. Please switch to ```akvCertConfig.certificates``` to specify an array of certificates | `` |
| akvCertConfig.cert1Version | Exact version of certificate to use from AKV. This value has been ***deprecated*** , and will be removed in future releases of Ratify. Please switch to ```akvCertConfig.certificates``` to specify an array of verification certificates | `` |
| akvCertConfig.cert2Name | Exact name of the certificate stored in AKV. This value has been ***deprecated*** , and will be removed in future releases of Ratify. Please switch to ```akvCertConfig.certificates``` to specify an array of verification certificates | `` |
| akvCertConfig.cert2Version | Exact version of certificate to use from AKV. This value has been ***deprecated*** , and will be removed in future releases of Ratify. Please switch to ```akvCertConfig.certificates``` to specify an array of verification certificates | `` |
| akvCertConfig.certificates | An array of certificate objects identified by `name` and `version` stored in AKV | `` |
| akvCertConfig.tenantId | TenantID of the configured AKV resource | `` |
| azurekeyvault.enabled | Enables/disables Azure Key Vault key management provider. If you are using a custom chart, certificate store should be referenced through a Verifier CR. | `false` |
| azurekeyvault.vaultURI | Vault URI for Azure Key Vault | `` |
| azurekeyvault.tenantID | Tenant ID of the configured Azure Key Vault resource | `` |
| azurekeyvault.certificates | An array of certificate objects identified by `name` and `version` (optional) stored in Azure Key Vault | `[]` |
| azurekeyvault.keys | An array of key objects identified by `name` and `version` (optional) stored in Azure Key Vault | `[]` |
| notationCert | **DEPRECATED** Please switch to `notationCerts` to specify an array of verification certificates. Public certificate/certificate chain used to create inline certstore used by Notation verifier. | `` |
| akvCertConfig.enabled | **DEPRECATED** Please use `azurekeyvault.enabled` instead. Enables/disables Azure Key Vault certificate store. If you are using a custom chart, certificate store should be referenced through a Verifier CR. References in ConfigMap will not be correctly resolved. | `false` |
| akvCertConfig.vaultURI | **DEPRECATED** Please use `azurekeyvault.vaultURI` instead. Vault URI for AKV configured | `` |
| akvCertConfig.cert1Name | **DEPRECATED** Please use `azurekeyvault.certificates` instead. Exact name of the certificate stored in AKV. | `` |
| akvCertConfig.cert1Version | **DEPRECATED** Please use `azurekeyvault.certificates` instead. Exact version of certificate to use from AKV.certificates | `` |
| akvCertConfig.cert2Name | **DEPRECATED** Please use `azurekeyvault.certificates` instead. Exact name of the certificate stored in AKV. | `` |
| akvCertConfig.cert2Version | **DEPRECATED** Please use `azurekeyvault.certificates` instead. Exact version of certificate to use from AKV. | `` |
| akvCertConfig.certificates | **DEPRECATED** Please use `azurekeyvault.certificates` instead. An array of certificate objects identified by `name` and `version` stored in AKV | `` |
| akvCertConfig.tenantId | **DEPRECATED** Please use `azurekeyvault.certificates` instead. TenantID of the configured AKV resource | `` |
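Review bot: the `akvCertConfig.tenantId` row tells users to switch to `azurekeyvault.certificates`; the replacement is `azurekeyvault.tenantID`. Two more nits in the same block: the `akvCertConfig.cert1Version` description ends with a stray "AKV.certificates", and the `azurekeyvault.enabled` row repeats "certificate store should be referenced through a Verifier CR" although the object this chart now creates is a KeyManagementProvider. Note too that the README spells the deprecated key `akvCertConfig.tenantId` (lowercase d) while the template fallback in this PR reads `.Values.akvCertConfig.tenantID`; one of the two is wrong.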
31 changes: 28 additions & 3 deletions charts/ratify/templates/akv-key-management-provider.yaml
@@ -1,4 +1,4 @@
{{- if .Values.akvCertConfig.enabled }}
{{- if or .Values.azurekeyvault.enabled .Values.akvCertConfig.enabled }}
apiVersion: config.ratify.deislabs.io/v1beta1
kind: KeyManagementProvider
metadata:
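Review bot: `{{- if or .Values.azurekeyvault.enabled .Values.akvCertConfig.enabled }}` dereferences both maps, so a values file that omits the `azurekeyvault` block entirely (likely for anyone still on `akvCertConfig`) makes Helm fail with a nil pointer evaluating `.enabled` unless values.yaml defines `azurekeyvault:` with defaults; that values.yaml change is not in the visible diff, so please confirm it is there, or guard the lookup with `default dict`.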
Expand All @@ -9,7 +9,13 @@ metadata:
spec:
type: azurekeyvault
parameters:
vaultURI: {{ required "vaultURI must be provided when AKV cert config is enabled" .Values.akvCertConfig.vaultURI }}
{{- if .Values.azurekeyvault.vaultURI }}
vaultURI: {{ .Values.azurekeyvault.vaultURI }}
{{- else if .Values.akvCertConfig.vaultURI }}
vaultURI: {{ .Values.akvCertConfig.vaultURI }}
{{- else }}
{{- fail "vaultURI must be provided when azurekeyvault is enabled. please specify azurekeyvault.vaultURI" }}
{{- end }}
certificates:
{{- if .Values.akvCertConfig.cert1Name }}
- name: {{ .Values.akvCertConfig.cert1Name }}
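Review bot: the new `fail "vaultURI must be provided when azurekeyvault is enabled. please specify azurekeyvault.vaultURI"` fires on the `else` branch of the vaultURI fallback, but this template is also rendered when only the deprecated `akvCertConfig.enabled` is set, so a user who forgot `akvCertConfig.vaultURI` is told to set a key from a block they are not using; phrase it as "vaultURI must be provided when azurekeyvault or akvCertConfig is enabled". Minor: `vaultURI: {{ .Values.azurekeyvault.vaultURI }}` is emitted unquoted, as the removed line was; piping through `quote` would be safer for values containing YAML-significant characters.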
Expand All @@ -25,6 +31,25 @@ spec:
version: {{ .version }}
{{- end }}
{{- end }}
tenantID: {{ required "tenantID must be provided when AKV cert config is enabled" .Values.akvCertConfig.tenantId }}
{{- range .Values.azurekeyvault.certificates }}
{{- if .name }}
- name: {{ .name }}
version: {{ .version }}
{{- end }}
{{- end }}
keys:
{{- range .Values.azurekeyvault.keys }}
{{- if .name }}
- name: {{ .name }}
version: {{ .version }}
{{- end }}
{{- end }}
{{- if .Values.azurekeyvault.tenantID }}
tenantID: {{ .Values.azurekeyvault.tenantID }}
{{- else if .Values.akvCertConfig.tenantID }}
tenantID: {{ .Values.akvCertConfig.tenantID }}
{{- else }}
{{- fail "tenantID must be provided when azurekeyvault is enabled. please specify azurekeyvault.tenantID" }}
{{- end }}
clientID: {{ required "clientID must be provided when use workload identity in akv" .Values.azureWorkloadIdentity.clientId }}
{{ end }}
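Review bot: the fallback `{{- else if .Values.akvCertConfig.tenantID }}` reads a key the deprecated block never had; the line being removed used `.Values.akvCertConfig.tenantId` (lowercase d) and the README in this PR documents `akvCertConfig.tenantId`, so every existing `akvCertConfig` user hits the new `fail "tenantID must be provided when azurekeyvault is enabled..."` on upgrade. Change both fallback lines to `.Values.akvCertConfig.tenantId`. Two smaller points in the same hunk: `version: {{ .version }}` is emitted unconditionally although the README calls `version` optional, so an entry without one renders an empty `version:` for `certificates` and `keys` alike (wrap it in `{{- if .version }}`), and `keys:` is rendered as a bare key with no items when `azurekeyvault.keys` is `[]`, which the CRD presumably tolerates but is worth checking with `helm template`.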
15 changes: 15 additions & 0 deletions charts/ratify/templates/inline-key-management-provider.yaml
Expand Up @@ -28,4 +28,19 @@ spec:
parameters:
contentType: certificate
value: {{ $cert | quote }}
{{- end }}
---
{{- range $i, $key := .Values.cosignKeys }}
apiVersion: config.ratify.deislabs.io/v1beta1
kind: KeyManagementProvider
metadata:
name: {{$fullname}}-cosign-inline-key-{{$i}}
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-weight: "5"
spec:
type: inline
parameters:
contentType: key
value: {{ $key | quote }}
{{- end }}
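Review bot: the `---` separator sits before `{{- range $i, $key := .Values.cosignKeys }}` rather than inside it, so with two or more keys the rendered output contains consecutive `apiVersion:` blocks in one YAML document and fails to parse on duplicate keys; move the `---` to the first line inside the range so each `KeyManagementProvider` is its own document, which also removes the dangling `---` produced when `cosignKeys` is empty. The `metadata.name` here depends on `$fullname` being bound above the shown context; please confirm it is, since the same variable is used by the certificate loop this hunk extends.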
2 changes: 1 addition & 1 deletion charts/ratify/templates/verifier.yaml
Expand Up @@ -14,7 +14,7 @@ spec:
parameters:
verificationCertStores:
certs:
{{- if .Values.akvCertConfig.enabled }}
{{- if or .Values.azurekeyvault.enabled .Values.akvCertConfig.enabled }}
- kmprovider-akv
{{- else }}
{{- if .Values.notationCert }}
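Review bot: widening this condition to `or .Values.azurekeyvault.enabled .Values.akvCertConfig.enabled` keeps the existing behaviour where enabling AKV makes the `else` branch, and with it every `notationCerts` inline store, unreachable, so users cannot combine an AKV-backed cert with an inline one; document that limitation or emit both lists under `certs:`. Also nothing in the visible diff references the new `{{$fullname}}-cosign-inline-key-{{$i}}` providers from any verifier, so as far as this page shows the `cosignKeys` values produce KeyManagementProvider objects that no verifier consumes.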