diff --git a/app/artifact-cas/README.md b/app/artifact-cas/README.md index 8ae578ada..cfc0bc8eb 100644 --- a/app/artifact-cas/README.md +++ b/app/artifact-cas/README.md @@ -20,7 +20,7 @@ Its structure contains the following top to down layers. ## System Dependencies -The CAS proxy **has only one running dependency**. A secret storage backend to retrieve the OCI repository credentials. Currently, we support [Hashicorp Vault](https://www.vaultproject.io/), [AWS Secret Manager](https://aws.amazon.com/secrets-manager/) AND [GCP Secret Manager](https://cloud.google.com/secret-manager). +The CAS proxy **has only one running dependency**. A secret storage backend to retrieve the OCI repository credentials. Currently, we support [Hashicorp Vault](https://www.vaultproject.io/), [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) AND [GCP Secret Manager](https://cloud.google.com/secret-manager). This secret backend is used to download OCI repository credentials (repository path + key pair) during upload/downloads. This makes the Artifact CAS multi-tenant by default since the destination OCI backend gets selected at runtime. diff --git a/app/controlplane/configs/samples/config.yaml b/app/controlplane/configs/samples/config.yaml index 58c46b680..9f6efb58c 100644 --- a/app/controlplane/configs/samples/config.yaml +++ b/app/controlplane/configs/samples/config.yaml @@ -27,7 +27,6 @@ cas_server: # Where to store credentials such as OCI registries or third party integrations secrets credentials_service: - # You can use either vault or aws secret manager vault: address: ${VAULT_ADDRESS:http://0.0.0.0:8200} token: ${VAULT_TOKEN:notasecret} diff --git a/deployment/chainloop/README.md b/deployment/chainloop/README.md index f9f9cb595..c27898003 100644 --- a/deployment/chainloop/README.md +++ b/deployment/chainloop/README.md 
@@ -50,7 +50,7 @@ The Helm Chart in this mode includes During installation, you'll need to provide - Open ID Connect Identity Provider (IDp) settings i.e [Auth0 settings](https://auth0.com/docs/get-started/applications/application-settings#basic-information) -- Connection settings for a secrets storage backend, either [Hashicorp Vault](https://www.vaultproject.io/) or [AWS Secret Manager](https://aws.amazon.com/secrets-manager) +- Connection settings for a secrets storage backend, either [Hashicorp Vault](https://www.vaultproject.io/) or [AWS Secrets Manager](https://aws.amazon.com/secrets-manager) - ECDSA (ES512) key-pair used for Controlplane <-> CAS Authentication Instructions on how to create the ECDSA keypair can be found [here](#generate-a-ecdsa-key-pair). @@ -75,7 +75,7 @@ helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ --set casJWTPublicKey="$(cat public.pem)" ``` -Deploy using AWS secret manager instead of Vault +Deploy using AWS Secrets Manager instead of Vault ```console helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ @@ -90,7 +90,7 @@ helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ # ... ``` -Deploy using GCP secret manager instead of Vault +or using GCP Secret Manager ```console helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ 
@@ -104,6 +104,22 @@ helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ # ... ``` +or Azure KeyVault + +```console +helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ + # Open ID Connect (OIDC) + # ... + # Secrets backend + --set secretsBackend.backend=azureKeyVault \ + --set secretsBackend.azureKeyVault.tenantID=[AD tenant ID] \ + --set secretsBackend.azureKeyVault.clientID=[Service Principal ID] \ + --set secretsBackend.azureKeyVault.clientSecret=[Service Principal secret] \ + --set secretsBackend.azureKeyVault.vaultURI=[Azure KeyVault URI] + # Server Auth KeyPair + # ... +``` + Connect to an external PostgreSQL database instead ```console @@ -142,7 +158,7 @@ The Helm Chart in this mode includes During installation, you'll need to provide - Open ID Connect Identity Provider (IDp) settings i.e [Auth0 settings](https://auth0.com/docs/get-started/applications/application-settings#basic-information) -- ~~Connection settings for a secrets storage backend, either [Hashicorp Vault](https://www.vaultproject.io/) or [AWS Secret Manager](https://aws.amazon.com/secrets-manager)~~ +- ~~Connection settings for a secrets storage backend, either [Hashicorp Vault](https://www.vaultproject.io/) or [AWS Secrets Manager](https://aws.amazon.com/secrets-manager)~~ - ~~ECDSA (ES512) key-pair used for Controlplane <-> CAS Authentication~~ #### Installation Examples @@ -309,9 +325,9 @@ controlplane: database: chainloop-controlplane-prod ``` -### Use AWS secret manager +### Use AWS secrets manager -You can swap the secret manager backend with the following settings +Instead of using [Hashicorp Vault](https://www.vaultproject.io/) (default), you can use [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) by adding these settings in your `values.yaml` file ```yaml secretsBackend: 
@@ -324,7 +340,7 @@ secretsBackend: ### Use GCP secret manager -You can swap the secret manager backend with the following settings +Or [Google Cloud Secret Manager](https://cloud.google.com/secret-manager) with the following settings ```yaml secretsBackend: @@ -334,6 +350,21 @@ secretsBackend: serviceAccountKey: [KEY] ``` +### Use Azure KeyVault + +[Azure KeyVault](https://azure.microsoft.com/en-us/products/key-vault/) is also supported + +```yaml +secretsBackend: + backend: azureKeyVault + azureKeyVault: + tenantID: [TENANT_ID] # Active Directory Tenant ID + clientID: [CLIENT_ID] # Registered application / service principal client ID + clientSecret: [CLIENT_SECRET] # Service principal client secret + vaultURI: [VAULT URI] # Azure Key Vault URL + +``` + ### Send exceptions to Sentry You can configure different sentry projects for both the controlplane and the artifact CAS @@ -391,7 +422,7 @@ chainloop config save \ | `secretsBackend.vault.token` | Vault authentication token | | | `secretsBackend.awsSecretManager.accessKey` | AWS Access KEY ID | | | `secretsBackend.awsSecretManager.secretKey` | AWS Secret Key | | -| `secretsBackend.awsSecretManager.region` | AWS Secret Manager Region | | +| `secretsBackend.awsSecretManager.region` | AWS Secrets Manager Region | | | `secretsBackend.gcpSecretManager.projectId` | GCP Project ID | | | `secretsBackend.gcpSecretManager.serviceAccountKey` | GCP Auth Key | | | `secretsBackend.azureKeyVault.tenantID` | Active Directory Tenant ID | | diff --git a/deployment/chainloop/values.yaml b/deployment/chainloop/values.yaml index c1b805727..7e677787c 100644 --- a/deployment/chainloop/values.yaml +++ b/deployment/chainloop/values.yaml @@ -29,7 +29,6 @@ secretsBackend: ## secretPrefix: "chainloop" - # Either vault, AWS secret manager or GCP secret manager enabled at the same time ## @extra secretsBackend.vault.address Vault address ## @extra secretsBackend.vault.token Vault authentication token ## 
@@ -39,7 +38,7 @@ secretsBackend: ## @extra secretsBackend.awsSecretManager.accessKey AWS Access KEY ID ## @extra secretsBackend.awsSecretManager.secretKey AWS Secret Key - ## @extra secretsBackend.awsSecretManager.region AWS Secret Manager Region + ## @extra secretsBackend.awsSecretManager.region AWS Secrets Manager Region ## # awsSecretManager: # accessKey: "" diff --git a/devel/README.md b/devel/README.md index 1d731a177..d42a67543 100644 --- a/devel/README.md +++ b/devel/README.md @@ -19,7 +19,7 @@ To get up and running you'll need Chainloop requires some configuration to be in place such as - PostgreSQL 14 connection from the Control plane -- Access to a secrets manager. Currently Hashicorp Vault and AWS secret manager are supported. +- Access to a secrets manager. Currently Hashicorp Vault, AWS Secrets Manager, GCP Secret Manager and Azure KeyVault are supported. - Open ID connect (OIDC) single sign-on credentials. Luckily, you can leverage the provided docker compose file that can be found in the `devel` directory to do all the setup for you.
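Review bot: in app/artifact-cas/README.md (hunk @@ -20) the supported-backend sentence is now inconsistent with devel/README.md in this same patch, which lists Azure KeyVault as a fourth backend; this line only gets the "Secrets Manager" spelling fix and still omits Azure. Suggest "Currently, we support Hashicorp Vault, AWS Secrets Manager, GCP Secret Manager and Azure Key Vault.", which also drops the shouting "AND".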
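Review bot: in app/controlplane/configs/samples/config.yaml (hunk @@ -27) the stale comment "# You can use either vault or aws secret manager" is deleted rather than corrected, leaving `credentials_service:` with no hint that anything other than `vault:` can go there. A sample config is where people look for this, so suggest replacing it with a comment naming the supported backends (Vault, AWS Secrets Manager, GCP Secret Manager, Azure Key Vault) and stating that only one of them is configured at a time.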
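Review bot: in deployment/chainloop/README.md (hunk @@ -50) the bullet still reads "either Hashicorp Vault or AWS Secrets Manager" although the install examples added further down in the same file cover GCP Secret Manager and Azure KeyVault; the product-name fix is right but the "either/or" list is now wrong. Suggest "- Connection settings for a secrets storage backend: Hashicorp Vault, AWS Secrets Manager, GCP Secret Manager or Azure Key Vault". The same incomplete list is mirrored in the struck-through bullet of hunk @@ -142.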
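Review bot: in the new Azure install example in deployment/chainloop/README.md (hunk @@ -104), `--set secretsBackend.azureKeyVault.clientSecret=[Service Principal secret]` passes a long-lived service-principal credential on the command line, where it ends up in shell history and is visible to other users via `ps`. The Vault and AWS examples have the same weakness, but since this snippet is new it is worth showing `--set-file secretsBackend.azureKeyVault.clientSecret=./sp-secret.txt` (or a values file with restrictive permissions) and saying why. Separately, this hunk and the later heading say "Azure KeyVault" while the values comment in hunk @@ -334 says "Azure Key Vault URL"; Microsoft's product name is "Azure Key Vault", so pick that spelling in prose and keep `azureKeyVault` only as the values key.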
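Review bot: in deployment/chainloop/README.md (hunk @@ -309) the new heading "### Use AWS secrets manager" lowercases a product name that the sentence directly under it spells "AWS Secrets Manager". Suggest "### Use AWS Secrets Manager", and for consistency "### Use GCP Secret Manager" in hunk @@ -324, which this patch leaves as "GCP secret manager".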
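Review bot: in the new "Use Azure KeyVault" values snippet in deployment/chainloop/README.md (hunk @@ -334) there is a stray empty line between `vaultURI: [VAULT URI] # Azure Key Vault URL` and the closing fence, which the AWS and GCP blocks do not have; drop it. Since `clientSecret` is a service principal secret and this block is presented as something to put in `values.yaml`, one sentence telling readers to keep that file out of version control would be a useful addition to the paragraph above the block.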
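Review bot: in deployment/chainloop/values.yaml (hunk @@ -29) deleting "# Either vault, AWS secret manager or GCP secret manager enabled at the same time" removes the only statement in the values file that the backends are mutually exclusive; the old wording was garbled, but the fact is worth keeping, especially now that `azureKeyVault` is a fourth option. Suggest replacing the line with a corrected comment such as "# Only one backend is active at a time; select it with secretsBackend.backend (e.g. awsSecretManager, gcpSecretManager, azureKeyVault)", using the key names that the `--set secretsBackend.backend=azureKeyVault` example and the parameters table in the README already document.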