From b9423e8f65a7bf743734ccb90953b954b64b9a22 Mon Sep 17 00:00:00 2001 From: Miguel Martinez Trivino Date: Tue, 17 Oct 2023 22:54:15 +0200 Subject: [PATCH 1/4] chore(docs): update Helm Chart readme with Azure KeyVault info Signed-off-by: Miguel Martinez Trivino --- deployment/chainloop/README.md | 37 +++++++++++++++++++++++++++++--- deployment/chainloop/values.yaml | 1 - devel/README.md | 2 +- 3 files changed, 35 insertions(+), 5 deletions(-) diff --git a/deployment/chainloop/README.md b/deployment/chainloop/README.md index f9f9cb595..6322c7237 100644 --- a/deployment/chainloop/README.md +++ b/deployment/chainloop/README.md @@ -90,7 +90,7 @@ helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ # ... ``` -Deploy using GCP secret manager instead of Vault +or using GCP secret manager ```console helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ @@ -104,6 +104,22 @@ helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ # ... ``` +Or Azure KeyVault + +```console +helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ + # Open ID Connect (OIDC) + # ... + # Secrets backend + --set secretsBackend.backend=azureKeyVault \ + --set secretsBackend.azureKeyVault.tenantID=[AD tenant ID] \ + --set secretsBackend.azureKeyVault.clientID=[Service Principal ID] \ + --set secretsBackend.azureKeyVault.clientSecret=[Service Principal secret] \ + --set secretsBackend.azureKeyVault.vaultURI=[Azure KeyVault URI] + # Server Auth KeyPair + # ... +``` + Connect to an external PostgreSQL database instead ```console @@ -311,7 +327,7 @@ controlplane: ### Use AWS secret manager -You can swap the secret manager backend with the following settings +Instead of using [Hashicorp Vault](https://www.vaultproject.io/) (default), you can use [AWS Secret Manager](https://aws.amazon.com/secrets-manager/) by adding these settings in your `values.yaml` file ```yaml secretsBackend: @@ -324,7 +340,7 @@ secretsBackend: ### Use GCP secret manager -You can swap the secret manager backend with the following settings +Or [Google Cloud Secret Manager](https://cloud.google.com/secret-manager) with the following settings ```yaml secretsBackend: @@ -334,6 +350,21 @@ secretsBackend: serviceAccountKey: [KEY] ``` +### Use Azure KeyVault as credentials backend + +[Azure KeyVault](https://azure.microsoft.com/en-us/products/key-vault/) is also supported + +```yaml +secretsBackend: + backend: azureKeyVault + azureKeyVault: + tenantID: [TENANT_ID] # Active Directory Tenant ID + clientID: [CLIENT_ID] # Registered application / service principal client ID + clientSecret: [CLIENT_SECRET] # Service principal client secret + vaultURI: [VAULT URI] # Azure Key Vault URL + +``` + ### Send exceptions to Sentry You can configure different sentry projects for both the controlplane and the artifact CAS diff --git a/deployment/chainloop/values.yaml b/deployment/chainloop/values.yaml index c1b805727..d6595d44f 100644 --- a/deployment/chainloop/values.yaml +++ b/deployment/chainloop/values.yaml @@ -29,7 +29,6 @@ secretsBackend: ## secretPrefix: "chainloop" - # Either vault, AWS secret manager or GCP secret manager enabled at the same time ## @extra secretsBackend.vault.address Vault address ## @extra secretsBackend.vault.token Vault authentication token ## diff --git a/devel/README.md b/devel/README.md index 1d731a177..6083c96ee 100644 --- a/devel/README.md +++ b/devel/README.md @@ -19,7 +19,7 @@ To get up and running you'll need Chainloop requires some configuration to be in place such as - PostgreSQL 14 connection from the Control plane -- Access to a secrets manager. Currently Hashicorp Vault and AWS secret manager are supported. +- Access to a secrets manager. Currently Hashicorp Vault, AWS secret manager, GCP secret manager and Azure KeyVault are supported. - Open ID connect (OIDC) single sign-on credentials. Luckily, you can leverage the provided docker compose file that can be found in the `devel` directory to do all the setup for you. From 78ac366c9e8a300d51808d581422ca61f7b5b721 Mon Sep 17 00:00:00 2001 From: Miguel Martinez Trivino Date: Tue, 17 Oct 2023 22:55:39 +0200 Subject: [PATCH 2/4] chore(docs): update Helm Chart readme with Azure KeyVault info Signed-off-by: Miguel Martinez Trivino --- deployment/chainloop/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployment/chainloop/README.md b/deployment/chainloop/README.md index 6322c7237..0c906ded3 100644 --- a/deployment/chainloop/README.md +++ b/deployment/chainloop/README.md @@ -104,7 +104,7 @@ helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ # ... ``` -Or Azure KeyVault +or Azure KeyVault ```console helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ From bf0037ec721d33b1232046c0b8745532386d8381 Mon Sep 17 00:00:00 2001 From: Miguel Martinez Trivino Date: Wed, 18 Oct 2023 00:11:26 +0200 Subject: [PATCH 3/4] feat(docs): apply feedback Signed-off-by: Miguel Martinez Trivino --- app/artifact-cas/README.md | 2 +- app/controlplane/configs/samples/config.yaml | 1 - deployment/chainloop/README.md | 16 ++++++++-------- deployment/chainloop/values.yaml | 2 +- devel/README.md | 2 +- 5 files changed, 11 insertions(+), 12 deletions(-) diff --git a/app/artifact-cas/README.md b/app/artifact-cas/README.md index 8ae578ada..cfc0bc8eb 100644 --- a/app/artifact-cas/README.md +++ b/app/artifact-cas/README.md @@ -20,7 +20,7 @@ Its structure contains the following top to down layers. ## System Dependencies -The CAS proxy **has only one running dependency**. A secret storage backend to retrieve the OCI repository credentials. Currently, we support [Hashicorp Vault](https://www.vaultproject.io/), [AWS Secret Manager](https://aws.amazon.com/secrets-manager/) AND [GCP Secret Manager](https://cloud.google.com/secret-manager). +The CAS proxy **has only one running dependency**. A secret storage backend to retrieve the OCI repository credentials. Currently, we support [Hashicorp Vault](https://www.vaultproject.io/), [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) AND [GCP Secret Manager](https://cloud.google.com/secret-manager). This secret backend is used to download OCI repository credentials (repository path + key pair) during upload/downloads. This makes the Artifact CAS multi-tenant by default since the destination OCI backend gets selected at runtime. diff --git a/app/controlplane/configs/samples/config.yaml b/app/controlplane/configs/samples/config.yaml index 58c46b680..9f6efb58c 100644 --- a/app/controlplane/configs/samples/config.yaml +++ b/app/controlplane/configs/samples/config.yaml @@ -27,7 +27,6 @@ cas_server: # Where to store credentials such as OCI registries or third party integrations secrets credentials_service: - # You can use either vault or aws secret manager vault: address: ${VAULT_ADDRESS:http://0.0.0.0:8200} token: ${VAULT_TOKEN:notasecret} diff --git a/deployment/chainloop/README.md b/deployment/chainloop/README.md index 0c906ded3..77d924159 100644 --- a/deployment/chainloop/README.md +++ b/deployment/chainloop/README.md @@ -50,7 +50,7 @@ The Helm Chart in this mode includes During installation, you'll need to provide - Open ID Connect Identity Provider (IDp) settings i.e [Auth0 settings](https://auth0.com/docs/get-started/applications/application-settings#basic-information) -- Connection settings for a secrets storage backend, either [Hashicorp Vault](https://www.vaultproject.io/) or [AWS Secret Manager](https://aws.amazon.com/secrets-manager) +- Connection settings for a secrets storage backend, either [Hashicorp Vault](https://www.vaultproject.io/) or [AWS Secrets Manager](https://aws.amazon.com/secrets-manager) - ECDSA (ES512) key-pair used for Controlplane <-> CAS Authentication Instructions on how to create the ECDSA keypair can be found [here](#generate-a-ecdsa-key-pair). @@ -75,7 +75,7 @@ helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ --set casJWTPublicKey="$(cat public.pem)" ``` -Deploy using AWS secret manager instead of Vault +Deploy using AWS Secrets Manager instead of Vault ```console helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ @@ -90,7 +90,7 @@ helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ # ... ``` -or using GCP secret manager +or using GCP Secrets manager ```console helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ @@ -158,7 +158,7 @@ The Helm Chart in this mode includes During installation, you'll need to provide - Open ID Connect Identity Provider (IDp) settings i.e [Auth0 settings](https://auth0.com/docs/get-started/applications/application-settings#basic-information) -- ~~Connection settings for a secrets storage backend, either [Hashicorp Vault](https://www.vaultproject.io/) or [AWS Secret Manager](https://aws.amazon.com/secrets-manager)~~ +- ~~Connection settings for a secrets storage backend, either [Hashicorp Vault](https://www.vaultproject.io/) or [AWS Secrets Manager](https://aws.amazon.com/secrets-manager)~~ - ~~ECDSA (ES512) key-pair used for Controlplane <-> CAS Authentication~~ #### Installation Examples @@ -325,9 +325,9 @@ controlplane: database: chainloop-controlplane-prod ``` -### Use AWS secret manager +### Use AWS secrets manager -Instead of using [Hashicorp Vault](https://www.vaultproject.io/) (default), you can use [AWS Secret Manager](https://aws.amazon.com/secrets-manager/) by adding these settings in your `values.yaml` file +Instead of using [Hashicorp Vault](https://www.vaultproject.io/) (default), you can use [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) by adding these settings in your `values.yaml` file ```yaml secretsBackend: @@ -350,7 +350,7 @@ secretsBackend: serviceAccountKey: [KEY] ``` -### Use Azure KeyVault as credentials backend +### Use Azure KeyVault [Azure KeyVault](https://azure.microsoft.com/en-us/products/key-vault/) is also supported @@ -422,7 +422,7 @@ chainloop config save \ | `secretsBackend.vault.token` | Vault authentication token | | | `secretsBackend.awsSecretManager.accessKey` | AWS Access KEY ID | | | `secretsBackend.awsSecretManager.secretKey` | AWS Secret Key | | -| `secretsBackend.awsSecretManager.region` | AWS Secret Manager Region | | +| `secretsBackend.awsSecretManager.region` | AWS Secrets Manager Region | | | `secretsBackend.gcpSecretManager.projectId` | GCP Project ID | | | `secretsBackend.gcpSecretManager.serviceAccountKey` | GCP Auth Key | | | `secretsBackend.azureKeyVault.tenantID` | Active Directory Tenant ID | | diff --git a/deployment/chainloop/values.yaml b/deployment/chainloop/values.yaml index d6595d44f..7e677787c 100644 --- a/deployment/chainloop/values.yaml +++ b/deployment/chainloop/values.yaml @@ -38,7 +38,7 @@ secretsBackend: ## @extra secretsBackend.awsSecretManager.accessKey AWS Access KEY ID ## @extra secretsBackend.awsSecretManager.secretKey AWS Secret Key - ## @extra secretsBackend.awsSecretManager.region AWS Secret Manager Region + ## @extra secretsBackend.awsSecretManager.region AWS Secrets Manager Region ## # awsSecretManager: # accessKey: "" diff --git a/devel/README.md b/devel/README.md index 6083c96ee..d42a67543 100644 --- a/devel/README.md +++ b/devel/README.md @@ -19,7 +19,7 @@ To get up and running you'll need Chainloop requires some configuration to be in place such as - PostgreSQL 14 connection from the Control plane -- Access to a secrets manager. Currently Hashicorp Vault, AWS secret manager, GCP secret manager and Azure KeyVault are supported. +- Access to a secrets manager. Currently Hashicorp Vault, AWS Secrets Manager, GCP Secret Manager and Azure KeyVault are supported. - Open ID connect (OIDC) single sign-on credentials. Luckily, you can leverage the provided docker compose file that can be found in the `devel` directory to do all the setup for you. From fc58f03932e8c94182ef45698548fad12ccb0c97 Mon Sep 17 00:00:00 2001 From: Miguel Martinez Trivino Date: Wed, 18 Oct 2023 00:12:22 +0200 Subject: [PATCH 4/4] feat(docs): apply feedback Signed-off-by: Miguel Martinez Trivino --- deployment/chainloop/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployment/chainloop/README.md b/deployment/chainloop/README.md index 77d924159..c27898003 100644 --- a/deployment/chainloop/README.md +++ b/deployment/chainloop/README.md @@ -90,7 +90,7 @@ helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ # ... ``` -or using GCP Secrets manager +or using GCP Secret Manager ```console helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \