@jiparis jiparis commented Jun 4, 2024

This PR adds the secrets and configuration to support keyless signing in the K8s deployment.

Before and after applying keyless configuration in values.yaml

--- before.yaml	2024-06-04 19:01:52
+++ after.yaml	2024-06-04 19:02:02
@@ -129,6 +129,12 @@
   # We store it also as a different key so it can be reused during upgrades by the common.secrets.passwords.manage helper
   generated_jws_hmac_secret: "REDACTED"
 stringData:
+  fileca.secret.yaml: |
+    certificate_authority:
+      file_ca:
+        cert_path: "/ca_secrets/file_ca.cert"
+        key_path:  "/ca_secrets/file_ca.key"
+        key_pass: "REDACTED"
   config.secret.yaml: |
     data:
       database:
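Review bot: the extra space in `key_path:  "/ca_secrets/file_ca.key"` looks like it comes from the template and is worth aligning with the `cert_path:` line above it; otherwise the two paths line up with the `/ca_secrets` mount and the `file_ca.cert` / `file_ca.key` data keys of the new Secret, so the controlplane will find the files where this config points.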
@@ -156,6 +162,24 @@
       # Private key used to sign the JWTs meant to be consumed by the CAS
       cas_robot_account_private_key_path: "/secrets/cas.private.key"
 ---
+# Source: chainloop/templates/controlplane/file_ca.secret.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: test-chainloop-controlplane-keyless-file-ca
+  labels:
+    app.kubernetes.io/name: chainloop
+    helm.sh/chart: chainloop-1.54.1
+    app.kubernetes.io/instance: test
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/version: "v0.90.1"
+    app.kubernetes.io/part-of: chainloop
+    app.kubernetes.io/component: controlplane
+type: Opaque
+data:
+  file_ca.cert: "REDACTED"
+  file_ca.key: "REDACTED"
+---
 # Source: chainloop/templates/controlplane/jwt_cas_private_key.secret.yaml
 apiVersion: v1
 kind: Secret
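Review bot: the rendered `helm.sh/chart: chainloop-1.54.1` label must match the `version:` in Chart.yaml once the patch bump requested in review is committed; re-run `helm template` after the bump so the before/after diff reflects the final chart version. The Secret is also rendered with type `Opaque` while holding a CA private key, so make sure it is only ever populated from values (the `REDACTED` placeholders) and never with a default in the chart.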
@@ -776,7 +800,7 @@
     metadata:
       annotations:
         checksum/config: 8efedc33a9689b3bc5e07902d1acbe52f02dbe48b9a3c0186d3b281b82ce53db
-        checksum/secret-config: 20313929688b2c1fccc0283e6104a90e9f222f9494fc0cffb4b5b1449deaf23c
+        checksum/secret-config: ab779eb86eecaced7d6350510fdf93b2a88a7242d307f5a517c9d39a6e2e17eb
         checksum/cas-private-key: 83da145aeffe6a714534836f62e2eb177f6dfbfb7fbf257c3548fff320950073
         kubectl.kubernetes.io/default-container: controlplane
       labels:
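Review bot: only `checksum/secret-config` changes in this hunk; there is no checksum annotation for the new `test-chainloop-controlplane-keyless-file-ca` Secret, whereas the JWT key gets `checksum/cas-private-key`. Without one, rotating `file_ca.cert` / `file_ca.key` through values will not roll the controlplane pods; consider adding a `checksum/file-ca` annotation rendered from the new Secret template, mirroring the existing cas-private-key one.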
@@ -838,6 +862,8 @@
               mountPath: /tmp
             - name: jwt-cas-private-key
               mountPath: /secrets
+            - name: file-ca-cert
+              mountPath: /ca_secrets
       volumes:
         - name: config
           projected:
@@ -852,6 +878,9 @@
         - name: jwt-cas-private-key
           secret:
             secretName: test-chainloop-controlplane-jwt-cas
+        - name: file-ca-cert
+          secret:
+            secretName: test-chainloop-controlplane-keyless-file-ca
 ---
 # Source: chainloop/charts/postgresql/templates/primary/statefulset.yaml
 apiVersion: apps/v1
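Review bot: the `file-ca-cert` volume references the Secret by name but sets no `defaultMode`, so the key lands in the container with the Kubernetes default of 0644; since it is a CA private key, add a restrictive mode (for example `defaultMode: 0400`, adjusted for the pod's `securityContext` / `fsGroup`) so only the container user can read it. The volume name `file-ca-cert` also mounts both the certificate and the key; a name like `file-ca` would describe the contents better.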

Refs #865

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@migmartri

thanks!

It would be great if you could show a diff of doing a helm template before and after the change.

@migmartri migmartri left a comment


At first, it looks good to me!

We are missing though a section in the readme documenting this feature. Like Enable Keyless signing using local file CA or smth like that. You can see in the readme examples of excerpts of snippets about enabling different features.

Please do not merge until we double check that there is no render problem.

Another thing you need to do is to bump the chart version (patch version)

# Bump the patch (not minor, not major) version on each change in the Chart Source code
version: 1.52.0

jiparis commented Jun 4, 2024

Sure, let me amend some changes.

jiparis added 4 commits June 4, 2024 18:02
@migmartri migmartri changed the title feat(keyless): add keyless config to vault deployment feat(keyless): add keyless config to deployment template Jun 4, 2024
@migmartri migmartri left a comment


Thanks


### Deploy in keyless mode with file-based CA

*This feature is experimental, as it doesn't still support verification.*
Member


s/still/yet

Member Author


😞 those false friends ...

@jiparis jiparis merged commit 844e986 into chainloop-dev:main Jun 5, 2024
@jiparis jiparis deleted the feat-865-deploy branch June 5, 2024 07:09