chainloop-dev · jiparis · Jun 5, 2024 · Jun 4, 2024 · Jun 4, 2024 · Jun 4, 2024
diff --git a/deployment/chainloop/Chart.yaml b/deployment/chainloop/Chart.yaml
@@ -4,7 +4,7 @@ description: Chainloop is an open source software supply chain control plane, a
 
 type: application
 # Bump the patch (not minor, not major) version on each change in the Chart Source code
-version: 1.54.0
+version: 1.54.1
 # Do not update appVersion, this is handled automatically by the release process
 appVersion: v0.90.1
 

diff --git a/deployment/chainloop/README.md b/deployment/chainloop/README.md
@@ -365,6 +365,38 @@ secretsBackend:
 
 ```
 
+### Deploy in keyless mode with file-based CA
+
+*This feature is experimental, as it doesn't yet support verification.*
+
+You can enable keyless signing mode by providing a custom Certificate Authority.
+For example, these commands generate a self-signed certificate with an RSA private key of length 4096 and AES256 encryption:
+
+```bash
+> openssl genrsa -aes256 -out ca.key 4096
+...
+> openssl req -new -x509 -sha256 -key ca.key -out ca.crt
+...
+```
+
+Then you can configure your deployment values with:
+```yaml
+controlplane:
+  keylessSigning:
+    enabled: true
+    backend: fileCA
+    fileCA:
+      cert: |
+        -----BEGIN CERTIFICATE-----
+        ...
+        -----END CERTIFICATE-----
+      key: |
+        -----BEGIN ENCRYPTED PRIVATE KEY-----    
+        ...
+        -----END ENCRYPTED PRIVATE KEY-----
+      keyPass: "REDACTED"  
+```
+
 ### Send exceptions to Sentry
 
 You can configure different sentry projects for both the controlplane and the artifact CAS

diff --git a/deployment/chainloop/templates/controlplane/config.secret.yaml b/deployment/chainloop/templates/controlplane/config.secret.yaml
@@ -17,6 +17,16 @@ stringData:
   config.observability.yaml: |
     {{- include "chainloop.sentry" .Values.controlplane.sentry | nindent 4 }}
   {{- end }}
+  {{- if and .Values.controlplane.keylessSigning .Values.controlplane.keylessSigning.enabled }}
+  fileca.secret.yaml: |
+    {{- with .Values.controlplane.keylessSigning.fileCA }}
+    certificate_authority:
+      file_ca:
+        cert_path: "/ca_secrets/file_ca.cert"
+        key_path:  "/ca_secrets/file_ca.key"
+        key_pass: "{{- required "FileCA keyPass is mandatory" .keyPass }}"
+    {{- end }}
+  {{- end }}
   config.secret.yaml: |
     data:
       database:

diff --git a/deployment/chainloop/templates/controlplane/deployment.yaml b/deployment/chainloop/templates/controlplane/deployment.yaml
@@ -74,6 +74,10 @@ spec:
               mountPath: /tmp
             - name: jwt-cas-private-key
               mountPath: /secrets
+            {{- if .Values.controlplane.keylessSigning.enabled }}
+            - name: file-ca-cert
+              mountPath: /ca_secrets
+            {{- end }}
             {{- if .Values.controlplane.tlsConfig.secret.name  }}
             - name: server-certs
               mountPath: /data/server-certs
@@ -96,7 +100,7 @@ spec:
         - name: jwt-cas-private-key
           secret:
             secretName: {{ include "chainloop.controlplane.fullname" . }}-jwt-cas
-        {{- if .Values.controlplane.tlsConfig.secret.name  }}
+        {{- if .Values.controlplane.tlsConfig.secret.name }}
         - name: server-certs
           secret:
             secretName: {{ .Values.controlplane.tlsConfig.secret.name  }}
@@ -105,4 +109,9 @@ spec:
         - name: gcp-secretmanager-serviceaccountkey
           secret:
             secretName: {{ include "chainloop.controlplane.fullname" . }}-gcp-secretmanager-serviceaccountkey
+        {{- end }}
+        {{- if .Values.controlplane.keylessSigning.enabled }}
+        - name: file-ca-cert
+          secret:
+            secretName: {{ include "chainloop.controlplane.fullname" . }}-keyless-file-ca
         {{- end }}
diff --git a/deployment/chainloop/templates/controlplane/file_ca.secret.yaml b/deployment/chainloop/templates/controlplane/file_ca.secret.yaml
@@ -0,0 +1,12 @@
+{{- if and .Values.controlplane.keylessSigning.enabled (eq "fileCA" .Values.controlplane.keylessSigning.backend) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "chainloop.controlplane.fullname" . }}-keyless-file-ca
+  labels:
+    {{- include "chainloop.controlplane.labels" . | nindent 4 }}
+type: Opaque
+data:
+  file_ca.cert: {{ .Values.controlplane.keylessSigning.fileCA.cert | b64enc | quote }}
+  file_ca.key: {{ .Values.controlplane.keylessSigning.fileCA.key | b64enc | quote }}
+{{- end }}
diff --git a/deployment/chainloop/values.yaml b/deployment/chainloop/values.yaml
@@ -452,6 +452,26 @@ controlplane:
     dsn: ""
     environment: production
 
+  ## @param controlplane.keylessSigning Configuration for keyless signing using one of the supported providers
+  ## @param controlplane.keylessSigning.enabled Activates or deactivates de feature
+  ## @param controlplane.keylessSigning.backend The backend to use. Currently only "fileCA" is supported
+  ## @param controlplane.keylessSigning.fileCA.cert The PEM-encoded certificate of the file based CA
+  ##       -----BEGIN CERTIFICATE-----
+  ##       ...
+  ##       -----END CERTIFICATE-----
+  ## @param controlplane.keylessSigning.fileCA.key The PEM-encoded private key of the file based CA
+  ##       -----BEGIN RSA PRIVATE KEY-----
+  ##       ...
+  ##       -----END RSA PRIVATE KEY-----
+  ## @param controlplane.keylessSigning.fileCA.keyPass The secret key pass
+  keylessSigning:
+    enabled: false
+    backend: fileCA
+    fileCA:
+      cert: ""
+      key: ""
+      keyPass: ""
+
 ## @section Artifact Content Addressable (CAS) API
 ##################################
 #         Artifacts CAS          #