diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index fc68276..7dcf00c 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -54,7 +54,7 @@ jobs: # Attest the uploaded artifacts listed in .chainloop.yaml chainloop: - uses: chainloop-dev/labs/.github/workflows/chainloop.yml@a75dff2ef342a1e5c5e1ec5c42fb99f3d1bc03cb + uses: chainloop-dev/labs/.github/workflows/chainloop.yml@main needs: deploy secrets: api_token: ${{ secrets.CHAINLOOP_WF_RELEASE }} diff --git a/docs/guides/deployment/k8s/k8s.mdx b/docs/guides/deployment/k8s/k8s.mdx index 653b4be..128a058 100644 --- a/docs/guides/deployment/k8s/k8s.mdx +++ b/docs/guides/deployment/k8s/k8s.mdx @@ -165,6 +165,19 @@ helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ ## How to guides +### CAS upload speeds are slow, what can I do? + +Chainloop uses gRPC streaming to perform artifact uploads. This method is susceptible to being very slow on high latency scenarios. [#375](https://github.com/chainloop-dev/chainloop/issues/375) + +To improve upload speeds, you need to increase [http2 flow control buffer](https://httpwg.org/specs/rfc7540.html#DisableFlowControl). This can be done in NGINX by setting the following annotation in the ingress resource. + +``` +# Improve upload speed by adding client buffering used by http2 control-flows +nginx.ingress.kubernetes.io/client-body-buffer-size: "3M" +``` + +Note: For other reverse proxies, you'll need to find the equivalent configuration. + ### Generate a ECDSA key-pair An ECDSA key-pair is required to perform authentication between the control-plane and the Artifact CAS 
@@ -376,17 +389,21 @@ chainloop config save \ ### Secrets Backend -| Name | Description | Value | -| --------------------------------------------------- | ------------------------------------------------------------------------ | ----------- | -| `secretsBackend.backend` | Secrets backend type ("vault", "awsSecretManager" or "gcpSecretManager") | `vault` | -| `secretsBackend.secretPrefix` | Prefix that will be pre-pended to all secrets in the storage backend | `chainloop` | -| `secretsBackend.vault.address` | Vault address | | -| `secretsBackend.vault.token` | Vault authentication token | | -| `secretsBackend.awsSecretManager.accessKey` | AWS Access KEY ID | | -| `secretsBackend.awsSecretManager.secretKey` | AWS Secret Key | | -| `secretsBackend.awsSecretManager.region` | AWS Secret Manager Region | | -| `secretsBackend.gcpSecretManager.projectId` | GCP Project ID | | -| `secretsBackend.gcpSecretManager.serviceAccountKey` | GCP Auth Key | | +| Name | Description | Value | +| --------------------------------------------------- | ----------------------------------------------------------------------------------------- | ----------- | +| `secretsBackend.backend` | Secrets backend type ("vault", "awsSecretManager" or "gcpSecretManager", "azureKeyVault") | `vault` | +| `secretsBackend.secretPrefix` | Prefix that will be pre-pended to all secrets in the storage backend | `chainloop` | +| `secretsBackend.vault.address` | Vault address | | +| `secretsBackend.vault.token` | Vault authentication token | | +| `secretsBackend.awsSecretManager.accessKey` | AWS Access KEY ID | | +| `secretsBackend.awsSecretManager.secretKey` | AWS Secret Key | | +| `secretsBackend.awsSecretManager.region` | AWS Secret Manager Region | | +| `secretsBackend.gcpSecretManager.projectId` | GCP Project ID | | +| `secretsBackend.gcpSecretManager.serviceAccountKey` | GCP Auth Key | | +| `secretsBackend.azureKeyVault.tenantID` | Active Directory Tenant ID | | +| `secretsBackend.azureKeyVault.clientID` | 
Registered application / service principal client ID | | +| `secretsBackend.azureKeyVault.clientSecret` | Service principal client secret | | +| `secretsBackend.azureKeyVault.vaultURI` | Azure Key Vault URL | | ### Authentication diff --git a/docs/reference/operator/cas-backend/aws-1.png b/docs/reference/operator/cas-backend/aws-1.png new file mode 100644 index 0000000..1a9a33d Binary files /dev/null and b/docs/reference/operator/cas-backend/aws-1.png differ diff --git a/docs/reference/operator/cas-backend/aws-2.png b/docs/reference/operator/cas-backend/aws-2.png new file mode 100644 index 0000000..d4aab9b Binary files /dev/null and b/docs/reference/operator/cas-backend/aws-2.png differ diff --git a/docs/reference/operator/cas-backend/cas-backend.mdx b/docs/reference/operator/cas-backend/cas-backend.mdx index af2a4c5..f2e3aa6 100644 --- a/docs/reference/operator/cas-backend/cas-backend.mdx +++ b/docs/reference/operator/cas-backend/cas-backend.mdx 
@@ -138,6 +138,76 @@ chainloop cas-backend update oci --id [BACKEND_ID] --username [NEW_USERNAME] --p chainloop cas-backend update oci --id [BACKEND_ID] --default=true ``` +### AWS S3 + +Chainloop also supports storing artifacts in [AWS S3 Blob Storage](https://aws.amazon.com/s3/). + +#### Pre-requisites + +To connect your AWS account to Chainloop you'll need: + +- **S3 Bucket Name** +- **Bucket Region** +- **AccessKeyID** +- **SecretAccessKey** + +**Create an S3 bucket** + +Create an S3 bucket and take note of the bucket name and region + +![](./aws-1.png) + +**Create an IAM user with access to that bucket** + +Next we are going to create a policy that has write/read permissions to the bucket. + +You can use the snippet below by just replacing `[bucketName]` with the actual name of the bucket you created in the step before. + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:ListBucket" + ], + "Resource": "arn:aws:s3:::[bucketName]" + }, + { + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:PutObject" + ], + "Resource": "arn:aws:s3:::[bucketName]/*" + } + ] +} +``` + +Then create an user, attach the policy to it and click on "create access Key" + +![](./aws-2.png) + +Then select third-party service and copy the access key ID and secret access key + +We are now ready to connect our AWS account to Chainloop + +```bash + $ chainloop cas-backend add aws-s3 \ + --access-key-id [accessKeyID] \ + --secret-access-key [secretAccessKey] \ + --region [region] \ + --bucket [bucketName] +``` + +#### Rotate credentials + +```bash +chainloop cas-backend update aws-s3 --id [BACKEND_ID] --access-key-id [new-accessKeyID] --secret-access-key [new-secretAccessKey] --region [new-region] +``` + ### Azure Blob Storage Chainloop also supports storing artifacts in [Azure Blob Storage](https://azure.microsoft.com/en-us/products/storage/blobs).
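Review bot: replacing the commit SHA pin `a75dff2ef342a1e5c5e1ec5c42fb99f3d1bc03cb` with `@main` in the `chainloop` job of deploy.yml makes this release pipeline execute whatever is currently on a mutable branch of chainloop-dev/labs, and that job is handed `secrets.CHAINLOOP_WF_RELEASE`. Keep the reusable workflow pinned to a full commit SHA (or to a release tag that is bumped deliberately); if the goal is to pick up a newer revision, update the SHA rather than tracking `main`. A job whose purpose is to attest the uploaded artifacts should itself be built from immutable inputs.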
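Review bot: the fenced block holding the NGINX annotation in the new "CAS upload speeds are slow" section has no language tag; tag it as yaml so it renders like the other code blocks in k8s.mdx. In the same hunk, "high latency scenarios" should read "high-latency scenarios", and the pre-existing heading in the trailing context, "Generate a ECDSA key-pair", should read "Generate an ECDSA key-pair". It would also help operators if the text said why `client-body-buffer-size: "3M"` was chosen and that NGINX allocates this buffer per request body, so they can size the value against ingress memory instead of copying it as-is.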
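Review bot: in the rewritten `secretsBackend.backend` row the "or" is now misplaced: `("vault", "awsSecretManager" or "gcpSecretManager", "azureKeyVault")` should read `("vault", "awsSecretManager", "gcpSecretManager" or "azureKeyVault")`. Since the rows are being touched anyway, "AWS Access KEY ID" should be "AWS Access Key ID" and "pre-pended" should be "prepended". `secretsBackend.azureKeyVault.clientSecret` is a credential in the same sense as `vault.token` and `awsSecretManager.secretKey`; if the chart supports referencing an existing Kubernetes Secret for these values, that option should be listed alongside so readers are not steered toward putting the secret in plain values.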
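Review bot: the "Rotate credentials" command for aws-s3 omits `--bucket`, which the `add` command requires, while it does take `--region [new-region]`; confirm whether `chainloop cas-backend update aws-s3` is meant to change the region of an existing backend, and either add `--bucket` for symmetry or drop `[new-region]` and state that only the access key pair is rotated. Wording in the same hunk: "AWS S3 Blob Storage" is not the product name, use "Amazon S3"; "create an user" should be "create a user"; and the `add` example should lose its leading `$ ` and indentation so it matches the `update` block and the OCI examples above it. The IAM policy is correctly scoped to the single bucket with only `s3:ListBucket`, `s3:GetObject` and `s3:PutObject`; it is worth saying explicitly that this is the minimum the CAS needs, and that the access key is a long-lived credential whose rotation is what the update command is for.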