Use V5 ESRP task with backing MI + AKV #102542

Merged
merged 1 commit into from
May 23, 2024

hoyosjs
Member

@hoyosjs hoyosjs commented May 22, 2024

This PR moves to using WIF + AKV RBAC to support signing diagnostic files without the need for manual cert or secret rotation.

@hoyosjs hoyosjs requested a review from a team May 22, 2024 05:29
@dotnet-issue-labeler dotnet-issue-labeler bot added the needs-area-label label May 22, 2024
@jkoritzinsky
Member

With this, could we theoretically move to using the ESRP CLI with managed identity? (To make DAC signing in the VMR easier and to simplify our infra in the repo around signing the dac and embedding it in the single file host)

@hoyosjs hoyosjs added area-Interop-coreclr area-Infrastructure-coreclr and removed needs-area-label area-Interop-coreclr labels May 22, 2024
Contributor

Tagging subscribers to this area: @hoyosjs
See info in area-owners.md if you want to be subscribed.

@dotnet dotnet deleted a comment from github-actions bot May 22, 2024
@hoyosjs
Member Author

hoyosjs commented May 22, 2024

> With this, could we theoretically move to using the ESRP CLI with managed identity? (To make DAC signing in the VMR easier and to simplify our infra in the repo around signing the dac and embedding it in the single file host)

I still need to check - that requires us to install the cert machine wide. That feels a little wide scoped for the purpose of locking down this account.

@hoyosjs hoyosjs merged commit 0778285 into dotnet:main May 23, 2024
82 checks passed
@hoyosjs
Member Author

hoyosjs commented May 24, 2024

/backport to release/9.0-preview5

Contributor

Started backporting to release/9.0-preview5: https://github.com/dotnet/runtime/actions/runs/9230551811

@hoyosjs hoyosjs deleted the juhoyosa/v5-sign-dac branch May 24, 2024 22:27
steveharter pushed a commit to steveharter/runtime that referenced this pull request May 28, 2024
Ruihan-Yin pushed a commit to Ruihan-Yin/runtime that referenced this pull request May 30, 2024
@github-actions github-actions bot locked and limited conversation to collaborators Jun 24, 2024