
Update chart to support azure msi oras auth provider#424

Merged
sajayantony merged 1 commit into notaryproject:main from fseldow:xinhl/msichart on Nov 17, 2022

Conversation


@fseldow fseldow commented Nov 14, 2022

Description

Chart update to support Azure MSI as oras auth provider.
Chart update to support AKV cert from multiple keyvault and certs

Fixes #314

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Please also list any relevant details for your test configuration

  • Test A
  • Test B

Checklist:

  • Does the affected code have corresponding tests?
  • Are the changes documented, not just with inline documentation, but also with conceptual documentation such as an overview of a new feature, or task-based documentation like a tutorial? Consider if this change should be announced on your project blog.
  • Does this introduce breaking changes that would require an announcement or bumping the major version?
  • Do all new files have appropriate license header?

@fseldow fseldow changed the title from "Update chart to support msi" to "Update chart to support azure msi oras auth provider and multiple akv keyvault and certs" Nov 14, 2022
readOnly: true
{{- if .Values.akvCertConfig.enabled }}
{{- range $index, $secretProviders := .Values.akvCertConfig.secretProviders }}
- mountPath: "/usr/local/ratify-certs/notary-{{ $index }}"
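Review bot: the mountPath in this hunk is keyed on `$index` from `range $index, $secretProviders := .Values.akvCertConfig.secretProviders`, so the directory a verifier is configured to read (`/usr/local/ratify-certs/notary-{{ $index }}`) depends on the position of the entry in the values list; inserting, removing or reordering a provider silently re-points every later path at a different key vault's certs. Consider deriving the suffix from a stable per-provider name in the values entry instead of the list index, and since each iteration handles a single provider the loop variable reads better as `$secretProvider`. Keeping `readOnly: true` on the mount is the right call for certificate material.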
Contributor

I have a concern about the new notary trust store. A notary verifier can only load certs from one specified directory. If we have multiple cert directories, how do you plan to integrate with notation?

Contributor Author

It is a good question. The change is based on the current ratify verifier configuration, which declares the cert path. And for AKV CSI secrets, certs from multiple key vaults have to be mounted on the container with different volumeMounts. A volume mountPath is unique within a container configuration.

So my idea is that when we transfer to the trust store:
Option 1. We do not use the AKV CSI secret to download the cert; ratify creates its own Azure provider to download it.
Option 2. According to the cert path declared in the verifier CRD, the ratify pod will initially copy the certs to the specified directory.

WDYT?
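Option 2 in the reply above, consolidating the certificates from the per-key-vault mount directories into the single directory a notation verifier reads, as an added example in Go. This is not code from this PR or from ratify; it assumes the chart's notary-<index> mount directories from the diff, and the function names (consolidateTrustStore, parseCerts, selfSignedCertPEM), the index-prefixed file naming and the self-signed demo certificate are all constructed for the example. Only files that parse as X.509 certificates are copied, so a private key or junk file that ends up in a mount cannot reach the trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// parseCerts accepts only PEM-encoded X.509 certificates, so a stray private key
// or an empty file in a mount is never copied into the trust store.
func parseCerts(data []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("unexpected PEM block type %q", block.Type)
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, fmt.Errorf("no certificates found")
	}
	return certs, nil
}

// consolidateTrustStore copies every certificate file from the per-provider mounts (the
// chart's notary-<index> directories) into dest, prefixing each file name with its mount
// index so certs from different key vaults cannot overwrite each other (hypothetical helper).
func consolidateTrustStore(mounts []string, dest string) ([]string, error) {
	if err := os.MkdirAll(dest, 0o755); err != nil {
		return nil, err
	}
	var written []string
	for i, dir := range mounts {
		entries, err := os.ReadDir(dir) // entries come back sorted by name
		if err != nil {
			return nil, fmt.Errorf("read %s: %w", dir, err)
		}
		for _, e := range entries {
			if !e.Type().IsRegular() {
				continue // skip sub-directories and symlinks
			}
			src := filepath.Join(dir, e.Name())
			data, err := os.ReadFile(src)
			if err != nil {
				return nil, err
			}
			if _, err := parseCerts(data); err != nil {
				return nil, fmt.Errorf("%s: %w", src, err)
			}
			name := fmt.Sprintf("%d-%s", i, e.Name())
			if err := os.WriteFile(filepath.Join(dest, name), data, 0o644); err != nil {
				return nil, err
			}
			written = append(written, name)
		}
	}
	return written, nil
}

// selfSignedCertPEM builds a throwaway self-signed certificate (constructed demo data).
func selfSignedCertPEM(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// main consolidates the mount directories given on the command line into the last argument.
func main() {
	n := len(os.Args)
	if n < 3 {
		fmt.Fprintln(os.Stderr, "usage: <mount-dir>... <trust-store-dir>")
		os.Exit(2)
	}
	files, err := consolidateTrustStore(os.Args[1:n-1], os.Args[n-1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("copied:", files)
}
```

Run as `go run . /usr/local/ratify-certs/notary-0 /usr/local/ratify-certs/notary-1 /path/to/truststore` inside the pod (an init step, in the spirit of Option 2). The copy aborts on the first file that is not a certificate rather than skipping it, so a misconfigured secretProviders entry that also syncs a private key fails loudly instead of partially populating the trust store.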

Contributor

Synced offline: the notation verifier will support in-memory certs soon, then we could support mounting an arbitrary number of directories of certs. We could just keep "Chart update to support Azure MSI as oras auth provider" in this PR to unblock it, and have "Chart update to support AKV cert from multiple keyvault and certs" in a following PR once the notation side is done.

@fseldow fseldow changed the title from "Update chart to support azure msi oras auth provider and multiple akv keyvault and certs" to "Update chart to support azure msi oras auth provider" Nov 16, 2022
@fseldow fseldow force-pushed the xinhl/msichart branch 2 times, most recently from 3a24389 to a9febb4 on November 16, 2022 07:59
binbin-li previously approved these changes Nov 16, 2022
@binbin-li binbin-li left a comment

lgtm

@sajayantony sajayantony merged commit fb63b16 into notaryproject:main Nov 17, 2022
bspaans pushed a commit to bspaans/ratify that referenced this pull request Oct 17, 2023