-
Notifications
You must be signed in to change notification settings - Fork 60
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: Updating akv cert provider to use getSecret #957
Conversation
Codecov ReportPatch coverage:
Additional details and impacted files@@ Coverage Diff @@
## main #957 +/- ##
==========================================
+ Coverage 56.99% 57.45% +0.46%
==========================================
Files 90 90
Lines 5292 5326 +34
==========================================
+ Hits 3016 3060 +44
+ Misses 1970 1956 -14
- Partials 306 310 +4
☔ View full report in Codecov by Sentry. |
```bash | ||
az keyvault certificate import \ | ||
--vault-name ${AKV_NAME} \ | ||
-n ${KEY_NAME} \ | ||
-f ${CERT_PATH} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are there any steps that walk the reader through creating a certificate? Or is that assumed knowledge or a prerequisite?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I ve actually deleted the entire kv import step, customer should follow https://learn.microsoft.com/en-us/azure/container-registry/container-registry-tutorial-sign-build-push#build-and-sign-a-container-image from the prereq section of this quick start.
|
||
data := []byte(*secretBundle.Value) | ||
|
||
if *secretBundle.ContentType == PKCS12ContentType { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
as mentioned in: #695 (comment), does pkcs12 works now in Golang?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Discussed offline, we will keep the current implementation but provided more guidance in documentation.
|
||
```bash | ||
az keyvault set-policy --name ${AKV_NAME} \ | ||
--certificate-permissions get \ | ||
--secret-permissions get \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
log an issue to update the ratify terraform resource
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Issue logged at #973
…to getSecretAKV2
Signed-off-by: Susan Shi <huish@microsoft.com>
Hi @akashsinghal and @binbin-li , i ve addressed the feedback and merged with latest main. Please give another round of review, please review aks rest result and clean up log at https://github.com/susanshi/ratify/actions/runs/5793405981/job/15701535090, and |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
certsStatus = append(certsStatus, certProperty) | ||
} | ||
default: | ||
logrus.Warnf("certificate '%s', version '%s': azure keyvualt certificate provider detected unknown block type %s", certName, version, block.Type) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: "keyvault" is mispelled in multiple places keyvualt
--> keyvault
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Signed-off-by: Susan Shi <huish@microsoft.com>
fix: fix cert-rotator test (ratify-project#992) chore: bump github.com/aws/aws-sdk-go-v2/config from 1.18.32 to 1.18.33 (ratify-project#988) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Akash Singhal <akashsinghal@microsoft.com> feat: add graceful shutdown for http server (ratify-project#949) fix: Updating akv cert provider to use getSecret (ratify-project#957) Signed-off-by: Susan Shi <huish@microsoft.com> chore: bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 (ratify-project#997) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: bump actions/setup-go from 4.0.1 to 4.1.0 (ratify-project#996) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> fix: adding experimental to dynamic plugin flag (ratify-project#980) refactor: refactor error handling (ratify-project#956) docs: add notaryv2 upgrade doc (ratify-project#999) chore: update assign.yaml template chore: update library templates chore: update library templates2 chore: update library templates fix typo chore: update library templates array
Signed-off-by: Susan Shi <huish@microsoft.com>
Description
What this PR does / why we need it:
Fixes #695
Which issue(s) this PR fixes (optional, using
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close the issue(s) when the PR gets merged):Fixes #695
Type of change
Please delete options that are not relevant.
main
branch)How Has This Been Tested?
-Uploaded existing test cert chain in e2e integration, inline root cert is no longer needed
Manual validation includes:
Checklist:
Post Merge Requirements
Helm Chart Change