Infra flags for fulcio / rekor / oidc values #462
Conversation
This change allows users to specify their own values for: * Fulcio * Rekor * OIDC Issuer * OIDC Client ID * OIDC Secret All flags are marked as experimental Signed-off-by: Luke Hinds <lhinds@redhat.com>
Signed-off-by: Luke Hinds <lhinds@redhat.com>
|
Looks like you might need to plumb the flag through to the e2e tests to point at localhost |
Signed-off-by: Luke Hinds <lhinds@redhat.com>
Signed-off-by: Luke Hinds <lhinds@redhat.com>
Signed-off-by: Luke Hinds <lhinds@redhat.com>
| @@ -50,6 +51,7 @@ func applyVerifyFlags(cmd *VerifyCommand, flagset *flag.FlagSet) { | |||
| flagset.StringVar(&cmd.KeyRef, "key", "", "path to the public key file, URL, KMS URI or Kubernetes Secret") | |||
| flagset.BoolVar(&cmd.Sk, "sk", false, "whether to use a hardware security key") | |||
| flagset.StringVar(&cmd.Slot, "slot", "", "security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management)") | |||
| flagset.StringVar(&cmd.RekorURL, "rekor-url", "https://rekor.sigstore.dev", "address of rekor STL server") | |||
There was a problem hiding this comment.
I honestly prefer url, as it is a url. Are we using rekor-server anywhere else in cosign?
There was a problem hiding this comment.
rekor-server was used everywhere else in this PR except here, so I assumed that's what you intended here as well.
There was a problem hiding this comment.
IMHO we should probably s/rekor-server/rekor-url/
pkg/cosign/fulcio/fulcio.go
Outdated
| @@ -165,7 +153,7 @@ type Signer struct { | |||
| *signature.ECDSASignerVerifier | |||
| } | |||
|
|
|||
| func NewSigner(ctx context.Context, idToken string) (*Signer, error) { | |||
| func NewSigner(ctx context.Context, idToken, oidcIssuer string, oidcClientID string, oidcClientSecret string, fulcioClient string, rekorClient string) (*Signer, error) { | |||
There was a problem hiding this comment.
You can combine all these argument names and use one string argument type e.g. oidIssuer, oidcClientID, oidcClientSecret, fulcioClient, rekorClient string to be more Go idiomatic. This comment applies above as well.
There was a problem hiding this comment.
Any reason not to keep these named fulcioURL and rekorURL for consistency?
There was a problem hiding this comment.
You can combine all these argument names and use one string argument type e.g. oidIssuer, oidcClientID, oidcClientSecret, fulcioClient, rekorClient string to be more Go idiomatic. This comment applies above as well.
Yup, good call.
Any reason not to keep these named fulcioURL and rekorURL for consistency?
I think I was sticking to the convention already set in the struct, I will have check.
There was a problem hiding this comment.
I'd be in favor of changing these to "URL" or "Endpoint" to be more descriptive
There was a problem hiding this comment.
Looking into it we don't need rekorClient there(so removed it) and the fulcioClient is an connection instance from getFulcioClient
Signed-off-by: Luke Hinds <lhinds@redhat.com>
Signed-off-by: Luke Hinds <lhinds@redhat.com>
Signed-off-by: Luke Hinds <lhinds@redhat.com>
Implements flags for fulco, rekor and OIDC values to allow a user to set their own custom values.
The defaults fall to the public good service