Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade fulcios to use of the google privateca api at v1 #218

Merged
merged 4 commits into from Nov 29, 2021
Merged

Upgrade fulcios to use of the google privateca api at v1 #218

merged 4 commits into from Nov 29, 2021

Conversation

n3wscott
Copy link
Contributor

@n3wscott n3wscott commented Oct 27, 2021
edited

Signed-off-by: Scott Nichols n3wscott@chainguard.dev

Summary

We were still on a v1beta1 api for the googleca private ca. This adds a flag to use the v1 of the api. We are still needing to update the cert to v1.

The new flag --gcp_private_ca_version selects v1 by default to allow us to drop the flag when we move to v1 certs and then delete the flag and the v1beta1 codepaths.

Ticket Link

Relates to a checkbox in #191

Release Note

Fulcio now can use the v1 api for google privateca.

@n3wscott
Upgrade fulcios usage of the goole privateca api to v1
00d621a 
Signed-off-by: Scott Nichols <n3wscott@chainguard.dev>
@dlorenc
Copy link
Member

dlorenc commented Oct 27, 2021

This needs a hold until we move off of the beta1 cert right?

@n3wscott
Copy link
Contributor Author

This needs a hold until we move off of the beta1 cert right?

hm, let me look into that. As far as the docs talked about it, it is the api to talk with the cert issuer and I did not see anything about v1 vs v1beta1 certs but.... let me look

@dlorenc
Copy link
Member

dlorenc commented Oct 27, 2021

hm, let me look into that. As far as the docs talked about it, it is the api to talk with the cert issuer and I did not see anything about v1 vs v1beta1 certs but.... let me look

The "collection path" to actually address the cert changed (they added a "certpool" concept), so that's why very few things work with both...

@bobcallaway
Copy link
Member

I tried this a couple weeks ago and it did not work for me with the beta objects

@n3wscott
Copy link
Contributor Author

Okay, how about this strat @bobcallaway and @dlorenc? We can select which version and use that API. We are free to upgrade to v1 and not need to change the code. When we do that we can drop the code path.

@n3wscott
Adding a flag to select the google private ca api version at runtime
c0bc54f 
Signed-off-by: Scott Nichols <n3wscott@chainguard.dev>
@bobcallaway
Copy link
Member

+1 to the concept. we should probably write a proper interface for the CA as the code as it stands is a bit wonky. I have a fair bit of that work done but if this unblocks you we can start with this and generalize later.

@dlorenc
Copy link
Member

dlorenc commented Oct 27, 2021

Awesome, this is great.

@n3wscott n3wscott changed the title Upgrade fulcios usage of the goole privateca api to v1 Upgrade fulcios to use of the google privateca api at v1 Oct 27, 2021
@n3wscott
Copy link
Contributor Author

updated the title and description to include the fact that there is a flag now.

@bobcallaway
Copy link
Member

@n3wscott I took a pass at breaking this apart in #220 more cleanly - I'd appreciate any comments you have on that

@haydentherapper
Copy link
Contributor

I'm working on updating this PR.

@n3wscott
Merge branch 'main' into v1-googleca
54a25de 
Signed-off-by: Scott Nichols <n3wscott@chainguard.dev>
@n3wscott
Copy link
Contributor Author

sorry @haydentherapper I just updated it!

@n3wscott
lint fix.
bcdb31a 
Signed-off-by: Scott Nichols <n3wscott@chainguard.dev>
@haydentherapper
Copy link
Contributor

Thanks @n3wscott! Is there anything else that needs to be updated with the PR now?

mattmoor
mattmoor approved these changes Nov 29, 2021
View reviewed changes
Copy link
Member

@mattmoor mattmoor left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This LGTM. @bobcallaway anything else?

bobcallaway
bobcallaway approved these changes Nov 29, 2021
View reviewed changes
Copy link
Member

@bobcallaway bobcallaway left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@bobcallaway bobcallaway merged commit 229be8b into sigstore:main Nov 29, 2021
@n3wscott
Copy link
Contributor Author

@haydentherapper we need to use the new V1 cert and change the flags we use to start the server. I am a little unclear how that works

@dlorenc
Copy link
Member

dlorenc commented Nov 30, 2021

@asraa and I caught up yesterday. There's one more missing PR in cosign to add the new root cert, then we can test this!

@asraa asraa mentioned this pull request Nov 30, 2021
Merged
@haydentherapper haydentherapper mentioned this pull request Nov 30, 2021
Closed
@n3wscott n3wscott mentioned this pull request Dec 1, 2021
Merged
dlorenc referenced this pull request in dlorenc/fulcio Dec 1, 2021
@dlorenc
Fix the k8s subject parsing.
6c0d417 
This got dropped unintentionally during the interface refactor in #218 and #220.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>
@dlorenc dlorenc mentioned this pull request Dec 1, 2021
Merged
dlorenc pushed a commit that referenced this pull request Dec 1, 2021
Fix the k8s subject parsing. (#254)
7add627 
This got dropped unintentionally during the interface refactor in #218 and #220.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mattmoor mattmoor mattmoor approved these changes

@bobcallaway bobcallaway bobcallaway approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@n3wscott @dlorenc @bobcallaway @haydentherapper @mattmoor