Fulcio e2e testing / K8s OIDC / ephemeralca #219

Merged
merged 1 commit into from Oct 28, 2021

Conversation

mattmoor
Member

There are several parts to this change:

  1. Implement a new ephemeralca that just generates an in-memory certificate,
  2. Rename pkg/ca/pkcs11ca to pkg/ca/x509ca since it had nothing PKCS11 specific (shared with ephemeralca logic),
  3. Add support for Kubernetes OIDC via Service Account Projected Volumes,
  4. Have the KinD e2e test use ephemeralca and cosign sign an image.

I can split some of these pieces apart, but wanted to get this all working end-to-end, since a key goal was enabling e2e testing on KinD.

This follows a lot of the ideas from: https://github.com/mattmoor/kind-oidc

Signed-off-by: Matt Moore <mattomata@gmail.com>

Ticket Link

Related: #212
Fixes: #194

Release Note

Add support for Kubernetes OIDC (Service Account Projected Volumes).
Add an "ephemeralca" option to provision a CA cert in-memory for e2e testing.


mattmoor added a commit to mattmoor/cosign that referenced this pull request Oct 27, 2021
This change adds an ambient OIDC provider that will enable when the following
filesystem path is populated: `/var/run/sigstore/cosign/oidc-token`.  The intended
use of this (primarily) is to enable consuming Kubernetes OIDC tokens produced
through Service Account Projected Volumes.

To consume this you would add the following to your Kubernetes pod spec:
```yaml
      containers:
      - name: my-container-name
        image: ...
        volumeMounts:
        - name: oidc-info
          mountPath: /var/run/sigstore/cosign

      volumes:
        - name: oidc-info
          projected:
            sources:
              - serviceAccountToken:
                  path: oidc-token
                  expirationSeconds: 600 # Use as short-lived as possible.
                  audience: sigstore
```

This would also work with Tekton step definitions, or other things that permit
the use of projected volumes.

Note: Fulcio doesn't currently allow any Kubernetes provider OIDC tokens on the
public instance, but one of the things I plan to look at next is supporting the
endpoints from GKE and EKS (both of which have public discovery endpoints).

Related: sigstore/fulcio#219
Related: sigstore/fulcio#212

Signed-off-by: Matt Moore <mattomata@gmail.com>
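What the ambient provider described above has to do with the projected token, as an added example that is not cosign's or Fulcio's code: it reads the file at mountPath + path from the pod spec (`/var/run/sigstore/cosign/oidc-token`), decodes the JWT claims without verifying the signature (Fulcio does that against the issuer's discovery endpoint), and rejects a token whose `aud` does not match the `audience: sigstore` of the projection or that has already expired. `ParseClaims`, `CheckClaims` and `SampleToken` are names chosen for this example; `SampleToken` builds a constructed, unsigned token with a placeholder signature segment purely so the checks can run offline.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"
	"strings"
	"time"
)

// TokenPath is mountPath + path from the projected volume in the pod spec.
const TokenPath = "/var/run/sigstore/cosign/oidc-token"

// RequiredAudience must equal the `audience:` of the serviceAccountToken projection.
const RequiredAudience = "sigstore"

// Claims is the subset of the projected token the ambient provider needs;
// Kubernetes may emit `aud` either as a string or as an array.
type Claims struct {
	Issuer   string
	Subject  string
	Audience []string
	Expiry   time.Time
}

// ParseClaims decodes the JWT payload without checking the signature: that is
// Fulcio's job, against the issuer's discovery/JWKS endpoint, so the client
// only does cheap sanity checks before sending the token.
func ParseClaims(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("token is not a three-part JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decoding payload: %w", err)
	}
	var rc struct { // encoding/json matches iss/sub/aud/exp case-insensitively
		Iss, Sub string
		Aud      json.RawMessage
		Exp      int64
	}
	if err := json.Unmarshal(payload, &rc); err != nil {
		return nil, fmt.Errorf("parsing claims: %w", err)
	}
	c := &Claims{Issuer: rc.Iss, Subject: rc.Sub, Expiry: time.Unix(rc.Exp, 0)}
	var single string
	if json.Unmarshal(rc.Aud, &single) == nil {
		c.Audience = []string{single}
	} else if err := json.Unmarshal(rc.Aud, &c.Audience); err != nil {
		return nil, fmt.Errorf("parsing aud: %w", err)
	}
	return c, nil
}

// CheckClaims rejects a token minted for another audience or already expired.
func CheckClaims(c *Claims, now time.Time) error {
	for _, a := range c.Audience {
		if a == RequiredAudience {
			if now.Before(c.Expiry) {
				return nil
			}
			return fmt.Errorf("token expired at %s", c.Expiry.UTC().Format(time.RFC3339))
		}
	}
	return fmt.Errorf("audience %v does not include %q", c.Audience, RequiredAudience)
}

func segment(v interface{}) string {
	b, _ := json.Marshal(v)
	return base64.RawURLEncoding.EncodeToString(b)
}

// SampleToken builds a CONSTRUCTED, unsigned token shaped like a Kubernetes
// projected service account token; the signature segment is a placeholder.
func SampleToken(aud interface{}, exp time.Time) string {
	header := segment(map[string]string{"alg": "RS256", "kid": "constructed-kid"})
	payload := segment(map[string]interface{}{
		"iss": "https://kubernetes.default.svc.cluster.local",
		"sub": "system:serviceaccount:default:builder",
		"aud": aud,
		"exp": exp.Unix(),
	})
	return header + "." + payload + ".placeholder-signature"
}

func main() {
	raw, err := os.ReadFile(TokenPath) // absent outside a pod, so the provider stays off
	if err != nil {
		fmt.Println("ambient Kubernetes OIDC provider disabled:", err)
		return
	}
	c, err := ParseClaims(strings.TrimSpace(string(raw)))
	if err == nil {
		err = CheckClaims(c, time.Now())
	}
	fmt.Println("claims:", c, "accepted:", err == nil)
}
```

The expiry check is why the `expirationSeconds: 600` comment in the pod spec matters: the kubelet rotates a projected token well before it expires, so a short lifetime bounds how long a token copied out of the pod remains usable without costing the workload anything.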
mattmoor added a commit to mattmoor/cosign that referenced this pull request Oct 27, 2021
@@ -25,12 +25,11 @@ import (
"net/url"
"time"

"github.com/ThalesIgnite/crypto11"
Member
We need the crypto11 library for handling the pkcs11 session (that references the privkey instance) and I can't see any type assertion for the interface that replaces it?

Member Author

The only use of this (in this file) was the type in the signature of the function, and that parameter was passed to a function that takes interface{}. The library will still be linked into the final executable as it is still referenced in both ./pkg/pkcs11 and ./cmd/app

Member

We lose a tiny bit of type safety here I guess but it does make it easier to call. I don't think it matters much either way.

dlorenc pushed a commit to sigstore/cosign that referenced this pull request Oct 28, 2021
@dlorenc dlorenc merged commit 58ec2fa into sigstore:main Oct 28, 2021
@mattmoor mattmoor deleted the fulcio-e2e-k8s-oidc branch October 28, 2021 16:09
wlynch pushed a commit to wlynch/sigstore that referenced this pull request Jun 3, 2022
wlynch pushed a commit to wlynch/sigstore that referenced this pull request Jun 6, 2022
wlynch pushed a commit to wlynch/sigstore that referenced this pull request Jun 8, 2022

Successfully merging this pull request may close these issues: Integration tests
3 participants