New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add TrustRoot crd. #291
Add TrustRoot crd. #291
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you add some docs about this?
@JAORMX yeah, I'm just trying to get the rough chainsaw size bits up while sorting how this may look. |
9c2ba8b
to
8c8d85e
Compare
11d31de
to
6e9a02e
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Was mostly looking at broad strokes controller stuff, not looking too much at the details.
5cc4704
to
669df0b
Compare
Codecov Report
@@ Coverage Diff @@
## main #291 +/- ##
==========================================
- Coverage 58.91% 53.11% -5.80%
==========================================
Files 31 38 +7
Lines 3052 3660 +608
==========================================
+ Hits 1798 1944 +146
- Misses 1152 1585 +433
- Partials 102 131 +29
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
// The time the *entire* chain was valid. This is at max the | ||
// longest interval when *all* certificates in the chain where valid, | ||
// but it MAY be shorter. | ||
// dev.sigstore.common.v1.TimeRange valid_for = 4; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wouldn't this be a TTL ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the problem is that it will require a start and optionally an end :) So, I'd like to figure out how this should work hence the TODO :)
// Certificate Transparency Log | ||
CTLog []TransparencyLogInstance `json:"ctLog"` | ||
// Trusted timestamping authorities | ||
TimeStampAuthorities []CertificateAuthority `json:"timestampAuthorities"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are these optionals ? If so we could use pointers []*CertificateAuthority
and add omitempty
to the json fields
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the protos definition, this appears as timestamp_authorities
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah, I think we'll need either tlog or tsa here. Though, I suppose anything but CA could be optional.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think though that array type has a native nil, so I think the entries in it do not need to be pointers. Just need to add the // +optional above this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am wondering now whether this conflicts with https://github.com/sigstore/policy-controller/pull/391/files#diff-83af2b17cb5361a5b3357d63c88e4965bfa07cb58917fbc0b88dd071cea39ccaR117 .
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So for consistency, I think it might be better to just specify the trusted certchain in one place (trustroot) rather than bake it into each CIP, just like for Fulcio/Rekor we don't bake the certs/keys in.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
re having the underscore in the name, that's not right :) For the JSON fields, the convention is camelcase.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think in the fullness of time the URLs from the keyless/ctlog might just go away and you just refer to the trust root, since the entries in the TrustRoot have the URLs necessary to construct the clients as well as all the other necessary bits.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So for consistency, I think it might be better to just specify the trusted certchain in one place (trustroot) rather than bake it into each CIP, just like for Fulcio/Rekor we don't bake the certs/keys in.
But we bake in the keys, and ctlog references 🤔 .
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, that's why I say in fullness of time :) I think CTLog / Fulcio URL will go away and they will just refer to the TrustRoot.
type CertificateAuthority struct { | ||
// The root certificate MUST be self-signed, and so the subject and | ||
// issuer are the same. | ||
Subject DistinguishedName `json:"subject"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Don't you wanna use subject,omitempty
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is required as per the proto comments so that we can ensure the root cert is self signed.
local := client.MemoryLocalStore() | ||
tufClient := client.NewClient(local, remote) | ||
|
||
// TODO(vaikas): What should we do with above tufClient validation |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe check the targets
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I'll add that as part of when I add support for bringing those in (next PR or the one after) since this is getting big already 🤣
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Broad strokes of all of the controller stuff generally lgtm, but I haven't reviewed all of the TUF/reconciler details.
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
Signed-off-by: Ville Aikas vaikas@chainguard.dev
Summary
This PR starts adding support for being able to support multiple TUF Roots / repositories as well as bring your own keys.
The compress/uncompress will be used to serialize/unserialize air-gapped entries provided by user.
For now only supports the bring your own keys case. Since everything will be boiled down to that, it's the first step to get that wired, then will need to add grabbing the keys/certs from the actual TUF roots / repositories, but since this is getting large as it is, but demonstrates e2e going from a CRD -> Reconcile -> ConfigMap should have the necessary pieces in place to add the TUF Remote / Repository support as a follow up.
High level design document is here:
https://docs.google.com/document/d/1a-tV9YyXHvtoaZXm-eMcqP-zFTWg6Pqfjyl8W4uS9F4/edit#heading=h.ynb0pmylorbd
Release Note
Documentation