Add TrustRoot crd. #291
Add TrustRoot crd. #291
Conversation
|
@JAORMX yeah, I'm just trying to get the rough chainsaw size bits up while sorting how this may look. |
vaikas
force-pushed
the
tuf-roots-crd
branch
from
9c2ba8b
to
8c8d85e
Compare
vaikas
force-pushed
the
tuf-roots-crd
branch
4 times, most recently
from
11d31de
to
6e9a02e
Compare
vaikas
force-pushed
the
tuf-roots-crd
branch
2 times, most recently
from
5cc4704
to
669df0b
Compare
Codecov Report
@@ Coverage Diff @@
## main #291 +/- ##
==========================================
- Coverage 58.91% 53.11% -5.80%
==========================================
Files 31 38 +7
Lines 3052 3660 +608
==========================================
+ Hits 1798 1944 +146
- Misses 1152 1585 +433
- Partials 102 131 +29
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
| // The time the *entire* chain was valid. This is at max the | ||
| // longest interval when *all* certificates in the chain where valid, | ||
| // but it MAY be shorter. | ||
| // dev.sigstore.common.v1.TimeRange valid_for = 4; |
There was a problem hiding this comment.
Wouldn't this be a TTL ?
There was a problem hiding this comment.
I think the problem is that it will require a start and optionally an end :) So, I'd like to figure out how this should work hence the TODO :)
| // Certificate Transparency Log | ||
| CTLog []TransparencyLogInstance `json:"ctLog"` | ||
| // Trusted timestamping authorities | ||
| TimeStampAuthorities []CertificateAuthority `json:"timestampAuthorities"` |
There was a problem hiding this comment.
Are these optionals ? If so we could use pointers []*CertificateAuthority and add omitempty to the json fields
There was a problem hiding this comment.
In the protos definition, this appears as timestamp_authorities
There was a problem hiding this comment.
yeah, I think we'll need either tlog or tsa here. Though, I suppose anything but CA could be optional.
There was a problem hiding this comment.
I think though that array type has a native nil, so I think the entries in it do not need to be pointers. Just need to add the // +optional above this.
There was a problem hiding this comment.
I am wondering now whether this conflicts with https://github.com/sigstore/policy-controller/pull/391/files#diff-83af2b17cb5361a5b3357d63c88e4965bfa07cb58917fbc0b88dd071cea39ccaR117 .
There was a problem hiding this comment.
So for consistency, I think it might be better to just specify the trusted certchain in one place (trustroot) rather than bake it into each CIP, just like for Fulcio/Rekor we don't bake the certs/keys in.
There was a problem hiding this comment.
re having the underscore in the name, that's not right :) For the JSON fields, the convention is camelcase.
There was a problem hiding this comment.
I think in the fullness of time the URLs from the keyless/ctlog might just go away and you just refer to the trust root, since the entries in the TrustRoot have the URLs necessary to construct the clients as well as all the other necessary bits.
There was a problem hiding this comment.
So for consistency, I think it might be better to just specify the trusted certchain in one place (trustroot) rather than bake it into each CIP, just like for Fulcio/Rekor we don't bake the certs/keys in.
But we bake in the keys, and ctlog references 🤔 .
There was a problem hiding this comment.
Yeah, that's why I say in fullness of time :) I think CTLog / Fulcio URL will go away and they will just refer to the TrustRoot.
| type CertificateAuthority struct { | ||
| // The root certificate MUST be self-signed, and so the subject and | ||
| // issuer are the same. | ||
| Subject DistinguishedName `json:"subject"` |
There was a problem hiding this comment.
Don't you wanna use subject,omitempty
There was a problem hiding this comment.
I think this is required as per the proto comments so that we can ensure the root cert is self signed.
| local := client.MemoryLocalStore() | ||
| tufClient := client.NewClient(local, remote) | ||
|
|
||
| // TODO(vaikas): What should we do with above tufClient validation |
There was a problem hiding this comment.
maybe check the targets
There was a problem hiding this comment.
Yeah, I'll add that as part of when I add support for bringing those in (next PR or the one after) since this is getting big already 🤣
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
Signed-off-by: Ville Aikas vaikas@chainguard.dev
Summary
This PR starts adding support for being able to support multiple TUF Roots / repositories as well as bring your own keys.
The compress/uncompress will be used to serialize/unserialize air-gapped entries provided by user.
For now only supports the bring your own keys case. Since everything will be boiled down to that, it's the first step to get that wired, then will need to add grabbing the keys/certs from the actual TUF roots / repositories, but since this is getting large as it is, but demonstrates e2e going from a CRD -> Reconcile -> ConfigMap should have the necessary pieces in place to add the TUF Remote / Repository support as a follow up.
High level design document is here:
https://docs.google.com/document/d/1a-tV9YyXHvtoaZXm-eMcqP-zFTWg6Pqfjyl8W4uS9F4/edit#heading=h.ynb0pmylorbd
Release Note
Documentation