fulcio: AWS KMS support #831
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sfox-equinix
force-pushed
the
aws-kms-support
branch
from
1217ba3
to
a065f07
Compare
vipulagarwal
suggested changes
Sep 6, 2024
|
can we please split the changes out into two PRs (one for fulcio, one for rekor)? otherwise the release logic won't be happy. |
Prior to this commit, the chart did not provide a way to supply AWS credentials for AWS KMS. This commit adds support for AWS KMS by allowing users to supply an AWS region ID and IAM credentials. AWS KMS users must specify the "cloudPlatform" parameter with a value of "aws" and specify "certificateAuthority" as "kmsca". The chart will then look for a kubernetes secret named by the "awsCredentialsSecret" parameter. The AWS region ID can be supplied using the newly-added "awsRegion" parameter. Signed-off-by: Stephen Fox <[email protected]>
sfox-equinix
force-pushed
the
aws-kms-support
branch
from
ffa9a72
to
408e947
Compare
sfox-equinix
changed the title
4 tasks
|
Hi @bobcallaway - I split the rekor changes out into this pull request: #832 I rebased the current pull request to be for fulcio only. |
bobcallaway
previously approved these changes
Sep 10, 2024
ubernetes is the new kubernetes. Co-authored-by: Bob Callaway <[email protected]> Signed-off-by: sfox-equinix <[email protected]>
bobcallaway
approved these changes
Sep 10, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of the change
This commit adds support for AWS KMS keys to the fulcio chart. The following variables were added:
kmsType- The KMS type (e.g.,aws)awsKmsCredentialsSecretName- The name of an existing Kubernetes secret containing the IAM credentials to authenticate with AWS KMSaccessKeyIdandsecretAccessKeyawsKmsRegion- The AWS region string where the KMS key is hostedUsers must set
kmsTypeto the valueawsin order to use this feature.Existing or Associated Issue(s)
N/A
Additional Information
I tested these changes using a privately-hosted Sigstore instance. To use AWS KMS keys, users will need to supply the following changes via the values files:
kmsTypetoawsin values.yamlcertificateAuthorityto akmscain values.yamlkms_resourceto aawskms://string in values.yamlkms_cert_chainto a PEM blob containing the signers certificate (should be the first certificate in the file), optionally followed by any parent certificatesawsKmsRegionto the desired region string in values.yamlawsKmsCredentialsSecretNameChecklist
Chart.yamlaccording to semver. Where applicable, update and bump the versions in any associated umbrella chartvalues.yamland added to the README.md. The helm-docs utility can be used to generate the necessary content. Usehelm-docs --dry-runto preview the content.ct lintcommand. (**Note: This fails for me with the error:Error loading configuration: 'chart_schema.yaml' neither specified nor found in default locations)