From 9ba1ab22669914b01b68010fb03a29f4f1e53411 Mon Sep 17 00:00:00 2001 From: Javan lacerda Date: Wed, 10 Jul 2024 21:33:34 +0000 Subject: [PATCH] remove federation, add contact, description Signed-off-by: Javan lacerda --- config/identity/config.yaml | 25 +++++++++++++++++++ federation/README.md | 23 ----------------- federation/accounts.google.com/config.yaml | 18 ------------- federation/agent.buildkite.com/config.yaml | 18 ------------- .../auth-staging.eclipse.org/config.yaml | 18 ------------- federation/auth.eclipse.org/config.yaml | 18 ------------- federation/dev.gitlab.org/config.yaml | 18 ------------- federation/external/allow.pub/config.yaml | 19 -------------- federation/gitlab.archlinux.org/config.yaml | 18 ------------- federation/gitlab.com/config.yaml | 18 ------------- federation/issuer.enforce.dev/config.yaml | 19 -------------- federation/oauth2.sigstore.dev/config.yaml | 19 -------------- federation/oidc.codefresh.io/config.yaml | 18 ------------- federation/ops.gitlab.net/config.yaml | 18 ------------- .../config.yaml | 18 ------------- pkg/config/config.go | 5 ++++ 16 files changed, 30 insertions(+), 260 deletions(-) delete mode 100644 federation/README.md delete mode 100644 federation/accounts.google.com/config.yaml delete mode 100644 federation/agent.buildkite.com/config.yaml delete mode 100644 federation/auth-staging.eclipse.org/config.yaml delete mode 100644 federation/auth.eclipse.org/config.yaml delete mode 100644 federation/dev.gitlab.org/config.yaml delete mode 100644 federation/external/allow.pub/config.yaml delete mode 100644 federation/gitlab.archlinux.org/config.yaml delete mode 100644 federation/gitlab.com/config.yaml delete mode 100644 federation/issuer.enforce.dev/config.yaml delete mode 100644 federation/oauth2.sigstore.dev/config.yaml delete mode 100644 federation/oidc.codefresh.io/config.yaml delete mode 100644 federation/ops.gitlab.net/config.yaml delete mode 100644 federation/token.actions.githubusercontent.com/config.yaml 
diff --git a/config/identity/config.yaml b/config/identity/config.yaml
index 298d89c20..ecbfd64d6 100644
--- a/config/identity/config.yaml
+++ b/config/identity/config.yaml
@@ -17,52 +17,76 @@ oidc-issuers: issuer-url: https://accounts.google.com client-id: sigstore type: email + contact: tac@sigstore.dev + description: "Google OIDC auth" https://agent.buildkite.com: issuer-url: https://agent.buildkite.com client-id: sigstore type: buildkite-job + contact: support@buildkite.com + description: "Buildkite Agent OIDC tokens for job identity" https://allow.pub: issuer-url: https://allow.pub client-id: sigstore type: spiffe spiffe-trust-domain: allow.pub + contact: evan@phx.io + description: "Server side signing support for the OCI registry vcr.pub" https://auth.eclipse.org/auth/realms/sigstore: issuer-url: https://auth.eclipse.org/auth/realms/sigstore client-id: sigstore type: email + contact: security@eclipse-foundation.org + description: "Eclipse Foundation Production OIDC provider" https://dev.gitlab.org: issuer-url: https://dev.gitlab.org client-id: sigstore type: gitlab-pipeline + contact: distribution-be@gitlab.com + description: "GitLab OIDC tokens for job identity" https://gitlab.archlinux.org: issuer-url: https://gitlab.archlinux.org client-id: sigstore type: gitlab-pipeline + contact: sigstore@archlinux.org + description: "GitLab OIDC tokens for job identity" https://gitlab.com: issuer-url: https://gitlab.com client-id: sigstore type: gitlab-pipeline + contact: support@gitlab.com + description: "GitLab OIDC tokens for job identity" https://issuer.enforce.dev: issuer-url: https://issuer.enforce.dev client-id: sigstore type: chainguard-identity + contact: mattmoor@chainguard.dev + description: "Chainguard identity tokens" https://oauth2.sigstore.dev/auth: issuer-url: https://oauth2.sigstore.dev/auth client-id: sigstore type: email issuer-claim: $.federated_claims.connector_id + contact: tac@sigstore.dev + description: "dex address for fulcio" https://oidc.codefresh.io: issuer-url: https://oidc.codefresh.io client-id: sigstore type: codefresh-workflow + contact: support@codefresh.io + description: "Codefresh OIDC tokens for job 
identity" https://ops.gitlab.net: issuer-url: https://ops.gitlab.net client-id: sigstore type: gitlab-pipeline + contact: distribution-be@gitlab.com + description: "GitLab OIDC tokens for job identity" https://token.actions.githubusercontent.com: issuer-url: https://token.actions.githubusercontent.com client-id: sigstore type: github-workflow + contact: tac@sigstore.dev + description: "GitHub Actions OIDC auth" meta-issuers: https://*.oic.prod-aks.azure.com/*: client-id: sigstore @@ -79,3 +103,4 @@ meta-issuers: https://token.actions.githubusercontent.com/*: client-id: sigstore type: github-workflow + diff --git a/federation/README.md b/federation/README.md deleted file mode 100644 index 3d9e575cd..000000000 --- a/federation/README.md +++ /dev/null @@ -1,23 +0,0 @@ -# OIDC Federation Configs - -This directory contains configurations for individual OIDC endpoints that the public good instance of Fulcio should accept identity tokens from. - -## Usage - -To update the k8s `ConfigMap`, run `go run federation/main.go` from the root directory of this repository. - -## Adding New Entries - -We'll happily accept new entries here in the form of a pull request! -Open one up with your endpoint, filling in a directory and a `config.yaml` with the following structure: - -```yaml -url: -contact: -description: -type: -``` - -You'll then have to regenerate the ConfigMap with `go run federation/main.go`, and then send your PR. - -We'll discuss your use-case with you over the pull request, and merge! diff --git a/federation/accounts.google.com/config.yaml b/federation/accounts.google.com/config.yaml deleted file mode 100644 index b21c89a31..000000000 --- a/federation/accounts.google.com/config.yaml +++ /dev/null 
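Review bot: The `contact: mattmoor@chainguard.dev` entry under `https://issuer.enforce.dev` drops the `# TODO(mattmoor): Change to a group.` note that sat beside the same address in the removed federation/issuer.enforce.dev/config.yaml, so the only record that this security contact is an individual mailbox rather than a team alias is lost; carry the comment over as `# TODO(mattmoor): Change to a group.` on the line above `contact:`. The same consideration applies to `contact: evan@phx.io` under `https://allow.pub`, which is also a personal address with no such note. The removed federation/auth-staging.eclipse.org/config.yaml (contact security@eclipse-foundation.org, "Eclipse Foundation Staging OIDC provider") has no counterpart anywhere in this hunk, so its contact metadata disappears with this commit unless it lives in another config file; worth confirming. With federation/README.md gone, nothing tells a new issuer how to register its contact and description, so a short comment at the top of the `oidc-issuers:` block or a README note would replace it. The `oidc-issuers:` block begins before this hunk.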
@@ -1,18 +0,0 @@
-# Copyright 2021 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://accounts.google.com
-contact: tac@sigstore.dev
-description: "Google OIDC auth"
-type: "email"
diff --git a/federation/agent.buildkite.com/config.yaml b/federation/agent.buildkite.com/config.yaml
deleted file mode 100644
index bc1d46425..000000000
--- a/federation/agent.buildkite.com/config.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2023 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://agent.buildkite.com
-contact: support@buildkite.com
-description: "Buildkite Agent OIDC tokens for job identity"
-type: "buildkite-job"
diff --git a/federation/auth-staging.eclipse.org/config.yaml b/federation/auth-staging.eclipse.org/config.yaml
deleted file mode 100644
index 11c0f91cb..000000000
--- a/federation/auth-staging.eclipse.org/config.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2023 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://auth-staging.eclipse.org/realms/sigstore
-contact: security@eclipse-foundation.org
-description: "Eclipse Foundation Staging OIDC provider"
-type: "email"
diff --git a/federation/auth.eclipse.org/config.yaml b/federation/auth.eclipse.org/config.yaml
deleted file mode 100644
index be7a4b2d5..000000000
--- a/federation/auth.eclipse.org/config.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2023 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://auth.eclipse.org/auth/realms/sigstore
-contact: security@eclipse-foundation.org
-description: "Eclipse Foundation Production OIDC provider"
-type: "email"
diff --git a/federation/dev.gitlab.org/config.yaml b/federation/dev.gitlab.org/config.yaml
deleted file mode 100644
index 1fe70bccc..000000000
--- a/federation/dev.gitlab.org/config.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2023 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://dev.gitlab.org
-contact: distribution-be@gitlab.com
-description: "GitLab OIDC tokens for job identity"
-type: "gitlab-pipeline"
diff --git a/federation/external/allow.pub/config.yaml b/federation/external/allow.pub/config.yaml
deleted file mode 100644
index 69b164896..000000000
--- a/federation/external/allow.pub/config.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# Copyright 2021 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://allow.pub
-contact: evan@phx.io
-description: "Server side signing support for the OCI registry vcr.pub"
-type: "spiffe"
-spiffetrustdomain: "allow.pub"
diff --git a/federation/gitlab.archlinux.org/config.yaml b/federation/gitlab.archlinux.org/config.yaml
deleted file mode 100644
index e7796b0b0..000000000
--- a/federation/gitlab.archlinux.org/config.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2023 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://gitlab.archlinux.org
-contact: sigstore@archlinux.org
-description: "GitLab OIDC tokens for job identity"
-type: "gitlab-pipeline"
diff --git a/federation/gitlab.com/config.yaml b/federation/gitlab.com/config.yaml
deleted file mode 100644
index 8fb05c85b..000000000
--- a/federation/gitlab.com/config.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2023 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://gitlab.com
-contact: support@gitlab.com
-description: "GitLab OIDC tokens for job identity"
-type: "gitlab-pipeline"
diff --git a/federation/issuer.enforce.dev/config.yaml b/federation/issuer.enforce.dev/config.yaml
deleted file mode 100644
index 45e252a88..000000000
--- a/federation/issuer.enforce.dev/config.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# Copyright 2024 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://issuer.enforce.dev
-# TODO(mattmoor): Change to a group.
-contact: mattmoor@chainguard.dev
-description: "Chainguard identity tokens"
-type: "chainguard-identity"
diff --git a/federation/oauth2.sigstore.dev/config.yaml b/federation/oauth2.sigstore.dev/config.yaml
deleted file mode 100644
index a5782a26c..000000000
--- a/federation/oauth2.sigstore.dev/config.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# Copyright 2021 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://oauth2.sigstore.dev/auth
-issuerclaim: $.federated_claims.connector_id
-contact: tac@sigstore.dev
-description: "dex address for fulcio"
-type: "email"
diff --git a/federation/oidc.codefresh.io/config.yaml b/federation/oidc.codefresh.io/config.yaml
deleted file mode 100644
index 8d51a8adb..000000000
--- a/federation/oidc.codefresh.io/config.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2023 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://oidc.codefresh.io
-contact: support@codefresh.io
-description: "Codefresh OIDC tokens for job identity"
-type: "codefresh-workflow"
diff --git a/federation/ops.gitlab.net/config.yaml b/federation/ops.gitlab.net/config.yaml
deleted file mode 100644
index 7984c576f..000000000
--- a/federation/ops.gitlab.net/config.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2023 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://ops.gitlab.net
-contact: distribution-be@gitlab.com
-description: "GitLab OIDC tokens for job identity"
-type: "gitlab-pipeline"
diff --git a/federation/token.actions.githubusercontent.com/config.yaml b/federation/token.actions.githubusercontent.com/config.yaml
deleted file mode 100644
index a8208db01..000000000
--- a/federation/token.actions.githubusercontent.com/config.yaml
+++ /dev/null
@@ -1,18 +0,0 @@ -# Copyright 2021 The Sigstore Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -url: https://token.actions.githubusercontent.com -contact: tac@sigstore.dev -description: "GitHub Actions OIDC auth" -type: "github-workflow" diff --git a/pkg/config/config.go b/pkg/config/config.go index 6b5f01f9a..a2296147e 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -111,6 +111,11 @@ type OIDCIssuer struct { // Optional, the challenge claim expected for the issuer // Set if using a custom issuer ChallengeClaim string `json:"ChallengeClaim,omitempty" yaml:"challenge-claim,omitempty"` + // Optional, the description for the issuer + Description string `json:"Description,omitempty" yaml:"description,omitempty"` + // Optional, the contact for the issuer team + // Usually it is a email + Contact string `json:"Contact,omitempty" yaml:"contact,omitempty"` } func metaRegex(issuer string) (*regexp.Regexp, error) {
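Review bot: The new `Contact` and `Description` fields on `OIDCIssuer` are accepted as arbitrary strings with no validation visible in the hunk, and the comment `// Usually it is a email` is ungrammatical; I would write `// Optional, the contact for the issuer team; usually an email address.` to mirror the `// Optional, ...` style used for `ChallengeClaim` just above, and state in the `Description` comment that the field is informational only, if that is the case. Both fields also carry `json:"...,omitempty"` tags, so if an `OIDCIssuer` value is ever serialized toward clients the contact addresses would be emitted with it — presumably these are meant for operators only, which is worth saying in the comment so a future serialization path does not expose them unintentionally. The enclosing `OIDCIssuer` struct begins before this hunk, and the trailing `metaRegex` line is only the next declaration's signature.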