Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

migrating buildkite to ci provider #10

Open
wants to merge 15 commits into
base: javan.migrate-codefresh
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
112 changes: 104 additions & 8 deletions config/identity/config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -12,57 +12,93 @@
# See the License for the specific language governing permissions and
# limitations under the License.

define:
- &github-type "github-workflow"
- &gitlab-type "gitlab-pipeline"
- &codefresh-type "codefresh-workflow"
- &buildkite-type "buildkite-job"
oidc-issuers:
https://accounts.google.com:
issuer-url: https://accounts.google.com
client-id: sigstore
type: email
contact: [email protected]
description: "Google OIDC auth"
https://agent.buildkite.com:
issuer-url: https://agent.buildkite.com
client-id: sigstore
type: buildkite-job
type: ci-provider
ci-provider: *buildkite-type
contact: [email protected]
description: "Buildkite Agent OIDC tokens for job identity"
https://allow.pub:
issuer-url: https://allow.pub
client-id: sigstore
type: spiffe
spiffe-trust-domain: allow.pub
contact: [email protected]
description: "Server side signing support for the OCI registry vcr.pub"
https://auth.eclipse.org/auth/realms/sigstore:
issuer-url: https://auth.eclipse.org/auth/realms/sigstore
client-id: sigstore
type: email
contact: [email protected]
description: "Eclipse Foundation Production OIDC provider"
https://dev.gitlab.org:
issuer-url: https://dev.gitlab.org
client-id: sigstore
type: gitlab-pipeline
type: ci-provider
ci-provider: *gitlab-type
contact: [email protected]
description: "GitLab OIDC tokens for job identity"
https://gitlab.archlinux.org:
issuer-url: https://gitlab.archlinux.org
client-id: sigstore
type: gitlab-pipeline
type: ci-provider
ci-provider: *gitlab-type
contact: [email protected]
description: "GitLab OIDC tokens for job identity"
https://gitlab.com:
issuer-url: https://gitlab.com
client-id: sigstore
type: gitlab-pipeline
type: ci-provider
ci-provider: *gitlab-type
contact: [email protected]
description: "GitLab OIDC tokens for job identity"
https://issuer.enforce.dev:
issuer-url: https://issuer.enforce.dev
client-id: sigstore
type: chainguard-identity
contact: [email protected]
description: "Chainguard identity tokens"
https://oauth2.sigstore.dev/auth:
issuer-url: https://oauth2.sigstore.dev/auth
client-id: sigstore
type: email
issuer-claim: $.federated_claims.connector_id
contact: [email protected]
description: "dex address for fulcio"
https://oidc.codefresh.io:
issuer-url: https://oidc.codefresh.io
client-id: sigstore
type: codefresh-workflow
type: ci-provider
ci-provider: *codefresh-type
contact: [email protected]
description: "Codefresh OIDC tokens for job identity"
https://ops.gitlab.net:
issuer-url: https://ops.gitlab.net
client-id: sigstore
type: gitlab-pipeline
type: ci-provider
ci-provider: *gitlab-type
contact: [email protected]
description: "GitLab OIDC tokens for job identity"
https://token.actions.githubusercontent.com:
issuer-url: https://token.actions.githubusercontent.com
client-id: sigstore
type: github-workflow
type: ci-provider
ci-provider: *github-type
contact: [email protected]
description: "GitHub Actions OIDC auth"
meta-issuers:
https://*.oic.prod-aks.azure.com/*:
client-id: sigstore
Expand All @@ -78,4 +114,64 @@ meta-issuers:
type: kubernetes
https://token.actions.githubusercontent.com/*:
client-id: sigstore
type: github-workflow
type: ci-provider
ci-provider: *github-type
ci-issuer-metadata:
*github-type:
default-template-values:
url: "https://github.com"
extension-templates:
github-workflow-trigger: "event_name"
github-workflow-sha: "sha"
github-workflow-name: "workflow"
github-workflow-repository: "repository"
github-workflow-ref: "ref"
build-signer-uri: "{{ .url }}/{{ .job_workflow_ref }}"
build-signer-digest: "job_workflow_sha"
runner-environment: "runner_environment"
source-repository-uri: "{{ .url }}/{{ .repository }}"
source-repository-digest: "sha"
source-repository-ref: "ref"
source-repository-identifier: "repository_id"
source-repository-owner-uri: "{{ .url }}/{{ .repository_owner }}"
source-repository-owner-identifier: "repository_owner_id"
build-config-uri: "{{ .url }}/{{ .workflow_ref }}"
build-config-digest: "workflow_sha"
build-trigger: "event_name"
run-invocation-uri: "{{ .url }}/{{ .repository }}/actions/runs/{{ .run_id }}/attempts/{{ .run_attempt }}"
source-repository-visibility-at-signing: "repository_visibility"
subject-alternative-name-template: "{{ .url }}/{{ .job_workflow_ref }}"
*gitlab-type:
default-template-values:
url: "https://gitlab.com"
extension-templates:
build-signer-uri: "https://{{ .ci_config_ref_uri }}"
build-signer-digest: "ci_config_sha"
runner-environment: "runner_environment"
source-repository-uri: "{{ .url }}/{{ .repository }}"
source-repository-digest: "sha"
source-repository-ref: "ref"
source-repository-identifier: "project_id"
source-repository-owner-uri: "{{ .url }}/{{ .namespace_path }}"
source-repository-owner-identifier: "namespace_id"
build-config-uri: "https://{{ .ci_config_ref_uri }}"
build-config-digest: "ci_config_sha"
build-trigger: "pipeline_source"
run-invocation-uri: "{{ .url }}/{{ .project_path }}/-/jobs/{{ .job_id }}"
source-repository-visibility-at-signing: "repository_visibility"
subject-alternative-name-template: "https://{{ .ci_config_ref_uri }}"
*codefresh-type:
default-template-values:
url: "https://g.codefresh.io"
extension-templates:
build-signer-uri: "{{if .platform_url}}{{.platform_ur}}{{ else }}{{.url}}{{end}}/build/{{ .workflow_id }}"
runner-environment: "runner_environment"
source-repository-uri: "scm_repo_url"
source-repository-ref: "scm_ref"
build-config-uri: "{{if .platform_url}}{{.platform_ur}}{{ else }}{{.url}}{{end}}/api/pipelines/{{ .pipeline_id }}"
run-invocation-uri: "{{if .platform_url}}{{.platform_ur}}{{ else }}{{.url}}{{end}}/build/{{ .workflow_id }}"
subject-alternative-name-template: "{{if .platform_url}}{{.platform_ur}}{{ else }}{{.url}}{{end}}/{{.account_name}}/{{.pipeline_name}}:{{.account_id}}/{{.pipeline_id}}"
*buildkite-type:
default-template-values:
url: "https://buildkite.com"
subject-alternative-name-template: "{{.url}}/{{.organization_slug}}/{{.pipeline_slug}}"
19 changes: 12 additions & 7 deletions docs/oidc.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,13 +10,18 @@ Sigstore runs a federated OIDC identity provider, Dex. Users authenticate to the

To add a new OIDC issuer:

* Add the new issuer to the [configuration](https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml) and to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/buildkite)). You will define an `Issuer` type and a way to map the token to the certificate extensions.
* Define a constant with the issuer type name in the [configuration](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L213-L221), add update the [tests](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config_test.go#L473-L503)
* Map the issuer type to the token claim that will be signed over when requesting a token [here](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L464-L486). You can likely just use `sub`.
* Add a case statement to map the issuer constant to the issuer type you created [here](https://github.com/sigstore/fulcio/blob/4d9d96a/pkg/server/issuer_pool.go#L40-L62)
* Update the end-to-end gRPC tests:
* Update the [configuration test](https://github.com/sigstore/fulcio/blob/572b7c8496c29a04721f608dd0307ba08773c60c/pkg/server/grpc_server_test.go#L175)
* Add a test for the new issuer ([example](https://github.com/sigstore/fulcio/blob/572b7c8496c29a04721f608dd0307ba08773c60c/pkg/server/grpc_server_test.go#L331))
* Add the new issuer to the [configuration](https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml).
* Attention: If your issuer is for a CI provider, you should set the `type` as `ci-provider` and set the field `ci-provider` with the name of your provider. You should also fill the `ci-issuer-metadata` with the `default-template-values`, `extension-templates` and `subject-alternative-name-template`, following the pattern defined on the example ([example](tbd after migrating the github to ci-provider)).
* Important notes: The `extension-templates` and the `subject-alternative-name-template` follows the templates [pattern](https://pkg.go.dev/text/template). The name used to fill the `ci-provider` field has to be the same used as key for `ci-issuer-metadata`, we suggest to use a variable for this. If you set a `default-template-value` with the same name of a claim key, the default value will have priority over the claimed one.
* If your issuer is not for a CI provider, you need to follow the next steps:
* Add the new issuer to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/email)). You will define an `Issuer` type and a way to map the token to the certificate extensions.
* Define a constant with the issuer type name in the [configuration](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L213-L221), add update the [tests](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config_test.go#L473-L503)
* Map the issuer type to the token claim that will be signed over when requesting a token [here](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L464-L486). You can likely just use `sub`.
* Add a case statement to map the issuer constant to the issuer type you created [here](https://github.com/sigstore/fulcio/blob/4d9d96a/pkg/server/issuer_pool.go#L40-L62)
* These next steps are required only for non-ci issuers, as it is already tested for generically. Although, you are welcome to add tests for your provider if you want to.
* Update the end-to-end gRPC tests:
* Update the [configuration test](https://github.com/sigstore/fulcio/blob/572b7c8496c29a04721f608dd0307ba08773c60c/pkg/server/grpc_server_test.go#L175)
* Add a test for the new issuer ([example](https://github.com/sigstore/fulcio/blob/572b7c8496c29a04721f608dd0307ba08773c60c/pkg/server/grpc_server_test.go#L331))

See [this example](https://github.com/sigstore/fulcio/pull/890), although it is out of date as you'll now need to create an issuer type.

Expand Down
23 changes: 0 additions & 23 deletions federation/README.md

This file was deleted.

18 changes: 0 additions & 18 deletions federation/accounts.google.com/config.yaml

This file was deleted.

18 changes: 0 additions & 18 deletions federation/agent.buildkite.com/config.yaml

This file was deleted.

18 changes: 0 additions & 18 deletions federation/auth-staging.eclipse.org/config.yaml

This file was deleted.

18 changes: 0 additions & 18 deletions federation/auth.eclipse.org/config.yaml

This file was deleted.

18 changes: 0 additions & 18 deletions federation/dev.gitlab.org/config.yaml

This file was deleted.

19 changes: 0 additions & 19 deletions federation/external/allow.pub/config.yaml

This file was deleted.

18 changes: 0 additions & 18 deletions federation/gitlab.archlinux.org/config.yaml

This file was deleted.

18 changes: 0 additions & 18 deletions federation/gitlab.com/config.yaml

This file was deleted.

19 changes: 0 additions & 19 deletions federation/issuer.enforce.dev/config.yaml

This file was deleted.

Loading
Loading