Skip to content

Commit

Permalink
Move configuration to yaml format (#1720)
Browse files Browse the repository at this point in the history
Migrate the configuration file from json to yaml
Also removes the fulcio-config.yaml file that isn't used
Concentrate the issuers and meta-issuers in a single file that can be found at config/identity/config.yaml
Also removes the https://auth-staging.eclipse.org/realms/sigstore from the list of issuers, as it is unavailable.
Removes the federation script as it has not been used, and switches over to a test that's run to check validity of the configuration.

Ref #1111

Signed-off-by: Javan lacerda <[email protected]>
  • Loading branch information
javanlacerda authored Jul 15, 2024
1 parent bdc2230 commit b879601
Show file tree
Hide file tree
Showing 13 changed files with 223 additions and 318 deletions.
16 changes: 6 additions & 10 deletions .github/workflows/verify-k8s.yml
Original file line number Diff line number Diff line change
Expand Up @@ -52,12 +52,11 @@ jobs:

include:
- issuer: "OIDC Issuer"
issuer-config: |
"OIDCIssuers": {"https://kubernetes.default.svc": {"IssuerURL": "https://kubernetes.default.svc","ClientID": "sigstore","Type": "kubernetes"}}
issuer-config:
"oidc-issuers:\n https://kubernetes.default.svc:\n issuer-url: \"https://kubernetes.default.svc\"\n client-id: \"sigstore\"\n type: \"kubernetes\""
- issuer: "Meta Issuer"
issuer-config: |
"MetaIssuers": {"https://kubernetes.*.svc": {"ClientID": "sigstore","Type": "kubernetes"}}
issuer-config:
"meta-issuers:\n https://kubernetes.*.svc: \n client-id: \"sigstore\"\n type: \"kubernetes\""
env:
# https://github.com/google/go-containerregistry/pull/125 allows insecure registry for
# '*.local' hostnames. This works both for `ko` and our own tag-to-digest resolution logic,
Expand Down Expand Up @@ -124,10 +123,8 @@ jobs:
name: fulcio-config
namespace: fulcio-system
data:
config.json: |-
{
${{ matrix.issuer-config }}
}
config.yaml: |-
${{ matrix.issuer-config }}
server.yaml: |-
host: 0.0.0.0
port: 5555
Expand All @@ -139,7 +136,6 @@ jobs:
ct-log-url: ""
log_type: prod
EOF
# Create secret needed to use fileca
cat <<EOF > config/fulcio-secret.yaml
apiVersion: v1
Expand Down
3 changes: 1 addition & 2 deletions .github/workflows/verify.yml
Original file line number Diff line number Diff line change
Expand Up @@ -91,5 +91,4 @@ jobs:
- name: check-config
run: |
set -e
go run federation/main.go
git diff --exit-code
go test -timeout 30s -run ^TestLoadFulcioConfig$ github.com/sigstore/fulcio/pkg/config
2 changes: 1 addition & 1 deletion cmd/app/serve.go
Original file line number Diff line number Diff line change
Expand Up @@ -87,7 +87,7 @@ func newServeCmd() *cobra.Command {
cmd.Flags().String("hsm-caroot-id", "", "HSM ID for Root CA (only used with --ca pkcs11ca)")
cmd.Flags().String("ct-log-url", "http://localhost:6962/test", "host and path (with log prefix at the end) to the ct log")
cmd.Flags().String("ct-log-public-key-path", "", "Path to a PEM-encoded public key of the CT log, used to verify SCTs")
cmd.Flags().String("config-path", "/etc/fulcio-config/config.json", "path to fulcio config json")
cmd.Flags().String("config-path", "/etc/fulcio-config/config.yaml", "path to fulcio config yaml")
cmd.Flags().String("pkcs11-config-path", "config/crypto11.conf", "path to fulcio pkcs11 config file")
cmd.Flags().String("fileca-cert", "", "Path to CA certificate")
cmd.Flags().String("fileca-key", "", "Path to CA encrypted private key")
Expand Down
35 changes: 0 additions & 35 deletions config/config.jsn

This file was deleted.

121 changes: 0 additions & 121 deletions config/fulcio-config.yaml

This file was deleted.

81 changes: 81 additions & 0 deletions config/identity/config.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,81 @@
# Copyright 2024 The Sigstore Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

oidc-issuers:
https://accounts.google.com:
issuer-url: https://accounts.google.com
client-id: sigstore
type: email
https://agent.buildkite.com:
issuer-url: https://agent.buildkite.com
client-id: sigstore
type: buildkite-job
https://allow.pub:
issuer-url: https://allow.pub
client-id: sigstore
type: spiffe
spiffe-trust-domain: allow.pub
https://auth.eclipse.org/auth/realms/sigstore:
issuer-url: https://auth.eclipse.org/auth/realms/sigstore
client-id: sigstore
type: email
https://dev.gitlab.org:
issuer-url: https://dev.gitlab.org
client-id: sigstore
type: gitlab-pipeline
https://gitlab.archlinux.org:
issuer-url: https://gitlab.archlinux.org
client-id: sigstore
type: gitlab-pipeline
https://gitlab.com:
issuer-url: https://gitlab.com
client-id: sigstore
type: gitlab-pipeline
https://issuer.enforce.dev:
issuer-url: https://issuer.enforce.dev
client-id: sigstore
type: chainguard-identity
https://oauth2.sigstore.dev/auth:
issuer-url: https://oauth2.sigstore.dev/auth
client-id: sigstore
type: email
issuer-claim: $.federated_claims.connector_id
https://oidc.codefresh.io:
issuer-url: https://oidc.codefresh.io
client-id: sigstore
type: codefresh-workflow
https://ops.gitlab.net:
issuer-url: https://ops.gitlab.net
client-id: sigstore
type: gitlab-pipeline
https://token.actions.githubusercontent.com:
issuer-url: https://token.actions.githubusercontent.com
client-id: sigstore
type: github-workflow
meta-issuers:
https://*.oic.prod-aks.azure.com/*:
client-id: sigstore
type: kubernetes
https://container.googleapis.com/v1/projects/*/locations/*/clusters/*:
client-id: sigstore
type: kubernetes
https://oidc.eks.*.amazonaws.com/id/*:
client-id: sigstore
type: kubernetes
https://oidc.prod-aks.azure.com/*:
client-id: sigstore
type: kubernetes
https://token.actions.githubusercontent.com/*:
client-id: sigstore
type: github-workflow
2 changes: 1 addition & 1 deletion docker-compose.yml
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ services:
- "${FULCIO_METRICS_PORT:-2112}:2112"
volumes:
- ~/.config/gcloud:/root/.config/gcloud/:z # for GCP authentication
- ${FULCIO_CONFIG:-./config/config.jsn}:/etc/fulcio-config/config.json:z
- ${FULCIO_CONFIG:-./config/identity/config.yaml}:/etc/fulcio-config/config.yaml:z
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:5555/healthz"]
interval: 10s
Expand Down
4 changes: 1 addition & 3 deletions docs/oidc.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,9 +10,7 @@ Sigstore runs a federated OIDC identity provider, Dex. Users authenticate to the

To add a new OIDC issuer:

* Add a file under the [`federation` folder](https://github.com/sigstore/fulcio/tree/main/federation) with the URL, new issuer type name, and contact ([example](https://github.com/sigstore/fulcio/blob/8975dfd/federation/agent.buildkite.com/config.yaml))
* Add the new issuer to the [configuration](https://github.com/sigstore/fulcio/blob/main/config/fulcio-config.yaml) by running `go run federation/main.go`
* Add the new issuer to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/buildkite)). You will define an `Issuer` type and a way to map the token to the certificate extensions.
* Add the new issuer to the [configuration](https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml) and to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/buildkite)). You will define an `Issuer` type and a way to map the token to the certificate extensions.
* Define a constant with the issuer type name in the [configuration](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L213-L221), add update the [tests](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config_test.go#L473-L503)
* Map the issuer type to the token claim that will be signed over when requesting a token [here](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L464-L486). You can likely just use `sub`.
* Add a case statement to map the issuer constant to the issuer type you created [here](https://github.com/sigstore/fulcio/blob/4d9d96a/pkg/server/issuer_pool.go#L40-L62)
Expand Down
Loading

0 comments on commit b879601

Please sign in to comment.