diff --git a/.github/workflows/verify-k8s.yml b/.github/workflows/verify-k8s.yml index 19266e8c2..3ab2e3d77 100644 --- a/.github/workflows/verify-k8s.yml +++ b/.github/workflows/verify-k8s.yml @@ -39,31 +39,13 @@ jobs: - name: Install kubeval run: go install github.com/instrumenta/kubeval@v0.16.1 - - run: kubeval config/*.yaml + - name: Run kubeval for deployment + run: kubeval config/deployment.yaml verify-k8s-deployment: runs-on: ubuntu-latest strategy: fail-fast: false # Keep running if one leg fails. - matrix: - issuer: - - "OIDC Issuer" - - "Meta Issuer" - - include: - - issuer: "OIDC Issuer" - issuer-config: | - oidc-issuers: - https://kubernetes.default.svc: - issuer-url: https://kubernetes.default.svc - client-id: sigstore - type: kubernetes - - issuer: "Meta Issuer" - issuer-config: | - meta-issuers: - https://kubernetes.*.svc: - client-id: sigstore - type: kubernetes env: # https://github.com/google/go-containerregistry/pull/125 allows insecure registry for # '*.local' hostnames. This works both for `ko` and our own tag-to-digest resolution logic, @@ -122,6 +104,8 @@ jobs: targetPort: 2112 EOF + # Create variable for keep the fulcio config + fulcio-config=$(cat config/config.yaml) # Overwrite the configuration to be what we need for KinD. cat < config/fulcio-config.yaml apiVersion: v1 @@ -131,9 +115,7 @@ jobs: namespace: fulcio-system data: config.yaml: |- - { - ${{ matrix.issuer-config }} - } + $fulcio-config server.yaml: |- host: 0.0.0.0 port: 5555 diff --git a/config/fulcio-config.yaml b/config/fulcio-config.yaml deleted file mode 100644 index ad3056695..000000000 --- a/config/fulcio-config.yaml +++ /dev/null 
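Review bot: With the `matrix: issuer:` block removed from verify-k8s-deployment, the KinD e2e leg now depends on config/config.yaml containing an issuer that matches the in-cluster token issuer `https://kubernetes.default.svc`, and nothing in this change shows that it does; the deleted config/fulcio-config.yaml below lists only cloud-provider `meta-issuers` patterns (EKS/GKE/AKS) plus public issuers, so if config/config.yaml mirrors it, a service-account-token signing flow against KinD would be rejected by Fulcio and the coverage of the wildcard `meta-issuers` code path exercised by the old "Meta Issuer" leg is lost. Either confirm that config/config.yaml carries a `kubernetes.default.svc` entry or have the ConfigMap-writing step append a test-only issuer to the production config rather than shipping it to KinD unchanged. `strategy: fail-fast: false # Keep running if one leg fails.` now governs a single job with no matrix, so the comment is stale and the stanza can be dropped. Narrowing `kubeval config/*.yaml` to `kubeval config/deployment.yaml` is presumably because config/config.yaml is a Fulcio config rather than a Kubernetes manifest; if any other manifests remain under config/, they silently stop being schema-checked.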
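Review bot: `fulcio-config=$(cat config/config.yaml)` is not a shell variable assignment, because `-` is not a legal character in a variable name; bash parses it as a command named `fulcio-config=<file contents>` and fails with "command not found", and the later `$fulcio-config` reference expands `$fulcio` (unset, so empty) followed by the literal text `-config`, so the ConfigMap's `config.yaml` would contain just `-config`. Rename both sites to `fulcio_config=$(cat config/config.yaml)` and `$fulcio_config`. The comment above the assignment reads `# Create variable for keep the fulcio config`; suggest `# Capture the Fulcio issuer config so it can be embedded in the KinD ConfigMap below`. The enclosing run step starts and ends outside this hunk, so whether it runs under `set -e` (which would make the bad assignment fatal rather than silently empty) is not visible here.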
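Review bot: Substituting a multi-line value into the `config.yaml: |-` block scalar through `$fulcio-config` breaks the generated YAML, because only the first line of the expansion inherits the indentation of the heredoc line; every following line of config/config.yaml lands at the heredoc's left margin, terminates the block scalar early, and the ConfigMap fails to parse (independently of the invalid variable name). Indent the value when capturing it and reference it from the margin, e.g. `fulcio_config=$(sed 's/^/    /' config/config.yaml)` with the substitution line written unindented as `$fulcio_config`, using the same width as the block's other content lines (this extraction has lost indentation, so check the exact width in the file). The approach also relies on the heredoc delimiter being unquoted so the shell expands `$fulcio_config`; the previous `${{ matrix.issuer-config }}` was a GitHub-template substitution and did not depend on shell expansion, and the `cat <<...` line sits in the hunk above, so verify the delimiter there. A less fragile route is `kubectl create configmap fulcio-config -n fulcio-system --from-file=config.yaml=config/config.yaml --from-file=server.yaml=<server.yaml> --dry-run=client -o yaml`, which handles quoting and indentation for you.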
@@ -1,125 +0,0 @@ -# -# Copyright 2021 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -apiVersion: v1 -data: - config.yaml: |- - oidc-issuers: - https://accounts.google.com: - issuer-url: https://accounts.google.com - client-id: sigstore - type: email - contact: tac@sigstore.dev - description: "Google OIDC auth" - https://agent.buildkite.com: - issuer-url: https://agent.buildkite.com - client-id: sigstore - type: buildkite-job - contact: support@buildkite.com - description: "Buildkite Agent OIDC tokens for job identity" - https://allow.pub: - issuer-url: https://allow.pub - client-id: sigstore - type: spiffe - spiffe-trust-domain: allow.pub - contact: evan@phx.io - description: "Server side signing support for the OCI registry vcr.pub" - https://auth-staging.eclipse.org/realms/sigstore: - issuer-url: https://auth-staging.eclipse.org/realms/sigstore - client-id: sigstore - type: email - contact: security@eclipse-foundation.org - description: "Eclipse Foundation Staging OIDC provider" - https://auth.eclipse.org/auth/realms/sigstore: - issuer-url: https://auth.eclipse.org/auth/realms/sigstore - client-id: sigstore - type: email - contact: security@eclipse-foundation.org - description: "Eclipse Foundation Production OIDC provider" - https://dev.gitlab.org: - issuer-url: https://dev.gitlab.org - client-id: sigstore - type: gitlab-pipeline - contact: distribution-be@gitlab.com - description: "GitLab OIDC tokens for job identity" - 
https://gitlab.archlinux.org: - issuer-url: https://gitlab.archlinux.org - client-id: sigstore - type: gitlab-pipeline - contact: sigstore@archlinux.org - description: "GitLab OIDC tokens for job identity" - https://gitlab.com: - issuer-url: https://gitlab.com - client-id: sigstore - type: gitlab-pipeline - contact: support@gitlab.com - description: "GitLab OIDC tokens for job identity" - https://issuer.enforce.dev: - issuer-url: https://issuer.enforce.dev - client-id: sigstore - type: chainguard-identity - contact: mattmoor@chainguard.dev - description: "Chainguard identity tokens" - https://oauth2.sigstore.dev/auth: - issuer-url: https://oauth2.sigstore.dev/auth - client-id: sigstore - type: email - issuer-claim: $.federated_claims.connector_id - contact: tac@sigstore.dev - description: "dex address for fulcio" - https://oidc.codefresh.io: - issuer-url: https://oidc.codefresh.io - client-id: sigstore - type: codefresh-workflow - contact: support@codefresh.io - description: "Codefresh OIDC tokens for job identity" - https://ops.gitlab.net: - issuer-url: https://ops.gitlab.net - client-id: sigstore - type: gitlab-pipeline - contact: distribution-be@gitlab.com - description: "GitLab OIDC tokens for job identity" - https://token.actions.githubusercontent.com: - issuer-url: https://token.actions.githubusercontent.com - client-id: sigstore - type: github-workflow - contact: tac@sigstore.dev - description: "GitHub Actions OIDC auth" - meta-issuers: - https://*.oic.prod-aks.azure.com/*: - client-id: sigstore - type: kubernetes - https://container.googleapis.com/v1/projects/*/locations/*/clusters/*: - client-id: sigstore - type: kubernetes - https://oidc.eks.*.amazonaws.com/id/*: - client-id: sigstore - type: kubernetes - https://oidc.prod-aks.azure.com/*: - client-id: sigstore - type: kubernetes - https://token.actions.githubusercontent.com/*: - client-id: sigstore - type: github-workflow - server.yaml: |- - host: 0.0.0.0 - port: 5555 - grpc-port: 5554 - ca: googleca - 
ct-log-url: http://ct-log/test - log_type: prod -kind: ConfigMap -metadata: - name: fulcio-config - namespace: fulcio-system diff --git a/federation/main.go b/federation/main.go deleted file mode 100644 index 7926f772a..000000000 --- a/federation/main.go +++ /dev/null 
@@ -1,140 +0,0 @@ -// Copyright 2021 The Sigstore Authors. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. -// - -package main - -import ( - "encoding/json" - "os" - "path/filepath" - - "github.com/sigstore/fulcio/pkg/config" - "gopkg.in/yaml.v3" -) - -var rootPaths = []string{"federation", "federation/external"} -var boilerPlate = `# -# Copyright 2021 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -` - -type federationConfig struct { - URL string - Type string - IssuerClaim string - SpiffeTrustDomain string -} - -func main() { - matches := []string{} - for _, rp := range rootPaths { - glob := filepath.Join(rp, "*/config.yaml") - globs, err := filepath.Glob(glob) - if err != nil { - panic(err) - } - matches = append(matches, globs...) 
- } - fulcioConfig := &config.FulcioConfig{ - OIDCIssuers: map[string]config.OIDCIssuer{}, - MetaIssuers: map[string]config.OIDCIssuer{ - // EKS Cluster OIDC issuers - "https://oidc.eks.*.amazonaws.com/id/*": { - ClientID: "sigstore", - Type: "kubernetes", - }, - // GKE Cluster OIDC issuers - "https://container.googleapis.com/v1/projects/*/locations/*/clusters/*": { - ClientID: "sigstore", - Type: "kubernetes", - }, - // AKS Cluster OIDC issuers - "https://oidc.prod-aks.azure.com/*": { - ClientID: "sigstore", - Type: "kubernetes", - }, - "https://*.oic.prod-aks.azure.com/*": { - ClientID: "sigstore", - Type: "kubernetes", - }, - // GitHub Actions OIDC unique enterprise issuers - "https://token.actions.githubusercontent.com/*": { - ClientID: "sigstore", - Type: "github-workflow", - }, - }, - } - for _, m := range matches { - b, err := os.ReadFile(m) - if err != nil { - panic(err) - } - cfg := federationConfig{} - if err := yaml.Unmarshal(b, &cfg); err != nil { - panic(err) - } - - fulcioCfg := config.OIDCIssuer{ - IssuerURL: cfg.URL, - ClientID: "sigstore", - Type: config.IssuerType(cfg.Type), - IssuerClaim: cfg.IssuerClaim, - } - if fulcioCfg.Type == config.IssuerTypeSpiffe { - fulcioCfg.SPIFFETrustDomain = cfg.SpiffeTrustDomain - } - fulcioConfig.OIDCIssuers[cfg.URL] = fulcioCfg - } - - m, err := json.MarshalIndent(fulcioConfig, "", " ") - if err != nil { - panic(err) - } - - // Update the yaml - yb, err := os.ReadFile("config/fulcio-config.yaml") - if err != nil { - panic(err) - } - - cm := map[string]interface{}{} - if err := yaml.Unmarshal(yb, &cm); err != nil { - panic(err) - } - data := cm["data"].(map[string]interface{}) - data["config.json"] = string(m) - - newYaml, err := yaml.Marshal(cm) - if err != nil { - panic(err) - } - - yamlWithBoilerplate := boilerPlate + string(newYaml) - - if err := os.WriteFile("config/fulcio-config.yaml", []byte(yamlWithBoilerplate), 0600); err != nil { - panic(err) - } -}