set verify k8s workflow for get configg directly

Signed-off-by: Javan lacerda <[email protected]>

.github/workflows/verify-k8s.yml

@@ -53,17 +53,10 @@ jobs:
         include:
         - issuer: "OIDC Issuer"
           issuer-config: |
-            oidc-issuers:
-              https://kubernetes.default.svc:
-                issuer-url: https://kubernetes.default.svc
-                client-id: sigstore
-                type: kubernetes
+            "oidc-issuers:\n  https://kubernetes.default.svc:\n    issuer-url: \"https://kubernetes.default.svc\"\n    client-id: \"sigstore\"\n    type: \"kubernetes\""
         - issuer: "Meta Issuer"
-          issuer-config: |
-            meta-issuers:
-              https://kubernetes.*.svc:
-                client-id: sigstore
-                type: kubernetes
+          issuer-config:
+            "meta-issuers:\n  https://kubernetes.*.svc: \n    client-id: \"sigstore\"\n    type: \"kubernetes\""
     env:
       # https://github.com/google/go-containerregistry/pull/125 allows insecure registry for
       # '*.local' hostnames. This works both for `ko` and our own tag-to-digest resolution logic,
@@ -131,9 +124,7 @@ jobs:
             namespace: fulcio-system
           data:
             config.yaml: |-
-              {
-                ${{ matrix.issuer-config }}
-              }
+              ${{ matrix.issuer-config }}
             server.yaml: |-
               host: 0.0.0.0
               port: 5555
@@ -145,7 +136,7 @@ jobs:
               ct-log-url: ""
               log_type: prod
           EOF
-
+          cat config/fulcio-config.yaml
           # Create secret needed to use fileca
           cat <<EOF > config/fulcio-secret.yaml
           apiVersion: v1

cmd/app/serve.go

@@ -87,7 +87,7 @@ func newServeCmd() *cobra.Command {
 	cmd.Flags().String("hsm-caroot-id", "", "HSM ID for Root CA (only used with --ca pkcs11ca)")
 	cmd.Flags().String("ct-log-url", "http://localhost:6962/test", "host and path (with log prefix at the end) to the ct log")
 	cmd.Flags().String("ct-log-public-key-path", "", "Path to a PEM-encoded public key of the CT log, used to verify SCTs")
-	cmd.Flags().String("config-path", "/etc/fulcio-config/config.json", "path to fulcio config json")
+	cmd.Flags().String("config-path", "/etc/fulcio-config/config.yaml", "path to fulcio config yaml")
 	cmd.Flags().String("pkcs11-config-path", "config/crypto11.conf", "path to fulcio pkcs11 config file")
 	cmd.Flags().String("fileca-cert", "", "Path to CA certificate")
 	cmd.Flags().String("fileca-key", "", "Path to CA encrypted private key")

config/identity/config.yaml

@@ -0,0 +1,85 @@
+# Copyright 2024 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+oidc-issuers:
+  https://accounts.google.com:
+    issuer-url: https://accounts.google.com
+    client-id: sigstore
+    type: email
+  https://agent.buildkite.com:
+    issuer-url: https://agent.buildkite.com
+    client-id: sigstore
+    type: buildkite-job
+  https://allow.pub:
+    issuer-url: https://allow.pub
+    client-id: sigstore
+    type: spiffe
+    spiffe-trust-domain: allow.pub
+  https://auth-staging.eclipse.org/realms/sigstore:
+    issuer-url: https://auth-staging.eclipse.org/realms/sigstore
+    client-id: sigstore
+    type: email
+  https://auth.eclipse.org/auth/realms/sigstore:
+    issuer-url: https://auth.eclipse.org/auth/realms/sigstore
+    client-id: sigstore
+    type: email
+  https://dev.gitlab.org:
+    issuer-url: https://dev.gitlab.org
+    client-id: sigstore
+    type: gitlab-pipeline
+  https://gitlab.archlinux.org:
+    issuer-url: https://gitlab.archlinux.org
+    client-id: sigstore
+    type: gitlab-pipeline
+  https://gitlab.com:
+    issuer-url: https://gitlab.com
+    client-id: sigstore
+    type: gitlab-pipeline
+  https://issuer.enforce.dev:
+    issuer-url: https://issuer.enforce.dev
+    client-id: sigstore
+    type: chainguard-identity
+  https://oauth2.sigstore.dev/auth:
+    issuer-url: https://oauth2.sigstore.dev/auth
+    client-id: sigstore
+    type: email
+    issuer-claim: $.federated_claims.connector_id
+  https://oidc.codefresh.io:
+    issuer-url: https://oidc.codefresh.io
+    client-id: sigstore
+    type: codefresh-workflow
+  https://ops.gitlab.net:
+    issuer-url: https://ops.gitlab.net
+    client-id: sigstore
+    type: gitlab-pipeline
+  https://token.actions.githubusercontent.com:
+    issuer-url: https://token.actions.githubusercontent.com
+    client-id: sigstore
+    type: github-workflow
+meta-issuers:
+  https://*.oic.prod-aks.azure.com/*:
+    client-id: sigstore
+    type: kubernetes
+  https://container.googleapis.com/v1/projects/*/locations/*/clusters/*:
+    client-id: sigstore
+    type: kubernetes
+  https://oidc.eks.*.amazonaws.com/id/*:
+    client-id: sigstore
+    type: kubernetes
+  https://oidc.prod-aks.azure.com/*:
+    client-id: sigstore
+    type: kubernetes
+  https://token.actions.githubusercontent.com/*:
+    client-id: sigstore
+    type: github-workflow

docker-compose.yml

@@ -37,7 +37,7 @@ services:
       - "${FULCIO_METRICS_PORT:-2112}:2112"
     volumes:
       - ~/.config/gcloud:/root/.config/gcloud/:z # for GCP authentication
-      - ${FULCIO_CONFIG:-./config/config.yaml}:/etc/fulcio-config/config.yaml:z
+      - ${FULCIO_CONFIG:-./config/identity/config.yaml}:/etc/fulcio-config/config.yaml:z
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:5555/healthz"]
       interval: 10s