diff --git a/.github/workflows/verify-k8s.yml b/.github/workflows/verify-k8s.yml index 19266e8c2..b6fd57230 100644 --- a/.github/workflows/verify-k8s.yml +++ b/.github/workflows/verify-k8s.yml @@ -53,17 +53,10 @@ jobs: include: - issuer: "OIDC Issuer" issuer-config: | - oidc-issuers: - https://kubernetes.default.svc: - issuer-url: https://kubernetes.default.svc - client-id: sigstore - type: kubernetes + "oidc-issuers:\n https://kubernetes.default.svc:\n issuer-url: \"https://kubernetes.default.svc\"\n client-id: \"sigstore\"\n type: \"kubernetes\"" - issuer: "Meta Issuer" - issuer-config: | - meta-issuers: - https://kubernetes.*.svc: - client-id: sigstore - type: kubernetes + issuer-config: + "meta-issuers:\n https://kubernetes.*.svc: \n client-id: \"sigstore\"\n type: \"kubernetes\"" env: # https://github.com/google/go-containerregistry/pull/125 allows insecure registry for # '*.local' hostnames. This works both for `ko` and our own tag-to-digest resolution logic, @@ -131,9 +124,7 @@ jobs: namespace: fulcio-system data: config.yaml: |- - { - ${{ matrix.issuer-config }} - } + ${{ matrix.issuer-config }} server.yaml: |- host: 0.0.0.0 port: 5555 @@ -145,7 +136,7 @@ jobs: ct-log-url: "" log_type: prod EOF - + cat config/fulcio-config.yaml # Create secret needed to use fileca cat < config/fulcio-secret.yaml apiVersion: v1 diff --git a/cmd/app/serve.go b/cmd/app/serve.go index de0b28194..016e42ba0 100644 --- a/cmd/app/serve.go +++ b/cmd/app/serve.go @@ -87,7 +87,7 @@ func newServeCmd() *cobra.Command { cmd.Flags().String("hsm-caroot-id", "", "HSM ID for Root CA (only used with --ca pkcs11ca)") cmd.Flags().String("ct-log-url", "http://localhost:6962/test", "host and path (with log prefix at the end) to the ct log") cmd.Flags().String("ct-log-public-key-path", "", "Path to a PEM-encoded public key of the CT log, used to verify SCTs") - cmd.Flags().String("config-path", "/etc/fulcio-config/config.json", "path to fulcio config json") + cmd.Flags().String("config-path", "/etc/fulcio-config/config.yaml", "path to fulcio config yaml") cmd.Flags().String("pkcs11-config-path", "config/crypto11.conf", "path to fulcio pkcs11 config file") cmd.Flags().String("fileca-cert", "", "Path to CA certificate") cmd.Flags().String("fileca-key", "", "Path to CA encrypted private key") diff --git a/config/config.yaml b/config/config.yaml deleted file mode 100644 index 189503bd9..000000000 --- a/config/config.yaml +++ /dev/null @@ -1,85 +0,0 @@ -# Copyright 2024 The Sigstore Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -oidc-issuers: - https://accounts.google.com: - issuer-url: https://accounts.google.com - client-id: sigstore - type: email - https://agent.buildkite.com: - issuer-url: https://agent.buildkite.com - client-id: sigstore - type: buildkite-job - https://allow.pub: - issuer-url: https://allow.pub - client-id: sigstore - type: spiffe - spiffe-trust-domain: allow.pub - https://auth-staging.eclipse.org/realms/sigstore: - issuer-url: https://auth-staging.eclipse.org/realms/sigstore - client-id: sigstore - type: email - https://auth.eclipse.org/auth/realms/sigstore: - issuer-url: https://auth.eclipse.org/auth/realms/sigstore - client-id: sigstore - type: email - https://dev.gitlab.org: - issuer-url: https://dev.gitlab.org - client-id: sigstore - type: gitlab-pipeline - https://gitlab.archlinux.org: - issuer-url: https://gitlab.archlinux.org - client-id: sigstore - type: gitlab-pipeline - https://gitlab.com: - issuer-url: https://gitlab.com - client-id: sigstore - type: gitlab-pipeline - https://issuer.enforce.dev: - issuer-url: https://issuer.enforce.dev - client-id: sigstore - type: chainguard-identity - https://oauth2.sigstore.dev/auth: - issuer-url: https://oauth2.sigstore.dev/auth - client-id: sigstore - type: email - issuer-claim: $.federated_claims.connector_id - https://oidc.codefresh.io: - issuer-url: https://oidc.codefresh.io - client-id: sigstore - type: codefresh-workflow - https://ops.gitlab.net: - issuer-url: https://ops.gitlab.net - client-id: sigstore - type: gitlab-pipeline - https://token.actions.githubusercontent.com: - issuer-url: https://token.actions.githubusercontent.com - client-id: sigstore - type: github-workflow -meta-issuers: - https://*.oic.prod-aks.azure.com/*: - client-id: sigstore - type: kubernetes - https://container.googleapis.com/v1/projects/*/locations/*/clusters/*: - client-id: sigstore - type: kubernetes - https://oidc.eks.*.amazonaws.com/id/*: - client-id: sigstore - type: kubernetes - https://oidc.prod-aks.azure.com/*: - client-id: sigstore - type: kubernetes - https://token.actions.githubusercontent.com/*: - client-id: sigstore - type: github-workflow \ No newline at end of file diff --git a/config/fulcio-config.yaml b/config/fulcio-config.yaml deleted file mode 100644 index ad3056695..000000000 --- a/config/fulcio-config.yaml +++ /dev/null @@ -1,125 +0,0 @@ -# -# Copyright 2021 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -apiVersion: v1 -data: - config.yaml: |- - oidc-issuers: - https://accounts.google.com: - issuer-url: https://accounts.google.com - client-id: sigstore - type: email - contact: tac@sigstore.dev - description: "Google OIDC auth" - https://agent.buildkite.com: - issuer-url: https://agent.buildkite.com - client-id: sigstore - type: buildkite-job - contact: support@buildkite.com - description: "Buildkite Agent OIDC tokens for job identity" - https://allow.pub: - issuer-url: https://allow.pub - client-id: sigstore - type: spiffe - spiffe-trust-domain: allow.pub - contact: evan@phx.io - description: "Server side signing support for the OCI registry vcr.pub" - https://auth-staging.eclipse.org/realms/sigstore: - issuer-url: https://auth-staging.eclipse.org/realms/sigstore - client-id: sigstore - type: email - contact: security@eclipse-foundation.org - description: "Eclipse Foundation Staging OIDC provider" - https://auth.eclipse.org/auth/realms/sigstore: - issuer-url: https://auth.eclipse.org/auth/realms/sigstore - client-id: sigstore - type: email - contact: security@eclipse-foundation.org - description: "Eclipse Foundation Production OIDC provider" - https://dev.gitlab.org: - issuer-url: https://dev.gitlab.org - client-id: sigstore - type: gitlab-pipeline - contact: distribution-be@gitlab.com - description: "GitLab OIDC tokens for job identity" - https://gitlab.archlinux.org: - issuer-url: https://gitlab.archlinux.org - client-id: sigstore - type: gitlab-pipeline - contact: sigstore@archlinux.org - description: "GitLab OIDC tokens for job identity" - https://gitlab.com: - issuer-url: https://gitlab.com - client-id: sigstore - type: gitlab-pipeline - contact: support@gitlab.com - description: "GitLab OIDC tokens for job identity" - https://issuer.enforce.dev: - issuer-url: https://issuer.enforce.dev - client-id: sigstore - type: chainguard-identity - contact: mattmoor@chainguard.dev - description: "Chainguard identity tokens" - https://oauth2.sigstore.dev/auth: - issuer-url: https://oauth2.sigstore.dev/auth - client-id: sigstore - type: email - issuer-claim: $.federated_claims.connector_id - contact: tac@sigstore.dev - description: "dex address for fulcio" - https://oidc.codefresh.io: - issuer-url: https://oidc.codefresh.io - client-id: sigstore - type: codefresh-workflow - contact: support@codefresh.io - description: "Codefresh OIDC tokens for job identity" - https://ops.gitlab.net: - issuer-url: https://ops.gitlab.net - client-id: sigstore - type: gitlab-pipeline - contact: distribution-be@gitlab.com - description: "GitLab OIDC tokens for job identity" - https://token.actions.githubusercontent.com: - issuer-url: https://token.actions.githubusercontent.com - client-id: sigstore - type: github-workflow - contact: tac@sigstore.dev - description: "GitHub Actions OIDC auth" - meta-issuers: - https://*.oic.prod-aks.azure.com/*: - client-id: sigstore - type: kubernetes - https://container.googleapis.com/v1/projects/*/locations/*/clusters/*: - client-id: sigstore - type: kubernetes - https://oidc.eks.*.amazonaws.com/id/*: - client-id: sigstore - type: kubernetes - https://oidc.prod-aks.azure.com/*: - client-id: sigstore - type: kubernetes - https://token.actions.githubusercontent.com/*: - client-id: sigstore - type: github-workflow - server.yaml: |- - host: 0.0.0.0 - port: 5555 - grpc-port: 5554 - ca: googleca - ct-log-url: http://ct-log/test - log_type: prod -kind: ConfigMap -metadata: - name: fulcio-config - namespace: fulcio-system diff --git a/config/identity/config.yaml b/config/identity/config.yaml new file mode 100644 index 000000000..b7eccb14e --- /dev/null +++ b/config/identity/config.yaml @@ -0,0 +1,85 @@ +# Copyright 2024 The Sigstore Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +oidc-issuers: + https://accounts.google.com: + issuer-url: https://accounts.google.com + client-id: sigstore + type: email + https://agent.buildkite.com: + issuer-url: https://agent.buildkite.com + client-id: sigstore + type: buildkite-job + https://allow.pub: + issuer-url: https://allow.pub + client-id: sigstore + type: spiffe + spiffe-trust-domain: allow.pub + https://auth-staging.eclipse.org/realms/sigstore: + issuer-url: https://auth-staging.eclipse.org/realms/sigstore + client-id: sigstore + type: email + https://auth.eclipse.org/auth/realms/sigstore: + issuer-url: https://auth.eclipse.org/auth/realms/sigstore + client-id: sigstore + type: email + https://dev.gitlab.org: + issuer-url: https://dev.gitlab.org + client-id: sigstore + type: gitlab-pipeline + https://gitlab.archlinux.org: + issuer-url: https://gitlab.archlinux.org + client-id: sigstore + type: gitlab-pipeline + https://gitlab.com: + issuer-url: https://gitlab.com + client-id: sigstore + type: gitlab-pipeline + https://issuer.enforce.dev: + issuer-url: https://issuer.enforce.dev + client-id: sigstore + type: chainguard-identity + https://oauth2.sigstore.dev/auth: + issuer-url: https://oauth2.sigstore.dev/auth + client-id: sigstore + type: email + issuer-claim: $.federated_claims.connector_id + https://oidc.codefresh.io: + issuer-url: https://oidc.codefresh.io + client-id: sigstore + type: codefresh-workflow + https://ops.gitlab.net: + issuer-url: https://ops.gitlab.net + client-id: sigstore + type: gitlab-pipeline + https://token.actions.githubusercontent.com: + issuer-url: https://token.actions.githubusercontent.com + client-id: sigstore + type: github-workflow +meta-issuers: + https://*.oic.prod-aks.azure.com/*: + client-id: sigstore + type: kubernetes + https://container.googleapis.com/v1/projects/*/locations/*/clusters/*: + client-id: sigstore + type: kubernetes + https://oidc.eks.*.amazonaws.com/id/*: + client-id: sigstore + type: kubernetes + https://oidc.prod-aks.azure.com/*: + client-id: sigstore + type: kubernetes + https://token.actions.githubusercontent.com/*: + client-id: sigstore + type: github-workflow diff --git a/docker-compose.yml b/docker-compose.yml index bc9eafdf6..a720943c9 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -37,7 +37,7 @@ services: - "${FULCIO_METRICS_PORT:-2112}:2112" volumes: - ~/.config/gcloud:/root/.config/gcloud/:z # for GCP authentication - - ${FULCIO_CONFIG:-./config/config.yaml}:/etc/fulcio-config/config.yaml:z + - ${FULCIO_CONFIG:-./config/identity/config.yaml}:/etc/fulcio-config/config.yaml:z healthcheck: test: ["CMD", "curl", "-f", "http://localhost:5555/healthz"] interval: 10s diff --git a/federation/main.go b/federation/main.go deleted file mode 100644 index 7926f772a..000000000 --- a/federation/main.go +++ /dev/null @@ -1,140 +0,0 @@ -// Copyright 2021 The Sigstore Authors. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. -// - -package main - -import ( - "encoding/json" - "os" - "path/filepath" - - "github.com/sigstore/fulcio/pkg/config" - "gopkg.in/yaml.v3" -) - -var rootPaths = []string{"federation", "federation/external"} -var boilerPlate = `# -# Copyright 2021 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -` - -type federationConfig struct { - URL string - Type string - IssuerClaim string - SpiffeTrustDomain string -} - -func main() { - matches := []string{} - for _, rp := range rootPaths { - glob := filepath.Join(rp, "*/config.yaml") - globs, err := filepath.Glob(glob) - if err != nil { - panic(err) - } - matches = append(matches, globs...) - } - fulcioConfig := &config.FulcioConfig{ - OIDCIssuers: map[string]config.OIDCIssuer{}, - MetaIssuers: map[string]config.OIDCIssuer{ - // EKS Cluster OIDC issuers - "https://oidc.eks.*.amazonaws.com/id/*": { - ClientID: "sigstore", - Type: "kubernetes", - }, - // GKE Cluster OIDC issuers - "https://container.googleapis.com/v1/projects/*/locations/*/clusters/*": { - ClientID: "sigstore", - Type: "kubernetes", - }, - // AKS Cluster OIDC issuers - "https://oidc.prod-aks.azure.com/*": { - ClientID: "sigstore", - Type: "kubernetes", - }, - "https://*.oic.prod-aks.azure.com/*": { - ClientID: "sigstore", - Type: "kubernetes", - }, - // GitHub Actions OIDC unique enterprise issuers - "https://token.actions.githubusercontent.com/*": { - ClientID: "sigstore", - Type: "github-workflow", - }, - }, - } - for _, m := range matches { - b, err := os.ReadFile(m) - if err != nil { - panic(err) - } - cfg := federationConfig{} - if err := yaml.Unmarshal(b, &cfg); err != nil { - panic(err) - } - - fulcioCfg := config.OIDCIssuer{ - IssuerURL: cfg.URL, - ClientID: "sigstore", - Type: config.IssuerType(cfg.Type), - IssuerClaim: cfg.IssuerClaim, - } - if fulcioCfg.Type == config.IssuerTypeSpiffe { - fulcioCfg.SPIFFETrustDomain = cfg.SpiffeTrustDomain - } - fulcioConfig.OIDCIssuers[cfg.URL] = fulcioCfg - } - - m, err := json.MarshalIndent(fulcioConfig, "", " ") - if err != nil { - panic(err) - } - - // Update the yaml - yb, err := os.ReadFile("config/fulcio-config.yaml") - if err != nil { - panic(err) - } - - cm := map[string]interface{}{} - if err := yaml.Unmarshal(yb, &cm); err != nil { - panic(err) - } - data := cm["data"].(map[string]interface{}) - data["config.json"] = string(m) - - newYaml, err := yaml.Marshal(cm) - if err != nil { - panic(err) - } - - yamlWithBoilerplate := boilerPlate + string(newYaml) - - if err := os.WriteFile("config/fulcio-config.yaml", []byte(yamlWithBoilerplate), 0600); err != nil { - panic(err) - } -} diff --git a/pkg/config/fulcio_config_test.go b/pkg/config/fulcio_config_test.go index 34744b62d..f829a65c9 100644 --- a/pkg/config/fulcio_config_test.go +++ b/pkg/config/fulcio_config_test.go @@ -34,7 +34,7 @@ type FulcioConfigMap struct { func TestLoadFulcioConfig(t *testing.T) { _, path, _, _ := runtime.Caller(0) basepath := filepath.Dir(path) - b, err := os.ReadFile(basepath + "/../../config/config.yaml") + b, err := os.ReadFile(basepath + "/../../config/identity/config.yaml") if err != nil { t.Errorf("read file: %v", err) }