feat: add key support to key management provider (ratify-project#1333)
akashsinghal authored Apr 10, 2024
1 parent 9ac7d5a commit 2894b51
Showing 23 changed files with 626 additions and 193 deletions.
2 changes: 1 addition & 1 deletion CONTRIBUTING.md
@@ -269,7 +269,7 @@ Gatekeeper requires TLS for external data provider interactions. As such ratify
helm install ratify \
./charts/ratify --atomic \
--namespace gatekeeper-system \
--set-file notationCert=./test/testdata/notation.crt \
--set-file notationCerts[0]=./test/testdata/notation.crt \
--set-file provider.tls.crt=./tls/certs/tls.crt \
--set-file provider.tls.key=./tls/certs/tls.key \
--set-file provider.tls.cabundle=./tls/certs/ca.crt
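Review bot: the changed line switches the documented command to `--set-file notationCerts[0]=./test/testdata/notation.crt`, but unquoted square brackets are a glob pattern in zsh and abort the command with "no matches found" (bash leaves them literal only because no file matches). Quote the value, e.g. `--set-file 'notationCerts[0]=./test/testdata/notation.crt'`, so the snippet is copy-pasteable in either shell.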
2 changes: 1 addition & 1 deletion RELEASES.md
@@ -88,6 +88,6 @@ helm install ratify \
--set image.repository=ghcr.io/deislabs/ratify-dev
--set image.crdRepository=ghcr.io/deislabs/ratify-crds-dev
--set image.tag=dev.<YYYYMMDD>.<ABBREVIATED_GIT_HASH_COMMIT>
--set-file notationCert=./test/testdata/notation.crt
--set-file notationCerts[0]=./test/testdata/notation.crt
```
NOTE: the tag field is the only value that will change when updating to newer dev build images
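Review bot: the `--set image.repository=...`, `--set image.crdRepository=...`, `--set image.tag=...` and the changed `--set-file notationCerts[0]=...` lines carry no trailing `\`, unlike the `helm install ratify \` line that opens the snippet, so as printed only the first line belongs to the helm command and the remaining lines would run as separate, failing shell commands. Since this line is being touched anyway, add the continuation backslashes as the CONTRIBUTING.md snippet in this same commit has them.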
27 changes: 18 additions & 9 deletions charts/ratify/README.md
@@ -30,6 +30,10 @@ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documen
$ helm upgrade -n gatekeeper-system [RELEASE_NAME] ratify/ratify
```

## Deprecation Policy

Values marked `# DEPRECATED` in the `values.yaml` as well as **DEPRECATED** in the below parameters will NOT be supported in the next major version release. Existing functionality will remain backwards compatible until the next major version release.

## Parameters

| Parameter | Description | Default |
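Review bot: the new Deprecation Policy promises that deprecated values stay backwards compatible, but it does not say which value wins when both the deprecated and the replacement value are set (for example `akvCertConfig.vaultURI` alongside `azurekeyvault.vaultURI`). The templates in this commit give the `azurekeyvault.*` value precedence and only fall back to `akvCertConfig.*`; state that here so users migrating one value at a time are not surprised.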
@@ -43,7 +47,6 @@ $ helm upgrade -n gatekeeper-system [RELEASE_NAME] ratify/ratify
| replicaCount | The number of Ratify replicas in deployment | 1 |
| affinity | Pod affinity for the Ratify deployment | `{}` |
| tolerations | Pod tolerations for the Ratify deployment | `[]` |
| notationCert | Public certificate/certificate chain used to create inline certstore used by Notation verifier. This value has been ***deprecated*** , and will be removed in future releases of Ratify. Please switch to ```notationCerts``` to specify an array of verification certificates | `` |
| notationCerts | An array of public certificate/certificate chain used to create inline certstore used by Notation verifier | `` |
| cosign.enabled | Enables/disables cosign tag-based signature lookup in ORAS store. MUST be set to true for cosign verification. | `true` |
| cosign.key | Public certificate used by cosign verifier | `` |
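Review bot: the new `cosignKeys` array consumed by `inline-key-management-provider.yaml` in this commit has no row in this table, and the unchanged `cosign.key` row beside it describes the value as a "Public certificate used by cosign verifier" although cosign verifies against a public key. Add a `cosignKeys` row next to `cosign.key` describing the array of public keys, and fix the wording of `cosign.key` while the table is being reorganized.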
@@ -120,11 +123,17 @@ $ helm upgrade -n gatekeeper-system [RELEASE_NAME] ratify/ratify
| azureWorkloadIdentity.clientId | ClientID of AAD application/Managed identity associated with Workload Identity | `` |
| azureManagedIdentity.clientId | ClientID of Managed identity | `` |
| azureManagedIdentity.tenantId | TenantID of Managed Identity resource | `` |
| akvCertConfig.enabled | Enables/disables Azure Key Vault certificate store. If you are using a custom chart, certificate store should be referenced through a Verifier CR. References in ConfigMap will not be correctly resolved. | `false` |
| akvCertConfig.vaultURI | Vault URI for AKV configured | `` |
| akvCertConfig.cert1Name | Exact name of the certificate stored in AKV. This value has been ***deprecated*** , and will be removed in future releases of Ratify. Please switch to ```akvCertConfig.certificates``` to specify an array of certificates | `` |
| akvCertConfig.cert1Version | Exact version of certificate to use from AKV. This value has been ***deprecated*** , and will be removed in future releases of Ratify. Please switch to ```akvCertConfig.certificates``` to specify an array of verification certificates | `` |
| akvCertConfig.cert2Name | Exact name of the certificate stored in AKV. This value has been ***deprecated*** , and will be removed in future releases of Ratify. Please switch to ```akvCertConfig.certificates``` to specify an array of verification certificates | `` |
| akvCertConfig.cert2Version | Exact version of certificate to use from AKV. This value has been ***deprecated*** , and will be removed in future releases of Ratify. Please switch to ```akvCertConfig.certificates``` to specify an array of verification certificates | `` |
| akvCertConfig.certificates | An array of certificate objects identified by `name` and `version` stored in AKV | `` |
| akvCertConfig.tenantId | TenantID of the configured AKV resource | `` |
| azurekeyvault.enabled | Enables/disables Azure Key Vault key management provider. If you are using a custom chart, certificate store should be referenced through a Verifier CR. | `false` |
| azurekeyvault.vaultURI | Vault URI for Azure Key Vault | `` |
| azurekeyvault.tenantID | Tenant ID of the configured Azure Key Vault resource | `` |
| azurekeyvault.certificates | An array of certificate objects identified by `name` and `version` (optional) stored in Azure Key Vault | `[]` |
| azurekeyvault.keys | An array of key objects identified by `name` and `version` (optional) stored in Azure Key Vault | `[]` |
| notationCert | **DEPRECATED** Please switch to `notationCerts` to specify an array of verification certificates. Public certificate/certificate chain used to create inline certstore used by Notation verifier. | `` |
| akvCertConfig.enabled | **DEPRECATED** Please use `azurekeyvault.enabled` instead. Enables/disables Azure Key Vault certificate store. If you are using a custom chart, certificate store should be referenced through a Verifier CR. References in ConfigMap will not be correctly resolved. | `false` |
| akvCertConfig.vaultURI | **DEPRECATED** Please use `azurekeyvault.vaultURI` instead. Vault URI for AKV configured | `` |
| akvCertConfig.cert1Name | **DEPRECATED** Please use `azurekeyvault.certificates` instead. Exact name of the certificate stored in AKV. | `` |
| akvCertConfig.cert1Version | **DEPRECATED** Please use `azurekeyvault.certificates` instead. Exact version of certificate to use from AKV.certificates | `` |
| akvCertConfig.cert2Name | **DEPRECATED** Please use `azurekeyvault.certificates` instead. Exact name of the certificate stored in AKV. | `` |
| akvCertConfig.cert2Version | **DEPRECATED** Please use `azurekeyvault.certificates` instead. Exact version of certificate to use from AKV. | `` |
| akvCertConfig.certificates | **DEPRECATED** Please use `azurekeyvault.certificates` instead. An array of certificate objects identified by `name` and `version` stored in AKV | `` |
| akvCertConfig.tenantId | **DEPRECATED** Please use `azurekeyvault.certificates` instead. TenantID of the configured AKV resource | `` |
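Review bot: the `akvCertConfig.tenantId` row tells users to switch to `azurekeyvault.certificates`; the replacement for a tenant ID is `azurekeyvault.tenantID`, which this same hunk documents a few rows up. Also, the `akvCertConfig.cert1Version` description ends with a stray `AKV.certificates` left over from the previous wording; trim it to "Exact version of certificate to use from AKV." like the `cert2Version` row.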
31 changes: 28 additions & 3 deletions charts/ratify/templates/akv-key-management-provider.yaml
@@ -1,4 +1,4 @@
{{- if .Values.akvCertConfig.enabled }}
{{- if or .Values.azurekeyvault.enabled .Values.akvCertConfig.enabled }}
apiVersion: config.ratify.deislabs.io/v1beta1
kind: KeyManagementProvider
metadata:
@@ -9,7 +9,13 @@ metadata:
spec:
type: azurekeyvault
parameters:
vaultURI: {{ required "vaultURI must be provided when AKV cert config is enabled" .Values.akvCertConfig.vaultURI }}
{{- if .Values.azurekeyvault.vaultURI }}
vaultURI: {{ .Values.azurekeyvault.vaultURI }}
{{- else if .Values.akvCertConfig.vaultURI }}
vaultURI: {{ .Values.akvCertConfig.vaultURI }}
{{- else }}
{{- fail "vaultURI must be provided when azurekeyvault is enabled. please specify azurekeyvault.vaultURI" }}
{{- end }}
certificates:
{{- if .Values.akvCertConfig.cert1Name }}
- name: {{ .Values.akvCertConfig.cert1Name }}
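Review bot: both `vaultURI:` branches emit the value unquoted; pipe them through `quote` so a URI containing characters YAML treats specially cannot break the rendered manifest. Separately, the `fail` message in the fallback branch only mentions `azurekeyvault.vaultURI`, yet this template is also rendered when only `akvCertConfig.enabled` is true; mention that `akvCertConfig.vaultURI` is still accepted (deprecated) so users on the old values get a message that matches their configuration.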
@@ -25,6 +31,25 @@ spec:
version: {{ .version }}
{{- end }}
{{- end }}
tenantID: {{ required "tenantID must be provided when AKV cert config is enabled" .Values.akvCertConfig.tenantId }}
{{- range .Values.azurekeyvault.certificates }}
{{- if .name }}
- name: {{ .name }}
version: {{ .version }}
{{- end }}
{{- end }}
keys:
{{- range .Values.azurekeyvault.keys }}
{{- if .name }}
- name: {{ .name }}
version: {{ .version }}
{{- end }}
{{- end }}
{{- if .Values.azurekeyvault.tenantID }}
tenantID: {{ .Values.azurekeyvault.tenantID }}
{{- else if .Values.akvCertConfig.tenantID }}
tenantID: {{ .Values.akvCertConfig.tenantID }}
{{- else }}
{{- fail "tenantID must be provided when azurekeyvault is enabled. please specify azurekeyvault.tenantID" }}
{{- end }}
clientID: {{ required "clientID must be provided when use workload identity in akv" .Values.azureWorkloadIdentity.clientId }}
{{ end }}
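Review bot: the deprecated fallback reads `.Values.akvCertConfig.tenantID`, but the value it replaces is spelled `tenantId` (see the removed `required "tenantID must be provided when AKV cert config is enabled" .Values.akvCertConfig.tenantId` line and the `akvCertConfig.tenantId` row in the README). Helm values are case-sensitive, so anyone still setting `akvCertConfig.tenantId` now hits the `fail` instead of the backwards-compatible path the new deprecation policy promises; change both occurrences to `.Values.akvCertConfig.tenantId`. Also, `keys:` is emitted unconditionally, so an empty `azurekeyvault.keys` renders as `keys: null`; guard it with `{{- if .Values.azurekeyvault.keys }}` unless the CRD explicitly accepts a null list.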
15 changes: 15 additions & 0 deletions charts/ratify/templates/inline-key-management-provider.yaml
@@ -28,4 +28,19 @@ spec:
parameters:
contentType: certificate
value: {{ $cert | quote }}
{{- end }}
---
{{- range $i, $key := .Values.cosignKeys }}
apiVersion: config.ratify.deislabs.io/v1beta1
kind: KeyManagementProvider
metadata:
name: {{$fullname}}-cosign-inline-key-{{$i}}
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-weight: "5"
spec:
type: inline
parameters:
contentType: key
value: {{ $key | quote }}
{{- end }}
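Review bot: the document separator `---` is emitted once before the `range` over `.Values.cosignKeys`, not once per iteration, so with two or more keys the second and later `KeyManagementProvider` objects are appended to the previous document with no separator and the manifest fails to parse on the duplicate `apiVersion`/`kind` keys. Move the `---` to the first line inside the range so every iteration starts a new document; that also removes the dangling separator left behind when `cosignKeys` is empty.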
2 changes: 1 addition & 1 deletion charts/ratify/templates/verifier.yaml
@@ -14,7 +14,7 @@ spec:
parameters:
verificationCertStores:
certs:
{{- if .Values.akvCertConfig.enabled }}
{{- if or .Values.azurekeyvault.enabled .Values.akvCertConfig.enabled }}
- kmprovider-akv
{{- else }}
{{- if .Values.notationCert }}
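Review bot: because the `kmprovider-akv` entry sits in the `if` branch and the inline `notationCert`/`notationCerts` entries in the `else`, enabling `azurekeyvault` (or the deprecated `akvCertConfig`) silently drops any inline Notation certificates from `verificationCertStores.certs` instead of adding the AKV provider alongside them. If that exclusivity is intended, document it in the README next to `azurekeyvault.enabled`; otherwise emit `- kmprovider-akv` and then fall through to the inline entries.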