feat: adds cert-utility. #1870

Open: wants to merge 10 commits into base: main

@ianhundere ianhundere commented Nov 21, 2024

closes #1869

Summary

currently, there is no standard method for creating cert chains for fulcio or tsa. the community has used an assortment of open source scripts/tools, but i thought it would be nice to have a small cloud agnostic go app to create/sign (via awskms, gcpkms, or azurekms) certificates. the smallstep crypto library is fairly comprehensive in its kms/cert capabilities.

@haydentherapper / @bobcallaway gave the go ahead in proceeding w/ this work.

Release Note

  • Adds certificate utility to create and sign certificates via AWS KMS, Google Cloud KMS, or Azure Key Vault.

Documentation

added docs to ./docs folder and updated README.md to point to docs.

@ianhundere ianhundere changed the title from "feat: adds cert templates." to "feat: adds cert-utility." Nov 22, 2024

codecov bot commented Nov 22, 2024

Codecov Report

Attention: Patch coverage is 73.95349% with 112 lines in your changes missing coverage. Please review.

Project coverage is 51.02%. Comparing base (cf238ac) to head (49b38dc).
Report is 253 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| pkg/certmaker/certmaker.go | 62.83% | 64 Missing and 20 partials ⚠️ |
| pkg/certmaker/template.go | 86.76% | 12 Missing and 6 partials ⚠️ |
| cmd/certificate_maker/certificate_maker.go | 85.29% | 8 Missing and 2 partials ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1870      +/-   ##
==========================================
- Coverage   57.93%   51.02%   -6.91%     
==========================================
  Files          50       73      +23     
  Lines        3119     5634    +2515     
==========================================
+ Hits         1807     2875    +1068     
- Misses       1154     2497    +1343     
- Partials      158      262     +104     

@ianhundere ianhundere force-pushed the feat/adds-cert-maker branch 5 times, most recently from 2fbc59f to aa6d7aa Compare November 25, 2024 20:03
@ianhundere ianhundere marked this pull request as ready for review November 25, 2024 20:18
@ianhundere ianhundere force-pushed the feat/adds-cert-maker branch 16 times, most recently from 61d9f68 to 8193f47 Compare December 1, 2024 06:39

ianhundere commented Dec 1, 2024

i think this is ready for 👀 now. just a couple of notes.

  1. the following use-cases are now covered:
     • root ca -> leaf
     • root ca -> intermediate ca -> leaf
  2. the following kms providers are working:
     • awskms
     • azurekms
     • gcpkms
  3. hashivault was added, but has not been tested.

i think that about covers it, i have some basic readme/documentation above as well.

cc @haydentherapper
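
The two chain shapes listed in the comment above (root ca -> leaf, and root ca -> intermediate ca -> leaf), as an added example that is not code from this PR: it uses Go's standard `crypto/x509` rather than the smallstep library, and locally generated ECDSA keys stand in for KMS-held keys on the assumption that a KMS client exposes its key as a `crypto.Signer`. All names, serials and key usages are constructed for illustration.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on setup errors to keep the example short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs a cert for a fresh local key (constructed stand-in for a KMS key); nil parent = self-signed root.
func issue(cn string, serial int64, ku x509.KeyUsage, parent *x509.Certificate, parentKey crypto.Signer) (*x509.Certificate, crypto.Signer) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0, KeyUsage: ku}
	if parent == nil {
		parent, parentKey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, key.Public(), parentKey))
	return must(x509.ParseCertificate(der)), key
}

// VerifiedChains builds root -> [intermediate ->] leaf and verifies the leaf with only the root trusted.
func VerifiedChains(withIntermediate bool) ([][]*x509.Certificate, error) {
	root, rootKey := issue("example root", 1, x509.KeyUsageCertSign, nil, nil)
	issuer, issuerKey, roots, inters := root, rootKey, x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	if withIntermediate {
		issuer, issuerKey = issue("example intermediate", 2, x509.KeyUsageCertSign, root, rootKey)
		inters.AddCert(issuer)
	}
	leaf, _ := issue("example leaf", 3, x509.KeyUsageDigitalSignature, issuer, issuerKey)
	return leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}) // leaf carries no EKU in this example
}

func main() { fmt.Println("verified chain length:", len(must(VerifiedChains(true))[0])) }
```

Only the root is placed in the trust pool; the intermediate is supplied as an untrusted intermediate, so verification succeeds only if each signature in the chain links back to the root.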

@haydentherapper (Contributor)

Thanks @ianhundere, I’ll take a look at this later this week.

@ianhundere ianhundere force-pushed the feat/adds-cert-maker branch 2 times, most recently from 563de59 to 78b06b6 Compare December 4, 2024 09:14
@ianhundere (Author)

another nudge for 👀 / thanks y'all

cc @haydentherapper / @bobcallaway

@ianhundere ianhundere force-pushed the feat/adds-cert-maker branch from 867602c to 3750843 Compare January 8, 2025 18:58
Signed-off-by: ianhundere <138915+ianhundere@users.noreply.github.com>
…ignore.

…ore consistent w/ tsa cert-utility.

…escriptive.

… consistent w/ flags.

…e flag to gcp-credentials-file.

@ianhundere ianhundere force-pushed the feat/adds-cert-maker branch 3 times, most recently from 1d6232a to c4290e9 Compare January 14, 2025 00:59
@ianhundere ianhundere force-pushed the feat/adds-cert-maker branch from c4290e9 to dcb821d Compare January 14, 2025 01:07
Successfully merging this pull request may close these issues.

light tool to create/sign (via kms) certs (ca, leaf etc)