fulcio: Added support for specifying AWS settings.

Prior to this commit, the chart did not provide a way to supply AWS credentials for AWS KMS. This commit adds support for AWS KMS by allowing users to supply an AWS region ID and IAM credentials. AWS KMS users must specify the "cloudPlatform" parameter with a value of "aws" and specify "certificateAuthority" as "kmsca". The chart will then look for a kubernetes secret named by the "awsCredentialsSecret" parameter. The AWS region ID can be supplied using the newly-added "awsRegion" parameter. Signed-off-by: Stephen Fox <sfoxjr@equinix.com>
sigstore · Sep 6, 2024 · 408e947 · 408e947
1 parent 6136454
commit 408e947
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 4 deletions.
diff --git a/charts/fulcio/Chart.yaml b/charts/fulcio/Chart.yaml
@@ -5,7 +5,7 @@ description: |
 
 type: application
 
-version: 2.5.4
+version: 2.6.0
 appVersion: 1.6.4
 
 keywords:

diff --git a/charts/fulcio/README.md b/charts/fulcio/README.md
@@ -2,7 +2,7 @@
 
 <!-- This README.md is generated. Please edit README.md.gotmpl -->
 
-![Version: 2.5.4](https://img.shields.io/badge/Version-2.5.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square)
+![Version: 2.6.0](https://img.shields.io/badge/Version-2.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square)
 
 Fulcio is a free code signing Certificate Authority, built to make short-lived certificates available to anyone.
 
@@ -121,6 +121,8 @@ helm uninstall [RELEASE_NAME]
 | server.args.grpcPort | int | `5554` |  |
 | server.args.hsm_caroot_id | string | `nil` |  |
 | server.args.port | int | `5555` |  |
+| server.awsKmsCredentialsSecretName | string | `"aws-kms-credentials"` | ubernetes secret name containing IAM credentials for use with AWS KMS |
+| server.awsKmsRegion | string | `"us-east-1"` | AWS region if using AWS KMS for signing key |
 | server.grpcSvcPort | int | `5554` |  |
 | server.image.pullPolicy | string | `"IfNotPresent"` |  |
 | server.image.registry | string | `"gcr.io"` |  |
@@ -156,6 +158,7 @@ helm uninstall [RELEASE_NAME]
 | server.ingresses[0].name | string | `"gce-ingress"` |  |
 | server.ingresses[0].staticGlobalIP | string | `"lb-ext-ip"` |  |
 | server.ingresses[0].tls | list | `[]` |  |
+| server.kmsType | string | `"none"` | KMS type for signing key (possible values: "" / "none", "aws") |
 | server.logging.production | bool | `false` |  |
 | server.name | string | `"server"` |  |
 | server.nodeSelector | object | `{}` |  |

diff --git a/charts/fulcio/templates/fulcio-deployment.yaml b/charts/fulcio/templates/fulcio-deployment.yaml
@@ -71,14 +71,28 @@ spec:
             {{- range .Values.server.extraArgs }}
             - {{ . | quote }}
             {{- end }}
-          {{- if eq .Values.server.args.certificateAuthority "fileca" }}
           env:
+            {{- if eq .Values.server.args.certificateAuthority "fileca" }}
             - name: PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: {{ .Values.server.secret }}
                   key: password
-          {{- end }}
+            {{- end }}
+            {{- if and (eq .Values.server.args.certificateAuthority "kmsca") (eq .Values.server.kmsType "aws") }}
+            - name: AWS_DEFAULT_REGION
+              value: {{ .Values.server.awsKmsRegion }}
+            - name: AWS_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.server.awsKmsCredentialsSecretName }}
+                  key: accessKeyId
+            - name: AWS_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.server.awsKmsCredentialsSecretName }}
+                  key: secretAccessKey
+            {{- end }}
           livenessProbe:
             failureThreshold: 3
             httpGet:

diff --git a/charts/fulcio/values.schema.json b/charts/fulcio/values.schema.json
@@ -201,6 +201,12 @@
                     },
                     "type": "object"
                 },
+                "awsKmsCredentialsSecretName": {
+                    "type": "string"
+                },
+                "awsKmsRegion": {
+                    "type": "string"
+                },
                 "grpcSvcPort": {
                     "type": "integer"
                 },
@@ -406,6 +412,9 @@
                     },
                     "type": "array"
                 },
+                "kmsType": {
+                    "type": "string"
+                },
                 "logging": {
                     "properties": {
                         "production": {

diff --git a/charts/fulcio/values.yaml b/charts/fulcio/values.yaml
@@ -13,7 +13,13 @@ server:
   name: server
   svcPort: 80
   grpcSvcPort: 5554
+  # -- KMS type for signing key (possible values: "" / "none", "aws")
+  kmsType: none
   secret: fulcio-server-secret
+  # -- kubernetes secret name containing IAM credentials for use with AWS KMS
+  awsKmsCredentialsSecretName: aws-kms-credentials
+  # -- AWS region if using AWS KMS for signing key
+  awsKmsRegion: us-east-1
   logging:
     production: false
   image: