From 408e9472dba7a612659377c96098edfe8a9ce2cd Mon Sep 17 00:00:00 2001
From: Stephen Fox
Date: Thu, 29 Aug 2024 23:22:59 +0000
Subject: [PATCH] fulcio: Added support for specifying AWS settings.

Prior to this commit, the chart did not provide a way to supply AWS credentials for AWS KMS. This commit adds support for AWS KMS by allowing users to supply an AWS region ID and IAM credentials. AWS KMS users must specify the "cloudPlatform" parameter with a value of "aws" and specify "certificateAuthority" as "kmsca". The chart will then look for a kubernetes secret named by the "awsCredentialsSecret" parameter. The AWS region ID can be supplied using the newly-added "awsRegion" parameter.

Signed-off-by: Stephen Fox
---
 charts/fulcio/Chart.yaml | 2 +-
 charts/fulcio/README.md | 5 ++++-
 charts/fulcio/templates/fulcio-deployment.yaml | 18 ++++++++++++++++--
 charts/fulcio/values.schema.json | 9 +++++++++
 charts/fulcio/values.yaml | 6 ++++++
 5 files changed, 36 insertions(+), 4 deletions(-)
diff --git a/charts/fulcio/Chart.yaml b/charts/fulcio/Chart.yaml
index e03fdf96..be9f63a1 100644
--- a/charts/fulcio/Chart.yaml
+++ b/charts/fulcio/Chart.yaml
@@ -5,7 +5,7 @@ description: |
 type: application
-version: 2.5.4
+version: 2.6.0
 appVersion: 1.6.4
 keywords:
diff --git a/charts/fulcio/README.md b/charts/fulcio/README.md
index 65703ada..9034d2bd 100644
--- a/charts/fulcio/README.md
+++ b/charts/fulcio/README.md
@@ -2,7 +2,7 @@
-![Version: 2.5.4](https://img.shields.io/badge/Version-2.5.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square)
+![Version: 2.6.0](https://img.shields.io/badge/Version-2.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square)
 Fulcio is a free code signing Certificate Authority, built to make short-lived certificates available to anyone.
@@ -121,6 +121,8 @@ helm uninstall [RELEASE_NAME]
 | server.args.grpcPort | int | `5554` | |
 | server.args.hsm_caroot_id | string | `nil` | |
 | server.args.port | int | `5555` | |
+| server.awsKmsCredentialsSecretName | string | `"aws-kms-credentials"` | ubernetes secret name containing IAM credentials for use with AWS KMS |
+| server.awsKmsRegion | string | `"us-east-1"` | AWS region if using AWS KMS for signing key |
 | server.grpcSvcPort | int | `5554` | |
 | server.image.pullPolicy | string | `"IfNotPresent"` | |
 | server.image.registry | string | `"gcr.io"` | |
@@ -156,6 +158,7 @@ helm uninstall [RELEASE_NAME]
 | server.ingresses[0].name | string | `"gce-ingress"` | |
 | server.ingresses[0].staticGlobalIP | string | `"lb-ext-ip"` | |
 | server.ingresses[0].tls | list | `[]` | |
+| server.kmsType | string | `"none"` | KMS type for signing key (possible values: "" / "none", "aws") |
 | server.logging.production | bool | `false` | |
 | server.name | string | `"server"` | |
 | server.nodeSelector | object | `{}` | |
diff --git a/charts/fulcio/templates/fulcio-deployment.yaml b/charts/fulcio/templates/fulcio-deployment.yaml
index 7682b38c..1cd83b42 100644
--- a/charts/fulcio/templates/fulcio-deployment.yaml
+++ b/charts/fulcio/templates/fulcio-deployment.yaml
@@ -71,14 +71,28 @@ spec:
 {{- range .Values.server.extraArgs }}
 - {{ . | quote }}
 {{- end }}
- {{- if eq .Values.server.args.certificateAuthority "fileca" }}
 env:
+ {{- if eq .Values.server.args.certificateAuthority "fileca" }}
 - name: PASSWORD
 valueFrom:
 secretKeyRef:
 name: {{ .Values.server.secret }}
 key: password
- {{- end }}
+ {{- end }}
+ {{- if and (eq .Values.server.args.certificateAuthority "kmsca") (eq .Values.server.kmsType "aws") }}
+ - name: AWS_DEFAULT_REGION
+ value: {{ .Values.server.awsKmsRegion }}
+ - name: AWS_ACCESS_KEY_ID
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.server.awsKmsCredentialsSecretName }}
+ key: accessKeyId
+ - name: AWS_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.server.awsKmsCredentialsSecretName }}
+ key: secretAccessKey
+ {{- end }}
 livenessProbe:
 failureThreshold: 3
 httpGet:
diff --git a/charts/fulcio/values.schema.json b/charts/fulcio/values.schema.json
index f2957120..f0900e38 100644
--- a/charts/fulcio/values.schema.json
+++ b/charts/fulcio/values.schema.json
@@ -201,6 +201,12 @@
 },
 "type": "object"
 },
+ "awsKmsCredentialsSecretName": {
+ "type": "string"
+ },
+ "awsKmsRegion": {
+ "type": "string"
+ },
 "grpcSvcPort": {
 "type": "integer"
 },
@@ -406,6 +412,9 @@
 },
 "type": "array"
 },
+ "kmsType": {
+ "type": "string"
+ },
 "logging": {
 "properties": {
 "production": {
diff --git a/charts/fulcio/values.yaml b/charts/fulcio/values.yaml
index b4f8d60a..e3e58c6c 100644
--- a/charts/fulcio/values.yaml
+++ b/charts/fulcio/values.yaml
@@ -13,7 +13,13 @@ server:
 name: server
 svcPort: 80
 grpcSvcPort: 5554
+ # -- KMS type for signing key (possible values: "" / "none", "aws")
+ kmsType: none
 secret: fulcio-server-secret
+ # -- kubernetes secret name containing IAM credentials for use with AWS KMS
+ awsKmsCredentialsSecretName: aws-kms-credentials
+ # -- AWS region if using AWS KMS for signing key
+ awsKmsRegion: us-east-1
 logging:
 production: false
 image:
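Review bot: The new `AWS_DEFAULT_REGION` entry templates its value unquoted, `value: {{ .Values.server.awsKmsRegion }}`, while the rest of this template pipes user-supplied values through `quote`; an empty or odd value would render as a non-string scalar that the API server rejects, so write `value: {{ .Values.server.awsKmsRegion | quote }}`. The two added `secretKeyRef` entries are mandatory, so once `kmsType` is `aws` the pod cannot start unless long-lived IAM access keys are stored in the cluster, which appears to rule out IRSA or EKS Pod Identity setups where the credentials come from the service-account token rather than a secret; consider gating the `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` entries behind a separate flag, or marking the refs `optional: true`, so static keys are the opt-in path rather than the only one. If static keys stay supported, temporary credentials also need an `AWS_SESSION_TOKEN` entry, which the hunk does not plumb through. The enclosing container spec starts and ends outside the hunk.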
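Review bot: `kmsType` is declared as a bare string in the second schema hunk (`@@ -406,6 +412,9 @@`), although the deployment template only acts on the exact value `aws` and the values comment lists `""`, `none` and `aws` as the possible values; a mistyped value such as `AWS` passes schema validation and silently leaves the KMS credentials out of the pod. Pin the accepted values: `"kmsType": { "type": "string", "enum": ["", "none", "aws"] }`. The two string properties in the first hunk (`@@ -201,6 +201,12 @@`) are fine as plain strings, though `awsKmsRegion` could carry `"minLength": 1` so an accidentally blank region is caught at install time rather than at runtime.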
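Review bot: The `# -- kubernetes secret name …` comment on `awsKmsCredentialsSecretName` does not say what the secret must contain, yet the deployment template reads the fixed keys `accessKeyId` and `secretAccessKey` from it, so a user has to read the template to create a secret that works. Suggest extending the comment to `# -- kubernetes secret name containing IAM credentials for use with AWS KMS; the secret must have the keys accessKeyId and secretAccessKey`. The commit message refers to `cloudPlatform`, `awsCredentialsSecret` and `awsRegion`, which are not the values this hunk introduces (`kmsType`, `awsKmsCredentialsSecretName`, `awsKmsRegion`); the message should name the actual keys. Because the secret holds long-lived IAM keys, the comment could also note that a node or pod IAM role is preferred where available and static keys are a fallback.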