Merge pull request #831 from sfox-equinix/aws-kms-support

fulcio: AWS KMS support
sigstore · Sep 10, 2024 · 5178832 · 5178832
2 parents 5e78385 + f94ee9d
commit 5178832
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 4 deletions.
diff --git a/charts/fulcio/Chart.yaml b/charts/fulcio/Chart.yaml
@@ -5,7 +5,7 @@ description: |
 
 type: application
 
-version: 2.5.4
+version: 2.6.0
 appVersion: 1.6.4
 
 keywords:

diff --git a/charts/fulcio/README.md b/charts/fulcio/README.md
@@ -2,7 +2,7 @@
 
 <!-- This README.md is generated. Please edit README.md.gotmpl -->
 
-![Version: 2.5.4](https://img.shields.io/badge/Version-2.5.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square)
+![Version: 2.6.0](https://img.shields.io/badge/Version-2.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.4](https://img.shields.io/badge/AppVersion-1.6.4-informational?style=flat-square)
 
 Fulcio is a free code signing Certificate Authority, built to make short-lived certificates available to anyone.
 
@@ -121,6 +121,8 @@ helm uninstall [RELEASE_NAME]
 | server.args.grpcPort | int | `5554` |  |
 | server.args.hsm_caroot_id | string | `nil` |  |
 | server.args.port | int | `5555` |  |
+| server.awsKmsCredentialsSecretName | string | `"aws-kms-credentials"` | kubernetes secret name containing IAM credentials for use with AWS KMS |
+| server.awsKmsRegion | string | `"us-east-1"` | AWS region if using AWS KMS for signing key |
 | server.grpcSvcPort | int | `5554` |  |
 | server.image.pullPolicy | string | `"IfNotPresent"` |  |
 | server.image.registry | string | `"gcr.io"` |  |
@@ -156,6 +158,7 @@ helm uninstall [RELEASE_NAME]
 | server.ingresses[0].name | string | `"gce-ingress"` |  |
 | server.ingresses[0].staticGlobalIP | string | `"lb-ext-ip"` |  |
 | server.ingresses[0].tls | list | `[]` |  |
+| server.kmsType | string | `"none"` | KMS type for signing key (possible values: "" / "none", "aws") |
 | server.logging.production | bool | `false` |  |
 | server.name | string | `"server"` |  |
 | server.nodeSelector | object | `{}` |  |

diff --git a/charts/fulcio/templates/fulcio-deployment.yaml b/charts/fulcio/templates/fulcio-deployment.yaml
@@ -71,14 +71,28 @@ spec:
             {{- range .Values.server.extraArgs }}
             - {{ . | quote }}
             {{- end }}
-          {{- if eq .Values.server.args.certificateAuthority "fileca" }}
           env:
+            {{- if eq .Values.server.args.certificateAuthority "fileca" }}
             - name: PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: {{ .Values.server.secret }}
                   key: password
-          {{- end }}
+            {{- end }}
+            {{- if and (eq .Values.server.args.certificateAuthority "kmsca") (eq .Values.server.kmsType "aws") }}
+            - name: AWS_DEFAULT_REGION
+              value: {{ .Values.server.awsKmsRegion }}
+            - name: AWS_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.server.awsKmsCredentialsSecretName }}
+                  key: accessKeyId
+            - name: AWS_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.server.awsKmsCredentialsSecretName }}
+                  key: secretAccessKey
+            {{- end }}
           livenessProbe:
             failureThreshold: 3
             httpGet:

diff --git a/charts/fulcio/values.schema.json b/charts/fulcio/values.schema.json
@@ -201,6 +201,12 @@
                     },
                     "type": "object"
                 },
+                "awsKmsCredentialsSecretName": {
+                    "type": "string"
+                },
+                "awsKmsRegion": {
+                    "type": "string"
+                },
                 "grpcSvcPort": {
                     "type": "integer"
                 },
@@ -406,6 +412,9 @@
                     },
                     "type": "array"
                 },
+                "kmsType": {
+                    "type": "string"
+                },
                 "logging": {
                     "properties": {
                         "production": {

diff --git a/charts/fulcio/values.yaml b/charts/fulcio/values.yaml
@@ -13,7 +13,13 @@ server:
   name: server
   svcPort: 80
   grpcSvcPort: 5554
+  # -- KMS type for signing key (possible values: "" / "none", "aws")
+  kmsType: none
   secret: fulcio-server-secret
+  # -- kubernetes secret name containing IAM credentials for use with AWS KMS
+  awsKmsCredentialsSecretName: aws-kms-credentials
+  # -- AWS region if using AWS KMS for signing key
+  awsKmsRegion: us-east-1
   logging:
     production: false
   image: