-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[TEP-0091] enable kms in trusted resources #5965
Conversation
Skipping CI for Draft Pull Request. |
/assign @wlynch |
/assign @bobcatfish |
/assign @jagathprakash |
@Yongxuanzhang: GitHub didn't allow me to assign the following users: jagathprakash. Note that only tektoncd members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
1439573
to
32de059
Compare
32de059
to
f1f160a
Compare
f1f160a
to
a57511f
Compare
/retest |
a57511f
to
80d5a21
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Mostly lgtm!
@@ -26,6 +26,7 @@ import ( | |||
|
|||
"github.com/sigstore/sigstore/pkg/cryptoutils" | |||
"github.com/sigstore/sigstore/pkg/signature" | |||
"github.com/sigstore/sigstore/pkg/signature/kms" | |||
_ "github.com/sigstore/sigstore/pkg/signature/kms/aws" // imported to execute init function to register aws kms |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not a part of this PR, but you probably want to init these in main
, not the package library.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
in main did you mean the controller main?
What's the difference between init in main and in lib?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because of how the init registration works, including it in the library means that everyone who imports the library transitively will also have the same clients initialized. Moving these to main lets them only apply to a single application.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok got it, I will add a todo for this
80d5a21
to
052ff19
Compare
052ff19
to
094c474
Compare
@@ -26,6 +26,7 @@ import ( | |||
|
|||
"github.com/sigstore/sigstore/pkg/cryptoutils" | |||
"github.com/sigstore/sigstore/pkg/signature" | |||
"github.com/sigstore/sigstore/pkg/signature/kms" | |||
_ "github.com/sigstore/sigstore/pkg/signature/kms/aws" // imported to execute init function to register aws kms |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because of how the init registration works, including it in the library means that everyone who imports the library transitively will also have the same clients initialized. Moving these to main lets them only apply to a single application.
094c474
to
01dcc63
Compare
This commit enables kms in trusted resources, before this commit kms field is added to VerificationPolicy and provider libraries are pulled into vendor. This commit adds the function code to use kms when fetching verifiers from VerificationPolicy. Signed-off-by: Yongxuan Zhang yongxuanzhang@google.com
01dcc63
to
80fe495
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: wlynch The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest |
Changes
This commit enables kms in trusted resources, before this commit kms field is added to VerificationPolicy and provider libraries are pulled into vendor. This commit adds the function code to use kms when fetching verifiers from VerificationPolicy.
/kind feature
Signed-off-by: Yongxuan Zhang yongxuanzhang@google.com
Submitter Checklist
As the author of this PR, please check off the items in this checklist:
functionality, content, code)
/kind <type>
. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tepRelease Notes