Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[TEP-0091] enable kms in trusted resources #5965

Merged
merged 1 commit into from
Jan 10, 2023
Merged

[TEP-0091] enable kms in trusted resources #5965

merged 1 commit into from
Jan 10, 2023

Conversation

Yongxuanzhang
Copy link
Member

@Yongxuanzhang Yongxuanzhang commented Jan 6, 2023
edited
Loading

Changes

This commit enables kms in trusted resources, before this commit kms field is added to VerificationPolicy and provider libraries are pulled into vendor. This commit adds the function code to use kms when fetching verifiers from VerificationPolicy.

/kind feature

Signed-off-by: Yongxuan Zhang yongxuanzhang@google.com

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

  • Has Docs included if any changes are user facing
  • Has Tests included if any functionality added or changed
  • Follows the commit message standard
  • Meets the Tekton contributor standards (including
    functionality, content, code)
  • Has a kind label. You can add one by adding a comment on this PR that contains /kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tep
  • Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings)
  • Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

enable KMS in VerificationPolicy for trusted resources

@tekton-robot
Copy link
Collaborator

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@tekton-robot tekton-robot added release-note-none Denotes a PR that doesnt merit a release note. kind/feature Categorizes issue or PR as related to a new feature. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jan 6, 2023
@Yongxuanzhang Yongxuanzhang mentioned this pull request Jan 6, 2023
Closed
15 tasks
@tekton-robot tekton-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-none Denotes a PR that doesnt merit a release note. labels Jan 6, 2023
@Yongxuanzhang Yongxuanzhang marked this pull request as ready for review January 6, 2023 17:47
@tekton-robot tekton-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 6, 2023
@Yongxuanzhang
Copy link
Member Author

/assign @wlynch

@Yongxuanzhang
Copy link
Member Author

/assign @bobcatfish

@Yongxuanzhang
Copy link
Member Author

/assign @jagathprakash

@tekton-robot
Copy link
Collaborator

@Yongxuanzhang: GitHub didn't allow me to assign the following users: jagathprakash.

Note that only tektoncd members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide

In response to this:

/assign @jagathprakash

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

jagathprakash
jagathprakash reviewed Jan 6, 2023
View reviewed changes
docs/trusted-resources.md Outdated Show resolved Hide resolved
docs/trusted-resources.md Outdated Show resolved Hide resolved
pkg/trustedresources/verifier/verifier.go Outdated Show resolved Hide resolved
@Yongxuanzhang Yongxuanzhang requested review from jagathprakash and removed request for wlynch, dibyom and lbernick January 6, 2023 19:03
@Yongxuanzhang
Copy link
Member Author

/retest

wlynch
wlynch requested changes Jan 9, 2023
View reviewed changes
Copy link
Member

@wlynch wlynch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mostly lgtm!

pkg/trustedresources/verifier/verifier.go Outdated Show resolved Hide resolved
pkg/trustedresources/verifier/verifier.go
@@ -26,6 +26,7 @@ import (

"github.com/sigstore/sigstore/pkg/cryptoutils"
"github.com/sigstore/sigstore/pkg/signature"
"github.com/sigstore/sigstore/pkg/signature/kms"
_ "github.com/sigstore/sigstore/pkg/signature/kms/aws" // imported to execute init function to register aws kms
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not a part of this PR, but you probably want to init these in main, not the package library.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in main did you mean the controller main?
What's the difference between init in main and in lib?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because of how the init registration works, including it in the library means that everyone who imports the library transitively will also have the same clients initialized. Moving these to main lets them only apply to a single application.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok got it, I will add a todo for this

pkg/trustedresources/verifier/verifier.go Outdated Show resolved Hide resolved
@Yongxuanzhang Yongxuanzhang requested review from wlynch and removed request for jagathprakash January 9, 2023 18:25
wlynch
wlynch reviewed Jan 9, 2023
View reviewed changes
pkg/trustedresources/verifier/verifier.go
@@ -26,6 +26,7 @@ import (

"github.com/sigstore/sigstore/pkg/cryptoutils"
"github.com/sigstore/sigstore/pkg/signature"
"github.com/sigstore/sigstore/pkg/signature/kms"
_ "github.com/sigstore/sigstore/pkg/signature/kms/aws" // imported to execute init function to register aws kms
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because of how the init registration works, including it in the library means that everyone who imports the library transitively will also have the same clients initialized. Moving these to main lets them only apply to a single application.

pkg/trustedresources/verifier/errors.go Outdated Show resolved Hide resolved
@Yongxuanzhang Yongxuanzhang mentioned this pull request Jan 9, 2023
Closed
@Yongxuanzhang
[TEP-0091] enable kms in trusted resources
80fe495 
This commit enables kms in trusted resources, before this commit kms
field is added to VerificationPolicy and provider libraries are pulled
into vendor. This commit adds the function code to use kms when fetching
verifiers from VerificationPolicy.

Signed-off-by: Yongxuan Zhang yongxuanzhang@google.com
wlynch
wlynch approved these changes Jan 9, 2023
View reviewed changes
Copy link
Member

@wlynch wlynch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Jan 9, 2023
@tekton-robot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wlynch

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 9, 2023
@Yongxuanzhang
Copy link
Member Author

/retest

@tekton-robot tekton-robot merged commit bab2fbc into tektoncd:main Jan 10, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jagathprakash jagathprakash jagathprakash left review comments

@wlynch wlynch wlynch approved these changes

Assignees

@bobcatfish bobcatfish

@wlynch wlynch

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/feature Categorizes issue or PR as related to a new feature. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@Yongxuanzhang @tekton-robot @wlynch @jagathprakash @bobcatfish