Move configuration to yaml format (#1720)

Migrate the configuration file from json to yaml Also removes the fulcio-config.yaml file that isn't used Concentrate the issuers and meta-issuers in a single file that can be found at config/identity/config.yaml Also removes the https://auth-staging.eclipse.org/realms/sigstore from the list of issuers, as it is unavailable. Removes the federation script as it has not been used, and switches over to a test that's run to check validity of the configuration. Ref #1111 Signed-off-by: Javan lacerda <javanlacerda@google.com>
sigstore · Jul 15, 2024 · b879601 · b879601
1 parent bdc2230
commit b879601
Show file tree

Hide file tree

Showing 13 changed files with 223 additions and 318 deletions.
diff --git a/.github/workflows/verify-k8s.yml b/.github/workflows/verify-k8s.yml
@@ -52,12 +52,11 @@ jobs:
 
         include:
         - issuer: "OIDC Issuer"
-          issuer-config: |
-            "OIDCIssuers": {"https://kubernetes.default.svc": {"IssuerURL": "https://kubernetes.default.svc","ClientID": "sigstore","Type": "kubernetes"}}
+          issuer-config:
+            "oidc-issuers:\n      https://kubernetes.default.svc:\n        issuer-url: \"https://kubernetes.default.svc\"\n        client-id: \"sigstore\"\n        type: \"kubernetes\""
         - issuer: "Meta Issuer"
-          issuer-config: |
-            "MetaIssuers": {"https://kubernetes.*.svc": {"ClientID": "sigstore","Type": "kubernetes"}}
-
+          issuer-config:
+            "meta-issuers:\n      https://kubernetes.*.svc: \n        client-id: \"sigstore\"\n        type: \"kubernetes\""
     env:
       # https://github.com/google/go-containerregistry/pull/125 allows insecure registry for
       # '*.local' hostnames. This works both for `ko` and our own tag-to-digest resolution logic,
@@ -124,10 +123,8 @@ jobs:
             name: fulcio-config
             namespace: fulcio-system
           data:
-            config.json: |-
-              {
-                ${{ matrix.issuer-config }}
-              }
+            config.yaml: |-
+              ${{ matrix.issuer-config }}
             server.yaml: |-
               host: 0.0.0.0
               port: 5555
@@ -139,7 +136,6 @@ jobs:
               ct-log-url: ""
               log_type: prod
           EOF
-
           # Create secret needed to use fileca
           cat <<EOF > config/fulcio-secret.yaml
           apiVersion: v1

diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
@@ -91,5 +91,4 @@ jobs:
       - name: check-config
         run: |
           set -e
-          go run federation/main.go
-          git diff --exit-code
+          go test -timeout 30s -run ^TestLoadFulcioConfig$ github.com/sigstore/fulcio/pkg/config
diff --git a/cmd/app/serve.go b/cmd/app/serve.go
@@ -87,7 +87,7 @@ func newServeCmd() *cobra.Command {
 	cmd.Flags().String("hsm-caroot-id", "", "HSM ID for Root CA (only used with --ca pkcs11ca)")
 	cmd.Flags().String("ct-log-url", "http://localhost:6962/test", "host and path (with log prefix at the end) to the ct log")
 	cmd.Flags().String("ct-log-public-key-path", "", "Path to a PEM-encoded public key of the CT log, used to verify SCTs")
-	cmd.Flags().String("config-path", "/etc/fulcio-config/config.json", "path to fulcio config json")
+	cmd.Flags().String("config-path", "/etc/fulcio-config/config.yaml", "path to fulcio config yaml")
 	cmd.Flags().String("pkcs11-config-path", "config/crypto11.conf", "path to fulcio pkcs11 config file")
 	cmd.Flags().String("fileca-cert", "", "Path to CA certificate")
 	cmd.Flags().String("fileca-key", "", "Path to CA encrypted private key")

diff --git a/config/config.jsn b/config/config.jsn
diff --git a/config/fulcio-config.yaml b/config/fulcio-config.yaml
diff --git a/config/identity/config.yaml b/config/identity/config.yaml
@@ -0,0 +1,81 @@
+# Copyright 2024 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+oidc-issuers:
+  https://accounts.google.com:
+    issuer-url: https://accounts.google.com
+    client-id: sigstore
+    type: email
+  https://agent.buildkite.com:
+    issuer-url: https://agent.buildkite.com
+    client-id: sigstore
+    type: buildkite-job
+  https://allow.pub:
+    issuer-url: https://allow.pub
+    client-id: sigstore
+    type: spiffe
+    spiffe-trust-domain: allow.pub
+  https://auth.eclipse.org/auth/realms/sigstore:
+    issuer-url: https://auth.eclipse.org/auth/realms/sigstore
+    client-id: sigstore
+    type: email
+  https://dev.gitlab.org:
+    issuer-url: https://dev.gitlab.org
+    client-id: sigstore
+    type: gitlab-pipeline
+  https://gitlab.archlinux.org:
+    issuer-url: https://gitlab.archlinux.org
+    client-id: sigstore
+    type: gitlab-pipeline
+  https://gitlab.com:
+    issuer-url: https://gitlab.com
+    client-id: sigstore
+    type: gitlab-pipeline
+  https://issuer.enforce.dev:
+    issuer-url: https://issuer.enforce.dev
+    client-id: sigstore
+    type: chainguard-identity
+  https://oauth2.sigstore.dev/auth:
+    issuer-url: https://oauth2.sigstore.dev/auth
+    client-id: sigstore
+    type: email
+    issuer-claim: $.federated_claims.connector_id
+  https://oidc.codefresh.io:
+    issuer-url: https://oidc.codefresh.io
+    client-id: sigstore
+    type: codefresh-workflow
+  https://ops.gitlab.net:
+    issuer-url: https://ops.gitlab.net
+    client-id: sigstore
+    type: gitlab-pipeline
+  https://token.actions.githubusercontent.com:
+    issuer-url: https://token.actions.githubusercontent.com
+    client-id: sigstore
+    type: github-workflow
+meta-issuers:
+  https://*.oic.prod-aks.azure.com/*:
+    client-id: sigstore
+    type: kubernetes
+  https://container.googleapis.com/v1/projects/*/locations/*/clusters/*:
+    client-id: sigstore
+    type: kubernetes
+  https://oidc.eks.*.amazonaws.com/id/*:
+    client-id: sigstore
+    type: kubernetes
+  https://oidc.prod-aks.azure.com/*:
+    client-id: sigstore
+    type: kubernetes
+  https://token.actions.githubusercontent.com/*:
+    client-id: sigstore
+    type: github-workflow
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -37,7 +37,7 @@ services:
       - "${FULCIO_METRICS_PORT:-2112}:2112"
     volumes:
       - ~/.config/gcloud:/root/.config/gcloud/:z # for GCP authentication
-      - ${FULCIO_CONFIG:-./config/config.jsn}:/etc/fulcio-config/config.json:z
+      - ${FULCIO_CONFIG:-./config/identity/config.yaml}:/etc/fulcio-config/config.yaml:z
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:5555/healthz"]
       interval: 10s

diff --git a/docs/oidc.md b/docs/oidc.md
@@ -10,9 +10,7 @@ Sigstore runs a federated OIDC identity provider, Dex. Users authenticate to the
 
 To add a new OIDC issuer:
 
-* Add a file under the [`federation` folder](https://github.com/sigstore/fulcio/tree/main/federation) with the URL, new issuer type name, and contact ([example](https://github.com/sigstore/fulcio/blob/8975dfd/federation/agent.buildkite.com/config.yaml))
-* Add the new issuer to the [configuration](https://github.com/sigstore/fulcio/blob/main/config/fulcio-config.yaml) by running `go run federation/main.go`
-* Add the new issuer to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/buildkite)). You will define an `Issuer` type and a way to map the token to the certificate extensions.
+* Add the new issuer to the [configuration](https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml) and to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/buildkite)). You will define an `Issuer` type and a way to map the token to the certificate extensions.
 * Define a constant with the issuer type name in the [configuration](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L213-L221), add update the [tests](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config_test.go#L473-L503)
 * Map the issuer type to the token claim that will be signed over when requesting a token [here](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L464-L486). You can likely just use `sub`.
 * Add a case statement to map the issuer constant to the issuer type you created [here](https://github.com/sigstore/fulcio/blob/4d9d96a/pkg/server/issuer_pool.go#L40-L62)