Additional verification methods #9

Closed
simongottschlag opened this issue Jan 15, 2022 · 5 comments
Labels
enhancement New feature or request

Comments

@simongottschlag

Description

Hi again! Thanks for the really awesome job you are doing!

I'm looking into using this together with Azure Key Vault and Azure Container Registry. In my case, each namespace will have a separate key in Key Vault and the identity used by the provider will have verify access to each key.

My idea is to add some config parameters to the provider to be able to configure how the verification is done and configured, but before starting anything I'd like to understand what plans you already have to make sure I align with them in the best possible way.

Would you like some kind of formal proposal from me or something like that? Or maybe you don't want to provide those kinds of features with the provider and only use it as an example?

Keep up the great work! 🚀👍🥇

@simongottschlag simongottschlag added the enhancement New feature or request label Jan 15, 2022
@ribbybibby

Hi @simongottschlag, we're also interested in configuring different verification options.

We've been working on it in #6. I'd love to hear your input and if what we've discussed there would meet your use case.

@simongottschlag
Author

@ribbybibby I've gone through the PR and done some testing on my own. I'm trying to get MSI authentication to work with both Azure KMS and Azure Container Registry. The first one is working (if using main branch of sigstore) but I'm having issues with authentication using go-containerregistry with Azure and need to get it working before I'm able to see how it all fits in.

One thing I think we will need to add is to be able to specify the key as an annotation for a POD, to be able to look it up in the cosign provider. But I will get back to that when I've successfully gotten ACR auth to work.

@simongottschlag
Author

@ribbybibby I've successfully gotten Azure KMS and Azure CR to work with MSI auth, but I had to hack around in multiple projects and probably spent 8h total to understand different parts of the tool chain.

I will think about this for a few days and organize the different PRs to the different libraries from here.

It's a lot of fun, but since I'm doing it in my free time it's going to be hard to give any specifics when I'm able to spend time on it.

I'll keep you updated!

@simongottschlag
Author

As a reference to the authentication issues: sigstore/cosign#1350

@simongottschlag
Author

Closing this for now and will get back to it when the current PRs are merged if needed.
