Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support loading a key from HashiCorp Vault in admin cli #608

Draft
wants to merge 4 commits into
base: main
Choose a base branch
from
Draft

Support loading a key from HashiCorp Vault in admin cli #608

wants to merge 4 commits into from

Conversation

lukpueh
Copy link
Collaborator

@lukpueh lukpueh commented Jun 4, 2024

Changes key loading helpers used by admin ceremony and metadata update commands to provide an option to the user to load a public key from HashiCorp Vault into TUF metadata.

TODO:

  • update to securesystemslib 1.0.0 to use VaultSigner (this will require a major sweep through the code base)
  • adopt change in existing metadata update and sign tests (currently, only helper tests are updated)
  • add new tests
  • re-think "ambient" config needed by HashiCorp client. options are:
    1. tell user to provide config out-of-band, e.g. via rc file, env vars, etc. as expected by securesystemslib
    2. prompt user for config, and re-export in a form supported by securesystemslib

tuf-on-ci does the former (see "Prepare your local environment" in its docs/ONLINE-SIGNING-SETUP.md (cc @jku, who might be willing to share some wisdom )

@lukpueh
Change _load_key_from_file_prompt return value
3e2a4ae 
In preparation for supporting multiple online key types, this helper
is changed to return the key and a uri to access the corresponding
signer.

Since the helper is still used for online and offline key configuration,
via a common intermediary helper `_load_key_prompt`, the returned uri is
not yet used.

Signed-off-by: Lukas Puehringer <[email protected]>
@lukpueh
Add helper to load key from HashiCorp Vault
e33e4a2 
Prompts for key name in vault and return uri and key.

Signed-off-by: Lukas Puehringer <[email protected]>
@lukpueh
Create separate online and offline load key helpers
8fdf7a9 
Rename _load_key_prompt to _load_offline_key_prompt. This stays the
same and currently only supports loading a key from file.

Add new _load_online_key_prompt to load key from either file, or
hashicorp vault.

Change _configure_online_key_prompt to use _load_online_key_prompt,
which return the key already with the uri included.

Signed-off-by: Lukas Puehringer <[email protected]>
@lukpueh
Adopt load online key changes in helper tests
5baaad2 
Signed-off-by: Lukas Puehringer <[email protected]>
@jku
Copy link

jku commented Jun 5, 2024

tuf-on-ci does the former (see "Prepare your local environment" in its docs/ONLINE-SIGNING-SETUP.md (cc @jku, who might be willing to share some wisdom )

I'm still not sure if that was the best idea:

  • on one hand once the KMS access is setup it works really smoothly, is not much code in the signing tool itself, and is very reliable (less chance for copy-pasting mistakes)
  • on the other hand getting the KMS permissions and authenticating can be a hassle for the user: maybe copy pasting data from the KMS web UI would be overall easier for user?

@lukpueh lukpueh mentioned this pull request Jul 15, 2024
Open
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@lukpueh @jku