feat: adds cert-utility templates and documentation. #889

Merged: 20 commits, Feb 3, 2025

@ianhundere ianhundere commented Nov 21, 2024

closes #886, closes sigstore/fulcio#1930

Summary

currently, there is no standard method for creating cert chains for fulcio or tsa. the community has used an assortment of open source scripts/tools, but i thought it would be nice to have a small cloud agnostic go app to create/sign (via awskms, gcpkms, or azurekms) certificates. the smallstep crypto library is fairly comprehensive in its kms/cert capabilities.

@haydentherapper / @bobcallaway gave the go ahead in proceeding w/ this work.

Release Note

  • Adds certificate utility to create and sign certificates via AWS KMS, Google Cloud KMS, or Azure Key Vault.

Documentation

added docs to ./docs folder and updated README.md to point to docs.

@ianhundere ianhundere changed the title feat: adds cert templates. feat: adds cert-utility. Nov 22, 2024
@ianhundere ianhundere force-pushed the feat/adds-cert-maker branch 4 times, most recently from 970c9cd to cfdf4ea Compare November 25, 2024 20:03
@ianhundere ianhundere marked this pull request as ready for review November 25, 2024 20:14
@ianhundere ianhundere requested a review from a team as a code owner November 25, 2024 20:14
@ianhundere ianhundere force-pushed the feat/adds-cert-maker branch 16 times, most recently from 159ac3f to de035f7 Compare December 1, 2024 06:39
ianhundere commented Dec 1, 2024

i think this is ready for 👀 now. just a couple of notes.

  1. the following use-cases are now covered:
     • root ca -> leaf
     • root ca -> intermediate ca -> leaf
  2. the following kms providers are working:
     • awskms
     • azurekms
     • gcpkms
  3. hashivault was added, but has not been tested.

i think that about covers it, i have some basic readme/documentation above as well.

cc @haydentherapper
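
The two chain shapes listed in the comment above (root ca -> leaf and root ca -> intermediate ca -> leaf), built and verified with Go's standard library. This is an added example, not code from this pull request. Assumptions: in-memory ECDSA keys stand in for KMS-backed signers, and the subject names, serial numbers, validity period and code-signing usage are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue signs a cert for cn; a nil parent means a self-signed root. signer is any
// crypto.Signer: in-memory keys here (assumption), a KMS-backed signer in practice.
func issue(cn string, serial int64, ca bool, pub crypto.PublicKey, parent *x509.Certificate, signer crypto.Signer) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageCertSign}
	if !ca { // leaf: may sign artifacts, may not sign certificates
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	if parent == nil {
		parent = t
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))))
}
// verifyChain builds root -> [intermediate ->] leaf; ship hands the verifier the issuing CA.
func verifyChain(withIntermediate, ship bool) ([][]*x509.Certificate, error) {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, caKey, roots, inter := newKey(), newKey(), x509.NewCertPool(), x509.NewCertPool()
	issuer, issuerKey := issue("constructed-root", 1, true, rootKey.Public(), nil, rootKey), rootKey
	roots.AddCert(issuer) // the issuer starts out as the root; only the root is a trust anchor
	if withIntermediate { // the right-hand side still sees the root as parent and signer
		issuer, issuerKey = issue("constructed-intermediate", 2, true, caKey.Public(), issuer, issuerKey), caKey
	}
	if ship {
		inter.AddCert(issuer)
	}
	leaf := issue("constructed-leaf", 3, false, newKey().Public(), issuer, issuerKey)
	return leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
}
func main() { fmt.Println(len(must(verifyChain(true, true))[0])) }
```

`verifyChain(true, false)` returns an error because the verifier cannot link the leaf to the root without the intermediate. Go's verifier assumes the server-auth usage when `KeyUsages` is empty, which is why the code-signing usage is requested explicitly.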

@ianhundere ianhundere force-pushed the feat/adds-cert-maker branch from de035f7 to fcee964 Compare December 1, 2024 14:01
codecov bot commented Dec 4, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 44.73%. Comparing base (6fd19b0) to head (a96f1ed).
Report is 282 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #889      +/-   ##
==========================================
- Coverage   52.85%   44.73%   -8.12%     
==========================================
  Files          20       55      +35     
  Lines        1209     3657    +2448     
==========================================
+ Hits          639     1636     +997     
- Misses        509     1881    +1372     
- Partials       61      140      +79     


@ianhundere ianhundere force-pushed the feat/adds-cert-maker branch 3 times, most recently from dfa131c to 02345bb Compare December 4, 2024 14:47
@ianhundere ianhundere changed the title feat: adds cert-utility. feat: adds cert-utility templates and documentation. Jan 25, 2025
Signed-off-by: ianhundere <[email protected]>
…e flag to gcp-credentials-file.

Signed-off-by: ianhundere <[email protected]>
Signed-off-by: ianhundere <[email protected]>
@ianhundere ianhundere force-pushed the feat/adds-cert-maker branch from 5d442d2 to 42f065c Compare January 28, 2025 19:26
@ianhundere ianhundere force-pushed the feat/adds-cert-maker branch from 7a67fae to 2282744 Compare January 30, 2025 12:30
@ianhundere
Contributor Author

this is ready for 👀

cc @haydentherapper

@haydentherapper haydentherapper left a comment

Thanks, just a few minor comments!

go.mod (outdated, resolved)
.gitignore (outdated, resolved)
Signed-off-by: ianhundere <[email protected]>
Signed-off-by: ianhundere <[email protected]>
@ianhundere
Contributor Author

> Thanks, just a few minor comments!

done and done / thanks for the 👀.

@haydentherapper haydentherapper enabled auto-merge (squash) February 3, 2025 20:50
@haydentherapper haydentherapper merged commit 40f1f8f into sigstore:main Feb 3, 2025
8 checks passed
Successfully merging this pull request may close these issues.

  • make leaf optional in certificate-maker
  • light tool to create/sign (via kms) certs (ca, leaf etc)