OpenShift Request For Enhancement: RFE-4539

Pipelines/Vault and Cosign Integration


    • Feature Request
    • Resolution: Unresolved
    • Normal
    • Pipelines
    • Engineering
    • x86_64

      1. Proposed title of this feature request

      Pipelines/Vault and Cosign integration

      2. What is the nature and description of the request?

      Red Hat:

      Hi Bradley and Shawn,

      Just in preparation for Monday - Koustav had some thoughts on how we might be able to help. Just sharing this in advance so we can discuss it on Monday.

      From our understanding, it looks like the issue is that you can't have the annotations set somewhere on the Tekton Chains configs and have them passed to the pod that needs to have the Vault agent annotations on it.

      These annotations (https://developer.hashicorp.com/vault/docs/platform/k8s/injector/examples#patching-existing-pods) should reach the pod where cosign is running. Currently, we cannot set annotations in the Tekton Chains controller's config; any changes made to any controller's pods/deployments/etc. will be rolled back by the operator. So if we allow that, it might solve the issue?

      Citi:

      We've confirmed with HashiCorp that their current annotations via the Vault Agent Injector will not allow us to put the Vault token in /home/nonroot/.vault-token as is required for chains/cosign/sigstore to do artifact signing. The annotations get part of the way there, but not all the way there. Instead, we have needed to put more detailed Vault agent configuration in ConfigMaps and then run an init and sidecar container to get the Vault token in the location cosign expects. The sigstore library that creates the client used to interact with Vault only looks in two locations for the Vault token. It first looks in the VAULT_TOKEN environment variable and then falls back to looking in /home/nonroot/.vault-token: https://github.com/sigstore/sigstore/blob/main/pkg/signature/kms/hashivault/client.go#L114-L131

      Also, we need a way to get the environment variable MONGO_SERVER_URL set with a secret coming from Vault. Long term, I believe we would like to use the Secrets Store CSI Driver for this, but that is not currently deployed in our environments. Lacking that, we currently have Vault write the secret to a file and then modify the chains controller deployment to source that file before starting chains.
      https://tekton.dev/docs/chains/config/#mongodb

      I hope this detail provides a bit more clarity on our current situation.
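The two-step token lookup described in the Citi message above (VAULT_TOKEN first, then a token file in the nonroot home directory) is what any init/sidecar workaround has to satisfy before cosign can sign. The following Go program is an added example, not part of the RFE and not sigstore's or Tekton Chains' own code: it models that lookup order and adds a preflight check that the token file written into the pod is not group- or world-readable. The constant `defaultTokenPath`, the injected `env` function and the names `resolveVaultToken`, `checkTokenFilePerms` and `preflight` are this example's own assumptions; the sample token values are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// defaultTokenPath is the fallback location named in the RFE text. The real
// sigstore client derives its path from the home directory; this constant is
// an assumption for the example, not sigstore's own code.
const defaultTokenPath = "/home/nonroot/.vault-token"

// resolveVaultToken reproduces the two-step lookup described above: the
// VAULT_TOKEN environment variable first, then the token file. env is injected
// so the lookup can be exercised without touching the real process
// environment. It returns the token and the source that supplied it.
func resolveVaultToken(env func(string) string, tokenPath string) (token, source string, err error) {
	if v := strings.TrimSpace(env("VAULT_TOKEN")); v != "" {
		return v, "env:VAULT_TOKEN", nil
	}
	b, rerr := os.ReadFile(tokenPath)
	if rerr != nil {
		return "", "", fmt.Errorf("VAULT_TOKEN unset and %s unreadable: %w", tokenPath, rerr)
	}
	t := strings.TrimSpace(string(b))
	if t == "" {
		return "", "", fmt.Errorf("token file %s is empty", tokenPath)
	}
	return t, "file:" + tokenPath, nil
}

// checkTokenFilePerms is a preflight for the init/sidecar workaround: a token
// written into a shared pod volume must not be readable by group or others.
func checkTokenFilePerms(tokenPath string) error {
	fi, err := os.Stat(tokenPath)
	if err != nil {
		return err
	}
	if !fi.Mode().IsRegular() {
		return errors.New("token path is not a regular file")
	}
	if fi.Mode().Perm()&0o077 != 0 {
		return fmt.Errorf("token file %s has mode %04o; expected 0600 or stricter", tokenPath, fi.Mode().Perm())
	}
	return nil
}

// preflight combines both checks into the single yes/no a signing step would
// gate on: is a usable token present where cosign will look for it? The
// permission check only applies when the token came from the file.
func preflight(env func(string) string, tokenPath string) (source string, err error) {
	_, source, err = resolveVaultToken(env, tokenPath)
	if err != nil {
		return "", err
	}
	if strings.HasPrefix(source, "file:") {
		if perr := checkTokenFilePerms(tokenPath); perr != nil {
			return source, perr
		}
	}
	return source, nil
}

func main() {
	// Constructed demo: a temporary token file standing in for the path a
	// Vault agent init container would write inside the chains controller pod.
	dir, err := os.MkdirTemp("", "vault-token-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, ".vault-token")
	if err := os.WriteFile(path, []byte("hvs.CONSTRUCTED-EXAMPLE-TOKEN\n"), 0o600); err != nil {
		panic(err)
	}

	noEnv := func(string) string { return "" }
	src, err := preflight(noEnv, path)
	fmt.Println("file only:", src, err)

	withEnv := func(k string) string {
		if k == "VAULT_TOKEN" {
			return "hvs.CONSTRUCTED-ENV-TOKEN"
		}
		return ""
	}
	src, err = preflight(withEnv, defaultTokenPath) // env wins; the file path is never read
	fmt.Println("env set:", src, err)
}
```

Run it inside the signing pod (or as a step before the cosign invocation) to confirm that the sidecar/init workaround actually left a token where the lookup order will find it, and that the file is not exposed to other containers sharing the volume.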

      3. Why does the customer need this? (List the business requirements here)

      Citi is currently not able to leverage OCP Pipelines to its fullest potential due to the blockers outlined above.

      4. List any affected packages or components.

      OCP Pipelines

            rh-ee-ksaha Koustav Saha
            florianmoss Florian Moss