feat(verification): support multiple CAs in helm chart (#1823)

Signed-off-by: Jose I. Paris <[email protected]>

Author: jiparis

deployment/chainloop/Chart.yaml

@@ -7,7 +7,7 @@ description: Chainloop is an open source software supply chain control plane, a
 
 type: application
 # Bump the patch (not minor, not major) version on each change in the Chart Source code
-version: 1.182.0
+version: 1.182.1
 # Do not update appVersion, this is handled automatically by the release process
 appVersion: v0.164.0
 

deployment/chainloop/README.md

@@ -149,13 +149,21 @@ spec:
             - name: jwt-cas-private-key
               mountPath: /secrets
             {{- if and .Values.controlplane.keylessSigning.enabled (eq "fileCA" .Values.controlplane.keylessSigning.backend) }}
+            # deprecated
             - name: file-ca-cert
               mountPath: /ca_secrets
             {{- end }}
             {{- if and .Values.controlplane.keylessSigning.enabled (eq "ejbcaCA" .Values.controlplane.keylessSigning.backend) }}
+            # deprecated
             - name: ejbca-ca-client
               mountPath: /ca_secrets
             {{- end }}
+            {{- if .Values.controlplane.keylessSigning.enabled }}
+            {{- range $index, $backend := .Values.controlplane.keylessSigning.backends }}
+            - name: sign-backend-{{$backend.type}}-{{$index}}
+              mountPath: /sign_secrets_{{$backend.type}}_{{$index}}
+            {{- end }}
+            {{- end }}
             {{- if include "controlplane.tls-secret-name" . }}
             - name: server-certs
               mountPath: /data/server-certs
@@ -198,6 +206,18 @@ spec:
         - name: jwt-cas-private-key
           secret:
             secretName: {{ include "chainloop.controlplane.fullname" . }}-jwt-cas
+        {{- if and .Values.controlplane.keylessSigning.enabled (eq "fileCA" .Values.controlplane.keylessSigning.backend) }}
+        # deprecated
+        - name: file-ca-cert
+          secret:
+            secretName: {{ include "chainloop.controlplane.fullname" . }}-keyless-file-ca
+        {{- end }}
+        {{- if and .Values.controlplane.keylessSigning.enabled (eq "ejbcaCA" .Values.controlplane.keylessSigning.backend) }}
+        # deprecated
+        - name: ejbca-ca-client
+          secret:
+            secretName: {{ include "chainloop.controlplane.fullname" . }}-keyless-ejbca-ca
+        {{- end }}
         {{- if include "controlplane.tls-secret-name" . }}
         - name: server-certs
           secret:
@@ -208,15 +228,12 @@ spec:
           secret:
             secretName: {{ include "chainloop.controlplane.fullname" . }}-gcp-secretmanager-serviceaccountkey
         {{- end }}
-        {{- if and .Values.controlplane.keylessSigning.enabled (eq "fileCA" .Values.controlplane.keylessSigning.backend) }}
-        - name: file-ca-cert
-          secret:
-            secretName: {{ include "chainloop.controlplane.fullname" . }}-keyless-file-ca
+        {{- if and .Values.controlplane.keylessSigning.enabled }}
+        {{- range $index, $backend := .Values.controlplane.keylessSigning.backends }}
+        - name: sign-backend-{{$backend.type}}-{{$index}}
+          secrets:
+            secretName: {{ include "chainloop.controlplane.fullname" $ }}-keyless-{{$backend.type}}-{{$index}}
         {{- end }}
-        {{- if and .Values.controlplane.keylessSigning.enabled (eq "ejbcaCA" .Values.controlplane.keylessSigning.backend) }}
-        - name: ejbca-ca-client
-          secret:
-            secretName: {{ include "chainloop.controlplane.fullname" . }}-keyless-ejbca-ca
         {{- end }}
         {{- if .Values.controlplane.extraVolumes }}
         {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.extraVolumes "context" $) | nindent 8 }}

deployment/chainloop/templates/controlplane/deployment.yaml

@@ -27,6 +27,7 @@ stringData:
     {{- include "chainloop.sentry" .Values.controlplane.sentry | nindent 4 }}
   {{- end }}
   {{- if and .Values.controlplane.keylessSigning.enabled (eq "fileCA" .Values.controlplane.keylessSigning.backend) }}
+  # deprecated
   fileca.secret.yaml: |
     {{- with .Values.controlplane.keylessSigning.fileCA }}
     certificate_authorities:
@@ -38,6 +39,7 @@ stringData:
     {{- end }}
   {{- end }}
   {{- if and .Values.controlplane.keylessSigning.enabled (eq "ejbcaCA" .Values.controlplane.keylessSigning.backend) }}
+  # deprecated
   ejbca.secret.yaml: |
     {{- with .Values.controlplane.keylessSigning.ejbcaCA }}
     certificate_authorities:
@@ -50,7 +52,34 @@ stringData:
           end_entity_profile_name: "{{- required "EJBCA end entity profile name is mandatory" .endEntityProfileName }}"
           certificate_authority_name: "{{- required "EJBCA certificate authority name is mandatory" .caName }}"
     {{- end }}
-  {{- end }}  
+  {{- end }}
+  {{- if and .Values.controlplane.keylessSigning.enabled .Values.controlplane.keylessSigning.backends }}
+  signing.secrets.yaml: |
+    certificate_authorities:
+  {{- range $index, $backend := .Values.controlplane.keylessSigning.backends }}
+  {{- if eq "fileCA" $backend.type }}
+    {{- with $backend.fileCA }}
+      - issuer: {{default false $backend.issuer }}
+        file_ca:
+          cert_path: "/sign_secrets_{{$backend.type}}_{{$index}}/file_ca.cert"
+          key_path:  "/sign_secrets_{{$backend.type}}_{{$index}}/file_ca.key"
+          key_pass: "{{- required "FileCA keyPass is mandatory" .keyPass }}"
+    {{- end }}
+  {{- else if eq "ejbcaCA" $backend.type }}
+    {{- with $backend.ejbcaCA }}
+      - issuer: {{default false $backend.issuer}}
+        ejbca_ca:
+          cert_path: "/sign_secrets_{{$backend.type}}_{{$index}}/ejbca_client.cert"
+          key_path:  "/sign_secrets_{{$backend.type}}_{{$index}}/ejbca_client.key"
+          root_ca_path: "/sign_secrets_{{$backend.type}}_{{$index}}/ejbca_ca.cert"
+          server_url: "{{- required "EJBCA server URL is mandatory" .serverURL }}"
+          certificate_profile_name: "{{- required "EJBCA certificate profile name is mandatory" .certProfileName }}"
+          end_entity_profile_name: "{{- required "EJBCA end entity profile name is mandatory" .endEntityProfileName }}"
+          certificate_authority_name: "{{- required "EJBCA certificate authority name is mandatory" .caName }}"
+    {{- end }}
+  {{- end }}
+  {{- end }}
+  {{- end }}
   config.secret.yaml: |
     data:
       database:

deployment/chainloop/templates/controlplane/secret-config.yaml

@@ -4,6 +4,7 @@ SPDX-License-Identifier: APACHE-2.0
 */}}
 
 {{- if and .Values.controlplane.keylessSigning.enabled (eq "ejbcaCA" .Values.controlplane.keylessSigning.backend) }}
+# deprecated
 apiVersion: v1
 kind: Secret
 metadata:
@@ -14,4 +15,4 @@ type: Opaque
 data:
   ejbca_client.cert: {{ .Values.controlplane.keylessSigning.ejbcaCA.clientCert | b64enc | quote }}
   ejbca_client.key: {{ .Values.controlplane.keylessSigning.ejbcaCA.clientKey | b64enc | quote }}
-{{- end }}
+{{- end }}

deployment/chainloop/templates/controlplane/secret-ejbca-ca.yaml

@@ -4,6 +4,7 @@ SPDX-License-Identifier: APACHE-2.0
 */}}
 
 {{- if and .Values.controlplane.keylessSigning.enabled (eq "fileCA" .Values.controlplane.keylessSigning.backend) }}
+# deprecated
 apiVersion: v1
 kind: Secret
 metadata:
@@ -14,4 +15,4 @@ type: Opaque
 data:
   file_ca.cert: {{ .Values.controlplane.keylessSigning.fileCA.cert | b64enc | quote }}
   file_ca.key: {{ .Values.controlplane.keylessSigning.fileCA.key | b64enc | quote }}
-{{- end }}
+{{- end }}

deployment/chainloop/templates/controlplane/secret-file-ca.yaml

@@ -0,0 +1,27 @@
+{{- /*
+Copyright Chainloop, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+
+{{- if .Values.controlplane.keylessSigning.enabled }}
+{{- range $index, $backend := .Values.controlplane.keylessSigning.backends }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "chainloop.controlplane.fullname" $ }}-keyless-{{$backend.type}}-{{$index}}
+  labels:
+    {{- include "chainloop.controlplane.labels" $ | nindent 4 }}
+type: Opaque
+data:
+{{- if eq "fileCA" $backend.type }}
+  file_ca.cert: {{ $backend.fileCA.cert | b64enc | quote }}
+  file_ca.key: {{ $backend.fileCA.key | b64enc | quote }}
+{{- else if eq "ejbcaCA" $backend.type }}
+  ejbca_client.cert: {{ $backend.ejbcaCA.clientCert | b64enc | quote }}
+  ejbca_client.key: {{ $backend.ejbcaCA.clientKey | b64enc | quote }}
+  ejbca_ca.cert: {{ $backend.ejbcaCA.caCert | b64enc | quote }}
+{{- end }}
+{{- end }}
+{{- end }}

deployment/chainloop/templates/controlplane/secrets-signer-ca.yaml

@@ -658,36 +658,43 @@ controlplane:
 
   ## Configuration for keyless signing using one of the supported providers
   ## @param controlplane.keylessSigning.enabled Activates or deactivates the feature
-  ## @param controlplane.keylessSigning.backend The backend to use. Currently only "fileCA" and "ejbcaCA" are supported
-  ## @param controlplane.keylessSigning.fileCA.cert The PEM-encoded certificate of the file based CA
+  ## @param controlplane.keylessSigning.backends[0].issuer Whether this backend should be used to issue new certificates. Only one can be set at a time.
+  ## @param controlplane.keylessSigning.backends[0].type backend type. Only "fileCA" and "ejbcaCA" are supported
+  ## @param controlplane.keylessSigning.backends[0].fileCA.cert The PEM-encoded certificate of the file based CA
   ##       -----BEGIN CERTIFICATE-----
   ##       ...
   ##       -----END CERTIFICATE-----
-  ## @param controlplane.keylessSigning.fileCA.key The PEM-encoded private key of the file based CA
+  ## @param controlplane.keylessSigning.backends[0].fileCA.key The PEM-encoded private key of the file based CA
   ##       -----BEGIN RSA PRIVATE KEY-----
   ##       ...
   ##       -----END RSA PRIVATE KEY-----
-  ## @param controlplane.keylessSigning.fileCA.keyPass The secret key pass
-  ## @param controlplane.keylessSigning.ejbcaCA.serverURL The url of the EJBCA service ("https://host/ejbca")
-  ## @param controlplane.keylessSigning.ejbcaCA.clientKey PEM-encoded the private key for EJBCA cert authentication
-  ## @param controlplane.keylessSigning.ejbcaCA.clientCert PEM-encoded certificate for EJBCA cert authentication
-  ## @param controlplane.keylessSigning.ejbcaCA.certProfileName Name of the certificate profile to use in EJBCA
-  ## @param controlplane.keylessSigning.ejbcaCA.endEntityProfileName Name of the Entity Profile to use in EJBCA
-  ## @param controlplane.keylessSigning.ejbcaCA.caName Name of the CA issuer to use in EJBCA
+  ## @param controlplane.keylessSigning.backends[0].fileCA.keyPass The secret key pass
+  ## @param controlplane.keylessSigning.backends[1].type backend type. Only "fileCA" and "ejbcaCA" are supported
+  ## @param controlplane.keylessSigning.backends[1].ejbcaCA.serverURL The url of the EJBCA service ("https://host/ejbca")
+  ## @param controlplane.keylessSigning.backends[1].ejbcaCA.clientKey PEM-encoded the private key for EJBCA cert authentication
+  ## @param controlplane.keylessSigning.backends[1].ejbcaCA.clientCert PEM-encoded certificate for EJBCA cert authentication
+  ## @param controlplane.keylessSigning.backends[1].ejbcaCA.caCert PEM-encoded certificate of the root CA
+  ## @param controlplane.keylessSigning.backends[1].ejbcaCA.certProfileName Name of the certificate profile to use in EJBCA
+  ## @param controlplane.keylessSigning.backends[1].ejbcaCA.endEntityProfileName Name of the Entity Profile to use in EJBCA
+  ## @param controlplane.keylessSigning.backends[1].ejbcaCA.caName Name of the CA issuer to use in EJBCA
   keylessSigning:
     enabled: false
-    backend: fileCA
-    fileCA:
-      cert: ""
-      key: ""
-      keyPass: ""
-    ejbcaCA:
-      serverURL: ""
-      clientKey: ""
-      clientCert: ""
-      certProfileName: ""
-      endEntityProfileName: ""
-      caName: ""
+    backends:
+      - type: fileCA
+        fileCA:
+          cert: ""
+          key: ""
+          keyPass: "foo"
+        issuer: true
+      - type: ejbcaCA
+        ejbcaCA:
+          serverURL: ""
+          clientKey: ""
+          clientCert: ""
+          caCert: ""
+          certProfileName: ""
+          endEntityProfileName: ""
+          caName: ""
 
   ## Inject custom CA certificates to the controlplane container
   ## @param controlplane.customCAs List of custom CA certificates content