Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs: add doc KMP Refresh #103

Merged
merged 1 commit into from
Sep 3, 2024
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
61 changes: 42 additions & 19 deletions docs/reference/custom resources/key-management-providers.md
Original file line number Diff line number Diff line change
@@ -1,11 +1,11 @@
Key Management Provider
---
# Key Management Provider

> **NOTE:** `KeyManagementProvider` replaces `CertificateStore` which is now DEPRECATED. See migration [guide](#migrating-from-certificatestore-to-kmp).

A `KeyManagementProvider` (`KMP`) represents key(s) and/or certificate(s) that are consumed by a verifier. `KMP` contains various providers for different use cases. Each provider is responsible for defining custom configuration and providing a set of public keys and/or x.509 certificates. Notation and Cosign verifiers can consume `KMP` resources to use during signature verification. Please refer to respective [Notation](../../plugins/verifier/notation.md) and [Cosign](../../plugins/verifier/cosign.md) verifier documentation on how to consume `KMP`.

## Table of Contents

- [Key Management Provider](#key-management-provider)
- [Table of Contents](#table-of-contents)
- [Scope](#scope)
Expand All @@ -25,15 +25,19 @@ A `KeyManagementProvider` (`KMP`) represents key(s) and/or certificate(s) that a
- [Notation Verifier](#notation-verifier)

## Scope

Key Management Provider can be defined as cluster-wide resources(using the kind `KeyManagementProvider`) or namespaced resources(using the kind `NamespacedKeyManagementProvider`).

## Utilization in Verifiers

The KeyManagementProvider serves primarily as a reference to key/certificate stores in Verifier CRs. Given that the Key Management Provider can exist either cluster-wide or within a namespace, users need to include the appropriate namespace prefix when referencing the KMP in Verifier CRs. To reference a namespaced KMP, the format should be `namespace/kmp-name`. Conversely, to reference a cluster-wide KMP, the format should simply be `kmp-name`.

In general, there are 2 valid use cases. One is a namespaced verifier references a namespaced KMP within the same namespace or a cluster-wide KMP. The other is a cluster-wide verifier references a cluster-wide KMP.

### Examples
***Scenario 1***: A namespaced verifier referencing both namespaced KMP and cluster-wide KMP.

**_Scenario 1_**: A namespaced verifier referencing both namespaced KMP and cluster-wide KMP.

```yaml
apiVersion: config.ratify.deislabs.io/v1beta1
kind: NamespacedVerifier
Expand All @@ -44,14 +48,15 @@ spec:
name: notation
artifactTypes: application/vnd.cncf.notary.signature
parameters:
verificationCertStores:
certs:
- default/ratify-notation-inline-cert-0
- ratify-notation-inline-cert-0
verificationCertStores:
certs:
- default/ratify-notation-inline-cert-0
- ratify-notation-inline-cert-0
# skip irrelevant fields
```

***Scenario 2***: A cluster-wide verifier referencing cluster-wide KMP.
**_Scenario 2_**: A cluster-wide verifier referencing cluster-wide KMP.

```yaml
apiVersion: config.ratify.deislabs.io/v1beta1
kind: Verifier
Expand All @@ -61,30 +66,34 @@ spec:
name: notation
artifactTypes: application/vnd.cncf.notary.signature
parameters:
verificationCertStores:
certs:
- ratify-notation-inline-cert-0
verificationCertStores:
certs:
- ratify-notation-inline-cert-0
# skip irrelevant fields
```

## Configuration guidelines

### Inline

#### Template

A provider that can specify a **single** certificate or key. The content is expected to be defined inline in the resource configuration.

```yml
apiVersion: config.ratify.deislabs.io/v1beta1
kind: KeyManagementProvider # NamespacedKeyManagementProvider has the same spec.
metadata:
name: # a unique name
name: # a unique name
spec:
type: inline
parameters:
contentType: # REQUIRED: [string] (key, certificate)
value: # REQUIRED: [string] value of content
value: # REQUIRED: [string] value of content
status:
error: # error message if the operation failed
issuccess: # boolean that indicate if operation was successful
lastfetchedtime: # timestamp of last attempted fetch operation
error: # error message if the operation failed
issuccess: # boolean that indicate if operation was successful
lastfetchedtime: # timestamp of last attempted fetch operation
properties: # provider specific properties of the fetched certificates/keys. If the current fetch operation fails, this property displays the properties of last successfully cached certificate/key
```

Expand All @@ -93,15 +102,22 @@ status:
| contentType | yes | 'key' or 'certificate'. Describes content type | "" |
| value | yes | string content | "" |

Samples:

- [Inline KMP](https://github.com/ratify-project/ratify/blob/dev/config/samples/clustered/kmp/config_v1beta1_keymanagementprovider_inline.yaml)

### Azure Key Vault

#### Template

```yml
apiVersion: config.ratify.deislabs.io/v1beta1
kind: KeyManagementProvider
metadata:
name: # a unique name
spec:
type: azurekeyvault
refreshInterval: # OPTIONAL: [string], time duration to refresh the certificates/keys. Disabled by default. Example: 1h, 30m, 1h30m. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
Copy link
Collaborator

@susanshi susanshi Aug 21, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion to add an example for refresh enabled KMPs in the example section, or link to the /sample

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@susanshi I added samples to the inline and akv sections to point to the samples in the ratify repo. :) Thanks for the suggestion.

parameters:
vaultURI: # REQUIRED: [string], azure key vault URI
tenantID: # REQUIRED: [string], Azure tenant ID
Expand All @@ -111,7 +127,7 @@ spec:
version: # OPTIONAL [string], version identifier
keys: # OPTIONAL: [list], keys in key vault to fetch
- name: # REQUIRED: [string], key name
version: # OPTIONAL [string], version identifier
version: # OPTIONAL [string], version identifier
```

| Name | Required | Description | Default Value |
Expand All @@ -126,11 +142,18 @@ spec:
| keys[*].name | yes | key name (as shown in key vault) | "" |
| keys[*].version | no | version identifier (as shown in key vault). If not provided, latest version will be used | "" |

Samples:

- [Azure Key Vault KMP](https://github.com/ratify-project/ratify/blob/dev/config/samples/clustered/kmp/config_v1beta1_keymanagementprovider_akv.yaml)
- [Azure Key Vault KMP Refresh Enabled](https://github.com/ratify-project/ratify/blob/dev/config/samples/clustered/kmp/config_v1beta1_keymanagementprovider_akv_refresh_enabled.yaml)

## Limitation

- If a key/certificate is in disabled state, KMP resource creation will FAIL. Users must remove reference to a disabled Key/Certificate or re-enable in Azure Key Vault.

- Ratify does NOT yet support periodic refresh and polling of certificates/keys. If the default latest version changes, object is disabled/expired, or deleted, Ratify will only become aware once the KMP resource is reconciled (edited, deleted, added).
- Ratify supports periodic refresh and polling of certificates/keys from Azure Key Vault. The `refreshInterval` field can be set to a time duration to refresh the certificates/keys. When no version of the certificate or key is specified, the latest version will be fetched and the resource will be updated. However, if a version is specified, the resource will be locked to that version and will not be updated.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we might also want to talk about limitation that auto fetching latest might result in verification failure if previous image signed are with other version of the cert. We can also link N version issue so reader is aware of the road map.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good call out, I'll add that limitation to the doc. :)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@susanshi do you have a link to that issue? Or does one need to be created since the n-verion feature isn't included in the refresher for the 1.3 release?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't find the n-version issue, @duffney could you help create one?

Copy link
Contributor Author

@duffney duffney Aug 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Certainly, here's a link. ratify-project/ratify#1751 :) It's also been added to the doc.


- If the `refreshInterval` is set, verification may fail if the artifact being verified is signed with an older version of the certificate/key even if the older version is still valid/enabled. This is because Ratify only uses the latest stored certificate/key for verification. However, [support n-versions of certificates/keys](https://github.com/ratify-project/ratify/issues/1751) is planned in future releases.

- If `keys` are configured, the managed identity with `clientID` specified MUST be assigned the correct permissions to list, view, and download keys in the configured Key Vault.

Expand All @@ -147,7 +170,7 @@ spec:
Get an overview of KMPs status:

```bash
kubectl get keymanagementproviders.config.ratify.deislabs.io
kubectl get keymanagementproviders.config.ratify.deislabs.io
```

Get specific status of each certificate/key fetched in a single KMP
Expand Down