Skip to content

Support loading a key from HashiCorp Vault in admin cli #608

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
lukpueh wants to merge 4 commits into
base: main
Choose a base branch
from
Draft

Support loading a key from HashiCorp Vault in admin cli #608

lukpueh wants to merge 4 commits into from

Conversation

@lukpueh
Copy link
Collaborator

@lukpueh lukpueh commented Jun 4, 2024

Changes key loading helpers used by admin ceremony and metadata update commands to provide an option to the user to load a public key from HashiCorp Vault into TUF metadata.

TODO:

  • update to securesystemslib 1.0.0 to use VaultSigner (this will require a major sweep through the code base)
  • adopt change in existing metadata update and sign tests (currently, only helper tests are updated)
  • add new tests
  • re-think "ambient" config needed by HashiCorp client. options are:
    1. tell user to provide config out-of-band, e.g. via rc file, env vars, etc. as expected by securesystemslib
    2. prompt user for config, and re-export in a form supported by securesystemslib

tuf-on-ci does the former (see "Prepare your local environment" in its docs/ONLINE-SIGNING-SETUP.md (cc @jku, who might be willing to share some wisdom )

Lukas Puehringer added 4 commits June 4, 2024 16:18
Change _load_key_from_file_prompt return value
3e2a4ae 
In preparation for supporting multiple online key types, this helper
is changed to return the key and a uri to access the corresponding
signer.

Since the helper is still used for online and offline key configuration,
via a common intermediary helper `_load_key_prompt`, the returned uri is
not yet used.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Add helper to load key from HashiCorp Vault
e33e4a2 
Prompts for key name in vault and return uri and key.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Create separate online and offline load key helpers
8fdf7a9 
Rename _load_key_prompt to _load_offline_key_prompt. This stays the
same and currently only supports loading a key from file.

Add new _load_online_key_prompt to load key from either file, or
hashicorp vault.

Change _configure_online_key_prompt to use _load_online_key_prompt,
which return the key already with the uri included.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Adopt load online key changes in helper tests
5baaad2 
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
@jku
Copy link

jku commented Jun 5, 2024

tuf-on-ci does the former (see "Prepare your local environment" in its docs/ONLINE-SIGNING-SETUP.md (cc @jku, who might be willing to share some wisdom )

I'm still not sure if that was the best idea:

  • on one hand once the KMS access is setup it works really smoothly, is not much code in the signing tool itself, and is very reliable (less chance for copy-pasting mistakes)
  • on the other hand getting the KMS permissions and authenticating can be a hassle for the user: maybe copy pasting data from the KMS web UI would be overall easier for user?

@lukpueh lukpueh mentioned this pull request Jul 15, 2024
Open
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lukpueh @jku