cosign icon indicating copy to clipboard operation
cosign copied to clipboard

Published 20 hours ago verified publisher icon sigstore

Move pkg/providers to sigstore/sigstore

Open imjasonh opened this issue 3 years ago • 4 comments

Description

github.com/sigstore/cosign/pkg/providers provides an interface for OIDC token providers and some common implementations, in subpackages (e.g., pkg/providers/google).

The interface is agnostic to providers' dependencies, and doesn't have any deps outside of the Go stdlib. Provider-specified implementations may have external dependencies, e.g., pkg/providers/google depends on google.golang.org/api/idtoken.

I'd like to propose we move at least the agnostic interface definition into sigstore/sigstore, and consider whether and how we should move the provider-specific impls out into their own modules -- either as submodules in sigstore/sigstore, or as separate repos, e.g., sigstore/oidc-google, sigstore/oidc-github, and so on.

This would allow cosign and other implementations to selectively import OIDC providers they want to support, and not take a dependency on any others.

If this is successful, it may also give us a model to follow when moving KMS providers into separate modules or repos, for the same reasons.

imjasonh avatar May 11 '22 19:05 imjasonh

cc @mattmoor since you were looking at KMS providers recently

haydentherapper avatar May 11 '22 21:05 haydentherapper

Here's a concrete proposal:

  • move pkg/providers into sigstore/sigstore, as pkg/oidc/providers
  • move pkg/providers/filesystem into sigstore/sigstore as pkg/oidc/providers/filesystem
  • move pkg/providers/github into sigstore/sigstore as pkg/oidc/providers/github
    • (as it doesn't have any large dependencies, it doesn't really warrant its own repo)
  • move pkg/providers/google into sigstore/oidc-google
  • move pkg/providers/spiffe into sigstore/oidc-spiffe
  • deprecate pkg/providers/all, and recommend folks do what it does itself, and _-import whatever providers you may want.
    • after some time, we can delete all the previous pkg/providers/* packages, including all, and drop a bunch of dependencies from sigstore/cosign

With this arrangement, clients (incl cosign) that want to support these providers simply have to _-import them, and if they don't depend on them, they don't take their dependencies.

imjasonh avatar May 12 '22 19:05 imjasonh

cc @wlynch

imjasonh avatar May 12 '22 19:05 imjasonh

Another bump: the filesystem provider expects to find a token at /var/run/sigstore/cosign/oidc-token -- if we move this to sigstore/sigstore I think we should see if we can have it look in /var/run/sigstore first, and then fallback to .../cosign for compatibility.

Or, keep the cosign-looking behavior as a special internal provider only in the cosign codebase, and have sigstore's only look in sigstore.

imjasonh avatar May 13 '22 16:05 imjasonh