
Add plugin interface for out-of-tree KMS providers

Open bobcallaway opened this issue 1 year ago • 9 comments

Description

Investigate using go-plugin as an approach for out-of-tree KMS providers to integrate with Sigstore tooling without merging code into this repo.

I believe this is the correct interface to base the plugin design off of: https://github.com/sigstore/sigstore/blob/8a49902a31ccd8f4d297d8109a17e9bb78f8a1ba/pkg/signature/kms/kms.go#L72

bobcallaway avatar Mar 04 '24 20:03 bobcallaway

Two other possible approaches:

  • Go's plugin support. This notes that it only works on certain Linux distros and macOS so it's probably not the best approach
  • kubectl has support for plugins. I haven't dug in yet, but given kubectl is written in go, I assume this uses either the above or go-plugin, or something that's been written from scratch that we could maybe reuse.

Hayden-IO avatar Mar 04 '24 21:03 Hayden-IO

> Two other possible approaches:
>
>   • Go's plugin support. This notes that it only works on certain Linux distros and macOS so it's probably not the best approach

Given the lack of portability this is probably a non-starter.

>   • kubectl has support for plugins. I haven't dug in yet, but given kubectl is written in go, I assume this uses either the above or go-plugin, or something that's been written from scratch that we could maybe reuse.

This seems to be based on a convention of a separate binary being named kubectl-foo-bar and just launching that child process.

bobcallaway avatar Mar 06 '24 13:03 bobcallaway
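A sketch of how a host could apply that kubectl-style naming convention to a KMS provider plugin, added here as an example; it is not code from sigstore or from anyone in this thread. The `sigstore-kms-` prefix, the one-shot stdin/stdout protocol and the request format are all assumptions, and the point of interest is that the provider scheme from the key reference is validated before it is turned into a binary name that gets looked up on PATH.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// Hypothetical convention modelled on kubectl-foo-bar: "myhsm://key-1" selects the child binary "sigstore-kms-myhsm".
const pluginPrefix = "sigstore-kms-"

// The scheme becomes a file name looked up on PATH: lower-case alphanumerics only, so dots, slashes and empty schemes are rejected.
var schemeRe = regexp.MustCompile(`^[a-z0-9]+$`)

// Constructed protocol: JSON request on the plugin's stdin, raw signature bytes on its stdout, non-zero exit on failure.
type signRequest struct {
	KeyResourceID string `json:"key_resource_id"`
	Digest        []byte `json:"digest"`
}

// PluginBinaryName maps a key reference to the plugin binary that serves it.
func PluginBinaryName(keyResourceID string) (string, error) {
	scheme, _, ok := strings.Cut(keyResourceID, "://")
	if !ok || !schemeRe.MatchString(scheme) {
		return "", fmt.Errorf("invalid key resource id %q", keyResourceID)
	}
	return pluginPrefix + scheme, nil
}

// SignViaPlugin runs the plugin as a child process and relays one sign request; only the derived name is resolved on PATH.
func SignViaPlugin(ctx context.Context, keyResourceID string, digest []byte) ([]byte, error) {
	name, err := PluginBinaryName(keyResourceID)
	if err != nil {
		return nil, err
	}
	path, err := exec.LookPath(name)
	if err != nil {
		return nil, fmt.Errorf("no plugin for %q: %w", keyResourceID, err)
	}
	req, _ := json.Marshal(signRequest{KeyResourceID: keyResourceID, Digest: digest})
	cmd := exec.CommandContext(ctx, path)
	cmd.Stdin = bytes.NewReader(req)
	sig, err := cmd.Output() // a non-zero exit surfaces here as *exec.ExitError
	if err != nil {
		return nil, fmt.Errorf("plugin %s failed: %w", name, err)
	}
	return sig, nil
}
```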

Hey Team - how close or far away are we from some sort of decision on this, and can we be of any help here?

akljph avatar Mar 17 '24 08:03 akljph

The go-plugin library seems like the most promising solution. We haven't started working on this yet. Are you interested in implementing it?

Hayden-IO avatar Mar 17 '24 22:03 Hayden-IO

No promises, but I am talking to my dev team to potentially build it. I will get back to you when I have more info.

Update: Not sure we will be able to get to this as our team is quite busy.

akljph avatar Mar 20 '24 09:03 akljph

@haydentherapper @bobcallaway any chance you and the team of contributors are going to get to this at some point? Unfortunately, we don't have the time.

akljph avatar Jul 23 '24 13:07 akljph

Yes, we're planning to take a look at this shortly.

Hayden-IO avatar Jul 23 '24 15:07 Hayden-IO

Just another follow up on this one. Hope it's coming soon, and thanks so much for all your hard work 🙏

akljph avatar Aug 18 '24 09:08 akljph