KeyID in Grafeas Occurrence
Feature request
When we create Grafeas occurrences, we only set the KMS key path gcpkms://projects/<project>/locations/<location>/keyRings/<keyring>/cryptoKeys/<key> as the keyID field of the DSSE envelope.
If chains is configured to sign with k8s secret signing-secrets in the tekton-chains namespace, the key id field will be empty.
In order to support this case, we might want to use the hard-coded k8s://tekton-chains/signing-secrets as the keyid for k8s secret signing since chains expects signing keys to exist in a Kubernetes secret signing-secrets in the tekton-chains namespace.
Use case
- Chains uses k8s secret to sign instead of KMS keys.
/assign @chuangw6
Thoughts? @wlynch @priyawadhwa
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.
/lifecycle stale
Send feedback to tektoncd/plumbing.
Sorry for missing this! This seems fine.
Alternatively, what we could look into doing is including a fingerprint of the key, which will probably be more reliable in uniquely identifying a key since the value of the secret can change over time.
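The two keyid options discussed above, compared across a key rotation, as an added example that is not part of the thread or of Chains' code. It assumes a verifier that selects the public key by the DSSE keyid and a fingerprint defined as SHA-256 over the DER-encoded public key; `Fingerprint`, `Verify` and `RotationDemo` are hypothetical names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// SecretKeyID is the fixed identifier proposed in the issue.
const SecretKeyID = "k8s://tekton-chains/signing-secrets"

// Fingerprint hashes the DER SubjectPublicKeyInfo; this format is the example's assumption.
func Fingerprint(pub *ecdsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // does not fail for a valid P-256 key
	return fmt.Sprintf("SHA256:%x", sha256.Sum256(der))
}

// digest hashes the DSSE pre-authentication encoding, the bytes that get signed.
func digest(typ string, body []byte) []byte {
	d := sha256.Sum256([]byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(typ), typ, len(body), body)))
	return d[:]
}

// Verify picks the key by keyid (assumed verifier behaviour); an unknown or empty keyid fails.
func Verify(keyID string, sig []byte, ring map[string]*ecdsa.PublicKey, typ string, body []byte) bool {
	return ring[keyID] != nil && ecdsa.VerifyASN1(ring[keyID], digest(typ, body), sig)
}

// RotationDemo signs, rotates the secret, then checks the old signature (constructed data).
func RotationDemo() (byURI, byFingerprint bool) {
	oldKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	newKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	typ, body := "application/vnd.in-toto+json", []byte(`{"constructed":"statement"}`)
	sig, err := ecdsa.SignASN1(rand.Reader, oldKey, digest(typ, body))
	if err != nil {
		panic(err)
	}
	oldPub, newPub := &oldKey.PublicKey, &newKey.PublicKey
	uriRing := map[string]*ecdsa.PublicKey{SecretKeyID: newPub} // one name, current key only
	fpRing := map[string]*ecdsa.PublicKey{Fingerprint(oldPub): oldPub, Fingerprint(newPub): newPub}
	return Verify(SecretKeyID, sig, uriRing, typ, body), Verify(Fingerprint(oldPub), sig, fpRing, typ, body)
}

func main() { fmt.Println(RotationDemo()) }
```

With the fixed URI, the pre-rotation signature resolves to the post-rotation key and fails to verify; with the fingerprint it still resolves to the key that produced it.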
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.
/lifecycle rotten
Send feedback to tektoncd/plumbing.
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen with a justification.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.
/close
Send feedback to tektoncd/plumbing.
@tekton-robot: Closing this issue.