feat(tsa): support timestamp authorities in chart (chainloop-dev#1846)

Signed-off-by: Jose I. Paris <[email protected]>
jiparis · Feb 21, 2025 · 0ab645e · 0ab645e
1 parent b650407
commit 0ab645e
Show file tree

Hide file tree

Showing 6 changed files with 171 additions and 76 deletions.
diff --git a/deployment/chainloop/README.md b/deployment/chainloop/README.md
diff --git a/deployment/chainloop/templates/controlplane/configmap.yaml b/deployment/chainloop/templates/controlplane/configmap.yaml
@@ -63,3 +63,12 @@ data:
     federated_authentication:
       {{- toYaml .Values.controlplane.federatedAuthentication | nindent 6 }}
     {{- end }}
+  {{- if .Values.controlplane.timestampAuthorities }}
+  tsa.yaml: |
+    timestampAuthorities:
+    {{- range $index, $tsa := .Values.controlplane.timestampAuthorities }}
+      - issuer: {{$tsa.issuer}}
+        url: {{$tsa.url}}
+        cert_chain_path: /tsa_roots/chain-{{$index}}.pem
+    {{- end }}
+  {{- end }}
diff --git a/deployment/chainloop/templates/controlplane/deployment.yaml b/deployment/chainloop/templates/controlplane/deployment.yaml
@@ -179,6 +179,10 @@ spec:
               mountPath: /etc/pki/tls/certs
               readOnly: true
             {{- end }}
+            {{- if .Values.controlplane.timestampAuthorities }}
+            - name: tsa-roots
+              mountPath: /tsa_roots/
+            {{- end }}
             {{- if .Values.controlplane.extraVolumeMounts }}
             {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.extraVolumeMounts "context" $) | nindent 12 }}
             {{- end }}
@@ -237,4 +241,9 @@ spec:
         {{- end }}
         {{- if .Values.controlplane.extraVolumes }}
         {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.extraVolumes "context" $) | nindent 8 }}
+        {{- end }}
+        {{- if .Values.controlplane.timestampAuthorities }}
+        - name: tsa-roots
+          configMap:
+            name: {{ include "chainloop.controlplane.fullname" $ }}-tsa
         {{- end }}
diff --git a/deployment/chainloop/templates/controlplane/tsa-configmap.yaml b/deployment/chainloop/templates/controlplane/tsa-configmap.yaml
@@ -0,0 +1,21 @@
+{{- /*
+Copyright Chainloop, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.controlplane.timestampAuthorities }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "chainloop.controlplane.fullname" . }}-tsa
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "chainloop.controlplane.labels" . | nindent 4 }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+data:
+  {{- range $index, $tsa := .Values.controlplane.timestampAuthorities }}
+  chain-{{$index}}.pem: |
+    {{$tsa.certChain | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/deployment/chainloop/values.yaml b/deployment/chainloop/values.yaml
@@ -703,6 +703,31 @@ controlplane:
   #       endEntityProfileName: ""
   #       caName: ""
 
+  ## @section Timestamp authorities
+
+  ## Configuration for RFC3161 timestamp authorities used for signing
+  ## @extra controlplane.timestampAuthorities[0].issuer whether this TSA should be used for signing (only one at a time)
+  ## @extra controlplane.timestampAuthorities[0].url the TSA service URL
+  ## @extra controlplane.timestampAuthorities[0].certChain PEM encoded certificate chain (from leaf to root) for verification
+  ##       -----BEGIN CERTIFICATE-----
+  ##       ...
+  ##       -----END CERTIFICATE-----
+  ##       -----BEGIN CERTIFICATE-----
+  ##       ...
+  ##       -----END CERTIFICATE-----
+  #  timestampAuthorities:
+  #    - issuer: true
+  #      url: https://freetsa.org/tsr
+  #      certChain: |
+  #        -----BEGIN CERTIFICATE-----
+  #        -----END CERTIFICATE-----
+  #
+  #        -----BEGIN CERTIFICATE-----
+  #        -----END CERTIFICATE-----
+
+
+## @section Other settings
+
   ## Inject custom CA certificates to the controlplane container
   ## @param controlplane.customCAs List of custom CA certificates content
   customCAs: []

diff --git a/docs/docs/reference/signing.md b/docs/docs/reference/signing.md
@@ -49,6 +49,9 @@ And verify it:
 ```
 Also note that `chainloop wf run describe` already detects a verifiable attestation and tries to perform the verification automatically. In these cases, you'll see "Verified: true" in the command output.
 
+### Timestamp service
+Chainloop can be configured to send the attestation signature to a timestamp service (TSA) and include the result as part of the attestation bundle. If available, the TSA signature will be used during the verification process.
+
 ### Not yet supported
 
 The following methods are work in progress and **not yet supported**.