feat(keyless): expose signing service though GRPC (chainloop-dev#861)

Signed-off-by: Jose I. Paris <[email protected]>
jiparis · Jun 3, 2024 · b700ffb · b700ffb
1 parent 59bbbf2
commit b700ffb
Show file tree

Hide file tree

Showing 12 changed files with 477 additions and 155 deletions.
diff --git a/app/controlplane/cmd/main.go b/app/controlplane/cmd/main.go
@@ -22,6 +22,8 @@ import (
 
 	"github.com/bufbuild/protovalidate-go"
 	"github.com/getsentry/sentry-go"
+	"github.com/sigstore/fulcio/pkg/ca"
+	"github.com/sigstore/fulcio/pkg/ca/fileca"
 	flag "github.com/spf13/pflag"
 
 	"github.com/chainloop-dev/chainloop/app/controlplane/internal/biz"
@@ -127,15 +129,19 @@ func main() {
 	// Kill plugins processes on exit
 	defer availablePlugins.Cleanup()
 
-	app, cleanup, err := wireApp(&bc, credsWriter, logger, availablePlugins)
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	ca, err := newSigningCA(ctx, bc.GetCertificateAuthority(), logger)
+	if err != nil {
+		panic(err)
+	}
+	app, cleanup, err := wireApp(&bc, credsWriter, logger, availablePlugins, ca)
 	if err != nil {
 		panic(err)
 	}
 	defer cleanup()
 
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
 	// Run an expiration job every minute that expires unfinished runs older than 1 hour
 	// TODO: Make it configurable from the application config
 	app.runsExpirer.Run(ctx, &biz.WorkflowRunExpirerOpts{CheckInterval: 1 * time.Minute, ExpirationWindow: 1 * time.Hour})
@@ -218,3 +224,16 @@ func initSentry(c *conf.Bootstrap, logger log.Logger) (cleanupFunc func(), err e
 func newProtoValidator() (*protovalidate.Validator, error) {
 	return protovalidate.New()
 }
+
+func newSigningCA(_ context.Context, ca *conf.CA, logger log.Logger) (ca.CertificateAuthority, error) {
+	// File
+	if ca.GetFileCa() != nil {
+		fileCa := ca.GetFileCa()
+		_ = logger.Log(log.LevelInfo, "msg", "Keyless: File CA configured")
+		return fileca.NewFileCA(fileCa.GetCertPath(), fileCa.GetKeyPath(), fileCa.GetKeyPass(), false)
+	}
+
+	// No CA configured, keyless will be deactivated.
+	_ = logger.Log(log.LevelInfo, "msg", "Keyless Signing NOT configured")
+	return nil, nil
+}
diff --git a/app/controlplane/cmd/wire.go b/app/controlplane/cmd/wire.go
@@ -33,9 +33,10 @@ import (
 	"github.com/chainloop-dev/chainloop/internal/credentials"
 	"github.com/go-kratos/kratos/v2/log"
 	"github.com/google/wire"
+	"github.com/sigstore/fulcio/pkg/ca"
 )
 
-func wireApp(*conf.Bootstrap, credentials.ReaderWriter, log.Logger, sdk.AvailablePlugins) (*app, func(), error) {
+func wireApp(*conf.Bootstrap, credentials.ReaderWriter, log.Logger, sdk.AvailablePlugins, ca.CertificateAuthority) (*app, func(), error) {
 	panic(
 		wire.Build(
 			wire.Bind(new(credentials.Reader), new(credentials.ReaderWriter)),

diff --git a/app/controlplane/cmd/wire_gen.go b/app/controlplane/cmd/wire_gen.go
diff --git a/app/controlplane/configs/config.devel.yaml b/app/controlplane/configs/config.devel.yaml
@@ -13,6 +13,12 @@ server:
     # We have some slow operations such as verifying an OCI registry
     timeout: 10s
 
+certificate_authority:
+  file_ca:
+    cert_path: "../../devel/devkeys/ca.pub"
+    key_path: "../../devel/devkeys/ca.pem"
+    key_pass: chainloop
+
 # Directory where the plugins are located
 # NOTE: plugins have the form of chainloop-plugin-<name>
 plugins_dir: "./plugins/bin"

diff --git a/app/controlplane/internal/biz/signing.go b/app/controlplane/internal/biz/signing.go
@@ -38,6 +38,10 @@ func NewChainloopSigningUseCase(ca ca.CertificateAuthority) *SigningUseCase {
 
 // CreateSigningCert signs a certificate request with a configured CA, and returns the full certificate chain
 func (s *SigningUseCase) CreateSigningCert(ctx context.Context, orgID string, csrRaw []byte) ([]string, error) {
+	if s.CA == nil {
+		return nil, errors.New("CA not initialized")
+	}
+
 	var publicKey crypto.PublicKey
 
 	if len(csrRaw) == 0 {