feat(ejbca): deployment changes for ejbca integration (#1033)

Signed-off-by: Jose I. Paris <[email protected]>
chainloop-dev · Jun 27, 2024 · b6fb604 · b6fb604
1 parent c43a346
commit b6fb604
Show file tree

Hide file tree

Showing 6 changed files with 91 additions and 26 deletions.
diff --git a/deployment/chainloop/Chart.yaml b/deployment/chainloop/Chart.yaml
@@ -7,7 +7,7 @@ description: Chainloop is an open source software supply chain control plane, a
 
 type: application
 # Bump the patch (not minor, not major) version on each change in the Chart Source code
-version: 1.70.0
+version: 1.70.1
 # Do not update appVersion, this is handled automatically by the release process
 appVersion: v0.92.7
 

diff --git a/deployment/chainloop/README.md b/deployment/chainloop/README.md
@@ -572,26 +572,37 @@ chainloop config save \
 
 ### Controlplane Misc
 
-| Name                                                         | Description                                              | Value        |
-| ------------------------------------------------------------ | -------------------------------------------------------- | ------------ |
-| `controlplane.resources.limits.cpu`                          | Container resource limits CPU                            | `250m`       |
-| `controlplane.resources.limits.memory`                       | Container resource limits memory                         | `512Mi`      |
-| `controlplane.resources.requests.cpu`                        | Container resource requests CPU                          | `250m`       |
-| `controlplane.resources.requests.memory`                     | Container resource requests memory                       | `512Mi`      |
-| `controlplane.autoscaling.enabled`                           | Enable deployment autoscaling                            | `false`      |
-| `controlplane.autoscaling.minReplicas`                       | Minimum number of replicas                               | `1`          |
-| `controlplane.autoscaling.maxReplicas`                       | Maximum number of replicas                               | `100`        |
-| `controlplane.autoscaling.targetCPUUtilizationPercentage`    | Target CPU percentage                                    | `80`         |
-| `controlplane.autoscaling.targetMemoryUtilizationPercentage` | Target CPU memory                                        | `80`         |
-| `controlplane.sentry.enabled`                                | Enable sentry.io alerting                                | `false`      |
-| `controlplane.sentry.dsn`                                    | DSN endpoint                                             | `""`         |
-| `controlplane.sentry.environment`                            | Environment tag                                          | `production` |
-| `controlplane.keylessSigning.enabled`                        | Activates or deactivates de feature                      | `false`      |
-| `controlplane.keylessSigning.backend`                        | The backend to use. Currently only "fileCA" is supported | `fileCA`     |
-| `controlplane.keylessSigning.fileCA.cert`                    | The PEM-encoded certificate of the file based CA         | `""`         |
-| `controlplane.keylessSigning.fileCA.key`                     | The PEM-encoded private key of the file based CA         | `""`         |
-| `controlplane.keylessSigning.fileCA.keyPass`                 | The secret key pass                                      | `""`         |
-| `controlplane.customCAs`                                     | List of custom CA certificates content                   | `[]`         |
+| Name                                                         | Description                        | Value        |
+| ------------------------------------------------------------ | ---------------------------------- | ------------ |
+| `controlplane.resources.limits.cpu`                          | Container resource limits CPU      | `250m`       |
+| `controlplane.resources.limits.memory`                       | Container resource limits memory   | `512Mi`      |
+| `controlplane.resources.requests.cpu`                        | Container resource requests CPU    | `250m`       |
+| `controlplane.resources.requests.memory`                     | Container resource requests memory | `512Mi`      |
+| `controlplane.autoscaling.enabled`                           | Enable deployment autoscaling      | `false`      |
+| `controlplane.autoscaling.minReplicas`                       | Minimum number of replicas         | `1`          |
+| `controlplane.autoscaling.maxReplicas`                       | Maximum number of replicas         | `100`        |
+| `controlplane.autoscaling.targetCPUUtilizationPercentage`    | Target CPU percentage              | `80`         |
+| `controlplane.autoscaling.targetMemoryUtilizationPercentage` | Target CPU memory                  | `80`         |
+| `controlplane.sentry.enabled`                                | Enable sentry.io alerting          | `false`      |
+| `controlplane.sentry.dsn`                                    | DSN endpoint                       | `""`         |
+| `controlplane.sentry.environment`                            | Environment tag                    | `production` |
+
+### Keyless signing configuration
+
+| Name                                                       | Description                                                             | Value    |
+| ---------------------------------------------------------- | ----------------------------------------------------------------------- | -------- |
+| `controlplane.keylessSigning.enabled`                      | Activates or deactivates the feature                                    | `false`  |
+| `controlplane.keylessSigning.backend`                      | The backend to use. Currently only "fileCA" and "ejbcaCA" are supported | `fileCA` |
+| `controlplane.keylessSigning.fileCA.cert`                  | The PEM-encoded certificate of the file based CA                        | `""`     |
+| `controlplane.keylessSigning.fileCA.key`                   | The PEM-encoded private key of the file based CA                        | `""`     |
+| `controlplane.keylessSigning.fileCA.keyPass`               | The secret key pass                                                     | `""`     |
+| `controlplane.keylessSigning.ejbcaCA.serverURL`            | The url of the EJBCA service (https://host/ejbca)                       | `""`     |
+| `controlplane.keylessSigning.ejbcaCA.clientKey`            | PEM-encoded the private key for EJBCA cert authentication               | `""`     |
+| `controlplane.keylessSigning.ejbcaCA.clientCert`           | PEM-encoded certificate for EJBCA cert authentication                   | `""`     |
+| `controlplane.keylessSigning.ejbcaCA.certProfileName`      | Name of the certificate profile to use in EJBCA                         | `""`     |
+| `controlplane.keylessSigning.ejbcaCA.endEntityProfileName` | Name of the Entity Profile to use in EJBCA                              | `""`     |
+| `controlplane.keylessSigning.ejbcaCA.caName`               | Name of the CA issuer to use in EJBCA                                   | `""`     |
+| `controlplane.customCAs`                                   | List of custom CA certificates content                                  | `[]`     |
 
 ### Artifact Content Addressable (CAS) API
 

diff --git a/deployment/chainloop/templates/controlplane/config.secret.yaml b/deployment/chainloop/templates/controlplane/config.secret.yaml
@@ -23,7 +23,7 @@ stringData:
   config.observability.yaml: |
     {{- include "chainloop.sentry" .Values.controlplane.sentry | nindent 4 }}
   {{- end }}
-  {{- if and .Values.controlplane.keylessSigning .Values.controlplane.keylessSigning.enabled }}
+  {{- if and .Values.controlplane.keylessSigning.enabled (eq "fileCA" .Values.controlplane.keylessSigning.backend) }}
   fileca.secret.yaml: |
     {{- with .Values.controlplane.keylessSigning.fileCA }}
     certificate_authority:
@@ -33,6 +33,19 @@ stringData:
         key_pass: "{{- required "FileCA keyPass is mandatory" .keyPass }}"
     {{- end }}
   {{- end }}
+  {{- if and .Values.controlplane.keylessSigning.enabled (eq "ejbcaCA" .Values.controlplane.keylessSigning.backend) }}
+  ejbca.secret.yaml: |
+    {{- with .Values.controlplane.keylessSigning.ejbcaCA }}
+    certificate_authority:
+      ejbca_ca:
+        cert_path: "/ca_secrets/ejbca_client.cert"
+        key_path:  "/ca_secrets/ejbca_client.key"
+        server_url: "{{- required "EJBCA server URL is mandatory" .serverURL }}"
+        certificate_profile_name: "{{- required "EJBCA certificate profile name is mandatory" .certProfileName }}"
+        end_entity_profile_name: "{{- required "EJBCA end entity profile name is mandatory" .endEntityProfileName }}"
+        certificate_authority_name: "{{- required "EJBCA certificate authority name is mandatory" .caName }}"
+    {{- end }}
+  {{- end }}  
   config.secret.yaml: |
     data:
       database:

diff --git a/deployment/chainloop/templates/controlplane/deployment.yaml b/deployment/chainloop/templates/controlplane/deployment.yaml
@@ -85,10 +85,14 @@ spec:
               mountPath: /tmp
             - name: jwt-cas-private-key
               mountPath: /secrets
-            {{- if .Values.controlplane.keylessSigning.enabled }}
+            {{- if and .Values.controlplane.keylessSigning.enabled (eq "fileCA" .Values.controlplane.keylessSigning.backend) }}
             - name: file-ca-cert
               mountPath: /ca_secrets
             {{- end }}
+            {{- if and .Values.controlplane.keylessSigning.enabled (eq "ejbcaCA" .Values.controlplane.keylessSigning.backend) }}
+            - name: ejbca-ca-client
+              mountPath: /ca_secrets
+            {{- end }}
             {{- if .Values.controlplane.tlsConfig.secret.name  }}
             - name: server-certs
               mountPath: /data/server-certs
@@ -135,8 +139,13 @@ spec:
           secret:
             secretName: {{ include "chainloop.controlplane.fullname" . }}-gcp-secretmanager-serviceaccountkey
         {{- end }}
-        {{- if .Values.controlplane.keylessSigning.enabled }}
+        {{- if and .Values.controlplane.keylessSigning.enabled (eq "fileCA" .Values.controlplane.keylessSigning.backend) }}
         - name: file-ca-cert
           secret:
             secretName: {{ include "chainloop.controlplane.fullname" . }}-keyless-file-ca
+        {{- end }}
+        {{- if and .Values.controlplane.keylessSigning.enabled (eq "ejbcaCA" .Values.controlplane.keylessSigning.backend) }}
+        - name: ejbca-ca-client
+          secret:
+            secretName: {{ include "chainloop.controlplane.fullname" . }}-keyless-ejbca-ca
         {{- end }}
diff --git a/deployment/chainloop/templates/controlplane/ejbca_ca.secret.yaml b/deployment/chainloop/templates/controlplane/ejbca_ca.secret.yaml
@@ -0,0 +1,17 @@
+{{- /*
+Copyright Chainloop, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.controlplane.keylessSigning.enabled (eq "ejbcaCA" .Values.controlplane.keylessSigning.backend) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "chainloop.controlplane.fullname" . }}-keyless-ejbca-ca
+  labels:
+    {{- include "chainloop.controlplane.labels" . | nindent 4 }}
+type: Opaque
+data:
+  ejbca_client.cert: {{ .Values.controlplane.keylessSigning.ejbcaCA.clientCert | b64enc | quote }}
+  ejbca_client.key: {{ .Values.controlplane.keylessSigning.ejbcaCA.clientKey | b64enc | quote }}
+{{- end }}
diff --git a/deployment/chainloop/values.yaml b/deployment/chainloop/values.yaml
@@ -473,9 +473,11 @@ controlplane:
     dsn: ""
     environment: production
 
+  ## @section Keyless signing configuration
+
   ## Configuration for keyless signing using one of the supported providers
-  ## @param controlplane.keylessSigning.enabled Activates or deactivates de feature
-  ## @param controlplane.keylessSigning.backend The backend to use. Currently only "fileCA" is supported
+  ## @param controlplane.keylessSigning.enabled Activates or deactivates the feature
+  ## @param controlplane.keylessSigning.backend The backend to use. Currently only "fileCA" and "ejbcaCA" are supported
   ## @param controlplane.keylessSigning.fileCA.cert The PEM-encoded certificate of the file based CA
   ##       -----BEGIN CERTIFICATE-----
   ##       ...
@@ -485,13 +487,26 @@ controlplane:
   ##       ...
   ##       -----END RSA PRIVATE KEY-----
   ## @param controlplane.keylessSigning.fileCA.keyPass The secret key pass
+  ## @param controlplane.keylessSigning.ejbcaCA.serverURL The url of the EJBCA service (https://host/ejbca)
+  ## @param controlplane.keylessSigning.ejbcaCA.clientKey PEM-encoded the private key for EJBCA cert authentication
+  ## @param controlplane.keylessSigning.ejbcaCA.clientCert PEM-encoded certificate for EJBCA cert authentication
+  ## @param controlplane.keylessSigning.ejbcaCA.certProfileName Name of the certificate profile to use in EJBCA
+  ## @param controlplane.keylessSigning.ejbcaCA.endEntityProfileName Name of the Entity Profile to use in EJBCA
+  ## @param controlplane.keylessSigning.ejbcaCA.caName Name of the CA issuer to use in EJBCA
   keylessSigning:
     enabled: false
     backend: fileCA
     fileCA:
       cert: ""
       key: ""
       keyPass: ""
+    ejbcaCA:
+      serverURL: ""
+      clientKey: ""
+      clientCert: ""
+      certProfileName: ""
+      endEntityProfileName: ""
+      caName: ""
 
   ## Inject custom CA certificates to the controlplane container
   ## @param controlplane.customCAs List of custom CA certificates content