Improvements in DiskSigner and DiskVerifier and refactors for the use of signing certificate chains. #235

21 changes: 20 additions & 1 deletion conf/harvester/harvester_full.conf
@@ -44,8 +44,27 @@ providers {

# Enables the signing of bundles using a disk-based key pair.
BundleSigner "disk" {
ca_cert_path = "conf/harvester/dummy_root_ca.crt"
# ca_private_key_path: Path to the CA key file. Key files must
# contain a single PEM encoded key. The supported key types are EC
# (ASN.1 or PKCS8 encoded) or RSA (PKCS1 or PKCS8 encoded).
ca_private_key_path = "conf/harvester/dummy_root_ca.key"

# ca_cert_path: If the BundleSigner will use a self-signed CA, cert_file_path
# should specify the path to a single PEM encoded certificate
# representing the CA certificate. If not self-signed,
# ca_cert_path should specify the path to a file that must contain
# one or more certificates necessary to establish a valid certificate
# chain up the root certificates defined in bundle_file_path.
ca_cert_path = "conf/harvester/dummy_root_ca.crt"

# trust_bundle_path: If Galadriel is using a self-signed CA, bundle_file_path
# can be left unset. If not self-signed, then trust_bundle_path should
# be the path to a file that must contain one or more certificates
# representing the upstream root certificates and the file at
# ca_cert_path contains one or more certificates necessary to chain up
# the root certificates in bundle_file_path (where the first
# certificate in ca_cert_path is the CA certificate).
trust_bundle_path = ""
}

# BundleVerifier enables the verification of bundle signatures using selected implementations.
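Review bot: `ca_cert_path` is assigned twice inside the `BundleSigner "disk"` block in this hunk (once as the first line of the block and again after the comment that describes it); depending on the config loader a duplicate attribute is either a parse error or the first value is silently overridden, so drop the first occurrence and keep the documented one. The comments also refer to `cert_file_path` and `bundle_file_path`, neither of which is an option in this block; they should read `ca_cert_path` and `trust_bundle_path` to match the keys actually set. Minor wording: "chain up the root certificates" should be "chain up to the root certificates" in both comments, and the ordering requirement stated in the `trust_bundle_path` comment ("the first certificate in ca_cert_path is the CA certificate") belongs in the `ca_cert_path` comment, since that is the file whose ordering it constrains.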
11 changes: 11 additions & 0 deletions doc/galadriel_harvester.md
@@ -55,6 +55,17 @@ providers {
}
```

##### BundleSigner - disk

Configuration details for BundleSigner "disk":

| Option | Description |
|-----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `ca_private_key_path` | Path to the CA private key file in PEM format. This path can be relative or absolute. |
| `ca_cert_path` | Path to the CA certificate file in PEM format. If Galadriel is using a self-signed CA, cert_file_path should specify the path to a single PEM encoded certificate representing the CA certificate. If not self-signed, cert_file_path should specify the path to a file that must contain one or more certificates necessary to establish a valid certificate chain up the root certificates defined in bundle_file_path. This path can be relative or absolute. |
| `trust_bundle_path` | Required when the ca_cert_path does not contain a self-signed CA certificate. This is the path to the file containing one or more root CAs. This path can be relative or absolute. |
| `signing_cert_ttl` | The TTL of the signing certificate. This TTL should align with the TTL of the SPIRE bundle. |

#### BundleVerifier

This subsection explains the `BundleVerifier` options.
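Review bot: the `ca_cert_path` row in the table references `cert_file_path` and `bundle_file_path`, neither of which appears in the Option column; use `ca_cert_path` and `trust_bundle_path` so the description matches the documented keys, and fix "chain up the root certificates" to "chain up to the root certificates". The `signing_cert_ttl` row gives no format or default: state whether it is a duration string, what the default is, and whether it is optional, and note that the `harvester_full.conf` example changed in this same PR does not set it, so the two should be reconciled (either add it to the sample config or mark it optional here). The `trust_bundle_path` row would also be clearer if it said the certificates in the file are the upstream roots that `ca_cert_path` must chain to, as the config comment in the other hunk already does.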
123 changes: 58 additions & 65 deletions pkg/common/api/schemas.gen.go
