build: update Bridge to Kubernetes debugging steps (#1384)

.vscode/launch.json

@@ -12,15 +12,15 @@
       "program": "${workspaceFolder}/cmd/ratify",
       "env": {
         "RATIFY_EXPERIMENTAL_DYNAMIC_PLUGINS": "1",
-        "RATIFY_LOG_LEVEL": "debug",
+        "RATIFY_LOG_LEVEL": "debug"
       },
       "args": [
         "verify",
         "-s",
         "${input:subject}",
         "-c",
-        "${input:configPath}",
-      ],
+        "${input:configPath}"
+      ]
     },
     {
       "name": "Serve",
@@ -35,10 +35,9 @@
         "serve",
         "--http",
         ":6001"
-      ],
+      ]
     },
     {
-      // This requires your kubeconfig to be pointed at a cluster with Ratify CRDs installed
       "name": "Serve w/ CRD manager",
       "type": "go",
       "request": "launch",
@@ -47,18 +46,19 @@
       "env": {
         "RATIFY_LOG_LEVEL": "debug",
         "RATIFY_EXPERIMENTAL_DYNAMIC_PLUGINS": "1",
-        "RATIFY_NAMESPACE": "gatekeeper-system",
+        "RATIFY_NAMESPACE": "gatekeeper-system"
       },
       "args": [
         "serve",
         "--enable-crd-manager",
         "--http",
         ":6001"
-      ],
+      ]
     },
     {
       // This requires your kubeconfig to be pointed at a cluster with Ratify CRDs installed
-      // This requires you to have generated tls.crt and tls.key and placed them in a single directory
+      // This requires you to have generated server TLS certs: tls.crt, tls.key, ca.crt, ca.key and placed them in a single directory
+      // This requires you to have a client CA cert (Gatekeeper CA cert) to verify the client cert
       "name": "Serve w/ CRD manager and TLS enabled",
       "type": "go",
       "request": "launch",
@@ -73,8 +73,9 @@
         "--enable-crd-manager",
         "--http",
         ":6001",
-        "--cert-dir=${input:tlsDir}"
-      ],
+        "--cert-dir=${input:tlsDir}",
+        "--ca-cert-file=${input:clientCACert}",
+      ]
     },
     {
       "name": "Debug SBOM Plugin",
@@ -87,7 +88,7 @@
         "RATIFY_LOG_LEVEL": "debug",
         "RATIFY_VERIFIER_COMMAND": "VERIFY",
         "RATIFY_VERIFIER_SUBJECT": "wabbitnetworks.azurecr.io/test/image:sbom",
-        "RATIFY_VERIFIER_VERSION": "1.0.0",
+        "RATIFY_VERIFIER_VERSION": "1.0.0"
       },
       "console": "integratedTerminal"
     }
@@ -111,5 +112,11 @@
       "description": "Absolute path to tls cert and key directory",
       "default": "${workspaceFolder}/tls/certs"
     },
+    {
+      "id": "clientCACert",
+      "type": "promptString",
+      "description": "Absolute path to client CA cert (Gatekeeper CA cert)",
+      "default": "${workspaceFolder}/client-ca-cert/ca.crt"
+    }
   ]
 }

CONTRIBUTING.md

@@ -269,19 +269,25 @@ Gatekeeper requires TLS for external data provider interactions. As such ratify
     helm install ratify \
       ./charts/ratify --atomic \
       --namespace gatekeeper-system \
+      --set logger.level=debug \
       --set-file notationCerts[0]=./test/testdata/notation.crt \
       --set-file provider.tls.crt=./tls/certs/tls.crt \
       --set-file provider.tls.key=./tls/certs/tls.key \
-      --set-file provider.tls.cabundle=./tls/certs/ca.crt
+      --set-file provider.tls.cabundle="$(cat ./tls/certs/ca.crt | base64 | tr -d '\n\r')" \
+      --set-file provider.tls.caCert=./tls/certs/ca.crt \
+      --set-file provider.tls.caKey=./tls/certs/ca.key
     ```
+Update the `KubernetesLocalProcessConfig.yaml` with updated directory/file paths:
+- In the file, set the `<INSERT WORKLOAD IDENTITY TOKEN LOCAL PATH>` to an absolute directory accessible on local environment. This is the directory where Bridge to K8s will download the Azure Workload Identity JWT token. 
+- In the file, set the `<INSERT CLIENT CA CERT LOCAL PATH>` to an absolute directory accessible on local environment. This is the directory where Bridge to K8s will download the `client-ca-cert` volume (Gatekeeper's `ca.crt`). 
 
 Configure Bridge to Kubernetes (Comprehensive guide [here](https://learn.microsoft.com/en-us/visualstudio/bridge/bridge-to-kubernetes-vs-code))
 1. Open the `Command Palette` in VSCode `CTRL-SHIFT-P`
-1. Select `Bridge to Kubernetes: Configure`
-1. Select `Ratify` from the list as the service to redirect to
-1. Set port to be 6001
-1. Select `Serve w/ CRD manager and TLS enabled` as the launch config
-1. Select 'No' for request isolation
+2. Select `Bridge to Kubernetes: Configure`
+3. Select `Ratify` from the list as the service to redirect to
+4. Set port to be 6001
+5. Select `Serve w/ CRD manager and TLS enabled` as the launch config
+6. Select 'No' for request isolation
 
 This should automatically append a new Bridge to Kubernetes configuration to the launch.json file and add a new tasks.json file. 
 

KubernetesLocalProcessConfig.yaml

@@ -0,0 +1,15 @@
+version: 0.1
+env:
+  - name: azure-identity-token # REMOVE if not using Azure Workload Identity
+    value:  $(volumeMounts:azure-identity-token) # REMOVE if not using Azure Workload Identity
+  - name: client-ca-cert
+    value: $(volumeMounts:client-ca-cert)
+  - name: AZURE_FEDERATED_TOKEN_FILE # REMOVE if not using Azure Workload Identity
+    value: <INSERT WORKLOAD IDENTITY TOKEN LOCAL PATH>/azure-identity-token # REMOVE if not using Azure Workload Identity
+  - name: RATIFY_NAMESPACE
+    value: gatekeeper-system
+volumeMounts:
+  - name: client-ca-cert
+    localPath: <INSERT CLIENT CA CERT LOCAL PATH>
+  - name: azure-identity-token # REMOVE if not using Azure Workload Identity
+    localPath: <INSERT WORKLOAD IDENTITY TOKEN LOCAL PATH> # REMOVE if not using Azure Workload Identity