Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Switch Signify service to use mTLS #11777

Merged
merged 55 commits into from
Sep 30, 2024
Merged

Switch Signify service to use mTLS #11777

merged 55 commits into from
Sep 30, 2024

Conversation

akiioto
Copy link
Contributor

@akiioto akiioto commented Sep 4, 2024
edited
Loading

Description

Changes proposed in this pull request:

  • Rework of existing logic to sign images (only one signer)
  • Change auth to mTLS
  • Updated documentation
  • Change in kaniko build config which utilise new signer server

Related issue(s)

@kyma-bot kyma-bot added cla: yes Indicates the PR's author has signed the CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Sep 4, 2024
@akiioto akiioto changed the title x Switch Signify service to use mTLS Sep 6, 2024
dekiel
dekiel requested changes Sep 10, 2024
View reviewed changes
pkg/sign/notary.go Outdated Show resolved Hide resolved
pkg/sign/notary.go Outdated Show resolved Hide resolved
pkg/sign/notary.go Outdated Show resolved Hide resolved
pkg/sign/notary.go Outdated Show resolved Hide resolved
pkg/sign/notary.go Outdated Show resolved Hide resolved
pkg/sign/notary.go Outdated Show resolved Hide resolved
pkg/sign/notary.go Show resolved Hide resolved
pkg/sign/notary.go Outdated Show resolved Hide resolved
pkg/sign/notary.go Outdated Show resolved Hide resolved
Sawthis
Sawthis requested changes Sep 10, 2024
View reviewed changes
pkg/sign/notary.go Outdated Show resolved Hide resolved
@Sawthis Sawthis self-requested a review September 10, 2024 09:40
@akiioto akiioto requested a review from dekiel September 23, 2024 08:56
dekiel
dekiel requested changes Sep 24, 2024
View reviewed changes
Copy link
Contributor

@dekiel dekiel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pleas provide a description in a PR which describes what and how you try to achieve. It will provide some context to the changes you made.

Please answer comments from previous review. Some where not addressed.

pkg/sign/notary.go Show resolved Hide resolved
pkg/sign/notary_structs.go Outdated Show resolved Hide resolved
pkg/sign/notary_structs.go Outdated Show resolved Hide resolved
pkg/sign/notary_structs.go Outdated Show resolved Hide resolved
pkg/sign/notary.go Outdated Show resolved Hide resolved
pkg/sign/notary.go
}

// Build target
target := Target{
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would expect a target provides a uniq and full location and identifier. This implementation provides a tag and manifest metadata. This is rather a version not a target.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we? This is payload required by the tool

https://pages.github.tools.sap/Repository-Services/Signify/how_to/manage_signatures/

pkg/sign/notary.go Outdated Show resolved Hide resolved
pkg/sign/notary.go Outdated Show resolved Hide resolved
pkg/sign/notary.go Show resolved Hide resolved
pkg/sign/notary.go Show resolved Hide resolved
@akiioto akiioto requested a review from dekiel September 25, 2024 07:17
@akiioto
Copy link
Contributor Author

akiioto commented Sep 27, 2024

The fields in NotarySigner are now private. The only change in the tests was renaming the package from sign_test to sign.

@kyma-bot kyma-bot added the lgtm Looks good to me! label Sep 28, 2024
@dekiel
Copy link
Contributor

dekiel commented Sep 28, 2024

Please remember to add PRs to our project. It's easily visible for the team then.

@kyma-bot kyma-bot merged commit ef2e8ac into kyma-project:main Sep 30, 2024
22 checks passed
@kyma-bot
Copy link
Contributor

✅ Apply Result

CI link

Apply complete! Resources: 0 added, 2 changed, 0 destroyed.
Details (Click me) 
Acquiring state lock. This may take a few moments...
data.kubectl_file_documents.automated_approver_rules: Reading...
data.kubectl_file_documents.automated_approver: Reading...
data.kubectl_file_documents.automated_approver_rules: Read complete after 0s [id=48d07f870c26a37d3a48229fcc9cd29ae14bea83cf200e4e8326e5d755a1e790]
data.kubectl_file_documents.automated_approver: Read complete after 0s [id=ac6ccf712c74ac0ac359e47dcd19a531f9985640cf13bd588c59453dd5a9c2ec]
data.github_organization.kyma-project: Reading...
github_actions_variable.github_terraform_executor_secret_name: Refreshing state... [id=test-infra:GH_TERRAFORM_EXECUTOR_SECRET_NAME]
github_actions_variable.github_terraform_planner_secret_name: Refreshing state... [id=test-infra:GH_TERRAFORM_PLANNER_SECRET_NAME]
github_actions_organization_variable.image_builder_ado_pat_gcp_secret_name: Refreshing state... [id=IMAGE_BUILDER_ADO_PAT_GCP_SECRET_NAME]
data.github_repository.gitleaks_repository["test-infra"]: Reading...
data.github_repository.test_infra: Reading...
github_actions_organization_variable.gcp_kyma_project_project_id: Refreshing state... [id=GCP_KYMA_PROJECT_PROJECT_ID]
module.signify_secret_rotator.google_service_account.signify_secret_rotator: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/signify-rotator@sap-kyma-prow.iam.gserviceaccount.com]
google_artifact_registry_repository.dockerhub_mirror: Refreshing state... [id=projects/sap-kyma-prow/locations/europe/repositories/dockerhub-mirror]
google_dns_managed_zone.build_kyma: Refreshing state... [id=projects/sap-kyma-prow/managedZones/build-kyma]
data.google_pubsub_topic.secret-manager-notifications-topic: Reading...
module.cors_proxy.data.google_iam_policy.noauth: Reading...
module.cors_proxy.data.google_iam_policy.noauth: Read complete after 0s [id=3450855414]
module.slack_message_sender.data.google_secret_manager_secret.common_slack_bot_token: Reading...
google_service_account.gitleaks-secret-accesor: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/gitleaks-secret-accesor@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.sa-prow-deploy: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-prow-deploy@sap-kyma-prow.iam.gserviceaccount.com]
module.signify_secret_rotator.data.google_project.project: Reading...
module.slack_message_sender.data.google_secret_manager_secret.common_slack_bot_token: Read complete after 1s [id=projects/sap-kyma-prow/secrets/common-slack-bot-token]
google_service_account.control-plane: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/control-plane@sap-kyma-prow.iam.gserviceaccount.com]
module.cors_proxy.google_cloud_run_service.cors_proxy: Refreshing state... [id=locations/europe-west3/namespaces/sap-kyma-prow/services/cors-proxy]
data.google_pubsub_topic.secret-manager-notifications-topic: Read complete after 1s [id=projects/sap-kyma-prow/topics/secret-manager-notifications]
module.github_webhook_gateway.data.google_secret_manager_secret.webhook_token: Reading...
module.github_webhook_gateway.google_pubsub_topic.issue_labeled: Refreshing state... [id=projects/sap-kyma-prow/topics/issue-labeled]
data.google_container_cluster.trusted_workload_k8s_cluster: Reading...
module.github_webhook_gateway.data.google_secret_manager_secret.webhook_token: Read complete after 0s [id=projects/sap-kyma-prow/secrets/sap-tools-github-backlog-webhook-secret]
module.security_dashboard_token.data.google_iam_policy.noauth: Reading...
module.security_dashboard_token.data.google_iam_policy.noauth: Read complete after 0s [id=3450855414]
google_service_account.kyma-oci-image-builder: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/kyma-oci-image-builder@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.image_syncer_writer: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/image-syncer-writer@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.counduit-cli-bucket: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/counduit-cli-bucket@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.terraform_executor: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/terraform-executor@sap-kyma-prow.iam.gserviceaccount.com]
module.slack_message_sender.google_service_account.slack_message_sender: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/slack-message-sender@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.gcr-cleaner: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/gcr-cleaner@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.sa-vm-kyma-integration: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-vm-kyma-integration@sap-kyma-prow.iam.gserviceaccount.com]
module.security_dashboard_token.data.google_project.project: Reading...
google_service_account.sa-kyma-dns-serviceuser: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-kyma-dns-serviceuser@sap-kyma-prow.iam.gserviceaccount.com]
module.signify_secret_rotator.data.google_project.project: Read complete after 0s [id=projects/sap-kyma-prow]
google_service_account.secret-manager-trusted: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/secret-manager-trusted@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.kyma-security-scanners: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/kyma-security-scanners@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.image_syncer_reader: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/image-syncer-reader@sap-kyma-prow.iam.gserviceaccount.com]
module.service_account_keys_rotator.google_service_account.service_account_keys_rotator: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-keys-rotator@sap-kyma-prow.iam.gserviceaccount.com]
module.slack_message_sender.google_monitoring_alert_policy.slack_message_sender: Refreshing state... [id=projects/sap-kyma-prow/alertPolicies/17360148176148949136]
module.security_dashboard_token.google_cloud_run_service.security_dashboard_token: Refreshing state... [id=locations/europe-west1/namespaces/sap-kyma-prow/services/security-dashboard-token]
google_service_account.terraform_planner: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/terraform-planner@sap-kyma-prow.iam.gserviceaccount.com]
data.github_repository.gitleaks_repository["test-infra"]: Read complete after 3s [id=test-infra]
google_service_account.sa-kyma-artifacts: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-kyma-artifacts@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.terraform-planner: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/terraform-planner@sap-kyma-prow.iam.gserviceaccount.com]
module.cors_proxy.data.google_project.project: Reading...
data.google_client_config.gcp: Reading...
module.service_account_keys_cleaner.data.google_project.project: Reading...
google_service_account.terraform-executor: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/terraform-executor@sap-kyma-prow.iam.gserviceaccount.com]
module.security_dashboard_token.data.google_project.project: Read complete after 1s [id=projects/sap-kyma-prow]
google_service_account.sa-secret-update: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-secret-update@sap-kyma-prow.iam.gserviceaccount.com]
data.github_repository.test_infra: Read complete after 3s [id=test-infra]
google_service_account.sa-prow-pubsub: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-prow-pubsub@sap-kyma-prow.iam.gserviceaccount.com]
data.google_container_cluster.untrusted_workload_k8s_cluster: Reading...
google_service_account.secret-manager-prow: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/secret-manager-prow@sap-kyma-prow.iam.gserviceaccount.com]
module.service_account_keys_cleaner.google_service_account.service_account_keys_cleaner: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-keys-cleaner@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.secret-manager-untrusted: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/secret-manager-untrusted@sap-kyma-prow.iam.gserviceaccount.com]
module.cors_proxy.data.google_project.project: Read complete after 0s [id=projects/sap-kyma-prow]
google_service_account.kyma-compliance-pipeline: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/kyma-compliance-pipeline@sap-kyma-prow.iam.gserviceaccount.com]
data.google_client_config.gcp: Read complete after 0s [id=projects/"sap-kyma-prow"/regions/"europe-west4"/zones/<null>]
google_service_account.sa_gke_kyma_integration: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-gke-kyma-integration@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.sa-prow-job-resource-cleaners: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-prow-job-resource-cleaners@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.gencred-refresher: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/gencred-refresher@sap-kyma-prow.iam.gserviceaccount.com]
google_pubsub_topic.secrets_rotator_dead_letter: Refreshing state... [id=projects/sap-kyma-prow/topics/secrets-rotator-dead-letter]
google_service_account.sa-kyma-project: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-kyma-project@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.sa-security-dashboard-oauth: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-security-dashboard-oauth@sap-kyma-prow.iam.gserviceaccount.com]
data.google_container_cluster.prow_k8s_cluster: Reading...
google_service_account.sa-dev-kyma-project: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-dev-kyma-project@sap-kyma-prow.iam.gserviceaccount.com]
module.service_account_keys_cleaner.data.google_project.project: Read complete after 0s [id=projects/sap-kyma-prow]
google_service_account.neighbors-conduit-cli-builder: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/neighbors-conduit-cli-builder@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.sa-gcr-kyma-project-trusted: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-gcr-kyma-project-trusted@sap-kyma-prow.iam.gserviceaccount.com]
module.github_webhook_gateway.data.google_project.project: Reading...
google_service_account.sa-gcs-plank: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-gcs-plank@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.firebase-adminsdk-udzxq: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/firebase-adminsdk-udzxq@sap-kyma-prow.iam.gserviceaccount.com]
module.github_webhook_gateway.google_service_account.github_webhook_gateway: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/github-webhook-gateway@sap-kyma-prow.iam.gserviceaccount.com]
module.github_webhook_gateway.data.google_secret_manager_secret.gh_tools_kyma_bot_token: Reading...
google_service_account.sa-gke-kyma-integration: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-gke-kyma-integration@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.gitleaks_secret_accesor: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/gitleaks-secret-accesor@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.secrets-rotator: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/secrets-rotator@sap-kyma-prow.iam.gserviceaccount.com]
module.github_webhook_gateway.data.google_secret_manager_secret.gh_tools_kyma_bot_token: Read complete after 0s [id=projects/sap-kyma-prow/secrets/trusted_default_kyma-bot-github-sap-token]
google_service_account.kyma-submission-pipeline: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/kyma-submission-pipeline@sap-kyma-prow.iam.gserviceaccount.com]
module.github_webhook_gateway.data.google_iam_policy.noauth: Reading...
module.github_webhook_gateway.data.google_iam_policy.noauth: Read complete after 0s [id=3450855414]
google_service_account.sa-prowjob-gcp-logging-client: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-prowjob-gcp-logging-client@sap-kyma-prow.iam.gserviceaccount.com]
module.service_account_keys_rotator.data.google_project.project: Reading...
module.service_account_keys_rotator.google_project_service_identity.pubsub_identity_agent: Refreshing state... [id=projects/sap-kyma-prow/services/pubsub.googleapis.com]
google_container_cluster.trusted_workload: Refreshing state... [id=projects/sap-kyma-prow/locations/europe-west4/clusters/trusted-workload-kyma-prow]
module.artifact_registry["modules-internal"].data.google_client_config.this: Reading...
google_artifact_registry_repository.prod_docker_repository: Refreshing state... [id=projects/kyma-project/locations/europe/repositories/prod]
module.github_webhook_gateway.data.google_project.project: Read complete after 0s [id=projects/sap-kyma-prow]
module.signify_secret_rotator.google_cloud_run_service.signify_secret_rotator: Refreshing state... [id=locations/europe-west4/namespaces/sap-kyma-prow/services/signify-secret-rotator]
github_actions_organization_variable.image_syncer_writer_service_account_email: Refreshing state... [id=IMAGE_SYNCER_WRITER_SERVICE_ACCOUNT_EMAIL]
module.artifact_registry["modules-internal"].data.google_client_config.this: Read complete after 1s [id=projects/"kyma-project"/regions/"europe-west4"/zones/<null>]
google_project_iam_member.terraform_executor_prow_project_owner: Refreshing state... [id=sap-kyma-prow/roles/owner/serviceAccount:terraform-executor@sap-kyma-prow.iam.gserviceaccount.com]
module.service_account_keys_rotator.data.google_project.project: Read complete after 1s [id=projects/sap-kyma-prow]
google_project_iam_member.terraform_executor_workloads_project_owner: Refreshing state... [id=sap-kyma-prow-workloads/roles/owner/serviceAccount:terraform-executor@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account_iam_binding.terraform_workload_identity: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/terraform-executor@sap-kyma-prow.iam.gserviceaccount.com/roles/iam.workloadIdentityUser]
github_actions_variable.gcp_terraform_executor_service_account_email: Refreshing state... [id=test-infra:GCP_TERRAFORM_EXECUTOR_SERVICE_ACCOUNT_EMAIL]
module.slack_message_sender.google_project_iam_member.project_run_invoker: Refreshing state... [id=sap-kyma-prow/roles/run.invoker/serviceAccount:slack-message-sender@sap-kyma-prow.iam.gserviceaccount.com]
module.slack_message_sender.google_secret_manager_secret_iam_member.slack_msg_sender_common_slack_bot_token_accessor: Refreshing state... [id=projects/sap-kyma-prow/secrets/common-slack-bot-token/roles/secretmanager.secretAccessor/serviceAccount:slack-message-sender@sap-kyma-prow.iam.gserviceaccount.com]
module.slack_message_sender.data.google_iam_policy.run_invoker: Reading...
module.slack_message_sender.data.google_iam_policy.run_invoker: Read complete after 0s [id=1526577908]
module.signify_secret_rotator.google_project_iam_member.service_account_keys_rotator_secret_version_viewer: Refreshing state... [id=sap-kyma-prow/roles/secretmanager.viewer/serviceAccount:signify-rotator@sap-kyma-prow.iam.gserviceaccount.com]
module.signify_secret_rotator.google_project_iam_member.signify_secret_rotator_secret_version_adder: Refreshing state... [id=sap-kyma-prow/roles/secretmanager.secretVersionAdder/serviceAccount:signify-rotator@sap-kyma-prow.iam.gserviceaccount.com]
module.signify_secret_rotator.google_project_iam_member.signify_secret_rotator_secret_version_accessor: Refreshing state... [id=sap-kyma-prow/roles/secretmanager.secretAccessor/serviceAccount:signify-rotator@sap-kyma-prow.iam.gserviceaccount.com]
github_actions_organization_variable.image_syncer_reader_service_account_email: Refreshing state... [id=IMAGE_SYNCER_READER_SERVICE_ACCOUNT_EMAIL]
module.service_account_keys_rotator.google_cloud_run_service.service_account_keys_rotator: Refreshing state... [id=locations/europe-west4/namespaces/sap-kyma-prow/services/service-account-keys-rotator]
data.google_container_cluster.prow_k8s_cluster: Read complete after 2s [id=projects/sap-kyma-prow/locations/europe-west3-a/clusters/prow]
google_service_account_iam_binding.terraform_planner_workload_identity: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/terraform-planner@sap-kyma-prow.iam.gserviceaccount.com/roles/iam.workloadIdentityUser]
google_storage_bucket_iam_binding.planner_state_bucket_write_access: Refreshing state... [id=b/tf-state-kyma-project/roles/storage.objectUser]
google_project_iam_member.terraform_planner_prow_project_read_access["roles/viewer"]: Refreshing state... [id=sap-kyma-prow/roles/viewer/serviceAccount:terraform-planner@sap-kyma-prow.iam.gserviceaccount.com]
google_project_iam_member.terraform_planner_prow_project_read_access["roles/container.developer"]: Refreshing state... [id=sap-kyma-prow/roles/container.developer/serviceAccount:terraform-planner@sap-kyma-prow.iam.gserviceaccount.com]
google_project_iam_member.terraform_planner_prow_project_read_access["roles/iam.securityReviewer"]: Refreshing state... [id=sap-kyma-prow/roles/iam.securityReviewer/serviceAccount:terraform-planner@sap-kyma-prow.iam.gserviceaccount.com]
google_project_iam_member.terraform_planner_prow_project_read_access["roles/storage.objectViewer"]: Refreshing state... [id=sap-kyma-prow/roles/storage.objectViewer/serviceAccount:terraform-planner@sap-kyma-prow.iam.gserviceaccount.com]
google_project_iam_member.terraform_planner_workloads_project_read_access["roles/viewer"]: Refreshing state... [id=sap-kyma-prow-workloads/roles/viewer/serviceAccount:terraform-planner@sap-kyma-prow.iam.gserviceaccount.com]
github_actions_variable.gcp_terraform_planner_service_account_email: Refreshing state... [id=test-infra:GCP_TERRAFORM_PLANNER_SERVICE_ACCOUNT_EMAIL]
google_artifact_registry_repository_iam_member.dockerhub_mirror_access: Refreshing state... [id=projects/kyma-project/locations/europe/repositories/dockerhub-mirror/roles/artifactregistry.reader/serviceAccount:azure-pipeline-image-builder@kyma-project.iam.gserviceaccount.com]
github_actions_variable.kyma_autobump_bot_github_token_secret_name: Refreshing state... [id=test-infra:KYMA_AUTOBUMP_BOT_GITHUB_SECRET_NAME]
module.cors_proxy.google_cloud_run_service_iam_policy.noauth: Refreshing state... [id=v1/projects/sap-kyma-prow/locations/europe-west3/services/cors-proxy]
data.google_container_cluster.trusted_workload_k8s_cluster: Read complete after 4s [id=projects/sap-kyma-prow/locations/europe-west4/clusters/trusted-workload-kyma-prow]
module.service_account_keys_cleaner.google_cloud_run_service.service_account_keys_cleaner: Refreshing state... [id=locations/europe-west4/namespaces/sap-kyma-prow/services/service-account-keys-cleaner]
data.github_organization.kyma-project: Read complete after 6s [id=39153523]
google_project_iam_binding.dns_collector_bucket_get: Refreshing state... [id=sap-kyma-prow/projects/sap-kyma-prow/roles/BucketGet]
google_project_iam_binding.dns_collector_dns_reader: Refreshing state... [id=sap-kyma-prow/roles/dns.reader]
data.google_container_cluster.untrusted_workload_k8s_cluster: Read complete after 3s [id=projects/sap-kyma-prow/locations/europe-west3/clusters/untrusted-workload-kyma-prow]
google_project_iam_binding.dns_collector_container_analysis_occurrences_viewer: Refreshing state... [id=sap-kyma-prow/roles/containeranalysis.occurrences.viewer]
module.service_account_keys_cleaner.google_project_iam_member.service_account_keys_cleaner_sa_keys_admin: Refreshing state... [id=sap-kyma-prow/roles/iam.serviceAccountKeyAdmin/serviceAccount:sa-keys-cleaner@sap-kyma-prow.iam.gserviceaccount.com]
module.service_account_keys_cleaner.google_project_iam_member.service_account_keys_cleaner_secret_viewer: Refreshing state... [id=sap-kyma-prow/roles/secretmanager.viewer/serviceAccount:sa-keys-cleaner@sa

# ...
# ... The maximum length of GitHub Comment is 65536, so the content is omitted by tfcmt.
# ...

dead_letter_topic = {
  "effective_labels" = tomap({
    "application" = "secrets-rotator"
  })
  "id" = "projects/sap-kyma-prow/topics/secrets-rotator-dead-letter"
  "ingestion_data_source_settings" = tolist([])
  "kms_key_name" = ""
  "labels" = tomap({
    "application" = "secrets-rotator"
  })
  "message_retention_duration" = "86600s"
  "message_storage_policy" = tolist([
    {
      "allowed_persistence_regions" = tolist([
        "africa-south1",
        "asia-east1",
        "asia-east2",
        "asia-northeast1",
        "asia-northeast2",
        "asia-northeast3",
        "asia-south1",
        "asia-south2",
        "asia-southeast1",
        "asia-southeast2",
        "australia-southeast1",
        "australia-southeast2",
        "europe-central2",
        "europe-north1",
        "europe-southwest1",
        "europe-west1",
        "europe-west10",
        "europe-west12",
        "europe-west2",
        "europe-west3",
        "europe-west4",
        "europe-west6",
        "europe-west8",
        "europe-west9",
        "me-central1",
        "me-central2",
        "me-west1",
        "northamerica-northeast1",
        "northamerica-northeast2",
        "southamerica-east1",
        "southamerica-west1",
        "us-central1",
        "us-central2",
        "us-east1",
        "us-east4",
        "us-east5",
        "us-east7",
        "us-south1",
        "us-west1",
        "us-west2",
        "us-west3",
        "us-west4",
        "us-west8",
      ])
    },
  ])
  "name" = "secrets-rotator-dead-letter"
  "project" = "sap-kyma-prow"
  "schema_settings" = tolist([])
  "terraform_labels" = tomap({
    "application" = "secrets-rotator"
  })
  "timeouts" = null /* object */
}
service_account_keys_cleaner = {
  "service_account_keys_cleaner_cloud_run_service" = {
    "autogenerate_revision_name" = false
    "id" = "locations/europe-west4/namespaces/sap-kyma-prow/services/service-account-keys-cleaner"
    "location" = "europe-west4"
    "metadata" = tolist([
      {
        "annotations" = tomap({})
        "effective_annotations" = tomap({
          "run.googleapis.com/ingress" = "all"
          "run.googleapis.com/ingress-status" = "all"
          "run.googleapis.com/operation-id" = "10ad69eb-5bba-484d-a25e-099c64ddc127"
          "run.googleapis.com/urls" = "[\"https://service-account-keys-cleaner-351981214969.europe-west4.run.app\",\"https://service-account-keys-cleaner-q25ja7ch3q-ez.a.run.app\"]"
          "serving.knative.dev/creator" = "[email protected]"
          "serving.knative.dev/lastModifier" = "[email protected]"
        })
        "effective_labels" = tomap({
          "cloud.googleapis.com/location" = "europe-west4"
        })
        "generation" = 86
        "labels" = tomap({})
        "namespace" = "sap-kyma-prow"
        "resource_version" = "AAYjFjx+qgo"
        "self_link" = "/apis/serving.knative.dev/v1/namespaces/351981214969/services/service-account-keys-cleaner"
        "terraform_labels" = tomap({})
        "uid" = "b294b2a5-1c7d-4ab2-a8e3-ad27bbb0b00c"
      },
    ])
    "name" = "service-account-keys-cleaner"
    "project" = "sap-kyma-prow"
    "status" = tolist([
      {
        "conditions" = tolist([
          {
            "message" = ""
            "reason" = ""
            "status" = "True"
            "type" = "Ready"
          },
          {
            "message" = ""
            "reason" = ""
            "status" = "True"
            "type" = "ConfigurationsReady"
          },
          {
            "message" = ""
            "reason" = ""
            "status" = "True"
            "type" = "RoutesReady"
          },
        ])
        "latest_created_revision_name" = "service-account-keys-cleaner-00086-b7q"
        "latest_ready_revision_name" = "service-account-keys-cleaner-00086-b7q"
        "observed_generation" = 86
        "traffic" = tolist([
          {
            "latest_revision" = true
            "percent" = 100
            "revision_name" = "service-account-keys-cleaner-00086-b7q"
            "tag" = ""
            "url" = ""
          },
        ])
        "url" = "https://service-account-keys-cleaner-q25ja7ch3q-ez.a.run.app"
      },
    ])
    "template" = tolist([
      {
        "metadata" = tolist([
          {
            "annotations" = tomap({
              "autoscaling.knative.dev/maxScale" = "100"
            })
            "generation" = 0
            "labels" = tomap({
              "run.googleapis.com/startupProbeType" = "Default"
            })
            "name" = ""
            "namespace" = ""
            "resource_version" = ""
            "self_link" = ""
            "uid" = ""
          },
        ])
        "spec" = tolist([
          {
            "container_concurrency" = 80
            "containers" = tolist([
              {
                "args" = tolist([])
                "command" = tolist([])
                "env" = toset([
                  {
                    "name" = "APPLICATION_NAME"
                    "value" = "secrets-rotator"
                    "value_from" = tolist([])
                  },
                  {
                    "name" = "COMPONENT_NAME"
                    "value" = "service-account-keys-cleaner"
                    "value_from" = tolist([])
                  },
                  {
                    "name" = "LISTEN_PORT"
                    "value" = "8080"
                    "value_from" = tolist([])
                  },
                ])
                "env_from" = tolist([])
                "image" = "europe-docker.pkg.dev/kyma-project/prod/test-infra/service-account-keys-cleaner:v20240927-29c71d4a"
                "liveness_probe" = tolist([])
                "name" = ""
                "ports" = tolist([
                  {
                    "container_port" = 8080
                    "name" = "http1"
                    "protocol" = ""
                  },
                ])
                "resources" = tolist([
                  {
                    "limits" = tomap({
                      "cpu" = "1000m"
                      "memory" = "512Mi"
                    })
                    "requests" = tomap({})
                  },
                ])
                "startup_probe" = tolist([
                  {
                    "failure_threshold" = 1
                    "grpc" = tolist([])
                    "http_get" = tolist([])
                    "initial_delay_seconds" = 0
                    "period_seconds" = 240
                    "tcp_socket" = tolist([
                      {
                        "port" = 8080
                      },
                    ])
                    "timeout_seconds" = 240
                  },
                ])
                "volume_mounts" = tolist([])
                "working_dir" = ""
              },
            ])
            "service_account_name" = "[email protected]"
            "serving_state" = ""
            "timeout_seconds" = 300
            "volumes" = tolist([])
          },
        ])
      },
    ])
    "timeouts" = null /* object */
    "traffic" = tolist([
      {
        "latest_revision" = true
        "percent" = 100
        "revision_name" = ""
        "tag" = ""
        "url" = ""
      },
    ])
  }
  "service_account_keys_cleaner_secheduler" = {
    "app_engine_http_target" = tolist([])
    "attempt_deadline" = "320s"
    "description" = "Call service account keys cleaner service, to remove old versions of secrets"
    "http_target" = tolist([
      {
        "body" = ""
        "headers" = tomap({})
        "http_method" = "GET"
        "oauth_token" = tolist([])
        "oidc_token" = tolist([
          {
            "audience" = "https://service-account-keys-cleaner-q25ja7ch3q-ez.a.run.app"
            "service_account_email" = "[email protected]"
          },
        ])
        "uri" = "https://service-account-keys-cleaner-q25ja7ch3q-ez.a.run.app?project=sap-kyma-prow&age=24"
      },
    ])
    "id" = "projects/sap-kyma-prow/locations/europe-west3/jobs/service-account-keys-cleaner"
    "name" = "service-account-keys-cleaner"
    "paused" = false
    "project" = "sap-kyma-prow"
    "pubsub_target" = tolist([])
    "region" = "europe-west3"
    "retry_config" = tolist([])
    "schedule" = "0 0 * * 1-5"
    "state" = "ENABLED"
    "time_zone" = "Etc/UTC"
    "timeouts" = null /* object */
  }
  "service_account_keys_cleaner_service_account" = {
    "account_id" = "sa-keys-cleaner"
    "create_ignore_already_exists" = tobool(null)
    "description" = "Identity of the service account keys rotator service."
    "disabled" = false
    "display_name" = ""
    "email" = "[email protected]"
    "id" = "projects/sap-kyma-prow/serviceAccounts/[email protected]"
    "member" = "serviceAccount:[email protected]"
    "name" = "projects/sap-kyma-prow/serviceAccounts/[email protected]"
    "project" = "sap-kyma-prow"
    "timeouts" = null /* object */
    "unique_id" = "101317727774651823048"
  }
}
service_account_keys_rotator = {
  "service_account_keys_rotator_cloud_run_service" = {
    "autogenerate_revision_name" = false
    "id" = "locations/europe-west4/namespaces/sap-kyma-prow/services/service-account-keys-rotator"
    "location" = "europe-west4"
    "metadata" = tolist([
      {
        "annotations" = tomap({})
        "effective_annotations" = tomap({
          "run.googleapis.com/ingress" = "all"
          "run.googleapis.com/ingress-status" = "all"
          "run.googleapis.com/operation-id" = "4983b7d3-4e9e-4b20-ba0b-e7e852c9dd69"
          "run.googleapis.com/urls" = "[\"https://service-account-keys-rotator-351981214969.europe-west4.run.app\",\"https://service-account-keys-rotator-q25ja7ch3q-ez.a.run.app\"]"
          "serving.knative.dev/creator" = "[email protected]"
          "serving.knative.dev/lastModifier" = "[email protected]"
        })
        "effective_labels" = tomap({
          "cloud.googleapis.com/location" = "europe-west4"
        })
        "generation" = 84
        "labels" = tomap({})
        "namespace" = "sap-kyma-prow"
        "resource_version" = "AAYjFjxh5qY"
        "self_link" = "/apis/serving.knative.dev/v1/namespaces/351981214969/services/service-account-keys-rotator"
        "terraform_labels" = tomap({})
        "uid" = "c91dbea8-bbbb-4f82-99f5-1f40befe699c"
      },
    ])
    "name" = "service-account-keys-rotator"
    "project" = "sap-kyma-prow"
    "status" = tolist([
      {
        "conditions" = tolist([
          {
            "message" = ""
            "reason" = ""
            "status" = "True"
            "type" = "Ready"
          },
          {
            "message" = ""
            "reason" = ""
            "status" = "True"
            "type" = "ConfigurationsReady"
          },
          {
            "message" = ""
            "reason" = ""
            "status" = "True"
            "type" = "RoutesReady"
          },
        ])
        "latest_created_revision_name" = "service-account-keys-rotator-00084-7gr"
        "latest_ready_revision_name" = "service-account-keys-rotator-00084-7gr"
        "observed_generation" = 84
        "traffic" = tolist([
          {
            "latest_revision" = true
            "percent" = 100
            "revision_name" = "service-account-keys-rotator-00084-7gr"
            "tag" = ""
            "url" = ""
          },
        ])
        "url" = "https://service-account-keys-rotator-q25ja7ch3q-ez.a.run.app"
      },
    ])
    "template" = tolist([
      {
        "metadata" = tolist([
          {
            "annotations" = tomap({
              "autoscaling.knative.dev/maxScale" = "100"
            })
            "generation" = 0
            "labels" = tomap({
              "run.googleapis.com/startupProbeType" = "Default"
            })
            "name" = ""
            "namespace" = ""
            "resource_version" = ""
            "self_link" = ""
            "uid" = ""
          },
        ])
        "spec" = tolist([
          {
            "container_concurrency" = 80
            "containers" = tolist([
              {
                "args" = tolist([])
                "command" = tolist([])
                "env" = toset([
                  {
                    "name" = "APPLICATION_NAME"
                    "value" = "secrets-rotator"
                    "value_from" = tolist([])
                  },
                  {
                    "name" = "COMPONENT_NAME"
                    "value" = "service-account-keys-rotator"
                    "value_from" = tolist([])
                  },
                  {
                    "name" = "LISTEN_PORT"
                    "value" = "8080"
                    "value_from" = tolist([])
                  },
                ])
                "env_from" = tolist([])
                "image" = "europe-docker.pkg.dev/kyma-project/prod/test-infra/rotate-service-account:v20240927-29c71d4a"
                "liveness_probe" = tolist([])
                "name" = ""
                "ports" = tolist([
                  {
                    "container_port" = 8080
                    "name" = "http1"
                    "protocol" = ""
                  },
                ])
                "resources" = tolist([
                  {
                    "limits" = tomap({
                      "cpu" = "1000m"
                      "memory" = "512Mi"
                    })
                    "requests" = tomap({})
                  },
                ])
                "startup_probe" = tolist([
                  {
                    "failure_threshold" = 1
                    "grpc" = tolist([])
                    "http_get" = tolist([])
                    "initial_delay_seconds" = 0
                    "period_seconds" = 240
                    "tcp_socket" = tolist([
                      {
                        "port" = 8080
                      },
                    ])
                    "timeout_seconds" = 240
                  },
                ])
                "volume_mounts" = tolist([])
                "working_dir" = ""
              },
            ])
            "service_account_name" = "[email protected]"
            "serving_state" = ""
            "timeout_seconds" = 300
            "volumes" = tolist([])
          },
        ])
      },
    ])
    "timeouts" = null /* object */
    "traffic" = tolist([
      {
        "latest_revision" = true
        "percent" = 100
        "revision_name" = ""
        "tag" = ""
        "url" = ""
      },
    ])
  }
  "service_account_keys_rotator_service_account" = {
    "account_id" = "sa-keys-rotator"
    "create_ignore_already_exists" = tobool(null)
    "description" = "Identity of the service account keys rotator service."
    "disabled" = false
    "display_name" = ""
    "email" = "[email protected]"
    "id" = "projects/sap-kyma-prow/serviceAccounts/[email protected]"
    "member" = "serviceAccount:[email protected]"
    "name" = "projects/sap-kyma-prow/serviceAccounts/[email protected]"
    "project" = "sap-kyma-prow"
    "timeouts" = null /* object */
    "unique_id" = "116267434130697196528"
  }
  "service_account_keys_rotator_service_account_iam" = {
    "condition" = tolist([])
    "etag" = "BwYi7lyKx4k="
    "id" = "sap-kyma-prow/roles/iam.serviceAccountKeyAdmin/serviceAccount:[email protected]"
    "member" = "serviceAccount:[email protected]"
    "project" = "sap-kyma-prow"
    "role" = "roles/iam.serviceAccountKeyAdmin"
  }
  "service_account_keys_rotator_subscription" = {
    "ack_deadline_seconds" = 20
    "bigquery_config" = tolist([])
    "cloud_storage_config" = tolist([])
    "dead_letter_policy" = tolist([
      {
        "dead_letter_topic" = "projects/sap-kyma-prow/topics/secrets-rotator-dead-letter"
        "max_delivery_attempts" = 15
      },
    ])
    "effective_labels" = tomap({
      "application_name" = "secrets-rotator"
    })
    "enable_exactly_once_delivery" = false
    "enable_message_ordering" = false
    "expiration_policy" = tolist([
      {
        "ttl" = "31556952s"
      },
    ])
    "filter" = "attributes.eventType = \"SECRET_ROTATE\""
    "id" = "projects/sap-kyma-prow/subscriptions/secrets-rotator-service-account-keys-rotator"
    "labels" = tomap({
      "application_name" = "secrets-rotator"
    })
    "message_retention_duration" = "604800s"
    "name" = "secrets-rotator-service-account-keys-rotator"
    "project" = "sap-kyma-prow"
    "push_config" = tolist([
      {
        "attributes" = tomap({})
        "no_wrapper" = tolist([])
        "oidc_token" = tolist([
          {
            "audience" = ""
            "service_account_email" = "[email protected]"
          },
        ])
        "push_endpoint" = "https://service-account-keys-rotator-q25ja7ch3q-ez.a.run.app"
      },
    ])
    "retain_acked_messages" = false
    "retry_policy" = tolist([
      {
        "maximum_backoff" = "600s"
        "minimum_backoff" = "300s"
      },
    ])
    "terraform_labels" = tomap({
      "application_name" = "secrets-rotator"
    })
    "timeouts" = null /* object */
    "topic" = "projects/sap-kyma-prow/topics/secret-manager-notifications"
  }
}
terraform_executor_gcp_prow_project_iam_member = {
  "condition" = tolist([])
  "etag" = "BwYi7lyKx4k="
  "id" = "sap-kyma-prow/roles/owner/serviceAccount:[email protected]"
  "member" = "serviceAccount:[email protected]"
  "project" = "sap-kyma-prow"
  "role" = "roles/owner"
}
terraform_executor_gcp_service_account = {
  "account_id" = "terraform-executor"
  "create_ignore_already_exists" = tobool(null)
  "description" = "Identity of terraform executor. It's mapped to k8s service account through workload identity."
  "disabled" = false
  "display_name" = "terraform-executor"
  "email" = "[email protected]"
  "id" = "projects/sap-kyma-prow/serviceAccounts/[email protected]"
  "member" = "serviceAccount:[email protected]"
  "name" = "projects/sap-kyma-prow/serviceAccounts/[email protected]"
  "project" = "sap-kyma-prow"
  "timeouts" = null /* object */
  "unique_id" = "109665069699011807029"
}
terraform_executor_gcp_workload_identity = {
  "condition" = tolist([])
  "etag" = "BwYhcY+T+/A="
  "id" = "projects/sap-kyma-prow/serviceAccounts/[email protected]/roles/iam.workloadIdentityUser"
  "members" = toset([
    "principal://iam.googleapis.com/projects/351981214969/locations/global/workloadIdentityPools/github-com-kyma-project/subject/repository_id:147495537:repository_owner_id:39153523:workflow:Post Apply Prod Terraform",
  ])
  "role" = "roles/iam.workloadIdentityUser"
  "service_account_id" = "projects/sap-kyma-prow/serviceAccounts/[email protected]"
}
terraform_executor_gcp_workloads_project_iam_member = {
  "condition" = tolist([])
  "etag" = "BwYa6EJDduE="
  "id" = "sap-kyma-prow-workloads/roles/owner/serviceAccount:[email protected]"
  "member" = "serviceAccount:[email protected]"
  "project" = "sap-kyma-prow-workloads"
  "role" = "roles/owner"
}
trusted_workload_gatekeeper = <sensitive>
untrusted_workload_gatekeeper = <sensitive>

`

@akiioto akiioto mentioned this pull request Oct 1, 2024
Merged
@akiioto akiioto assigned akiioto and unassigned dekiel, Sawthis and IwonaLanger Oct 4, 2024
KacperMalachowski pushed a commit to KacperMalachowski/test-infra that referenced this pull request Nov 6, 2024
@akiioto @IwonaLanger @KacperMalachowski
Switch Signify service to use mTLS (kyma-project#11777)
2be625d 
* x

* x

* x

* x

* x

* cert probably working

* test

* build

* use decrypted key

* rew

* go mod

* rew

* rev

* rev

* revert

* adjust to review

* adjust to review

* test for cert

* notary tests, refactor to test

* notary tests, refactor to test

* linters

* linters

* working

* upd8 test

* upd8 test

* upd8 test

* Revert "working"

This reverts commit ab4e827.

* upd8 test

* test

* New solution

* New solution

* New solution

* New solution

* Ready to review, no hardcodes. 85% test coverage

* Change endpoint

* Change endpoint

* remove unused mock

* Apply suggestions from code review

Co-authored-by: Iwona Langer <[email protected]>

* minor

* test of interfaces

* test updates

* remove last field function

* delete comments

* renaming stuff

* remove tlsconfigratorinterface

* adjust tests

* update to decouple external library

* cleanup

* remove redundant status check

* remove last variable

* use buffered tls config

* fix retryhttp

* fix test certificate

* Make NotarySigner fields private

---------

Co-authored-by: Iwona Langer <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@IwonaLanger IwonaLanger IwonaLanger approved these changes

@Sawthis Sawthis Sawthis approved these changes

@dekiel dekiel dekiel approved these changes

@neighbors-dev-bot neighbors-dev-bot Awaiting requested review from neighbors-dev-bot neighbors-dev-bot is a code owner

@mmitoraj mmitoraj Awaiting requested review from mmitoraj mmitoraj is a code owner

@NHingerl NHingerl Awaiting requested review from NHingerl NHingerl is a code owner

@grego952 grego952 Awaiting requested review from grego952 grego952 is a code owner

@nataliasitko nataliasitko Awaiting requested review from nataliasitko nataliasitko is a code owner

Assignees

@akiioto akiioto

Labels
add-or-update cla: yes Indicates the PR's author has signed the CLA. lgtm Looks good to me! size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@akiioto @kyma-bot @dekiel @Sawthis @IwonaLanger