notaryproject / notary

Notary is a project that allows anyone to have trust over arbitrary collections of data
Apache License 2.0

Hashicorp Vault as storage engine for notary client #1524

Open marcofranssen opened 4 years ago

marcofranssen commented 4 years ago

It would be great if the notary client could be integrated with Hashicorp vault as a storage location for the keys.

Use case:

CI and CD to release docker images runs in different servers and locations. For each repository we need to be able to create the target keys and authorize developers / ci to sign the docker images. As we don't want these root and target keys to live on a developers machine we would like to integrate with Hashicorp Vault so keys can be managed centrally and backups can also be managed in a centralized location.

marcofranssen commented 4 years ago

@HuKeping what do you think about this? Any guidelines on where to start for a small POC?

Things like interfaces to implement or things like that. Not that deep into the code yet.

sethbergman commented 4 years ago

Our team has implemented this using some custom Ansible scripts inside of a Docker image. I wrote part of the implementation. We have set up an AppRole for Vault that has write permissions. We first check Vault for any keys to download in the CI runner, then do a docker build, sign and tag, and then we upload the new keys to Vault. GitLab also has a new feature for Vault integration using JWT.

It's certainly possible, but I'm not able to share the details any more than that.

Good luck 👍

jfbette commented 3 years ago

I have the same need to store signing keys inside a secure vault, e.g. Hashicorp Vault. The objective here is that highly critical material should remain secured and never leave the Vault. We will avoid challenging situations like:

The workflow could be as follows:

  1. The Notary client authenticates to the Hashicorp Vault with a profile that has access to the appropriate API/key
  2. Send the docker image to the Transit secrets engine API at the path /transit/sign (responsible for signing the data received with a key stored on the
  3. Get back the signature and check it against a locally computed digest of the image to see if it is equal (to avoid risk when sending the image to Hashicorp Vault even if it is sent over HTTPS, ...).
  4. Do as usual with the image signature and Notary

If ok with the principle, I could work on the main workflow, interfaces and options needed for the command line, and then work on the code to propose a merge request.
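Steps 1 to 3 of the workflow above, as an added example in Go that is not part of this issue or of the notary code base: the client hashes the image locally and sends only the digest to Transit's sign endpoint (request and response shape as in Vault's API; an ed25519 key is assumed, so no prehashed flag is needed), then verifies the returned signature against the key's public half before using it, which is the check step 3 asks for. The Vault server, token, key name and image bytes are all constructed stand-ins so the example runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)
// VaultSignDigest: hash locally, POST only the digest to /v1/transit/sign/<key>, verify the reply with pub.
func VaultSignDigest(c *http.Client, addr, token, key string, blob []byte, pub ed25519.PublicKey) ([]byte, error) {
	digest := sha256.Sum256(blob) // the image bytes never leave the client; only this digest does
	body, _ := json.Marshal(map[string][]byte{"input": digest[:]}) // []byte is JSON-encoded as base64
	req, _ := http.NewRequest("POST", addr+"/v1/transit/sign/"+key, strings.NewReader(string(body)))
	req.Header.Set("X-Vault-Token", token)
	resp, err := c.Do(req)
	if err != nil { return nil, err }
	defer resp.Body.Close()
	var out struct{ Data struct{ Signature string } } // Vault replies {"data":{"signature":"vault:v1:..."}}
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&out) != nil {
		return nil, fmt.Errorf("transit sign failed: HTTP %d", resp.StatusCode)
	}
	raw := out.Data.Signature[strings.LastIndex(out.Data.Signature, ":")+1:] // strip "vault:v<n>:"
	if sig, err := base64.StdEncoding.DecodeString(raw); err == nil && ed25519.Verify(pub, digest[:], sig) {
		return sig, nil
	}
	return nil, fmt.Errorf("signature does not verify against the local digest")
}

// FakeTransit: constructed offline stand-in for Transit's sign endpoint; the key stays inside it and one fixed token gates it.
func FakeTransit(priv ed25519.PrivateKey) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var in struct{ Input []byte } // base64 "input" field decodes straight into bytes
		if r.Header.Get("X-Vault-Token") != "hvs.constructed-token" || json.NewDecoder(r.Body).Decode(&in) != nil {
			http.Error(w, "permission denied", http.StatusForbidden); return // real Vault evaluates policy here
		}
		sig := "vault:v1:" + base64.StdEncoding.EncodeToString(ed25519.Sign(priv, in.Input))
		json.NewEncoder(w).Encode(map[string]any{"data": map[string]string{"signature": sig}})
	})
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // stands in for the key pair that Vault would hold
	srv := httptest.NewServer(FakeTransit(priv))
	sig, err := VaultSignDigest(srv.Client(), srv.URL, "hvs.constructed-token", "notary-targets", []byte("constructed image manifest"), pub)
	fmt.Println(len(sig), err) // 64 <nil>
}
```

A rejected token surfaces as the HTTP status check failing, and a signature made by any other key fails the local verification, so neither case can slip through to step 4.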

marcofranssen commented 3 years ago

We might also want to have a look at cosign which has a neat way of using KMS keys including Hashivault Transit engine.

jfbette commented 3 years ago

Yes! I have looked at it, both in functionality and in the code, and we should reproduce such functionalities inside Notary. What are the next steps according to you?