
Conversation

@cmurphy
Contributor

@cmurphy cmurphy commented Dec 9, 2025

Simplify the Fulcio configuration by removing the createcerts job and pre-generating the keys for Fulcio from the setup script.

This is a prerequisite to updating ctlog to accept the pre-generated Fulcio roots as an input value rather than using createctconfig to fetch the roots from Fulcio's rootCert HTTP endpoint.

Relates to #1833
Relates to sigstore/rekor-tiles#73

Summary

Release Note

Documentation

@cmurphy cmurphy requested review from a team as code owners December 9, 2025 20:33
Member

@loosebazooka loosebazooka left a comment


Some questions, mostly as I don't understand the system fully yet.

@cmurphy cmurphy force-pushed the fulcio-createcerts branch 11 times, most recently from c77d305 to a7294b5, December 10, 2025 00:57
Member

@loosebazooka loosebazooka left a comment


lgtm

loosebazooka previously approved these changes Dec 11, 2025

namespace: fulcio-system
type: Opaque
data:
  cert: <cert-placeholder>
Contributor


Is this a duplicate of fulcio-cert.cert? Could we remove this secret if so, or are we keeping these separate to avoid further changes?

Contributor Author


Yes, it's a duplicate. The reason, I think, is so that in theory you could give the TUF service account (or some other user) fine-grained access to just this resource and not expose the private key. In practice we don't have access controls like that in our testing, but I think it's still nice to keep it separate.

Contributor


Yea, I also noticed that it was just the TUF-related scripts using it. SGTM to leave it.

Simplify the Fulcio configuration by removing the createcerts job and
pre-generating the keys for Fulcio from the setup script.

This is a prerequisite to updating ctlog to accept the pre-generated
Fulcio roots as an input value rather than using createctconfig to fetch
the roots from Fulcio's rootCert HTTP endpoint.

Signed-off-by: Colleen Murphy <[email protected]>
@cmurphy cmurphy merged commit b8fd9b4 into sigstore:main Dec 12, 2025
44 checks passed