
Add plugin interface for out-of-tree KMS providers #1658

Open
bobcallaway opened this issue Mar 4, 2024 · 10 comments · May be fixed by #1901 or sigstore/cosign#3954
Labels
enhancement New feature or request

Comments

@bobcallaway
Member

Description

Investigate using go-plugin as an approach for out-of-tree KMS providers to integrate with Sigstore tooling without merging code into this repo.

I believe this is the correct interface to base the plugin design off of:

type SignerVerifier interface {

@bobcallaway bobcallaway added the enhancement New feature or request label Mar 4, 2024
@haydentherapper
Contributor

Two other possible approaches:

  • Go's plugin support. This notes that it only works on certain Linux distros and macOS so it's probably not the best approach
  • kubectl has support for plugins. I haven't dug in yet, but given kubectl is written in go, I assume this uses either the above or go-plugin, or something that's been written from scratch that we could maybe reuse.

@bobcallaway
Member Author

Two other possible approaches:

  • Go's plugin support. This notes that it only works on certain Linux distros and macOS so it's probably not the best approach

Given the lack of portability, this is probably a non-starter.

  • kubectl has support for plugins. I haven't dug in yet, but given kubectl is written in go, I assume this uses either the above or go-plugin, or something that's been written from scratch that we could maybe reuse.

This seems to be based on a convention of a separate binary being named kubectl-foo-bar and just launching that child process.
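The kubectl-style convention described in the comment above, written out as an added example; this is illustration code, not sigstore, cosign or kubectl code. It assumes a hypothetical binary prefix `cosign-kms` (the project has not chosen one) and that plugins are looked up on PATH, which is also the point a reviewer would flag: whoever controls the caller's PATH decides which binary runs, so a host that adopts this convention should log the resolved path and consider restricting discovery to a fixed directory.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// Hypothetical prefix for plugin binaries (assumption, not a project decision).
const pluginPrefix = "cosign-kms"

// lookPath resolves a binary name on PATH. It is a variable so the resolver
// can be swapped out when exercising resolvePlugin without real binaries.
var lookPath = exec.LookPath

// resolvePlugin applies the kubectl naming convention: the arguments that
// follow the host command are joined with "-" and appended to the prefix,
// trying the longest candidate first ("cosign-kms-foo-bar", then
// "cosign-kms-foo"). Arguments from the first flag onward are never part of
// the name. Whatever was not consumed by the name is handed to the plugin.
func resolvePlugin(prefix string, args []string) (path string, rest []string, err error) {
	// Only leading non-flag arguments may form the plugin name.
	n := 0
	for n < len(args) && !strings.HasPrefix(args[n], "-") {
		n++
	}
	for ; n > 0; n-- {
		candidate := prefix + "-" + strings.Join(args[:n], "-")
		if p, lerr := lookPath(candidate); lerr == nil {
			return p, args[n:], nil
		}
	}
	return "", nil, fmt.Errorf("no %s-* plugin found for %q on PATH", prefix, strings.Join(args, " "))
}

// runPlugin launches the resolved binary as a child process with the host's
// stdio attached, which is all the kubectl convention does: the plugin owns
// its own argument parsing and output.
func runPlugin(path string, args []string) error {
	cmd := exec.Command(path, args...)
	cmd.Stdin = os.Stdin
	cmd.Stdout = os.Stdout
	cmd.Stderr = os.Stderr
	return cmd.Run()
}

func main() {
	path, rest, err := resolvePlugin(pluginPrefix, os.Args[1:])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Record which binary was chosen before handing control to it.
	fmt.Fprintf(os.Stderr, "running plugin %s\n", path)
	if err := runPlugin(path, rest); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

With a binary named `cosign-kms-examplekms` on PATH, `host examplekms sign --key k1` resolves to that binary and passes it `sign --key k1`; arguments beginning with `-` never become part of the lookup, so `host --key k1` fails rather than probing PATH for `cosign-kms---key`.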

@akljph

akljph commented Mar 17, 2024

Hey Team - how close or far away are we from some sort of decision on this, and can we be of any help here?

@haydentherapper
Contributor

The go-plugin library seems like the most promising solution. We haven't started working on this yet. Are you interested in implementing it?

@akljph

akljph commented Mar 20, 2024

No promises, but I am talking to my dev team to potentially build it. I will get back to you when I have more info.

Update: Not sure we will be able to get to this as our team is quite busy.

@akljph

akljph commented Jul 23, 2024

@haydentherapper @bobcallaway any chance you and the team of contributors are going to get to this at some point? Unfortunately, we don't have the time.

@haydentherapper
Contributor

Yes, we're planning to take a look at this shortly.

@akljph

akljph commented Aug 18, 2024

Just another follow up on this one. Hope it's coming soon, and thanks so much for all your hard work 🙏

@ramonpetgrave64

ramonpetgrave64 commented Oct 7, 2024

To update, we've started to take a look and experiment with this.

@ramonpetgrave64

Draft PR and spec link here: #1901

4 participants