Add plugin interface for out-of-tree KMS providers #1658

Closed
bobcallaway opened this issue Mar 4, 2024 · 11 comments
Labels
enhancement New feature or request

Comments

@bobcallaway
Member

Description

Investigate using go-plugin as an approach for out-of-tree KMS providers to integrate with Sigstore tooling without merging code into this repo.

I believe this is the correct interface to base the plugin design off of:

type SignerVerifier interface {

@bobcallaway bobcallaway added the enhancement New feature or request label Mar 4, 2024
@haydentherapper
Contributor

Two other possible approaches:

  • Go's plugin support. This notes that it only works on certain Linux distros and macOS so it's probably not the best approach
  • kubectl has support for plugins. I haven't dug in yet, but given kubectl is written in Go, I assume this uses either the above or go-plugin, or something written from scratch that we could maybe reuse.

@bobcallaway
Member Author

> Two other possible approaches:
>
>   • Go's plugin support. This notes that it only works on certain Linux distros and macOS so it's probably not the best approach

Given the lack of portability, this is probably a non-starter.

>   • kubectl has support for plugins. I haven't dug in yet, but given kubectl is written in Go, I assume this uses either the above or go-plugin, or something written from scratch that we could maybe reuse.

This seems to be based on a convention of a separate binary being named kubectl-foo-bar and just launching that child process.

@akljph

akljph commented Mar 17, 2024

Hey Team - how close or far away are we from some sort of decision on this, and can we be of any help here?

@haydentherapper
Contributor

The go-plugin library seems like the most promising solution. We haven't started working on this yet. Are you interested in implementing it?

@akljph

akljph commented Mar 20, 2024

No promises, but I am talking to my dev team to potentially build it. I will get back to you when I have more info.

Update: Not sure we will be able to get to this as our team is quite busy.

@akljph

akljph commented Jul 23, 2024

@haydentherapper @bobcallaway any chance you and the team of contributors are going to get to this at some point? Unfortunately, we don't have the time.

@haydentherapper
Contributor

Yes, we're planning to take a look at this shortly.

@akljph

akljph commented Aug 18, 2024

Just another follow up on this one. Hope it's coming soon, and thanks so much for all your hard work 🙏

@ramonpetgrave64
Contributor

ramonpetgrave64 commented Oct 7, 2024

To update, we've started to take a look and experiment with this.

@ramonpetgrave64
Contributor

Draft PR and spec linked here: #1901

haydentherapper pushed a commit that referenced this issue Jan 21, 2025
We're adding plugin support to sigstore to support separately-compiled KMS providers. We experimented with the hashicorp/go-plugin system suggested in #1658, and we would like to try kubectl's style of supporting plugin programs. It basically works like this:

  • The plugin is a separate program on the system's PATH, invoked as a command.
  • The SignerVerifier interface arguments are sent as CLI arguments and file contents over stdin.
  • The SignerVerifier interface return values are sent over stdout.

You should be able to implement a plugin in any language, even shell script. If using Go, once you implement the SignerVerifier interface methods, your plugin program could be as simple as the example included in this PR at "test/cliplugin/localkms/main.go".

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
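The kubectl-style convention described in the thread (a separately named binary resolved on PATH and launched as a child process) and the argv/stdin/stdout exchange described in the commit message above, as an added example that is not the PR's code or the project's spec. Everything about the wire format here is an assumption made for illustration: the binary name `sigstore-kms-<provider>`, the method name in argv, the message on stdin, a single JSON object on stdout, and an in-memory Ed25519 key standing in for a KMS-held key. The `Runner` indirection exists so the host side can be driven in-process (`InProcessRunner`) as well as by actually executing a binary (`ExecRunner`).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"os/exec"
)

// Assumed wire protocol (illustrative, not the spec in PR #1901): the method name and
// small arguments travel as argv, the message travels on stdin, one JSON reply on stdout.
type response struct {
	Signature string `json:"signature,omitempty"` // base64-encoded signature bytes
	Error     string `json:"error,omitempty"`
}

// Runner abstracts "run the plugin binary" so the host can also be driven in-process.
type Runner func(bin string, args []string, stdin io.Reader, stdout io.Writer) error

// ExecRunner runs the plugin as a child process; exec resolves bin on PATH, kubectl-style.
func ExecRunner(bin string, args []string, stdin io.Reader, stdout io.Writer) error {
	cmd := exec.Command(bin, args...)
	cmd.Stdin, cmd.Stdout = stdin, stdout
	return cmd.Run()
}

// PluginSigner is the host-side adapter: SignerVerifier-shaped calls become invocations
// of "sigstore-kms-<provider>" (that naming convention is an assumption of this example).
type PluginSigner struct {
	Provider string
	Run      Runner
}

// call runs one plugin invocation and accepts nothing but a well-formed, error-free reply.
func (p *PluginSigner) call(method string, extra []string, msg []byte) (response, error) {
	bin := "sigstore-kms-" + p.Provider
	var out bytes.Buffer
	if err := p.Run(bin, append([]string{method}, extra...), bytes.NewReader(msg), &out); err != nil {
		return response{}, fmt.Errorf("plugin %s: %w", bin, err)
	}
	var resp response
	if err := json.Unmarshal(out.Bytes(), &resp); err != nil {
		return response{}, fmt.Errorf("plugin %s: malformed stdout: %w", bin, err)
	}
	if resp.Error != "" {
		return response{}, fmt.Errorf("plugin %s: %s", bin, resp.Error)
	}
	return resp, nil
}

// SignMessage mirrors signature.Signer.SignMessage: message on stdin, signature on stdout.
func (p *PluginSigner) SignMessage(msg []byte) ([]byte, error) {
	resp, err := p.call("sign", nil, msg)
	if err != nil {
		return nil, err
	}
	return base64.StdEncoding.DecodeString(resp.Signature)
}

// VerifySignature mirrors signature.Verifier.VerifySignature: signature as argv, message on stdin.
func (p *PluginSigner) VerifySignature(sig, msg []byte) error {
	_, err := p.call("verify", []string{base64.StdEncoding.EncodeToString(sig)}, msg)
	return err
}

// ServePlugin is the plugin side: one process handles one method and exits. The
// in-memory Ed25519 key stands in for the KMS-held key a real provider would use.
func ServePlugin(priv ed25519.PrivateKey, args []string, stdin io.Reader, stdout io.Writer) error {
	var resp response
	msg, err := io.ReadAll(stdin)
	switch {
	case err != nil:
		resp.Error = err.Error()
	case len(args) == 1 && args[0] == "sign":
		resp.Signature = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, msg))
	case len(args) == 2 && args[0] == "verify":
		sig, err := base64.StdEncoding.DecodeString(args[1])
		if err != nil || !ed25519.Verify(priv.Public().(ed25519.PublicKey), msg, sig) {
			resp.Error = "signature did not verify"
		}
	default:
		resp.Error = "usage: sign | verify <base64-signature>"
	}
	return json.NewEncoder(stdout).Encode(resp)
}

// InProcessRunner satisfies Runner by calling ServePlugin directly with a fresh key.
func InProcessRunner() Runner {
	_, priv, err := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	if err != nil {
		panic(err)
	}
	return func(_ string, args []string, in io.Reader, out io.Writer) error {
		return ServePlugin(priv, args, in, out)
	}
}

func main() {
	s := &PluginSigner{Provider: "localkms", Run: InProcessRunner()}
	sig, err := s.SignMessage([]byte("hello"))
	fmt.Println("sign:", err, "verify:", s.VerifySignature(sig, []byte("hello")))
}
```

Two design points worth noticing on the host side. First, `call` treats anything other than a parseable, error-free reply as a failure, so a plugin that crashes, prints nothing, or prints garbage can never be mistaken for a successful signature. Second, because the binary is resolved on PATH, whoever can write to a directory on the host's PATH chooses which program holds the signing key; a deployment that cares about that should pin the plugin directory rather than rely on an ambient PATH.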
@haydentherapper
Contributor

This is now complete.
