Acr managed identity (#12)

* Updated authn to work with Azure AKS managed identities
To use this, provide the client id during helm install.

* Cleaned up reamde for official use

* Formatting fixes

* updated jwt lib

* linting

* README updates

* Update pkg/authn/provider.go

Co-authored-by: Cody Soyland <[email protected]>

* Update README.md

Co-authored-by: Cody Soyland <[email protected]>

---------

Co-authored-by: Cody Soyland <[email protected]>

Author: kommendorkapten

README.md

@@ -4,6 +4,11 @@ feature](https://open-policy-agent.github.io/gatekeeper/website/docs/externaldat
 with [Artifact attestations](https://github.com/actions/attest) to determine whether
 the images are valid by verifying its signatures.
 
+> [!IMPORTANT]
+> For this to work, OPA Gatekeeper must run with
+> `enableExternalData=true`, which can be configured during
+> installation.
+
 ## Limitations
 
 * mTLS between OPA Gatekeeper and the external data provider is not
@@ -12,129 +17,125 @@ the images are valid by verifying its signatures.
 
 ## Installation
 
-## Verification
+### Preparation
 
-## Local installation
+Before the installation starts, two steps are required to prepare:
 
-1. Create a [kind
-   cluster](https://kind.sigs.k8s.io/docs/user/quick-start/).
-2. Prepare `pull-secret` for private OCI registry (Optional)
+1. How OPA Gatekeeper authenticates the OPA External Data
+   Provider. This is done via regular TLS certificates, but they must
+   be created and made available to the services.
+1. If private OPI registries are used, the authentication must be
+   configured.
 
-```
-$ kubectl create secret docker-registry \
-          ghcr-login-secret \
-          --docker-server=https://ghcr.io \
-          --docker-username=$YOUR_GITHUB_USERNAME \
-          --docker-password=$YOUR_GITHUB_TOKEN \
-          --docker-email=$YOUR_EMAIL
-```
+#### OCI Authentication
 
-3. Prepare a pull secret for the OPA external data provider (Optional)
+Currently there are two tested authentication methods known to work
+with private OCI registries:
 
-```
-$ kubectl create secret \
-          -n provider-system \
-          docker-registry aa-ghcr-login-secret \
-          --docker-server=https://ghcr.io \
-          --docker-username=$YOUR_GITHUB_USERNAME \
-          --docker-password=$YOUR_GITHUB_TOKEN \
-          --docker-email=$YOUR_EMAIL
-```
+1. Using `imagePullSecrets`
+2. Using Managed Identities with Azure Managed Kubernetes Service
+   (AKS)
 
-4. Install Gatekeeper and **enable external data feature**
+Although these are the only tested authentication methods, others may
+work (Azure using Sevice Principals, GKE and EKS configurations) as
+long as the POD/Service Accounts are configured properly.
 
-```
-# Add the Gatekeeper Helm repository
-$ helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
-
-# Install the latest version of Gatekeeper with the external data feature enabled.
-$ helm install gatekeeper/gatekeeper \
-    --set enableExternalData=true \
-    --name-template=gatekeeper \
-    --namespace gatekeeper-system \
-    --create-namespace
-```
+To use `imagePullSecrets`, prepare the secret in the namespace used by
+the Artifact Attestations OPA Provider. The default name is
+`aa-login-secret` but can be changed if needed, just make sure to
+update the value in `values.yaml` before installing.
 
-5. Generate server TLS for the external data provider
+To use Azure Managed Identities, first configure the Managed Identity
+with the required permission (ACR Pull against the relevant
+registries), then [configure a federated
+credential](https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation-config-app-trust-managed-identity?tabs=microsoft-entra-admin-center#configure-a-federated-identity-credential-on-an-existing-application)
+against the K8s cluster.
 
-```
-$ ./scripts/gen_certs.sh
-```
+To enable the use of Azure Managed Identities, you must provide the
+Managed Identity's Client ID: `--set azureClientId=${AZURE_CLIENT_ID}`
+during helm install.
 
-6. Build and load the docker image
+#### TLS certificates
 
-```
-$ make docker
-$ make kind-load-image
-```
+> [!NOTE]
+> Tested version of OPA Gatekeeper up to version 3.18.2 only supports
+> RSA keys for the TLS certificates.
+
+OPA Gatekeeper relies on TLS authentication when communicating with
+external data providers. There is a provided
+[script](scripts/gen_certs.sh) to generate a self signed CA and TLS
+certificate. The certificate can be created via other means, as long
+as the private key can be mounted as a secret to the Artifact
+Attestations OPA Provider POD.
+
+When installing the Artifacts Attestations OPA Provider, the CA
+certificate bundle must be provided to configure the root of trust.
 
-7. Install the data provider
+The secret containing the TLS certificate and private key can be
+automatically created, or created separately from the helm
+installation. The secret must have the name `provider-tls-cert`.
 
-To automatically provision the server tls certificate/key secret
+### Install via helm
+
+#### Using `imagePullSecrets`
 
 ```
 $ helm install artifact-attestations-opa-provider charts/artifact-attestations-opa-provider \
     --set provider.tls.caBundle="$(cat certs/ca.crt | base64 | tr -d '\n\r')" \
     --set serverCert="$(cat certs/tls.crt | base64 | tr -d '\n\r')" \
     --set serverKey="$(cat certs/tls.key | base64 | tr -d '\n\r')" \
+    --set imagePullSecrets=<name-of-your-secret> \
     --namespace provider-system \
     --create-namespace
 ```
 
-or if the secret is already created
+#### Using Azure Managed Identity
 
 ```
 $ helm install artifact-attestations-opa-provider charts/artifact-attestations-opa-provider \
     --set provider.tls.caBundle="$(cat certs/ca.crt | base64 | tr -d '\n\r')" \
-    --set serverCert="" \
+    --set serverCert="$(cat certs/tls.crt | base64 | tr -d '\n\r')" \
+    --set serverKey="$(cat certs/tls.key | base64 | tr -d '\n\r')" \
+    --set azureClientId=${AZURE_CLIENT_ID} \
     --namespace provider-system \
     --create-namespace
 ```
 
-8. Install constraint template and constraint.
-
-From repo:
-
-```
-$ kubectl apply -f validation/from-repo-constraint-template.yml
-$ kubectl apply -f validation/from-repo-constraint.yml
-```
-
-or from org:
-
-```
-$ kubectl apply -f validation/from-org-constraint-template.yml
-$ kubectl apply -f validation/from-org-constraint.yml
-```
-
-or from org with signer (reusable workflow):
+#### Using Azure Managed Identity and an existing TLS secret
 
 ```
-$ kubectl apply -f validation/from-org-with-signer-constraint-template.yml
-$ kubectl apply -f validation/from-org-with-signer-constraint.yml
+$ helm install artifact-attestations-opa-provider charts/artifact-attestations-opa-provider \
+    --set provider.tls.caBundle="$(cat certs/ca.crt | base64 | tr -d '\n\r')" \
+    --set serverCert="" \
+    --set azureClientId=${AZURE_CLIENT_ID} \
+    --namespace provider-system \
+    --create-namespace
 ```
 
-9. Test with an image from Tina's repository (PGI Sigstore)
+## Verification
 
-```
-$ kubectl run nginx --image=ghcr.io/tinaheidinger/test-container:latest  --dry-run=server -ojson
-```
+Three examples are provided that can be used as references when
+building out the policy.
 
-10. Test with image from Fredrik's repository (private package, GitHub
-   Sigstore)
+The policies are regular OPA Gatekeeper Constraints, where the
+enforcement action can be set, and the targeted/ignored resources.
 
-```
-$ kubectl run nginx --image=ghcr.io/kommendorkapten/ghademo:latest --dry-run=server -ojson
-```
+When writing the policy using the provided examples, the organization
+should be the name of the GitHub org, like `octo-org`, and the
+repository must include the org name like `octo-org/octo-repo`.
 
-11. Test with image from Fredrik's repository (private package, GitHub
-   Sigstore) using a reusable workflow
+The following three examples are provided:
 
-```
-$ kubectl run nginx --image=ghcr.io/kommendorkapten/ghademo:reusable --dry-run=server -ojson
-```
+1. [Verify image](validation/from-org-constraint-template.yaml) is
+   built from a list of provided organizations.
+1. [Verify image](validation/from-repo-constraint-template.yaml) is
+   built from a list of provided repositories.
+1. [Verify
+   image](validation/from-org-with-signer-constraint-template.yaml) is
+   originating from a list of organizations, and built with a reusable
+   workflow from a list of provided repositories.
 
-### Cleaning up
+## Uninstall
 
 ```
 $ kubectl delete -f validation

charts/artifact-attestations-opa-provider/templates/deployment.yaml

@@ -12,6 +12,9 @@ spec:
     metadata:
       labels:
         run: artifact-attestations-opa-provider
+        {{- if .Values.azureClientId }}
+        azure.workload.identity/use: "true"
+        {{- end }}
     spec:
       serviceAccountName: {{ .Values.serviceAccount }}
       automountServiceAccountToken: true
@@ -32,7 +35,7 @@ spec:
             type: RuntimeDefault
         args:
         - -namespace={{ .Release.Namespace }}
-        - -image-pull-secret=aa-ghcr-login-secret
+        - -image-pull-secret={{ .Values.imagePullSecrets }}
         - -certs={{ .Values.certDir }}
         - -port={{ .Values.port }}
         ports:

charts/artifact-attestations-opa-provider/templates/service-account.yaml

@@ -3,3 +3,7 @@ kind: ServiceAccount
 metadata:
   name: {{ .Values.serviceAccount }}
   namespace:  {{ .Release.Namespace }}
+  annotations:
+    {{- if .Values.azureClientId }}
+    azure.workload.identity/client-id: {{ .Values.azureClientId }}
+    {{- end }}

charts/artifact-attestations-opa-provider/values.yaml

@@ -1,7 +1,8 @@
 certDir: /certs
 serviceAccount: opa-provider-sa
 port: 8090
+imagePullSecrets: aa-login-secret
 provider:
-  timeout: 5
+  timeout: 10
   tls:
     caBundle: ""

go.mod

@@ -6,23 +6,51 @@ toolchain go1.24.1
 
 require (
 	github.com/google/go-containerregistry v0.20.3
+	github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20250225234217-098045d5e61f
 	github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20250225234217-098045d5e61f
 	github.com/open-policy-agent/frameworks/constraint v0.0.0-20250310182122-79a9477fa575
 	github.com/sigstore/sigstore-go v0.7.1-0.20250321070118-95b41380066f
 )
 
 require (
+	cloud.google.com/go/compute/metadata v0.6.0 // indirect
+	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.1 // indirect
+	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
+	github.com/Azure/go-autorest/autorest v0.11.29 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.24 // indirect
+	github.com/Azure/go-autorest/autorest/azure/auth v0.5.13 // indirect
+	github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect
+	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
+	github.com/Azure/go-autorest/logger v0.2.1 // indirect
+	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.36.1 // indirect
 	github.com/aws/aws-sdk-go-v2/config v1.29.6 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.59 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.28 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.32 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.32 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.38.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.29.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.13 // indirect
 	github.com/aws/aws-sdk-go-v2/service/kms v1.37.18 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.24.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.14 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.33.14 // indirect
+	github.com/aws/smithy-go v1.22.2 // indirect
+	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20250115170608-608f37feb051 // indirect
 	github.com/blang/semver v3.5.1+incompatible // indirect
+	github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect
 	github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
 	github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
+	github.com/dimchansky/utfbom v1.1.1 // indirect
 	github.com/docker/cli v28.0.2+incompatible // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.9.3 // indirect
@@ -44,6 +72,7 @@ require (
 	github.com/go-openapi/swag v0.23.1 // indirect
 	github.com/go-openapi/validate v0.24.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/certificate-transparency-go v1.3.1 // indirect
 	github.com/google/gnostic-models v0.6.9 // indirect
@@ -56,6 +85,7 @@ require (
 	github.com/in-toto/in-toto-golang v0.9.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
+	github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/compress v1.17.11 // indirect