loading custom profile vs generic connect.c4m #14

Merged
merged 8 commits into from
Aug 28, 2024


@miki725 miki725 commented Aug 20, 2024

Currently the action was hard-coding the use of connect.c4m, which allowed connecting Chalk to CrashOverride.

This change allows connecting Chalk to a custom profile as configured in the CrashOverride UI. The rough flow is:

  • CI system generates an OIDC token
  • the token is sent to CrashOverride to look up which org the SCM is installed in
  • CrashOverride mints a new JWT for the found org
  • the new JWT is used to look up the chalk profile/parameters to be loaded into chalk
  • downloaded profile/parameters embed a lower-permission JWT scoped to the action the component is configured to do. For example, sending reports JWT doesn't have permission to access attestation keys.

This allows friction-free UX across multiple CI systems with fully custom chalk profiles. Currently supports:

  • GitHub
  • GitLab

For CI systems which do not support this feature, the --token can be manually passed, which will point chalk to the CrashOverride org without OIDC tokens.
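The last step of the flow above (an org-level JWT narrowed to a per-component token) sketched as an added example; this is not code from the PR or from CrashOverride. HS256 with a shared demo key stands in for whatever signing the service actually uses, and the claim names, scope names and functions are hypothetical.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # assumption: stand-in for the service's signing key

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def sign(head, body):
    return hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()

def mint(claims):
    """Issue a compact HS256 JWT over the given claims."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{b64e(sign(head, body))}"

def verify(token):
    """Return the claims only if algorithm, signature and expiry all check out."""
    head, body, sig = token.split(".")
    if json.loads(b64d(head)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    if not hmac.compare_digest(sign(head, body), b64d(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(b64d(body))
    if claims["exp"] <= time.time():
        raise PermissionError("expired")
    return claims

def downscope(org_token, component, scopes, ttl=300):
    """Mint a component token: scopes may shrink, never grow; expiry never extends."""
    parent = verify(org_token)
    if not set(scopes) <= set(parent["scopes"]):
        raise PermissionError("cannot widen scopes")
    exp = min(parent["exp"], int(time.time()) + ttl)
    return mint({**parent, "component": component, "scopes": sorted(scopes), "exp": exp})

def authorize(token, needed):
    """Resource-side check: the token must verify AND carry the needed scope."""
    try:
        return needed in verify(token)["scopes"]
    except (PermissionError, ValueError, KeyError):
        return False

def demo():  # constructed org token; the scope names are hypothetical
    org = mint({"org": "example-org", "exp": int(time.time()) + 600,
                "scopes": ["reports:write", "attestation:read"]})
    reports = downscope(org, "reports", ["reports:write"])
    return authorize(reports, "reports:write"), authorize(reports, "attestation:read")
```

`demo()` returns `(True, False)`: the reports token can send reports but is refused for the attestation scope, and editing its payload to add that scope invalidates the signature.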

miki725 commented Aug 20, 2024

setup.sh Outdated
Comment on lines 7 to 8
OPENID_CONNECT=https://chalk-test.crashoverride.run/v0.1/openid-connect/github
PROFILE=https://chalk-test.crashoverride.run/v0.1/profile
@miki725 miki725 Aug 20, 2024

  • need to flip to prod before merging

miki725 commented Aug 20, 2024

this should not be merged until the UI is fully deployed into prod

@miki725 miki725 marked this pull request as ready for review August 27, 2024 01:53
@DarbyBrown
This should be all ok to merge @miki725 👍

PROFILE=https://chalk.crashoverride.run/v0.1/profile
GITHUB_OPENID_CONNECT=https://chalk.crashoverride.run/v0.1/openid-connect/github
GITLAB_OPENID_CONNECT=https://chalk.crashoverride.run/v0.1/openid-connect/gitlab
if [ -n "${__CHALK_TESTING__:-}" ]; then
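Review bot: On the last line, `__CHALK_TESTING__` takes effect for any non-empty value of the environment variable, and nothing in the visible lines says what it changes. Since the description says the CI OIDC token is sent to these endpoints, add a comment in setup.sh stating what the testing branch overrides, and consider printing the selected host so a run pointed away from chalk.crashoverride.run shows up in the job output.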

Non-blocking: We should document this feature clearly in Notion before we forget and call it out on a team meeting

@MyNameIsMeerkat MyNameIsMeerkat left a comment

LGTM 👍

@miki725 miki725 merged commit 16e6642 into main Aug 28, 2024
2 checks passed
@miki725 miki725 deleted the profiles branch August 28, 2024 15:50