feat: KMP periodic retrieval with k8s requeue (#1727)

api/v1beta1/keymanagementproviders_types.go

@@ -31,6 +31,10 @@ type KeyManagementProviderSpec struct {
 	// Name of the key management provider
 	Type string `json:"type,omitempty"`
 
+	// Refresh interval for fetching the certificate/key files from the provider. Only for providers that are refreshable. The value is in the format of "1h30m" where "h" means hour and "m" means minute. Valid time units are units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+	// +kubebuilder:default=""
+	RefreshInterval string `json:"refreshInterval,omitempty"`
+
 	// +kubebuilder:pruning:PreserveUnknownFields
 	// Parameters of the key management provider
 	Parameters runtime.RawExtension `json:"parameters,omitempty"`

api/v1beta1/namespacedkeymanagementprovider_types.go

@@ -32,6 +32,10 @@ type NamespacedKeyManagementProviderSpec struct {
 	// Name of the key management provider
 	Type string `json:"type,omitempty"`
 
+	// Refresh interval for the key management provider. Only used if the key management provider is refreshable. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+	// +kubebuilder:default=""
+	RefreshInterval string `json:"refreshInterval,omitempty"`
+
 	// +kubebuilder:pruning:PreserveUnknownFields
 	// Parameters of the key management provider
 	Parameters runtime.RawExtension `json:"parameters,omitempty"`

charts/ratify/crds/keymanagementprovider-customresourcedefinition.yaml

@@ -14,73 +14,87 @@ spec:
     singular: keymanagementprovider
   scope: Cluster
   versions:
-  - additionalPrinterColumns:
-    - jsonPath: .status.issuccess
-      name: IsSuccess
-      type: boolean
-    - jsonPath: .status.brieferror
-      name: Error
-      type: string
-    - jsonPath: .status.lastfetchedtime
-      name: LastFetchedTime
-      type: date
-    name: v1beta1
-    schema:
-      openAPIV3Schema:
-        description: KeyManagementProvider is the Schema for the keymanagementproviders
-          API
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: KeyManagementProviderSpec defines the desired state of KeyManagementProvider
-            properties:
-              parameters:
-                description: Parameters of the key management provider
-                type: object
-                x-kubernetes-preserve-unknown-fields: true
-              type:
-                description: Name of the key management provider
-                type: string
-            type: object
-          status:
-            description: KeyManagementProviderStatus defines the observed state of
-              KeyManagementProvider
-            properties:
-              brieferror:
-                description: Truncated error message if the message is too long
-                type: string
-              error:
-                description: Error message if operation was unsuccessful
-                type: string
-              issuccess:
-                description: Is successful in loading certificate/key files
-                type: boolean
-              lastfetchedtime:
-                description: The time stamp of last successful certificate/key fetch
-                  operation. If operation failed, last fetched time shows the time
-                  of error
-                format: date-time
-                type: string
+    - additionalPrinterColumns:
+        - jsonPath: .status.issuccess
+          name: IsSuccess
+          type: boolean
+        - jsonPath: .status.brieferror
+          name: Error
+          type: string
+        - jsonPath: .status.lastfetchedtime
+          name: LastFetchedTime
+          type: date
+      name: v1beta1
+      schema:
+        openAPIV3Schema:
+          description:
+            KeyManagementProvider is the Schema for the keymanagementproviders
+            API
+          properties:
+            apiVersion:
+              description:
+                "APIVersion defines the versioned schema of this representation
+                of an object. Servers should convert recognized schemas to the latest
+                internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"
+              type: string
+            kind:
+              description:
+                "Kind is a string value representing the REST resource this
+                object represents. Servers may infer this from the endpoint the client
+                submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: KeyManagementProviderSpec defines the desired state of KeyManagementProvider
               properties:
-                description: provider specific properties of the each individual certificate/key
-                type: object
-                x-kubernetes-preserve-unknown-fields: true
-            required:
-            - issuccess
-            type: object
-        type: object
-    served: true
-    storage: true
-    subresources:
-      status: {}
+                refreshInterval:
+                  default: ""
+                  description:
+                    Refresh interval for fetching the certificate/key files
+                    from the provider. Only for providers that are refreshable. The
+                    value is in the format of "1h30m" where "h" means hour and "m" means
+                    minute. Valid time units are units are "ns", "us" (or "µs"), "ms",
+                    "s", "m", "h".
+                  type: string
+                parameters:
+                  description: Parameters of the key management provider
+                  type: object
+                  x-kubernetes-preserve-unknown-fields: true
+                type:
+                  description: Name of the key management provider
+                  type: string
+              type: object
+            status:
+              description:
+                KeyManagementProviderStatus defines the observed state of
+                KeyManagementProvider
+              properties:
+                brieferror:
+                  description: Truncated error message if the message is too long
+                  type: string
+                error:
+                  description: Error message if operation was unsuccessful
+                  type: string
+                issuccess:
+                  description: Is successful in loading certificate/key files
+                  type: boolean
+                lastfetchedtime:
+                  description:
+                    The time stamp of last successful certificate/key fetch
+                    operation. If operation failed, last fetched time shows the time
+                    of error
+                  format: date-time
+                  type: string
+                properties:
+                  description: provider specific properties of the each individual certificate/key
+                  type: object
+                  x-kubernetes-preserve-unknown-fields: true
+              required:
+                - issuccess
+              type: object
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}

charts/ratify/crds/namespacedkeymanagementprovider-customresourcedefinition.yaml

@@ -14,74 +14,89 @@ spec:
     singular: namespacedkeymanagementprovider
   scope: Namespaced
   versions:
-  - additionalPrinterColumns:
-    - jsonPath: .status.issuccess
-      name: IsSuccess
-      type: boolean
-    - jsonPath: .status.brieferror
-      name: Error
-      type: string
-    - jsonPath: .status.lastfetchedtime
-      name: LastFetchedTime
-      type: date
-    name: v1beta1
-    schema:
-      openAPIV3Schema:
-        description: NamespacedKeyManagementProvider is the Schema for the namespacedkeymanagementproviders
-          API
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: NamespacedKeyManagementProviderSpec defines the desired state
-              of NamespacedKeyManagementProvider
-            properties:
-              parameters:
-                description: Parameters of the key management provider
-                type: object
-                x-kubernetes-preserve-unknown-fields: true
-              type:
-                description: Name of the key management provider
-                type: string
-            type: object
-          status:
-            description: NamespacedKeyManagementProviderStatus defines the observed
-              state of NamespacedKeyManagementProvider
-            properties:
-              brieferror:
-                description: Truncated error message if the message is too long
-                type: string
-              error:
-                description: Error message if operation was unsuccessful
-                type: string
-              issuccess:
-                description: Is successful in loading certificate/key files
-                type: boolean
-              lastfetchedtime:
-                description: The time stamp of last successful certificate/key fetch
-                  operation. If operation failed, last fetched time shows the time
-                  of error
-                format: date-time
-                type: string
+    - additionalPrinterColumns:
+        - jsonPath: .status.issuccess
+          name: IsSuccess
+          type: boolean
+        - jsonPath: .status.brieferror
+          name: Error
+          type: string
+        - jsonPath: .status.lastfetchedtime
+          name: LastFetchedTime
+          type: date
+      name: v1beta1
+      schema:
+        openAPIV3Schema:
+          description:
+            NamespacedKeyManagementProvider is the Schema for the namespacedkeymanagementproviders
+            API
+          properties:
+            apiVersion:
+              description:
+                "APIVersion defines the versioned schema of this representation
+                of an object. Servers should convert recognized schemas to the latest
+                internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"
+              type: string
+            kind:
+              description:
+                "Kind is a string value representing the REST resource this
+                object represents. Servers may infer this from the endpoint the client
+                submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
+              type: string
+            metadata:
+              type: object
+            spec:
+              description:
+                NamespacedKeyManagementProviderSpec defines the desired state
+                of NamespacedKeyManagementProvider
               properties:
-                description: provider specific properties of the each individual certificate/key
-                type: object
-                x-kubernetes-preserve-unknown-fields: true
-            required:
-            - issuccess
-            type: object
-        type: object
-    served: true
-    storage: true
-    subresources:
-      status: {}
+                refreshInterval:
+                  default: ""
+                  description:
+                    Refresh interval for fetching the certificate/key files
+                    from the provider. Only for providers that are refreshable. The
+                    value is in the format of "1h30m" where "h" means hour and "m" means
+                    minute. Valid time units are units are "ns", "us" (or "µs"), "ms",
+                    "s", "m", "h".
+                  type: string
+                parameters:
+                  description: Parameters of the key management provider
+                  type: object
+                  x-kubernetes-preserve-unknown-fields: true
+                type:
+                  description: Name of the key management provider
+                  type: string
+              type: object
+            status:
+              description:
+                NamespacedKeyManagementProviderStatus defines the observed
+                state of NamespacedKeyManagementProvider
+              properties:
+                brieferror:
+                  description: Truncated error message if the message is too long
+                  type: string
+                error:
+                  description: Error message if operation was unsuccessful
+                  type: string
+                issuccess:
+                  description: Is successful in loading certificate/key files
+                  type: boolean
+                lastfetchedtime:
+                  description:
+                    The time stamp of last successful certificate/key fetch
+                    operation. If operation failed, last fetched time shows the time
+                    of error
+                  format: date-time
+                  type: string
+                properties:
+                  description: provider specific properties of the each individual certificate/key
+                  type: object
+                  x-kubernetes-preserve-unknown-fields: true
+              required:
+                - issuccess
+              type: object
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}

config/crd/bases/config.ratify.deislabs.io_keymanagementproviders.yaml

@@ -54,6 +54,14 @@ spec:
                 description: Parameters of the key management provider
                 type: object
                 x-kubernetes-preserve-unknown-fields: true
+              refreshInterval:
+                default: ""
+                description: Refresh interval for fetching the certificate/key files
+                  from the provider. Only for providers that are refreshable. The
+                  value is in the format of "1h30m" where "h" means hour and "m" means
+                  minute. Valid time units are units are "ns", "us" (or "µs"), "ms",
+                  "s", "m", "h".
+                type: string
               type:
                 description: Name of the key management provider
                 type: string

config/crd/bases/config.ratify.deislabs.io_namespacedkeymanagementproviders.yaml

@@ -55,6 +55,12 @@ spec:
                 description: Parameters of the key management provider
                 type: object
                 x-kubernetes-preserve-unknown-fields: true
+              refreshInterval:
+                default: ""
+                description: Refresh interval for the key management provider. Only
+                  used if the key management provider is refreshable. Valid time units
+                  are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+                type: string
               type:
                 description: Name of the key management provider
                 type: string

config/samples/clustered/kmp/config_v1beta1_keymanagementprovider_akv.yaml

@@ -1,13 +1,13 @@
 apiVersion: config.ratify.deislabs.io/v1beta1
 kind: KeyManagementProvider
 metadata:
-  name: keymanagementprovider-inline
+  name: keymanagementprovider-akv
 spec:
   type: azurekeyvault
   parameters:
     vaultURI: https://yourkeyvault.vault.azure.net/
     certificates:
       - name: yourCertName
-        version: yourCertVersion # Optional, fetch latest version if empty 
+        version: yourCertVersion # Optional, fetch latest version if empty
     tenantID:
-    clientID: 
+    clientID:

config/samples/clustered/kmp/config_v1beta1_keymanagementprovider_akv_refresh_enabled.yaml

@@ -0,0 +1,14 @@
+apiVersion: config.ratify.deislabs.io/v1beta1
+kind: KeyManagementProvider
+metadata:
+  name: keymanagementprovider-akv
+spec:
+  type: azurekeyvault
+  refreshInterval: 1m
+  parameters:
+    vaultURI: https://yourkeyvault.vault.azure.net/
+    certificates:
+      - name: yourCertName
+        version: yourCertVersion # Optional, fetch latest version if empty
+    tenantID:
+    clientID: