
Proposal: Create a new subproject for the HashiCorp Vault KMS plugin #26

Closed
FeynmanZhou opened this issue Apr 25, 2023 · 25 comments

Comments

@FeynmanZhou
Member

FeynmanZhou commented Apr 25, 2023

We had the plan to develop a HashiCorp Vault plugin for Notation based on the Notary Plugin spec, see issue notaryproject/notation-hashicorp-vault#8 . We see users requesting to use Notation with HashiCorp Vault several times. With the HashiCorp Vault plugin added to Notation, it would be helpful for the offline signing scenario and extend the Notation plugin ecosystem.

With the contributions from @OliverShang (LFX mentee) and @patrickzheng200 @shizhMSFT (LFX mentors) , the HashiCorp Vault KMS plugin has the prototype and document available to be reviewed now. The initial implementation is available at https://github.com/OliverShang/notation-hc-vault. The next step is to create a repository under Notary org and collaborate with other Notary maintainers to iterate on it. I propose using vault-plugin as the repository name.

I propose the following members as the initial maintainers:

@notaryproject/notaryproject-governance-maintainers If you agree with creating a new repository for this plugin project, please comment below. Thanks!

@patrickzheng200

LGTM.
Thanks @FeynmanZhou! I also want to call out that @shizhMSFT is the other mentor; he guided Bingqi throughout the program as well and answered many questions regarding security. So I'd like to thank @shizhMSFT and Bingqi (Oliver) for their great help and contributions.
As the program is still in progress, we will finalize our workflow and create PRs once the official Notary Repo is created for the project.

@OliverShang

LGTM.
@FeynmanZhou, thank you for acknowledging our contributions. It's been great to have such a supportive community working together on this project.
I also want to give a big thanks to my mentors, @patrickzheng200 and @shizhMSFT, who have been instrumental in providing guidance and support throughout the program. Your guidance has been invaluable to our progress.

@yizha1
Contributor

yizha1 commented Apr 26, 2023

LGTM
Thanks @OliverShang @shizhMSFT @patrickzheng200 and @FeynmanZhou
Can't wait to try notation vault plugin.

@shizhMSFT

For the repository, I'd like to propose that we should follow the same naming pattern notation-{plugin-name} defined in Plugin lifecycle management. The plugin-name basically follows the pattern of <vendor>-<service> (e.g. azure-kv, aws-kms).

Therefore, I would suggest both the plugin binary name and the repository name to be notation-hashicorp-vault.

Note HashiCorp Cloud Platform Vault (HCP Vault) does not include self-managed Vault OSS.

Here's the output of notation plugin ls.

$ notation plugin ls
NAME              DESCRIPTION                                   VERSION             CAPABILITIES                ERROR
hashicorp-vault   Sign artifacts with keys in HashiCorp Vault   v0.1.0+unreleased   [SIGNATURE_GENERATOR.RAW]   <nil>

@shizhMSFT

If the name notation-hashicorp-vault is too long, an alternative can be notation-hashivault where the name hashivault is borrowed from the name of an Ansible module ansible-modules-hashivault.

@FeynmanZhou
Member Author

notation-hashivault sounds good to me.

@toddysm
Contributor

toddysm commented Apr 26, 2023

LGTM though to be consistent I would say notation-hashi-vault as a name.

@SteveLasker
Contributor

LGTM: Fully support additional providers. From a branding perspective, we should likely use notation-hashicorp-vault, but we can check with their project. @shizhMSFT is the length a coding restriction, or just "it's long" question?
I'd also suggest, while I'm fully supportive of many providers, we should be careful to not suggest all providers must be under the notary project. Can we add a page that lists other notation plug-ins, such as the Azure and AWS plugin?

@shizhMSFT

@SteveLasker Nope, there is no coding restriction. It is just a "it's long" question.

@justincormack

LGTM

@iamsamirzon
Contributor

LGTM and agree with using a repository name which is more descriptive. We need to ensure we have maintainers defined for this repo before we formally release any release candidate for this repo.

@priteshbandi

LGTM for creating subproject.

+1 on defining governance for new repo

@vaninrao10

LGTM for subprojects creation.

+1 on defining governance for any new repo

@ksatirli

ksatirli commented May 4, 2023

Hey folks! 👋🏽

Kerim here, from @hashicorp.

This is an exciting plugin and I'm grateful for the hard work y'all put in!

I'd like to leave a 👍 for calling the plugin notation-hashicorp-vault (as opposed to just -hashi).

I believe from a naming perspective, while a few chars longer, this makes it more clear and avoids ambiguity.

I appreciate the consideration :)

@YoSuperG

YoSuperG commented May 4, 2023

+1 on notation-hashicorp-vault

@yizha1
Contributor

yizha1 commented May 5, 2023

+1 notation-hashicorp-vault for repository name.

+1 for the plugin name hashicorp-vault, as explained by @shizhMSFT

> For the repository, I'd like to propose that we should follow the same naming pattern notation-{plugin-name} defined in Plugin lifecycle management. The plugin-name basically follows the pattern of <vendor>-<service> (e.g. azure-kv, aws-kms).
>
> Therefore, I would suggest both the plugin binary name and the repository name to be notation-hashicorp-vault.
>
> Note HashiCorp Cloud Platform Vault (HCP Vault) does not include self-managed Vault OSS.
>
> Here's the output of notation plugin ls.
>
> $ notation plugin ls
> NAME              DESCRIPTION                                   VERSION             CAPABILITIES                ERROR
> hashicorp-vault   Sign artifacts with keys in HashiCorp Vault   v0.1.0+unreleased   [SIGNATURE_GENERATOR.RAW]   <nil>

@FeynmanZhou
Member Author

Thanks @YoSuperG @ksatirli for providing your suggestions! notation-hashicorp-vault sounds good as the sub-project name.

@cipherboy

If you need any support or advice from Hashicorp around Transit or KVv2, feel free to tag me. :-)

Native x509 key storage is definitely something on my radar for Transit, I'll see if I can push it forwards internally. This would allow you to drop the kv-v2 dependency eventually.

@FeynmanZhou
Member Author

FeynmanZhou commented May 11, 2023

Thank you all for supporting this new project. We received the majority of approval from Notary maintainers. It's ready to create this new repo. We will have @OliverShang @patrickzheng200 @shizhMSFT @cipherboy as the initial maintainers.

@FeynmanZhou
Member Author

Close this issue since the repo notation-hashicorp-vault has been created https://github.com/notaryproject/notation-hashicorp-vault

@FeynmanZhou
Member Author

@toddysm @notaryproject/notaryproject-org-maintainers Could you please invite @cipherboy and @OliverShang to the Notary org so that we can add them to the notation-hashicorp-vault plugin as initial maintainers?

@toddysm
Contributor

toddysm commented May 15, 2023

@FeynmanZhou Please create a PR in the respective repo to update the CODEOWNERS and MAINTAINERS files. This is the process we should follow to add them as maintainers for the repo. Org maintainers need to approve the new repo maintainers in the PR.

@FeynmanZhou
Member Author

> @FeynmanZhou Please create a PR in the respective repo to update the CODEOWNERS and MAINTAINERS files. This is the process we should follow to add them as maintainers for the repo. Org maintainers need to approve the new repo maintainers in the PR.

@toddysm Thanks. I reopened this issue and created a PR to add initial CODEOWNERS and MAINTAINERS as we proposed in this issue.

@cipherboy

@FeynmanZhou Just a note, I think the doc and this proposal could perhaps be better titled with Vault Transit rather than Vault KMS. Vault confusingly acts like a KMS (with the Transit backend) -- but it also supports the KMS backend (to synchronize keys across various cloud providers' KMS solutions and fetch credentials for using these KMS instances from applications). At Hashicorp, we tend to call Vault KMS the latter plugin, and the former usage just Vault Transit. :-)

I think there's also a chance for some better tutorials/documentation in the future here. The current advice to use a root token is great for getting started and trying it out, but ultimately we'll want to suggest using tokens scoped to the usage better (e.g., probably just to access whichever paths are used). As far as acquiring this token goes, at Hashicorp we tend to suggest using Vault Agent as a pattern for transparently accessing Vault without having to modify your application to care about different authentication methods. My 2c. is that this is definitely something that should be done for production usage, but something we can defer until later.

Does notary support key management operations with these backends? E.g., key rotation, &c?
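One way to make the scoped-token recommendation above concrete, as an added example that is not code from this thread or from the notation-hashicorp-vault project: a Vault policy granting only the Transit sign endpoint and the KV v2 read path a signing client needs, to be attached to a short-lived token in place of the root token. The key name notation-signing-key, the transit/ and secret/ mount paths, the KV path layout and the policy name notation-signer are all assumptions.

```hcl
# Assumed for this example: Transit mounted at "transit/", KV v2 mounted at
# "secret/", one signing key named "notation-signing-key". Adjust to your
# own deployment; nothing here is the plugin's required layout.

# Sign requests are POSTs to transit/sign/<key>, which maps to "update".
# Only this one key is allowed; no wildcard over transit/sign/*.
path "transit/sign/notation-signing-key" {
  capabilities = ["update"]
}

# Key metadata (public key, key type) for that key, read-only.
path "transit/keys/notation-signing-key" {
  capabilities = ["read"]
}

# Assumed KV v2 location of the certificate chain for the key, read-only.
# KV v2 data is addressed under <mount>/data/<path>.
path "secret/data/notation/notation-signing-key" {
  capabilities = ["read"]
}

# Everything else (key creation, rotation, export, other keys, policy and
# auth administration) is denied by default: no "sudo", no root, no "*".

# Operator steps to install the policy and issue a time-limited token
# (run by an administrator, not by the plugin):
#   vault policy write notation-signer notation-signer.hcl
#   vault token create -policy=notation-signer -ttl=1h
```

The resulting token, or one obtained through Vault Agent as suggested above, is what the plugin should be configured with; an audit-log entry for any path outside these three under that token is then a clear signal to investigate.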

shizhMSFT pushed a commit to notaryproject/notation-hashicorp-vault that referenced this issue May 30, 2023
Add initial CODEOWNERS and MAINTAINERS per discussion in
notaryproject/.github#26. I hope
@notaryproject/notaryproject-governance-maintainers
@notaryproject/notaryproject-org-maintainers could help to review and
approve this PR. Thanks!

---------

Signed-off-by: Feynman Zhou <[email protected]>

@FeynmanZhou
Member Author

Close this issue as the new repository "notation-hashicorp-vault" was created
