sigstore/helm-charts

require an explicit setting for signer (rekor & fulcio) rather than an implicit default of memory

bobcallaway opened this issue · 1 comments

Description

We've had several users be surprised by the behavior of both rekor & fulcio (as deployed by the helm charts) where the default signer is the memory option - this is nice for testing purposes, but not great for actual deployments where you would want a longer-lived key to be used (via KMS, HSM, etc).

We should remove the implicit default and require users to explicitly select one.

I can work on adding a rekor-createsecret job to the rekor helm chart that will use the new image fixed here. This can be a better default for the rekor signer compared to memory.