OpenBao Support

[Nerkho]

Description

Hello there, I was looking into improving the support of OpenBao.

It works fine with the current hashivault provider, but it relies on the VAULT_ADDR/VAULT_TOKEN environment variables.
For our users, we'd like for them to be able to use cosign with the BAO_ADDR/BAO_TOKEN environment variables to avoid confusion.
Ideally we would also like to see a dedicated provider with its own scheme (e.g openbao://).

I'm happy to submit a PR. But wonder if it's best to just duplicate the hashivault provider or if you'd like this to be implemented differently?

[Hayden-IO]

Hey, thanks for reaching out. As per the KMS policy, we don't plan to support more KMS providers in the repo. However in this case, if there's no additional code beyond environment variable and scheme aliases, I'd be supportive of this change. Do you think you can work this change into the existing provider?

[Nerkho]

Thanks! Yeah, I think we can implement this within the existing provider. I'll try and submit a PR when ready.

[Nerkho]

Meanwhile, some other tasks landed on my desk. I got around to submitting a PR for this: #2303.
And for docs as well: sigstore/docs#421

[karras]

I've raised #2313 to mention OpenBao also in the README and POLICY.

[karras]

Extended the KMS definition to also mention OpenBao in sigstore/docs#422.

[karras]

PRs for raising awareness by showcasing Sigstore on the OpenBao ecosystem page:

• Add Sigstore logos openbao/openbao-ecosystem-logos#23
• Add Sigstore to the "Integrator" ecosystem openbao/openbao#2733

[karras]

@Hayden-IO @Nerkho I gather we can mark this one as resolved?

[Hayden-IO]

https://github.com/sigstore/sigstore/releases/tag/v1.10.5 which includes support