Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: set default certstore namespace in notation verifier to uniquely identify certificate store resource #1134

Merged
merged 19 commits into from
Oct 26, 2023

Conversation

susanshi
Copy link
Collaborator

@susanshi susanshi commented Oct 18, 2023

Description

Fixes #1061

What this PR does / why we need it:

currently certStore defined in trust policy only contains name which means the CertStore cannot be uniquely identified. To address , the PR introduces below changes:

  • Updated certstore controller to cache certificates based on key "namepsace/name". E.g. gatekeeper-system/ratify-notation-inline-cert
  • updated verifier reconcile to append namespace to cert store (if certSTore is not name spaced already). The default namespace would be the verifier's namespace, given verifier are cluster scoped resource, use ratify deployed namespace
    as a fall back.
  • remove verificateCertStore from configMap we cannot infer namespace from configmap. Verifier/Store are overridden by CRD at runtime, Ratify team is working on cleaning configMap to avoid user confusion. Issue Start server without plugin configs. #1104 Start server without plugin configs. #1104
  • moved RatifyNamespace env variable into util so it can be used by both auth provider and crd controllers
  • add unit test and e2e test for cert store references across namespace

Note: a doc PR will be created in the doc repo

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):

Fixes #1061

Type of change

Please delete options that are not relevant.

  • [ X ] Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Helm Chart Change (any edit/addition/update that is necessary for changes merged to the main branch)
  • [X ] This change requires a documentation update

How Has This Been Tested?

  • cli scenario covered by cli test
  • validated namespace is append they don't exist
  • validated if namespace is already provided, they are not overridden

@susanshi susanshi changed the title set certstore namespace fix: set default certstore namespace in notation verifier to uniquely identify certificate store resource Oct 18, 2023
@codecov
Copy link

codecov bot commented Oct 18, 2023

Codecov Report

Attention: 20 lines in your changes are missing coverage. Please review.

Comparison is base (f503a01) 52.31% compared to head (9588fcd) 52.39%.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1134      +/-   ##
==========================================
+ Coverage   52.31%   52.39%   +0.08%     
==========================================
  Files         101      101              
  Lines        6306     6344      +38     
==========================================
+ Hits         3299     3324      +25     
- Misses       2688     2699      +11     
- Partials      319      321       +2     
Files Coverage Δ
cmd/ratify/cmd/verify.go 61.84% <100.00%> (ø)
pkg/utils/utils.go 100.00% <ø> (ø)
pkg/verifier/factory/factory.go 60.93% <100.00%> (ø)
pkg/verifier/notation/truststore.go 85.71% <100.00%> (+0.71%) ⬆️
config/config.go 51.25% <0.00%> (-0.65%) ⬇️
pkg/controllers/certificatestore_controller.go 38.09% <0.00%> (ø)
.../common/oras/authprovider/k8secret_authprovider.go 15.68% <0.00%> (ø)
pkg/verifier/notation/notation.go 83.01% <72.72%> (-3.19%) ⬇️
pkg/controllers/verifier_controller.go 42.30% <63.15%> (+5.21%) ⬆️

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Makefile Outdated Show resolved Hide resolved
Copy link
Collaborator

@binbin-li binbin-li left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wonder if we need to update Verifier CRD to namespaced?

pkg/verifier/notation/notation.go Outdated Show resolved Hide resolved
@susanshi
Copy link
Collaborator Author

wonder if we need to update Verifier CRD to namespaced?

I think we should eventually , but we have to think more about the usecase of having namespaced verifier. This change future proofs the certStore scenario by checking if there is a verifier namespace first.

@susanshi
Copy link
Collaborator Author

Hi @binbin-li , @akashsinghal , please review the latest. thanks!

binbin-li
binbin-li previously approved these changes Oct 25, 2023
Copy link
Collaborator

@binbin-li binbin-li left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm overall!

charts/ratify/README.md Outdated Show resolved Hide resolved
defaultCertPath = "ratify-certs/notation/truststore"
verifierName = "notation"
defaultCertPath = "ratify-certs/notation/truststore"
namespaceSeperator = "/"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: is this universal? should this also be moved to global constants?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

moved to internal const. thanks!

susanshi and others added 2 commits October 26, 2023 02:39
Co-authored-by: Akash Singhal <[email protected]>
Signed-off-by: Susan Shi <[email protected]>
@susanshi
Copy link
Collaborator Author

updates pushed, @binbin-li @akashsinghal , please review when convenient. thanks!

@susanshi susanshi enabled auto-merge (squash) October 26, 2023 03:32
@susanshi susanshi merged commit ba1bb28 into ratify-project:main Oct 26, 2023
19 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

same certificateStore name in different namespace
3 participants