Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Provenance attesattion for artifacts #2300

Merged
merged 9 commits into from
Nov 15, 2021
Merged

Provenance attesattion for artifacts #2300

merged 9 commits into from
Nov 15, 2021

Conversation

puerco
Copy link
Member

@puerco puerco commented Nov 2, 2021

What type of PR is this?

/kind feature

What this PR does / why we need it:

Which issue(s) this PR fixes:

This PR adds the final bit to make all artifacts in the release bucket SLSA1 compliant. We still have to publish the attestations for the container images but we now have a way to check the provenance of all released artifacts.

The final in-toto attestation is composed by parsing the release SBOM, adding the data from the artifacts and then reusing the SLSA predicate from the staging provenance bucket.

Signed-off-by: Adolfo García Veytia (Puerco) [email protected]

Special notes for your reviewer:

Part of #2267

Test run: https://console.cloud.google.com/cloud-build/builds;region=global/66ca2089-2c31-4bdb-8cdd-93342681d166?project=kubernetes-release-test
(Se sample provenance data attached bellow)

Does this PR introduce a user-facing change?

Releases now publish a provenance attestation with a SLSA 0.1 predicate describing all artifacts in the release bucket.

puerco added 5 commits November 2, 2021 01:53
@puerco
spdx parser: Fix bug in File.Name and NONE Dnld
7864d0f 
This commit fixes a bug where the parser would register literal "NONE" in DownloadLocation
and another where Files woule not have their filename correctly set.

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
@puerco
spdx: SLSA Provenance export
edd4da1 
This commit adds the capability to spdx documents to be exported as SLSA
statements. Provenance attestations can now be created from a SPDX SBOM.

The statment object now supports returning its contents as JSON besides
writing to a file.

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
@puerco
Regenerate provenance fakeks
0613f5c 
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
@puerco
release: Add end-user provenance generator
a7978bb 
The provenance checker now has the capability to create new end-user provenance
attestaions by crossing data from the staging provenance and the sbom.

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
@puerco
anago/release: Regenerate fakes
20d4773 
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-priority size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Nov 2, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: puerco

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. area/release-eng Issues or PRs related to the Release Engineering subproject sig/release Categorizes an issue or PR as relevant to SIG Release. labels Nov 2, 2021
@puerco puerco mentioned this pull request Nov 2, 2021
Closed
15 tasks
@puerco
Copy link
Member Author

puerco commented Nov 2, 2021

Sample attestation: provenance.json.gz

@puerco
Copy link
Member Author

puerco commented Nov 2, 2021
edited
Loading

Updated provcenance data with paths to actual release bucket locations: provenance.json.gz

And last successfull release run: https://console.cloud.google.com/cloud-build/builds;region=global/9b353695-1d41-48ec-87c3-f542c9158a07?project=kubernetes-release-test

@jimangel jimangel mentioned this pull request Nov 2, 2021
Closed
17 tasks
@palnabarun
Copy link
Member

/cc
(will have a look on Saturday)

palnabarun
palnabarun requested changes Nov 13, 2021
View reviewed changes
Copy link
Member

@palnabarun palnabarun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a few small nits, LGTM otherwise!

Great work as always! 💯

I had fun reading through the SLSA Provenance specification and understanding it. Looking forward to the update to v0.2 as well. :)

pkg/anago/release.go Outdated Show resolved Hide resolved
pkg/provenance/statement.go Outdated Show resolved Hide resolved
@puerco
anago/release: Push SLSA attestations to bucket
ee88267 
This commit sends the SLSA provenance attestations to the release
bucket when pushing during release.

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
@puerco
Fix TestCheckProvenance (adding mock state)
b5938e9 
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
@puerco
provenance: Rewrite links to artifact locations in the bucket
bba225c 
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
@puerco
Update release steps total count to 11
a4f6884 
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
@puerco
Copy link
Member Author

puerco commented Nov 14, 2021

Yay, thank a lot @palnabarun , the two nits are addressed and we are should be ready to get the provenance attestations out of the build after we cut the next releases. The SLSA 0.2 types have not yet merged yet: in-toto/in-toto-golang#156 but ill start working to move to 0.2 based on @priyawadhwa 's PR.
Thank you!

@palnabarun
Copy link
Member

/lgtm

@palnabarun
Copy link
Member

Thank you, Adolfo!

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 15, 2021
@k8s-ci-robot k8s-ci-robot merged commit 58b4fff into kubernetes:master Nov 15, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.23 milestone Nov 15, 2021
@cpanato
Copy link
Member

cpanato commented Nov 15, 2021

late /lgtm

thanks for the hard work on this

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@palnabarun palnabarun palnabarun requested changes

@saschagrunert saschagrunert Awaiting requested review from saschagrunert

@xmudrii xmudrii Awaiting requested review from xmudrii

Assignees

@palnabarun palnabarun

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/release-eng Issues or PRs related to the Release Engineering subproject cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/release Categorizes an issue or PR as relevant to SIG Release. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
v1.23
Development

Successfully merging this pull request may close these issues.
4 participants
@puerco @k8s-ci-robot @palnabarun @cpanato