[OCPNODE-1671] Add ClusterImagePolicy and ImagePolicy #1457
Conversation
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
|
Hello @QiWang19! Some important instructions when contributing to openshift/api: |
openshift-ci
bot
added
the
size/L
config/v1alpha1/0000_10_config-operator_01_imagepolicy.crd.yaml
Outdated
Show resolved
Hide resolved
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
@saschagrunert could you review the api? |
QiWang19
force-pushed
the
draft-sigstore
branch
4 times, most recently
from
484198d to
eb77406
Compare
openshift-ci
bot
added
size/XL
QiWang19
force-pushed
the
draft-sigstore
branch
6 times, most recently
from
2f22c0b to
0d6b7b0
Compare
|
|
||
| // PublicKey defines the root of trust based on a sigstore public key. | ||
| type PublicKey struct { | ||
| // keyData contains inline base64 encoded data of the public key. |
There was a problem hiding this comment.
This one didn't get PEM encoding change
| // +kubebuilder:validation:Required | ||
| // +kubebuilder:validation:MaxLength=8192 | ||
| KeyData string `json:"keyData"` | ||
| // rekorKeyData contains inline base64 data of the Rekor public key. |
There was a problem hiding this comment.
This should mention pem format
| // oidcIssuer contains the expected OIDC issuer. | ||
| // Example: "https://expected.OIDC.issuer/" |
There was a problem hiding this comment.
Are we expecting the OIDC issuer to expose the well known endpoint under this path?
|
I think the OIDC issuer field needs a little more depth to the godoc there. I assume, since I'm semi familiar with OIDC, that the expectation is that the URL will be prepended to In that case I'd want to mention that the issue URL should be the full URL including any subpath that the issuer is hosted on and that the issuer URL will be used to discover jwt keys or whatever it's being used for |
I am not sure the implementation for these CRDs can be finished before the feature freeze. The second commit can have the API built and we can develop and test the CRD functions on the cluster. |
|
we have merged the feature gate #1470 for this API. |
@mtrmac Could you take a look? We added the check for |
…
It’s that kind of value, yes, but not necessarily precisely that one, and nothing is going to reach out to the URL. Verification happens off-line. What is actually verified is that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at the user-specified URL. And when Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. It is usually the So the closest direct spec is the c/image does not do any validation of the string, and requires a (byte-for-byte) exact match between the configuration and the certificate extension field. So I would caution against any effort to normalize the users’ input. (I’m afraid I haven’t been paying close attention to this PR.) |
QiWang19
force-pushed
the
draft-sigstore
branch
from
a5af136 to
797d09e
Compare
openshift-ci
bot
added
size/XXL
QiWang19
force-pushed
the
draft-sigstore
branch
from
797d09e to
02db01b
Compare
|
/test e2e-azure |
|
@JoelSpeed PTAL |
|
@mtrmac Would it be fair then to add to the oidcIssuer field an expanded comment that explains what you've just said? That this should typically match the issuer field in the ... That way users might have an idea of where they may be able to find this value or verify the value matches some other source at the least |
|
The c/image documentation just says
I don’t have a strong opinion on whether the details of the field mapping are worth emphasizing. In the worst case, the signature enforcement currently fails with |
Add API for ClusterImagePolicy, ImagePolicy CRD Signed-off-by: Qi Wang <[email protected]>
QiWang19
force-pushed
the
draft-sigstore
branch
from
02db01b to
0412357
Compare
|
@JoelSpeed I updated the comment for oidcIssuer, PTAL |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: JoelSpeed, QiWang19, saschagrunert The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
@QiWang19: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
[ART PR BUILD NOTIFIER] This PR has been included in build ose-cluster-config-api-container-v4.16.0-202312130634.p0.gef62af0.assembly.stream for distgit ose-cluster-config-api. |
Add ImagePolicy struct of ImagePolicy CRD for image sigstore signature verification.
enhancement: openshift/enhancements#1402
Epic: https://issues.redhat.com/browse/OCPNODE-1628