Merge pull request #4160 from QiWang19/cluster-policies

OCPNODE-1632: Support Cluster ImagePolicy CRD

cmd/machine-config-controller/start.go

@@ -171,6 +171,7 @@ func createControllers(ctx *ctrlcommon.ControllerContext) []ctrlcommon.Controlle
 			ctx.ConfigInformerFactory.Config().V1().Images(),
 			ctx.ConfigInformerFactory.Config().V1().ImageDigestMirrorSets(),
 			ctx.ConfigInformerFactory.Config().V1().ImageTagMirrorSets(),
+			ctx.ConfigInformerFactory,
 			ctx.OperatorInformerFactory.Operator().V1alpha1().ImageContentSourcePolicies(),
 			ctx.ConfigInformerFactory.Config().V1().ClusterVersions(),
 			ctx.ClientBuilder.KubeClientOrDie("container-runtime-config-controller"),

docs/ClusterImagePolicyDesign.md

@@ -0,0 +1,98 @@
+## Summary
+ClusterImagePolicy CRD is managed by ContainerRuntimeConfig controller. This CRD allows setting up configurations for CRI-O to verify the container images signed using [Sigstore](https://www.sigstore.dev/) tools.
+
+## Goals
+Generating corresponding CRI-O configuration files for image signature verification. Rollout ClusterImagePolicy to `/etc/containers/policy.json` for cluster wide configuration. Roll out the registries configuration to `/etc/containers/registries.d/sigstore-registries.yaml`.
+
+## Non-Goals
+Rolling out configuration for OCP payload repositories. The (super scope of) OCP payload repositories will not be written to the configuration files. 
+
+## CRD
+[ClusterImagePolicy CRD](https://github.com/openshift/api/blob/master/config/v1alpha1/0000_10_config-operator_01_clusterimagepolicy-TechPreviewNoUpgrade.crd.yaml)
+
+## Example
+
+Below is an example of a ClusterImagePolicy CRD.
+
+```yaml
+apiVersion: config.openshift.io/v1alpha1
+kind: ClusterImagePolicy 
+metadata:
+  name: p0
+spec:
+  scopes:
+    - registry.ci.openshift.org
+    - example.com/global
+  policy:
+    rootOfTrust:
+      policyType: PublicKey
+      publicKey:
+        keyData: Zm9vIGJhcg==
+    signedIdentity:
+      matchPolicy: MatchRepoDigestOrExact
+```
+
+Save the above clusterimagepolicy locally, for example as pubKeyPolicy.yaml.
+Now apply the clusterimagepolicy that you created:
+
+```shell
+oc apply -f pubKeyPolicy.yaml
+```
+
+Check that it was created:
+
+```shell
+oc get clusterimagepolicy
+NAME   AGE
+p0     9s
+
+```
+
+## Validation and Troubleshooting
+The status.conditions.message field shows if the CR has conflicting scope(s). The below ClusterImagePolicy is in pending status because the scope for OCP release payload is skipped.
+
+```shell
+# the clusterimagepolicy has scope registry.build05.ci.openshift.org that is the OCP release payload repository
+$ oc describe clusterimagepolicy.config.openshift.io/p0
+...
+...
+Status:
+  Conditions:
+    Last Transition Time:  2024-02-04T03:24:36Z
+    Message:               has conflict scope(s) ["registry.build05.ci.openshift.org"] of Openshift payload repository registry.build05.ci.openshift.org/ci-ln-gfmf0yb/release, skip the scope(s)
+    Observed Generation:   1
+    Reason:                ConflictScopes
+    Status:                True
+    Type:                  Pending
+```
+
+The machine-config-controller logs will show the error message if the ClusterImagePolicy and Image CR has conflicting configurations. Controller will fail to roll out the CR. 
+- if blocked registries configured by Image CR exist, the clusterimagepolicy scopes must not equal to or nested under blockedRegistries
+- if allowed registries configured by Image CR exist, the clusterimagepolicy scopes nested under the allowedRegistries
+For example, the below error message is shown when the ClusterImagePolicy and blockedRegistries of Image CR has conflicting configurations.
+
+```shell
+I0204 03:51:18.253145       1 container_runtime_config_controller.go:497] Error syncing image config openshift-config: could not Create/Update MachineConfig: could not update policy json with new changes: clusterimagePolicy configured for the scope example.com/global is nested inside blockedRegistries ```
+```
+
+## Implementation Details
+The ContainerRuntimeConfigController would perform the following steps:
+
+1. Validate the ClusterImagePolicy objects are not for OCP release payload repositories.
+
+2. Render the current MachineConfigs (storage.files.contents[policy.json]) into the originalPolicyIgn
+
+3. Serialize the cluster level policies to `policy.json`.
+
+4. Add registries configuration to `sigstore-registries.yaml`. This configuration is used to specify the sigstore is being used as the image signature verification backend. 
+
+5. Update the ignition file `/etc/containers/policy.json` within the `99-<pool>-generated-registries` MachineConfig.
+
+6. Create or Update the ignition file `/etc/containers/registries.d/sigstore-registries.yaml` within the `99-<pool>-generated-imagepolicies` MachineConfig. 
+
+After deletion all of the ClusterImagePolicy instance the config will be reverted to the original policy.json.
+
+## See Also
+see **[containers-policy.json(5)](https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md)**, **[containers-registries.d(5)](https://github.com/containers/image/blob/main/docs/containers-registries.d.5.md)**  for more information.
+
+

hack/crds-sync.sh

@@ -17,7 +17,7 @@ for crd in "${CRDS_MAPPING[@]}" ; do
 done
 
 #this one goes in manifests rather than install, but should it? 
+cp "vendor/github.com/openshift/api/config/v1alpha1/0000_10_config-operator_01_clusterimagepolicy-TechPreviewNoUpgrade.crd.yaml" "install/0000_10_config-operator_01_clusterimagepolicy-TechPreviewNoUpgrade.crd.yaml"
 cp "vendor/github.com/openshift/api/machineconfiguration/v1/0000_80_controllerconfig.crd.yaml" "manifests/controllerconfig.crd.yaml"
 cp "vendor/github.com/openshift/api/machineconfiguration/v1alpha1/0000_80_machineconfignode-TechPreviewNoUpgrade.crd.yaml" "manifests/0000_80_machine-config-operator_01_machineconfignode-TechPreviewNoUpgrade.crd.yaml" 
 cp "vendor/github.com/openshift/api/operator/v1/0000_80_machine-config-operator_01_config.crd.yaml" "install/0000_80_machine-config-operator_01_config.crd.yaml"
-