feat: add cosign trust policies
akashsinghal committed Apr 18, 2024
1 parent ff0a3ec commit 50f9fdc
Showing 29 changed files with 2,366 additions and 137 deletions.
36 changes: 33 additions & 3 deletions Makefile
Expand Up @@ -62,6 +62,10 @@ TEST_REGISTRY = localhost:5000
TEST_REGISTRY_USERNAME = test_user
TEST_REGISTRY_PASSWORD = test_pw

# Azure Key Vault Setup
KEYVAULT_NAME ?= ratify-akv
KEYVAULT_KEY_NAME ?= test-key

all: build test

.PHONY: build
Expand Down Expand Up @@ -340,6 +344,32 @@ e2e-cosign-setup:
./cosign-linux-amd64 sign --allow-insecure-registry --allow-http-registry --tlog-upload=false --key cosign.key ${TEST_REGISTRY}/cosign@`${GITHUB_WORKSPACE}/bin/oras manifest fetch ${TEST_REGISTRY}/cosign:signed-key --descriptor | jq .digest | xargs` && \
./cosign-linux-amd64 sign --allow-insecure-registry --allow-http-registry --tlog-upload=false --key cosign.key ${TEST_REGISTRY}/all@`${GITHUB_WORKSPACE}/bin/oras manifest fetch ${TEST_REGISTRY}/all:v0 --descriptor | jq .digest | xargs`

e2e-cosign-akv-setup:
rm -rf .staging/cosign
mkdir -p .staging/cosign
curl -sSLO https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64
mv cosign-linux-amd64 .staging/cosign
chmod +x .staging/cosign/cosign-linux-amd64

# image signed with a key from azure key vault
printf 'FROM ${ALPINE_IMAGE}\nCMD ["echo", "cosign signed akv image"]' > .staging/cosign/Dockerfile
docker buildx create --use
docker buildx build --output type=oci,dest=.staging/cosign/cosign.tar -t cosign:v0 .staging/cosign
${GITHUB_WORKSPACE}/bin/oras cp --from-oci-layout .staging/cosign/cosign.tar:v0 ${TEST_REGISTRY}/cosign:signed-key
rm .staging/cosign/cosign.tar

printf 'FROM ${ALPINE_IMAGE}\nCMD ["echo", "cosign unsigned image"]' > .staging/cosign/Dockerfile
docker buildx create --use
docker buildx build --output type=oci,dest=.staging/cosign/cosign.tar -t cosign:v0 .staging/cosign
${GITHUB_WORKSPACE}/bin/oras cp --from-oci-layout .staging/cosign/cosign.tar:v0 ${TEST_REGISTRY}/cosign:unsigned
rm .staging/cosign/cosign.tar

export COSIGN_PASSWORD="test" && \
cd .staging/cosign && \
./cosign-linux-amd64 login ${TEST_REGISTRY} -u ${TEST_REGISTRY_USERNAME} -p ${TEST_REGISTRY_PASSWORD} && \
./cosign-linux-amd64 sign --allow-insecure-registry --allow-http-registry --tlog-upload=false --key azurekms://${KEYVAULT_NAME}.vault.azure.net/${KEYVAULT_KEY_NAME} ${TEST_REGISTRY}/cosign@`${GITHUB_WORKSPACE}/bin/oras manifest fetch ${TEST_REGISTRY}/cosign:signed-key --descriptor | jq .digest | xargs` && \
./cosign-linux-amd64 sign --allow-insecure-registry --allow-http-registry --tlog-upload=false --key azurekms://${KEYVAULT_NAME}.vault.azure.net/${KEYVAULT_KEY_NAME} ${TEST_REGISTRY}/all@`${GITHUB_WORKSPACE}/bin/oras manifest fetch ${TEST_REGISTRY}/all:v0 --descriptor | jq .digest | xargs`

e2e-licensechecker-setup:
rm -rf .staging/licensechecker
mkdir -p .staging/licensechecker
Expand Down Expand Up @@ -484,7 +514,7 @@ e2e-inlinecert-setup:
.staging/notation/notation cert generate-test "alternate-cert"
NOTATION_EXPERIMENTAL=1 .staging/notation/notation sign -u ${TEST_REGISTRY_USERNAME} -p ${TEST_REGISTRY_PASSWORD} --key "alternate-cert" ${TEST_REGISTRY}/notation@`${GITHUB_WORKSPACE}/bin/oras manifest fetch ${TEST_REGISTRY}/notation:signed-alternate --descriptor | jq .digest | xargs`

e2e-azure-setup: e2e-create-all-image e2e-notation-setup e2e-notation-leaf-cert-setup e2e-cosign-setup e2e-licensechecker-setup e2e-sbom-setup e2e-schemavalidator-setup
e2e-azure-setup: e2e-create-all-image e2e-notation-setup e2e-notation-leaf-cert-setup e2e-cosign-akv-setup e2e-licensechecker-setup e2e-sbom-setup e2e-schemavalidator-setup

e2e-deploy-gatekeeper: e2e-helm-install
./.staging/helm/linux-amd64/helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
Expand Down Expand Up @@ -556,7 +586,7 @@ e2e-helm-deploy-ratify:
--set-file provider.tls.caKey=${CERT_DIR}/ca.key \
--set provider.tls.cabundle="$(shell cat ${CERT_DIR}/ca.crt | base64 | tr -d '\n')" \
--set notationCerts[0]="$$(cat ~/.config/notation/localkeys/ratify-bats-test.crt)" \
--set cosign.key="$$(cat .staging/cosign/cosign.pub)" \
--set cosignKeys[0]="$$(cat .staging/cosign/cosign.pub)" \
--set oras.useHttp=true \
--set-file dockerConfig="mount_config.json" \
--set logger.level=debug
Expand All @@ -574,7 +604,7 @@ e2e-helm-deploy-ratify-without-tls-certs:
--set gatekeeper.version=${GATEKEEPER_VERSION} \
--set featureFlags.RATIFY_CERT_ROTATION=${CERT_ROTATION_ENABLED} \
--set notaryCert="$$(cat ~/.config/notation/localkeys/ratify-bats-test.crt)" \
--set cosign.key="$$(cat .staging/cosign/cosign.pub)" \
--set cosignKeys[0]="$$(cat .staging/cosign/cosign.pub)" \
--set oras.useHttp=true \
--set-file dockerConfig="mount_config.json" \
--set logger.level=debug
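Review bot: The new `e2e-cosign-akv-setup` target fetches the cosign release binary with `curl -sSLO` and executes it with no integrity check, so a substituted or tampered download would run with the CI job's Azure Key Vault credentials; the sibling `e2e-cosign-setup` target is mostly outside this hunk and may share the issue. Pin the expected digest before the `mv`, e.g. `echo "$(COSIGN_SHA256)  cosign-linux-amd64" | sha256sum -c -`, with `COSIGN_SHA256` a new variable holding the digest taken from the release's published checksums file. The target is not declared `.PHONY` in this hunk; if the other `e2e-*-setup` targets are not declared elsewhere either, a stray file named `e2e-cosign-akv-setup` would silently turn it into a no-op. `export COSIGN_PASSWORD="test"` is carried over from the local-key recipe but is not used when signing with an `azurekms://` key, so dropping it would make the recipe's intent clearer.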
4 changes: 3 additions & 1 deletion charts/ratify/README.md
Expand Up @@ -48,8 +48,9 @@ Values marked `# DEPRECATED` in the `values.yaml` as well as **DEPRECATED** in t
| affinity | Pod affinity for the Ratify deployment | `{}` |
| tolerations | Pod tolerations for the Ratify deployment | `[]` |
| notationCerts | An array of public certificate/certificate chain used to create inline certstore used by Notation verifier | `` |
| cosignKeys | An aray of public keys used to create inline key management providers used by Cosign verifier | `[]` |
| cosign.enabled | Enables/disables cosign tag-based signature lookup in ORAS store. MUST be set to true for cosign verification. | `true` |
| cosign.key | Public certificate used by cosign verifier | `` |
| cosign.scopes | An array of scopes relevant to the single trust policy configured in Cosign verifier. A scope of '*' is a global wildcard character to represent all images apply. | `["*"]` |
| vulnerabilityreport.enabled | Enables/disables installation of vulnerability report verifier | `false` |
| vulnerabilityreport.passthrough | Enables/disables passthrough. All validation except `maximumAge` are disregarded and report content is added to verifier report | `false` |
| vulnerabilityreport.schemaURL | URL for JSON schema to validate report against | `` |
Expand Down Expand Up @@ -137,3 +138,4 @@ Values marked `# DEPRECATED` in the `values.yaml` as well as **DEPRECATED** in t
| akvCertConfig.cert2Version | **DEPRECATED** Please use `azurekeyvault.certificates` instead. Exact version of certificate to use from AKV. | `` |
| akvCertConfig.certificates | **DEPRECATED** Please use `azurekeyvault.certificates` instead. An array of certificate objects identified by `name` and `version` stored in AKV | `` |
| akvCertConfig.tenantId | **DEPRECATED** Please use `azurekeyvault.certificates` instead. TenantID of the configured AKV resource | `` |
| cosign.key | **DEPRECATED** Please use `cosignKeys` instead. Public key used by cosign verifier | `` |
4 changes: 2 additions & 2 deletions charts/ratify/templates/deployment.yaml
Expand Up @@ -88,7 +88,7 @@ spec:
name: healthz
protocol: TCP
volumeMounts:
{{- if .Values.cosign.enabled }}
{{- if and .Values.cosign.enabled .Values.cosign.key }}
- mountPath: "/usr/local/ratify-certs/cosign"
name: cosign-certs
readOnly: true
Expand Down Expand Up @@ -145,7 +145,7 @@ spec:
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumes:
{{- if .Values.cosign.enabled }}
{{- if and .Values.cosign.enabled .Values.cosign.key }}
- name: cosign-certs
secret:
secretName: {{ include "ratify.fullname" . }}-cosign-certificate
2 changes: 1 addition & 1 deletion charts/ratify/templates/secret.yaml
@@ -1,4 +1,4 @@
{{- if .Values.cosign.enabled }}
{{- if and .Values.cosign.enabled .Values.cosign.key}}
apiVersion: v1
kind: Secret
metadata:
37 changes: 25 additions & 12 deletions charts/ratify/templates/verifier.yaml
@@ -1,5 +1,4 @@
{{- $fullname := include "ratify.fullname" . -}}
---
apiVersion: config.ratify.deislabs.io/v1beta1
kind: Verifier
metadata:
Expand All @@ -16,17 +15,16 @@ spec:
certs:
{{- if or .Values.azurekeyvault.enabled .Values.akvCertConfig.enabled }}
- kmprovider-akv
{{- else }}
{{- if .Values.notationCert }}
{{- if .Values.notationCerts }}
{{- fail "Please specify notation certs with .Values.notationCerts, single certificate .Values.notationCert has been deprecated, will soon be removed." }}
{{- end }}
{{- end }}
{{- if .Values.notationCert }}
{{- if .Values.notationCerts }}
{{- fail "Please specify notation certs with .Values.notationCerts, single certificate .Values.notationCert has been deprecated, will soon be removed." }}
{{- end }}
- {{$fullname}}-notation-inline-cert
{{- end }}
{{- range $i, $cert := .Values.notationCerts }}
{{- end }}
{{- range $i, $cert := .Values.notationCerts }}
- {{$fullname}}-notation-inline-cert-{{$i}}
{{- end }}
{{- end }}
{{- end }}
trustPolicyDoc:
version: "1.0"
trustPolicies:
Expand All @@ -50,10 +48,25 @@ metadata:
helm.sh/hook-weight: "5"
spec:
name: cosign
version: 1.0.0
artifactTypes: application/vnd.dev.cosign.artifact.sig.v1+json
parameters:
key: /usr/local/ratify-certs/cosign/cosign.pub
{{- if .Values.cosign.key }}
key: {{ .Values.cosign.key | quote }}
{{- else }}
trustPolicies:
- name: default
scopes:
{{- range $i, $scope := .Values.cosign.scopes }}
- "{{$scope}}"
{{- end }}
keys:
{{- range $i, $key := .Values.cosignKeys }}
- provider: {{$fullname}}-cosign-inline-key-{{$i}}
{{- end }}
{{- if and .Values.azurekeyvault.enabled (gt (len .Values.azurekeyvault.keys) 0) }}
- provider: kmprovider-akv
{{- end }}
{{- end }}
{{- end }}
---
{{- if .Values.vulnerabilityreport.enabled }}
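Review bot: In the cosign verifier block, when `.Values.cosign.key` is set the template emits the legacy `key:` parameter and silently discards `.Values.cosignKeys` and `.Values.cosign.scopes`, so an operator who sets both ends up with a verifier that trusts only the deprecated key while the chart gives no indication. The notation branch a few lines above calls `fail` in the equivalent deprecated-plus-new situation, and the cosign branch should be consistent with it: add `{{- if and .Values.cosign.key .Values.cosignKeys }}` / `{{- fail "cosign.key is deprecated; remove it and configure cosignKeys instead" }}` / `{{- end }}` just before the `{{- if .Values.cosign.key }}`. The `gt (len .Values.azurekeyvault.keys) 0` guard presumably relies on `azurekeyvault.keys` always being defined as a list in values.yaml; if it can be absent, `len` of a nil value fails rendering, so `(len (.Values.azurekeyvault.keys | default list))` would be safer — confirm against values.yaml. When neither inline keys nor AKV keys are configured, the default trust policy is rendered with an empty `keys:` list; whether the verifier rejects that at load time or treats it as "nothing to verify" is not visible here and is worth documenting next to `cosignKeys: []`.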
3 changes: 2 additions & 1 deletion charts/ratify/values.yaml
Expand Up @@ -14,7 +14,8 @@ cosignKeys: []

cosign:
enabled: true
key: ""
scopes: ["*"] # corresponds to a single trust policy
key: "" # DEPRECATED: Use cosignKeys instead
vulnerabilityreport:
enabled: false
passthrough: false
7 changes: 6 additions & 1 deletion config/samples/config_v1beta1_verifier_cosign.yaml
Expand Up @@ -6,4 +6,9 @@ spec:
name: cosign
artifactTypes: application/vnd.dev.cosign.artifact.sig.v1+json
parameters:
key: /usr/local/ratify-certs/cosign/cosign.pub
trustPolicies:
- name: default
scopes:
- "*"
keys:
- provider: ratify-cosign-inline-key-0
9 changes: 9 additions & 0 deletions config/samples/config_v1beta_verifier_cosign_legacy.yaml
@@ -0,0 +1,9 @@
apiVersion: config.ratify.deislabs.io/v1beta1
kind: Verifier
metadata:
name: verifier-cosign
spec:
name: cosign
artifactTypes: application/vnd.dev.cosign.artifact.sig.v1+json
parameters:
key: /usr/local/ratify-certs/cosign/cosign.pub
1 change: 1 addition & 0 deletions go.mod
Expand Up @@ -122,6 +122,7 @@ require (
go.step.sm/crypto v0.44.2 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 // indirect
gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
gotest.tools/v3 v3.1.0 // indirect
sigs.k8s.io/release-utils v0.7.7 // indirect
)

7 changes: 5 additions & 2 deletions go.sum
Expand Up @@ -720,6 +720,7 @@ github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0=
github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
github.com/spf13/viper v1.18.2 h1:LUXCnvUvSM6FXAsj6nnfc8Q2tp1dIgUfY9Kc8GsSOiQ=
Expand Down Expand Up @@ -998,6 +999,7 @@ golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
Expand Down Expand Up @@ -1096,6 +1098,7 @@ golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc
golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
golang.org/x/tools v0.19.0 h1:tfGCXNR1OsFG+sVdLAitlpjAvD/I6dHDKnYrpEZUHkw=
Expand Down Expand Up @@ -1220,8 +1223,8 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
gotest.tools/v3 v3.1.0 h1:rVV8Tcg/8jHUkPUorwjaMTtemIMVXfIPKiOqnhEhakk=
gotest.tools/v3 v3.1.0/go.mod h1:fHy7eyTmJFO5bQbUsEGQ1v4m2J3Jz9eWL54TP2/ZuYQ=
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
2 changes: 1 addition & 1 deletion pkg/controllers/keymanagementprovider_controller.go
Expand Up @@ -104,7 +104,7 @@ func (r *KeyManagementProviderReconciler) Reconcile(ctx context.Context, req ctr
return ctrl.Result{}, fmt.Errorf("Error fetching keys in KMProvider %v with %v provider, error: %w", resource, keyManagementProvider.Spec.Type, err)
}
keymanagementprovider.SetCertificatesInMap(resource, certificates)
keymanagementprovider.SetKeysInMap(resource, keys)
keymanagementprovider.SetKeysInMap(resource, keyManagementProvider.Spec.Type, keys)
// merge certificates and keys status into one
maps.Copy(keyAttributes, certAttributes)
isFetchSuccessful = true
