Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add cosign trust policies #1381

Merged
merged 9 commits into from
Apr 24, 2024
Merged

feat: add cosign trust policies #1381

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
50f9fdc
feat: add cosign trust policies
akashsinghal Apr 18, 2024
31db6c7
update extension config for verifier report
akashsinghal Apr 20, 2024
ac7a0fc
address comments
akashsinghal Apr 22, 2024
1f361bb
Merge branch 'dev' into akashsinghal/trustpolicies
akashsinghal Apr 22, 2024
812e0a6
fix
akashsinghal Apr 22, 2024
f8c365a
add version
akashsinghal Apr 22, 2024
fe94194
create akv helper
akashsinghal Apr 22, 2024
dcef905
comments
akashsinghal Apr 23, 2024
63a4f93
Merge branch 'dev' into akashsinghal/trustpolicies
akashsinghal Apr 23, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 33 additions & 3 deletions Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,10 @@ TEST_REGISTRY = localhost:5000
TEST_REGISTRY_USERNAME = test_user
TEST_REGISTRY_PASSWORD = test_pw

# Azure Key Vault Setup
KEYVAULT_NAME ?= ratify-akv
KEYVAULT_KEY_NAME ?= test-key

all: build test

.PHONY: build
Expand Down Expand Up @@ -340,6 +344,32 @@ e2e-cosign-setup:
./cosign-linux-amd64 sign --allow-insecure-registry --allow-http-registry --tlog-upload=false --key cosign.key ${TEST_REGISTRY}/cosign@`${GITHUB_WORKSPACE}/bin/oras manifest fetch ${TEST_REGISTRY}/cosign:signed-key --descriptor | jq .digest | xargs` && \
./cosign-linux-amd64 sign --allow-insecure-registry --allow-http-registry --tlog-upload=false --key cosign.key ${TEST_REGISTRY}/all@`${GITHUB_WORKSPACE}/bin/oras manifest fetch ${TEST_REGISTRY}/all:v0 --descriptor | jq .digest | xargs`

e2e-cosign-akv-setup:
rm -rf .staging/cosign
mkdir -p .staging/cosign
curl -sSLO https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64
akashsinghal marked this conversation as resolved.
Show resolved Hide resolved
mv cosign-linux-amd64 .staging/cosign
chmod +x .staging/cosign/cosign-linux-amd64

# image signed with a key from azure key vault
printf 'FROM ${ALPINE_IMAGE}\nCMD ["echo", "cosign signed akv image"]' > .staging/cosign/Dockerfile
docker buildx create --use
docker buildx build --output type=oci,dest=.staging/cosign/cosign.tar -t cosign:v0 .staging/cosign
${GITHUB_WORKSPACE}/bin/oras cp --from-oci-layout .staging/cosign/cosign.tar:v0 ${TEST_REGISTRY}/cosign:signed-key
rm .staging/cosign/cosign.tar

printf 'FROM ${ALPINE_IMAGE}\nCMD ["echo", "cosign unsigned image"]' > .staging/cosign/Dockerfile
docker buildx create --use
docker buildx build --output type=oci,dest=.staging/cosign/cosign.tar -t cosign:v0 .staging/cosign
${GITHUB_WORKSPACE}/bin/oras cp --from-oci-layout .staging/cosign/cosign.tar:v0 ${TEST_REGISTRY}/cosign:unsigned
rm .staging/cosign/cosign.tar

export COSIGN_PASSWORD="test" && \
cd .staging/cosign && \
./cosign-linux-amd64 login ${TEST_REGISTRY} -u ${TEST_REGISTRY_USERNAME} -p ${TEST_REGISTRY_PASSWORD} && \
./cosign-linux-amd64 sign --allow-insecure-registry --allow-http-registry --tlog-upload=false --key azurekms://${KEYVAULT_NAME}.vault.azure.net/${KEYVAULT_KEY_NAME} ${TEST_REGISTRY}/cosign@`${GITHUB_WORKSPACE}/bin/oras manifest fetch ${TEST_REGISTRY}/cosign:signed-key --descriptor | jq .digest | xargs` && \
./cosign-linux-amd64 sign --allow-insecure-registry --allow-http-registry --tlog-upload=false --key azurekms://${KEYVAULT_NAME}.vault.azure.net/${KEYVAULT_KEY_NAME} ${TEST_REGISTRY}/all@`${GITHUB_WORKSPACE}/bin/oras manifest fetch ${TEST_REGISTRY}/all:v0 --descriptor | jq .digest | xargs`
akashsinghal marked this conversation as resolved.
Show resolved Hide resolved

e2e-licensechecker-setup:
rm -rf .staging/licensechecker
mkdir -p .staging/licensechecker
Expand Down Expand Up @@ -484,7 +514,7 @@ e2e-inlinecert-setup:
.staging/notation/notation cert generate-test "alternate-cert"
NOTATION_EXPERIMENTAL=1 .staging/notation/notation sign -u ${TEST_REGISTRY_USERNAME} -p ${TEST_REGISTRY_PASSWORD} --key "alternate-cert" ${TEST_REGISTRY}/notation@`${GITHUB_WORKSPACE}/bin/oras manifest fetch ${TEST_REGISTRY}/notation:signed-alternate --descriptor | jq .digest | xargs`

e2e-azure-setup: e2e-create-all-image e2e-notation-setup e2e-notation-leaf-cert-setup e2e-cosign-setup e2e-licensechecker-setup e2e-sbom-setup e2e-schemavalidator-setup
e2e-azure-setup: e2e-create-all-image e2e-notation-setup e2e-notation-leaf-cert-setup e2e-cosign-akv-setup e2e-licensechecker-setup e2e-sbom-setup e2e-schemavalidator-setup

e2e-deploy-gatekeeper: e2e-helm-install
./.staging/helm/linux-amd64/helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
Expand Down Expand Up @@ -556,7 +586,7 @@ e2e-helm-deploy-ratify:
--set-file provider.tls.caKey=${CERT_DIR}/ca.key \
--set provider.tls.cabundle="$(shell cat ${CERT_DIR}/ca.crt | base64 | tr -d '\n')" \
--set notationCerts[0]="$$(cat ~/.config/notation/localkeys/ratify-bats-test.crt)" \
--set cosign.key="$$(cat .staging/cosign/cosign.pub)" \
--set cosignKeys[0]="$$(cat .staging/cosign/cosign.pub)" \
--set oras.useHttp=true \
--set-file dockerConfig="mount_config.json" \
--set logger.level=debug
Expand All @@ -574,7 +604,7 @@ e2e-helm-deploy-ratify-without-tls-certs:
--set gatekeeper.version=${GATEKEEPER_VERSION} \
--set featureFlags.RATIFY_CERT_ROTATION=${CERT_ROTATION_ENABLED} \
--set notaryCert="$$(cat ~/.config/notation/localkeys/ratify-bats-test.crt)" \
--set cosign.key="$$(cat .staging/cosign/cosign.pub)" \
--set cosignKeys[0]="$$(cat .staging/cosign/cosign.pub)" \
--set oras.useHttp=true \
--set-file dockerConfig="mount_config.json" \
--set logger.level=debug
Expand Down
4 changes: 3 additions & 1 deletion charts/ratify/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,8 +48,9 @@ Values marked `# DEPRECATED` in the `values.yaml` as well as **DEPRECATED** in t
| affinity | Pod affinity for the Ratify deployment | `{}` |
| tolerations | Pod tolerations for the Ratify deployment | `[]` |
| notationCerts | An array of public certificate/certificate chain used to create inline certstore used by Notation verifier | `` |
| cosignKeys | An aray of public keys used to create inline key management providers used by Cosign verifier | `[]` |
akashsinghal marked this conversation as resolved.
Show resolved Hide resolved
| cosign.enabled | Enables/disables cosign tag-based signature lookup in ORAS store. MUST be set to true for cosign verification. | `true` |
| cosign.key | Public certificate used by cosign verifier | `` |
| cosign.scopes | An array of scopes relevant to the single trust policy configured in Cosign verifier. A scope of '*' is a global wildcard character to represent all images apply. | `["*"]` |
| vulnerabilityreport.enabled | Enables/disables installation of vulnerability report verifier | `false` |
| vulnerabilityreport.passthrough | Enables/disables passthrough. All validation except `maximumAge` are disregarded and report content is added to verifier report | `false` |
| vulnerabilityreport.schemaURL | URL for JSON schema to validate report against | `` |
Expand Down Expand Up @@ -137,3 +138,4 @@ Values marked `# DEPRECATED` in the `values.yaml` as well as **DEPRECATED** in t
| akvCertConfig.cert2Version | **DEPRECATED** Please use `azurekeyvault.certificates` instead. Exact version of certificate to use from AKV. | `` |
| akvCertConfig.certificates | **DEPRECATED** Please use `azurekeyvault.certificates` instead. An array of certificate objects identified by `name` and `version` stored in AKV | `` |
| akvCertConfig.tenantId | **DEPRECATED** Please use `azurekeyvault.certificates` instead. TenantID of the configured AKV resource | `` |
| cosign.key | **DEPRECATED** Please use `cosignKeys` instead. Public key used by cosign verifier | `` |
4 changes: 2 additions & 2 deletions charts/ratify/templates/deployment.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -88,7 +88,7 @@ spec:
name: healthz
protocol: TCP
volumeMounts:
{{- if .Values.cosign.enabled }}
{{- if and .Values.cosign.enabled .Values.cosign.key }}
- mountPath: "/usr/local/ratify-certs/cosign"
name: cosign-certs
readOnly: true
Expand Down Expand Up @@ -145,7 +145,7 @@ spec:
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumes:
{{- if .Values.cosign.enabled }}
{{- if and .Values.cosign.enabled .Values.cosign.key }}
- name: cosign-certs
secret:
secretName: {{ include "ratify.fullname" . }}-cosign-certificate
Expand Down
2 changes: 1 addition & 1 deletion charts/ratify/templates/secret.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
{{- if .Values.cosign.enabled }}
{{- if and .Values.cosign.enabled .Values.cosign.key}}
apiVersion: v1
kind: Secret
metadata:
Expand Down
37 changes: 25 additions & 12 deletions charts/ratify/templates/verifier.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,4 @@
{{- $fullname := include "ratify.fullname" . -}}
---
apiVersion: config.ratify.deislabs.io/v1beta1
kind: Verifier
metadata:
Expand All @@ -16,17 +15,16 @@ spec:
certs:
{{- if or .Values.azurekeyvault.enabled .Values.akvCertConfig.enabled }}
- kmprovider-akv
{{- else }}
{{- if .Values.notationCert }}
{{- if .Values.notationCerts }}
{{- fail "Please specify notation certs with .Values.notationCerts, single certificate .Values.notationCert has been deprecated, will soon be removed." }}
{{- end }}
{{- end }}
{{- if .Values.notationCert }}
{{- if .Values.notationCerts }}
{{- fail "Please specify notation certs with .Values.notationCerts, single certificate .Values.notationCert has been deprecated, will soon be removed." }}
{{- end }}
- {{$fullname}}-notation-inline-cert
{{- end }}
{{- range $i, $cert := .Values.notationCerts }}
{{- end }}
{{- range $i, $cert := .Values.notationCerts }}
- {{$fullname}}-notation-inline-cert-{{$i}}
{{- end }}
{{- end }}
{{- end }}
trustPolicyDoc:
version: "1.0"
trustPolicies:
Expand All @@ -50,10 +48,25 @@ metadata:
helm.sh/hook-weight: "5"
spec:
name: cosign
version: 1.0.0
artifactTypes: application/vnd.dev.cosign.artifact.sig.v1+json
parameters:
key: /usr/local/ratify-certs/cosign/cosign.pub
{{- if .Values.cosign.key }}
key: {{ .Values.cosign.key | quote }}
{{- else }}
trustPolicies:
- name: default
scopes:
{{- range $i, $scope := .Values.cosign.scopes }}
- "{{$scope}}"
{{- end }}
keys:
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

record a demo and get experience feedback

{{- range $i, $key := .Values.cosignKeys }}
- provider: {{$fullname}}-cosign-inline-key-{{$i}}
akashsinghal marked this conversation as resolved.
Show resolved Hide resolved
{{- end }}
{{- if and .Values.azurekeyvault.enabled (gt (len .Values.azurekeyvault.keys) 0) }}
- provider: kmprovider-akv
{{- end }}
{{- end }}
{{- end }}
---
{{- if .Values.vulnerabilityreport.enabled }}
Expand Down
3 changes: 2 additions & 1 deletion charts/ratify/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,8 @@ cosignKeys: []

cosign:
enabled: true
key: ""
scopes: ["*"] # corresponds to a single trust policy
key: "" # DEPRECATED: Use cosignKeys instead
vulnerabilityreport:
enabled: false
passthrough: false
Expand Down
7 changes: 6 additions & 1 deletion config/samples/config_v1beta1_verifier_cosign.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,4 +6,9 @@ spec:
name: cosign
artifactTypes: application/vnd.dev.cosign.artifact.sig.v1+json
parameters:
key: /usr/local/ratify-certs/cosign/cosign.pub
trustPolicies:
- name: default
scopes:
- "*"
keys:
- provider: ratify-cosign-inline-key-0
9 changes: 9 additions & 0 deletions config/samples/config_v1beta_verifier_cosign_legacy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
apiVersion: config.ratify.deislabs.io/v1beta1
kind: Verifier
metadata:
name: verifier-cosign
spec:
name: cosign
artifactTypes: application/vnd.dev.cosign.artifact.sig.v1+json
parameters:
key: /usr/local/ratify-certs/cosign/cosign.pub
1 change: 1 addition & 0 deletions go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -122,6 +122,7 @@ require (
go.step.sm/crypto v0.44.2 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 // indirect
gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
gotest.tools/v3 v3.1.0 // indirect
sigs.k8s.io/release-utils v0.7.7 // indirect
)

Expand Down
7 changes: 5 additions & 2 deletions go.sum
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -720,6 +720,7 @@ github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0=
github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
github.com/spf13/viper v1.18.2 h1:LUXCnvUvSM6FXAsj6nnfc8Q2tp1dIgUfY9Kc8GsSOiQ=
Expand Down Expand Up @@ -998,6 +999,7 @@ golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
Expand Down Expand Up @@ -1096,6 +1098,7 @@ golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc
golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
golang.org/x/tools v0.19.0 h1:tfGCXNR1OsFG+sVdLAitlpjAvD/I6dHDKnYrpEZUHkw=
Expand Down Expand Up @@ -1220,8 +1223,8 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
gotest.tools/v3 v3.1.0 h1:rVV8Tcg/8jHUkPUorwjaMTtemIMVXfIPKiOqnhEhakk=
gotest.tools/v3 v3.1.0/go.mod h1:fHy7eyTmJFO5bQbUsEGQ1v4m2J3Jz9eWL54TP2/ZuYQ=
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
Expand Down
2 changes: 1 addition & 1 deletion pkg/controllers/keymanagementprovider_controller.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -104,7 +104,7 @@ func (r *KeyManagementProviderReconciler) Reconcile(ctx context.Context, req ctr
return ctrl.Result{}, fmt.Errorf("Error fetching keys in KMProvider %v with %v provider, error: %w", resource, keyManagementProvider.Spec.Type, err)
}
keymanagementprovider.SetCertificatesInMap(resource, certificates)
keymanagementprovider.SetKeysInMap(resource, keys)
keymanagementprovider.SetKeysInMap(resource, keyManagementProvider.Spec.Type, keys)
// merge certificates and keys status into one
maps.Copy(keyAttributes, certAttributes)
isFetchSuccessful = true
Expand Down
Loading
Loading