-
Notifications
You must be signed in to change notification settings - Fork 64
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: refactor cosign verification error messages #1750
Conversation
feat: refresher interface fix: formatting and license test: kuberefresher test: kuberefresher helpers refactor: IsRefreshable KMP interface method fix: add IsRefreshable method refactor: kmp spec interval as string mod: rm todo mod: rm comment style: use embedded type feat: namespaced refresher interface test: mock factory & test refreshable logic refactor: use kubeRefreshNamespaced in controller mod: add license blocks refactor: kmp.spec.interval default to empty string disabling refresh tests: increase refresher coverage refactor(kmp): use factory for creating refresher objects This change introduces a RefresherFactory that is responsible for creating the appropriate refresher object based on a configuration that's passed in. This decouples the reconcile logic from the object creation, making the code more modular and easier to test mod: rename interval to refreshinterval & adds crd descriptions mod: remove verbose logging from refresher docs: kmp refresh interval samples doc: corrected resource name of akv samples fix: kmp spec json tag using incorrect values & add refresh interval description fix: add licenses & update interval name in tests mod: comments for exported interfaces test: improve refresher test coverage Signed-off-by: Joshua Duffney <[email protected]>
Signed-off-by: Joshua Duffney <[email protected]>
Signed-off-by: Joshua Duffney <[email protected]>
Signed-off-by: Joshua Duffney <[email protected]>
Signed-off-by: Joshua Duffney <[email protected]>
Signed-off-by: Joshua Duffney <[email protected]>
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.17.0 to 0.17.1. - [Release notes](https://github.com/anchore/sbom-action/releases) - [Commits](anchore/sbom-action@d94f46e...ab9d16d) --- updated-dependencies: - dependency-name: anchore/sbom-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Joshua Duffney <[email protected]>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.0 to 3.26.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@eb055d7...29d86d2) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Joshua Duffney <[email protected]>
Signed-off-by: Joshua Duffney <[email protected]>
…ect#1697) Signed-off-by: Joshua Duffney <[email protected]>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.1 to 3.26.2. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@29d86d2...429e197) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Joshua Duffney <[email protected]>
Signed-off-by: Yi Zha <[email protected]> Signed-off-by: Joshua Duffney <[email protected]>
Codecov ReportAttention: Patch coverage is
|
360d80b
to
381d61a
Compare
86e32c9
to
fac5b5a
Compare
fac5b5a
to
99bd939
Compare
99bd939
to
7bd896d
Compare
7bd896d
to
0c99179
Compare
I've resolved comments from @yizha1 at the PR from my forked repo: binbin-li#230 |
0c99179
to
51d56e5
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for adding this! Left some non blocking comments.
@@ -46,7 +46,7 @@ func getCosignReferences(ctx context.Context, subjectReference common.Reference, | |||
return nil, nil | |||
} | |||
evictOnError(ctx, err, subjectReference.Original) | |||
return nil, re.ErrorCodeRepositoryOperationFailure.WithError(err).WithComponentType(re.ReferrerStore) | |||
return nil, re.ErrorCodeRepositoryOperationFailure.WithDetail(fmt.Sprintf("Failed to validate the signature of the artifact: %+v", subjectReference)).WithError(err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: consider adding cosign
in the error message since it's co-sign specific. Also maybe adding failed to validate existence of cosign signature
instead?
@@ -224,18 +224,18 @@ func (v *cosignVerifier) verifyInternal(ctx context.Context, subjectReference co | |||
// get the reference manifest (cosign oci image) | |||
referenceManifest, err := referrerStore.GetReferenceManifest(ctx, subjectReference, referenceDescriptor) | |||
if err != nil { | |||
return errorToVerifyResult(v.name, v.verifierType, fmt.Errorf("failed to get reference manifest: %w", err)), nil | |||
return errorToVerifyResult(v.name, v.verifierType, re.ErrorCodeVerifyPluginFailure.WithDetail(fmt.Sprintf("Failed to get artifact metadata for %s", referenceDescriptor.Digest)).WithError(err)), nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return errorToVerifyResult(v.name, v.verifierType, re.ErrorCodeVerifyPluginFailure.WithDetail(fmt.Sprintf("Failed to get artifact metadata for %s", referenceDescriptor.Digest)).WithError(err)), nil | |
return errorToVerifyResult(v.name, v.verifierType, re.ErrorCodeVerifyPluginFailure.WithDetail(fmt.Sprintf("Failed to get cosign signature metadata for %s", referenceDescriptor.Digest)).WithError(err)), nil |
@@ -540,14 +540,14 @@ func verifyWithKeys(ctx context.Context, keysMap map[PKKey]keymanagementprovider | |||
if pubKey.ProviderType == azurekeyvault.ProviderName { | |||
hashType, sig, err = processAKVSignature(sigEncoded, sig, pubKey.Key, payload, staticOpts) | |||
if err != nil { | |||
return verifications, false, fmt.Errorf("failed to process AKV signature: %w", err) | |||
return verifications, false, re.ErrorCodeVerifyPluginFailure.WithDetail("Failed to validate the Cosign signature generated by AKV").WithError(err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return verifications, false, re.ErrorCodeVerifyPluginFailure.WithDetail("Failed to validate the Cosign signature generated by AKV").WithError(err) | |
return verifications, false, re.ErrorCodeVerifyPluginFailure.WithDetail("Failed to validate the Cosign signature generated by Azure Key Vault").WithError(err) |
Signed-off-by: akashsinghal <[email protected]>
Description
What this PR does / why we need it:
This PR is based on #1730, check the actual diff at: binbin-li#230
It refactors error messages involved in Cosign signature validation, improving the clarity of error messages and providing more intuitive remediation steps for users.
For errors that are self-explanatory, I have not included remediation steps.
Which issue(s) this PR fixes (optional, using
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close the issue(s) when the PR gets merged):Part of work for #1321
Type of change
Please delete options that are not relevant.
main
branch)How Has This Been Tested?
Please describe the tests that you ran to verify your changes. Please also list any relevant details for your test configuration
Checklist:
Post Merge Requirements
Helm Chart Change