Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SECURESIGN-1014 | Add support for Trusted Timestamp Authorities in SecureSign #456

Merged
merged 9 commits into from
Aug 19, 2024
Merged

SECURESIGN-1014 | Add support for Trusted Timestamp Authorities in SecureSign #456

merged 9 commits into from
Aug 19, 2024

Conversation

JasonPowr
Copy link
Contributor

@JasonPowr JasonPowr commented Jun 21, 2024
edited
Loading

Opening this as a draft pr, so far this is just the basic deployment of the Timestamp Authority. just looking for some feedback. jira: https://issues.redhat.com/browse/SECURESIGN-1014

Testing

  1. Build and deploy operator
  2. TSA should come up with the rest of the stack
  3. Sign an image with the flag --timestamp-server-url=$TSA_URL eg
TSA_URL=https://<tsa-url>/api/v1/timestamp
cosign sign -y --timestamp-server-url=$TSA_URL <image>
  1. To verify the timestamp you need to retrieve the certificate chain using curl https://<tsa-url>/api/v1/timestamp/certchain > ts_chain.pem, then run the cosign verify cmd like so:
cosign verify --timestamp-certificate-chain=ts_chain_local.pem <image>

TODO

improve e2e and upgrade test

@JasonPowr JasonPowr force-pushed the configurable-trusted-timestamp-auth branch from 75de16f to 171b90d Compare July 2, 2024 11:29
@JasonPowr JasonPowr force-pushed the configurable-trusted-timestamp-auth branch from a0bb1a0 to 1282868 Compare July 4, 2024 11:34
@JasonPowr JasonPowr force-pushed the configurable-trusted-timestamp-auth branch from 4150c71 to 3259955 Compare July 8, 2024 07:28
@JasonPowr JasonPowr force-pushed the configurable-trusted-timestamp-auth branch 2 times, most recently from 0959e74 to 0e16cd0 Compare July 15, 2024 15:51
@JasonPowr JasonPowr force-pushed the configurable-trusted-timestamp-auth branch 3 times, most recently from 21c3783 to 080759a Compare July 18, 2024 07:22
@JasonPowr JasonPowr marked this pull request as ready for review July 18, 2024 07:22
@openshift-ci openshift-ci bot requested review from cooktheryan and lkatalin July 18, 2024 07:22
@JasonPowr
Copy link
Contributor Author

/test tas-operator-e2e

osmman
osmman requested changes Jul 18, 2024
View reviewed changes
api/v1alpha1/common.go Outdated Show resolved Hide resolved
api/v1alpha1/common.go Outdated Show resolved Hide resolved
api/v1alpha1/timestampauthority_types.go Show resolved Hide resolved
api/v1alpha1/timestampauthority_types.go Outdated Show resolved Hide resolved
api/v1alpha1/timestampauthority_types.go Outdated Show resolved Hide resolved
api/v1alpha1/timestampauthority_types.go Outdated Show resolved Hide resolved
api/v1alpha1/timestampauthority_types.go Outdated Show resolved Hide resolved
api/v1alpha1/common.go Outdated Show resolved Hide resolved
@JasonPowr JasonPowr force-pushed the configurable-trusted-timestamp-auth branch 2 times, most recently from a481720 to d53a47d Compare July 18, 2024 13:15
@JasonPowr JasonPowr force-pushed the configurable-trusted-timestamp-auth branch 11 times, most recently from 7bead72 to 513bfc9 Compare August 16, 2024 08:22
@JasonPowr
Copy link
Contributor Author

/test tas-operator-e2e

1 similar comment
@JasonPowr
Copy link
Contributor Author

/test tas-operator-e2e

@JasonPowr JasonPowr requested review from osmman and bouskaJ August 16, 2024 15:09
osmman
osmman reviewed Aug 19, 2024
View reviewed changes
Copy link
Contributor

@osmman osmman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I installed sample Securesign resource and I am getting this status condition on TSA object:

status:
  conditions:
    - message: ''
      reason: Ready
      status: 'True'
      type: Ready
    - message: ''
      reason: Pending
      status: Unknown
      type: TSASignerCondition
    - message: Ingress created
      reason: Creating
      status: 'False'
      type: TSAServerCondition

It looks like that TSA service has been deployed correctly but status of TSASignerCondition and TSAServerCondition are not positive.

internal/controller/tsa/actions/generate_signer_test.go Outdated Show resolved Hide resolved
@JasonPowr JasonPowr force-pushed the configurable-trusted-timestamp-auth branch from 513bfc9 to 04a08c5 Compare August 19, 2024 12:39
@JasonPowr
Copy link
Contributor Author

JasonPowr commented Aug 19, 2024
edited
Loading

@osmman Should be resolved now, I also made those changes to the tests

status:
  conditions:
  - lastTransitionTime: "2024-08-19T12:37:36Z"
    message: ""
    reason: Ready
    status: "True"
    type: Ready
  - lastTransitionTime: "2024-08-19T12:37:26Z"
    message: ""
    reason: Resolved
    status: "True"
    type: TSASignerCondition
  - lastTransitionTime: "2024-08-19T12:37:36Z"
    message: ""
    reason: Ready
    status: "True"
    type: TSAServerCondition

osmman
osmman approved these changes Aug 19, 2024
View reviewed changes
Copy link
Contributor

@osmman osmman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Aug 19, 2024
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Aug 19, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: JasonPowr, osmman

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@JasonPowr
Copy link
Contributor Author

/unhold

@JasonPowr JasonPowr merged commit 372011c into main Aug 19, 2024
15 of 16 checks passed
@osmman osmman deleted the configurable-trusted-timestamp-auth branch September 17, 2024 12:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@osmman osmman osmman approved these changes

@cooktheryan cooktheryan Awaiting requested review from cooktheryan

@lkatalin lkatalin Awaiting requested review from lkatalin

@bouskaJ bouskaJ Awaiting requested review from bouskaJ

Assignees

@osmman osmman

Labels
approved lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@JasonPowr @osmman @bouskaJ @openshift-merge-robot