remove trusted-resources-config

This commit removes trusted-resources-config. The deprecation is
announced in release v0.45. The reason of removing is that
trusted-resources-config is used to store public keys for verificaiton
but Verification Policy has already covered all the functionalities and
has more advanced features. Since there are not any other fields in
trusted-resources-config we decided to remove it.

Closes #5852

Signed-off-by: Yongxuan Zhang [email protected]

config/controller.yaml

@@ -88,10 +88,6 @@ spec:
           mountPath: /etc/config-logging
         - name: config-registry-cert
           mountPath: /etc/config-registry-cert
-        # Mount secret for trusted resources
-        - name: verification-secrets
-          mountPath: /etc/verification-secrets
-          readOnly: true
         env:
         - name: SYSTEM_NAMESPACE
           valueFrom:
@@ -116,8 +112,6 @@ spec:
           value: config-leader-election
         - name: CONFIG_SPIRE
           value: config-spire
-        - name: CONFIG_TRUSTED_RESOURCES_NAME
-          value: config-trusted-resources
         - name: SSL_CERT_FILE
           value: /etc/config-registry-cert/cert
         - name: SSL_CERT_DIR
@@ -172,11 +166,6 @@ spec:
         - name: config-registry-cert
           configMap:
             name: config-registry-cert
-        # Mount secret for trusted resources
-        - name: verification-secrets
-          secret:
-            secretName: verification-secrets
-            optional: true
 ---
 apiVersion: v1
 kind: Service

docs/trusted-resources.md

@@ -69,37 +69,6 @@ Or patch the new values:
 kubectl patch configmap feature-flags -n tekton-pipelines -p='{"data":{"resource-verification-mode":"enforce"}}
 ```
 
-
-#### Config key at configmap (Deprecated)
-
-**Note:** key configuration in configmap is deprecated, the issue [#5852](https://github.com/tektoncd/pipeline/issues/5852) will track the deprecation. Please use [VerificationPolicy](#config-key-at-verificationpolicy) instead.
-
-Multiple keys reference should be separated by comma. If the resource can pass any key in the list, it will pass the verification.
-
-We currently hardcode SHA256 as hashfunc for loading public keys as verifiers.
-
-Public key files should be added into secret and mounted into controller volumes. To add keys into secret you may execute:
-
-```shell
-kubectl create secret generic verification-secrets \
-  --from-file=cosign.pub=./cosign.pub \
-    --from-file=cosign.pub=./cosign2.pub \
-  -n tekton-pipelines
-```
-
-```yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: config-trusted-resources
-  namespace: tekton-pipelines
-  labels:
-    app.kubernetes.io/instance: default
-    app.kubernetes.io/part-of: tekton-pipelines
-data:
-  publickeys: "/etc/verification-secrets/cosign.pub, /etc/verification-secrets/cosign2.pub"
-```
-
 #### Config key at VerificationPolicy
 VerificationPolicy supports SecretRef or encoded public key data.
 

pkg/apis/config/store.go

@@ -33,7 +33,6 @@ type Config struct {
 	ArtifactBucket   *ArtifactBucket
 	ArtifactPVC      *ArtifactPVC
 	Metrics          *Metrics
-	TrustedResources *TrustedResources
 	SpireConfig      *sc.SpireConfig
 }
 
@@ -57,7 +56,6 @@ func FromContextOrDefaults(ctx context.Context) *Config {
 	artifactBucket, _ := NewArtifactBucketFromMap(map[string]string{})
 	artifactPVC, _ := NewArtifactPVCFromMap(map[string]string{})
 	metrics, _ := newMetricsFromMap(map[string]string{})
-	trustedresources, _ := NewTrustedResourcesConfigFromMap(map[string]string{})
 	spireconfig, _ := NewSpireConfigFromMap(map[string]string{})
 
 	return &Config{
@@ -66,7 +64,6 @@ func FromContextOrDefaults(ctx context.Context) *Config {
 		ArtifactBucket:   artifactBucket,
 		ArtifactPVC:      artifactPVC,
 		Metrics:          metrics,
-		TrustedResources: trustedresources,
 		SpireConfig:      spireconfig,
 	}
 }
@@ -95,7 +92,6 @@ func NewStore(logger configmap.Logger, onAfterStore ...func(name string, value i
 				GetArtifactBucketConfigName():   NewArtifactBucketFromConfigMap,
 				GetArtifactPVCConfigName():      NewArtifactPVCFromConfigMap,
 				GetMetricsConfigName():          NewMetricsFromConfigMap,
-				GetTrustedResourcesConfigName(): NewTrustedResourcesConfigFromConfigMap,
 				GetSpireConfigName():            NewSpireConfigFromConfigMap,
 			},
 			onAfterStore...,
@@ -133,10 +129,7 @@ func (s *Store) Load() *Config {
 	if metrics == nil {
 		metrics, _ = newMetricsFromMap(map[string]string{})
 	}
-	trustedresources := s.UntypedLoad(GetTrustedResourcesConfigName())
-	if trustedresources == nil {
-		trustedresources, _ = NewTrustedResourcesConfigFromMap(map[string]string{})
-	}
+
 	spireconfig := s.UntypedLoad(GetSpireConfigName())
 	if spireconfig == nil {
 		spireconfig, _ = NewSpireConfigFromMap(map[string]string{})
@@ -148,7 +141,6 @@ func (s *Store) Load() *Config {
 		ArtifactBucket:   artifactBucket.(*ArtifactBucket).DeepCopy(),
 		ArtifactPVC:      artifactPVC.(*ArtifactPVC).DeepCopy(),
 		Metrics:          metrics.(*Metrics).DeepCopy(),
-		TrustedResources: trustedresources.(*TrustedResources).DeepCopy(),
 		SpireConfig:      spireconfig.(*sc.SpireConfig).DeepCopy(),
 	}
 }

pkg/apis/config/store_test.go

@@ -34,15 +34,13 @@ func TestStoreLoadWithContext(t *testing.T) {
 	artifactBucketConfig := test.ConfigMapFromTestFile(t, "config-artifact-bucket")
 	artifactPVCConfig := test.ConfigMapFromTestFile(t, "config-artifact-pvc")
 	metricsConfig := test.ConfigMapFromTestFile(t, "config-observability")
-	trustedresourcesConfig := test.ConfigMapFromTestFile(t, "config-trusted-resources")
 	spireConfig := test.ConfigMapFromTestFile(t, "config-spire")
 
 	expectedDefaults, _ := config.NewDefaultsFromConfigMap(defaultConfig)
 	expectedFeatures, _ := config.NewFeatureFlagsFromConfigMap(featuresConfig)
 	expectedArtifactBucket, _ := config.NewArtifactBucketFromConfigMap(artifactBucketConfig)
 	expectedArtifactPVC, _ := config.NewArtifactPVCFromConfigMap(artifactPVCConfig)
 	metrics, _ := config.NewMetricsFromConfigMap(metricsConfig)
-	expectedTrustedResources, _ := config.NewTrustedResourcesConfigFromConfigMap(trustedresourcesConfig)
 	expectedSpireConfig, _ := config.NewSpireConfigFromConfigMap(spireConfig)
 
 	expected := &config.Config{
@@ -51,7 +49,6 @@ func TestStoreLoadWithContext(t *testing.T) {
 		ArtifactBucket:   expectedArtifactBucket,
 		ArtifactPVC:      expectedArtifactPVC,
 		Metrics:          metrics,
-		TrustedResources: expectedTrustedResources,
 		SpireConfig:      expectedSpireConfig,
 	}
 
@@ -61,7 +58,6 @@ func TestStoreLoadWithContext(t *testing.T) {
 	store.OnConfigChanged(artifactBucketConfig)
 	store.OnConfigChanged(artifactPVCConfig)
 	store.OnConfigChanged(metricsConfig)
-	store.OnConfigChanged(trustedresourcesConfig)
 	store.OnConfigChanged(spireConfig)
 
 	cfg := config.FromContext(store.ToContext(context.Background()))
@@ -77,7 +73,6 @@ func TestStoreLoadWithContext_Empty(t *testing.T) {
 	artifactBucket, _ := config.NewArtifactBucketFromMap(map[string]string{})
 	artifactPVC, _ := config.NewArtifactPVCFromMap(map[string]string{})
 	metrics, _ := config.NewMetricsFromConfigMap(&corev1.ConfigMap{Data: map[string]string{}})
-	trustedresources, _ := config.NewTrustedResourcesConfigFromMap(map[string]string{})
 	spireConfig, _ := config.NewSpireConfigFromMap(map[string]string{})
 
 	want := &config.Config{
@@ -86,7 +81,6 @@ func TestStoreLoadWithContext_Empty(t *testing.T) {
 		ArtifactBucket:   artifactBucket,
 		ArtifactPVC:      artifactPVC,
 		Metrics:          metrics,
-		TrustedResources: trustedresources,
 		SpireConfig:      spireConfig,
 	}