Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[TEP-0091] Trusted resources alpha add sigstore packages #5552

Merged

Conversation

Yongxuanzhang
Copy link
Member

@Yongxuanzhang Yongxuanzhang commented Sep 23, 2022

Changes

This commit is part of the work of trusted resources, it introduces the
dependency of sigstore/sigstore by adding signing and verifying
functions to the code base. Those functions are not invoked in this
commit but will be used in the following work.

/kind feature

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

  • Has Docs included if any changes are user facing
  • Has Tests included if any functionality added or changed
  • Follows the commit message standard
  • Meets the Tekton contributor standards (including
    functionality, content, code)
  • Has a kind label. You can add one by adding a comment on this PR that contains /kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tep
  • Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings)
  • Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

NONE

@tekton-robot
Copy link
Collaborator

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@tekton-robot tekton-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. release-note-none Denotes a PR that doesnt merit a release note. kind/feature Categorizes issue or PR as related to a new feature. labels Sep 23, 2022
@tekton-robot tekton-robot added the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label Sep 23, 2022
@Yongxuanzhang Yongxuanzhang changed the title Trusted resources alpha sign verify [TEP-0091] Trusted resources alpha add sigstore packages Sep 23, 2022
@Yongxuanzhang Yongxuanzhang marked this pull request as ready for review September 23, 2022 19:30
@tekton-robot tekton-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 23, 2022
@Yongxuanzhang
Copy link
Member Author

What I'm worried about is the huge added lines of code into vendor. 😟
Any suggestions or help would be appreciated! 🙏

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/trustedresources/sign.go Do not exist 76.7%
pkg/reconciler/trustedresources/testing.go Do not exist 80.0%
pkg/reconciler/trustedresources/verify.go Do not exist 87.5%

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/trustedresources/sign.go Do not exist 76.7%
pkg/reconciler/trustedresources/testing.go Do not exist 80.0%
pkg/reconciler/trustedresources/verify.go Do not exist 87.5%

// clientsetscheme "k8s.io/client-go/kubernetes/scheme"
// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme"
// )
// import (
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like these are unnecessary tabs introduced.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!!

@Yongxuanzhang Yongxuanzhang force-pushed the trusted-resources-alpha-sign-verify branch from 97fd530 to 628943d Compare September 26, 2022 16:45
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/trustedresources/sign.go Do not exist 76.7%
pkg/reconciler/trustedresources/testing.go Do not exist 80.0%
pkg/reconciler/trustedresources/verify.go Do not exist 87.5%

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/trustedresources/sign.go Do not exist 76.7%
pkg/reconciler/trustedresources/verify.go Do not exist 87.5%

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/trustedresources/sign.go Do not exist 76.7%
pkg/reconciler/trustedresources/verify.go Do not exist 87.5%

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/trustedresources/sign.go Do not exist 76.7%
pkg/reconciler/trustedresources/verify.go Do not exist 87.5%

)

// signInterface returns the encoded signature for the given object.
func signInterface(signer signature.Signer, i interface{}) (string, error) {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This function is not used in other packages at this commit, I guess we should make them unexported?

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/trustedresources/sign.go Do not exist 76.7%
pkg/reconciler/trustedresources/verify.go Do not exist 87.5%

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/trustedresources/sign.go Do not exist 76.7%
pkg/reconciler/trustedresources/verify.go Do not exist 87.5%

"os"
"path/filepath"

"github.com/sigstore/cosign/pkg/cosign"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd drop the signing from this PR, since the pipeline controller will primarily be interested in verification only. (signing will likely be more relevant for CLI / CLI plugin).

In generaly, I'd avoid taking on the cosign dependency unless it's absolutely necessary - as you can see from the vendor directory, there's a ton of dependencies.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm remembering now - you're using this for testing.

It looks like you're using cosign mostly for the key generation - you can drop this in favor of generating + loading the key directly via one of the load functions in https://pkg.go.dev/github.com/sigstore/sigstore/pkg/signature

e.g. you could replace most of this with something like:

key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err ...
sv, err := signature.LoadECDSASignerVerifier(key, crypto.SHA256)
if err ...
return sv

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure! Thanks! I will try it out!

"os"
"path/filepath"

"github.com/sigstore/cosign/pkg/cosign"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm remembering now - you're using this for testing.

It looks like you're using cosign mostly for the key generation - you can drop this in favor of generating + loading the key directly via one of the load functions in https://pkg.go.dev/github.com/sigstore/sigstore/pkg/signature

e.g. you could replace most of this with something like:

key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err ...
sv, err := signature.LoadECDSASignerVerifier(key, crypto.SHA256)
if err ...
return sv

)

func init() {
os.Setenv("SYSTEM_NAMESPACE", namespace)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the preferred way of doing this is is to import knative.dev/pkg/testing.

I'm also curious why you need this if we're not verifying any controller functionality yet 🤔

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be the piece of code I forgot to remove 🥲

"os"
"path/filepath"

"github.com/sigstore/cosign/pkg/cosign"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/trustedresources/sign.go Do not exist 76.7%
pkg/reconciler/trustedresources/verify.go Do not exist 87.5%

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/trustedresources/sign.go Do not exist 76.6%
pkg/reconciler/trustedresources/verify.go Do not exist 87.5%

Copy link
Member

@wlynch wlynch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@tekton-robot tekton-robot added lgtm Indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed lgtm Indicates that a PR is ready to be merged. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Sep 27, 2022
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/trustedresources/sign.go Do not exist 77.8%
pkg/reconciler/trustedresources/verify.go Do not exist 87.5%

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/trustedresources/sign.go Do not exist 77.8%
pkg/reconciler/trustedresources/verify.go Do not exist 87.5%

@Yongxuanzhang Yongxuanzhang force-pushed the trusted-resources-alpha-sign-verify branch from a0574bf to 3322d72 Compare September 27, 2022 17:01
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/trustedresources/sign.go Do not exist 77.8%
pkg/reconciler/trustedresources/verify.go Do not exist 87.5%

@Yongxuanzhang Yongxuanzhang force-pushed the trusted-resources-alpha-sign-verify branch 2 times, most recently from 775abbb to fec4d52 Compare September 27, 2022 17:15
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/trustedresources/sign.go Do not exist 77.8%
pkg/reconciler/trustedresources/verify.go Do not exist 87.5%

@Yongxuanzhang Yongxuanzhang force-pushed the trusted-resources-alpha-sign-verify branch from fec4d52 to 287ddcb Compare September 27, 2022 17:20
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/trustedresources/sign.go Do not exist 77.8%
pkg/reconciler/trustedresources/verify.go Do not exist 87.5%

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/trustedresources/sign.go Do not exist 81.8%
pkg/reconciler/trustedresources/verify.go Do not exist 87.5%

This commit is part of the work of trusted resources, it introduces the
dependency of sigstore by adding signing and verifying
functions to the code base. Those functions are not invoked in this
commit but will be used in the following work.
update
@Yongxuanzhang Yongxuanzhang force-pushed the trusted-resources-alpha-sign-verify branch from edde682 to 99f6580 Compare September 28, 2022 18:56
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/trustedresources/sign.go Do not exist 81.8%
pkg/reconciler/trustedresources/verify.go Do not exist 87.5%

@dibyom
Copy link
Member

dibyom commented Sep 28, 2022

/approve

@tekton-robot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dibyom, wlynch

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 28, 2022
@wlynch
Copy link
Member

wlynch commented Sep 28, 2022

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Sep 28, 2022
@tekton-robot tekton-robot merged commit 2c24caa into tektoncd:main Sep 28, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/feature Categorizes issue or PR as related to a new feature. lgtm Indicates that a PR is ready to be merged. release-note-none Denotes a PR that doesnt merit a release note. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants