coyote240 · coyote240 · Feb 9, 2022 · Feb 10, 2022 · Feb 14, 2022 · Feb 15, 2022
diff --git a/.gitignore b/.gitignore
@@ -27,3 +27,5 @@
 
 bin*
 dist/
+
+vendor/
diff --git a/Makefile b/Makefile
@@ -100,6 +100,10 @@ cross:
 	go build -trimpath -ldflags "$(LDFLAGS)" -o cosign-$(GOOS)-$(GOARCH) ./cmd/cosign; \
 	shasum -a 256 cosign-$(GOOS)-$(GOARCH) > cosign-$(GOOS)-$(GOARCH).sha256 ))) \
 
+.PHONY: manifests
+manifests:
+	controller-gen object crd:trivialVersions=true,preserveUnknownFields=false rbac:roleName=cosigned-rbac webhook paths="./pkg/cosign/kubernetes/api/..." output:crd:artifacts:config=config/crd/bases
+
 #####################
 # lint / test section
 #####################
@@ -145,10 +149,15 @@ ko:
 
 .PHONY: ko-local
 ko-local:
+	#LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
+	#ko publish --base-import-paths --bare \
+	#	--tags $(GIT_VERSION) --tags $(GIT_HASH) --local \
+	#	github.com/sigstore/cosign/cmd/cosign
+
 	LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
 	ko publish --base-import-paths --bare \
 		--tags $(GIT_VERSION) --tags $(GIT_HASH) --local \
-		github.com/sigstore/cosign/cmd/cosign
+		github.com/sigstore/cosign/cmd/cosign/webhook
 
 ##################
 # help

diff --git a/cmd/cosign/webhook/main.go b/cmd/cosign/webhook/main.go
@@ -36,6 +36,7 @@ import (
 	"knative.dev/pkg/webhook/resourcesemantics/defaulting"
 	"knative.dev/pkg/webhook/resourcesemantics/validation"
 
+	"github.com/sigstore/cosign/pkg/cosign/kubernetes/api/sigstore.dev/v1alpha1"
 	cwebhook "github.com/sigstore/cosign/pkg/cosign/kubernetes/webhook"
 	"github.com/sigstore/cosign/pkg/version"
 )
@@ -66,6 +67,8 @@ func main() {
 		certificates.NewController,
 		NewValidatingAdmissionController,
 		NewMutatingAdmissionController,
+		NewPolicyValidatingAdmissionController,
+		NewPolicyMutatingAdmissionController,
 	)
 }
 
@@ -138,3 +141,33 @@ func NewMutatingAdmissionController(ctx context.Context, cmw configmap.Watcher)
 		false,
 	)
 }
+
+func NewPolicyValidatingAdmissionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
+	return validation.NewAdmissionController(
+		ctx,
+		"validating.clusterimagepolicy.sigstore.dev",
+		"/validate-sigstore-dev-v1alpha1-clusterimagepolicy",
+		map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
+			v1alpha1.SchemeGroupVersion.WithKind("ClusterImagePolicy"): &v1alpha1.ClusterImagePolicy{},
+		},
+		func(ctx context.Context) context.Context {
+			return ctx
+		},
+		true,
+	)
+}
+
+func NewPolicyMutatingAdmissionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
+	return defaulting.NewAdmissionController(
+		ctx,
+		"defaulting.clusterimagepolicy.sigstore.dev",
+		"/default-sigstore-dev-v1alpha1-clusterimagepolicy",
+		map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
+			v1alpha1.SchemeGroupVersion.WithKind("ClusterImagePolicy"): &v1alpha1.ClusterImagePolicy{},
+		},
+		func(ctx context.Context) context.Context {
+			return ctx
+		},
+		true,
+	)
+}
diff --git a/config/200-clusterrole.yaml b/config/200-clusterrole.yaml
@@ -28,7 +28,7 @@ rules:
   - apiGroups: ["admissionregistration.k8s.io"]
     resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
     verbs: ["get", "update"]
-    resourceNames: ["cosigned.sigstore.dev"]
+    resourceNames: ["cosigned.sigstore.dev", "defaulting.clusterimagepolicy.sigstore.dev", "validating.clusterimagepolicy.sigstore.dev"]
 
   - apiGroups: [""]
     resources: ["namespaces"]

diff --git a/config/crd/bases/sample.yaml b/config/crd/bases/sample.yaml
@@ -0,0 +1,20 @@
+apiVersion: sigstore.dev/v1alpha1
+kind: ClusterImagePolicy
+metadata:
+  name: my-snazzy-policy
+spec:
+  images:
+    - pattern: "*"
+      authorities:
+        - key:
+            data: ---key---
+---
+apiVersion: sigstore.dev/v1alpha1
+kind: ClusterImagePolicy
+metadata:
+  name: my-busted-policy
+spec:
+  images:
+    - pattern: "*"
+      authorities: 
+        - key: {}
diff --git a/config/crd/bases/sigstore.dev_clusterimagepolicies.yaml b/config/crd/bases/sigstore.dev_clusterimagepolicies.yaml
@@ -0,0 +1,123 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.1
+  creationTimestamp: null
+  name: clusterimagepolicies.sigstore.dev
+spec:
+  group: sigstore.dev
+  names:
+    kind: ClusterImagePolicy
+    listKind: ClusterImagePolicyList
+    plural: clusterimagepolicies
+    singular: clusterimagepolicy
+  scope: Cluster
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              images:
+                items:
+                  properties:
+                    authorities:
+                      items:
+                        minProperties: 1
+                        properties:
+                          ctlog:
+                            properties:
+                              url:
+                                type: string
+                            required:
+                            - url
+                            type: object
+                          key:
+                            minProperties: 1
+                            properties:
+                              data:
+                                type: string
+                              kms:
+                                type: string
+                              secretRef:
+                                properties:
+                                  name:
+                                    type: string
+                                required:
+                                - name
+                                type: object
+                            type: object
+                          keyless:
+                            maxProperties: 1
+                            properties:
+                              ca-key:
+                                properties:
+                                  data:
+                                    type: string
+                                  name:
+                                    type: string
+                                required:
+                                - data
+                                - name
+                                type: object
+                              identities:
+                                items:
+                                  properties:
+                                    issuer:
+                                      type: string
+                                    subject:
+                                      type: string
+                                  required:
+                                  - issuer
+                                  - subject
+                                  type: object
+                                type: array
+                            type: object
+                          source:
+                            items:
+                              properties:
+                                oci:
+                                  type: string
+                              required:
+                              - oci
+                              type: object
+                            type: array
+                        type: object
+                      minItems: 1
+                      type: array
+                    pattern:
+                      type: string
+                  required:
+                  - authorities
+                  - pattern
+                  type: object
+                minItems: 1
+                type: array
+            type: object
+        required:
+        - metadata
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
diff --git a/config/webhook.yaml b/config/webhook.yaml
@@ -42,7 +42,7 @@ spec:
       - name: webhook
         # This is the Go import path for the binary that is containerized
         # and substituted here.
-        image: ko://github.com/sigstore/cosign/cmd/cosign/webhook
+        image: ko.local/webhook:d3e16ab2998b056f06eeb52e3d01db83fbf21da351281c672c5f07c879662dac
         args: ["-secret-name=verification-key"]
         resources:
           requests:
@@ -103,4 +103,4 @@ metadata:
   namespace: cosign-system
 # stringData:
 #   cosign.pub: |
-#     <PEM encoded public key>
+#     <PEM encoded public key>
diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml
@@ -0,0 +1,56 @@
+
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  creationTimestamp: null
+  name: defaulting.clusterimagepolicy.sigstore.dev
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook
+      namespace: cosign-system
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: defaulting.clusterimagepolicy.sigstore.dev
+  rules:
+  - apiGroups:
+    - sigstore.dev
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - clusterimagepolicies
+  sideEffects: None
+
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  creationTimestamp: null
+  name: validation.clusterimagepolicy.sigstore.dev
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook
+      namespace: cosign-system
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validation.clusterimagepolicy.sigstore.dev
+  rules:
+  - apiGroups:
+    - sigstore.dev
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - clusterimagepolicies
+  sideEffects: None
diff --git a/go.mod b/go.mod
@@ -56,7 +56,11 @@ require (
 	github.com/urfave/cli v1.22.5 // indirect
 	go.opentelemetry.io/contrib v1.3.0 // indirect
 	go.opentelemetry.io/proto/otlp v0.12.0 // indirect
+	go.uber.org/zap v1.20.0
 	golang.org/x/net v0.0.0-20220121210141-e204ce36a2ba // indirect
-	k8s.io/kube-openapi v0.0.0-20220124234850-424119656bbf // indirect
+	k8s.io/code-generator v0.22.5
+	k8s.io/kube-openapi v0.0.0-20220124234850-424119656bbf
+	knative.dev/hack v0.0.0-20220118141833-9b2ed8471e30
+	sigs.k8s.io/controller-tools v0.4.1 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
 )