Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[RFC-0003] Implement OCIRepository verification using Cosign #876

Merged
merged 12 commits into from
Sep 22, 2022
Merged

[RFC-0003] Implement OCIRepository verification using Cosign #876

merged 12 commits into from
Sep 22, 2022

Conversation

developer-guy
Copy link
Member

@developer-guy developer-guy commented Aug 26, 2022
edited by stefanprodan
Loading

This PR implements cosign verification as specified in RFC-0003 Flux OCI support for Kubernetes manifests.

Usage example

Verify with Cosign public keys stored in a Kubernetes secret:

apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: podinfo-deploy-signed-with-key
spec:
  interval: 5m
  url: oci://ghcr.io/stefanprodan/podinfo-deploy
  ref:
    semver: "6.2.x"
  verify:
    provider: cosign
    secretRef:
      name: cosign-key

Verify with Cosign keyless using Rekor public instance:

apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: podinfo-deploy-signed-with-keyless
spec:
  interval: 5m
  url: oci://ghcr.io/stefanprodan/manifests/podinfo
  ref:
    semver: "6.2.x"
  verify:
    provider: cosign

Fixes #863

Authors:

@developer-guy
Copy link
Member Author

We haven't tested it yet, but we'll ASAP. We'll remove the WIP label right after it.

@stefanprodan
Copy link
Member

Wow cosign comes with 900+ dependencies? 😱

@hiddeco
Copy link
Member

hiddeco commented Aug 26, 2022

Seems to (partly) be due to go mod not being run with -compat:

$ git diff --stat
 go.mod | 12 ------------
 go.sum | 59 -----------------------------------------------------------
 2 files changed, 71 deletions(-)

@stefanprodan
Copy link
Member

@developer-guy please run make generate manifests api-docs tidy vet before a commit.

@makkes makkes added the area/oci OCI related issues and pull requests label Aug 26, 2022
aryan9600
aryan9600 reviewed Aug 26, 2022
View reviewed changes
internal/verify/verifier.go Outdated Show resolved Hide resolved
controllers/ocirepository_controller.go Outdated Show resolved Hide resolved
makkes
makkes reviewed Aug 26, 2022
View reviewed changes
api/v1beta2/ocirepository_types.go Outdated Show resolved Hide resolved
controllers/ocirepository_controller.go Outdated Show resolved Hide resolved
internal/verify/cosign/client.go Outdated Show resolved Hide resolved
internal/verify/cosign/client.go Outdated Show resolved Hide resolved
internal/verify/cosign/client.go Outdated Show resolved Hide resolved
internal/verify/verifier.go Outdated Show resolved Hide resolved
@developer-guy developer-guy force-pushed the feature/863 branch 2 times, most recently from 0577461 to 3b966fe Compare August 27, 2022 11:33
@developer-guy developer-guy requested review from makkes, stefanprodan, aryan9600 and hiddeco and removed request for makkes, stefanprodan, aryan9600 and hiddeco August 27, 2022 11:34
@stefanprodan stefanprodan force-pushed the feature/863 branch 3 times, most recently from 3a2c636 to 27e121a Compare September 20, 2022 13:00
@stefanprodan
Refactor internal OCI package
082028e 
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
@stefanprodan stefanprodan force-pushed the feature/863 branch 7 times, most recently from ca91b26 to c72b4e3 Compare September 20, 2022 17:42
@stefanprodan
Retry failed verifications with exponential backoff
7c92949 
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
@stefanprodan stefanprodan mentioned this pull request Sep 21, 2022
Closed
@darkowlzz
Copy link
Contributor

If I configure verification but don't provide a secret ref:

spec:
  interval: 1m0s
  provider: generic
  ref:
    tag: "1"
  timeout: 60s
  url: oci://example.com/local-dev/hello-world
  verify:
    provider: cosign

This happens

failed to verify the signature using provider 'cosign': unable to get Fulcio root certs: initializing tuf: creating cached local store: mkdir /.sigstore: read-only file system

I don't think it's clear what's wrong reading the error.
It's set in the SourceVerified condition and also sent as notification to NC.

@developer-guy
Copy link
Member Author

If I configure verification but don't provide a secret ref:

spec:
  interval: 1m0s
  provider: generic
  ref:
    tag: "1"
  timeout: 60s
  url: oci://example.com/local-dev/hello-world
  verify:
    provider: cosign

This happens

failed to verify the signature using provider 'cosign': unable to get Fulcio root certs: initializing tuf: creating cached local store: mkdir /.sigstore: read-only file system

I don't think it's clear what's wrong reading the error. It's set in the SourceVerified condition and also sent as notification to NC.

This one is related to the deployment of your source-controller, you need to set the following environment variable to the source-controller deployment as we did in the PR:

env:
 - name: TUF_ROOT # store the Fulcio root CA file in tmp
   value: "/tmp/.sigstore"

@darkowlzz
Copy link
Contributor

This one is related to the deployment of your source-controller, you need to set the following environment variable to the source-controller deployment

@developer-guy that's keyless verification. The issue is with the error not being clear about what happened. There's a log line that tells that keyless verification is attempted:

{"level":"info","ts":"2022-09-21T17:52:59.649Z","msg":"no secret reference is provided, trying to verify the image using keyless approach","controller":"ocirepository","controllerGroup":"source.toolkit.fluxcd.io","controllerKind":"OCIRepository","oCIRepository":{"name":"hello-world","namespace":"default"},"namespace":"default","name":"hello-world","reconcileID":"92f0cc39-caa9-4876-a1ed-1b68016fee54"}

but it's not clear from the notification, event and status condition messages. It'd be good to amend the error with more context.

@darkowlzz darkowlzz mentioned this pull request Sep 21, 2022
Merged
@stefanprodan
Update sigstore/cosign to v1.12.1
b5ffc9f 
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
@stefanprodan
Add tests for keyless verification
3b637a8 
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
@stefanprodan
Copy link
Member

It'd be good to amend the error with more context.

Agreed, I've added the keyless method to the verification error along with a test for it.

darkowlzz
darkowlzz approved these changes Sep 22, 2022
View reviewed changes
Copy link
Contributor

@darkowlzz darkowlzz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@stefanprodan stefanprodan merged commit c9a5a56 into fluxcd:main Sep 22, 2022
@stefanprodan stefanprodan deleted the feature/863 branch September 22, 2022 10:04
This was referenced Sep 26, 2022
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rashedkvm rashedkvm rashedkvm left review comments

@aryan9600 aryan9600 aryan9600 requested changes

@Dentrax Dentrax Dentrax left review comments

@souleb souleb souleb left review comments

@hiddeco hiddeco hiddeco left review comments

@cpanato cpanato cpanato left review comments

@stefanprodan stefanprodan stefanprodan approved these changes

@darkowlzz darkowlzz darkowlzz approved these changes

@makkes makkes makkes approved these changes

Assignees
No one assigned
Labels
area/oci OCI related issues and pull requests
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[RFC-0003] Verify OCI artifacts with cosign static keys
10 participants
@developer-guy @stefanprodan @hiddeco @Dentrax @darkowlzz @makkes @cpanato @souleb @aryan9600 @rashedkvm