OCPNODE-2439: Add support for BYOPKI

[harche]

This PR modifies existing image policy enhancement for image verification to add support for BYOPKI use case.

[mtrmac]

A very brief skim:

• ACK on the feature set, no concerns on security. Not having wildcards simplifies things.
• I think “BYOPKI” is a possible name but not what I’d expect. “CertificateRootOfTrust” (my weak preference) or at most “PKIRootOfTrust” seems better from a quick guess.
• WRT the “chain” field… I would very weakly prefer to not have that, so that users have to explicitly decide what is the root of trust and what are intermediates; that would eliminate a class of mistakes. I can well see an argument that it is more of an inconvenience than a security improvement.
• The CertificateIdentityEntity name seems not ideal… “entity” means nothing, and maybe the type name should be more specific to pollute the wider namespace less.
• (I didn’t carefully review details of the comments nor names of the objects otherwise.)

[openshift-ci-robot]

@harche: This pull request references OCPNODE-2439 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.18.0" version, but no target version was set.

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@harche: This pull request references OCPNODE-2439 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.18.0" version, but no target version was set.

In response to this:

This PR modifies existing image policy enhancement for image verification to add support for BYOPKI use case.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mtrmac]

Primarily note the question whether certificate subject matching should be mandatory vs. whether we need to suport Rekor for trusted timestamps.

(AFAIK we didn’t get a detailed response from one of the customers motivating this work…)

The other comments are more about the mechanism of the thing.

---

A generic reminder: I don’t (currently) understand K8S API guidelines / restrictions, that either needs a separate expert reviewer, or I need to learn.

[harche]

@mtrmac thanks for those comments, I have updated the enhancement with those suggestions.

[mtrmac]

Thanks!

From my POV the primary outstanding question is the mandatory subject matching vs. Rekor feature requirements.

To confirm, is the current plan to make subject matching mandatory, and not add Rekor (yet)?

[harche]

Thanks!

From my POV the primary outstanding question is the mandatory subject matching vs. Rekor feature requirements.

To confirm, is the current plan to make subject matching mandatory, and not add Rekor (yet)?

Yes, the current plan is to make subject matching mandatory and consider Rekor at later point in time.

[harche]

@mtrmac Thanks for your extensive review.

[saschagrunert]

nit: let's fix the indentation here.

[harche]

updated. thanks.

[saschagrunert]

how about just using CertificateSubject since we're already in the PKI struct?

Suggested change

	PKICertificateSubject *PKICertificateSubject `json:"pkiCertificateSubject,omitempty"`
	CertificateSubject *CertificateSubject `json:"certificateSubject,omitempty"`

[harche]

@mtrmac WDYT?

[mtrmac]

As far as correctness goes, sure, why not.

One concern to think about is that there are two audiences here:

• Users writing YAML: for them the json field names matter, and we can rely on the nesting structure to avoid repetition. So certificateSubject is better than pkiCertificateSubject
• Go programmers using the API package: all types are at the top level, so they should be unique standalone. So PKICertificateSubject is better than CertificateSubject, or maybe it should be PKIImagePolicyCertificateSubject in the extreme??
  • Note especially that the naming the top-level structure just PKI is not ideal… we can get away with that for FulcioCAWithRekor, but for PKI and the existing PublicKey… there’s some risk of clashes.

But, also, the YAML names are more important because they are user-facing; the Go type names are ~internal in a package with no stable API commitment (I think?) so if we ever encountered a conflict, we can rename things.

[QiWang19]

Suggested change

	PKICertificateSubject *PKICertificateSubject `json:"pkiCertificateSubject,omitempty"`
	PKICertificateSubject *PKICertificateSubject `json:"certificateSubject,omitempty"`

Maybe only omit the PKI from the json annotation.

[QiWang19]

Note especially that the naming the top-level structure just PKI is not ideal… we can get away with that for FulcioCAWithRekor, but for PKI and the existing PublicKey… there’s some risk of clashes.

will CustomPKI instead of PKI make a difference? we can explain in the comment this means a PKI not from Sigstore.

[mtrmac]

In the context of openshift/api/config/v1alpha1 (or, worse, eventually, …/v1, I think PKI and CustomPKI are very similarly likely to clash — if there is going to be a clash, it’s going to be with some other non-policy.json PKI use.

See https://pkg.go.dev/github.com/openshift/api/config/v1 — there are things like NamedCertificate and CertInfo.

So I’d be tempted to use ImagePolicy* for all types (ImagePolicyPKI?), but that might well be an overreaction.

---

I do think the JSON/YAML field names are much more important; I’m not nearly as worried about the Go types.

[saschagrunert]

Let's add a note what this field does.

[harche]

Updated, thanksl

[saschagrunert]

@mrunalp PTAL, too

[saschagrunert]

@QiWang19 PTAL as well.

[mrunalp]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mrunalp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [mrunalp]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@harche: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.