Start of the necessary pieces to get #1418 and #1419 implemented (#1562)

* This is the start of the necessary pieces to get #1418 and #1419 implemented

ClusterImagePolicy reconciler will now create a configmap (no secret support yet)
and update it on changes (not on deletions yet). Also put up most necessary
testing pieces so that we can start unit testing the reconciler and make sure
it updates the resulting configmap.

There's also a ConfigStore that we can then inject into the admission webhook
that I have wired in there (nop for now, but demonstrating how it could work).
Idea being that you could then for a given image ask for all the authorities that
need to be validated. You can see what that config looks like in the
/pkg/apis/config/testdata/image-policies.yaml and the accompanying tests
in /pkg/apis/config/image_policies_test
I made sure that it works with both yaml/json.

While playing with this there's some questions that came to mind, so I'll take
those to the document.

Hope is that we get enough pieces in place so that we can agree on the major
moving pieces and how they fit together and enough testing in place that
we can start sharding up the work more efficiently and in more focused areas.

Signed-off-by: Ville Aikas <vaikas@chainguard.dev>

* Add placeholder configmap with an example.
Rename to be consistent with the other cm. image-policies => config-image-policies

Signed-off-by: Ville Aikas <vaikas@chainguard.dev>

* Address lint.

Signed-off-by: Ville Aikas <vaikas@chainguard.dev>

* Use namespaced sharedinformerfactory so that we have the right permissions.
Ran manual tests validating that things are working, when I remove
things from the configmap, things are patched back in (after the global
resync is triggered).

Signed-off-by: Ville Aikas <vaikas@chainguard.dev>

* Check error, duh.

Signed-off-by: Ville Aikas <vaikas@chainguard.dev>

* Just trying to remove the files that verify-codegen is complaining.

Signed-off-by: Ville Aikas <vaikas@chainguard.dev>

cmd/cosign/webhook/main.go

@@ -29,6 +29,7 @@ import (
 	"knative.dev/pkg/configmap"
 	"knative.dev/pkg/controller"
 	"knative.dev/pkg/injection/sharedmain"
+	"knative.dev/pkg/logging"
 	"knative.dev/pkg/signals"
 	"knative.dev/pkg/webhook"
 	"knative.dev/pkg/webhook/certificates"
@@ -37,6 +38,7 @@ import (
 	"knative.dev/pkg/webhook/resourcesemantics/validation"
 	"sigs.k8s.io/release-utils/version"
 
+	"github.com/sigstore/cosign/pkg/apis/config"
 	cwebhook "github.com/sigstore/cosign/pkg/cosign/kubernetes/webhook"
 	"github.com/sigstore/cosign/pkg/reconciler/clusterimagepolicy"
 )
@@ -85,6 +87,9 @@ var types = map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
 }
 
 func NewValidatingAdmissionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
+	// Decorate contexts with the current state of the config.
+	store := config.NewStore(logging.FromContext(ctx).Named("config-store"))
+	store.WatchConfigs(cmw)
 	validator := cwebhook.NewValidator(ctx, *secretName)
 
 	return validation.NewAdmissionController(ctx,
@@ -99,6 +104,7 @@ func NewValidatingAdmissionController(ctx context.Context, cmw configmap.Watcher
 
 		// A function that infuses the context passed to Validate/SetDefaults with custom metadata.
 		func(ctx context.Context) context.Context {
+			ctx = store.ToContext(ctx)
 			ctx = duckv1.WithPodValidator(ctx, validator.ValidatePod)
 			ctx = duckv1.WithPodSpecValidator(ctx, validator.ValidatePodSpecable)
 			ctx = duckv1.WithCronJobValidator(ctx, validator.ValidateCronJob)

config/200-role.yaml

@@ -27,3 +27,10 @@ rules:
   - apiGroups: ["coordination.k8s.io"]
     resources: ["leases"]
     verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+
+  # This is needed to create / patch ConfigMap that is created by the reconciler
+  # to consolidate various CIP configuration into a policy ConfigMap.
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    resourceNames: ["config-image-policies"]
+    verbs: ["get", "list", "create", "update", "patch", "watch"]

config/config-image-policies.yaml

@@ -0,0 +1,29 @@
+# Copyright 2022 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config-image-policies
+  namespace: cosign-system
+
+data:
+  _example: |
+    ################################
+    #                              #
+    #    EXAMPLE CONFIGURATION     #
+    #                              #
+    ################################
+    cluster-image-policy-json: "{\"images\":[{\"glob\":\"ghcr.io/example/*\",\"regex\":\"\",\"authorities\":[{\"key\":{\"data\":\"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\n-----END PUBLIC KEY-----\"}}]}]}"
+

go.mod

@@ -56,6 +56,7 @@ require (
 	k8s.io/utils v0.0.0-20220127004650-9b3446523e65
 	knative.dev/pkg v0.0.0-20220202132633-df430fa0dd96
 	sigs.k8s.io/release-utils v0.4.1-0.20220207182343-6dadf2228617
+	sigs.k8s.io/yaml v1.3.0
 )
 
 require (
@@ -264,7 +265,6 @@ require (
 	k8s.io/gengo v0.0.0-20211129171323-c02415ce4185 // indirect
 	k8s.io/klog/v2 v2.40.1 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
-	sigs.k8s.io/yaml v1.3.0 // indirect
 )
 
 require (

pkg/apis/config/doc.go

@@ -0,0 +1,23 @@
+//
+// Copyright 2022 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +k8s:deepcopy-gen=package
+
+// Package config holds the typed objects that define the schemas for
+// ConfigMap objects that pertain to our API objects.
+// This ConfigMap gets created by the Reconciler by combining all the
+// ClusterImagePolicy CR into a single ConfigMap so that the AdmissionController
+// only needs to deal with a single resource when validationg.
+package config

pkg/apis/config/image_policies.go

@@ -0,0 +1,104 @@
+//
+// Copyright 2022 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package config
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+
+	"github.com/sigstore/cosign/pkg/apis/cosigned/v1alpha1"
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/yaml"
+)
+
+const (
+	// ImagePoliciesConfigName is the name of ConfigMap created by the
+	// reconciler and consumed by the admission webhook.
+	ImagePoliciesConfigName = "config-image-policies"
+)
+
+type ImagePolicyConfig struct {
+	// This is the list of ImagePolicies that a admission controller uses
+	// to make policy decisions.
+	// TODO(vaikas): Revisit the datastructure. For now seems fine to use the
+	// same definitions from the API definition. The _only_ difference is that
+	// we do not use SecretReference fields, they get resolved and inlined
+	// in the Secret. So it seemed unnecessary to mirror those all over.
+	// Key in the map is the name of the ClusterImagePolicy where the Policy
+	// was received from.
+	Policies map[string]v1alpha1.ClusterImagePolicySpec
+}
+
+// NewImagePoliciesConfigFromMap creates an ImagePolicyConfig from the supplied
+// Map
+func NewImagePoliciesConfigFromMap(data map[string]string) (*ImagePolicyConfig, error) {
+	ret := &ImagePolicyConfig{Policies: make(map[string]v1alpha1.ClusterImagePolicySpec, len(data))}
+	// Spin through the ConfigMap. Each key will point to resolved
+	// ImagePatterns.
+	for k, v := range data {
+		// This is the example that we use to document / test the ConfigMap.
+		if k == "_example" {
+			continue
+		}
+		if v == "" {
+			return nil, fmt.Errorf("configmap has an entry %q but no value", k)
+		}
+		clusterImagePolicy := &v1alpha1.ClusterImagePolicySpec{}
+
+		if err := parseEntry(v, clusterImagePolicy); err != nil {
+			return nil, fmt.Errorf("failed to parse the entry %q : %q : %w", k, v, err)
+		}
+		ret.Policies[k] = *clusterImagePolicy
+	}
+	return ret, nil
+}
+
+// NewImagePoliciesConfigFromConfigMap creates a Features from the supplied ConfigMap
+func NewImagePoliciesConfigFromConfigMap(config *corev1.ConfigMap) (*ImagePolicyConfig, error) {
+	return NewImagePoliciesConfigFromMap(config.Data)
+}
+
+func parseEntry(entry string, out interface{}) error {
+	j, err := yaml.YAMLToJSON([]byte(entry))
+	if err != nil {
+		return fmt.Errorf("config's value could not be converted to JSON: %w : %s", err, entry)
+	}
+	return json.Unmarshal(j, &out)
+}
+
+// GetAuthorities returns all matching Authorities that need to be matched for
+// the given Image.
+func (p *ImagePolicyConfig) GetAuthorities(image string) ([]v1alpha1.Authority, error) {
+	if p == nil {
+		return nil, errors.New("config is nil")
+	}
+
+	ret := []v1alpha1.Authority{}
+
+	// TODO(vaikas): this is very inefficient, we should have a better
+	// way to go from image to Authorities, but just seeing if this is even
+	// workable so fine for now.
+	for _, v := range p.Policies {
+		for _, pattern := range v.Images {
+			// TODO(vaikas): do the actual glob match.
+			if image == pattern.Glob {
+				ret = append(ret, pattern.Authorities...)
+			}
+		}
+	}
+	return ret, nil
+}

pkg/apis/config/image_policies_test.go

@@ -0,0 +1,110 @@
+// Copyright 2022 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package config
+
+import (
+	"testing"
+
+	. "knative.dev/pkg/configmap/testing"
+	_ "knative.dev/pkg/system/testing"
+)
+
+const (
+	// Just some public key that was laying around, only format matters.
+	inlineKeyData = `-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J
+RCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==
+-----END PUBLIC KEY-----`
+)
+
+func TestDefaultsConfigurationFromFile(t *testing.T) {
+	_, example := ConfigMapsFromTestFile(t, ImagePoliciesConfigName)
+	if _, err := NewImagePoliciesConfigFromConfigMap(example); err != nil {
+		t.Error("NewImagePoliciesConfigFromConfigMap(example) =", err)
+	}
+}
+
+func TestGetAuthorities(t *testing.T) {
+	_, example := ConfigMapsFromTestFile(t, ImagePoliciesConfigName)
+	defaults, err := NewImagePoliciesConfigFromConfigMap(example)
+	if err != nil {
+		t.Error("NewImagePoliciesConfigFromConfigMap(example) =", err)
+	}
+	c, err := defaults.GetAuthorities("rando")
+	if err != nil {
+		t.Error("GetMatches Failed =", err)
+	}
+	if len(c) == 0 {
+		t.Error("Wanted a config, got none.")
+	}
+	want := "inlinedata here"
+	if got := c[0].Key.Data; got != want {
+		t.Errorf("Did not get what I wanted %q, got %+v", want, c[0].Key.Data)
+	}
+	c, err = defaults.GetAuthorities("rando*")
+	if err != nil {
+		t.Error("GetMatches Failed =", err)
+	}
+	if len(c) == 0 {
+		t.Error("Wanted a config, got none.")
+	}
+	want = "otherinline here"
+	if got := c[0].Key.Data; got != want {
+		t.Errorf("Did not get what I wanted %q, got %+v", want, c[0].Key.Data)
+	}
+	c, err = defaults.GetAuthorities("rando3")
+	if err != nil {
+		t.Error("GetMatches Failed =", err)
+	}
+	if len(c) == 0 {
+		t.Error("Wanted a config, got none.")
+	}
+	want = "cakey chilling here"
+	if got := c[0].Keyless.CAKey.Data; got != want {
+		t.Errorf("Did not get what I wanted %q, got %+v", want, c[0].Keyless.CAKey.Data)
+	}
+	want = "issuer"
+	if got := c[0].Keyless.Identities[0].Issuer; got != want {
+		t.Errorf("Did not get what I wanted %q, got %+v", want, c[0].Keyless.Identities[0].Issuer)
+	}
+	want = "subject"
+	if got := c[0].Keyless.Identities[0].Subject; got != want {
+		t.Errorf("Did not get what I wanted %q, got %+v", want, c[0].Keyless.Identities[0].Subject)
+	}
+	// Test multiline yaml cert
+	c, err = defaults.GetAuthorities("inlinecert")
+	if err != nil {
+		t.Error("GetMatches Failed =", err)
+	}
+	if len(c) == 0 {
+		t.Error("Wanted a config, got none.")
+	}
+	want = inlineKeyData
+	if got := c[0].Key.Data; got != want {
+		t.Errorf("Did not get what I wanted %q, got %+v", want, c[0].Key.Data)
+	}
+	// Test multiline cert but json encoded
+	c, err = defaults.GetAuthorities("ghcr.io/example/*")
+	if err != nil {
+		t.Error("GetMatches Failed =", err)
+	}
+	if len(c) == 0 {
+		t.Error("Wanted a config, got none.")
+	}
+	want = inlineKeyData
+	if got := c[0].Key.Data; got != want {
+		t.Errorf("Did not get what I wanted %q, got %+v", want, c[0].Key.Data)
+	}
+}