Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[cosigned] Rename cosigned references to policy-controller #1893

Merged
merged 5 commits into from
May 20, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions .github/workflows/build.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,7 @@ jobs:
run: gcloud auth configure-docker --quiet
- name: container
run: echo -n "${{secrets.COSIGN_PASSWORD}}" | KO_PREFIX=gcr.io/projectsigstore/cosign/ci make sign-container
- name: cosigned
run: echo -n "${{secrets.COSIGN_PASSWORD}}" | KO_PREFIX=gcr.io/projectsigstore/cosign/ci make sign-cosigned
- name: policy-controller
run: echo -n "${{secrets.COSIGN_PASSWORD}}" | KO_PREFIX=gcr.io/projectsigstore/cosign/ci make sign-policy-controller
- name: sget
run: echo -n "${{secrets.COSIGN_PASSWORD}}" | KO_PREFIX=gcr.io/projectsigstore/cosign/ci make sign-sget
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.

name: Test cosigned with ClusterImagePolicy with attestations
name: Test policy-controller with ClusterImagePolicy with attestations

on:
pull_request:
Expand Down Expand Up @@ -40,7 +40,7 @@ jobs:

env:
KNATIVE_VERSION: "1.1.0"
KO_DOCKER_REPO: "registry.local:5000/cosigned"
KO_DOCKER_REPO: "registry.local:5000/policy-controller"
SCAFFOLDING_RELEASE_VERSION: "v0.2.8"
GO111MODULE: on
GOFLAGS: -ldflags=-s -ldflags=-w
Expand Down Expand Up @@ -74,17 +74,17 @@ jobs:
- name: Install cluster + cosign
uses: sigstore/scaffolding/actions/setup@main

- name: Install cosigned
- name: Install policy-controller
env:
GIT_HASH: ${{ github.sha }}
GIT_VERSION: ci
LDFLAGS: ""
COSIGNED_YAML: cosigned-e2e.yaml
KO_PREFIX: registry.local:5000/cosigned
COSIGNED_YAML: policy-controller-e2e.yaml
KO_PREFIX: registry.local:5000/policy-controller
COSIGNED_ARCHS: linux/amd64
run: |
make ko-cosigned
kubectl apply -f cosigned-e2e.yaml
make ko-policy-controller
kubectl apply -f policy-controller-e2e.yaml

# Wait for the webhook to come up and become Ready
kubectl rollout status --timeout 5m --namespace cosign-system deployments/webhook
Expand Down
14 changes: 7 additions & 7 deletions .github/workflows/kind-cluster-image-policy.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.

name: Test cosigned with ClusterImagePolicy
name: Test policy-controller with ClusterImagePolicy

on:
pull_request:
Expand Down Expand Up @@ -40,7 +40,7 @@ jobs:

env:
KNATIVE_VERSION: "1.1.0"
KO_DOCKER_REPO: "registry.local:5000/cosigned"
KO_DOCKER_REPO: "registry.local:5000/policy-controller"
SCAFFOLDING_RELEASE_VERSION: "v0.2.2"
GO111MODULE: on
GOFLAGS: -ldflags=-s -ldflags=-w
Expand Down Expand Up @@ -74,17 +74,17 @@ jobs:
- name: Install cluster + cosign
uses: sigstore/scaffolding/actions/setup@main

- name: Install cosigned
- name: Install policy-controller
env:
GIT_HASH: ${{ github.sha }}
GIT_VERSION: ci
LDFLAGS: ""
COSIGNED_YAML: cosigned-e2e.yaml
KO_PREFIX: registry.local:5000/cosigned
COSIGNED_YAML: policy-controller-e2e.yaml
KO_PREFIX: registry.local:5000/policy-controller
COSIGNED_ARCHS: linux/amd64
run: |
make ko-cosigned
kubectl apply -f cosigned-e2e.yaml
make ko-policy-controller
kubectl apply -f policy-controller-e2e.yaml

# Wait for the webhook to come up and become Ready
kubectl rollout status --timeout 5m --namespace cosign-system deployments/webhook
Expand Down
18 changes: 9 additions & 9 deletions .github/workflows/kind-e2e-cosigned.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.

name: Cosigned KinD E2E
name: Policy Controller KinD E2E

on:
pull_request:
Expand Down Expand Up @@ -40,7 +40,7 @@ jobs:
REGISTRY_PORT: 5000
INSECURE_REGISTRY_NAME: insecure-registry.notlocal
INSECURE_REGISTRY_PORT: 5001
KO_DOCKER_REPO: registry.local:5000/cosigned
KO_DOCKER_REPO: registry.local:5000/policy-controller

steps:
- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.4.0
Expand Down Expand Up @@ -97,17 +97,17 @@ jobs:
# local registry, even when pushing $INSECURE_REGISTRY_NAME:$INSECURE_REGISTRY_NAME/some/image
sudo echo "127.0.0.1 $INSECURE_REGISTRY_NAME" | sudo tee -a /etc/hosts

- name: Install cosigned
- name: Install policy-controller
env:
GIT_HASH: ${{ github.sha }}
GIT_VERSION: ci
LDFLAGS: ""
COSIGNED_YAML: cosigned-e2e.yaml
KO_PREFIX: registry.local:5000/cosigned
COSIGNED_YAML: policy-controller-e2e.yaml
KO_PREFIX: registry.local:5000/policy-controller
COSIGNED_ARCHS: linux/amd64
run: |
make ko-cosigned
kubectl apply -f cosigned-e2e.yaml
make ko-policy-controller
kubectl apply -f policy-controller-e2e.yaml

# Wait for the webhook to come up and become Ready
kubectl rollout status --timeout 5m --namespace cosign-system deployments/webhook
Expand All @@ -121,9 +121,9 @@ jobs:
run: |
./test/e2e_test_policy_crd.sh

- name: Run Cosigned Tests
- name: Run Policy Controller Tests
run: |
./test/e2e_test_cosigned.sh
./test/e2e_test_policy_controller.sh

- name: Collect diagnostics
if: ${{ failure() }}
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/kind-verify-attestation.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ jobs:

env:
KNATIVE_VERSION: "1.1.0"
KO_DOCKER_REPO: "registry.local:5000/cosigned"
KO_DOCKER_REPO: "registry.local:5000/policy-controller"
SCAFFOLDING_RELEASE_VERSION: "v0.2.2"
GO111MODULE: on
GOFLAGS: -ldflags=-s -ldflags=-w
Expand Down
2 changes: 1 addition & 1 deletion .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@
bin*
dist/
cosignImagerefs
cosignedImagerefs
policyControllerImagerefs
sgetImagerefs
policyImagerefs

Expand Down
2 changes: 1 addition & 1 deletion .ko.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ builds:
- -extldflags "-static"
- "{{ .Env.LDFLAGS }}"

- id: cosigned
- id: policy-controller
dir: .
main: ./cmd/cosign/webhook
env:
Expand Down
24 changes: 12 additions & 12 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -91,9 +91,9 @@ cosign: $(SRCS)
cosign-pivkey-pkcs11key: $(SRCS)
CGO_ENABLED=1 go build -trimpath -tags=pivkey,pkcs11key -ldflags "$(LDFLAGS)" -o cosign ./cmd/cosign

## Build cosigned binary
.PHONY: cosigned
cosigned: policy-webhook
## Build policy-controller binary
.PHONY: policy-controller
policy-controller: policy-webhook
CGO_ENABLED=0 go build -trimpath -ldflags "$(LDFLAGS)" -o $@ ./cmd/cosign/webhook

.PHONY: policy-webhook
Expand Down Expand Up @@ -128,7 +128,7 @@ test:

clean:
rm -rf cosign
rm -rf cosigned
rm -rf policy-controller
rm -rf sget
rm -rf dist/

Expand All @@ -151,7 +151,7 @@ endef
# ko build
##########
.PHONY: ko
ko: ko-cosign ko-sget ko-cosigned
ko: ko-cosign ko-sget ko-policy-controller

.PHONY: ko-cosign
ko-cosign:
Expand All @@ -171,13 +171,13 @@ ko-sget:
--image-refs sgetImagerefs \
github.com/sigstore/cosign/cmd/sget

.PHONY: ko-cosigned
ko-cosigned: kustomize-cosigned ko-policy-webhook
# cosigned
.PHONY: ko-policy-controller
ko-policy-controller: kustomize-policy-controller ko-policy-webhook
# policy-controller
LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
KOCACHE=$(KOCACHE_PATH) KO_DOCKER_REPO=$(KO_PREFIX)/cosigned ko resolve --bare \
KOCACHE=$(KOCACHE_PATH) KO_DOCKER_REPO=$(KO_PREFIX)/policy-controller ko resolve --bare \
--platform=$(COSIGNED_ARCHS) --tags $(GIT_VERSION) --tags $(GIT_HASH)$(LATEST_TAG) \
--image-refs cosignedImagerefs --filename config/webhook.yaml >> $(COSIGNED_YAML)
--image-refs policyControllerImagerefs --filename config/webhook.yaml >> $(COSIGNED_YAML)

ko-policy-webhook:
# policy_webhook
Expand Down Expand Up @@ -212,8 +212,8 @@ ko-apply:
LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) ko apply -Bf config/


.PHONY: kustomize-cosigned
kustomize-cosigned:
.PHONY: kustomize-policy-controller
kustomize-policy-controller:
kustomize build config/ > $(COSIGNED_YAML)

##################
Expand Down
12 changes: 6 additions & 6 deletions cmd/cosign/policy_webhook/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -33,9 +33,9 @@ import (
"knative.dev/pkg/webhook/resourcesemantics/validation"
"sigs.k8s.io/release-utils/version"

"github.com/sigstore/cosign/pkg/apis/cosigned"
"github.com/sigstore/cosign/pkg/apis/cosigned/v1alpha1"
"github.com/sigstore/cosign/pkg/apis/cosigned/v1beta1"
"github.com/sigstore/cosign/pkg/apis/policy"
"github.com/sigstore/cosign/pkg/apis/policy/v1alpha1"
"github.com/sigstore/cosign/pkg/apis/policy/v1beta1"
"github.com/sigstore/cosign/pkg/reconciler/clusterimagepolicy"

// Register the provider-specific plugins
Expand All @@ -52,15 +52,15 @@ var (
// with the resource types, namespace selectors, CABindle and service path.
// If this changes, you must also change:
// ./config/501-policy-webhook-configurations.yaml
// https://github.com/sigstore/helm-charts/blob/main/charts/cosigned/templates/policy-webhook/policy_webhook_configurations.yaml
// https://github.com/sigstore/helm-charts/blob/main/charts/policy-controller/templates/policy-webhook/policy_webhook_configurations.yaml
mutatingWebhookName = flag.String("mutating-webhook-name", "defaulting.clusterimagepolicy.sigstore.dev", "The name of the mutating webhook configuration as well as the webhook name that is automatically configured, if exists, with different rules and client settings setting how the admission requests to be dispatched to policy-webhook.")
// validatingWebhookName holds the name of the validating webhook configuration
// resource dispatching admission requests to policy-webhook.
// It is also the name of the webhook which is injected by the controller
// with the resource types, namespace selectors, CABindle and service path.
// If this changes, you must also change:
// ./config/501-policy-webhook-configurations.yaml
// https://github.com/sigstore/helm-charts/blob/main/charts/cosigned/templates/policy-webhook/policy_webhook_configurations.yaml
// https://github.com/sigstore/helm-charts/blob/main/charts/policy-controller/templates/policy-webhook/policy_webhook_configurations.yaml
validatingWebhookName = flag.String("validating-webhook-name", "validating.clusterimagepolicy.sigstore.dev", "The name of the validating webhook configuration as well as the webhook name that is automatically configured, if exists, with different rules and client settings setting how the admission requests to be dispatched to policy-webhook.")
)

Expand Down Expand Up @@ -135,7 +135,7 @@ func newConversionController(ctx context.Context, cmw configmap.Watcher) *contro
// Specify the types of custom resource definitions that should be converted
map[schema.GroupKind]conversion.GroupKindConversion{
v1beta1.Kind("ClusterImagePolicy"): {
DefinitionName: cosigned.ClusterImagePolicyResource.String(),
DefinitionName: policy.ClusterImagePolicyResource.String(),
HubVersion: v1alpha1GroupVersion,
Zygotes: map[string]conversion.ConvertibleObject{
v1alpha1GroupVersion: &v1alpha1.ClusterImagePolicy{},
Expand Down
10 changes: 5 additions & 5 deletions cmd/cosign/webhook/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -45,14 +45,14 @@ import (
var secretName = flag.String("secret-name", "", "The name of the secret in the webhook's namespace that holds the public key for verification.")

// webhookName holds the name of the validating and mutating webhook
// configuration resources dispatching admission requests to cosigned.
// configuration resources dispatching admission requests to policy-controller.
// It is also the name of the webhook which is injected by the controller
// with the resource types, namespace selectors, CABindle and service path.
// If this changes, you must also change:
// ./config/500-webhook-configuration.yaml
// https://github.com/sigstore/helm-charts/blob/main/charts/cosigned/templates/webhook/webhook_mutating.yaml
// https://github.com/sigstore/helm-charts/blob/main/charts/cosigned/templates/webhook/webhook_validating.yaml
var webhookName = flag.String("webhook-name", "cosigned.sigstore.dev", "The name of the validating and mutating webhook configurations as well as the webhook name that is automatically configured, if exists, with different rules and client settings setting how the admission requests to be dispatched to cosigned.")
// https://github.com/sigstore/helm-charts/blob/main/charts/policy-controller/templates/webhook/webhook_mutating.yaml
// https://github.com/sigstore/helm-charts/blob/main/charts/policy-controller/templates/webhook/webhook_validating.yaml
var webhookName = flag.String("webhook-name", "policy.sigstore.dev", "The name of the validating and mutating webhook configurations as well as the webhook name that is automatically configured, if exists, with different rules and client settings setting how the admission requests to be dispatched to policy-controller.")

func main() {
opts := webhook.Options{
Expand All @@ -69,7 +69,7 @@ func main() {
vJSON, _ := v.JSONString()
log.Printf("%v", vJSON)
// This calls flag.Parse()
sharedmain.MainWithContext(ctx, "cosigned",
sharedmain.MainWithContext(ctx, "policy-controller",
certificates.NewController,
NewValidatingAdmissionController,
NewMutatingAdmissionController,
Expand Down
2 changes: 1 addition & 1 deletion cmd/schema/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ import (
"knative.dev/hack/schema/commands"
"knative.dev/hack/schema/registry"

v1alpha1 "github.com/sigstore/cosign/pkg/apis/cosigned/v1alpha1"
v1alpha1 "github.com/sigstore/cosign/pkg/apis/policy/v1alpha1"
)

// schema is a tool to dump the schema for Eventing resources.
Expand Down
2 changes: 1 addition & 1 deletion config/100-namespace.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -17,4 +17,4 @@ kind: Namespace
metadata:
name: cosign-system
labels:
cosigned.sigstore.dev/include: "false"
policy.sigstore.dev/include: "false"
8 changes: 4 additions & 4 deletions config/200-clusterrole.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cosigned-rbac
name: policy-controller-rbac
rules:
- apiGroups: [""]
resources: ["events"]
Expand All @@ -28,7 +28,7 @@ rules:
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
verbs: ["get", "update"]
resourceNames: ["cosigned.sigstore.dev", "validating.clusterimagepolicy.sigstore.dev", "defaulting.clusterimagepolicy.sigstore.dev"]
resourceNames: ["policy.sigstore.dev", "validating.clusterimagepolicy.sigstore.dev", "defaulting.clusterimagepolicy.sigstore.dev"]

- apiGroups: [""]
resources: ["namespaces"]
Expand All @@ -45,10 +45,10 @@ rules:
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "update"]
resourceNames: ["clusterimagepolicies.cosigned.sigstore.dev"]
resourceNames: ["clusterimagepolicies.policy.sigstore.dev"]

# Allow reconciliation of the ClusterImagePolic CRDs.
- apiGroups: ["cosigned.sigstore.dev"]
- apiGroups: ["policy.sigstore.dev"]
resources: ["clusterimagepolicies"]
verbs: ["get", "list", "update", "watch", "patch"]

Expand Down
2 changes: 1 addition & 1 deletion config/200-role.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cosigned-namespace-rbac
name: policy-controller-namespace-rbac
namespace: cosign-system
rules:
# Needed to watch and load configuration and secret data.
Expand Down
4 changes: 2 additions & 2 deletions config/201-clusterrolebinding.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -15,12 +15,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cosigned-webhook
name: policy-controller-webhook
subjects:
- kind: ServiceAccount
name: webhook
namespace: cosign-system
roleRef:
kind: ClusterRole
name: cosigned-rbac
name: policy-controller-rbac
apiGroup: rbac.authorization.k8s.io
4 changes: 2 additions & 2 deletions config/201-rolebinding.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -15,13 +15,13 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cosigned-webhook
name: policy-controller-webhook
namespace: cosign-system
subjects:
- kind: ServiceAccount
name: webhook
namespace: cosign-system
roleRef:
kind: Role
name: cosigned-namespace-rbac
name: policy-controller-namespace-rbac
apiGroup: rbac.authorization.k8s.io
4 changes: 2 additions & 2 deletions config/300-clusterimagepolicy.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -14,9 +14,9 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: clusterimagepolicies.cosigned.sigstore.dev
name: clusterimagepolicies.policy.sigstore.dev
spec:
group: cosigned.sigstore.dev
group: policy.sigstore.dev
names:
kind: ClusterImagePolicy
plural: clusterimagepolicies
Expand Down
Loading