remove config-trusted-resources

config/controller.yaml

@@ -84,10 +84,6 @@ spec:
           mountPath: /etc/config-logging
         - name: config-registry-cert
           mountPath: /etc/config-registry-cert
-        # Mount secret for trusted resources
-        - name: verification-secrets
-          mountPath: /etc/verification-secrets
-          readOnly: true
         env:
         - name: SYSTEM_NAMESPACE
           valueFrom:
@@ -112,8 +108,6 @@ spec:
           value: config-leader-election
         - name: CONFIG_SPIRE
           value: config-spire
-        - name: CONFIG_TRUSTED_RESOURCES_NAME
-          value: config-trusted-resources
         - name: SSL_CERT_FILE
           value: /etc/config-registry-cert/cert
         - name: SSL_CERT_DIR
@@ -168,11 +162,6 @@ spec:
         - name: config-registry-cert
           configMap:
             name: config-registry-cert
-        # Mount secret for trusted resources
-        - name: verification-secrets
-          secret:
-            secretName: verification-secrets
-            optional: true
 ---
 apiVersion: v1
 kind: Service

docs/trusted-resources.md

@@ -69,37 +69,6 @@ Or patch the new values:
 kubectl patch configmap feature-flags -n tekton-pipelines -p='{"data":{"resource-verification-mode":"enforce"}}
 ```
 
-
-#### Config key at configmap (Deprecated)
-
-**Note:** key configuration in configmap is deprecated, the issue [#5852](https://github.com/tektoncd/pipeline/issues/5852) will track the deprecation. Please use [VerificationPolicy](#config-key-at-verificationpolicy) instead.
-
-Multiple keys reference should be separated by comma. If the resource can pass any key in the list, it will pass the verification.
-
-We currently hardcode SHA256 as hashfunc for loading public keys as verifiers.
-
-Public key files should be added into secret and mounted into controller volumes. To add keys into secret you may execute:
-
-```shell
-kubectl create secret generic verification-secrets \
-  --from-file=cosign.pub=./cosign.pub \
-    --from-file=cosign.pub=./cosign2.pub \
-  -n tekton-pipelines
-```
-
-```yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: config-trusted-resources
-  namespace: tekton-pipelines
-  labels:
-    app.kubernetes.io/instance: default
-    app.kubernetes.io/part-of: tekton-pipelines
-data:
-  publickeys: "/etc/verification-secrets/cosign.pub, /etc/verification-secrets/cosign2.pub"
-```
-
 #### Config key at VerificationPolicy
 VerificationPolicy supports SecretRef or encoded public key data.
 
@@ -170,3 +139,45 @@ To learn more about `ConfigSource` please refer to resolvers doc for more contex
 
 `hashAlgorithm` is the algorithm for the public key, by default is `sha256`. It also supports `SHA224`, `SHA384`, `SHA512`.
 
+
+#### Migrate Config key at configmap to VerificationPolicy
+**Note:** key configuration in configmap is deprecated,
+The following usage of public keys in configmap can be migrated to VerificationPolicy/
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config-trusted-resources
+  namespace: tekton-pipelines
+  labels:
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-pipelines
+data:
+  publickeys: "/etc/verification-secrets/cosign.pub, /etc/verification-secrets/cosign2.pub"
+```
+
+To migrate to VerificationPolicy: Stores the public key files in a secret, and configure the secret ref in VerificationPolicy
+
+```yaml
+apiVersion: tekton.dev/v1alpha1
+kind: VerificationPolicy
+metadata:
+  name: verification-policy-name
+  namespace: resource-namespace
+spec:
+  authorities:
+    - name: key1
+      key:
+        # secretRef refers to a secret in the cluster, this secret should contain public keys data
+        secretRef:
+          name: secret-name-cosign
+          namespace: secret-namespace
+        hashAlgorithm: sha256
+    - name: key2
+      key:
+        secretRef:
+          name: secret-name-cosign2
+          namespace: secret-namespace
+        hashAlgorithm: sha256
+```

pkg/apis/config/store.go

@@ -28,11 +28,10 @@ type cfgKey struct{}
 // Config holds the collection of configurations that we attach to contexts.
 // +k8s:deepcopy-gen=false
 type Config struct {
-	Defaults         *Defaults
-	FeatureFlags     *FeatureFlags
-	Metrics          *Metrics
-	TrustedResources *TrustedResources
-	SpireConfig      *sc.SpireConfig
+	Defaults     *Defaults
+	FeatureFlags *FeatureFlags
+	Metrics      *Metrics
+	SpireConfig  *sc.SpireConfig
 }
 
 // FromContext extracts a Config from the provided context.
@@ -53,15 +52,13 @@ func FromContextOrDefaults(ctx context.Context) *Config {
 	defaults, _ := NewDefaultsFromMap(map[string]string{})
 	featureFlags, _ := NewFeatureFlagsFromMap(map[string]string{})
 	metrics, _ := newMetricsFromMap(map[string]string{})
-	trustedresources, _ := NewTrustedResourcesConfigFromMap(map[string]string{})
 	spireconfig, _ := NewSpireConfigFromMap(map[string]string{})
 
 	return &Config{
-		Defaults:         defaults,
-		FeatureFlags:     featureFlags,
-		Metrics:          metrics,
-		TrustedResources: trustedresources,
-		SpireConfig:      spireconfig,
+		Defaults:     defaults,
+		FeatureFlags: featureFlags,
+		Metrics:      metrics,
+		SpireConfig:  spireconfig,
 	}
 }
 
@@ -84,11 +81,10 @@ func NewStore(logger configmap.Logger, onAfterStore ...func(name string, value i
 			"defaults/features/artifacts",
 			logger,
 			configmap.Constructors{
-				GetDefaultsConfigName():         NewDefaultsFromConfigMap,
-				GetFeatureFlagsConfigName():     NewFeatureFlagsFromConfigMap,
-				GetMetricsConfigName():          NewMetricsFromConfigMap,
-				GetTrustedResourcesConfigName(): NewTrustedResourcesConfigFromConfigMap,
-				GetSpireConfigName():            NewSpireConfigFromConfigMap,
+				GetDefaultsConfigName():     NewDefaultsFromConfigMap,
+				GetFeatureFlagsConfigName(): NewFeatureFlagsFromConfigMap,
+				GetMetricsConfigName():      NewMetricsFromConfigMap,
+				GetSpireConfigName():        NewSpireConfigFromConfigMap,
 			},
 			onAfterStore...,
 		),
@@ -116,20 +112,16 @@ func (s *Store) Load() *Config {
 	if metrics == nil {
 		metrics, _ = newMetricsFromMap(map[string]string{})
 	}
-	trustedresources := s.UntypedLoad(GetTrustedResourcesConfigName())
-	if trustedresources == nil {
-		trustedresources, _ = NewTrustedResourcesConfigFromMap(map[string]string{})
-	}
+
 	spireconfig := s.UntypedLoad(GetSpireConfigName())
 	if spireconfig == nil {
 		spireconfig, _ = NewSpireConfigFromMap(map[string]string{})
 	}
 
 	return &Config{
-		Defaults:         defaults.(*Defaults).DeepCopy(),
-		FeatureFlags:     featureFlags.(*FeatureFlags).DeepCopy(),
-		Metrics:          metrics.(*Metrics).DeepCopy(),
-		TrustedResources: trustedresources.(*TrustedResources).DeepCopy(),
-		SpireConfig:      spireconfig.(*sc.SpireConfig).DeepCopy(),
+		Defaults:     defaults.(*Defaults).DeepCopy(),
+		FeatureFlags: featureFlags.(*FeatureFlags).DeepCopy(),
+		Metrics:      metrics.(*Metrics).DeepCopy(),
+		SpireConfig:  spireconfig.(*sc.SpireConfig).DeepCopy(),
 	}
 }

pkg/apis/config/store_test.go

@@ -32,28 +32,24 @@ func TestStoreLoadWithContext(t *testing.T) {
 	defaultConfig := test.ConfigMapFromTestFile(t, "config-defaults")
 	featuresConfig := test.ConfigMapFromTestFile(t, "feature-flags-all-flags-set")
 	metricsConfig := test.ConfigMapFromTestFile(t, "config-observability")
-	trustedresourcesConfig := test.ConfigMapFromTestFile(t, "config-trusted-resources")
 	spireConfig := test.ConfigMapFromTestFile(t, "config-spire")
 
 	expectedDefaults, _ := config.NewDefaultsFromConfigMap(defaultConfig)
 	expectedFeatures, _ := config.NewFeatureFlagsFromConfigMap(featuresConfig)
 	metrics, _ := config.NewMetricsFromConfigMap(metricsConfig)
-	expectedTrustedResources, _ := config.NewTrustedResourcesConfigFromConfigMap(trustedresourcesConfig)
 	expectedSpireConfig, _ := config.NewSpireConfigFromConfigMap(spireConfig)
 
 	expected := &config.Config{
-		Defaults:         expectedDefaults,
-		FeatureFlags:     expectedFeatures,
-		Metrics:          metrics,
-		TrustedResources: expectedTrustedResources,
-		SpireConfig:      expectedSpireConfig,
+		Defaults:     expectedDefaults,
+		FeatureFlags: expectedFeatures,
+		Metrics:      metrics,
+		SpireConfig:  expectedSpireConfig,
 	}
 
 	store := config.NewStore(logtesting.TestLogger(t))
 	store.OnConfigChanged(defaultConfig)
 	store.OnConfigChanged(featuresConfig)
 	store.OnConfigChanged(metricsConfig)
-	store.OnConfigChanged(trustedresourcesConfig)
 	store.OnConfigChanged(spireConfig)
 
 	cfg := config.FromContext(store.ToContext(context.Background()))
@@ -67,15 +63,13 @@ func TestStoreLoadWithContext_Empty(t *testing.T) {
 	defaults, _ := config.NewDefaultsFromMap(map[string]string{})
 	featureFlags, _ := config.NewFeatureFlagsFromMap(map[string]string{})
 	metrics, _ := config.NewMetricsFromConfigMap(&corev1.ConfigMap{Data: map[string]string{}})
-	trustedresources, _ := config.NewTrustedResourcesConfigFromMap(map[string]string{})
 	spireConfig, _ := config.NewSpireConfigFromMap(map[string]string{})
 
 	want := &config.Config{
-		Defaults:         defaults,
-		FeatureFlags:     featureFlags,
-		Metrics:          metrics,
-		TrustedResources: trustedresources,
-		SpireConfig:      spireConfig,
+		Defaults:     defaults,
+		FeatureFlags: featureFlags,
+		Metrics:      metrics,
+		SpireConfig:  spireConfig,
 	}
 
 	store := config.NewStore(logtesting.TestLogger(t))