forked from sigstore/cosign
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
This is the start of the necessary pieces to get sigstore#1418 and si…
…gstore#1419 implemented ClusterImagePolicy reconciler will now create a configmap (no secret support yet) and update it on changes (not on deletions yet). Also put up most necessary testing pieces so that we can start unit testing the reconciler and make sure it updates the resulting configmap. There's also a ConfigStore that we can then inject into the admission webhook that I have wired in there (nop for now, but demonstrating how it could work). Idea being that you could then for a given image ask for all the authorities that need to be validated. You can see what that config looks like in the /pkg/apis/config/testdata/image-policies.yaml and the accompanying tests in /pkg/apis/config/image_policies_test I made sure that it works with both yaml/json. While playing with this there's some questions that came to mind, so I'll take those to the document. Hope is that we get enough pieces in place so that we can agree on the major moving pieces and how they fit together and enough testing in place that we can start sharding up the work more efficiently and in more focused areas. Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
- Loading branch information
Showing
22 changed files
with
1,338 additions
and
5 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| // | ||
| // Copyright 2022 The Sigstore Authors. | ||
| // | ||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||
| // you may not use this file except in compliance with the License. | ||
| // You may obtain a copy of the License at | ||
| // | ||
| // http://www.apache.org/licenses/LICENSE-2.0 | ||
| // | ||
| // Unless required by applicable law or agreed to in writing, software | ||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| // See the License for the specific language governing permissions and | ||
| // limitations under the License. | ||
|
|
||
| // +k8s:deepcopy-gen=package | ||
|
|
||
| // Package config holds the typed objects that define the schemas for | ||
| // ConfigMap objects that pertain to our API objects. | ||
| // This ConfigMap gets created by the Reconciler by combining all the | ||
| // ClusterImagePolicy CR into a single ConfigMap so that the AdmissionController | ||
| // only needs to deal with a single resource when validationg. | ||
|
|
||
| package config |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,105 @@ | ||
| // | ||
| // Copyright 2022 The Sigstore Authors. | ||
| // | ||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||
| // you may not use this file except in compliance with the License. | ||
| // You may obtain a copy of the License at | ||
| // | ||
| // http://www.apache.org/licenses/LICENSE-2.0 | ||
| // | ||
| // Unless required by applicable law or agreed to in writing, software | ||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| // See the License for the specific language governing permissions and | ||
| // limitations under the License. | ||
|
|
||
| package config | ||
|
|
||
| import ( | ||
| "encoding/json" | ||
| "errors" | ||
| "fmt" | ||
|
|
||
| "github.com/sigstore/cosign/pkg/apis/cosigned/v1alpha1" | ||
| corev1 "k8s.io/api/core/v1" | ||
| "sigs.k8s.io/yaml" | ||
| ) | ||
|
|
||
| const ( | ||
| // ImagePoliciesConfigName is the name of ConfigMap created by the | ||
| // reconciler and consumed by the admission webhook. | ||
| ImagePoliciesConfigName = "image-policies" | ||
| ) | ||
|
|
||
| type ImagePolicyConfig struct { | ||
| // This is the list of ImagePolicies that a admission controller uses | ||
| // to make policy decisions. | ||
| // TODO(vaikas): Revisit the datastructure. For now seems fine to use the | ||
| // same definitions from the API definition. The _only_ difference is that | ||
| // we do not use SecretReference fields, they get resolved and inlined | ||
| // in the Secret. So it seemed unnecessary to mirror those all over. | ||
| // Key in the map is the name of the ClusterImagePolicy where the Policy | ||
| // was received from. | ||
| Policies map[string]v1alpha1.ClusterImagePolicySpec | ||
| } | ||
|
|
||
| // NewImagePoliciesConfigFromMap creates an ImagePolicyConfig from the supplied | ||
| // Map | ||
| func NewImagePoliciesConfigFromMap(data map[string]string) (*ImagePolicyConfig, error) { | ||
| ret := &ImagePolicyConfig{Policies: make(map[string]v1alpha1.ClusterImagePolicySpec, len(data))} | ||
| // Spin through the ConfigMap. Each key will point to resolved | ||
| // ImagePatterns. | ||
| for k, v := range data { | ||
| // This is the example that we use to document / test the ConfigMap. | ||
| if k == "_example" { | ||
| continue | ||
| } | ||
| if v == "" { | ||
| return nil, fmt.Errorf("ConfigMap has an entry %q but no value", k) | ||
| } | ||
| clusterImagePolicy := &v1alpha1.ClusterImagePolicySpec{} | ||
|
|
||
| if err := parseEntry(v, clusterImagePolicy); err != nil { | ||
| return nil, fmt.Errorf("Failed to parse the entry %q : %q : %s", k, v, err) | ||
| } | ||
| fmt.Printf("GOT CIP: %+v\n", clusterImagePolicy) | ||
| ret.Policies[k] = *clusterImagePolicy | ||
| } | ||
| return ret, nil | ||
| } | ||
|
|
||
| // NewImagePoliciesConfigFromConfigMap creates a Features from the supplied ConfigMap | ||
| func NewImagePoliciesConfigFromConfigMap(config *corev1.ConfigMap) (*ImagePolicyConfig, error) { | ||
| return NewImagePoliciesConfigFromMap(config.Data) | ||
| } | ||
|
|
||
| func parseEntry(entry string, out interface{}) error { | ||
| j, err := yaml.YAMLToJSON([]byte(entry)) | ||
| if err != nil { | ||
| return fmt.Errorf("ConfigMap's value could not be converted to JSON: %s : %v", err, entry) | ||
| } | ||
| return json.Unmarshal(j, &out) | ||
| } | ||
|
|
||
| // GetAuthorities returns all matching Authorities that need to be matched for | ||
| // the given Image. | ||
| func (p *ImagePolicyConfig) GetAuthorities(image string) ([]v1alpha1.Authority, error) { | ||
| if p == nil { | ||
| return nil, errors.New("Config is nil") | ||
| } | ||
|
|
||
| ret := []v1alpha1.Authority{} | ||
|
|
||
| // TODO(vaikas): this is very inefficient, we should have a better | ||
| // way to go from image to Authorities, but just seeing if this is even | ||
| // workable so fine for now. | ||
| for _, v := range p.Policies { | ||
| for _, pattern := range v.Images { | ||
| // TODO(vaikas): do the actual glob match. | ||
| if image == pattern.Glob { | ||
| ret = append(ret, pattern.Authorities...) | ||
| } | ||
| } | ||
| } | ||
| return ret, nil | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,111 @@ | ||
| // Copyright 2022 The Sigstore Authors. | ||
| // | ||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||
| // you may not use this file except in compliance with the License. | ||
| // You may obtain a copy of the License at | ||
| // | ||
| // http://www.apache.org/licenses/LICENSE-2.0 | ||
| // | ||
| // Unless required by applicable law or agreed to in writing, software | ||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| // See the License for the specific language governing permissions and | ||
| // limitations under the License. | ||
|
|
||
| package config | ||
|
|
||
| import ( | ||
| "testing" | ||
|
|
||
| . "knative.dev/pkg/configmap/testing" | ||
| _ "knative.dev/pkg/system/testing" | ||
| ) | ||
|
|
||
| const ( | ||
| // Just some public key that was laying around, only format matters. | ||
| inlineKeyData = `-----BEGIN PUBLIC KEY----- | ||
| MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J | ||
| RCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ== | ||
| -----END PUBLIC KEY-----` | ||
| ) | ||
|
|
||
| func TestDefaultsConfigurationFromFile(t *testing.T) { | ||
| _, example := ConfigMapsFromTestFile(t, ImagePoliciesConfigName) | ||
| if _, err := NewImagePoliciesConfigFromConfigMap(example); err != nil { | ||
| t.Error("NewImagePoliciesConfigFromConfigMap(example) =", err) | ||
| } | ||
| } | ||
|
|
||
| func TestGetAuthorities(t *testing.T) { | ||
| _, example := ConfigMapsFromTestFile(t, ImagePoliciesConfigName) | ||
| defaults, err := NewImagePoliciesConfigFromConfigMap(example) | ||
| if err != nil { | ||
| t.Error("NewImagePoliciesConfigFromConfigMap(example) =", err) | ||
| } | ||
| c, err := defaults.GetAuthorities("rando") | ||
| if err != nil { | ||
| t.Error("GetMatches Failed =", err) | ||
| } | ||
| if len(c) == 0 { | ||
| t.Error("Wanted a config, got none.") | ||
| } | ||
| want := "inlinedata here" | ||
| if got := c[0].Key.Data; got != want { | ||
| t.Errorf("Did not get what I wanted %q, got %+v", want, c[0].Key.Data) | ||
| } | ||
| c, err = defaults.GetAuthorities("rando*") | ||
| if err != nil { | ||
| t.Error("GetMatches Failed =", err) | ||
| } | ||
| if len(c) == 0 { | ||
| t.Error("Wanted a config, got none.") | ||
| } | ||
| want = "otherinline here" | ||
| if got := c[0].Key.Data; got != want { | ||
| t.Errorf("Did not get what I wanted %q, got %+v", want, c[0].Key.Data) | ||
| } | ||
| c, err = defaults.GetAuthorities("rando3") | ||
| if err != nil { | ||
| t.Error("GetMatches Failed =", err) | ||
| } | ||
| if len(c) == 0 { | ||
| t.Error("Wanted a config, got none.") | ||
| } | ||
| want = "cakey chilling here" | ||
| if got := c[0].Keyless.CAKey.Data; got != want { | ||
| t.Errorf("Did not get what I wanted %q, got %+v", want, c[0].Keyless.CAKey.Data) | ||
| } | ||
| want = "issuer" | ||
| if got := c[0].Keyless.Identities[0].Issuer; got != want { | ||
| t.Errorf("Did not get what I wanted %q, got %+v", want, c[0].Keyless.Identities[0].Issuer) | ||
| } | ||
| want = "subject" | ||
| if got := c[0].Keyless.Identities[0].Subject; got != want { | ||
| t.Errorf("Did not get what I wanted %q, got %+v", want, c[0].Keyless.Identities[0].Subject) | ||
| } | ||
| // Test multiline yaml cert | ||
| c, err = defaults.GetAuthorities("inlinecert") | ||
| if err != nil { | ||
| t.Error("GetMatches Failed =", err) | ||
| } | ||
| if len(c) == 0 { | ||
| t.Error("Wanted a config, got none.") | ||
| } | ||
| want = inlineKeyData | ||
| if got := c[0].Key.Data; got != want { | ||
| t.Errorf("Did not get what I wanted %q, got %+v", want, c[0].Key.Data) | ||
| } | ||
| // Test multiline cert but json encoded | ||
| c, err = defaults.GetAuthorities("ghcr.io/example/*") | ||
| if err != nil { | ||
| t.Error("GetMatches Failed =", err) | ||
| } | ||
| if len(c) == 0 { | ||
| t.Error("Wanted a config, got none.") | ||
| } | ||
| want = inlineKeyData | ||
| if got := c[0].Key.Data; got != want { | ||
| t.Errorf("Did not get what I wanted %q, got %+v", want, c[0].Key.Data) | ||
| } | ||
|
|
||
| } |
Oops, something went wrong.