feat: add cosign keyless support to trust policy (ratify-project#1503)
akashsinghal authored and binbin-li committed Sep 14, 2024
1 parent 91b10fa commit f6b768a
Showing 16 changed files with 585 additions and 185 deletions.
2 changes: 2 additions & 0 deletions Makefile
Expand Up @@ -592,6 +592,7 @@ e2e-helm-deploy-ratify:
--set notationCerts[0]="$$(cat ~/.config/notation/localkeys/ratify-bats-test.crt)" \
--set cosignKeys[0]="$$(cat .staging/cosign/cosign.pub)" \
--set cosign.key="$$(cat .staging/cosign/cosign.pub)" \
--set cosign.tLogVerify=false \
--set oras.useHttp=true \
--set-file dockerConfig="mount_config.json" \
--set logger.level=debug
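Review bot: `--set cosign.tLogVerify=false` on e2e-helm-deploy-ratify turns off the Rekor transparency-log check for the whole test deployment. That is understandable for the locally generated `.staging/cosign/cosign.pub` key, which has no Rekor entry, but a one-line comment on the target saying so would keep this flag from being copied into production values, where the chart default stays `true`.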
Expand All @@ -611,6 +612,7 @@ e2e-helm-deploy-ratify-without-tls-certs:
--set notaryCert="$$(cat ~/.config/notation/localkeys/ratify-bats-test.crt)" \
--set cosign.key="$$(cat .staging/cosign/cosign.pub)" \
--set cosignKeys[0]="$$(cat .staging/cosign/cosign.pub)" \
--set cosign.tLogVerify=false \
--set oras.useHttp=true \
--set-file dockerConfig="mount_config.json" \
--set logger.level=debug
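Review bot: the same `--set cosign.tLogVerify=false` is repeated verbatim in e2e-helm-deploy-ratify-without-tls-certs; the shared `--set` flags of the two targets could live in one Make variable so the two deployments cannot drift apart.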
7 changes: 7 additions & 0 deletions charts/ratify/README.md
Expand Up @@ -51,6 +51,13 @@ Values marked `# DEPRECATED` in the `values.yaml` as well as **DEPRECATED** in t
| cosignKeys | An array of public keys used to create inline key management providers used by Cosign verifier | `[]` |
| cosign.enabled | Enables/disables cosign tag-based signature lookup in ORAS store. MUST be set to true for cosign verification. | `true` |
| cosign.scopes | An array of scopes relevant to the single trust policy configured in Cosign verifier. A scope of '*' is a global wildcard character to represent all images apply. | `["*"]` |
| cosign.rekorURL | URL string reference to remote rekor server. If not specified, implementation will default to use Rekor public good instance `https://rekor.sigstore.dev`. | `` |
| cosign.tLogVerify | Enables/disables verification of presence of signature in Transparency log. | `true` |
| cosign.keyless.ctLogVerify | Enables/disables verification of presence of Secure Certificate Timestamp (SCT) in transparency log | `true` |
| cosign.keyless.certificateIdentity | String certificate identity used for exact identity match during verification. Either `certificateIdentity` or `certificateIdentityRegExp` MUST be defined, but both cannot be defined at together | `` |
| cosign.keyless.certificateIdentityRegExp | String certificate identity regular expression for identity matching during verification. Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. Either `certificateIdentity` or `certificateIdentityRegExp` MUST be defined, but both cannot be defined together | `` |
| cosign.keyless.certificateOIDCIssuer | String certificate OIDC issuer for exact issuer matching during verification. Either `certificateOIDCIssuer` or `certificateOIDCIssuerRegExp` MUST be defined, but both cannot be defined together | `` |
| cosign.keyless.certificateOIDCIssuerRegExp | String certificate OIDC issuer regular expression for issuer matching during verification. Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. Either `certificateOIDCIssuer` or `certificateOIDCIssuerRegExp` MUST be defined, but both cannot be defined together | `` |
| vulnerabilityreport.enabled | Enables/disables installation of vulnerability report verifier | `false` |
| vulnerabilityreport.passthrough | Enables/disables passthrough. All validation except `maximumAge` are disregarded and report content is added to verifier report | `false` |
| vulnerabilityreport.schemaURL | URL for JSON schema to validate report against | `` |
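Review bot: typo in the `cosign.keyless.certificateIdentity` row: "both cannot be defined at together" should read "both cannot be defined together", as the three rows below it say. The two `*RegExp` rows would also benefit from telling users to anchor the pattern (`^...$`); with Go RE2 syntax an unanchored expression matches any identity or issuer that merely contains the pattern, which is rarely what a trust policy intends, so it is worth confirming how the verifier applies it and documenting that here.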
16 changes: 16 additions & 0 deletions charts/ratify/templates/_helpers.tpl
Expand Up @@ -146,4 +146,20 @@ Set the namespace exclusions for Assign
{{- if and (ne .Release.Namespace $gkNamespace) (ne .Release.Namespace "kube-system") }}
- {{ .Release.Namespace | quote}}
{{- end }}
{{- end }}

{{/*
Choose cosign legacy or not. Determined by if cosignKeys are provided or not
OR if azurekeyvault is enabled and keys are provided
OR if keyless is enabled and certificateIdentity, certificateIdentityRegExp, certificateOIDCIssuer, or certificateOIDCIssuerExp are provided
*/}}
{{- define "ratify.cosignLegacy" -}}
{{- $cosignKeysPresent := gt (len .Values.cosignKeys) 0 -}}
{{- $azureKeyVaultEnabled := .Values.azurekeyvault.enabled -}}
{{- $azureKeyVaultKeysPresent := gt (len .Values.azurekeyvault.keys) 0 -}}
{{- if or $cosignKeysPresent (and $azureKeyVaultEnabled $azureKeyVaultKeysPresent) .Values.cosign.keyless.certificateIdentity .Values.cosign.keyless.certificateIdentityRegExp .Values.cosign.keyless.certificateOIDCIssuer .Values.cosign.keyless.certificateOIDCIssuerExp -}}
false
{{- else }}
true
{{- end }}
{{- end }}
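Review bot: `.Values.cosign.keyless.certificateOIDCIssuerExp` in the `if` (and `certificateOIDCIssuerExp` in the comment above it) does not match the value name used everywhere else in this change, `certificateOIDCIssuerRegExp` (values.yaml, verifier.yaml, README). Helm resolves the missing key to nil, so a user who sets only `cosign.keyless.certificateOIDCIssuerRegExp` alongside an identity field from the AKV path will still be evaluated against the wrong key; rename it to `certificateOIDCIssuerRegExp`. Separately, `{{- else }}` does not trim the newline after it, so the template yields `"false"` on one branch and `"\ntrue"` on the other; `(eq (include "ratify.cosignLegacy" .) "false")` in verifier.yaml still works, but `{{- else -}}` would make both outputs comparable and avoid a surprise for the next caller.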
12 changes: 11 additions & 1 deletion charts/ratify/templates/verifier.yaml
Expand Up @@ -50,7 +50,7 @@ spec:
name: cosign
artifactTypes: application/vnd.dev.cosign.artifact.sig.v1+json
parameters:
{{- if or (gt (len .Values.cosignKeys) 0) (and .Values.azurekeyvault.enabled (gt (len .Values.azurekeyvault.keys) 0)) }}
{{- if (eq (include "ratify.cosignLegacy" .) "false") }}
trustPolicies:
- name: default
version: 1.0.0
Expand All @@ -65,6 +65,16 @@ spec:
{{- if and .Values.azurekeyvault.enabled (gt (len .Values.azurekeyvault.keys) 0) }}
- provider: kmprovider-akv
{{- end }}
tLogVerify: {{ .Values.cosign.tLogVerify }}
rekorURL: {{ .Values.cosign.rekorURL }}
{{- if or .Values.cosign.keyless.certificateIdentity .Values.cosign.keyless.certificateIdentityRegExp .Values.cosign.keyless.certificateOIDCIssuer .Values.cosign.keyless.certificateOIDCIssuerRegExp }}
keyless:
ctLogVerify: {{ .Values.cosign.keyless.ctLogVerify }}
certificateIdentity: {{ .Values.cosign.keyless.certificateIdentity }}
certificateIdentityRegExp: {{ .Values.cosign.keyless.certificateIdentityRegExp }}
certificateOIDCIssuer: {{ .Values.cosign.keyless.certificateOIDCIssuer }}
certificateOIDCIssuerRegExp: {{ .Values.cosign.keyless.certificateOIDCIssuerRegExp }}
{{- end }}
{{- else }}
key: /usr/local/ratify-certs/cosign/cosign.pub
{{- end }}
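Review bot: the `rekorURL` and `keyless` string values are emitted unquoted. `certificateIdentityRegExp` and `certificateOIDCIssuerRegExp` will routinely contain characters YAML treats specially (a leading `*`, `: `, ` #`), and an empty `rekorURL` renders as `rekorURL:` (null) rather than `""`. Pipe the string fields through `| quote`, e.g. `certificateIdentityRegExp: {{ .Values.cosign.keyless.certificateIdentityRegExp | quote }}`, leaving the booleans as they are. Also, the `keyless:` block is gated on any one of the four fields being set, so the README rule that exactly one identity field and exactly one issuer field MUST be defined is not enforced: a `fail` call when a pair is both empty or both populated would surface the misconfiguration at `helm install` instead of at verification time.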
9 changes: 9 additions & 0 deletions charts/ratify/values.yaml
Expand Up @@ -16,6 +16,15 @@ cosign:
enabled: true
scopes: ["*"] # corresponds to a single trust policy
key: "" # DEPRECATED: Use cosignKeys instead
rekorURL: ""
tLogVerify: true
keyless:
ctLogVerify: true
certificateIdentity: ""
certificateIdentityRegExp: ""
certificateOIDCIssuer: ""
certificateOIDCIssuerRegExp: ""

vulnerabilityreport:
enabled: false
passthrough: false
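Review bot: the new keys carry no inline comments, unlike `scopes` and `key` directly above them. Please annotate `tLogVerify` and `ctLogVerify` as the security-relevant defaults (setting either to `false` accepts a signature or certificate with no transparency-log evidence) and note on `keyless:` that populating any of the four identity/issuer fields switches the verifier off the legacy `key:` path, since that behaviour is only discoverable by reading `_helpers.tpl`.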
Original file line number Diff line number Diff line change
Expand Up @@ -11,4 +11,5 @@ spec:
scopes:
- "*"
keys:
- provider: ratify-cosign-inline-key-0
- provider: ratify-cosign-inline-key-0
tLogVerify: false
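Review bot: the `- provider: ratify-cosign-inline-key-0` line appears as both removed and re-added with the same text, which usually means the original file lacked a trailing newline; worth confirming nothing else changed on that line. `tLogVerify: false` is fine for a fixture whose inline key never publishes to Rekor, but if this manifest doubles as a sample users copy, leave it at the default of `true` and override it only from the test harness.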
Original file line number Diff line number Diff line change
Expand Up @@ -12,3 +12,4 @@ spec:
- "*"
keys:
- provider: default/ratify-cosign-inline-key-0
tLogVerify: false
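Review bot: same `tLogVerify: false` added to this second fixture; a trailing comment stating that the e2e inline key has no Rekor entry would document why the transparency-log check is disabled here and nowhere else.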