feat: add cosign keyless support to trust policy #1503

Merged
merged 21 commits into from
Jun 6, 2024
2 changes: 2 additions & 0 deletions Makefile
Expand Up @@ -592,6 +592,7 @@ e2e-helm-deploy-ratify:
--set notationCerts[0]="$$(cat ~/.config/notation/localkeys/ratify-bats-test.crt)" \
--set cosignKeys[0]="$$(cat .staging/cosign/cosign.pub)" \
--set cosign.key="$$(cat .staging/cosign/cosign.pub)" \
--set cosign.tLogVerify=false \
--set oras.useHttp=true \
--set-file dockerConfig="mount_config.json" \
--set logger.level=debug
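Review bot: `--set cosign.tLogVerify=false` in `e2e-helm-deploy-ratify` switches off the Rekor inclusion check for the whole e2e run, so no CI target exercises the transparency-log path that this PR makes the chart default. Add a short Makefile comment on why it is off here (I assume the `.staging/cosign` test key signs offline and the signature is never uploaded to Rekor) so the flag is not copied into user-facing examples, and consider keeping one target on the default `tLogVerify` value. Separately, this target still sets both the deprecated `cosign.key` and `cosignKeys[0]` to the same file; now that legacy selection is driven by `cosignKeys`, the `cosign.key` line looks redundant.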
Expand All @@ -611,6 +612,7 @@ e2e-helm-deploy-ratify-without-tls-certs:
--set notaryCert="$$(cat ~/.config/notation/localkeys/ratify-bats-test.crt)" \
--set cosign.key="$$(cat .staging/cosign/cosign.pub)" \
--set cosignKeys[0]="$$(cat .staging/cosign/cosign.pub)" \
--set cosign.tLogVerify=false \
--set oras.useHttp=true \
--set-file dockerConfig="mount_config.json" \
--set logger.level=debug
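Review bot: the same `--set cosign.tLogVerify=false` line is duplicated verbatim in `e2e-helm-deploy-ratify-without-tls-certs`, alongside the same `cosign.key`/`cosignKeys[0]` pair, so the two targets' cosign flags are now maintained by copy-paste. Consider hoisting them into one shared Makefile variable (for example `COSIGN_HELM_ARGS`, a name I am suggesting, not one in the repo) used by both targets, so a future change to the verification settings cannot land in one e2e target but not the other.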
7 changes: 7 additions & 0 deletions charts/ratify/README.md
Expand Up @@ -51,6 +51,13 @@ Values marked `# DEPRECATED` in the `values.yaml` as well as **DEPRECATED** in t
| cosignKeys | An array of public keys used to create inline key management providers used by Cosign verifier | `[]` |
| cosign.enabled | Enables/disables cosign tag-based signature lookup in ORAS store. MUST be set to true for cosign verification. | `true` |
| cosign.scopes | An array of scopes relevant to the single trust policy configured in Cosign verifier. A scope of '*' is a global wildcard character to represent all images apply. | `["*"]` |
| cosign.rekorURL | URL string reference to remote rekor server. If not specified, implementation will default to use Rekor public good instance `https://rekor.sigstore.dev`. | `` |
| cosign.tLogVerify | Enables/disables verification of presence of signature in Transparency log. | `true` |
| cosign.keyless.ctLogVerify | Enables/disables verification of presence of Secure Certificate Timestamp (SCT) in transparency log | `true` |
| cosign.keyless.certificateIdentity | String certificate identity used for exact identity match during verification. Either `certificateIdentity` or `certificateIdentityRegExp` MUST be defined, but both cannot be defined at together | `` |
| cosign.keyless.certificateIdentityRegExp | String certificate identity regular expression for identity matching during verification. Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. Either `certificateIdentity` or `certificateIdentityRegExp` MUST be defined, but both cannot be defined together | `` |
| cosign.keyless.certificateOIDCIssuer | String certificate OIDC issuer for exact issuer matching during verification. Either `certificateOIDCIssuer` or `certificateOIDCIssuerRegExp` MUST be defined, but both cannot be defined together | `` |
| cosign.keyless.certificateOIDCIssuerRegExp | String certificate OIDC issuer regular expression for issuer matching during verification. Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. Either `certificateOIDCIssuer` or `certificateOIDCIssuerRegExp` MUST be defined, but both cannot be defined together | `` |
| vulnerabilityreport.enabled | Enables/disables installation of vulnerability report verifier | `false` |
| vulnerabilityreport.passthrough | Enables/disables passthrough. All validation except `maximumAge` are disregarded and report content is added to verifier report | `false` |
| vulnerabilityreport.schemaURL | URL for JSON schema to validate report against | `` |
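Review bot: the `cosign.keyless.certificateIdentity` row has a typo: `but both cannot be defined at together` should read `but both cannot be defined together`. Two documentation gaps in the same table are worth closing: the `cosign.rekorURL` row shows an empty default while the description says the verifier falls back to `https://rekor.sigstore.dev`, so state explicitly that the chart passes an empty string and the fallback is applied by the verifier; and the two `*RegExp` rows should warn that an unanchored Go regular expression is a substring match, so identity and issuer patterns should be anchored with `^` and `$` to avoid accepting a broader set of signers than intended.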
16 changes: 16 additions & 0 deletions charts/ratify/templates/_helpers.tpl
Expand Up @@ -146,4 +146,20 @@ Set the namespace exclusions for Assign
{{- if and (ne .Release.Namespace $gkNamespace) (ne .Release.Namespace "kube-system") }}
- {{ .Release.Namespace | quote}}
{{- end }}
{{- end }}

{{/*
Choose cosign legacy or not. Determined by if cosignKeys are provided or not
OR if azurekeyvault is enabled and keys are provided
OR if keyless is enabled and certificateIdentity, certificateIdentityRegExp, certificateOIDCIssuer, or certificateOIDCIssuerExp are provided
*/}}
{{- define "ratify.cosignLegacy" -}}
{{- $cosignKeysPresent := gt (len .Values.cosignKeys) 0 -}}
{{- $azureKeyVaultEnabled := .Values.azurekeyvault.enabled -}}
{{- $azureKeyVaultKeysPresent := gt (len .Values.azurekeyvault.keys) 0 -}}
{{- if or $cosignKeysPresent (and $azureKeyVaultEnabled $azureKeyVaultKeysPresent) .Values.cosign.keyless.certificateIdentity .Values.cosign.keyless.certificateIdentityRegExp .Values.cosign.keyless.certificateOIDCIssuer .Values.cosign.keyless.certificateOIDCIssuerExp -}}
false
{{- else }}
true
{{- end }}
{{- end }}
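Review bot: the `or` condition in `ratify.cosignLegacy` tests `.Values.cosign.keyless.certificateOIDCIssuerExp`, and the comment above it repeats that name, but the value is called `certificateOIDCIssuerRegExp` in `values.yaml` and in `verifier.yaml`; `certificateOIDCIssuerExp` is therefore always nil, so a values file that sets only `certificateOIDCIssuerRegExp` silently falls back to legacy `key:` mode instead of producing a keyless trust policy or failing loudly. Rename it to `certificateOIDCIssuerRegExp` in both the comment and the `if`. Minor: `{{- else }}` does not trim the newline before `true`, so the helper renders a leading newline in the legacy case; use `{{- else -}}` so both branches return a clean string.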
12 changes: 11 additions & 1 deletion charts/ratify/templates/verifier.yaml
Expand Up @@ -50,7 +50,7 @@ spec:
name: cosign
artifactTypes: application/vnd.dev.cosign.artifact.sig.v1+json
parameters:
{{- if or (gt (len .Values.cosignKeys) 0) (and .Values.azurekeyvault.enabled (gt (len .Values.azurekeyvault.keys) 0)) }}
{{- if (eq (include "ratify.cosignLegacy" .) "false") }}
trustPolicies:
- name: default
version: 1.0.0
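Review bot: `eq (include "ratify.cosignLegacy" .) "false"` is an exact string comparison, so the helper must render `false` with no surrounding whitespace; the helper's `if` branch trims both sides, which is why this works today, but its `else` branch does not, so anyone who later flips this check to compare against `"true"` would get a condition that never matches. Either wrap the include in `trim` here or trim both branches in the helper, and add a template test that renders `verifier.yaml` with and without `cosignKeys` to pin both outcomes.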
Expand All @@ -65,6 +65,16 @@ spec:
{{- if and .Values.azurekeyvault.enabled (gt (len .Values.azurekeyvault.keys) 0) }}
- provider: kmprovider-akv
{{- end }}
tLogVerify: {{ .Values.cosign.tLogVerify }}
rekorURL: {{ .Values.cosign.rekorURL }}
{{- if or .Values.cosign.keyless.certificateIdentity .Values.cosign.keyless.certificateIdentityRegExp .Values.cosign.keyless.certificateOIDCIssuer .Values.cosign.keyless.certificateOIDCIssuerRegExp }}
keyless:
ctLogVerify: {{ .Values.cosign.keyless.ctLogVerify }}
certificateIdentity: {{ .Values.cosign.keyless.certificateIdentity }}
certificateIdentityRegExp: {{ .Values.cosign.keyless.certificateIdentityRegExp }}
certificateOIDCIssuer: {{ .Values.cosign.keyless.certificateOIDCIssuer }}
certificateOIDCIssuerRegExp: {{ .Values.cosign.keyless.certificateOIDCIssuerRegExp }}
{{- end }}
{{- else }}
key: /usr/local/ratify-certs/cosign/cosign.pub
{{- end }}
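Review bot: the new `rekorURL`, `certificateIdentity`, `certificateIdentityRegExp`, `certificateOIDCIssuer` and `certificateOIDCIssuerRegExp` values are rendered unquoted; a regular expression that begins with `[` or contains `: ` or ` #` will be read by YAML as a flow sequence, a mapping or a comment and break the verifier CR, and an empty string renders as an empty (null) scalar. Pipe each through `| quote`, e.g. `certificateIdentityRegExp: {{ .Values.cosign.keyless.certificateIdentityRegExp | quote }}`. Also, the `keyless:` block is emitted when any one of the four fields is set, while the README requires one identity field and one issuer field; consider a `fail` in the template when only one side of that pair is configured, so the misconfiguration surfaces at `helm install` rather than as a verifier error at admission time.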
9 changes: 9 additions & 0 deletions charts/ratify/values.yaml
Expand Up @@ -16,6 +16,15 @@ cosign:
enabled: true
scopes: ["*"] # corresponds to a single trust policy
key: "" # DEPRECATED: Use cosignKeys instead
rekorURL: ""
tLogVerify: true
keyless:
ctLogVerify: true
certificateIdentity: ""
certificateIdentityRegExp: ""
certificateOIDCIssuer: ""
certificateOIDCIssuerRegExp: ""

vulnerabilityreport:
enabled: false
passthrough: false
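Review bot: the new keys carry no comments, whereas the neighbouring `scopes` and `key` entries do; add inline comments stating that `rekorURL: ""` means the verifier's default public Rekor instance, that `tLogVerify` and `ctLogVerify` default to `true` deliberately and should only be disabled for offline-signed test images, and that exactly one of `certificateIdentity`/`certificateIdentityRegExp` and exactly one of `certificateOIDCIssuer`/`certificateOIDCIssuerRegExp` must be set. Because the legacy/keyless selection in `_helpers.tpl` keys off these exact names, a misspelled key in a user's values file is ignored silently and drops the chart into legacy `key:` mode, so consider a `values.schema.json` with `additionalProperties: false` for the `cosign.keyless` object.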
Expand Up @@ -11,4 +11,5 @@ spec:
scopes:
- "*"
keys:
- provider: ratify-cosign-inline-key-0
- provider: ratify-cosign-inline-key-0
tLogVerify: false
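Review bot: this fixture adds `tLogVerify: false` to the trust policy, which turns off the Rekor inclusion check for the test; that is reasonable for an inline test key whose signatures were never uploaded, but with both fixtures in this PR disabled the same way no test covers the default `tLogVerify: true` path. Keep one fixture on the default (or add one), and put a comment on this line explaining that the key is offline-signed so the flag is not mistaken for a recommended setting.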
Expand Up @@ -12,3 +12,4 @@ spec:
- "*"
keys:
- provider: default/ratify-cosign-inline-key-0
tLogVerify: false