[Cosigned] Convert functions for webhookCIP from v1alpha1

[DennyHoang]

Signed-off-by: Denny Hoang [email protected]

Summary

Continual improvement to webhookCIP

• Less reliance on marshal/unmarshal to allow for more customization and streamlined conversion between CIP and the webhookCIP representation
• KeylessRef.CACert now uses the webhookCIP representation of KeyRef
• Logic for inlinedData from secretRef and KMS moved from reconciler file to the clusterimagepolicy_types for consolidation and removing bulk in reconciler file
• No new tests were added at the moment because the clusterimagepolicy_test already had decent coverage for all the inlining data etc

cc: @coyote240 @hectorj2f @vaikas

[codecov-commenter]

Codecov Report

Merging #1736 (d161bce) into main (de85b7e) will decrease coverage by 0.56%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main    #1736      +/-   ##
==========================================
- Coverage   29.52%   28.96%   -0.57%     
==========================================
  Files         141      141              
  Lines        8502     8394     -108     
==========================================
- Hits         2510     2431      -79     
+ Misses       5718     5697      -21     
+ Partials      274      266       -8     

Impacted Files	Coverage Δ
...econciler/clusterimagepolicy/clusterimagepolicy.go	53.73% <100.00%> (-10.27%)	⬇️
pkg/cosign/tuf/client.go	62.34% <0.00%> (-0.95%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update de85b7e...d161bce. Read the comment docs.

[hectorj2f]

lgtm, so far.

[hectorj2f]

nit: organize the imports as groups (sigstore ones, external, golang packages).

[DennyHoang]

Going to organize it as golang packages, cosign, sigstore, k8s, and then knative. Then all alphabetical within those package groups (not based on the alias of the package)

[hectorj2f]

suggestion: I am considering whether we should create again all the resources again. As a consequence, we should create the type for ImagePattern, Sources and Identities here to be consistent.

[hectorj2f]

@vaikas wdyt?

[vaikas]

Consistency is good indeed :) So, I'd be down for recreating them here, or always use one from the CRD. I don't think I have strong feelings on one or the other. If we can import the CRD ones, seems better to only have to update one place.

[DennyHoang]

I kept the other ones as imports from the CRD because we arent currently manipulating it at the moment and it is a direct 1:1 mapping.
We actually manipulate keyRefs so that is why Authorities and key[less]Refs were re-implemented as required.

When the other properties diverge, I feel that updating it then makes more sense to keep potential updates in one place as Ville mentions until that diverging.

If there are any strong feelings for one or the other, it is easy enough to replicate the structs and updating tests.

[vaikas]

I'd rather not have Tracker / SecretLister exposed here. I'm envisioning using these functions for example, from Cosign the CLI for various reasons, so having the Tracker exposed or secretlister doesn't make sense.
I would rather have this be a three pass operation from the Reconciler:

1. Resolve the inline references
2. Convert to Webhook.

Right now I can't do the second one from CLI (or maybe from other users of this library) because I don't have secretlisters or trackers. So, I'd rather have a Convert function that only converts to inline webhook data with no side effects.

So, I guess I'd rather have a method in Reconciler that handles the CIP->CIP-With-References-Inlined as a method that can take trackers / listers as necessary.
Then, the second step would just take the CIP-With-References-Inlined and this has no side effects at all, and is re-useable from other places as a standalone method that will then allow those places to call the ValidatePolicy.

Thoughts?

[hectorj2f]

If we see those functions been used somewhere else, then lets keep them where they can be reused.

[hectorj2f]

, I guess I'd rather have a method in Reconciler that handles the CIP->CIP-With-References-Inlined as a method that can take trackers / listers as necessary.

I like this option.

[vaikas]

Thanks for cleaning up the marshal/nonmarshal stuff woot woot.

[vaikas]

nit, I think this is not stricly necessary because we don't modify, but since we use the images from L105 as inputs, can't think right now if that will make a difference.