[Cosigned] Convert functions for webhookCIP from v1alpha1 #1736
Merged
+74
−101
Create convert functions for internal CIP
Signed-off-by: Denny Hoang <dhoang@vmware.com>
commit c8ed1114dbf71a17c28d5da73ba897bdeaee3f7f
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -21,6 +21,8 @@ import ( | |
"encoding/pem" | ||
|
||
"github.com/sigstore/cosign/pkg/apis/cosigned/v1alpha1" | ||
|
||
"knative.dev/pkg/apis" | ||
) | ||
|
||
// ClusterImagePolicy defines the images that go through verification | ||
|
@@ -37,7 +39,7 @@ type Authority struct { | |
// +optional | ||
Key *KeyRef `json:"key,omitempty"` | ||
// +optional | ||
Keyless *v1alpha1.KeylessRef `json:"keyless,omitempty"` | ||
Keyless *KeylessRef `json:"keyless,omitempty"` | ||
// +optional | ||
Sources []v1alpha1.Source `json:"source,omitempty"` | ||
// +optional | ||
|
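Review bot: Authority now mixes package-local and CRD types with nothing in the struct saying why: Keyless is the local *KeylessRef while Sources, two fields down, is still []v1alpha1.Source. A short comment on Authority stating which fields are deliberately shared with v1alpha1 and which are redeclared here would keep later edits from drifting the two apart by accident.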
@@ -50,15 +52,21 @@ type KeyRef struct { | |
// Data contains the inline public key | ||
// +optional | ||
Data string `json:"data,omitempty"` | ||
// KMS contains the KMS url of the public key | ||
// +optional | ||
KMS string `json:"kms,omitempty"` | ||
// PublicKeys are not marshalled because JSON unmarshalling | ||
// errors for *big.Int | ||
// +optional | ||
PublicKeys []*ecdsa.PublicKey `json:"-"` | ||
} | ||
|
||
type KeylessRef struct { | ||
// +optional | ||
URL *apis.URL `json:"url,omitempty"` | ||
// +optional | ||
Identities []v1alpha1.Identity `json:"identities,omitempty"` | ||
// +optional | ||
CACert *KeyRef `json:"ca-cert,omitempty"` | ||
} | ||
|
||
// UnmarshalJSON populates the PublicKeys using Data because | ||
// JSON unmashalling errors for *big.Int | ||
func (k *KeyRef) UnmarshalJSON(data []byte) error { | ||
|
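Review bot: KeylessRef is added with no doc comment on the type or on URL, Identities and CACert, whereas the KeyRef fields just above each say what they hold; please document them, in particular what CACert's Data is expected to contain. CACert is typed as *KeyRef, and KeyRef.UnmarshalJSON passes Data to ConvertKeyDataToPublicKeys, which calls x509.ParsePKIXPublicKey and returns []*ecdsa.PublicKey, so a test that unmarshals a ca-cert value would show whether that parsing is what is wanted for this field. The context comment on UnmarshalJSON also has a typo, "unmashalling".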
@@ -73,7 +81,7 @@ func (k *KeyRef) UnmarshalJSON(data []byte) error { | |
k.Data = ret["data"] | ||
|
||
if ret["data"] != "" { | ||
publicKeys, err = convertKeyDataToPublicKeys(ret["data"]) | ||
publicKeys, err = ConvertKeyDataToPublicKeys(ret["data"]) | ||
if err != nil { | ||
return err | ||
} | ||
|
@@ -84,9 +92,59 @@ func (k *KeyRef) UnmarshalJSON(data []byte) error { | |
return nil | ||
} | ||
|
||
func convertKeyDataToPublicKeys(pubKey string) ([]*ecdsa.PublicKey, error) { | ||
keys := []*ecdsa.PublicKey{} | ||
func ConvertClusterImagePolicyV1alpha1ToWebhook(in *v1alpha1.ClusterImagePolicy) *ClusterImagePolicy { | ||
copyIn := in.DeepCopy() | ||
nit, I think this is not strictly necessary because we don't modify, but since we use the images from L105 as inputs, can't think right now if that will make a difference. |
||
|
||
outAuthorities := make([]Authority, 0) | ||
for _, authority := range copyIn.Spec.Authorities { | ||
outAuthority := convertAuthorityV1Alpha1ToWebhook(authority) | ||
outAuthorities = append(outAuthorities, *outAuthority) | ||
} | ||
|
||
return &ClusterImagePolicy{ | ||
Images: copyIn.Spec.Images, | ||
Authorities: outAuthorities, | ||
} | ||
} | ||
|
||
func convertAuthorityV1Alpha1ToWebhook(in v1alpha1.Authority) *Authority { | ||
keyRef := convertKeyRefV1Alpha1ToWebhook(in.Key) | ||
keylessRef := convertKeylessRefV1Alpha1ToWebhook(in.Keyless) | ||
|
||
return &Authority{ | ||
Key: keyRef, | ||
Keyless: keylessRef, | ||
Sources: in.Sources, | ||
CTLog: in.CTLog, | ||
} | ||
} | ||
|
||
func convertKeyRefV1Alpha1ToWebhook(in *v1alpha1.KeyRef) *KeyRef { | ||
if in == nil { | ||
return nil | ||
} | ||
|
||
return &KeyRef{ | ||
Data: in.Data, | ||
} | ||
} | ||
|
||
func convertKeylessRefV1Alpha1ToWebhook(in *v1alpha1.KeylessRef) *KeylessRef { | ||
if in == nil { | ||
return nil | ||
} | ||
|
||
CACertRef := convertKeyRefV1Alpha1ToWebhook(in.CACert) | ||
|
||
return &KeylessRef{ | ||
URL: in.URL, | ||
Identities: in.Identities, | ||
CACert: CACertRef, | ||
} | ||
} | ||
|
||
func ConvertKeyDataToPublicKeys(pubKey string) ([]*ecdsa.PublicKey, error) { | ||
keys := []*ecdsa.PublicKey{} | ||
pems := parsePems([]byte(pubKey)) | ||
for _, p := range pems { | ||
key, err := x509.ParsePKIXPublicKey(p.Bytes) | ||
|
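Review bot: convertKeyRefV1Alpha1ToWebhook returns &KeyRef{Data: in.Data} and never fills PublicKeys, which the visible code populates only in KeyRef.UnmarshalJSON, so a policy converted in memory carries key data but no parsed keys unless the caller also runs ConvertKeyDataToPublicKeys. Either parse in the converter, which means returning an error up through ConvertClusterImagePolicyV1alpha1ToWebhook, or say in a doc comment that parsing is the caller's job. Separately, ConvertClusterImagePolicyV1alpha1ToWebhook has no nil check on in, unlike the KeyRef and KeylessRef helpers, both exported functions lack doc comments, and CACertRef would normally be spelled caCertRef.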
suggestion: I am considering whether we should create all the resources again. As a consequence, we should create the type for ImagePattern, Sources and Identities here to be consistent.

@vaikas wdyt?

Consistency is good indeed :) So, I'd be down for recreating them here, or always use one from the CRD. I don't think I have strong feelings on one or the other. If we can import the CRD ones, seems better to only have to update one place.

I kept the other ones as imports from the CRD because we aren't currently manipulating it at the moment and it is a direct 1:1 mapping.
We actually manipulate keyRefs so that is why Authorities and key[less]Refs were re-implemented as required.
When the other properties diverge, I feel that updating it then makes more sense to keep potential updates in one place as Ville mentions until that diverging.
If there are any strong feelings for one or the other, it is easy enough to replicate the structs and update tests.