[TEP-0091] Add VerificationPolicy types to configure public keys #5714
Conversation
Skipping CI for Draft Pull Request.
/hold
The following is the coverage report on the affected files.
/assign @wlynch @jagathprakash
@Yongxuanzhang: GitHub didn't allow me to assign the following users: jagathprakash. Note that only tektoncd members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Hey hey I've taken an initial look at docs and tests in particular (since getting those in a good place really provides a lot of clarity around the rest of the changes XD)
- Before merging, please squash the 6 commits into one or two commits with detailed commit messages (right now it looks like there are a few that are just 'fix lint') 🙏
- nit: probably don't need to include the example in the release notes, can just point users toward the docs
Feel free to remove after commit squashing:
/hold
@@ -31,6 +31,7 @@ import ( | |||
fakekubeclient "knative.dev/pkg/client/injection/kube/client/fake" | |||
fakelimitrangeinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/limitrange/fake" | |||
fakeserviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/fake" | |||
_ "knative.dev/pkg/system/testing" |
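Review bot: the blank-identifier import `_ "knative.dev/pkg/system/testing"` is added to the import block without a comment saying which side effect the tests rely on, so the next reader has to rediscover why removing it breaks the suite. Add a one-line comment at the import site naming the dependency (the thread below attributes it to `system.Namespace()`), e.g. `_ "knative.dev/pkg/system/testing" // provides the system namespace that system.Namespace() reads`. If the test setup can establish that namespace explicitly instead of through an init()-time side effect, prefer that and drop the import.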
import side effects are pretty dangerous, and 'system testing' import side effects seem especially mysterious - if we can't remove this now and we have to include it to make the unit tests pass, can you create an issue to dig into what is going on here and see if we can avoid this side effect import?
There are some other places in our code base using this. I think it is due to the use of system.Namespace()
https://github.com/tektoncd/pipeline/search?q=_+%22knative.dev%2Fpkg%2Fsystem%2Ftesting%22
Discussed making the update to use the secret lister in a subsequent PR and sgtm 👍
@wlynch you have "changes requested" set on this PR, but I'm under the impression that @Yongxuanzhang followed up with you today and you don't have any blocking concerns.
Thanks for all your hard work and back and forth on this @Yongxuanzhang!
/approve
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: bobcatfish
The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
This commit adds VerificationPolicy as a new type under `pkg/apis/pipeline/v1alpha1`. Via VerificationPolicy, users can configure public keys in the CRD for resource verification. The mapping from resources to keys can be done via `pattern`.
name: "signed task with sha384 key", | ||
task: signedTask384, | ||
source: "gcr.io/tekton-releases/catalog/upstream/sha384", |
this is the case to test sha384 key @wlynch
/lgtm
Changes
This commit adds VerificationPolicy as a new type under `pkg/apis/pipeline/v1alpha1`. Via VerificationPolicy, users can configure public keys for resource verification via CRD. The `Pattern` field in VerificationPolicy can be configured to filter out the resources to get corresponding keys.
This commit mainly consists of `pkg/apis/pipeline/v1alpha1/verificationpolicy_types.go` and `pkg/trustedresources/verify.go`.
Signed-off-by: Yongxuanzhang [email protected]
/kind feature
Submitter Checklist
As the author of this PR, please check off the items in this checklist:
functionality, content, code)
/kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tep
Release Notes
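The pattern-to-key mapping and signature check that the description above outlines, worked through as an added Go example. This is not Tekton's code: the real VerificationPolicy schema and `pkg/trustedresources/verify.go` differ, and the `PublicKey`/`VerificationPolicy` shapes, the `HashAlgo` tag, the `MatchingPolicies`, `VerifyResource` and `Sign` names, the rule that every matching policy must be satisfied by one of its keys, and the gcr.io source strings and Task bytes are all assumptions constructed for this example. What it shows that the prose does not: a source matched by no policy is rejected rather than passed through, keys carry the digest algorithm the signer used (the sha384 key case in the PR's tests needs exactly this), and a narrow policy added next to a broad one cannot loosen it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"fmt"
	"regexp"
)

// PublicKey and VerificationPolicy are hypothetical, trimmed-down shapes, not the
// CRD schema: a policy's regexp Pattern selects the resource sources it governs,
// and Keys lists the ECDSA public keys trusted for them, each tagged with the
// digest algorithm the signer used (the sha384 key case in the PR's tests needs this).
type PublicKey struct {
	Key      *ecdsa.PublicKey
	HashAlgo string // "sha256" or "sha384"
}

type VerificationPolicy struct {
	Name    string
	Pattern string
	Keys    []PublicKey
}

var digests = map[string]func([]byte) []byte{
	"sha256": func(b []byte) []byte { h := sha256.Sum256(b); return h[:] },
	"sha384": func(b []byte) []byte { h := sha512.Sum384(b); return h[:] },
}

// MatchingPolicies returns every policy whose Pattern matches source. A source
// matched by no policy is an error, so unlisted sources are never accepted.
func MatchingPolicies(policies []VerificationPolicy, source string) ([]VerificationPolicy, error) {
	var matched []VerificationPolicy
	for _, p := range policies {
		re, err := regexp.Compile(p.Pattern)
		if err != nil {
			return nil, fmt.Errorf("policy %q: bad pattern: %w", p.Name, err)
		}
		if re.MatchString(source) {
			matched = append(matched, p)
		}
	}
	if len(matched) == 0 {
		return nil, fmt.Errorf("no VerificationPolicy matches source %q", source)
	}
	return matched, nil
}

// verifiesUnderAny reports whether sig is a valid signature over resource under
// at least one key. A key with an unknown HashAlgo is skipped, which can only
// make verification fail, never succeed (fail closed).
func verifiesUnderAny(keys []PublicKey, resource, sig []byte) bool {
	for _, k := range keys {
		if hash, ok := digests[k.HashAlgo]; ok && ecdsa.VerifyASN1(k.Key, hash(resource), sig) {
			return true
		}
	}
	return false
}

// VerifyResource accepts resource only if every policy matching source holds at
// least one key that verifies sig: any key within a policy, all policies across
// them, so adding a narrow policy can never loosen a broad one.
func VerifyResource(policies []VerificationPolicy, source string, resource, sig []byte) error {
	matched, err := MatchingPolicies(policies, source)
	if err != nil {
		return err
	}
	for _, p := range matched {
		if !verifiesUnderAny(p.Keys, resource, sig) {
			return fmt.Errorf("resource from %q fails policy %q", source, p.Name)
		}
	}
	return nil
}

// Sign produces the fixture signature: an ASN.1 ECDSA signature over the digest
// of the resource bytes, using the algorithm the matching policy key is tagged with.
func Sign(priv *ecdsa.PrivateKey, algo string, resource []byte) ([]byte, error) {
	hash, ok := digests[algo]
	if !ok {
		return nil, fmt.Errorf("unsupported hash algorithm %q", algo)
	}
	return ecdsa.SignASN1(rand.Reader, priv, hash(resource))
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	policies := []VerificationPolicy{{Name: "catalog-sha384", Pattern: `^gcr\.io/tekton-releases/catalog/upstream/sha384/`,
		Keys: []PublicKey{{Key: &priv.PublicKey, HashAlgo: "sha384"}}}}
	task := []byte("apiVersion: tekton.dev/v1\nkind: Task\nmetadata:\n  name: git-clone\n") // constructed resource
	sig, _ := Sign(priv, "sha384", task)
	fmt.Println("catalog source:", VerifyResource(policies, "gcr.io/tekton-releases/catalog/upstream/sha384/git-clone", task, sig))
	fmt.Println("unlisted source:", VerifyResource(policies, "docker.io/someone/task", task, sig))
}
```

The all-matching-policies rule is the deliberate choice here: with an any-policy rule, a cluster operator who adds a broad catalog-wide policy would silently widen the set of keys accepted on a path that a narrower policy meant to pin to one key. Keeping the digest algorithm on the key rather than fixing it globally is what lets a sha384 key and a sha256 key coexist in the same policy set, which is the situation the sha384 test case above exercises.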