WIP(mesh)[SEC-1079/Do-Not-Merge]: Mesh SLSA build provenance and image signatures for verification #7231
base: main
Conversation
Note: Only Kong employees can add labels due to a GitHub limitation.
- text: Verify Build Provenance for Signed Kong Mesh Images | ||
url: /features/provenance-verification-images | ||
- text: Verify Build Provenance for Signed Kong Mesh Binaries | ||
url: /features/provenance-verification-binaries |
Image provenance and binary provenance are available from 2.8.x
@lahabana I would need the following from the mesh team before I can proceed with the comments I posted to update.
@saisatishkarra to update placeholder values after the above steps are completed. This PR will then be ready for merge.
…et links Signed-off-by: saisatishkarra <saisatish.karra@konghq.com>
I think 2 main things are required:
- tabs for cosign vs slsa-verifier would be much more readable.
- Just provide things that can be copy-pasted directly; that's really what someone landing on this page would want.
--print-provenance \ | ||
--provenance-path 'kong-mesh.intoto.jsonl' \ | ||
--source-uri 'github.com/Kong/kong-mesh' \ | ||
kong-mesh-2.7.4-*-*.tar.gz |
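Review bot: the artifact argument `kong-mesh-2.7.4-*-*.tar.gz` is a shell glob, so what slsa-verifier receives depends on the files in the working directory: several matching tarballs are passed as separate artifact arguments, and a glob that matches nothing is passed literally and fails as a missing file rather than as a failed verification. Say which tarball(s) readers are expected to have downloaded next to `kong-mesh.intoto.jsonl`, or use the concrete filename for the platform they downloaded.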
kong-mesh-2.7.4-*-*.tar.gz | |
kong-mesh-{{ page.latest_version }}-*-*.tar.gz |
I am using `{{page.kong_latest.version}}` everywhere instead of `{{ page.latest_version }}`, which doesn't seem to work. Not sure why though.
PASSED: Verified SLSA provenance | ||
``` | ||
|
||
### Complete example |
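Review bot: `PASSED: Verified SLSA provenance` is the only success indicator shown; for readers who script this step, add that a failed verification exits non-zero, so the exit status rather than the log text should drive any automation.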
I don't understand the actual diff between the minimal and the complete example. It just seems to have the tag, in which case why not just make it simple and have the complete example directly?
The minimal example is the bare minimum required parameters to verify a provenance.
The complete example uses the additional options to establish more trust, e.g. the tag from which it was generated, etc.
I can remove the "minimal" example and have the "complete" as the only option to verify.
done
|
||
1. Ensure `slsa-verifier` is installed. | ||
|
||
2. [Download security assets](https://cloudsmith.io/~kong/repos/kong-mesh-binaries-release/packages/?q=name%3Asecurity-assets*+version%3A{{page.kong_latest.version}}) for the required version of {{site.mesh_product_name}} binaries |
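Review bot: step 2 links to a Cloudsmith search rather than to the archive itself, and does not say what the archive must contain; name `kong-mesh.intoto.jsonl` here as the file later passed to `--provenance-path`, so a release whose security assets lack it (as the thread found for 2.7.4) is noticed before the verifier is run.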
Why link to cloudsmith and not directly to the thing to download: https://packages.konghq.com/public/kong-mesh-binaries-release/raw/names/security-assets/versions/2.7.4/security-assets.tar.gz ?
Seems like the in-toto is not included but that's fine.
I don't see the in-toto in the security-assets, is this normal?
No, the release tags should have the `intoto.jsonl` within the security-assets.
Let me look into this!!
@lahabana The tag 2.7.4 was using the slsa provenance generator v1.10.0 instead of v2.0.0. An improvement / breaking change was to use v4 to allow downloading the artifacts during the workflow run for later jobs instead of waiting until the end of the workflow run.
The step `download-artifact@v4` used in the distributions to upload to cloudsmith failed to find / filter (check screenshot for workflow warnings on the GH Summary page) `kong-mesh.intoto.jsonl` from workflow assets, since it was uploaded using an older API of `actions/upload-artifacts` with the issue mentioned above.
The file should be published to cloudsmith automatically in release-2.8 as it uses the version to make artifacts available to be accessible later in the workflow. NO change is needed.
@lahabana LMK if a backport of this might be needed for 2.7.x or if it will later be ported automatically on the next minor version bump. Hence I am moving the doc content for Image Provenance and Binary Provenance to be available from: '>=2.8.0'
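What slsa-verifier checks once `kong-mesh.intoto.jsonl` is actually present in the security assets, as an added example that is not code from this PR or from slsa-verifier: a Python script that decodes the DSSE envelope and compares the tarball's sha256 with the statement's subject, the `--source-uri` with the recorded repository (an exact comparison, which is why the case-sensitivity note about `Kong/kong-mesh` vs `kong/kong-mesh` matters), and the tag the build ran from (the extra trust the "complete" example adds). The envelope, tarball bytes and artifact name are constructed, the signature inside is fake, and the script deliberately does not verify signatures or Sigstore certificates; that is the part only slsa-verifier or cosign can establish, so this is a content pre-check, not a substitute. Both predicate layouts emitted by slsa-github-generator releases (v0.2 and v1.0) are handled.

```python
"""Offline inspection of a SLSA provenance file such as kong-mesh.intoto.jsonl.

Added example, not code from the docs PR or from slsa-verifier. It checks the
artifact digest, the source repository (exact, case-sensitive) and the tag, and
does NOT verify the DSSE signature: authenticity is slsa-verifier's / cosign's job.
"""
import base64
import hashlib
import json

SLSA_V02 = "https://slsa.dev/provenance/v0.2"
SLSA_V1 = "https://slsa.dev/provenance/v1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"


def load_statements(jsonl_text):
    """Each non-empty line of an .intoto.jsonl file is a DSSE envelope; return the decoded statements."""
    statements = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        envelope = json.loads(line)
        if envelope.get("payloadType") != PAYLOAD_TYPE:
            raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
        statements.append(json.loads(base64.b64decode(envelope["payload"])))
    return statements


def source_of(statement):
    """Return (repository URL, git ref) from a v0.2 or v1.0 predicate."""
    predicate = statement.get("predicate", {})
    kind = statement.get("predicateType")
    if kind == SLSA_V02:
        # v0.2: invocation.configSource.uri looks like git+https://github.com/Kong/kong-mesh@refs/tags/2.8.0
        uri = predicate.get("invocation", {}).get("configSource", {}).get("uri", "")
        repo, _, ref = uri.partition("@")
        return (repo[4:] if repo.startswith("git+") else repo), ref
    if kind == SLSA_V1:
        # v1.0: buildDefinition.externalParameters.workflow carries repository and ref separately
        workflow = predicate.get("buildDefinition", {}).get("externalParameters", {}).get("workflow", {})
        return workflow.get("repository", ""), workflow.get("ref", "")
    raise ValueError(f"unsupported predicateType {kind!r}")


def check_provenance(jsonl_text, artifact_bytes, artifact_name, source_uri, source_tag=None):
    """Return per-check results; `source_uri` is in the page's form, e.g. 'github.com/Kong/kong-mesh'."""
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    for statement in load_statements(jsonl_text):
        subjects = {s["name"]: s["digest"]["sha256"] for s in statement.get("subject", [])}
        if artifact_name not in subjects:
            continue
        repo, ref = source_of(statement)
        result = {
            "subject_digest_matches": subjects[artifact_name] == digest,
            "source_uri_matches": repo == "https://" + source_uri,  # exact, case-sensitive
            "tag_matches": source_tag is None or ref == "refs/tags/" + source_tag,
        }
        result["ok"] = all(result.values())
        return result
    return {"ok": False, "reason": f"{artifact_name} is not a subject of any statement"}


def constructed_sample():
    """Constructed artifact plus a v1.0-layout envelope naming it; not a real Kong Mesh release."""
    artifact = b"constructed tarball bytes, not a real release"
    name = "kong-mesh-2.8.0-ubuntu-amd64.tar.gz"  # constructed name in the release pattern
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": name, "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": SLSA_V1,
        "predicate": {"buildDefinition": {"externalParameters": {"workflow": {
            "repository": "https://github.com/Kong/kong-mesh", "ref": "refs/tags/2.8.0"}}}},
    }
    envelope = {"payloadType": PAYLOAD_TYPE,
                "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
                "signatures": [{"keyid": "", "sig": "Y29uc3RydWN0ZWQ="}]}  # fake signature
    return json.dumps(envelope) + "\n", artifact, name


if __name__ == "__main__":
    jsonl, artifact, name = constructed_sample()
    print(check_provenance(jsonl, artifact, name, "github.com/Kong/kong-mesh", "2.8.0"))
    # Lower-case owner: the repository comparison fails, as the docs note warns.
    print(check_provenance(jsonl, artifact, name, "github.com/kong/kong-mesh", "2.8.0"))
```

Run it against a downloaded tarball and the `kong-mesh.intoto.jsonl` from the security assets to see which of the three checks a later `slsa-verifier` failure is about; slsa-verifier itself still has to run, because only it confirms that the envelope was signed by the expected builder.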
| `<repo>` | GitHub repository | `kong-mesh` | | ||
| `<workflow name>` | GitHub workflow name | `build-test-distribute` | | ||
| `<workflow trigger>` | Github workflow trigger name | `push` | | ||
| `<version>` | Artifact version to download | `2.7.4` | |
Use page.version
|
||
### Prerequisites | ||
|
||
For both examples, you need to: |
Would it be simpler to use tabs? 1 for cosign, 1 for slsa-verifier. I think it'd be just less confusing for users.
|
||
```sh | ||
cosign verify-attestation \ | ||
<image>:<tag>@sha256:<manifest_digest> \ |
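Review bot: the reference form `<image>:<tag>@sha256:<manifest_digest>` is the right one, but the text should say that the digest is what gets verified and the tag is only informational, and show how to obtain the digest (the thread mentions `docker inspect <image>:<tag> -f '{{ .RepoDigests }}'` and `regctl`); a tag on its own does not pin the manifest the attestation covers.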
You need to explain to folks how to get the sha from a tag I think (`docker inspect kong/kuma-cp:2.7.4 -f '{{ .RepoDigests }}'`).
Refer #7231 (comment). LMK if this is enough
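The digest lookup the comment above asks the page to explain, as an added example that is not part of the PR or of the Kong docs: a Python helper that turns `docker inspect ... -f '{{ .RepoDigests }}'` output into the `<image>:<tag>@sha256:<manifest_digest>` argument and composes the slsa-verifier and cosign invocations for it. The RepoDigests string is constructed, and the `--certificate-identity-regexp` value is an assumed placeholder that would have to match the signing workflow; the flags themselves are standard cosign 2.x (`--type`, `--certificate-oidc-issuer`, `--certificate-identity-regexp`) and slsa-verifier (`--source-uri`, `--source-tag`, `--print-provenance`) options.

```python
"""Build the digest-pinned reference `<image>:<tag>@sha256:<manifest_digest>` that
cosign verify-attestation and slsa-verifier verify-image take, starting from the
`docker inspect -f '{{ .RepoDigests }}'` output suggested in the review.

Added example, not code from the docs PR. SAMPLE_REPO_DIGESTS is a constructed
string in the shape docker prints (a Go slice: '[repo@sha256:... ...]'), and the
certificate identity regexp handed to cosign is an assumed placeholder.
"""
import re
import shlex

# OCI digest: algorithm prefix plus 64 lowercase hex characters for sha256.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed sample of `docker inspect kong/kuma-cp:2.8.0 -f '{{ .RepoDigests }}'` output.
SAMPLE_REPO_DIGESTS = "[kong/kuma-cp@sha256:" + "0123456789abcdef" * 4 + "]"


def parse_repo_digests(text):
    """Parse '[repo@sha256:... repo2@sha256:...]' into {repo: digest}."""
    inner = text.strip()
    if inner.startswith("[") and inner.endswith("]"):
        inner = inner[1:-1]
    digests = {}
    for entry in inner.split():
        repo, sep, digest = entry.partition("@")
        if not sep or not DIGEST_RE.match(digest):
            raise ValueError(f"not a repo@sha256 entry: {entry!r}")
        digests[repo] = digest
    return digests


def manifest_digest_for(repo_digests, image):
    """Return the digest recorded for `image`, tolerating a registry prefix such as docker.io/."""
    for repo, digest in repo_digests.items():
        if repo == image or repo.endswith("/" + image):
            return digest
    # An image that was built locally or never pulled has no RepoDigests entry.
    raise LookupError(f"no RepoDigests entry for {image}; pull it from the registry first")


def pinned_reference(image, tag, digest):
    """Compose '<image>:<tag>@sha256:<digest>'; the tag is informational, the digest is what is verified."""
    if not DIGEST_RE.match(digest):
        raise ValueError("digest must be 'sha256:' followed by 64 hex characters")
    return f"{image}:{tag}@{digest}"


def slsa_verifier_argv(ref, source_uri, source_tag):
    """argv for the 'complete' slsa-verifier form from the review: source URI plus the tag it was built from."""
    return ["slsa-verifier", "verify-image", ref,
            "--source-uri", source_uri,
            "--source-tag", source_tag,
            "--print-provenance"]


def cosign_argv(ref, certificate_identity_regexp):
    """argv for cosign verify-attestation against the GitHub Actions OIDC issuer (keyless flow)."""
    return ["cosign", "verify-attestation", ref,
            "--type", "slsaprovenance",
            "--certificate-oidc-issuer", "https://token.actions.githubusercontent.com",
            "--certificate-identity-regexp", certificate_identity_regexp]


if __name__ == "__main__":
    digest = manifest_digest_for(parse_repo_digests(SAMPLE_REPO_DIGESTS), "kong/kuma-cp")
    ref = pinned_reference("kong/kuma-cp", "2.8.0", digest)
    print(shlex.join(slsa_verifier_argv(ref, "github.com/Kong/kong-mesh", "2.8.0")))
    # Assumed identity regexp: replace with the identity of the workflow that actually signs the images.
    print(shlex.join(cosign_argv(ref, r"^https://github.com/Kong/kong-mesh/")))
```

The two printed command lines are what a reader would paste, with the digest already pinned; `pinned_reference` refuses a bare hex digest so a placeholder filled in without its `sha256:` prefix is caught before either tool runs.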
{:.important .no-icon} | ||
> Github owner is case-sensitive (`Kong/kong-mesh` vs `kong/kong-mesh`). | ||
|
||
### Minimal example |
Same here, I don't see the point of complete vs minimal. Let's just go complete always; it's simpler for users.
Also I would just give something users can copy/paste, so no need to have a templated example first and then the full example.
Co-authored-by: Charly Molter <charly.molter@konghq.com>
--print-provenance \ | ||
--provenance-path 'kong-mesh.intoto.jsonl' \ | ||
--source-uri 'github.com/Kong/kong-mesh' \ | ||
kong-mesh-2.7.4-*-*.tar.gz |
I am using `{{page.kong_latest.version}}` everywhere instead of `{{ page.latest_version }}`, which doesn't seem to work. Not sure why though.
PASSED: Verified SLSA provenance | ||
``` | ||
|
||
### Complete example |
The minimal example is the bare minimum required parameters to verify a provenance.
The complete example uses the additional options to establish more trust, e.g. the tag from which it was generated, etc.
I can remove the "minimal" example and have the "complete" as the only option to verify.
|
||
3. Collect the necessary image details. | ||
|
||
4. Parse the `<manifest_digest>` for the image using `regctl`. |
@lahabana This explains how to parse the <manifest_digest> https://github.com/Kong/docs.konghq.com/pull/7231/files#diff-d7e8fed39f1d31af5236253c55c02e9d8e51b24aaa7a1b3741f1b1c0be215c02R41
@lahabana Due to the below issues related to provenance in 2.7.x, I am updating the target versions for the controls in the docs to the below:
LMK if you plan otherwise.
@@ -158,6 +163,8 @@ inherit: | |||
url: /features/access-audit | |||
- text: MeshGlobalRateLimit (beta) | |||
url: /features/meshglobalratelimit | |||
- text: Verify Signatures for Signed Kong Mesh Images | |||
url: /features/signed-images |
Removed build and image provenance from 2.7.x
@@ -0,0 +1,68 @@ | |||
--- | |||
title: Verify Build Provenance for Kong Mesh Binaries |
Waiting to test until 2.8.0 is released and docs versions are updated
@@ -0,0 +1,81 @@ | |||
--- | |||
title: Verify Build Provenance for Signed Kong Mesh Images |
Waiting to test until 2.8.0 is released and docs versions are updated
|
||
```sh | ||
cosign verify-attestation \ | ||
'kong/kuma-cp:2.8.0@<TODO_IMAGE_DIGEST>' \ |
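Review bot: the placeholder `<TODO_IMAGE_DIGEST>` sits directly after `@`, whereas the template form elsewhere on the page is `@sha256:<manifest_digest>`; when the 2.8.0 digest is filled in, include the `sha256:` prefix, otherwise the result is not a valid digest-pinned reference and the tag part is all that remains.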
wait for release and replace with 2.8.0 digest
|
||
```sh | ||
slsa-verifier verify-image \ | ||
'kong/kuma-cp:2.8.0@<TODO_IMAGE_DIGEST>' \ |
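Review bot: this slsa-verifier example carries the same `<TODO_IMAGE_DIGEST>` placeholder as the cosign example; fill both from the same manifest digest so the two commands verify the same image, and keep the `sha256:` prefix, since slsa-verifier identifies the image by its digest rather than by the tag.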
wait and replace with 2.8.0 digest
Description
>=2.7.4
>=2.8.0
<target_version>
to verify provenance (NOT generated on preview tags / push to release branches).
Customer-facing docs
Summary
PR is focussed to allow customers to take full advantage of the recent SLSA related changes to the Kong Mesh build that implement:
Sources
JIRA:
https://konghq.atlassian.net/browse/SEC-1018
https://konghq.atlassian.net/browse/SEC-1016
PRs:
Testing instructions
Preview link:
Checklist
For example, if this change is for an upcoming 3.6 release, enclose your content in `{% if_version gte:3.6.x %} <content> {% endif_version %}` tags (or `if_plugin_version` tags for plugins). Use any of the following keys:
- `gte:<version>` - greater than or equal to a specific version
- `lte:<version>` - less than or equal to a specific version
- `eq:<version>` - exactly equal to a specific version
You can do the same for older versions.