WIP(mesh)[SEC-1079/Do-Not-Merge]: Mesh SLSA build provenance and image signatures for verification

[saisatishkarra]

Description

• JIRA: https://konghq.atlassian.net/browse/SEC-1079
• Target version:
  • Image Signing and SBOM: >=2.7.4
  • Image Provenance and Binary Provenance: >=2.8.0
• Draft /WIP: Pending official Kong Mesh release tag for specified <target_version> to verify provenance (NOT generated on preview tags / push to release branches).
• Docs Type: Customer-facing docs

Summary

PR is focussed to allow customers to take full advantage of the recent SLSA related changes to the Kong Mesh build that implement:

• cosign-based image signing (Image Signatures)
• slsa-container generator based image provenance verification (Image build provenance)
• slsa-generic generator based binary artifacts verification (Binary build provenance)

Sources

JIRA:

https://konghq.atlassian.net/browse/SEC-1018
https://konghq.atlassian.net/browse/SEC-1016

PRs:

• Image Provenance for Kong Mesh - https://github.com/Kong/kong-mesh/pull/5623
• Binary Provenance for Kong Mesh - https://github.com/Kong/kong-mesh/pull/5582
• SCA / SBOM - https://github.com/Kong/kong-mesh/pull/5525
• Image Signing - https://github.com/Kong/kong-mesh/pull/5547

Testing instructions

Preview link:

Checklist

• Review label added
• Conditional version tags added, if applicable.

For example, if this change is for an upcoming 3.6 release, enclose your content in {% if_version gte:3.6.x %} <content> {% endif_version %} tags (or if_plugin_version tags for plugins).

Use any of the following keys:

• gte:<version> - greater than or equal to a specific version
• lte:<version> - less than or equal to a specific version
• eq:<version> - exactly equal to a specific version

You can do the same for older versions.

[github-actions]

⚠️ Please add at least one of the following review labels to this PR:

• review:copyedit: Request for writer review.
• review:general: Review for general accuracy and presentation.
  Does the doc work? Does it output correctly?
• review:tech: Request for technical review for a docs platform change.
• review:sme: Request for review from an SME (engineer, PM, etc.).

Note: Only Kong employees can add labels due to a GitHub limitation.
If you're an OSS contributor, thank you! The maintainers will label this PR for you.

[netlify]

✅ Deploy Preview for kongdocs ready!

Name	Link
🔨 Latest commit	8881add
🔍 Latest deploy log	https://app.netlify.com/sites/kongdocs/deploys/6675b51309af390008fc1496
😎 Deploy Preview	https://deploy-preview-7231--kongdocs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
Lighthouse	9 paths audited Performance: 93 (no change from production) Accessibility: 93 (no change from production) Best Practices: 98 (🟢 up 8 from production) SEO: 91 (🟢 up 1 from production) PWA: - View the detailed breakdown and full score reports

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[saisatishkarra]

Image provenance and binary provenance are available from 2.8.x

[saisatishkarra]

@lahabana I would the need the following from mesh team before i can proceed with comments i posted to update <placeholder> values:

1. Backport PR to release-2.7 branch. Refer for Context
2. Blocked until official Kong Mesh release tag for specified <target_version> to populate assets in cloudsmith and dockerhub kong/notary
3. @lahabana @vsofronievk Review this PR for any feedback: https://deploy-preview-7231--kongdocs.netlify.app/

@saisatishkarra to update placeholder values after the above steps are completed. This PR will then be ready for merge.

[saisatishkarra]

@lahabana This PR is ready for review and needs only one clarification on this comment

[lahabana]

I think 2 mains things are required:

• tabs for cosign vs slsa-verifier would be much more readable.
• Just provide things that can be copy pasted directly that's really what someone landing on this page would want.

[lahabana]

Suggested change

	kong-mesh-2.7.4-*-*.tar.gz
	kong-mesh-{{ page.latest_version }}-*-*.tar.gz

[saisatishkarra]

I am using the {{page.kong_latest.version}} everywhere instead {{ page.latest_version }} which doesn't seem to work. Not sure why though.

[lahabana]

I don't understand the actual diff for the minimal and the complete example. It just seems to have the tag in which case why just make it simple and have the complete example directly?

[saisatishkarra]

the minimalexample is the bare minimum required parameters to verify a provenance

the complete example uses is the additional options to establish more trust ex: tag from which it was generated etc.

I can remove the "minimal" example and have the "complete" as the only option to verify

[saisatishkarra]

done

[lahabana]

Why link to cloudsmith and not directly to the thing to download: https://packages.konghq.com/public/kong-mesh-binaries-release/raw/names/security-assets/versions/2.7.4/security-assets.tar.gz ?

[lahabana]

Seems like the in-toto is not included but that's fine.

[lahabana]

I don't see the in-toto in the security-assets is this normal?

[saisatishkarra]

No, the release tags should have the intoto.jsonl within the security-assets

[saisatishkarra]

Let me look into this!!

[saisatishkarra]

@lahabana The tag 2.7.4 was using the slsa provenance generator v1.10.0 instead of v2.0.0.

An improvement / breaking change to use v4 to allow downloading the artifacts during the workflow run for later jobs instead of waiting until the end of workflow run.

The step download-artifact@v4 used in the distributions to upload to cloudsmith failed to find / filter (check sreenshot for workflow warnings on GH Summary page) kong-mesh.intoto.jsonl from workflow assets since it was uploaded using an older API of actions/upload-artifacts with the issue mentioned above

The file should be published to cloudmsmith automatically in release-2.8 as it uses the version to make artifacts available to be accessible later in the workflow. NO change is needed.

[saisatishkarra]

@lahabana LMK if a backport of this might is needed for 2.7.x or will later be ported automatically on the next minor version bump. Hence I am moving the doc content for for Image Provenance and Binary Provenance to be available from: '>=2.8.0'

[lahabana]

Use page.version

[lahabana]

Would it be simpler to use tabs. 1 for cosign, 1 for slsa-verifier I think it'd be just less confusing for users.

[lahabana]

You need to explain to folks how to get the sha from a tag I think (docker inspect kong/kuma-cp:2.7.4 -f '{{ .RepoDigests }}')

[saisatishkarra]

Refer #7231 (comment). LMK if this is enough

[lahabana]

Same here I don't see the point of complete vs minimal. Let's just go complete always it's simpler for users.
Also I would just give something users can copy/paste so no need to have a templated example first and then the full example

[saisatishkarra]

I am using the {{page.kong_latest.version}} everywhere instead {{ page.latest_version }} which doesn't seem to work. Not sure why though.

[saisatishkarra]

the minimalexample is the bare minimum required parameters to verify a provenance

the complete example uses is the additional options to establish more trust ex: tag from which it was generated etc.

I can remove the "minimal" example and have the "complete" as the only option to verify

[saisatishkarra]

@lahabana This explains how to parse the <manifest_digest> https://github.com/Kong/docs.konghq.com/pull/7231/files#diff-d7e8fed39f1d31af5236253c55c02e9d8e51b24aaa7a1b3741f1b1c0be215c02R41

[saisatishkarra]

@lahabana Due to the below issues related to provenance in 2.7.x.

• missing provenance file intoto.jsonl for binary artifacts - (Pending fix)
• improper notary repository for image provenance = PRThe fixes for the above only targetrelease-2.8` branch and master since 2.7.4 is already generated.

i am updating the target versions for the controls in the docs to below:

• Image Signing and SBOM: >=2.7.4
• Image Provenance and Binary Provenance: '>=2.8.0'

LMK if you plan on otherwise.

[saisatishkarra]

Removed build and image provenance from 2.7.x

[saisatishkarra]

Waiting to test until 2.8.0 is released and docs versions are updated

[saisatishkarra]

Waiting to test until 2.8.0 is released and docs versions are updated

[saisatishkarra]

wait for release and replace with 2.8.0 digest

[saisatishkarra]

wait and replace with 2.8.0 digest