[RFC-0003] Implement OCIRepository verification using Cosign

[developer-guy]

This PR implements cosign verification as specified in RFC-0003 Flux OCI support for Kubernetes manifests.

Usage example

Verify with Cosign public keys stored in a Kubernetes secret:

apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: podinfo-deploy-signed-with-key
spec:
  interval: 5m
  url: oci://ghcr.io/stefanprodan/podinfo-deploy
  ref:
    semver: "6.2.x"
  verify:
    provider: cosign
    secretRef:
      name: cosign-key

Verify with Cosign keyless using Rekor public instance:

apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: podinfo-deploy-signed-with-keyless
spec:
  interval: 5m
  url: oci://ghcr.io/stefanprodan/manifests/podinfo
  ref:
    semver: "6.2.x"
  verify:
    provider: cosign

Fixes #863

Authors:

• Furkan Turkal furkan.turkal@trendyol.com
• Batuhan Apaydın batuhan.apaydin@trendyol.com
• Stefan Prodan

[developer-guy]

We haven't tested it yet, but we'll ASAP. We'll remove the WIP label right after it.

[stefanprodan]

Wow cosign comes with 900+ dependencies? 😱

[hiddeco]

Seems to (partly) be due to go mod not being run with -compat:

$ git diff --stat
 go.mod | 12 ------------
 go.sum | 59 -----------------------------------------------------------
 2 files changed, 71 deletions(-)

[stefanprodan]

@developer-guy please run make generate manifests api-docs tidy vet before a commit.

[darkowlzz]

If I configure verification but don't provide a secret ref:

spec:
  interval: 1m0s
  provider: generic
  ref:
    tag: "1"
  timeout: 60s
  url: oci://example.com/local-dev/hello-world
  verify:
    provider: cosign

This happens

failed to verify the signature using provider 'cosign': unable to get Fulcio root certs: initializing tuf: creating cached local store: mkdir /.sigstore: read-only file system

I don't think it's clear what's wrong reading the error.
It's set in the SourceVerified condition and also sent as notification to NC.

[developer-guy]

If I configure verification but don't provide a secret ref:

spec:
  interval: 1m0s
  provider: generic
  ref:
    tag: "1"
  timeout: 60s
  url: oci://example.com/local-dev/hello-world
  verify:
    provider: cosign

This happens

failed to verify the signature using provider 'cosign': unable to get Fulcio root certs: initializing tuf: creating cached local store: mkdir /.sigstore: read-only file system

I don't think it's clear what's wrong reading the error. It's set in the SourceVerified condition and also sent as notification to NC.

This one is related to the deployment of your source-controller, you need to set the following environment variable to the source-controller deployment as we did in the PR:

env:
 - name: TUF_ROOT # store the Fulcio root CA file in tmp
   value: "/tmp/.sigstore"

[darkowlzz]

This one is related to the deployment of your source-controller, you need to set the following environment variable to the source-controller deployment

@developer-guy that's keyless verification. The issue is with the error not being clear about what happened. There's a log line that tells that keyless verification is attempted:

{"level":"info","ts":"2022-09-21T17:52:59.649Z","msg":"no secret reference is provided, trying to verify the image using keyless approach","controller":"ocirepository","controllerGroup":"source.toolkit.fluxcd.io","controllerKind":"OCIRepository","oCIRepository":{"name":"hello-world","namespace":"default"},"namespace":"default","name":"hello-world","reconcileID":"92f0cc39-caa9-4876-a1ed-1b68016fee54"}

but it's not clear from the notification, event and status condition messages. It'd be good to amend the error with more context.

[stefanprodan]

It'd be good to amend the error with more context.

Agreed, I've added the keyless method to the verification error along with a test for it.

[darkowlzz]

LGTM!