Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

implement Cosign verification for HelmCharts #925

Merged
merged 6 commits into from
Oct 21, 2022
Merged

implement Cosign verification for HelmCharts #925

merged 6 commits into from
Oct 21, 2022

Conversation

souleb
Copy link
Member

@souleb souleb commented Oct 3, 2022
edited
Loading

fixes #914

If implemented, users will be able to enable chart verification for OCI based helm charts.

The remote builder will not attempt to download the chart if an artifact exist with the same name and version and the force option is false. It will try to verify the chart if:

  • we are on the first reconciliation
  • the HelmtChartSpec has changed (generation drift)
  • the previous reconciliation resulted in a failed artifact verification
  • there is no artifact in storage

The helmChart metadata does not contain the digest so we cannot rely on it to detect drift on the remote.

⚠️ We do not enable verification for umbrella charts stored in Git with dependencies resolved from OCI registries, as we assume that each dependency need its own key.

Tests

  • aws + ecr with credentials and autologin
  • gcp + artifact registry with autologin and keyless

Signed-off-by: Soule BA soule@weave.works

@souleb souleb marked this pull request as draft October 3, 2022 12:45
@souleb souleb added area/helm Helm related issues and pull requests area/oci OCI related issues and pull requests labels Oct 4, 2022
stefanprodan
stefanprodan reviewed Oct 6, 2022
View reviewed changes
Copy link
Member

@stefanprodan stefanprodan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please add a cosign keyless e2e test for https://github.com/stefanprodan/podinfo/pkgs/container/charts%2Fpodinfo

@souleb souleb marked this pull request as ready for review October 12, 2022 13:53
stefanprodan
stefanprodan reviewed Oct 17, 2022
View reviewed changes
Copy link
Member

@stefanprodan stefanprodan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please add the verify field to the HelmChart API spec doc.

@souleb
Copy link
Member Author

souleb commented Oct 17, 2022

In the OCIRepository controller there is a loop to collect keys from a secret and perform verification using that list. The thing is that we break from the list as soon as a signature verification is successful with a key from the list. Is that the intended behavior, or shall we successful verify with all keys?

@stefanprodan
Copy link
Member

Is that the intended behavior, or shall we successful verify with all keys?

We shouldn't verify all keys, if one is a match than it's all good IMO. This way we allow people to do key rotation, old artifacts will still be valid if the old key is in the secret. The same we do for SOPS and decryption keys.

makkes
makkes reviewed Oct 18, 2022
View reviewed changes
controllers/helmchart_controller.go Show resolved Hide resolved
internal/helm/registry/auth.go Show resolved Hide resolved
internal/helm/registry/auth.go Outdated Show resolved Hide resolved
internal/helm/repository/chart_repository.go Outdated Show resolved Hide resolved
internal/helm/chart/builder_remote.go Show resolved Hide resolved
controllers/helmchart_controller.go Outdated Show resolved Hide resolved
internal/oci/verifier.go Outdated Show resolved Hide resolved
stefanprodan
stefanprodan reviewed Oct 18, 2022
View reviewed changes
Copy link
Member

@stefanprodan stefanprodan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We're missing summarize.WithBiPolarityConditionTypes(sourcev1.SourceVerifiedCondition) from the helmchart_controller.

@souleb souleb mentioned this pull request Oct 19, 2022
Merged
darkowlzz
darkowlzz reviewed Oct 19, 2022
View reviewed changes
api/v1beta2/helmchart_types.go Outdated Show resolved Hide resolved
internal/helm/registry/auth.go Outdated Show resolved Hide resolved
internal/helm/repository/chart_repository.go Show resolved Hide resolved
internal/helm/repository/chart_repository.go Outdated Show resolved Hide resolved
docs/spec/v1beta2/ocirepositories.md Outdated Show resolved Hide resolved
docs/spec/v1beta2/helmcharts.md Outdated Show resolved Hide resolved
controllers/helmchart_controller.go Outdated Show resolved Hide resolved
@souleb
Copy link
Member Author

souleb commented Oct 19, 2022

We shouldn't verify all keys, if one is a match than it's all good IMO. This way we allow people to do key rotation, old > artifacts will still be valid if the old key is in the secret. The same we do for SOPS and decryption keys.

I have change the code and documentation to take this into account.

@stefanprodan stefanprodan mentioned this pull request Oct 20, 2022
Closed
15 tasks
@souleb
Copy link
Member Author

souleb commented Oct 20, 2022
edited
Loading

We discussed this with @darkowlzz and we think that we could persist a given chart digest after successfully building in the Status of the resource. We could then pass it to the chartBuilder in future reconciliation in order to enable skipping verification.

Thoughts @stefanprodan @hiddeco @makkes

Edit: The other option is to have Helm surface a digest field in the chart metadata as it does with the version. We would store it as part of the generated artifact.

@stefanprodan
Copy link
Member

stefanprodan commented Oct 20, 2022
edited
Loading

In OCIRepository we persist the digest in the revision field in the format <tag>/<digest>, we could do the same for HelmCharts.

@hiddeco
Copy link
Member

hiddeco commented Oct 20, 2022

Can someone remind me why we continue to prefer <tag>/<digest> over <tag>@<digest>? Which is the more common format used to tie a named reference to a specific unique reference/digest, including while working with the OCI spec itself.

@stefanprodan
Copy link
Member

stefanprodan commented Oct 20, 2022
edited
Loading

Can someone remind me why we continue to prefer / over @?

To be consistent with how we report the revision to consumers. The current format is <label>/<sha-hex> without having the SHA type encoded. Please create an RFC if you wish to change this in across Flux, also NC that relies on this format. If we do change it, then I propose we add the SHA type as well, so for Git it would be <branch|tag>@sha1:<commit-sha> and for OCI would be <tag>@sha256:<digest-hex>.

@hiddeco
Copy link
Member

hiddeco commented Oct 20, 2022

If we do change it, then I propose we add the SHA type as well

This has overlap with the already proposed #855.

@hiddeco hiddeco added this to the GA milestone Oct 20, 2022
@hiddeco hiddeco mentioned this pull request Oct 20, 2022
Merged
@souleb
Refactor to use authn for authentication as OCIrepository does
bb83270 
If implemented the oras registry loginOption will only be used internaly
with the specific ChartRepo struct.

This will permit reusing more easily feature developped with
googlecontainerregistry authn.

Signed-off-by: Soule BA <soule@weave.works>
@souleb
Remove test case on aws
55dd799 
This remove test case for contextual login on
oci://123456789000.dkr.ecr.us-east-2.amazonaws.com.

This is not longer a wrong url since fluxcd/pkg@f7c66eb
and we no longer error on nil auth.

Signed-off-by: Soule BA <soule@weave.works>
@souleb
implement Cosign verification for HelmCharts
0e97547 
If implemented, users will be able to enable chart verification for OCI
based helm charts.

Signed-off-by: Soule BA <soule@weave.works>
@souleb
adding verfication section to HelmChart api doc
5355fb3 
Signed-off-by: Soule BA <soule@weave.works>
@souleb
addressing review comments
25673ac 
Signed-off-by: Soule BA <soule@weave.works>
@souleb souleb force-pushed the cosign-verify-helm branch 2 times, most recently from 46466de to a794e28 Compare October 21, 2022 08:24
darkowlzz
darkowlzz reviewed Oct 21, 2022
View reviewed changes
Copy link
Contributor

@darkowlzz darkowlzz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested one last change.
Everything else looks good to me.

controllers/helmchart_controller.go Outdated Show resolved Hide resolved
@souleb
Fix verification condition
06a5559 
Delete a failed verification condition at the beginning of the source
reconciliation and set `SourceVerifiedCondition` to false approprietly.

Set the `BuildOptions.Verify` to true as long as Verify is enabled in the
API fields.

Signed-off-by: Soule BA <soule@weave.works>
darkowlzz
darkowlzz approved these changes Oct 21, 2022
View reviewed changes
Copy link
Contributor

@darkowlzz darkowlzz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

hiddeco
hiddeco approved these changes Oct 21, 2022
View reviewed changes
Copy link
Member

@hiddeco hiddeco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did not do an as thorough review as @darkowlzz, but did look at the outline and some common things I tend to nitpick on which all appear to be OK. Based on this, it looks good to me.

Thank you @souleb 🙇

stefanprodan
stefanprodan approved these changes Oct 21, 2022
View reviewed changes
Copy link
Member

@stefanprodan stefanprodan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Thanks @souleb and @darkowlzz 🏅

@souleb
Copy link
Member Author

souleb commented Oct 21, 2022
edited
Loading

Following this comment, it has bee decided to always perform verification for now.

In a follow up Pull request we will propose pulling the digest in remote.GetChartVersion() and persist it in the spec.Status in the format <tag>/<digest>. We could then use it in the remoteBuilder to decide whether to verify.

@stefanprodan stefanprodan merged commit 09cae78 into fluxcd:main Oct 21, 2022
@souleb souleb deleted the cosign-verify-helm branch October 21, 2022 14:00
@developer-guy developer-guy mentioned this pull request Nov 1, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@darkowlzz darkowlzz darkowlzz approved these changes

@stefanprodan stefanprodan stefanprodan approved these changes

@hiddeco hiddeco hiddeco approved these changes

@makkes makkes Awaiting requested review from makkes

Assignees
No one assigned
Labels
area/helm Helm related issues and pull requests area/oci OCI related issues and pull requests
Projects
Maintainers' Focus
Status: Done
Milestone
Helm GA
Development

Successfully merging this pull request may close these issues.

[Helm] Add Support for Chart verification using Cosign
5 participants
@souleb @stefanprodan @hiddeco @makkes @darkowlzz