update install instructions (prometheus-community#19)

* update install instructions Signed-off-by: Jackline Mutua <jmutua@vmware.com> * fix typo on cosigned readme Signed-off-by: Jackline Mutua <jmutua@vmware.com> * update signed example case Signed-off-by: Jackline Mutua <jmutua@vmware.com> * update chart version Signed-off-by: Jackline Mutua <jmutua@vmware.com> * update chart version Signed-off-by: Jackline Mutua <jmutua@vmware.com> * update chart version Signed-off-by: Jackline Mutua <jmutua@vmware.com>
hectorj2f · Oct 26, 2021 · 72bac9e · 72bac9e
1 parent 9317058
commit 72bac9e
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 10 deletions.
diff --git a/charts/cosigned/Chart.yaml b/charts/cosigned/Chart.yaml
@@ -6,8 +6,9 @@ sources:
   - https://github.com/sigstore/cosign
 
 type: application
+
 name: cosigned
-version: v0.0.5
+version: v0.0.6
 appVersion: v1.2.1
 
 maintainers:

diff --git a/charts/cosigned/README.md b/charts/cosigned/README.md
@@ -4,9 +4,8 @@
 * Kubernetes cluster with rights to install admission webhooks
 * Helm
 
-## Deploy `cosigned` Helm Chart
+### Deploy `cosigned` Helm Chart
 
-Generate a keypair to validate the signatures of the deployed Kubernetes resources and their images:
 
 ```shell
 export COSIGN_PASSWORD=<my_cosign_password>
@@ -18,7 +17,10 @@ The previous command generates two key files `cosign.key` and `cosign.pub`. Next
 ```shell
 kubectl create namespace cosign-system
 
-kubectl create secret generic mysecret -n cosign-system --from-file=cosign.pub=./cosign.pub --from-file=cosign.key=./cosign.key --from-literal=cosign.password=$COSING_PASSWORD
+kubectl create secret generic mysecret -n \
+cosign-system --from-file=cosign.pub=./cosign.pub \
+--from-file=cosign.key=./cosign.key \
+--from-literal=cosign.password=$COSIGN_PASSWORD
 ```
 
 Install `cosigned` using Helm and setting the value of the secret key reference to `mysecret` that you created above:
@@ -31,7 +33,9 @@ helm repo update
 helm install cosigned -n cosign-system sigstore/cosigned --devel --set webhook.secretKeyRef.name=mysecret
 ```
 
-To enable the Admission Controller to check the signed images you will need to add the following annotation in the namespaces that you are interested to watch:
+### Enabling Admission control 
+
+To enable the `cosigned admission webhook` to check for signed images, you will need to add the following annotation in each namespace that you would want the webhook triggered:
 
 Annotation: `cosigned.sigstore.dev/include: "true"`
 
@@ -48,9 +52,21 @@ spec:
   - kubernetes
 ```
 
-Then when creating, for example, a Deployment that does not have the images signed you will get the following error:
+### Testing the webhook 
+
+1. Using Unsigned Images: 
+Creating a deployment referencing images that are not signed will yield the following error and no resources will be created:
+
+    ```shell
+    kubectl apply -f my-deployment.yaml
+    Error from server (BadRequest): error when creating "my-deployment.yaml": admission webhook "cosigned.sigstore.dev" denied the request: validation failed: invalid image signature: spec.template.spec.containers[0].image
+    ```
+2. Using Signed Images: Assuming a signed `nginx` image with a tag `signed` exists on a registry, the resource will be successfully created.
+
+   ```shell
+   kubectl run pod1-signed  --image=< REGISTRY_USER >/nginx:signed -n testns
+   pod/pod1-signed created
+   ```
+
+
 
-```shell
-kubectl apply -f my-deployment.yaml
-Error from server (BadRequest): error when creating "my-deployment.yaml": admission webhook "cosigned.sigstore.dev" denied the request: validation failed: invalid image signature: spec.template.spec.containers[0].image
-```