feat: Keyless verification for kwctl {verify,pull,run} #169
Conversation
@@ -21,7 +21,7 @@ kube = { version = "0.68.0", default-features = false, features = ["client", "ru | |||
lazy_static = "1.4.0" | |||
mdcat = "0.25.1" | |||
policy-evaluator = { git = "https://github.com/kubewarden/policy-evaluator", tag = "v0.2.12" } | |||
policy-fetcher = { git = "https://github.com/kubewarden/policy-fetcher", tag = "v0.4.3" } |
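Review bot: both git dependencies in this hunk (`policy-evaluator`, `policy-fetcher`) are pinned by `tag` alone, and a tag is a mutable pointer that can be moved or deleted; that is exactly the failure mode reported further down the thread, where CI tries to pull a policy-fetcher commit that no longer exists. Add `rev = "<commit sha>"` next to each `tag` (and commit the matching Cargo.lock) so the build is reproducible and the source that gets fetched is the source that was reviewed.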
To be updated when kubewarden/policy-fetcher#55 is in.
I'm puzzled by the GHA errors: GH is trying to pull a commit of policy-fetcher that doesn't exist anymore. It seems like a cache problem, but there's no way to clean the GHA cache manually.
Rebased on top of main and fixed conflicts, ready for review. Still pointing to my fork of policy-fetcher instead of a release.
LGTM, thanks
Consumed
Bump needed dependencies, particularly the cyclic dependency between rustls, tracing and policy-fetcher wrt policy-evaluator:
```console
cargo update -p tracing --precise 0.1.31
cargo update -p rustls --precise 0.20.3
```
Now we accept:
```console
kwctl verify --verification-config-path
kwctl pull --verification-config-path
kwctl run --verification-config-path
```
Still, specific flags have precedence over `--verification-config-path`, respectively:
```console
kwctl verify -v foo -k bar=baz
kwctl pull -v foo -k bar=baz
kwctl run -v foo -k bar=baz
```
`build_verification_config_from_flags()` creates a config from flags. `verification_options()` now tries to:
1. create a config from flags.
2. If there are no flags, use `--verification-config-path`.
3. If there's no `--verification-config-path`, look at the default path.
4. If there's no config in the default path, return `Ok(None)`.
Remove `verify::read_key_file()`, and use `policy-fetcher::verify::config::read_verification_file()` instead.
Now `kwctl::verify::verify()` expects a `VerificationSettings`, instead of a key and its annotations.
Since `verification_options()` now returns an `Option` as do `sources_options()` and `sigstore_options()`, we can use it to enable verification. For verify, expect verification_options to be `Some`. For pull, run, verify if verification_options is `Some`.
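As an added illustration of the resolution order described in these commit messages (example code written for this page, not kwctl's or policy-fetcher's own): a Rust sketch of `verification_options()` that applies the four steps in order and then shows how `verify` (must be `Some`) and `pull`/`run` (verify only if `Some`) consume the result. The `Flags` field names, the `Origin` tag, the line-oriented config format read by `read_verification_file`, and `settings_for_verify` are assumptions for this example; the real `VerificationSettings` and `read_verification_file` live in policy-fetcher and parse the RFC format.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// Stand-in for policy-fetcher's `VerificationSettings` (assumed shape; the
/// real struct has more fields). `origin` records which step produced it.
#[derive(Debug, Clone, PartialEq)]
pub struct VerificationSettings {
    pub public_keys: Vec<String>,
    pub annotations: Vec<(String, String)>,
    pub origin: Origin,
}

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Origin { Flags, ConfigPath, DefaultPath }

/// The verification-related CLI flags; field names are assumed for this example.
#[derive(Default)]
pub struct Flags {
    pub verification_keys: Vec<String>,
    pub verification_annotations: Vec<(String, String)>,
    pub verification_config_path: Option<PathBuf>,
}

/// Step 1: build settings from flags alone; `None` when no key flag was given.
pub fn build_verification_config_from_flags(flags: &Flags) -> Option<VerificationSettings> {
    if flags.verification_keys.is_empty() {
        return None;
    }
    Some(VerificationSettings {
        public_keys: flags.verification_keys.clone(),
        annotations: flags.verification_annotations.clone(),
        origin: Origin::Flags,
    })
}

/// Reads a hypothetical line-oriented config (not the RFC format):
///   key: <public key or path>        annotation: <name>=<value>
/// Unknown lines and key-less files are rejected, so a typo cannot silently
/// produce a config that verifies nothing.
pub fn read_verification_file(path: &Path, origin: Origin) -> io::Result<VerificationSettings> {
    let bad = |n: usize, msg: &str| {
        io::Error::new(io::ErrorKind::InvalidData, format!("{}:{}: {}", path.display(), n, msg))
    };
    let text = fs::read_to_string(path)?;
    let mut settings = VerificationSettings { public_keys: vec![], annotations: vec![], origin };
    for (i, raw) in text.lines().enumerate() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') {
            continue;
        }
        if let Some(key) = line.strip_prefix("key:") {
            settings.public_keys.push(key.trim().to_string());
        } else if let Some(ann) = line.strip_prefix("annotation:") {
            let (name, value) = ann.trim().split_once('=').ok_or_else(|| bad(i + 1, "annotation needs name=value"))?;
            settings.annotations.push((name.to_string(), value.to_string()));
        } else {
            return Err(bad(i + 1, "unknown entry"));
        }
    }
    if settings.public_keys.is_empty() {
        return Err(bad(0, "no keys: a config that trusts nothing is an error"));
    }
    Ok(settings)
}

/// Resolution order from the commit message: flags, then the explicit
/// `--verification-config-path`, then the default path, then `Ok(None)`.
/// An explicitly named file that cannot be read is an error, never a fallback.
pub fn verification_options(flags: &Flags, default_path: &Path) -> io::Result<Option<VerificationSettings>> {
    if let Some(settings) = build_verification_config_from_flags(flags) {
        return Ok(Some(settings));
    }
    if let Some(path) = &flags.verification_config_path {
        return read_verification_file(path, Origin::ConfigPath).map(Some);
    }
    if default_path.exists() {
        return read_verification_file(default_path, Origin::DefaultPath).map(Some);
    }
    Ok(None)
}

/// `kwctl verify` must have settings; `pull` and `run` verify only when
/// `verification_options` resolved to `Some`, so they just match on the Option.
pub fn settings_for_verify(opts: Option<VerificationSettings>) -> Result<VerificationSettings, String> {
    opts.ok_or_else(|| "verify needs keys/annotations, --verification-config-path, or a default config".to_string())
}

fn main() {
    // Flags only, no files involved: resolves at step 1.
    let flags = Flags { verification_keys: vec!["cosign.pub".to_string()], ..Default::default() };
    let resolved = verification_options(&flags, Path::new("/nonexistent/default.yml")).unwrap();
    println!("{:?}", resolved.map(|s| s.origin));
}
```

The one design choice worth calling out: an explicitly passed `--verification-config-path` that cannot be read returns an error rather than falling through to the default path, otherwise a mistyped path would silently run with a different trust policy than the operator intended.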
We need to release a new policy-fetcher and consume it in this PR. We either release policy-fetcher as it is, or we get kubewarden/policy-fetcher#57 in, too.
From:
```
Error: Policy registry://ghcr.io/kubewarden/tests/pod-privileged:v0.1.9 cannot be validated: Image verification failed: missing signatures
```
To:
```
Error: Policy registry://ghcr.io/kubewarden/tests/pod-privileged:v0.1.9 cannot be validated
Image verification failed: missing signatures
```
Merging and consuming policy-fetcher from main, as we foresee that we will have several policy-fetcher releases shortly.
Description
Part of kubewarden/policy-server#142
Implement Sigstore keyless verification for `kwctl {verify,pull,run}`.
Now, accept a new `--verification-config-path` that contains the config from the Sigstore verification RFC.
Previous flags are still supported: they get translated into a VerificationSettings config, to be used with the verification.
Test
Run `make test e2e-test`.
Added e2e-tests that exercise `--verification-config-path`.
Additional Information
Depends on kubewarden/policy-fetcher#55.
Tradeoff
Potential improvement
Create verification-config:
Provide better info on missing signatures: opened kubewarden/policy-fetcher#57
Provide default verification-config: opened #170