diff --git a/pkg/apis/config/image_policies.go b/pkg/apis/config/image_policies.go
index d9c21659261..3bce8bc80fc 100644
--- a/pkg/apis/config/image_policies.go
+++ b/pkg/apis/config/image_policies.go
@@ -21,7 +21,7 @@ import (
 "fmt"
 "regexp"
- internalcip "github.com/sigstore/cosign/internal/pkg/apis/cosigned"
+ webhookcip "github.com/sigstore/cosign/pkg/cosign/kubernetes/webhook/clusterimagepolicy"
 corev1 "k8s.io/api/core/v1"
 "sigs.k8s.io/yaml"
 )
@@ -35,13 +35,13 @@ const (
 type ImagePolicyConfig struct {
 // This is the list of ImagePolicies that a admission controller uses
 // to make policy decisions.
- Policies map[string]internalcip.ClusterImagePolicy
+ Policies map[string]webhookcip.ClusterImagePolicy
 }
 // NewImagePoliciesConfigFromMap creates an ImagePolicyConfig from the supplied
 // Map
 func NewImagePoliciesConfigFromMap(data map[string]string) (*ImagePolicyConfig, error) {
- ret := &ImagePolicyConfig{Policies: make(map[string]internalcip.ClusterImagePolicy, len(data))}
+ ret := &ImagePolicyConfig{Policies: make(map[string]webhookcip.ClusterImagePolicy, len(data))}
 // Spin through the ConfigMap. Each key will point to resolved
 // ImagePatterns.
 for k, v := range data {
@@ -52,7 +52,7 @@ func NewImagePoliciesConfigFromMap(data map[string]string) (*ImagePolicyConfig,
 if v == "" {
 return nil, fmt.Errorf("configmap has an entry %q but no value", k)
 }
- clusterImagePolicy := &internalcip.ClusterImagePolicy{}
+ clusterImagePolicy := &webhookcip.ClusterImagePolicy{}
 if err := parseEntry(v, clusterImagePolicy); err != nil {
 return nil, fmt.Errorf("failed to parse the entry %q : %q : %w", k, v, err)
@@ -79,13 +79,13 @@ func parseEntry(entry string, out interface{}) error {
 // need to be matched for the given Image.
 // Returned map contains the name of the CIP as the key, and an array of
 // authorities from that Policy that must be validated against.
- func (p *ImagePolicyConfig) GetMatchingPolicies(image string) (map[string][]internalcip.Authority, error) {
+ func (p *ImagePolicyConfig) GetMatchingPolicies(image string) (map[string][]webhookcip.Authority, error) {
 if p == nil {
 return nil, errors.New("config is nil")
 }
 var lastError error
- ret := map[string][]internalcip.Authority{}
+ ret := map[string][]webhookcip.Authority{}
 // TODO(vaikas): this is very inefficient, we should have a better
 // way to go from image to Authorities, but just seeing if this is even
diff --git a/pkg/apis/config/image_policies_test.go b/pkg/apis/config/image_policies_test.go
index f14efa77abd..7ecea12521d 100644
--- a/pkg/apis/config/image_policies_test.go
+++ b/pkg/apis/config/image_policies_test.go
@@ -21,7 +21,7 @@ import (
 "strings"
 "testing"
- internalcip "github.com/sigstore/cosign/internal/pkg/apis/cosigned"
+ webhookcip "github.com/sigstore/cosign/pkg/cosign/kubernetes/webhook/clusterimagepolicy"
 . "knative.dev/pkg/configmap/testing"
 _ "knative.dev/pkg/system/testing"
 )
@@ -127,7 +127,7 @@ func TestGetAuthorities(t *testing.T) {
 }
 }
- func checkGetMatches(t *testing.T, c map[string][]internalcip.Authority, err error) {
+ func checkGetMatches(t *testing.T, c map[string][]webhookcip.Authority, err error) {
 t.Helper()
 if err != nil {
 t.Error("GetMatches Failed =", err)
diff --git a/internal/pkg/apis/cosigned/clusterimagepolicy_types.go b/pkg/cosign/kubernetes/webhook/clusterimagepolicy/clusterimagepolicy_types.go
similarity index 100%
rename from internal/pkg/apis/cosigned/clusterimagepolicy_types.go
rename to pkg/cosign/kubernetes/webhook/clusterimagepolicy/clusterimagepolicy_types.go
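Review bot: Moving clusterimagepolicy_types.go out of internal/ (the rename record at the end of this section) makes the webhook's ClusterImagePolicy, Authority and KeyRef types importable public API of the module, and the commit adds no documentation of that contract to the new package. The same JSON form is what the reconciler writes into the policies ConfigMap through marshal/NewConfigMap and what NewImagePoliciesConfigFromMap parses back, so a field rename or tag change now affects external importers and, presumably, entries already written by an older reconciler during a rolling upgrade. A package comment on the new package would make this explicit, e.g. `// Package clusterimagepolicy holds the webhook-side form of a ClusterImagePolicy; its JSON encoding is the ConfigMap contract between the reconciler and the webhook, so keep field names and tags backward compatible.` If the types are meant to stay private to this module, placing them under an internal/ directory beneath the webhook package would preserve the previous visibility.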
diff --git a/pkg/cosign/kubernetes/webhook/validator.go b/pkg/cosign/kubernetes/webhook/validator.go
index 595b1a851ea..474d81f35a2 100644
--- a/pkg/cosign/kubernetes/webhook/validator.go
+++ b/pkg/cosign/kubernetes/webhook/validator.go
@@ -25,8 +25,8 @@ import (
 "github.com/google/go-containerregistry/pkg/name"
 "github.com/google/go-containerregistry/pkg/v1/remote"
 "github.com/pkg/errors"
- internalcip "github.com/sigstore/cosign/internal/pkg/apis/cosigned"
 "github.com/sigstore/cosign/pkg/apis/config"
+ webhookcip "github.com/sigstore/cosign/pkg/cosign/kubernetes/webhook/clusterimagepolicy"
 "github.com/sigstore/cosign/pkg/oci"
 ociremote "github.com/sigstore/cosign/pkg/oci/remote"
 "github.com/sigstore/fulcio/pkg/api"
@@ -227,7 +227,7 @@ func (v *Validator) validatePodSpec(ctx context.Context, ps *corev1.PodSpec, opt
 // Note that if an image does not match any policies, it's perfectly
 // reasonable that the return value is 0, nil since there were no errors, but
 // the image was not validated against any matching policy and hence authority.
- func validatePolicies(ctx context.Context, ref name.Reference, kc authn.Keychain, policies map[string][]internalcip.Authority, remoteOpts ...ociremote.Option) (map[string][]oci.Signature, map[string][]error) {
+ func validatePolicies(ctx context.Context, ref name.Reference, kc authn.Keychain, policies map[string][]webhookcip.Authority, remoteOpts ...ociremote.Option) (map[string][]oci.Signature, map[string][]error) {
 // Gather all validated signatures here.
 signatures := map[string][]oci.Signature{}
 // For a policy that does not pass at least one authority, gather errors
@@ -256,7 +256,7 @@ func validatePolicies(ctx context.Context, ref name.Reference, kc authn.Keychain
 // ValidatePolicy will go through all the Authorities for a given image and
 // return a success if at least one of the Authorities validated the signatures.
 // Returns the validated signatures, or the errors encountered.
- func ValidatePolicy(ctx context.Context, ref name.Reference, kc authn.Keychain, authorities []internalcip.Authority, remoteOpts ...ociremote.Option) ([]oci.Signature, []error) {
+ func ValidatePolicy(ctx context.Context, ref name.Reference, kc authn.Keychain, authorities []webhookcip.Authority, remoteOpts ...ociremote.Option) ([]oci.Signature, []error) {
 // If none of the Authorities for a given policy pass the checks, gather
 // the errors here. If one passes, do not return the errors.
 authorityErrors := []error{}
diff --git a/pkg/cosign/kubernetes/webhook/validator_test.go b/pkg/cosign/kubernetes/webhook/validator_test.go
index cadff0b429d..ad9b3ac56d8 100644
--- a/pkg/cosign/kubernetes/webhook/validator_test.go
+++ b/pkg/cosign/kubernetes/webhook/validator_test.go
@@ -30,10 +30,10 @@ import (
 "github.com/google/go-cmp/cmp"
 "github.com/google/go-containerregistry/pkg/authn/k8schain"
 "github.com/google/go-containerregistry/pkg/name"
- internalcip "github.com/sigstore/cosign/internal/pkg/apis/cosigned"
 "github.com/sigstore/cosign/pkg/apis/config"
 "github.com/sigstore/cosign/pkg/apis/cosigned/v1alpha1"
 "github.com/sigstore/cosign/pkg/cosign"
+ webhookcip "github.com/sigstore/cosign/pkg/cosign/kubernetes/webhook/clusterimagepolicy"
 "github.com/sigstore/cosign/pkg/oci"
 "github.com/sigstore/cosign/pkg/oci/remote"
 "github.com/sigstore/cosign/pkg/oci/static"
@@ -231,14 +231,14 @@ UoJou2P8sbDxpLiE/v3yLw1/jyOrCPWYHWFXnyyeGlkgSVefG54tNoK7Uw==
 customContext: config.ToContext(context.Background(), &config.Config{
 ImagePolicyConfig: &config.ImagePolicyConfig{
- Policies: map[string]internalcip.ClusterImagePolicy{
+ Policies: map[string]webhookcip.ClusterImagePolicy{
 "cluster-image-policy": {
 Images: []v1alpha1.ImagePattern{{
 Regex: ".*",
 }},
- Authorities: []internalcip.Authority{
+ Authorities: []webhookcip.Authority{
 {
- Key: &internalcip.KeyRef{
+ Key: &webhookcip.KeyRef{
 Data: authorityKeyCosignPubString,
 PublicKeys: []*ecdsa.PublicKey{authorityKeyCosignPub},
 },
@@ -265,12 +265,12 @@ UoJou2P8sbDxpLiE/v3yLw1/jyOrCPWYHWFXnyyeGlkgSVefG54tNoK7Uw==
 customContext: config.ToContext(context.Background(), &config.Config{
 ImagePolicyConfig: &config.ImagePolicyConfig{
- Policies: map[string]internalcip.ClusterImagePolicy{
+ Policies: map[string]webhookcip.ClusterImagePolicy{
 "cluster-image-policy-keyless": {
 Images: []v1alpha1.ImagePattern{{
 Regex: ".*",
 }},
- Authorities: []internalcip.Authority{
+ Authorities: []webhookcip.Authority{
 {
 Keyless: &v1alpha1.KeylessRef{
 URL: badURL,
@@ -308,12 +308,12 @@ UoJou2P8sbDxpLiE/v3yLw1/jyOrCPWYHWFXnyyeGlkgSVefG54tNoK7Uw==
 customContext: config.ToContext(context.Background(), &config.Config{
 ImagePolicyConfig: &config.ImagePolicyConfig{
- Policies: map[string]internalcip.ClusterImagePolicy{
+ Policies: map[string]webhookcip.ClusterImagePolicy{
 "cluster-image-policy-keyless": {
 Images: []v1alpha1.ImagePattern{{
 Regex: ".*",
 }},
- Authorities: []internalcip.Authority{
+ Authorities: []webhookcip.Authority{
 {
 Keyless: &v1alpha1.KeylessRef{
 URL: fulcioURL,
@@ -351,12 +351,12 @@ UoJou2P8sbDxpLiE/v3yLw1/jyOrCPWYHWFXnyyeGlkgSVefG54tNoK7Uw==
 customContext: config.ToContext(context.Background(), &config.Config{
 ImagePolicyConfig: &config.ImagePolicyConfig{
- Policies: map[string]internalcip.ClusterImagePolicy{
+ Policies: map[string]webhookcip.ClusterImagePolicy{
 "cluster-image-policy-keyless": {
 Images: []v1alpha1.ImagePattern{{
 Regex: ".*",
 }},
- Authorities: []internalcip.Authority{
+ Authorities: []webhookcip.Authority{
 {
 Keyless: &v1alpha1.KeylessRef{
 URL: fulcioURL,
diff --git a/pkg/reconciler/clusterimagepolicy/clusterimagepolicy.go b/pkg/reconciler/clusterimagepolicy/clusterimagepolicy.go
index 2401954d52b..7b95067a3af 100644
--- a/pkg/reconciler/clusterimagepolicy/clusterimagepolicy.go
+++ b/pkg/reconciler/clusterimagepolicy/clusterimagepolicy.go
@@ -24,11 +24,11 @@ import (
 "fmt"
 "strings"
- internalcip "github.com/sigstore/cosign/internal/pkg/apis/cosigned"
 "github.com/sigstore/cosign/pkg/apis/config"
 "github.com/sigstore/cosign/pkg/apis/cosigned/v1alpha1"
 "github.com/sigstore/cosign/pkg/apis/utils"
 clusterimagepolicyreconciler "github.com/sigstore/cosign/pkg/client/injection/reconciler/cosigned/v1alpha1/clusterimagepolicy"
+ webhookcip "github.com/sigstore/cosign/pkg/cosign/kubernetes/webhook/clusterimagepolicy"
 "github.com/sigstore/cosign/pkg/reconciler/clusterimagepolicy/resources"
 corev1 "k8s.io/api/core/v1"
 apierrs "k8s.io/apimachinery/pkg/api/errors"
@@ -79,18 +79,18 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, cip *v1alpha1.ClusterIma
 return cipErr
 }
- // Converting external CIP to internal CIP
+ // Converting external CIP to webhook CIP
 bytes, err := json.Marshal(&cipCopy.Spec)
 if err != nil {
 return err
 }
- var internalCIP *internalcip.ClusterImagePolicy
- if err := json.Unmarshal(bytes, &internalCIP); err != nil {
+ var webhookCIP *webhookcip.ClusterImagePolicy
+ if err := json.Unmarshal(bytes, &webhookCIP); err != nil {
 return err
 }
- internalCIP, cipErr = r.convertKeyData(ctx, internalCIP)
+ webhookCIP, cipErr = r.convertKeyData(ctx, webhookCIP)
 if cipErr != nil {
 r.handleCIPError(ctx, cip.Name)
 // Note that we return the error about the Invalid cip here to make
@@ -106,7 +106,7 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, cip *v1alpha1.ClusterIma
 return err
 }
 // Does not exist, create it.
- cm, err := resources.NewConfigMap(system.Namespace(), config.ImagePoliciesConfigName, cip.Name, internalCIP)
+ cm, err := resources.NewConfigMap(system.Namespace(), config.ImagePoliciesConfigName, cip.Name, webhookCIP)
 if err != nil {
 logging.FromContext(ctx).Errorf("Failed to construct configmap: %v", err)
 return err
@@ -116,7 +116,7 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, cip *v1alpha1.ClusterIma
 }
 // Check if we need to update the configmap or not.
- patchBytes, err := resources.CreatePatch(system.Namespace(), config.ImagePoliciesConfigName, cip.Name, existing.DeepCopy(), internalCIP)
+ patchBytes, err := resources.CreatePatch(system.Namespace(), config.ImagePoliciesConfigName, cip.Name, existing.DeepCopy(), webhookCIP)
 if err != nil {
 logging.FromContext(ctx).Errorf("Failed to create patch: %v", err)
 return err
@@ -153,7 +153,7 @@ func (r *Reconciler) FinalizeKind(ctx context.Context, cip *v1alpha1.ClusterImag
 // to ecdsa.PublicKey and store it in the returned CIP
 // When PublicKeys are successfully set, the authority key's data will be
 // cleared out
- func (r *Reconciler) convertKeyData(ctx context.Context, cip *internalcip.ClusterImagePolicy) (*internalcip.ClusterImagePolicy, error) {
+ func (r *Reconciler) convertKeyData(ctx context.Context, cip *webhookcip.ClusterImagePolicy) (*webhookcip.ClusterImagePolicy, error) {
 for _, authority := range cip.Authorities {
 if authority.Key != nil && authority.Key.Data != "" {
 keys, err := convertAuthorityKeys(ctx, authority.Key.Data)
diff --git a/pkg/reconciler/clusterimagepolicy/resources/configmap.go b/pkg/reconciler/clusterimagepolicy/resources/configmap.go
index edfac3c7a9e..24d7c94adea 100644
--- a/pkg/reconciler/clusterimagepolicy/resources/configmap.go
+++ b/pkg/reconciler/clusterimagepolicy/resources/configmap.go
@@ -18,7 +18,7 @@ import (
 "encoding/json"
 "fmt"
- internalcip "github.com/sigstore/cosign/internal/pkg/apis/cosigned"
+ webhookcip "github.com/sigstore/cosign/pkg/cosign/kubernetes/webhook/clusterimagepolicy"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "knative.dev/pkg/apis/duck"
@@ -26,7 +26,7 @@ import (
 // NewConfigMap returns a new ConfigMap with an entry for the given
 // ClusterImagePolicy
- func NewConfigMap(ns, name, cipName string, cip *internalcip.ClusterImagePolicy) (*corev1.ConfigMap, error) {
+ func NewConfigMap(ns, name, cipName string, cip *webhookcip.ClusterImagePolicy) (*corev1.ConfigMap, error) {
 entry, err := marshal(cip)
 if err != nil {
 return nil, err
@@ -48,7 +48,7 @@ func NewConfigMap(ns, name, cipName string, cip *internalcip.ClusterImagePolicy)
 // CreatePatch updates a particular entry to see if they are differing and
 // returning the patch bytes for it that's suitable for calling
 // ConfigMap.Patch with.
- func CreatePatch(ns, name, cipName string, cm *corev1.ConfigMap, cip *internalcip.ClusterImagePolicy) ([]byte, error) {
+ func CreatePatch(ns, name, cipName string, cm *corev1.ConfigMap, cip *webhookcip.ClusterImagePolicy) ([]byte, error) {
 entry, err := marshal(cip)
 if err != nil {
 return nil, err
@@ -85,7 +85,7 @@ func CreateRemovePatch(ns, name string, cm *corev1.ConfigMap, cipName string) ([
 return jsonPatch.MarshalJSON()
 }
- func marshal(spec *internalcip.ClusterImagePolicy) (string, error) {
+ func marshal(spec *webhookcip.ClusterImagePolicy) (string, error) {
 bytes, err := json.Marshal(spec)
 if err != nil {
 return "", err