Notary V1 Integration #541
This is a really good PR and really does a good job of implementing the notary integration without unnecessary complexity. The exact mechanics/terminology of how notary signs images is still a bit murky for me. Could you walk through that again at some point?
Sounds good. I'll create a summary in the PR description.
- Remove configMapKeyRef for certs - NotaryConfig is now a pointer
Should we have image and/or build validation for notary config? (must all fields be non-empty, maybe check that the notary secret exists, maybe check that the URL is a valid URL)
Also maybe run a goimports
- Check token type in authenticating round tripper
This PR integrates with Notary for image signing. The following explains the signing process:

notary init example.registry.io/my-app
generates/encrypts the root, targets, and snapshot private keys. The targets key will be used for signing new image tags.

notary key rotate example.registry.io/my-app snapshot -r
rotates the snapshot key to the server so that it is not managed locally. This is the default behavior of the docker CLI when signing images.

notary publish example.registry.io/my-app
publishes local changes to the Notary server.

kubectl create secret generic notary-secret --from-literal=password=<password> --from-file=$HOME/.notary/private/<targets-hash>.key
create a k8s secret with the targets private key and the password used to decrypt the key.
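An added example, not code from the PR or the project, that resolves the `<targets-hash>.key` path the kubectl step above leaves to the operator and prints that command with the path filled in. It assumes notary v1's PEM key layout (a `role:` header line and, for non-root keys, a `gun:` header line) and runs against a constructed sample key directory.

```shell
# Added example, not code from the PR or the project: resolve the
# <targets-hash>.key path used in the kubectl step above. Assumption: notary v1
# stores each encrypted key as PEM under ~/.notary/private/ with "role:" and
# "gun:" header lines (check against your notary version before relying on it).
set -eu

# find_targets_key DIR GUN: print the one targets key for GUN; fail if there is
# none or more than one, so an ambiguous key never lands in the k8s secret.
find_targets_key() {
    dir=$1; gun=$2; match=""
    for f in "$dir"/*.key; do
        [ -f "$f" ] || continue
        role=$(sed -n 's/^role: *//p' "$f" | head -n 1)
        kgun=$(sed -n 's/^gun: *//p' "$f" | head -n 1)
        if [ "$role" = "targets" ] && [ "$kgun" = "$gun" ]; then
            if [ -n "$match" ]; then
                echo "error: more than one targets key for $gun" >&2
                return 1
            fi
            match=$f
        fi
    done
    [ -n "$match" ] || { echo "error: no targets key for $gun" >&2; return 1; }
    printf '%s\n' "$match"
}

# secret_cmd DIR GUN SECRET_NAME: the kubectl command from the PR description
# with the key path filled in; the password stays a placeholder for the operator.
secret_cmd() {
    key=$(find_targets_key "$1" "$2") || return 1
    printf 'kubectl create secret generic %s --from-literal=password=<password> --from-file=%s\n' "$3" "$key"
}

# write_key FILE ROLE [GUN]: constructed sample key file in the assumed layout;
# the body is a placeholder, not a real key.
write_key() {
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' "role: $2" ${3:+"gun: $3"} \
        '' 'PLACEHOLDER-NOT-A-REAL-KEY' '-----END ENCRYPTED PRIVATE KEY-----' > "$1"
}

# make_sample_dir: build a constructed ~/.notary/private look-alike, print its path.
make_sample_dir() {
    d=$(mktemp -d)
    write_key "$d/1111.key" root
    write_key "$d/2222.key" targets example.registry.io/my-app
    write_key "$d/3333.key" snapshot example.registry.io/my-app
    printf '%s\n' "$d"
}
```

Run it against the real directory with `secret_cmd "$HOME/.notary/private" example.registry.io/my-app notary-secret`; the root key is skipped because it carries no matching role, and a second targets key for the same GUN is reported as an error rather than silently picked.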