Notary V1 Integration #541

Merged
merged 7 commits into from
Nov 23, 2020
Conversation

djoyahoy
Contributor

@djoyahoy djoyahoy commented Nov 4, 2020

This PR integrates with Notary for image signing. The following explains the signing process:

  1. notary init example.registry.io/my-app generates/encrypts the root, targets, and snapshot private keys. The targets key will be used for signing new image tags.
  2. notary key rotate example.registry.io/my-app snapshot -r rotates the snapshot key to the server so that it is not managed locally. This is the default behavior of the docker CLI when signing images.
  3. notary publish example.registry.io/my-app publishes local changes to the Notary server.
  4. kubectl create secret generic notary-secret --from-literal=password=<password> --from-file=$HOME/.notary/private/<targets-hash>.key creates a k8s secret with the targets private key and the password used to decrypt the key.
  5. Create an image config that references the notary secret and the notary server URL.
  6. After export, the completion container uploads the image tag, manifest digest, and manifest size to the Notary server. It verifies the content using the private targets key. Registry secrets are used to authenticate with the Notary server, as Notary traditionally uses the same auth method as the registry (see here and here).
  7. docker CLI users with docker content trust enabled will connect to the Notary server when pulling images to validate their authenticity. This simply validates that the manifest digest is correct (as it is a cryptographic hash function).
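The check in steps 6 and 7 comes down to two values recorded per tag, the manifest's sha256 digest and its byte length, which a content-trust client recomputes on pull. The following is an added illustration, not code from this PR or from the Notary client library; the Target type and the sample manifest bytes are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Target holds what gets published to Notary for one image tag: the tag name,
// the manifest's sha256 digest and its length. Constructed for this example;
// not kpack's or Notary's own type.
type Target struct {
	Name   string
	SHA256 string // lowercase hex, without the "sha256:" prefix
	Length int64
}

// NewTarget builds the target record for a tag from the raw manifest bytes,
// the same digest and size the registry reports for that manifest.
func NewTarget(tag string, manifest []byte) Target {
	sum := sha256.Sum256(manifest)
	return Target{Name: tag, SHA256: hex.EncodeToString(sum[:]), Length: int64(len(manifest))}
}

// DigestString renders the digest in the "sha256:<hex>" form registries use.
func (t Target) DigestString() string { return "sha256:" + t.SHA256 }

// Verify is the pull-side check: recompute length and digest of the fetched
// manifest and compare both against the signed target. Any mismatch means the
// tag now points at content other than what was signed.
func Verify(t Target, fetchedManifest []byte) error {
	if int64(len(fetchedManifest)) != t.Length {
		return fmt.Errorf("target %q: length %d != signed length %d", t.Name, len(fetchedManifest), t.Length)
	}
	want, err := hex.DecodeString(strings.TrimPrefix(t.SHA256, "sha256:"))
	if err != nil || len(want) != sha256.Size {
		return errors.New("target has a malformed sha256 digest")
	}
	got := sha256.Sum256(fetchedManifest)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return fmt.Errorf("target %q: manifest digest mismatch", t.Name)
	}
	return nil
}

func main() {
	// Constructed sample manifest; a real one is the registry's manifest JSON.
	manifest := []byte(`{"schemaVersion":2,"config":{"digest":"sha256:aaaa"}}`)
	t := NewTarget("v1.0.0", manifest)
	fmt.Println(t.Name, t.DigestString(), t.Length)
	fmt.Println("genuine:", Verify(t, manifest))
	fmt.Println("tampered:", Verify(t, bytes.Replace(manifest, []byte("aaaa"), []byte("bbbb"), 1)))
}
```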

@djoyahoy djoyahoy changed the title WIP - Notary V1 Integration Notary V1 Integration Nov 12, 2020
@djoyahoy djoyahoy marked this pull request as ready for review November 12, 2020 21:33
@matthewmcnew
Collaborator

This is a really good PR and really does a good job of implementing the notary integration without unnecessary complexity. The exact mechanics/terminology of how notary signs images is still a bit murky for me. Could you walk through that again at some point?

@djoyahoy
Contributor Author

This is a really good PR and really does a good job of implementing the notary integration without unnecessary complexity. The exact mechanics/terminology of how notary signs images is still a bit murky for me. Could you walk through that again at some point?

Sounds good. I'll create a summary in the PR description.

- Remove configMapKeyRef for certs
- NotaryConfig is now a pointer
@djoyahoy djoyahoy linked an issue Nov 17, 2020 that may be closed by this pull request
Contributor

@tylerphelan tylerphelan left a comment

Should we have image and/or build validation for notary config? (all fields must be non-empty, maybe check that the notary secret exists, maybe check that the url is a valid url)

Also maybe run a goimports

pkg/apis/build/v1alpha1/build.go
pkg/notary/authenticating_round_tripper.go
djoyahoy and others added 2 commits November 18, 2020 14:53
@djoyahoy djoyahoy merged commit f9f96c9 into master Nov 23, 2020
@djoyahoy djoyahoy deleted the notary-v1-integration branch November 23, 2020 21:02
Successfully merging this pull request may close these issues.

Integrate with Notary V1 for image signing