v1beta1 API for cosigned (#1890)

* autogen, start of conversion Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * V1beta1 and conversions. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Fix the lints. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Codegen seems to actually leave v1beta1 alone. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Remove some things from third_party, version of go skew. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Permissions for conversion webhook. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Glob is not optional anymore :) Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
sigstore · May 18, 2022 · 1afff48 · 1afff48
1 parent 2616953
commit 1afff48
Show file tree

Hide file tree

Showing 45 changed files with 4,054 additions and 24 deletions.
diff --git a/cmd/cosign/policy_webhook/main.go b/cmd/cosign/policy_webhook/main.go
@@ -28,11 +28,14 @@ import (
 	"knative.dev/pkg/webhook"
 	"knative.dev/pkg/webhook/certificates"
 	"knative.dev/pkg/webhook/resourcesemantics"
+	"knative.dev/pkg/webhook/resourcesemantics/conversion"
 	"knative.dev/pkg/webhook/resourcesemantics/defaulting"
 	"knative.dev/pkg/webhook/resourcesemantics/validation"
 	"sigs.k8s.io/release-utils/version"
 
+	"github.com/sigstore/cosign/pkg/apis/cosigned"
 	"github.com/sigstore/cosign/pkg/apis/cosigned/v1alpha1"
+	"github.com/sigstore/cosign/pkg/apis/cosigned/v1beta1"
 	"github.com/sigstore/cosign/pkg/reconciler/clusterimagepolicy"
 
 	// Register the provider-specific plugins
@@ -61,6 +64,13 @@ var (
 	validatingWebhookName = flag.String("validating-webhook-name", "validating.clusterimagepolicy.sigstore.dev", "The name of the validating webhook configuration as well as the webhook name that is automatically configured, if exists, with different rules and client settings setting how the admission requests to be dispatched to policy-webhook.")
 )
 
+var types = map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
+	// v1alpha1
+	v1alpha1.SchemeGroupVersion.WithKind("ClusterImagePolicy"): &v1alpha1.ClusterImagePolicy{},
+	// v1beta1
+	v1beta1.SchemeGroupVersion.WithKind("ClusterImagePolicy"): &v1beta1.ClusterImagePolicy{},
+}
+
 func main() {
 	opts := webhook.Options{
 		ServiceName: "policy-webhook",
@@ -81,6 +91,7 @@ func main() {
 		clusterimagepolicy.NewController,
 		NewPolicyValidatingAdmissionController,
 		NewPolicyMutatingAdmissionController,
+		newConversionController,
 	)
 }
 
@@ -89,9 +100,7 @@ func NewPolicyValidatingAdmissionController(ctx context.Context, cmw configmap.W
 		ctx,
 		*validatingWebhookName,
 		"/validating",
-		map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
-			v1alpha1.SchemeGroupVersion.WithKind("ClusterImagePolicy"): &v1alpha1.ClusterImagePolicy{},
-		},
+		types,
 		func(ctx context.Context) context.Context {
 			return ctx
 		},
@@ -104,12 +113,40 @@ func NewPolicyMutatingAdmissionController(ctx context.Context, cmw configmap.Wat
 		ctx,
 		*mutatingWebhookName,
 		"/defaulting",
-		map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
-			v1alpha1.SchemeGroupVersion.WithKind("ClusterImagePolicy"): &v1alpha1.ClusterImagePolicy{},
-		},
+		types,
 		func(ctx context.Context) context.Context {
 			return ctx
 		},
 		true,
 	)
 }
+
+func newConversionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
+	// nolint: revive
+	var (
+		v1alpha1GroupVersion = v1alpha1.SchemeGroupVersion.Version
+		v1beta1GroupVersion  = v1beta1.SchemeGroupVersion.Version
+	)
+
+	return conversion.NewConversionController(ctx,
+		// The path on which to serve the webhook
+		"/resource-conversion",
+
+		// Specify the types of custom resource definitions that should be converted
+		map[schema.GroupKind]conversion.GroupKindConversion{
+			v1beta1.Kind("ClusterImagePolicy"): {
+				DefinitionName: cosigned.ClusterImagePolicyResource.String(),
+				HubVersion:     v1alpha1GroupVersion,
+				Zygotes: map[string]conversion.ConvertibleObject{
+					v1alpha1GroupVersion: &v1alpha1.ClusterImagePolicy{},
+					v1beta1GroupVersion:  &v1beta1.ClusterImagePolicy{},
+				},
+			},
+		},
+
+		// A function that infuses the context passed to ConvertTo/ConvertFrom/SetDefaults with custom metadata
+		func(ctx context.Context) context.Context {
+			return ctx
+		},
+	)
+}
diff --git a/config/200-clusterrole.yaml b/config/200-clusterrole.yaml
@@ -37,16 +37,15 @@ rules:
     # which requires we can Get the system namespace.
     resourceNames: ["cosign-system"]
 
-  # TODO: We will need this once we have conversion webhooks.
-  # # Allow the reconciliation of exactly our CRDs.
-  # # This is needed for us to patch in conversion webhook information.
-  # - apiGroups: ["apiextensions.k8s.io"]
-  #   resources: ["customresourcedefinitions"]
-  #   verbs: ["list", "watch"]
-  # - apiGroups: ["apiextensions.k8s.io"]
-  #   resources: ["customresourcedefinitions"]
-  #   verbs: ["get", "update"]
-  #   resourceNames: ["clusterimagepolicies.cosigned.sigstore.dev"]
+  # Allow the reconciliation of exactly our CRDs.
+  # This is needed for us to patch in conversion webhook information.
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["list", "watch"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "update"]
+    resourceNames: ["clusterimagepolicies.cosigned.sigstore.dev"]
 
   # Allow reconciliation of the ClusterImagePolic CRDs.
   - apiGroups: ["cosigned.sigstore.dev", "validating.clusterimagepolicy.sigstore.dev", "defaulting.clusterimagepolicy.sigstore.dev"]

diff --git a/config/300-clusterimagepolicy.yaml b/config/300-clusterimagepolicy.yaml
@@ -175,3 +175,150 @@ spec:
                       type: string
                     url:
                       type: string
+    - name: v1beta1
+      served: true
+      storage: false
+      schema:
+        openAPIV3Schema:
+          type: object
+          properties:
+            spec:
+              description: Spec holds the desired state of the ClusterImagePolicy (from the client).
+              type: object
+              properties:
+                authorities:
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      attestations:
+                        type: array
+                        items:
+                          type: object
+                          properties:
+                            name:
+                              description: Name of the attestation. These can then be referenced at the CIP level policy.
+                              type: string
+                            policy:
+                              type: object
+                              properties:
+                                configMapRef:
+                                  type: object
+                                  properties:
+                                    name:
+                                      description: Name is unique within a namespace to reference a configmap resource.
+                                      type: string
+                                    namespace:
+                                      description: Namespace defines the space within which the configmap name must be unique.
+                                      type: string
+                                data:
+                                  type: string
+                                type:
+                                  description: Which kind of policy this is, currently only rego or cue are supported. Furthermore, only cue is tested :)
+                                  type: string
+                                url:
+                                  type: string
+                            predicateType:
+                              description: Which predicate type to verify. Matches cosign verify-attestation options.
+                              type: string
+                      ctlog:
+                        type: object
+                        properties:
+                          url:
+                            type: string
+                      key:
+                        type: object
+                        properties:
+                          data:
+                            description: Data contains the inline public key
+                            type: string
+                          kms:
+                            description: KMS contains the KMS url of the public key
+                            type: string
+                          secretRef:
+                            type: object
+                            properties:
+                              name:
+                                description: Name is unique within a namespace to reference a secret resource.
+                                type: string
+                              namespace:
+                                description: Namespace defines the space within which the secret name must be unique.
+                                type: string
+                      keyless:
+                        type: object
+                        properties:
+                          ca-cert:
+                            type: object
+                            properties:
+                              data:
+                                description: Data contains the inline public key
+                                type: string
+                              kms:
+                                description: KMS contains the KMS url of the public key
+                                type: string
+                              secretRef:
+                                type: object
+                                properties:
+                                  name:
+                                    description: Name is unique within a namespace to reference a secret resource.
+                                    type: string
+                                  namespace:
+                                    description: Namespace defines the space within which the secret name must be unique.
+                                    type: string
+                          identities:
+                            type: array
+                            items:
+                              type: object
+                              properties:
+                                issuer:
+                                  type: string
+                                subject:
+                                  type: string
+                          url:
+                            type: string
+                      name:
+                        description: Name is the name for this authority. Used by the CIP Policy validator to be able to reference matching signature or attestation verifications. If not specified, the name will be authority-<index in array>
+                        type: string
+                      source:
+                        type: array
+                        items:
+                          type: object
+                          properties:
+                            oci:
+                              type: string
+                            signaturePullSecrets:
+                              description: SignaturePullSecrets is an optional list of references to secrets in the same namespace as the deploying resource for pulling any of the signatures used by this Source.
+                              type: array
+                              items:
+                                type: object
+                                properties:
+                                  name:
+                                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                    type: string
+                images:
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      glob:
+                        type: string
+                policy:
+                  description: Policy is an optional policy that can be applied against all the successfully validated Authorities. If no authorities pass, this does not even get evaluated, as the Policy is considered failed.
+                  type: object
+                  properties:
+                    configMapRef:
+                      type: object
+                      properties:
+                        name:
+                          description: Name is unique within a namespace to reference a configmap resource.
+                          type: string
+                        namespace:
+                          description: Namespace defines the space within which the configmap name must be unique.
+                          type: string
+                    data:
+                      type: string
+                    type:
+                      description: Which kind of policy this is, currently only rego or cue are supported. Furthermore, only cue is tested :)
+                      type: string
+                    url:
+                      type: string
diff --git a/hack/update-codegen.sh b/hack/update-codegen.sh
@@ -45,15 +45,15 @@ group "Kubernetes Codegen"
 #                  instead of the $GOPATH directly. For normal projects this can be dropped.
 ${CODEGEN_PKG}/generate-groups.sh "deepcopy,client,informer,lister" \
   github.com/sigstore/cosign/pkg/client github.com/sigstore/cosign/pkg/apis \
-  "cosigned:v1alpha1" \
+  "cosigned:v1alpha1 cosigned:v1beta1" \
   --go-header-file ${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.go.txt
 
 group "Knative Codegen"
 
 # Knative Injection
 ${KNATIVE_CODEGEN_PKG}/hack/generate-knative.sh "injection" \
   github.com/sigstore/cosign/pkg/client github.com/sigstore/cosign/pkg/apis \
-  "cosigned:v1alpha1" \
+  "cosigned:v1alpha1 cosigned:v1beta1" \
   --go-header-file ${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.go.txt
 
 group "Update CRD Schema"

diff --git a/pkg/apis/cosigned/register.go b/pkg/apis/cosigned/register.go
@@ -14,7 +14,17 @@
 
 package cosigned
 
+import "k8s.io/apimachinery/pkg/runtime/schema"
+
 const (
 	// GroupName is the name of the API group.
 	GroupName = "cosigned.sigstore.dev"
 )
+
+var (
+	// ClusterImagePolicyResource represents a ClusterImagePolicy
+	ClusterImagePolicyResource = schema.GroupResource{
+		Group:    GroupName,
+		Resource: "clusterimagepolicies",
+	}
+)