Allow specifying ImagePullSecrets in ClusterImagePolicies

[tcnghia]

Description

Currently cosigned uses ImagePullSecrets through the PodSpec-providing resources (#801). However, there is no guarantee that signatures are stored in the same repository of the image (for instance, if COSIGN_REPOSITORY was set when signing).

If we can specify ImagePullSecrets in the ClusterImagePolicies, cosigned can use them for verification.

[hectorj2f]

@tcnghia We are working on adding support to ClusterImagePolicy where you could specify where to look for the signatures. These changes and others are coming from the following design document https://docs.google.com/document/d/1gBLEOOHWOmvHVsoJbgGU74GdwA6CGxMRp3MAeEB50l4/edit#.

[tcnghia]

@hectorj2f I see. Thanks for pointing out. I am not sure if we should close this bug or re-use it to track part of the the design doc implementation? You know better than me about what the right thing to do for the repo, so I'll let you close or leave open as necessary. Thanks!

[hectorj2f]

This issue is related to #1651

[DennyHoang]

Going to start working on this. The proposed change is adding "signaturePullSecrets" field to authority source types to access secrets containing registry source credentials.

[shawnho1018]

@DennyHoang Is there any test bit for 1.9 or when will 1.9 be released? I am trying to use cosigned with GCP's gcr.io with 1.8 but stuck in the permission against private repository (gcr.io). Is there any workaround I could test before 1.9?

Error from server (BadRequest): error when creating "nginx-1.yaml": admission webhook "cosigned.sigstore.dev" denied the request: validation failed: GET https://gcr.io/v2/shawn-demo-2022/nginx/manifests/sha256:61face6bf030edce7ef6d7dd66fe452298d6f5f7ce032afdd01683ef02b2b841: UNAUTHORIZED: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication: spec.containers[0].image
gcr.io/shawn-demo-2022/nginx@sha256:61face6bf030edce7ef6d7dd66fe452298d6f5f7ce032afdd01683ef02b2b841

[elfotografo007]

@shawnho1018 Are the signature and the container in the same registry or different registries? If they are in the same registry, have you tried passing a service account with the imagePullSecrets to the Pod Spec?

[shawnho1018]

@elfotografo007 Signature and container are in the same registry.
Please note that the current validation failed is from "admission webhook" instead of my nginx-1.yaml file. If I choose to apply this yaml to the namespace without label "cosigned.sigstore.dev/include=true", the deployment is successful. I don't think this is my node cannot access the gcr.io but something related to the webhook. However, how to provide webhook credentials for private repository? Kindly need experts's hints.