Add TrustedKeys CRD for holding TUF or bring your own keys.

Signed-off-by: Ville Aikas <vaikas@chainguard.dev>

cmd/trustedkeys/main.go

@@ -0,0 +1,116 @@
+//
+// Copyright 2021 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"context"
+	"flag"
+	"log"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"knative.dev/pkg/configmap"
+	"knative.dev/pkg/controller"
+	"knative.dev/pkg/injection/sharedmain"
+	"knative.dev/pkg/signals"
+	"knative.dev/pkg/webhook"
+	"knative.dev/pkg/webhook/certificates"
+	"knative.dev/pkg/webhook/resourcesemantics"
+	"knative.dev/pkg/webhook/resourcesemantics/defaulting"
+	"knative.dev/pkg/webhook/resourcesemantics/validation"
+	"sigs.k8s.io/release-utils/version"
+
+	"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1"
+	"github.com/sigstore/policy-controller/pkg/reconciler/trustedkeys"
+
+	// Register the provider-specific plugins
+	_ "github.com/sigstore/sigstore/pkg/signature/kms/aws"
+	_ "github.com/sigstore/sigstore/pkg/signature/kms/azure"
+	_ "github.com/sigstore/sigstore/pkg/signature/kms/gcp"
+	_ "github.com/sigstore/sigstore/pkg/signature/kms/hashivault"
+)
+
+var (
+	// mutatingWebhookName holds the name of the mutating webhook configuration
+	// resource dispatching admission requests to policy-webhook.
+	// It is also the name of the webhook which is injected by the controller
+	// with the resource types, namespace selectors, CABindle and service path.
+	// If this changes, you must also change:
+	//    ./config/501-policy-webhook-configurations.yaml
+	//    https://github.com/sigstore/helm-charts/blob/main/charts/policy-controller/templates/policy-webhook/policy_webhook_configurations.yaml
+	mutatingWebhookName = flag.String("mutating-webhook-name", "defaulting.tufroot.sigstore.dev", "The name of the mutating webhook configuration as well as the webhook name that is automatically configured, if exists, with different rules and client settings setting how the admission requests to be dispatched to policy-webhook.")
+	// validatingWebhookName holds the name of the validating webhook configuration
+	// resource dispatching admission requests to policy-webhook.
+	// It is also the name of the webhook which is injected by the controller
+	// with the resource types, namespace selectors, CABindle and service path.
+	// If this changes, you must also change:
+	//    ./config/501-policy-webhook-configurations.yaml
+	//    https://github.com/sigstore/helm-charts/blob/main/charts/policy-controller/templates/policy-webhook/policy_webhook_configurations.yaml
+	validatingWebhookName = flag.String("validating-webhook-name", "validating.tufroot.sigstore.dev", "The name of the validating webhook configuration as well as the webhook name that is automatically configured, if exists, with different rules and client settings setting how the admission requests to be dispatched to policy-webhook.")
+)
+
+var types = map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
+	// v1alpha1
+	v1alpha1.SchemeGroupVersion.WithKind("TrustedKeys"): &v1alpha1.TrustedKeys{},
+}
+
+func main() {
+	opts := webhook.Options{
+		ServiceName: "policy-webhook",
+		Port:        8443,
+		SecretName:  "policy-webhook-certs",
+	}
+	ctx := webhook.WithOptions(signals.NewContext(), opts)
+
+	// Allow folks to configure the port the webhook serves on.
+	flag.IntVar(&opts.Port, "secure-port", opts.Port, "The port on which to serve HTTPS.")
+
+	v := version.GetVersionInfo()
+	vJSON, _ := v.JSONString()
+	log.Printf("%v", vJSON)
+	// This calls flag.Parse()
+	sharedmain.MainWithContext(ctx, "trustedkeys",
+		certificates.NewController,
+		trustedkeys.NewController,
+		NewTUFRootValidatingAdmissionController,
+		NewTUFRootMutatingAdmissionController,
+	)
+}
+
+func NewTUFRootValidatingAdmissionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
+	return validation.NewAdmissionController(
+		ctx,
+		*validatingWebhookName,
+		"/validating",
+		types,
+		func(ctx context.Context) context.Context {
+			return ctx
+		},
+		true,
+	)
+}
+
+func NewTUFRootMutatingAdmissionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
+	return defaulting.NewAdmissionController(
+		ctx,
+		*mutatingWebhookName,
+		"/defaulting",
+		types,
+		func(ctx context.Context) context.Context {
+			return ctx
+		},
+		true,
+	)
+}

config/config-tuf-roots.yaml

@@ -0,0 +1,28 @@
+# Copyright 2022 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config-tuf-roots
+  namespace: cosign-system
+
+data:
+  _example: |
+    ################################
+    #                              #
+    #    EXAMPLE CONFIGURATION     #
+    #                              #
+    ################################
+    my-custom-tuf-root: "H4sIAAAAAAAA/+x6V3MbudL2XvNXqHSrb61GBlx1LoY5iFEUJeqrU65GYg7ikKLEU/vf36KCLYdj77u2tX5r+VxoigMI3Wh0eAbAKiwX6Wi9WN3/9tMAAKCEeHzKxydQ/vh8xG+EMyKZYlSR34AwKeVvR+LnqfQBm3SNq98AbnE0wfS/90vXGONXxnmeyPPz/wg+rP8pebNaLNZvxuli/mNl7O0hOf9v688pqE/WX+y7Hb2KEf/h6/+fzNFxOhrMgz9+e/SfzNHR8bv1/TIcvz063nvD8f/bv0qXwb27Dat0tJjvW8gbeGz48I48/A53y9EqpPs+FCj7HfjvQLuEvWX6LVG/g3oLT/85Cffpk8SjY2CGKKmJ14aFaDUxzljGCDMgoxUuekOY8Jx5jWgVcUiks/u+ynFw5Hmgh2Gf1Q+eCkHMg7j9HNwwzL7UMAn3I/9uiOnwHU4Hi9VoPZztVfv/D81Hx+kQqZBPvR9+CkKPH379+8MQtzh9r8XR8XJjpyO3F2aio94qK70iVFMwVlqBxFpjGAQdDY1EctTOeaaN55FETtEzoo1mWttHQX/s//7xIO2YWYUgiHPWEcOVZA4V8daQYCFKYJpZB94pNEJaSaQKxjC0KqJgAFT8wsYilFFBPPU0GB80QwXRGs6s0t4FIMqBIkZSbyHyQDWTlIKjQJi3QknyubE0YHDSMI7BWow8Gq8g2BBtiMxw8ExZLSJ1DIViHqxVSjHFDSgvlHC/sLGMUjF4ETwIDiCF90opxRVYpsEhcEs5dSJEqzxGY6RRTDhrwBKphWCfGyvGgFagQxIsemENi1QyYzhqBMlRKS8C49ILJ6JVylgEQxlXPhIeuf+FjUUE2qgtMYRQ7rng0QshvDaOUGTonbLAkUrnTSRaOAQFQkqMTHDDuHpprMyTwY5Xi2n4kMQe0uVLC4z8S/2/O2w/mup6uArpcDHd25y8WMJ0jst0+FVFvjvZ/ilF1rgahHX6FT2+29v+nB6jWUjXOFt+RZPvThLf0OS9w7jFPB2l6zBfv3uxUBGnacg8dHkoxbjePNbQvX6PvvWg8t6Pv9uLntxkNNiPppFErj0wB4YwoqUVkknFokXvtXAsOsEdiii150EapZmiVLh9qJAQvZXBa+ReeEsgBOEJomJWOBuF1cyFgAKC8zFiVE5SgRScItEwL4SDsDfcH5mjf2f++Ltp0D8WL/j/T2L/f4n/SyoP/P81cOD/B/7/yxjrwP8P/P/A/w/8/8D/D/z/gFfBC/7/7JI//BvgG/yfEPEp/5cC2IH/vwa+wv/fp6if9Q0wC2t8Xz6fCsaD833I1dMwH6yH+7GB0acEu+cIH+ruBy7w9uhY8KgRLETlrZA0EKQyaK7QKIeeeGqNipIQx2V03jnr0XrODAhOHZcEPI1BM6PQGQ4UNdUGkHFLAtFURuK8E5YSZ71hQAxwZj31xEupPNLwRBOeFH1hmfd14E/m+e8u0h/leWK8FYa6CBKtEEFzIqk3yqloiPVSgiJCBmopFVpR1CxGC5RE4bhAR8ASLb30kRlCGEZpI1MUQtACqBFsXwGoVICCWuIsJ0pLF12kCoJggIc8/8viRf5/isAfL+N/f/4vGFOH8//XwOfrf+rWMbxZbuwPk/Gt+s9BfrL+CgQc6v9r4Pc9soVSpXHUOU+OWhfZs0ruqFboPzRk6pVKLjeo5ZJBIdmQZMjntKWrpbWh7YGWRd/RkSwXG87u534wqG86uSuoZk/s2ZysLoqdJFNr9/zJ3XzueeuqenbmZ1N9vRjmVjAdZjf1u2u1y+7W0DV6YqcXubvsIMm2GsvLyqQ7QHef05n6tNLvn95nzzf5y6TaTESlNuLloZlXTuoze1q8GtjmTqCYXd/prVrWR936Bk463rjWrjO5uM7k2/E6PWs2VrK1nd3nksoZWdQ0xHB7V7tu1Qtw0dO22Lqcd+5CD4sr4b0/zTfDvKfL8rx1n1nxZt6eNyvr5VSwe5nsYMaK3cpF1O48ve8oHwt8t0xYnfvxeL2o5RvFTtodX9DOZa99aa4ydbzb7ealXml4VthOcidpf9wRjfZtWYxGndse0TcnuVL7pnFFTy4v6+y8tVnfs7nTspNtdKDYzAzO2wl0z2gzSaWtNmZx57bXd0mtb8fqVOv1WN6sxmfYXhe7NjujqE66STum7KI7ao8AdplCvn8Tzsf0sn2LrjEj/rKQ3N9Bu3FWHtVK3Tnvng9LY312sSjdj6tU9mWvlS7Wt7nFWI/rEDLY0C1nTpP+/bZXOWlP1mNsXaOqlcrsqlquTrqVdrvjLu6a63y6ri3dapSEmE/1eHwmxhuzzogquyncDnYzN21Ua535FPmSzbAOt5MT7XKqcFXv8RbZbXLbFcMJlovVhegDFoe1dF6+6WacgrM4Ki5OT/VpO729H59VLtaFy3J3UgqbyFtL279aiZtlVa4vhyVaTzp3Pgx0LtkWkqT9r39lHhy60Mh/yc//7ij8+/CF/B83UzdavLslb9xq/WYZZt8r45v5X4mP8z8FCYfzn1fBi/yfK3S6lWIll3QLH5J/Y5fLJZ4Okm0lmwwq3dZZdpFtD6dkeFNs5M35yXnp0sYddrpJLTsY3Awn42ar3c4n4+wiU2+n21y7n++126XCtto73xXO69mklJCLQi5br/boNPXlxgKvqtN6p74tPPYtF7bLPJam24wr9TZYKq7rbb3NPzbWCtvr8+vLTqV/1b7L5/dSG71sknYTaFx0d4VOPdEPApK7eiXjS72dLzWmbt7eloeuUR8XtvVd4b4+rt838m1xuX+3K2zr4wp//26cXTxrnvmrqj9rnvmrqj9rntmrftlNutmBe7JuJfvB0vVsdtvIJUm7Mz9JpveLKO9arNTOTc+3gx40ipt+pl/Yzmqt08uzy9Xp2TYrzy76u7W45aYzvSlpVttg9XwZmmNVUvVekvXLynX/cnuTjK57bEH728x1PmnuVS23dTaJupBN6rmk3d8WBv18rwPdpF0+zSaDbXZQyJ7u/aSb+Mf+vFActC8yXV3dzmR107Pg09GmfNFpjsrNZq/cm2zL24dBxtnsYFtcJBdf6pt57pwb9Cu1xXVlN4ZCsq3kz5Nk22lXhkl10rietWRaS050IdjOVXGSRZNvjdFll12XaU7H1cX6tjbynWEySjaNVQV3tcKWlrjf6juyk4X+xJROVKy2xMwwO56dVmM9u05eVo5PI+TvDt4fgC/k/1WYLFY/8gPgG/kfqCSf8n/K1SH/vwZe5P/PuH9xsi1s++WngNuH/HPw5ZO2y7cHSaEoxzTtVtZnLoVtbdFc1neVEzOtznK7mGnIWZ8uV82A2U6P+nla3eUMHzbvJnWxPF+auU1qpJttVriIzWYrLdPVeefkpLz6KOgOVO1n4vP4//FXgL4R/xTIp/s/kgE9xP9r4Cv7/89HuD9r+/+TI+Lj532nL+z+K8W/vflvjHQoiGIBGXKtNEPvMIKWjChFdUDvEXzgCokRFqyXmgIPQlMTpAsYQ7SKUxmYclEGZcEQ0BSdjDEwxZwRQTJj0PMYwVmMiEIpJYLVFvQXLlR8+iX1halpar49NRqC0Y5ShkghUqoJCyZY7iTlFNFbaZkyjnEN1jpOhTHaSSk1k1FQY0EHLSVlkiBYFBQcQ0YF0VGgQyRGBxnFXoZhaAMLJAATlnACCFrh51N7TxK+dFaj1LenJBG8doFraTmiQmoZ2AiGA2plEMATa6li2nGtuOAsEGWUJp5TqwMST2hkXBrtnRGW2RCsUVoAk1FFShUNNDpDrTEcgaMTBgMX2orIkaJyn97o+JMHM999a+Gjg5nAMIJgVplAg+UBFNEESdBWWeal1J4674W2KiqhhGEuWBcMeJBowSGhDB3hIUqqHAhCUUrhpHeeUYIYlJFBE0ql1CSKGE2whAYGUlnNBMTDwcw/HS/r//NVmR/NAL55/i8/q/+Sk0P9fw18rf6/vzr1KhcAPrp+8oWqIin7ExcAovVahhC99EJZwwKgIRhs4CEAU8Lr4DnwaAwzgUmQhmpOmQOC3DglDGhOmJEKHKWGSR6jJBAeGGnkikGgwCVFRxCFNpo6aZnV2nvpjbU/7ALAd99J+6jOUMEYRkWAcmZ1VIFwQ4kBSTglmgcSjeTec1TCg3HUBMUJE4FFwUNAQjByL2gkQggjo2csmBgp5Tx4qRwgjUJ5E4wHDS4oETnhUlkRqQ8B7KHOHHDAAQf8avifAAAA//8nr2ImAEQAAA=="

config/kustomization.yaml

@@ -30,4 +30,5 @@ resources:
   - config-logging.yaml
   - config-leader-election.yaml
   - config-image-policies.yaml
+  - config-tuf-roots.yaml
   - config-policy-controller.yaml

pkg/apis/config/store.go

@@ -26,7 +26,8 @@ type cfgKey struct{}
 // Config holds the collection of configurations that we attach to contexts.
 // +k8s:deepcopy-gen=false
 type Config struct {
-	ImagePolicyConfig *ImagePolicyConfig
+	ImagePolicyConfig  *ImagePolicyConfig
+	SigstoreKeysConfig *SigstoreKeysMap
 }
 
 // FromContext extracts a Config from the provided context.
@@ -70,6 +71,7 @@ func NewStore(logger configmap.Logger, onAfterStore ...func(name string, value i
 			logger,
 			configmap.Constructors{
 				ImagePoliciesConfigName: NewImagePoliciesConfigFromConfigMap,
+				SigstoreKeysConfigName:  NewSigstoreKeysFromConfigMap,
 			},
 			onAfterStore...,
 		),

pkg/apis/config/testdata/config-tuf-roots.yaml

@@ -0,0 +1,30 @@
+# Copyright 2022 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config-tuf-roots
+  namespace: cosign-system
+  labels:
+    policy.sigstore.dev/release: devel
+
+data:
+  _example: |
+    ################################
+    #                              #
+    #    EXAMPLE CONFIGURATION     #
+    #                              #
+    ################################
+    my-custom-tuf-root: "H4sIAAAAAAAA/+x6V3MbudL2XvNXqHSrb61GBlx1LoY5iFEUJeqrU65GYg7ikKLEU/vf36KCLYdj77u2tX5r+VxoigMI3Wh0eAbAKiwX6Wi9WN3/9tMAAKCEeHzKxydQ/vh8xG+EMyKZYlSR34AwKeVvR+LnqfQBm3SNq98AbnE0wfS/90vXGONXxnmeyPPz/wg+rP8pebNaLNZvxuli/mNl7O0hOf9v688pqE/WX+y7Hb2KEf/h6/+fzNFxOhrMgz9+e/SfzNHR8bv1/TIcvz063nvD8f/bv0qXwb27Dat0tJjvW8gbeGz48I48/A53y9EqpPs+FCj7HfjvQLuEvWX6LVG/g3oLT/85Cffpk8SjY2CGKKmJ14aFaDUxzljGCDMgoxUuekOY8Jx5jWgVcUiks/u+ynFw5Hmgh2Gf1Q+eCkHMg7j9HNwwzL7UMAn3I/9uiOnwHU4Hi9VoPZztVfv/D81Hx+kQqZBPvR9+CkKPH379+8MQtzh9r8XR8XJjpyO3F2aio94qK70iVFMwVlqBxFpjGAQdDY1EctTOeaaN55FETtEzoo1mWttHQX/s//7xIO2YWYUgiHPWEcOVZA4V8daQYCFKYJpZB94pNEJaSaQKxjC0KqJgAFT8wsYilFFBPPU0GB80QwXRGs6s0t4FIMqBIkZSbyHyQDWTlIKjQJi3QknyubE0YHDSMI7BWow8Gq8g2BBtiMxw8ExZLSJ1DIViHqxVSjHFDSgvlHC/sLGMUjF4ETwIDiCF90opxRVYpsEhcEs5dSJEqzxGY6RRTDhrwBKphWCfGyvGgFagQxIsemENi1QyYzhqBMlRKS8C49ILJ6JVylgEQxlXPhIeuf+FjUUE2qgtMYRQ7rng0QshvDaOUGTonbLAkUrnTSRaOAQFQkqMTHDDuHpprMyTwY5Xi2n4kMQe0uVLC4z8S/2/O2w/mup6uArpcDHd25y8WMJ0jst0+FVFvjvZ/ilF1rgahHX6FT2+29v+nB6jWUjXOFt+RZPvThLf0OS9w7jFPB2l6zBfv3uxUBGnacg8dHkoxbjePNbQvX6PvvWg8t6Pv9uLntxkNNiPppFErj0wB4YwoqUVkknFokXvtXAsOsEdiii150EapZmiVLh9qJAQvZXBa+ReeEsgBOEJomJWOBuF1cyFgAKC8zFiVE5SgRScItEwL4SDsDfcH5mjf2f++Ltp0D8WL/j/T2L/f4n/SyoP/P81cOD/B/7/yxjrwP8P/P/A/w/8/8D/D/z/gFfBC/7/7JI//BvgG/yfEPEp/5cC2IH/vwa+wv/fp6if9Q0wC2t8Xz6fCsaD833I1dMwH6yH+7GB0acEu+cIH+ruBy7w9uhY8KgRLETlrZA0EKQyaK7QKIeeeGqNipIQx2V03jnr0XrODAhOHZcEPI1BM6PQGQ4UNdUGkHFLAtFURuK8E5YSZ71hQAxwZj31xEupPNLwRBOeFH1hmfd14E/m+e8u0h/leWK8FYa6CBKtEEFzIqk3yqloiPVSgiJCBmopFVpR1CxGC5RE4bhAR8ASLb30kRlCGEZpI1MUQtACqBFsXwGoVICCWuIsJ0pLF12kCoJggIc8/8viRf5/isAfL+N/f/4vGFOH8//XwOfrf+rWMbxZbuwPk/Gt+s9BfrL+CgQc6v9r4Pc9soVSpXHUOU+OWhfZs0ruqFboPzRk6pVKLjeo5ZJBIdmQZMjntKWrpbWh7YGWRd/RkSwXG87u534wqG86uSuoZk/s2ZysLoqdJFNr9/zJ3XzueeuqenbmZ1N9vRjmVjAdZjf1u2u1y+7W0DV6YqcXubvsIMm2GsvLyqQ7QHef05n6tNLvn95nzzf5y6TaTESlNuLloZlXTuoze1q8GtjmTqCYXd/prVrWR936Bk463rjWrjO5uM7k2/E6PWs2VrK1nd3nksoZWdQ0xHB7V7tu1Qtw0dO22Lqcd+5CD4sr4b0/zTfDvKfL8rx1n1nxZt6eNyvr5VSwe5nsYMaK3cpF1O48ve8oHwt8t0xYnfvxeL2o5RvFTtodX9DOZa99aa4ydbzb7ealXml4VthOcidpf9wRjfZtWYxGndse0TcnuVL7pnFFTy4v6+y8tVnfs7nTspNtdKDYzAzO2wl0z2gzSaWtNmZx57bXd0mtb8fqVOv1WN6sxmfYXhe7NjujqE66STum7KI7ao8AdplCvn8Tzsf0sn2LrjEj/rKQ3N9Bu3FWHtVK3Tnvng9LY312sSjdj6tU9mWvlS7Wt7nFWI/rEDLY0C1nTpP+/bZXOWlP1mNsXaOqlcrsqlquTrqVdrvjLu6a63y6ri3dapSEmE/1eHwmxhuzzogquyncDnYzN21Ua535FPmSzbAOt5MT7XKqcFXv8RbZbXLbFcMJlovVhegDFoe1dF6+6WacgrM4Ki5OT/VpO729H59VLtaFy3J3UgqbyFtL279aiZtlVa4vhyVaTzp3Pgx0LtkWkqT9r39lHhy60Mh/yc//7ij8+/CF/B83UzdavLslb9xq/WYZZt8r45v5X4mP8z8FCYfzn1fBi/yfK3S6lWIll3QLH5J/Y5fLJZ4Okm0lmwwq3dZZdpFtD6dkeFNs5M35yXnp0sYddrpJLTsY3Awn42ar3c4n4+wiU2+n21y7n++126XCtto73xXO69mklJCLQi5br/boNPXlxgKvqtN6p74tPPYtF7bLPJam24wr9TZYKq7rbb3NPzbWCtvr8+vLTqV/1b7L5/dSG71sknYTaFx0d4VOPdEPApK7eiXjS72dLzWmbt7eloeuUR8XtvVd4b4+rt838m1xuX+3K2zr4wp//26cXTxrnvmrqj9rnvmrqj9rntmrftlNutmBe7JuJfvB0vVsdtvIJUm7Mz9JpveLKO9arNTOTc+3gx40ipt+pl/Yzmqt08uzy9Xp2TYrzy76u7W45aYzvSlpVttg9XwZmmNVUvVekvXLynX/cnuTjK57bEH728x1PmnuVS23dTaJupBN6rmk3d8WBv18rwPdpF0+zSaDbXZQyJ7u/aSb+Mf+vFActC8yXV3dzmR107Pg09GmfNFpjsrNZq/cm2zL24dBxtnsYFtcJBdf6pt57pwb9Cu1xXVlN4ZCsq3kz5Nk22lXhkl10rietWRaS050IdjOVXGSRZNvjdFll12XaU7H1cX6tjbynWEySjaNVQV3tcKWlrjf6juyk4X+xJROVKy2xMwwO56dVmM9u05eVo5PI+TvDt4fgC/k/1WYLFY/8gPgG/kfqCSf8n/K1SH/vwZe5P/PuH9xsi1s++WngNuH/HPw5ZO2y7cHSaEoxzTtVtZnLoVtbdFc1neVEzOtznK7mGnIWZ8uV82A2U6P+nla3eUMHzbvJnWxPF+auU1qpJttVriIzWYrLdPVeefkpLz6KOgOVO1n4vP4//FXgL4R/xTIp/s/kgE9xP9r4Cv7/89HuD9r+/+TI+Lj532nL+z+K8W/vflvjHQoiGIBGXKtNEPvMIKWjChFdUDvEXzgCokRFqyXmgIPQlMTpAsYQ7SKUxmYclEGZcEQ0BSdjDEwxZwRQTJj0PMYwVmMiEIpJYLVFvQXLlR8+iX1halpar49NRqC0Y5ShkghUqoJCyZY7iTlFNFbaZkyjnEN1jpOhTHaSSk1k1FQY0EHLSVlkiBYFBQcQ0YF0VGgQyRGBxnFXoZhaAMLJAATlnACCFrh51N7TxK+dFaj1LenJBG8doFraTmiQmoZ2AiGA2plEMATa6li2nGtuOAsEGWUJp5TqwMST2hkXBrtnRGW2RCsUVoAk1FFShUNNDpDrTEcgaMTBgMX2orIkaJyn97o+JMHM999a+Gjg5nAMIJgVplAg+UBFNEESdBWWeal1J4674W2KiqhhGEuWBcMeJBowSGhDB3hIUqqHAhCUUrhpHeeUYIYlJFBE0ql1CSKGE2whAYGUlnNBMTDwcw/HS/r//NVmR/NAL55/i8/q/+Sk0P9fw18rf6/vzr1KhcAPrp+8oWqIin7ExcAovVahhC99EJZwwKgIRhs4CEAU8Lr4DnwaAwzgUmQhmpOmQOC3DglDGhOmJEKHKWGSR6jJBAeGGnkikGgwCVFRxCFNpo6aZnV2nvpjbU/7ALAd99J+6jOUMEYRkWAcmZ1VIFwQ4kBSTglmgcSjeTec1TCg3HUBMUJE4FFwUNAQjByL2gkQggjo2csmBgp5Tx4qRwgjUJ5E4wHDS4oETnhUlkRqQ8B7KHOHHDAAQf8avifAAAA//8nr2ImAEQAAA=="

pkg/apis/config/tuf_roots.go

@@ -0,0 +1,122 @@
+//
+// Copyright 2022 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package config
+
+import (
+	"encoding/json"
+	"fmt"
+
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/yaml"
+)
+
+const (
+	// SigstoreKeysConfigName is the name of ConfigMap created by the
+	// reconciler and consumed by the admission webhook for validating.
+	SigstoreKeysConfigName = "config-sigstore-keys"
+)
+
+// serializedTUF represents a serialized TUF Root that has root.json as well as
+// the serialized Repository for it.
+type serializedTUF struct {
+	// This is the initial root.json file.
+	RootJSON []byte `json:"rootJSON"`
+	// This is the serialized TUF repository
+	Repository []byte `json:"repository"`
+}
+
+// SigstoreKeys contains all the necessary Keys and Certificates for validating
+// against a specific instance of Sigstore.
+type SigstoreKeys struct {
+	// FulcioRoots has Fulcio Root Certificates.
+	// TODO(vaikas); Should there really be multiples here?
+	FulcioRoots [][]byte `json:"fulcioRoots"`
+	// FulcioIntermediates has Fulcio Intermediate Certificates
+	// TODO(vaikas); Should there really be multiples here?
+	FulcioIntermediates [][]byte `json:"fulcioIntermediates"`
+	RekorKeys           [][]byte `json:"rekorKeys"`
+	CTLogKeys           [][]byte `json:"ctLogKeys"`
+	TSAKeys             []byte   `json:"tsaKeys"`
+}
+
+type SigstoreKeysMap struct {
+	SigstoreKeys map[string]SigstoreKeys
+}
+
+// NewSigstoreKeysFromMap creates a map of SigstoreKeys to use for validation.
+func NewSigstoreKeysFromMap(data map[string]string) (map[string]SigstoreKeys, error) {
+	ret := make(map[string]SigstoreKeys, len(data))
+	// Spin through the ConfigMap. Each entry will have a serialized form of
+	// necessary validation keys in the form of SigstoreKeys.
+	for k, v := range data {
+		// This is the example that we use to document / test the ConfigMap.
+		if k == "_example" {
+			continue
+		}
+		if v == "" {
+			return nil, fmt.Errorf("configmap has an entry %q but no value", k)
+		}
+		sigstoreKeys := &SigstoreKeys{}
+
+		if err := parseSigstoreKeys(v, sigstoreKeys); err != nil {
+			return nil, fmt.Errorf("failed to parse the entry %q : %q : %w", k, v, err)
+		}
+		ret[k] = *sigstoreKeys
+	}
+	return ret, nil
+}
+
+// NewImagePoliciesConfigFromConfigMap creates a Features from the supplied ConfigMap
+func NewSigstoreKeysFromConfigMap(config *corev1.ConfigMap) (map[string]SigstoreKeys, error) {
+	return NewSigstoreKeysFromMap(config.Data)
+}
+
+func parseSigstoreKeys(entry string, out interface{}) error {
+	j, err := yaml.YAMLToJSON([]byte(entry))
+	if err != nil {
+		return fmt.Errorf("config's value could not be converted to JSON: %w : %s", err, entry)
+	}
+	return json.Unmarshal(j, &out)
+}
+
+// CreateTUFClientFromSerialized takes a serialized TUF Repository which has
+// been tarred, gzipped and base64 encoded.
+// unmarshals it and returns an initialized TUF Client.
+/*
+func CreateTUFClientFromSerialized(in []byte, targets string) (*client.Client, error) {
+	serialized := &serializedTUF{}
+	if err := json.Unmarshal(in, serialized); err != nil {
+		return nil, fmt.Errorf("unmarshaling %w", err)
+	}
+
+	decoded := make([]byte, 0, len(in))
+	_, err := base64.RawStdEncoding.Decode(decoded, in)
+	if err != nil {
+		return nil, fmt.Errorf("base64 decoding: %w", err)
+	}
+	remoteFS, err := tuf.UncompressMemFS(bytes.NewReader(decoded))
+	if err != nil {
+		return nil, fmt.Errorf("uncompressing: %w", err)
+	}
+
+	remote, err := client.NewFileRemoteStore(remoteFS, targets)
+	local := client.MemoryLocalStore()
+	client := client.NewClient(local, remote)
+
+	// Does this need to be inited here or something?
+	return client, nil
+}
+*/