Plumb TrustRoot CRD through to CIP CRDs. Make TrustRoot available to webhook, clean up and refactor checkOpts logic. #436
Conversation
…vailable to webhook. Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
…rough. Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
Codecov Report
@@ Coverage Diff @@
## main #436 +/- ##
==========================================
- Coverage 53.11% 51.97% -1.14%
==========================================
Files 38 38
Lines 3660 3771 +111
==========================================
+ Hits 1944 1960 +16
- Misses 1585 1672 +87
- Partials 131 139 +8
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
…h case use offline. Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
|
I'm just adding some more tests :)
…On Tue, Dec 13, 2022 at 7:14 AM Hector Fernandez ***@***.***> wrote:
***@***.**** commented on this pull request.
Generally it looks good to me. Is it ready for a final review ?
—
Reply to this email directly, view it on GitHub
<#436 (review)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ACWB45DPVRPMCDT65OJX7STWNCHENANCNFSM6AAAAAAS2CBXM4>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
|
@hectorj2f ready to go now. |
vaikas
changed the title
| type: object | ||
| properties: | ||
| trustRootRef: | ||
| description: Use the Public Key from the referred TrustRoot.TLog |
There was a problem hiding this comment.
I realized we are using a confusing mix of terms between CTLog and TLog imho. CTLog sets the configuration to verify the authority against a Rekor instance.For the SigstoreKey, we refer to TLog as that rekor instance. Aren't we mixing these two terms ? Or it is just me :).
There was a problem hiding this comment.
You're not the only one confused :) That was an early screw up in the namings. I reckon we should fix this in the move to say v1beta2 or whatever the next one is that allows us to break the namings. But rather than keep the bad naming going, I tried to fix it here to be consistent with what we want it to be.
There was a problem hiding this comment.
I feel my confusion comes from the usage of ctlog here https://github.com/sigstore/policy-controller/pull/436/files#diff-83af2b17cb5361a5b3357d63c88e4965bfa07cb58917fbc0b88dd071cea39ccaR113 when we refer to a TLog resource type.
There was a problem hiding this comment.
The top level (the one on L103 is the broken name, it should be TLog). The object it points to internally is Tlog, and there we use TLog.
Spec.CTLog Should really be Spec.TLog.
There was a problem hiding this comment.
I opened #442
to track this for the next API rev.
| | url | URL defines a url to the keyless instance. | apis.URL | false | | ||
| | identities | Identities sets a list of identities. | [][Identity](#identity) | false | | ||
| | ca-cert | CACert sets a reference to CA certificate | [KeyRef](#keyref) | false | | ||
| | trustRootRef | Use the Certificate Chain from the referred TrustRoot.CertificateAuthorities and TrustRoot.CTLog | string | false | |
There was a problem hiding this comment.
I thought you wrote TrustRoot.TLog in the description. You use TrustRoot.CTLog here.
There was a problem hiding this comment.
I see you refer to the keyless, so you use CTLog although I will assume you refer to the rekor instance instead and so use TLog.
There was a problem hiding this comment.
Well, this one is actually the CTLog, since it's the CA for Fulcio, and the CTLog for the Trillian that Fulcio writes to.
| URL *apis.URL `json:"url,omitempty"` | ||
| // Use the Public Key from the referred TrustRoot.TLog | ||
| // +optional | ||
| TrustRootRef string `json:"trustRootRef,omitempty"` |
There was a problem hiding this comment.
I assume this value is referred to the name of the TrustRoot, don't you prefer to use an ObjectReference instead ?
There was a problem hiding this comment.
Felt like overkill here since then we'd need to plumb in the gvk stuff as well. If you feel strongly, I can change it, just felt it would convolute the API unnecessarily.
There was a problem hiding this comment.
Also, because where it gets used it's been normalized to configmap, just felt wonky too.
There was a problem hiding this comment.
Definitely it isn't a blocker. You could use a LocalObjectReference due to the cluster scope of trustroots.
3 participants
Summary
Wire the configmap through to the webhook so that we can start pulling the keys from it for validation. Add new fields to CIP to refer to TrustRoot so that you can specify which keys/certs should be used for validation.
Pretty big cleanup / refactoring on the validation logic to clean it up and not pass so much stuff through all over the place, unify by using cosign.CheckOpts for passing arguments, and construct them as appropriate.
Fixes #133
Release Note
Documentation