early return err; add signaturePullSecrets comment

Signed-off-by: Denny Hoang <dhoang@vmware.com>
sigstore · Apr 28, 2022 · 350e17e · 350e17e
1 parent 65bd3fd
commit 350e17e
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 7 deletions.
diff --git a/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_types.go b/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_types.go
@@ -115,6 +115,9 @@ type KeyRef struct {
 type Source struct {
 	// +optional
 	OCI string `json:"oci,omitempty"`
+	// SignaturePullSecrets is an optional list of references to secrets in the
+	// same namespace as the deploying resource for pulling any of the signatures
+	// used by this Source.
 	// +optional
 	SignaturePullSecrets []v1.LocalObjectReference `json:"signaturePullSecrets,omitempty"`
 }

diff --git a/pkg/cosign/kubernetes/webhook/validator.go b/pkg/cosign/kubernetes/webhook/validator.go
@@ -322,7 +322,7 @@ func ValidatePolicy(ctx context.Context, namespace string, ref name.Reference, c
 		name         string
 		attestations map[string][]PolicySignature
 		signatures   []PolicySignature
-		errs         []error
+		err          error
 	}
 	results := make(chan retChannelType, len(cip.Authorities))
 	for _, authority := range cip.Authorities {
@@ -337,22 +337,24 @@ func ValidatePolicy(ctx context.Context, namespace string, ref name.Reference, c
 
 			signaturePullSecretsOpts, err := authority.SourceSignaturePullSecretsOpts(ctx, namespace)
 			if err != nil {
-				result.errs = append(result.errs, err)
+				result.err = err
+				results <- result
+				return
 			}
 			authorityRemoteOpts = append(authorityRemoteOpts, signaturePullSecretsOpts...)
 
 			if len(authority.Attestations) > 0 {
 				// We're doing the verify-attestations path, so validate (.att)
 				validatedAttestations, err := ValidatePolicyAttestationsForAuthority(ctx, ref, authority, authorityRemoteOpts...)
 				if err != nil {
-					result.errs = append(result.errs, err)
+					result.err = err
 				} else {
 					result.attestations = validatedAttestations
 				}
 			} else {
 				validatedSignatures, err := ValidatePolicySignaturesForAuthority(ctx, ref, authority, authorityRemoteOpts...)
 				if err != nil {
-					result.errs = append(result.errs, err)
+					result.err = err
 				} else {
 					result.signatures = validatedSignatures
 				}
@@ -376,8 +378,8 @@ func ValidatePolicy(ctx context.Context, namespace string, ref name.Reference, c
 				continue
 			}
 			switch {
-			case len(result.errs) > 0:
-				authorityErrors = append(authorityErrors, result.errs...)
+			case result.err != nil:
+				authorityErrors = append(authorityErrors, result.err)
 			case len(result.signatures) > 0:
 				policyResult.AuthorityMatches[result.name] = AuthorityMatch{Signatures: result.signatures}
 			case len(result.attestations) > 0:

diff --git a/pkg/cosign/kubernetes/webhook/validator_test.go b/pkg/cosign/kubernetes/webhook/validator_test.go
@@ -531,7 +531,7 @@ UoJou2P8sbDxpLiE/v3yLw1/jyOrCPWYHWFXnyyeGlkgSVefG54tNoK7Uw==
 
 			return errs
 		}(),
-		cvs: authorityPublicKeyCVS,
+		cvs: fail,
 	}, {
 		name: "simple, no error, authority source signaturePullSecrets, valid secret",
 		ps: &corev1.PodSpec{