diff --git a/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_types.go b/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_types.go
index c7f7292a210..c4a6329e279 100644
--- a/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_types.go
+++ b/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_types.go
@@ -115,6 +115,9 @@ type KeyRef struct {
 type Source struct {
 // +optional
 OCI string `json:"oci,omitempty"`
+ // SignaturePullSecrets is an optional list of references to secrets in the
+ // same namespace as the deploying resource for pulling any of the signatures
+ // used by this Source.
 // +optional
 SignaturePullSecrets []v1.LocalObjectReference `json:"signaturePullSecrets,omitempty"`
 }
diff --git a/pkg/cosign/kubernetes/webhook/validator.go b/pkg/cosign/kubernetes/webhook/validator.go
index 3e8fe3965a5..d1a2454fd1a 100644
--- a/pkg/cosign/kubernetes/webhook/validator.go
+++ b/pkg/cosign/kubernetes/webhook/validator.go
@@ -322,7 +322,7 @@ func ValidatePolicy(ctx context.Context, namespace string, ref name.Reference, c
 name string
 attestations map[string][]PolicySignature
 signatures []PolicySignature
- errs []error
+ err error
 }
 results := make(chan retChannelType, len(cip.Authorities))
 for _, authority := range cip.Authorities {
@@ -337,7 +337,9 @@ func ValidatePolicy(ctx context.Context, namespace string, ref name.Reference, c
 signaturePullSecretsOpts, err := authority.SourceSignaturePullSecretsOpts(ctx, namespace)
 if err != nil {
- result.errs = append(result.errs, err)
+ result.err = err
 results <- result
 return
 }
 authorityRemoteOpts = append(authorityRemoteOpts, signaturePullSecretsOpts...)
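Review bot: The new doc comment on SignaturePullSecrets says which namespace the secrets live in but not who reads them or what happens when a reference cannot be resolved, which is the part a policy author needs to get right. The validator.go hunks on this page show the webhook resolving them itself via `authority.SourceSignaturePullSecretsOpts(ctx, namespace)` and reporting a failure as that authority's error rather than continuing without credentials, so the comment could add: `// The secrets are read by the policy webhook at admission time, so the webhook must be able to read them; a reference that cannot be resolved is reported as an error for this authority rather than ignored.` Confirm that against the RBAC the webhook is deployed with before stating the read requirement as fact.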
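Review bot: The early return added after `result.err = err` is the fail-closed branch of this goroutine — without the pull-secret options the signatures cannot be fetched, so verification is skipped for this authority — but nothing in the code says so, and a later edit that drops the `return` would silently fall back to verifying without credentials, which the test change in this commit (`cvs: fail`) appears designed to catch. A one-line comment above the send would pin the intent: `// Fail closed: no pull-secret options means no signature fetch, so report the error and skip verification.` The error is also passed through bare; unless the callee already names the source, `result.err = fmt.Errorf("authority %q: resolving signature pull secrets: %w", result.name, err)` would make the aggregated error attributable (assuming result.name is populated before this point and fmt is imported, neither visible here). The `results <- result` and `return` lines show no `+` marker in this rendering, but the hunk's +2 line count indicates they are additions; the enclosing goroutine and ValidatePolicy both start and end outside the hunk.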
@@ -345,14 +347,14 @@ func ValidatePolicy(ctx context.Context, namespace string, ref name.Reference, c
 // We're doing the verify-attestations path, so validate (.att)
 validatedAttestations, err := ValidatePolicyAttestationsForAuthority(ctx, ref, authority, authorityRemoteOpts...)
 if err != nil {
- result.errs = append(result.errs, err)
+ result.err = err
 } else {
 result.attestations = validatedAttestations
 }
 } else {
 validatedSignatures, err := ValidatePolicySignaturesForAuthority(ctx, ref, authority, authorityRemoteOpts...)
 if err != nil {
- result.errs = append(result.errs, err)
+ result.err = err
 } else {
 result.signatures = validatedSignatures
 }
@@ -376,8 +378,8 @@ func ValidatePolicy(ctx context.Context, namespace string, ref name.Reference, c
 continue
 }
 switch {
- case len(result.errs) > 0:
- authorityErrors = append(authorityErrors, result.errs...)
+ case result.err != nil:
+ authorityErrors = append(authorityErrors, result.err)
 case len(result.signatures) > 0:
 policyResult.AuthorityMatches[result.name] = AuthorityMatch{Signatures: result.signatures}
 case len(result.attestations) > 0:
diff --git a/pkg/cosign/kubernetes/webhook/validator_test.go b/pkg/cosign/kubernetes/webhook/validator_test.go
index feae66c2c66..183ef8e7bd1 100644
--- a/pkg/cosign/kubernetes/webhook/validator_test.go
+++ b/pkg/cosign/kubernetes/webhook/validator_test.go
@@ -531,7 +531,7 @@ UoJou2P8sbDxpLiE/v3yLw1/jyOrCPWYHWFXnyyeGlkgSVefG54tNoK7Uw==
 return errs
 }(),
- cvs: authorityPublicKeyCVS,
+ cvs: fail,
 }, {
 name: "simple, no error, authority source signaturePullSecrets, valid secret",
 ps: &corev1.PodSpec{
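Review bot: The `case result.err != nil:` arm is placed before the signature and attestation arms, so an authority that failed — including one that could not resolve its pull secrets — never contributes a match, but nothing marks that ordering as load-bearing and a reorder would turn a failed authority into a pass. A comment on the switch would protect it: `// Error first: a failed authority never counts as a match, whatever else its result carries.` If the callee errors do not already name the authority, `authorityErrors = append(authorityErrors, fmt.Errorf("authority %q: %w", result.name, result.err))` makes the aggregated failure attributable (assuming fmt is imported, not visible here). The remaining switch arms and the end of ValidatePolicy lie outside the hunk.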