sigstore · dlorenc · Apr 29, 2022 · Apr 26, 2022 · Apr 26, 2022 · Apr 26, 2022
diff --git a/config/300-clusterimagepolicy.yaml b/config/300-clusterimagepolicy.yaml
@@ -139,6 +139,15 @@ spec:
                           properties:
                             oci:
                               type: string
+                            signaturePullSecrets:
+                              description: SignaturePullSecrets is an optional list of references to secrets in the same namespace as the deploying resource for pulling any of the signatures used by this Source.
+                              type: array
+                              items:
+                                type: object
+                                properties:
+                                  name:
+                                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                    type: string
                 images:
                   type: array
                   items:

diff --git a/pkg/apis/config/image_policies_test.go b/pkg/apis/config/image_policies_test.go
@@ -154,6 +154,37 @@ func TestGetAuthorities(t *testing.T) {
 	if got := c[matchedPolicy].Authorities[0].Attestations[0].Data; got != want {
 		t.Errorf("Did not get what I wanted %q, got %+v", want, got)
 	}
+
+	// Test source oci
+	matchedPolicy = "cluster-image-policy-source-oci"
+	c, err = defaults.GetMatchingPolicies("sourceocionly")
+	checkGetMatches(t, c, err)
+	if len(c) != 1 {
+		t.Errorf("Wanted 1 match, got %d", len(c))
+	}
+
+	checkSourceOCI(t, c[matchedPolicy].Authorities)
+	want = "example.registry.com/alternative/signature"
+	if got := c[matchedPolicy].Authorities[0].Sources[0].OCI; got != want {
+		t.Errorf("Did not get what I wanted %q, got %+v", want, got)
+	}
+
+	// Test source signaturePullSecrets
+	matchedPolicy = "cluster-image-policy-source-oci-signature-pull-secrets"
+	c, err = defaults.GetMatchingPolicies("sourceocisignaturepullsecrets")
+	checkGetMatches(t, c, err)
+	if len(c) != 1 {
+		t.Errorf("Wanted 1 match, got %d", len(c))
+	}
+
+	checkSourceOCI(t, c[matchedPolicy].Authorities)
+	if got := len(c[matchedPolicy].Authorities[0].Sources[0].SignaturePullSecrets); got != 1 {
+		t.Errorf("Did not get what I wanted %d, got %d", 1, got)
+	}
+	want = "examplePullSecret"
+	if got := c[matchedPolicy].Authorities[0].Sources[0].SignaturePullSecrets[0].Name; got != want {
+		t.Errorf("Did not get what I wanted %q, got %+v", want, got)
+	}
 }
 
 func checkGetMatches(t *testing.T, c map[string]webhookcip.ClusterImagePolicy, err error) {
@@ -191,3 +222,19 @@ func checkPublicKey(t *testing.T, gotKey crypto.PublicKey) {
 		t.Errorf("Did not get what I wanted %s, got %s", inlineKeyData, string(pemBytes))
 	}
 }
+
+func checkSourceOCI(t *testing.T, authority []webhookcip.Authority) {
+	t.Helper()
+
+	if got := len(authority); got != 1 {
+		t.Errorf("Did not get what I wanted %d, got %d", 1, got)
+	}
+	if got := len(authority[0].Sources); got != 1 {
+		t.Errorf("Did not get what I wanted %d, got %d", 1, got)
+	}
+
+	want := len(authority[0].Sources)
+	if got := len(authority[0].RemoteOpts); got != want {
+		t.Errorf("Did not get what I wanted %d, got %d", want, got)
+	}
+}
diff --git a/pkg/apis/config/store_test.go b/pkg/apis/config/store_test.go
@@ -20,6 +20,7 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
+	"github.com/sigstore/cosign/pkg/oci/remote"
 	"k8s.io/apimachinery/pkg/api/resource"
 	logtesting "knative.dev/pkg/logging/testing"
 
@@ -28,6 +29,8 @@ import (
 
 var ignoreStuff = cmp.Options{
 	cmpopts.IgnoreUnexported(resource.Quantity{}),
+	// Ignore functional remote options
+	cmpopts.IgnoreTypes((remote.Option)(nil)),
 }
 
 func TestStoreLoadWithContext(t *testing.T) {

diff --git a/pkg/apis/config/testdata/config-image-policies.yaml b/pkg/apis/config/testdata/config-image-policies.yaml
@@ -105,3 +105,23 @@ data:
       policy:
         type: cue
         data: "cip level cue here"
+    cluster-image-policy-source-oci: |
+      images:
+      - regex: .*sourceocionly.*
+      authorities:
+      - name: attestation-0
+        key:
+          data: inlinedata here
+        source:
+        - oci: "example.registry.com/alternative/signature"
+    cluster-image-policy-source-oci-signature-pull-secrets: |
+      images:
+      - regex: .*sourceocisignaturepullsecrets.*
+      authorities:
+      - name: attestation-0
+        key:
+          data: inlinedata here
+        source:
+        - oci: "example.registry.com/alternative/signature"
+          signaturePullSecrets:
+          - name: examplePullSecret
diff --git a/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_types.go b/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_types.go
@@ -115,6 +115,11 @@ type KeyRef struct {
 type Source struct {
 	// +optional
 	OCI string `json:"oci,omitempty"`
+	// SignaturePullSecrets is an optional list of references to secrets in the
+	// same namespace as the deploying resource for pulling any of the signatures
+	// used by this Source.
+	// +optional
+	SignaturePullSecrets []v1.LocalObjectReference `json:"signaturePullSecrets,omitempty"`
 }
 
 // TLog specifies the URL to a transparency log that holds

diff --git a/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation.go b/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation.go
@@ -84,8 +84,8 @@ func (authority *Authority) Validate(ctx context.Context) *apis.FieldError {
 		errs = errs.Also(authority.Keyless.Validate(ctx).ViaField("keyless"))
 	}
 
-	for _, source := range authority.Sources {
-		errs = errs.Also(source.Validate(ctx).ViaField("source"))
+	for i, source := range authority.Sources {
+		errs = errs.Also(source.Validate(ctx).ViaFieldIndex("source", i))
 	}
 
 	for _, att := range authority.Attestations {
@@ -144,6 +144,14 @@ func (source *Source) Validate(ctx context.Context) *apis.FieldError {
 	if source.OCI == "" {
 		errs = errs.Also(apis.ErrMissingField("oci"))
 	}
+
+	if len(source.SignaturePullSecrets) > 0 {
+		for i, secret := range source.SignaturePullSecrets {
+			if secret.Name == "" {
+				errs = errs.Also(apis.ErrMissingField("name")).ViaFieldIndex("signaturePullSecrets", i)
+			}
+		}
+	}
 	return errs
 }
 

diff --git a/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation_test.go b/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation_test.go
@@ -19,6 +19,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/require"
+	v1 "k8s.io/api/core/v1"
 	"knative.dev/pkg/apis"
 )
 
@@ -415,7 +416,7 @@ func TestAuthoritiesValidation(t *testing.T) {
 		{
 			name:        "Should fail when source oci is empty",
 			expectErr:   true,
-			errorString: "missing field(s): spec.authorities[0].source.oci",
+			errorString: "missing field(s): spec.authorities[0].source[0].oci",
 			policy: ClusterImagePolicy{
 				Spec: ClusterImagePolicySpec{
 					Images: []ImagePattern{{Regex: ".*"}},
@@ -486,6 +487,51 @@ func TestAuthoritiesValidation(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:        "Should fail with signaturePullSecret name empty",
+			expectErr:   true,
+			errorString: "missing field(s): spec.authorities[0].source[0].signaturePullSecrets[0].name",
+			policy: ClusterImagePolicy{
+				Spec: ClusterImagePolicySpec{
+					Images: []ImagePattern{{Regex: ".*"}},
+					Authorities: []Authority{
+						{
+							Key: &KeyRef{KMS: "kms://key/path"},
+							Sources: []Source{
+								{
+									OCI: "registry1",
+									SignaturePullSecrets: []v1.LocalObjectReference{
+										{Name: ""},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name:      "Should pass with signaturePullSecret name filled",
+			expectErr: false,
+			policy: ClusterImagePolicy{
+				Spec: ClusterImagePolicySpec{
+					Images: []ImagePattern{{Regex: ".*"}},
+					Authorities: []Authority{
+						{
+							Key: &KeyRef{KMS: "kms://key/path"},
+							Sources: []Source{
+								{
+									OCI: "registry1",
+									SignaturePullSecrets: []v1.LocalObjectReference{
+										{Name: "testPullSecrets"},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
 	}
 
 	for _, test := range tests {

diff --git a/pkg/apis/cosigned/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/cosigned/v1alpha1/zz_generated.deepcopy.go
diff --git a/pkg/cosign/kubernetes/webhook/clusterimagepolicy/clusterimagepolicy_types.go b/pkg/cosign/kubernetes/webhook/clusterimagepolicy/clusterimagepolicy_types.go
@@ -15,17 +15,21 @@
 package clusterimagepolicy
 
 import (
+	"context"
 	"crypto"
 	"crypto/x509"
 	"encoding/json"
 	"encoding/pem"
 
+	"github.com/google/go-containerregistry/pkg/authn/k8schain"
 	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
 	"github.com/pkg/errors"
 	"github.com/sigstore/cosign/pkg/apis/cosigned/v1alpha1"
-	"github.com/sigstore/cosign/pkg/oci/remote"
-
+	ociremote "github.com/sigstore/cosign/pkg/oci/remote"
 	"knative.dev/pkg/apis"
+	kubeclient "knative.dev/pkg/client/injection/kube/client"
+	"knative.dev/pkg/logging"
 )
 
 // ClusterImagePolicy defines the images that go through verification
@@ -58,7 +62,7 @@ type Authority struct {
 	// RemoteOpts are not marshalled because they are an unsupported type
 	// RemoteOpts will be populated by the Authority UnmarshalJSON override
 	// +optional
-	RemoteOpts []remote.Option `json:"-"`
+	RemoteOpts []ociremote.Option `json:"-"`
 	// +optional
 	Attestations []AttestationPolicy `json:"attestations,omitempty"`
 }
@@ -139,7 +143,7 @@ func (a *Authority) UnmarshalJSON(data []byte) error {
 			if targetRepoOverride, err := name.NewRepository(source.OCI); err != nil {
 				return errors.Wrap(err, "failed to determine source")
 			} else if (targetRepoOverride != name.Repository{}) {
-				rawAuthority.RemoteOpts = append(rawAuthority.RemoteOpts, remote.WithTargetRepository(targetRepoOverride))
+				rawAuthority.RemoteOpts = append(rawAuthority.RemoteOpts, ociremote.WithTargetRepository(targetRepoOverride))
 			}
 		}
 	}
@@ -149,6 +153,35 @@ func (a *Authority) UnmarshalJSON(data []byte) error {
 	return nil
 }
 
+// SourceSignaturePullSecretsOpts creates the signaturePullSecrets remoteOpts
+// This is not stored in the Authority under RemoteOpts as the namespace can be different
+func (a *Authority) SourceSignaturePullSecretsOpts(ctx context.Context, namespace string) ([]ociremote.Option, error) {
+	var ret []ociremote.Option
+	for _, source := range a.Sources {
+		if len(source.SignaturePullSecrets) > 0 {
+			signaturePullSecrets := make([]string, 0, len(source.SignaturePullSecrets))
+			for _, s := range source.SignaturePullSecrets {
+				signaturePullSecrets = append(signaturePullSecrets, s.Name)
+			}
+
+			opt := k8schain.Options{
+				Namespace:        namespace,
+				ImagePullSecrets: signaturePullSecrets,
+			}
+
+			kc, err := k8schain.New(ctx, kubeclient.Get(ctx), opt)
+			if err != nil {
+				logging.FromContext(ctx).Errorf("failed creating keychain: %+v", err)
+				return nil, err
+			}
+
+			ret = append(ret, ociremote.WithRemoteOptions(remote.WithAuthFromKeychain(kc)))
+		}
+	}
+
+	return ret, nil
+}
+
 func ConvertClusterImagePolicyV1alpha1ToWebhook(in *v1alpha1.ClusterImagePolicy) *ClusterImagePolicy {
 	copyIn := in.DeepCopy()