v1beta1 API for cosigned #1890

Merged
merged 7 commits into from May 18, 2022
49 changes: 43 additions & 6 deletions cmd/cosign/policy_webhook/main.go
Expand Up @@ -28,11 +28,14 @@ import (
"knative.dev/pkg/webhook"
"knative.dev/pkg/webhook/certificates"
"knative.dev/pkg/webhook/resourcesemantics"
"knative.dev/pkg/webhook/resourcesemantics/conversion"
"knative.dev/pkg/webhook/resourcesemantics/defaulting"
"knative.dev/pkg/webhook/resourcesemantics/validation"
"sigs.k8s.io/release-utils/version"

"github.com/sigstore/cosign/pkg/apis/cosigned"
"github.com/sigstore/cosign/pkg/apis/cosigned/v1alpha1"
"github.com/sigstore/cosign/pkg/apis/cosigned/v1beta1"
"github.com/sigstore/cosign/pkg/reconciler/clusterimagepolicy"

// Register the provider-specific plugins
Expand Down Expand Up @@ -61,6 +64,13 @@ var (
validatingWebhookName = flag.String("validating-webhook-name", "validating.clusterimagepolicy.sigstore.dev", "The name of the validating webhook configuration as well as the webhook name that is automatically configured, if exists, with different rules and client settings setting how the admission requests to be dispatched to policy-webhook.")
)

var types = map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
// v1alpha1
v1alpha1.SchemeGroupVersion.WithKind("ClusterImagePolicy"): &v1alpha1.ClusterImagePolicy{},
// v1beta1
v1beta1.SchemeGroupVersion.WithKind("ClusterImagePolicy"): &v1beta1.ClusterImagePolicy{},
}

func main() {
opts := webhook.Options{
ServiceName: "policy-webhook",
Expand All @@ -81,6 +91,7 @@ func main() {
clusterimagepolicy.NewController,
NewPolicyValidatingAdmissionController,
NewPolicyMutatingAdmissionController,
newConversionController,
)
}

Expand All @@ -89,9 +100,7 @@ func NewPolicyValidatingAdmissionController(ctx context.Context, cmw configmap.W
ctx,
*validatingWebhookName,
"/validating",
map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
v1alpha1.SchemeGroupVersion.WithKind("ClusterImagePolicy"): &v1alpha1.ClusterImagePolicy{},
},
types,
func(ctx context.Context) context.Context {
return ctx
},
Expand All @@ -104,12 +113,40 @@ func NewPolicyMutatingAdmissionController(ctx context.Context, cmw configmap.Wat
ctx,
*mutatingWebhookName,
"/defaulting",
map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
v1alpha1.SchemeGroupVersion.WithKind("ClusterImagePolicy"): &v1alpha1.ClusterImagePolicy{},
},
types,
func(ctx context.Context) context.Context {
return ctx
},
true,
)
}

func newConversionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
// nolint: revive
var (
v1alpha1GroupVersion = v1alpha1.SchemeGroupVersion.Version
v1beta1GroupVersion = v1beta1.SchemeGroupVersion.Version
)

return conversion.NewConversionController(ctx,
// The path on which to serve the webhook
"/resource-conversion",

// Specify the types of custom resource definitions that should be converted
map[schema.GroupKind]conversion.GroupKindConversion{
v1beta1.Kind("ClusterImagePolicy"): {
DefinitionName: cosigned.ClusterImagePolicyResource.String(),
HubVersion: v1alpha1GroupVersion,
Zygotes: map[string]conversion.ConvertibleObject{
v1alpha1GroupVersion: &v1alpha1.ClusterImagePolicy{},
v1beta1GroupVersion: &v1beta1.ClusterImagePolicy{},
},
},
},

// A function that infuses the context passed to ConvertTo/ConvertFrom/SetDefaults with custom metadata
func(ctx context.Context) context.Context {
return ctx
},
)
}
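Review bot: The package-level `types` map and the `Zygotes` map inside newConversionController both enumerate the ClusterImagePolicy versions, and nothing ties them together; a version added to one but not the other would be admitted without validation or served without conversion, and neither failure is loud. A doc comment on the map would at least make the coupling visible: `// types lists every served ClusterImagePolicy version handled by the validating and mutating webhooks; keep it in sync with the Zygotes map in newConversionController.` `HubVersion` is v1alpha1 while the v1beta1 entry in the CRD in this PR is `storage: false`, so v1alpha1 is presumably the storage version; a one-line comment stating that the hub must equal the CRD storage version would help whoever bumps it later. The `// nolint: revive` sits above a `var` block rather than on the line it presumably targets; say what it suppresses or move it next to that line. The identifier `types` would also shadow a `types` package import (for example k8s.io/apimachinery/pkg/types) if one is ever added to this file; a name such as `crdTypes` avoids that.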
19 changes: 9 additions & 10 deletions config/200-clusterrole.yaml
Expand Up @@ -37,16 +37,15 @@ rules:
# which requires we can Get the system namespace.
resourceNames: ["cosign-system"]

# TODO: We will need this once we have conversion webhooks.
# # Allow the reconciliation of exactly our CRDs.
# # This is needed for us to patch in conversion webhook information.
# - apiGroups: ["apiextensions.k8s.io"]
# resources: ["customresourcedefinitions"]
# verbs: ["list", "watch"]
# - apiGroups: ["apiextensions.k8s.io"]
# resources: ["customresourcedefinitions"]
# verbs: ["get", "update"]
# resourceNames: ["clusterimagepolicies.cosigned.sigstore.dev"]
# Allow the reconciliation of exactly our CRDs.
# This is needed for us to patch in conversion webhook information.
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["list", "watch"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "update"]
resourceNames: ["clusterimagepolicies.cosigned.sigstore.dev"]

# Allow reconciliation of the ClusterImagePolic CRDs.
- apiGroups: ["cosigned.sigstore.dev", "validating.clusterimagepolicy.sigstore.dev", "defaulting.clusterimagepolicy.sigstore.dev"]
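Review bot: The `list`/`watch` rule on customresourcedefinitions in the new block is necessarily cluster-wide, because Kubernetes RBAC does not apply `resourceNames` to list and watch, while the `get`/`update` rule is correctly pinned to clusterimagepolicies.cosigned.sigstore.dev; a comment saying so would stop a later reviewer from "tightening" the first rule into one that never matches. The leading comment says the permission is used to "patch in" conversion webhook information, but the verb granted is `update`, not `patch`; `# This is needed so the conversion reconciler can update our CRD with the webhook's client config.` matches what is actually granted. The rules list continues outside the hunk.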
147 changes: 147 additions & 0 deletions config/300-clusterimagepolicy.yaml
Expand Up @@ -175,3 +175,150 @@ spec:
type: string
url:
type: string
- name: v1beta1
served: true
storage: false
schema:
openAPIV3Schema:
type: object
properties:
spec:
description: Spec holds the desired state of the ClusterImagePolicy (from the client).
type: object
properties:
authorities:
type: array
items:
type: object
properties:
attestations:
type: array
items:
type: object
properties:
name:
description: Name of the attestation. These can then be referenced at the CIP level policy.
type: string
policy:
type: object
properties:
configMapRef:
type: object
properties:
name:
description: Name is unique within a namespace to reference a configmap resource.
type: string
namespace:
description: Namespace defines the space within which the configmap name must be unique.
type: string
data:
type: string
type:
description: Which kind of policy this is, currently only rego or cue are supported. Furthermore, only cue is tested :)
type: string
url:
type: string
predicateType:
description: Which predicate type to verify. Matches cosign verify-attestation options.
type: string
ctlog:
type: object
properties:
url:
type: string
key:
type: object
properties:
data:
description: Data contains the inline public key
type: string
kms:
description: KMS contains the KMS url of the public key
type: string
secretRef:
type: object
properties:
name:
description: Name is unique within a namespace to reference a secret resource.
type: string
namespace:
description: Namespace defines the space within which the secret name must be unique.
type: string
keyless:
type: object
properties:
ca-cert:
type: object
properties:
data:
description: Data contains the inline public key
type: string
kms:
description: KMS contains the KMS url of the public key
type: string
secretRef:
type: object
properties:
name:
description: Name is unique within a namespace to reference a secret resource.
type: string
namespace:
description: Namespace defines the space within which the secret name must be unique.
type: string
identities:
type: array
items:
type: object
properties:
issuer:
type: string
subject:
type: string
url:
type: string
name:
description: Name is the name for this authority. Used by the CIP Policy validator to be able to reference matching signature or attestation verifications. If not specified, the name will be authority-<index in array>
type: string
source:
type: array
items:
type: object
properties:
oci:
type: string
signaturePullSecrets:
description: SignaturePullSecrets is an optional list of references to secrets in the same namespace as the deploying resource for pulling any of the signatures used by this Source.
type: array
items:
type: object
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
images:
type: array
items:
type: object
properties:
glob:
type: string
policy:
description: Policy is an optional policy that can be applied against all the successfully validated Authorities. If no authorities pass, this does not even get evaluated, as the Policy is considered failed.
type: object
properties:
configMapRef:
type: object
properties:
name:
description: Name is unique within a namespace to reference a configmap resource.
type: string
namespace:
description: Namespace defines the space within which the configmap name must be unique.
type: string
data:
type: string
type:
description: Which kind of policy this is, currently only rego or cue are supported. Furthermore, only cue is tested :)
type: string
url:
type: string
4 changes: 2 additions & 2 deletions hack/update-codegen.sh
Expand Up @@ -45,15 +45,15 @@ group "Kubernetes Codegen"
# instead of the $GOPATH directly. For normal projects this can be dropped.
${CODEGEN_PKG}/generate-groups.sh "deepcopy,client,informer,lister" \
github.com/sigstore/cosign/pkg/client github.com/sigstore/cosign/pkg/apis \
"cosigned:v1alpha1" \
"cosigned:v1alpha1 cosigned:v1beta1" \
--go-header-file ${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.go.txt

group "Knative Codegen"

# Knative Injection
${KNATIVE_CODEGEN_PKG}/hack/generate-knative.sh "injection" \
github.com/sigstore/cosign/pkg/client github.com/sigstore/cosign/pkg/apis \
"cosigned:v1alpha1" \
"cosigned:v1alpha1 cosigned:v1beta1" \
--go-header-file ${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.go.txt

group "Update CRD Schema"
10 changes: 10 additions & 0 deletions pkg/apis/cosigned/register.go
Expand Up @@ -14,7 +14,17 @@

package cosigned

import "k8s.io/apimachinery/pkg/runtime/schema"

const (
// GroupName is the name of the API group.
GroupName = "cosigned.sigstore.dev"
)

var (
// ClusterImagePolicyResource represents a ClusterImagePolicy
ClusterImagePolicyResource = schema.GroupResource{
Group: GroupName,
Resource: "clusterimagepolicies",
}
)
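Review bot: The doc comment on the exported `ClusterImagePolicyResource` is a fragment; Go doc convention wants a full sentence that also says what the value is for, e.g. `// ClusterImagePolicyResource is the GroupResource of the ClusterImagePolicy CRD; its String() form ("clusterimagepolicies.cosigned.sigstore.dev") is the CRD name the conversion controller reconciles.` The clusterrole in this PR hard-codes the same string under `resourceNames`, so a comment cross-referencing the two is the only guard against the RBAC rule and this constant drifting apart. The existing `GroupName` comment could likewise end with a period for consistency.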