
feat: migrate ignoreSCT from rekor to ctlog (#8166)

* feat: migrate ignoreSCT from rekor to ctlog

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix: update tests for new crd

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

---------

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Vishal Choudhary 2023-08-30 12:09:49 +05:30 committed by GitHub
parent 414c3c77dd
commit 62634af6aa
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
38 changed files with 4524 additions and 2555 deletions


@ -142,7 +142,7 @@ func Test_ImageVerification(t *testing.T) {
ImageReferences: []string{"*"},
Attestors: []AttestorSet{
{Entries: []Attestor{{
Keyless: &KeylessAttestor{Rekor: &CTLog{}, Issuer: "", Subject: ""},
Keyless: &KeylessAttestor{Rekor: &Rekor{}, Issuer: "", Subject: ""},
}}},
},
},
@ -159,7 +159,7 @@ func Test_ImageVerification(t *testing.T) {
ImageReferences: []string{"*"},
Attestors: []AttestorSet{
{Entries: []Attestor{{
Keyless: &KeylessAttestor{Rekor: &CTLog{URL: "https://rekor.sigstore.dev"}, Issuer: "bla", Subject: "bla"},
Keyless: &KeylessAttestor{Rekor: &Rekor{URL: "https://rekor.sigstore.dev"}, Issuer: "bla", Subject: "bla"},
}}},
},
},


@ -187,11 +187,15 @@ type StaticKeyAttestor struct {
// Reference to a Secret resource that contains a public key
Secret *SecretReference `json:"secret,omitempty" yaml:"secret,omitempty"`
// Rekor provides configuration for the Rekor transparency log service. If the value is nil,
// or an empty object is provided, the public instance of
// Rekor (https://rekor.sigstore.dev) is used.
// Rekor provides configuration for the Rekor transparency log service. If an empty object
// is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
// +kubebuilder:validation:Optional
Rekor *CTLog `json:"rekor,omitempty" yaml:"rekor,omitempty"`
Rekor *Rekor `json:"rekor,omitempty" yaml:"rekor,omitempty"`
// CTLog provides configuration for validation of SCTs.
// If the value is nil, default ctlog public key is used
// +kubebuilder:validation:Optional
CTLog *CTLog `json:"ctlog,omitempty" yaml:"ctlog,omitempty"`
}
type SecretReference struct {
@ -211,19 +215,27 @@ type CertificateAttestor struct {
// +kubebuilder:validation:Optional
CertificateChain string `json:"certChain,omitempty" yaml:"certChain,omitempty"`
// Rekor provides configuration for the Rekor transparency log service. If the value is nil,
// Rekor is not checked. If an empty object is provided the public instance of
// Rekor (https://rekor.sigstore.dev) is used.
// Rekor provides configuration for the Rekor transparency log service. If an empty object
// is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
// +kubebuilder:validation:Optional
Rekor *CTLog `json:"rekor,omitempty" yaml:"rekor,omitempty"`
Rekor *Rekor `json:"rekor,omitempty" yaml:"rekor,omitempty"`
// CTLog provides configuration for validation of SCTs.
// If the value is nil, default ctlog public key is used
// +kubebuilder:validation:Optional
CTLog *CTLog `json:"ctlog,omitempty" yaml:"ctlog,omitempty"`
}
type KeylessAttestor struct {
// Rekor provides configuration for the Rekor transparency log service. If the value is nil,
// Rekor is not checked and a root certificate chain is expected instead. If an empty object
// Rekor provides configuration for the Rekor transparency log service. If an empty object
// is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
// +kubebuilder:validation:Optional
Rekor *CTLog `json:"rekor,omitempty" yaml:"rekor,omitempty"`
Rekor *Rekor `json:"rekor,omitempty" yaml:"rekor,omitempty"`
// CTLog provides configuration for validation of SCTs.
// If the value is nil, default ctlog public key is used
// +kubebuilder:validation:Optional
CTLog *CTLog `json:"ctlog,omitempty" yaml:"ctlog,omitempty"`
// Issuer is the certificate issuer used for keyless signing.
// +kubebuilder:validation:Optional
@ -243,7 +255,7 @@ type KeylessAttestor struct {
AdditionalExtensions map[string]string `json:"additionalExtensions,omitempty" yaml:"additionalExtensions,omitempty"`
}
type CTLog struct {
type Rekor struct {
// URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
// +kubebuilder:validation:Required
// +kubebuilder:Default:=https://rekor.sigstore.dev
@ -254,15 +266,21 @@ type CTLog struct {
// +kubebuilder:validation:Optional
RekorPubKey string `json:"pubkey,omitempty" yaml:"pubkey,omitempty"`
// IgnoreSCT requires that a certificate contain an embedded SCT during verification. An SCT is proof of inclusion in a certificate transparency log.
// +kubebuilder:validation:Optional
IgnoreSCT bool `json:"ignoreSCT,omitempty" yaml:"ignoreSCT,omitempty"`
// IgnoreTlog skip tlog verification
// +kubebuilder:validation:Optional
IgnoreTlog bool `json:"ignoreTlog,omitempty" yaml:"ignoreTlog,omitempty"`
}
type CTLog struct {
// IgnoreSCT requires that a certificate contain an embedded SCT during verification.
// +kubebuilder:validation:Optional
IgnoreSCT bool `json:"ignoreSCT,omitempty" yaml:"ignoreSCT,omitempty"`
// CTLogPubKey, if set, is used to validate SCTs against those keys.
// +kubebuilder:validation:Optional
CTLogPubKey string `json:"pubkey,omitempty" yaml:"pubkey,omitempty"`
}
// Attestation are checks for signed in-toto Statements that are used to verify the image.
// See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
// OCI registry and decodes them into a list of Statements.
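Review bot: The doc comment on the new `CTLog.IgnoreSCT` field (`// IgnoreSCT requires that a certificate contain an embedded SCT during verification.`) states the inverse of what the field name implies and of how the verifier consumes it (`opts.IgnoreSCT = attestor.Keys.CTLog.IgnoreSCT`, with `false` as the nil default): assuming it maps onto cosign's IgnoreSCT option as the name suggests, `ignoreSCT: true` disables the SCT check rather than demanding one. The sentence was carried over from the old `Rekor.IgnoreSCT`, so the wording is pre-existing, but this commit regenerates it into the CRD and the API reference for a verification-weakening knob, and a policy author may enable it believing it tightens verification. Suggest `// IgnoreSCT, when true, skips verification of the certificate's embedded Signed Certificate Timestamp (SCT). Defaults to false, so an SCT is required.` The neighbouring `CTLog` field comment could likewise read `// CTLog provides configuration for validation of SCTs. If nil, the default CT log public key is used.`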


@ -276,6 +276,11 @@ func (in *CertificateAttestor) DeepCopyInto(out *CertificateAttestor) {
*out = *in
if in.Rekor != nil {
in, out := &in.Rekor, &out.Rekor
*out = new(Rekor)
**out = **in
}
if in.CTLog != nil {
in, out := &in.CTLog, &out.CTLog
*out = new(CTLog)
**out = **in
}
@ -804,6 +809,11 @@ func (in *KeylessAttestor) DeepCopyInto(out *KeylessAttestor) {
*out = *in
if in.Rekor != nil {
in, out := &in.Rekor, &out.Rekor
*out = new(Rekor)
**out = **in
}
if in.CTLog != nil {
in, out := &in.CTLog, &out.CTLog
*out = new(CTLog)
**out = **in
}
@ -1081,6 +1091,22 @@ func (in *PolicyStatus) DeepCopy() *PolicyStatus {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Rekor) DeepCopyInto(out *Rekor) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rekor.
func (in *Rekor) DeepCopy() *Rekor {
if in == nil {
return nil
}
out := new(Rekor)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *RequestData) DeepCopyInto(out *RequestData) {
*out = *in
@ -1394,6 +1420,11 @@ func (in *StaticKeyAttestor) DeepCopyInto(out *StaticKeyAttestor) {
}
if in.Rekor != nil {
in, out := &in.Rekor, &out.Rekor
*out = new(Rekor)
**out = **in
}
if in.CTLog != nil {
in, out := &in.CTLog, &out.CTLog
*out = new(CTLog)
**out = **in
}


@ -85,7 +85,7 @@ func Test_ImageVerification(t *testing.T) {
ImageReferences: []string{"*"},
Attestors: []kyvernov1.AttestorSet{
{Entries: []kyvernov1.Attestor{{
Keyless: &kyvernov1.KeylessAttestor{Rekor: &kyvernov1.CTLog{}, Issuer: "", Subject: ""},
Keyless: &kyvernov1.KeylessAttestor{Rekor: &kyvernov1.Rekor{}, Issuer: "", Subject: ""},
}}},
},
},
@ -102,7 +102,7 @@ func Test_ImageVerification(t *testing.T) {
ImageReferences: []string{"*"},
Attestors: []kyvernov1.AttestorSet{
{Entries: []kyvernov1.Attestor{{
Keyless: &kyvernov1.KeylessAttestor{Rekor: &kyvernov1.CTLog{URL: "https://rekor.sigstore.dev"}, Issuer: "bla", Subject: "bla"},
Keyless: &kyvernov1.KeylessAttestor{Rekor: &kyvernov1.Rekor{URL: "https://rekor.sigstore.dev"}, Issuer: "bla", Subject: "bla"},
}}},
},
},


@ -1105,13 +1105,13 @@ The variables defined here will be available under <code>variables</code> in oth
<tbody>
<tr>
<td>
<code>url</code><br/>
<code>ignoreSCT</code><br/>
<em>
string
bool
</em>
</td>
<td>
<p>URL is the address of the transparency log. Defaults to the public log <a href="https://rekor.sigstore.dev">https://rekor.sigstore.dev</a>.</p>
<p>IgnoreSCT requires that a certificate contain an embedded SCT during verification.</p>
</td>
</tr>
<tr>
@ -1122,30 +1122,7 @@ string
</em>
</td>
<td>
<p>RekorPubKey is an optional PEM encoded public key to use for a custom Rekor.
If set, is used to validate signatures on log entries from Rekor.</p>
</td>
</tr>
<tr>
<td>
<code>ignoreSCT</code><br/>
<em>
bool
</em>
</td>
<td>
<p>IgnoreSCT requires that a certificate contain an embedded SCT during verification. An SCT is proof of inclusion in a certificate transparency log.</p>
</td>
</tr>
<tr>
<td>
<code>ignoreTlog</code><br/>
<em>
bool
</em>
</td>
<td>
<p>IgnoreTlog skip tlog verification</p>
<p>CTLogPubKey, if set, is used to validate SCTs against those keys.</p>
</td>
</tr>
</tbody>
@ -1193,15 +1170,28 @@ string
<td>
<code>rekor</code><br/>
<em>
<a href="#kyverno.io/v1.Rekor">
Rekor
</a>
</em>
</td>
<td>
<p>Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (<a href="https://rekor.sigstore.dev">https://rekor.sigstore.dev</a>) is used.</p>
</td>
</tr>
<tr>
<td>
<code>ctlog</code><br/>
<em>
<a href="#kyverno.io/v1.CTLog">
CTLog
</a>
</em>
</td>
<td>
<p>Rekor provides configuration for the Rekor transparency log service. If the value is nil,
Rekor is not checked. If an empty object is provided the public instance of
Rekor (<a href="https://rekor.sigstore.dev">https://rekor.sigstore.dev</a>) is used.</p>
<p>CTLog provides configuration for validation of SCTs.
If the value is nil, default ctlog public key is used</p>
</td>
</tr>
</tbody>
@ -2404,15 +2394,28 @@ bool
<td>
<code>rekor</code><br/>
<em>
<a href="#kyverno.io/v1.Rekor">
Rekor
</a>
</em>
</td>
<td>
<p>Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (<a href="https://rekor.sigstore.dev">https://rekor.sigstore.dev</a>) is used.</p>
</td>
</tr>
<tr>
<td>
<code>ctlog</code><br/>
<em>
<a href="#kyverno.io/v1.CTLog">
CTLog
</a>
</em>
</td>
<td>
<p>Rekor provides configuration for the Rekor transparency log service. If the value is nil,
Rekor is not checked and a root certificate chain is expected instead. If an empty object
is provided the public instance of Rekor (<a href="https://rekor.sigstore.dev">https://rekor.sigstore.dev</a>) is used.</p>
<p>CTLog provides configuration for validation of SCTs.
If the value is nil, default ctlog public key is used</p>
</td>
</tr>
<tr>
@ -2943,6 +2946,61 @@ RuleCountStatus
</tbody>
</table>
<hr />
<h3 id="kyverno.io/v1.Rekor">Rekor
</h3>
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v1.CertificateAttestor">CertificateAttestor</a>,
<a href="#kyverno.io/v1.KeylessAttestor">KeylessAttestor</a>,
<a href="#kyverno.io/v1.StaticKeyAttestor">StaticKeyAttestor</a>)
</p>
<p>
</p>
<table class="table table-striped">
<thead class="thead-dark">
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>url</code><br/>
<em>
string
</em>
</td>
<td>
<p>URL is the address of the transparency log. Defaults to the public log <a href="https://rekor.sigstore.dev">https://rekor.sigstore.dev</a>.</p>
</td>
</tr>
<tr>
<td>
<code>pubkey</code><br/>
<em>
string
</em>
</td>
<td>
<p>RekorPubKey is an optional PEM encoded public key to use for a custom Rekor.
If set, is used to validate signatures on log entries from Rekor.</p>
</td>
</tr>
<tr>
<td>
<code>ignoreTlog</code><br/>
<em>
bool
</em>
</td>
<td>
<p>IgnoreTlog skip tlog verification</p>
</td>
</tr>
</tbody>
</table>
<hr />
<h3 id="kyverno.io/v1.RequestData">RequestData
</h3>
<p>
@ -3859,15 +3917,28 @@ SecretReference
<td>
<code>rekor</code><br/>
<em>
<a href="#kyverno.io/v1.Rekor">
Rekor
</a>
</em>
</td>
<td>
<p>Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (<a href="https://rekor.sigstore.dev">https://rekor.sigstore.dev</a>) is used.</p>
</td>
</tr>
<tr>
<td>
<code>ctlog</code><br/>
<em>
<a href="#kyverno.io/v1.CTLog">
CTLog
</a>
</em>
</td>
<td>
<p>Rekor provides configuration for the Rekor transparency log service. If the value is nil,
or an empty object is provided, the public instance of
Rekor (<a href="https://rekor.sigstore.dev">https://rekor.sigstore.dev</a>) is used.</p>
<p>CTLog provides configuration for validation of SCTs.
If the value is nil, default ctlog public key is used</p>
</td>
</tr>
</tbody>


@ -23,7 +23,8 @@ package v1
type CertificateAttestorApplyConfiguration struct {
Certificate *string `json:"cert,omitempty"`
CertificateChain *string `json:"certChain,omitempty"`
Rekor *CTLogApplyConfiguration `json:"rekor,omitempty"`
Rekor *RekorApplyConfiguration `json:"rekor,omitempty"`
CTLog *CTLogApplyConfiguration `json:"ctlog,omitempty"`
}
// CertificateAttestorApplyConfiguration constructs an declarative configuration of the CertificateAttestor type for use with
@ -51,7 +52,15 @@ func (b *CertificateAttestorApplyConfiguration) WithCertificateChain(value strin
// WithRekor sets the Rekor field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Rekor field is set to the value of the last call.
func (b *CertificateAttestorApplyConfiguration) WithRekor(value *CTLogApplyConfiguration) *CertificateAttestorApplyConfiguration {
func (b *CertificateAttestorApplyConfiguration) WithRekor(value *RekorApplyConfiguration) *CertificateAttestorApplyConfiguration {
b.Rekor = value
return b
}
// WithCTLog sets the CTLog field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the CTLog field is set to the value of the last call.
func (b *CertificateAttestorApplyConfiguration) WithCTLog(value *CTLogApplyConfiguration) *CertificateAttestorApplyConfiguration {
b.CTLog = value
return b
}


@ -21,10 +21,8 @@ package v1
// CTLogApplyConfiguration represents an declarative configuration of the CTLog type for use
// with apply.
type CTLogApplyConfiguration struct {
URL *string `json:"url,omitempty"`
RekorPubKey *string `json:"pubkey,omitempty"`
IgnoreSCT *bool `json:"ignoreSCT,omitempty"`
IgnoreTlog *bool `json:"ignoreTlog,omitempty"`
CTLogPubKey *string `json:"pubkey,omitempty"`
}
// CTLogApplyConfiguration constructs an declarative configuration of the CTLog type for use with
@ -33,22 +31,6 @@ func CTLog() *CTLogApplyConfiguration {
return &CTLogApplyConfiguration{}
}
// WithURL sets the URL field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the URL field is set to the value of the last call.
func (b *CTLogApplyConfiguration) WithURL(value string) *CTLogApplyConfiguration {
b.URL = &value
return b
}
// WithRekorPubKey sets the RekorPubKey field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the RekorPubKey field is set to the value of the last call.
func (b *CTLogApplyConfiguration) WithRekorPubKey(value string) *CTLogApplyConfiguration {
b.RekorPubKey = &value
return b
}
// WithIgnoreSCT sets the IgnoreSCT field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the IgnoreSCT field is set to the value of the last call.
@ -57,10 +39,10 @@ func (b *CTLogApplyConfiguration) WithIgnoreSCT(value bool) *CTLogApplyConfigura
return b
}
// WithIgnoreTlog sets the IgnoreTlog field in the declarative configuration to the given value
// WithCTLogPubKey sets the CTLogPubKey field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the IgnoreTlog field is set to the value of the last call.
func (b *CTLogApplyConfiguration) WithIgnoreTlog(value bool) *CTLogApplyConfiguration {
b.IgnoreTlog = &value
// If called multiple times, the CTLogPubKey field is set to the value of the last call.
func (b *CTLogApplyConfiguration) WithCTLogPubKey(value string) *CTLogApplyConfiguration {
b.CTLogPubKey = &value
return b
}


@ -21,7 +21,8 @@ package v1
// KeylessAttestorApplyConfiguration represents an declarative configuration of the KeylessAttestor type for use
// with apply.
type KeylessAttestorApplyConfiguration struct {
Rekor *CTLogApplyConfiguration `json:"rekor,omitempty"`
Rekor *RekorApplyConfiguration `json:"rekor,omitempty"`
CTLog *CTLogApplyConfiguration `json:"ctlog,omitempty"`
Issuer *string `json:"issuer,omitempty"`
Subject *string `json:"subject,omitempty"`
Roots *string `json:"roots,omitempty"`
@ -37,11 +38,19 @@ func KeylessAttestor() *KeylessAttestorApplyConfiguration {
// WithRekor sets the Rekor field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Rekor field is set to the value of the last call.
func (b *KeylessAttestorApplyConfiguration) WithRekor(value *CTLogApplyConfiguration) *KeylessAttestorApplyConfiguration {
func (b *KeylessAttestorApplyConfiguration) WithRekor(value *RekorApplyConfiguration) *KeylessAttestorApplyConfiguration {
b.Rekor = value
return b
}
// WithCTLog sets the CTLog field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the CTLog field is set to the value of the last call.
func (b *KeylessAttestorApplyConfiguration) WithCTLog(value *CTLogApplyConfiguration) *KeylessAttestorApplyConfiguration {
b.CTLog = value
return b
}
// WithIssuer sets the Issuer field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Issuer field is set to the value of the last call.


@ -0,0 +1,57 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
// RekorApplyConfiguration represents an declarative configuration of the Rekor type for use
// with apply.
type RekorApplyConfiguration struct {
URL *string `json:"url,omitempty"`
RekorPubKey *string `json:"pubkey,omitempty"`
IgnoreTlog *bool `json:"ignoreTlog,omitempty"`
}
// RekorApplyConfiguration constructs an declarative configuration of the Rekor type for use with
// apply.
func Rekor() *RekorApplyConfiguration {
return &RekorApplyConfiguration{}
}
// WithURL sets the URL field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the URL field is set to the value of the last call.
func (b *RekorApplyConfiguration) WithURL(value string) *RekorApplyConfiguration {
b.URL = &value
return b
}
// WithRekorPubKey sets the RekorPubKey field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the RekorPubKey field is set to the value of the last call.
func (b *RekorApplyConfiguration) WithRekorPubKey(value string) *RekorApplyConfiguration {
b.RekorPubKey = &value
return b
}
// WithIgnoreTlog sets the IgnoreTlog field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the IgnoreTlog field is set to the value of the last call.
func (b *RekorApplyConfiguration) WithIgnoreTlog(value bool) *RekorApplyConfiguration {
b.IgnoreTlog = &value
return b
}


@ -25,7 +25,8 @@ type StaticKeyAttestorApplyConfiguration struct {
SignatureAlgorithm *string `json:"signatureAlgorithm,omitempty"`
KMS *string `json:"kms,omitempty"`
Secret *SecretReferenceApplyConfiguration `json:"secret,omitempty"`
Rekor *CTLogApplyConfiguration `json:"rekor,omitempty"`
Rekor *RekorApplyConfiguration `json:"rekor,omitempty"`
CTLog *CTLogApplyConfiguration `json:"ctlog,omitempty"`
}
// StaticKeyAttestorApplyConfiguration constructs an declarative configuration of the StaticKeyAttestor type for use with
@ -69,7 +70,15 @@ func (b *StaticKeyAttestorApplyConfiguration) WithSecret(value *SecretReferenceA
// WithRekor sets the Rekor field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Rekor field is set to the value of the last call.
func (b *StaticKeyAttestorApplyConfiguration) WithRekor(value *CTLogApplyConfiguration) *StaticKeyAttestorApplyConfiguration {
func (b *StaticKeyAttestorApplyConfiguration) WithRekor(value *RekorApplyConfiguration) *StaticKeyAttestorApplyConfiguration {
b.Rekor = value
return b
}
// WithCTLog sets the CTLog field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the CTLog field is set to the value of the last call.
func (b *StaticKeyAttestorApplyConfiguration) WithCTLog(value *CTLogApplyConfiguration) *StaticKeyAttestorApplyConfiguration {
b.CTLog = value
return b
}


@ -105,6 +105,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
return &kyvernov1.PolicyApplyConfiguration{}
case v1.SchemeGroupVersion.WithKind("PolicyStatus"):
return &kyvernov1.PolicyStatusApplyConfiguration{}
case v1.SchemeGroupVersion.WithKind("Rekor"):
return &kyvernov1.RekorApplyConfiguration{}
case v1.SchemeGroupVersion.WithKind("RequestData"):
return &kyvernov1.RequestDataApplyConfiguration{}
case v1.SchemeGroupVersion.WithKind("ResourceDescription"):


@ -63,8 +63,10 @@ var testPolicyGood = `{
"publicKeys": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEHMmDjK65krAyDaGaeyWNzgvIu155JI50B2vezCw8+3CVeE0lJTL5dbL3OP98Za0oAEBJcOxky8Riy/XcmfKZbw==\n-----END PUBLIC KEY-----",
"rekor": {
"url": "https://rekor.sigstore.dev",
"ignoreSCT": true,
"ignoreTlog": true
},
"ctlog": {
"ignoreSCT": true
}
}
}
@ -298,8 +300,10 @@ var testSampleSingleKeyPolicy = `
"publicKeys": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM\n5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==\n-----END PUBLIC KEY-----",
"rekor": {
"url": "https://rekor.sigstore.dev",
"ignoreSCT": true,
"ignoreTlog": true
},
"ctlog": {
"ignoreSCT": true
}
}
}
@ -353,8 +357,10 @@ var testSampleMultipleKeyPolicy = `
"publicKeys": "KEY1",
"rekor": {
"url": "https://rekor.sigstore.dev",
"ignoreSCT": true,
"ignoreTlog": true
},
"ctlog": {
"ignoreSCT": true
}
}
},
@ -363,8 +369,10 @@ var testSampleMultipleKeyPolicy = `
"publicKeys": "KEY2",
"rekor": {
"url": "https://rekor.sigstore.dev",
"ignoreSCT": true,
"ignoreTlog": true
},
"ctlog": {
"ignoreSCT": true
}
}
}
@ -429,8 +437,10 @@ var testConfigMapMissing = `{
"publicKeys": "{{myconfigmap.data.configmapkey}}",
"rekor": {
"url": "https://rekor.sigstore.dev",
"ignoreSCT": true,
"ignoreTlog": true
},
"ctlog": {
"ignoreSCT": true
}
}
}
@ -673,8 +683,10 @@ var testNestedAttestorPolicy = `
"publicKeys": "KEY1",
"rekor": {
"url": "https://rekor.sigstore.dev",
"ignoreSCT": true,
"ignoreTlog": true
},
"ctlog": {
"ignoreSCT": true
}
}
},
@ -686,8 +698,10 @@ var testNestedAttestorPolicy = `
"publicKeys": "KEY2",
"rekor": {
"url": "https://rekor.sigstore.dev",
"ignoreSCT": true,
"ignoreTlog": true
},
"ctlog": {
"ignoreSCT": true
}
}
}
@ -895,8 +909,10 @@ func Test_ParsePEMDelimited(t *testing.T) {
"publicKeys": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfVMHGmFK4OgVqhy36KZ7a3r4R4/o\nCwaCVvXZV4ZULFbkFZ0IodGqKqcVmgycnoj7d8TpKpAUVNF8kKh90ewH3A==\n-----END PUBLIC KEY-----\n-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0f1W0XigyPFbX8Xq3QmkbL9gDFTf\nRfc8jF7UadBcwKxiyvPSOKZn+igQfXzpNjrwPSZ58JGvF4Fs8BB3fSRP2g==\n-----END PUBLIC KEY-----",
"rekor": {
"url": "https://rekor.sigstore.dev",
"ignoreSCT": true,
"ignoreTlog": true
},
"ctlog": {
"ignoreSCT": true
}
}
}


@ -525,13 +525,18 @@ func (iv *ImageVerifier) buildCosignVerifier(
if attestor.Keys.Rekor != nil {
opts.RekorURL = attestor.Keys.Rekor.URL
opts.RekorPubKey = attestor.Keys.Rekor.RekorPubKey
opts.IgnoreSCT = attestor.Keys.Rekor.IgnoreSCT
opts.IgnoreTlog = attestor.Keys.Rekor.IgnoreTlog
} else {
opts.RekorURL = "https://rekor.sigstore.dev"
opts.IgnoreSCT = false
opts.IgnoreTlog = false
}
if attestor.Keys.CTLog != nil {
opts.IgnoreSCT = attestor.Keys.CTLog.IgnoreSCT
} else {
opts.IgnoreSCT = false
}
opts.SignatureAlgorithm = attestor.Keys.SignatureAlgorithm
} else if attestor.Certificates != nil {
path = path + ".certificates"
@ -545,7 +550,6 @@ func (iv *ImageVerifier) buildCosignVerifier(
if attestor.Keyless.Rekor != nil {
opts.RekorURL = attestor.Keyless.Rekor.URL
opts.RekorPubKey = attestor.Keyless.Rekor.RekorPubKey
opts.IgnoreSCT = attestor.Keyless.Rekor.IgnoreSCT
opts.IgnoreTlog = attestor.Keyless.Rekor.IgnoreTlog
} else {
opts.RekorURL = "https://rekor.sigstore.dev"
@ -553,6 +557,12 @@ func (iv *ImageVerifier) buildCosignVerifier(
opts.IgnoreTlog = false
}
if attestor.Keyless.CTLog != nil {
opts.IgnoreSCT = attestor.Keyless.CTLog.IgnoreSCT
} else {
opts.IgnoreSCT = false
}
opts.Roots = attestor.Keyless.Roots
opts.Issuer = attestor.Keyless.Issuer
opts.Subject = attestor.Keyless.Subject
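Review bot: `CTLog.CTLogPubKey` (`ctlog.pubkey`) is introduced in the API by this commit, but nothing in either branch of this hunk copies it into `opts`; only `IgnoreSCT` is propagated. Unless it is wired somewhere outside the diff, a policy that pins a private CT log key under `ctlog.pubkey` is accepted without error while SCTs are still checked against the default keys — silently weaker than the author configured — so either propagate it next to `opts.RekorPubKey` in both the keys and keyless branches (adding the option field if the cosign options lack one) or reject a non-empty value until it is honoured. The `opts.IgnoreSCT = false` in the Rekor-nil else branches, if it survives this commit, is now dead because the following `CTLog` block assigns `opts.IgnoreSCT` unconditionally. `buildCosignVerifier` starts before and continues after the hunk, and the `attestor.Certificates` branch beginning at `path = path + ".certificates"` is not visible here although `CertificateAttestor` gained the same `CTLog` field and presumably needs the same handling.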


@ -28,4 +28,5 @@ spec:
rekor:
url: https://rekor.sigstore.dev
ignoreTlog: true
ctlog:
ignoreSCT: true


@ -26,9 +26,10 @@ spec:
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
-----END PUBLIC KEY-----
rekor:
url: https://rekor.sigstore.dev
ignoreTlog: true
ignoreSCT: true
url: https://rekor.sigstore.dev
ignoreTlog: true
ctlog:
ignoreSCT: true
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
@ -64,6 +65,7 @@ spec:
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
-----END PUBLIC KEY-----
rekor:
url: https://rekor.sigstore.dev
ignoreTlog: true
ignoreSCT: true
url: https://rekor.sigstore.dev
ignoreTlog: true
ctlog:
ignoreSCT: true


@ -30,4 +30,5 @@ spec:
rekor:
url: https://rekor.sigstore.dev
ignoreTlog: true
ctlog:
ignoreSCT: true


@ -30,4 +30,5 @@ spec:
rekor:
url: https://rekor.sigstore.dev
ignoreTlog: true
ctlog:
ignoreSCT: true


@ -27,4 +27,5 @@ spec:
rekor:
url: https://rekor.sigstore.dev
ignoreTlog: true
ctlog:
ignoreSCT: true


@ -45,4 +45,5 @@ spec:
rekor:
url: https://rekor.sigstore.dev
ignoreTlog: true
ctlog:
ignoreSCT: true


@ -25,9 +25,10 @@ spec:
BibYLJ5L4VSMvGxeMLnBGdM48w5IE//6idUPj3rscigFdHs7GDMH4LLAng==
-----END PUBLIC KEY-----
rekor:
url: https://rekor.sigstore.dev
ignoreTlog: true
ignoreSCT: true
url: https://rekor.sigstore.dev
ignoreTlog: true
ctlog:
ignoreSCT: true
- keys:
publicKeys: |-
-----BEGIN PUBLIC KEY-----
@ -35,6 +36,7 @@ spec:
FdGxexVrR4YqO1pRViKxmD9oMu4I7K/4sM51nbH65ycB2uRiDfIdRoV/+A==
-----END PUBLIC KEY-----
rekor:
url: https://rekor.sigstore.dev
ignoreTlog: true
ignoreSCT: true
url: https://rekor.sigstore.dev
ignoreTlog: true
ctlog:
ignoreSCT: true


@ -28,6 +28,7 @@ spec:
rekor:
url: https://rekor.sigstore.dev
ignoreTlog: true
ctlog:
ignoreSCT: true
imageReferences:
- ghcr.io/kyverno/test-verify-image:*
@ -53,6 +54,7 @@ spec:
rekor:
url: https://rekor.sigstore.dev
ignoreTlog: true
ctlog:
ignoreSCT: true
imageReferences:
- my.local.repo/*


@ -28,4 +28,5 @@ spec:
rekor:
url: https://rekor.sigstore.dev
ignoreTlog: true
ctlog:
ignoreSCT: true


@ -31,6 +31,7 @@ spec:
rekor:
url: https://rekor.sigstore.dev
ignoreTlog: true
ctlog:
ignoreSCT: true
validationFailureAction: Audit
webhookTimeoutSeconds: 30


@ -30,5 +30,6 @@ spec:
subject: "https://github.com/*"
rekor:
url: https://rekor.sigstore.dev
ctlog:
ignoreSCT: true
required: true


@ -28,6 +28,7 @@ spec:
issuer: "https://token.actions.githubusercontent.com"
rekor:
url: https://rekor.sigstore.dev
ctlog:
ignoreSCT: true
conditions:
- all:


@ -27,6 +27,7 @@ spec:
issuer: "https://token.actions.githubusercontent.com"
rekor:
url: https://rekor.sigstore.dev
ctlog:
ignoreSCT: true
conditions:
- all:


@ -27,6 +27,7 @@ spec:
issuer: "https://token.actions.githubusercontent.com"
rekor:
url: https://rekor.sigstore.dev
ctlog:
ignoreSCT: true
conditions:
- all:


@ -27,12 +27,14 @@ spec:
issuer: "https://token.actions.githubusercontent.com"
rekor:
url: https://rekor.sigstore.dev
ctlog:
ignoreSCT: true
- keyless:
subject: "https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main"
issuer: "https://token.actions.githubusercontent.com"
rekor:
url: https://rekor.sigstore.dev
ctlog:
ignoreSCT: true
count: 1
conditions:


@ -27,12 +27,14 @@ spec:
issuer: "https://token.actions.githubusercontent.com"
rekor:
url: https://rekor.sigstore.dev
ctlog:
ignoreSCT: true
- keyless:
subject: "https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main"
issuer: "https://token.actions.githubusercontent.com"
rekor:
url: https://rekor.sigstore.dev
ctlog:
ignoreSCT: true
count: 2
conditions:


@ -27,12 +27,14 @@ spec:
issuer: "https://token.actions.githubusercontent.com"
rekor:
url: https://rekor.sigstore.dev
ctlog:
ignoreSCT: true
- keyless:
subject: "https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main"
issuer: "https://token.actions.githubusercontent.com"
rekor:
url: https://rekor.sigstore.dev
ctlog:
ignoreSCT: true
conditions:
- all:


@ -25,4 +25,5 @@ spec:
issuer: "https://token.actions.githubusercontent.com"
rekor:
url: https://rekor.sigstore.dev
ctlog:
ignoreSCT: true


@ -25,4 +25,5 @@ spec:
issuer: "https://token.actions.githubusercontent.com"
rekor:
url: https://rekor.sigstore.dev
ctlog:
ignoreSCT: true


@ -25,4 +25,5 @@ spec:
issuer: "https://token.actions.githubusercontent.com"
rekor:
url: https://rekor.sigstore.dev
ctlog:
ignoreSCT: true


@ -34,4 +34,5 @@ spec:
rekor:
url: https://rekor.sigstore.dev
ignoreTlog: true
ctlog:
ignoreSCT: true