1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00

fix: expect base64 string in raw tuf root (#11117)

* fix: expect base64 string in raw tuf root

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: add tests

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: rename kyverno yaml file

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

---------

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
This commit is contained in:
Vishal Choudhary 2024-09-12 18:04:52 +05:30 committed by GitHub
parent 7402803593
commit ea19244876
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
11 changed files with 115 additions and 1 deletions

View file

@ -563,6 +563,26 @@ jobs:
token: ${{ secrets.GITHUB_TOKEN }}
chainsaw-tests: ${{ matrix.tests }}
sigstore-custom-tuf:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
tests: ${{ fromJSON(needs.define-matrix.outputs.tests).sigstore-custom-tuf }}
needs: [ prepare-images, define-matrix ]
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: ./.github/actions/run-tests
with:
k8s-version: ${{ matrix.k8s-version }}
kind-config: ./scripts/config/kind/vap-v1beta1.yaml
kyverno-configs: standard,sigstore-custom-tuf
token: ${{ secrets.GITHUB_TOKEN }}
chainsaw-tests: ${{ matrix.tests }}
custom-sigstore:
runs-on: ubuntu-latest
permissions:

View file

@ -2,6 +2,7 @@ package internal
import (
"context"
"encoding/base64"
"fmt"
"github.com/go-logr/logr"
@ -24,7 +25,11 @@ func setupSigstoreTUF(ctx context.Context, logger logr.Logger) {
checkError(logger, err, fmt.Sprintf("Failed to read alternate TUF root file %s : %v", tufRoot, err))
}
} else if tufRootRaw != "" {
tufRootBytes = []byte(tufRootRaw)
root, err := base64.StdEncoding.DecodeString(tufRootRaw)
if err != nil {
checkError(logger, err, fmt.Sprintf("Failed to base64 decode TUF root %s : %v", tufRootRaw, err))
}
tufRootBytes = root
}
logger.Info("Initializing TUF root")

View file

@ -83,6 +83,8 @@ func verifyBundles(bundles []*Bundle, desc *v1.Descriptor, trustedRoot *root.Tru
result, err := verifier.Verify(bundle.ProtoBundle, policy)
if err == nil {
verificationResults = append(verificationResults, &VerificationResult{Bundle: bundle, Result: result, Desc: desc})
} else {
logger.V(4).Info("failed to verify sigstore bundle", "err", err.Error(), "bundle", bundle)
}
}

File diff suppressed because one or more lines are too long

View file

@ -106,6 +106,9 @@
"reports": [
"^reports$"
],
"sigstore-custom-tuf": [
"^sigstore-custom-tuf$"
],
"ttl": [
"^ttl$"
],

View file

@ -0,0 +1,4 @@
## Description
This test verifies sigstore bundle attached to an image.

View file

@ -0,0 +1,20 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
creationTimestamp: null
name: sigstore-image-verification
spec:
steps:
- name: step-01
try:
- apply:
file: policy.yaml
- assert:
file: policy-assert.yaml
- name: step-02
try:
- apply:
file: pod.yaml
- assert:
file: pod-assert.yaml

View file

@ -0,0 +1,6 @@
apiVersion: v1
kind: Pod
metadata:
name: test-pod
namespace: default

View file

@ -0,0 +1,10 @@
apiVersion: v1
kind: Pod
metadata:
name: test-pod
namespace: default
spec:
containers:
- image: ghcr.io/nirmata/github-signing-demo:latest
name: test-container

View file

@ -0,0 +1,10 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: sigstore-image-verification
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

View file

@ -0,0 +1,29 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
annotations:
pod-policies.kyverno.io/autogen-controllers: none
name: sigstore-image-verification
spec:
background: false
validationFailureAction: Enforce
webhookTimeoutSeconds: 30
rules:
- match:
any:
- resources:
kinds:
- Pod
name: sigstore-image-verification
verifyImages:
- imageReferences:
- "*"
type: SigstoreBundle
attestors:
- entries:
- keyless:
issuer: https://token.actions.githubusercontent.com
subject: https://github.com/nirmata/github-signing-demo/.github/workflows/build-attested-image.yaml@refs/heads/main
rekor:
url: https://rekor.sigstore.dev
ignoreTlog: true