mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-14 11:57:48 +00:00
fix: expect base64 string in raw tuf root (#11117)
* fix: expect base64 string in raw tuf root Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: add tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: rename kyverno yaml file Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
This commit is contained in:
parent
7402803593
commit
ea19244876
11 changed files with 115 additions and 1 deletions
20
.github/workflows/conformance.yaml
vendored
20
.github/workflows/conformance.yaml
vendored
|
@ -563,6 +563,26 @@ jobs:
|
|||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
chainsaw-tests: ${{ matrix.tests }}
|
||||
|
||||
sigstore-custom-tuf:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
packages: read
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
|
||||
tests: ${{ fromJSON(needs.define-matrix.outputs.tests).sigstore-custom-tuf }}
|
||||
needs: [ prepare-images, define-matrix ]
|
||||
steps:
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: ./.github/actions/run-tests
|
||||
with:
|
||||
k8s-version: ${{ matrix.k8s-version }}
|
||||
kind-config: ./scripts/config/kind/vap-v1beta1.yaml
|
||||
kyverno-configs: standard,sigstore-custom-tuf
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
chainsaw-tests: ${{ matrix.tests }}
|
||||
|
||||
custom-sigstore:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
|
|
|
@ -2,6 +2,7 @@ package internal
|
|||
|
||||
import (
|
||||
"context"
|
||||
"encoding/base64"
|
||||
"fmt"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
|
@ -24,7 +25,11 @@ func setupSigstoreTUF(ctx context.Context, logger logr.Logger) {
|
|||
checkError(logger, err, fmt.Sprintf("Failed to read alternate TUF root file %s : %v", tufRoot, err))
|
||||
}
|
||||
} else if tufRootRaw != "" {
|
||||
tufRootBytes = []byte(tufRootRaw)
|
||||
root, err := base64.StdEncoding.DecodeString(tufRootRaw)
|
||||
if err != nil {
|
||||
checkError(logger, err, fmt.Sprintf("Failed to base64 decode TUF root %s : %v", tufRootRaw, err))
|
||||
}
|
||||
tufRootBytes = root
|
||||
}
|
||||
|
||||
logger.Info("Initializing TUF root")
|
||||
|
|
|
@ -83,6 +83,8 @@ func verifyBundles(bundles []*Bundle, desc *v1.Descriptor, trustedRoot *root.Tru
|
|||
result, err := verifier.Verify(bundle.ProtoBundle, policy)
|
||||
if err == nil {
|
||||
verificationResults = append(verificationResults, &VerificationResult{Bundle: bundle, Result: result, Desc: desc})
|
||||
} else {
|
||||
logger.V(4).Info("failed to verify sigstore bundle", "err", err.Error(), "bundle", bundle)
|
||||
}
|
||||
}
|
||||
|
||||
|
|
5
scripts/config/sigstore-custom-tuf/kyverno.yaml
Normal file
5
scripts/config/sigstore-custom-tuf/kyverno.yaml
Normal file
File diff suppressed because one or more lines are too long
|
@ -106,6 +106,9 @@
|
|||
"reports": [
|
||||
"^reports$"
|
||||
],
|
||||
"sigstore-custom-tuf": [
|
||||
"^sigstore-custom-tuf$"
|
||||
],
|
||||
"ttl": [
|
||||
"^ttl$"
|
||||
],
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
## Description
|
||||
|
||||
This test verifies sigstore bundle attached to an image.
|
||||
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: sigstore-image-verification
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: pod.yaml
|
||||
- assert:
|
||||
file: pod-assert.yaml
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: test-pod
|
||||
namespace: default
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: test-pod
|
||||
namespace: default
|
||||
spec:
|
||||
containers:
|
||||
- image: ghcr.io/nirmata/github-signing-demo:latest
|
||||
name: test-container
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: sigstore-image-verification
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
||||
|
|
@ -0,0 +1,29 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
annotations:
|
||||
pod-policies.kyverno.io/autogen-controllers: none
|
||||
name: sigstore-image-verification
|
||||
spec:
|
||||
background: false
|
||||
validationFailureAction: Enforce
|
||||
webhookTimeoutSeconds: 30
|
||||
rules:
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
name: sigstore-image-verification
|
||||
verifyImages:
|
||||
- imageReferences:
|
||||
- "*"
|
||||
type: SigstoreBundle
|
||||
attestors:
|
||||
- entries:
|
||||
- keyless:
|
||||
issuer: https://token.actions.githubusercontent.com
|
||||
subject: https://github.com/nirmata/github-signing-demo/.github/workflows/build-attested-image.yaml@refs/heads/main
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ignoreTlog: true
|
Loading…
Reference in a new issue