-
Notifications
You must be signed in to change notification settings - Fork 165
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for signing Builders and ClusterBuilders #1208
Add support for signing Builders and ClusterBuilders #1208
Conversation
Codecov Report
❗ Your organization needs to install the Codecov GitHub app to enable full functionality. @@ Coverage Diff @@
## main #1208 +/- ##
==========================================
- Coverage 67.41% 67.32% -0.10%
==========================================
Files 133 133
Lines 8093 8205 +112
==========================================
+ Hits 5456 5524 +68
- Misses 2200 2231 +31
- Partials 437 450 +13
|
7fd6d68
to
c46e3c8
Compare
c46e3c8
to
10108d0
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What do we want to happen if we add a cosign secret after the [Cluster]Builder has been created?
Right now nothing happens, but we could get the builder and clusterbuilder reconcilers to track secrets? It does feel a little heavy hand to continuously read all new secrets in a namespace, but would that provide a better user experience?
(I don't have an opinion either way, just want to pick your brains a bit and maybe explicitly document this)
685f565
to
588b5e7
Compare
For UX purposes, it sounds to me like that would be the best way to go forward. I'll wait for other opinions before making changes though. |
fcddd14
to
a7a9f0a
Compare
We're going to bring this up at the next kpack wg, but from early talks with @tomkennedy513 and @matthewmcnew, we have some ideas:
|
a7a9f0a
to
4873c59
Compare
4873c59
to
529ce1f
Compare
We ended up deciding that because there's no exit-early when reconciling builders, it's ok to rely on the natural (10-hour) resync period. So if the cosign secrets changed, the users will have to wait up to 10 hours before kpack pushes a new builder with the updated signature(s). |
I think this PR is in a good place once #1208 (comment) is addressed, @stormqueen1990 do you mind cleaning/squashing up the commits a little? There are several of them titled "changes from code review" with wildly different changes in them that should really be separated into different commits or squashed into another commit. Just to be clear, I don't care about the amount of commits as long as each individual commit is immediately obvious to what it's trying to do and is focused on one "unit of work" |
Hi there, @chenbh! 👋 Sure thing! I was planning to squash commits into more meaningful chunks once this is good to go. I am a bit busy this week but will try to make all changes (squashing included) by EOD Thursday. |
Hi there, @chenbh! Sorry for the delay, I started facing issues after rebasing the branch for the last time. I'll have to investigate it and will push the updated and squashed branch as soon as possible. |
177fb39
to
82c847f
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm!
@tomkennedy513 @matthewmcnew @samj1912 do one of you mind taking a quick 👀 at this PR? It's a pretty beefy one and I would like at least one more review on it before merging |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey @stormqueen1990 would you be able to rebase this pr?
* Implement general logic for finding secrets and signing Builders and ClusterBuilders using cosign. * Create new Fetcher interface to aid testing. * Refactor the cosign ImageSigner to remove unused logger field. * Fix typo in constant name for image signer. * Add unit and e2e tests to verify changes. Signed-off-by: Mauren Berti <stormqueen1990@gmail.com>
82c847f
to
4a76d00
Compare
Hi there, @tomkennedy513! Yes, just rebased it. Please let me know if there's anything else that's needed to move this PR forward 🙏 I also squashed it to a single commit as my previous squash didn't really break this work into atomic pieces. |
Thank you so much for this work! @stormqueen1990 |
Changes
kpack
.Fixes #942