chore: do not fail to verify signed images if the secret-name flag is…
… not set
Hector Fernandez authored Jun 29, 2022
2 parents e10d024 + 5aee71c commit 4c932a1
Showing 1 changed file with 10 additions and 5 deletions.
15 changes: 10 additions & 5 deletions pkg/webhook/validator.go
@@ -36,6 +36,7 @@ import (
"github.com/sigstore/rekor/pkg/generated/client"
"github.com/sigstore/sigstore/pkg/signature"
corev1 "k8s.io/api/core/v1"
apierrs "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/client-go/kubernetes"
listersv1 "k8s.io/client-go/listers/core/v1"
"knative.dev/pkg/apis"
@@ -123,13 +124,17 @@ func (v *Validator) validatePodSpec(ctx context.Context, namespace string, ps *c
}

s, err := v.lister.Secrets(system.Namespace()).Get(v.secretName)
if err != nil {
if err != nil && !apierrs.IsNotFound(err) {
return apis.ErrGeneric(err.Error(), apis.CurrentField)
}

keys, kerr := getKeys(ctx, s.Data)
if kerr != nil {
return kerr
// If the secret is not found, we verify against the fulcio root.
keys := make([]crypto.PublicKey, 0)
if err == nil {
var kerr *apis.FieldError
keys, kerr = getKeys(ctx, s.Data)
if kerr != nil {
return kerr
}
}

checkContainers := func(cs []corev1.Container, field string) {
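Review bot: The fallback in validatePodSpec is keyed on `apierrs.IsNotFound(err)` rather than on whether a secret name was configured, so a deployment that does set the flag but whose secret is later deleted or misnamed would move from the operator's pinned keys to the Fulcio root without any error. For an admission check that is a widening of the trust policy, and it should be a visible failure rather than a silent one. If the unset flag leaves `v.secretName` empty (not visible in this hunk), the guard could be `if err != nil && !(v.secretName == "" && apierrs.IsNotFound(err)) {`, which keeps the old rejection whenever a named secret is missing. At minimum the `keys := make([]crypto.PublicKey, 0)` path deserves a log line recording that no key secret was found and keyless verification is in effect. The function begins and ends outside the hunk, so how an empty `keys` slice is consumed should be confirmed there.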