feat: support pubkey secret creation for oci signature verification #240

Merged
merged 6 commits into from
Mar 14, 2024
5 changes: 4 additions & 1 deletion .gitignore
@@ -1,4 +1,3 @@

# Binaries for programs and plugins
*.exe
*.exe~
@@ -27,3 +26,7 @@ Dockerfile.cross
*.swp
*.swo
*~

# misc
.DS_Store
.env
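Review bot: adding `.env` to .gitignore is the right companion to the Makefile change that sources it, but .gitignore does not untrack files that are already committed; check with `git ls-files .env` and, if a copy with registry credentials is in history, `git rm --cached .env` and rotate those credentials rather than relying on the ignore rule.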
6 changes: 5 additions & 1 deletion Makefile
@@ -1,3 +1,7 @@
ifneq (,$(wildcard ./.env))
include .env
export
endif

# Image URL to use all building/pushing image targets
IMG ?= quay.io/spectrocloud-labs/validator:latest
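Review bot: the bare `export` after `include .env` exports every Make variable, not only the ones read from `.env`, into the environment of every recipe, so any registry credentials kept in `.env` become visible to all subprocesses (environment dumps in build logs, `ps e`, child tools). If the goal is only to make `.env` values available to targets, export the specific names instead, e.g. `export REGISTRY_USERNAME REGISTRY_PASSWORD`, or at least keep recipes from echoing the environment.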
@@ -201,4 +205,4 @@ helm-package: generate manifests

.PHONY: frigate
frigate:
frigate gen chart/validator --no-deps -o markdown > chart/validator/README.md
frigate gen chart/validator --no-deps -o markdown > chart/validator/README.md
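Review bot: the old and new `frigate gen` recipe lines are identical as rendered here, so this hunk is a whitespace-only change; confirm the new line is tab-indented (Make rejects space-indented recipe lines) and that this is the intended fix rather than an accidental editor reflow.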
80 changes: 43 additions & 37 deletions chart/validator/README.md

Large diffs are not rendered by default.

ValidationResult CRD (file path not rendered in this diff view)
@@ -62,6 +62,52 @@ spec:
description: ValidationResultStatus defines the observed state of ValidationResult
properties:
conditions:
items:
description: Condition defines an observation of a Cluster API resource
operational state.
properties:
lastTransitionTime:
description: Last time the condition transitioned from one status
to another. This should be when the underlying condition changed.
If that is not known, then using the time when the API field
changed is acceptable.
format: date-time
type: string
message:
description: A human readable message indicating details about
the transition. This field may be empty.
type: string
reason:
description: The reason for the condition's last transition
in CamelCase. The specific API may choose whether or not this
field is considered a guaranteed API. This field may not be
empty.
type: string
severity:
description: Severity provides an explicit classification of
Reason code, so the users or machines can immediately understand
the current situation and act accordingly. The Severity field
MUST be set only when Status=False.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition in CamelCase or in foo.example.com/CamelCase.
Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important.
type: string
required:
- lastTransitionTime
- status
- type
type: object
type: array
state:
type: string
validationConditions:
items:
properties:
details:
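Review bot: the new `status.conditions` item describes itself as "an observation of a Cluster API resource operational state", which is the upstream Cluster API description copied along with the type; for a ValidationResult it should say what the condition observes here. While touching this block, two constraints the descriptions promise but the schema does not enforce: `status` is documented as "one of True, False, Unknown" but is a free-form string, so add `enum: ["True", "False", "Unknown"]`, and `severity` "MUST be set only when Status=False" is likewise unchecked, so at minimum bound it with an `enum` of the allowed values. Note that `state` now sits above `validationConditions`; the next hunk removes it from the bottom of the block, so the two edits together are a move, not a new field.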
@@ -87,7 +133,7 @@ spec:
type: string
status:
description: True if the validation rule succeeded, otherwise
False
False.
type: string
validationRule:
description: Unique, one-word description of the validation
@@ -104,10 +150,6 @@ spec:
- validationType
type: object
type: array
sinkState:
type: string
state:
type: string
required:
- state
type: object
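Review bot: `sinkState` is dropped from the status schema with no replacement in this diff. With a structural schema the API server prunes fields it does not know, so existing ValidationResult objects that carry `sinkState` lose it on their next update, and any sink logic that still reads it will silently see an empty value. Confirm the controller no longer reads or writes `sinkState` and flag the removal as a breaking CRD change in the release notes. `state` staying in `required` is consistent with its move above `validationConditions` in the first hunk.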
10 changes: 10 additions & 0 deletions chart/validator/templates/plugin-secret-oci-auth.yaml
@@ -0,0 +1,10 @@
{{- range .Values.pluginSecrets.oci.auth }}
apiVersion: v1
kind: Secret
metadata:
name: {{ required ".Values.pluginSecrets.oci.auth.secretName is required!" .secretName }}
stringData:
username: {{ required ".Values.pluginSecrets.oci.auth.username is required!" .username }}
password: {{ required ".Values.pluginSecrets.oci.auth.password is required!" .password }}
---
{{- end }}
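Review bot: `username` and `password` are emitted unquoted under `stringData`. A password that YAML parses as a non-string (all digits, `true`, `1e5`) fails Kubernetes validation because `stringData` values must be strings, and one beginning with a YAML-significant character (`*`, `&`, `{`, `#`, `!`) either errors or renders as a different value. Pipe both through `quote`, e.g. `password: {{ required ".Values.pluginSecrets.oci.auth.password is required!" .password | quote }}`. Separately, the `required` messages name `.Values.pluginSecrets.oci.auth.secretName` but the range is over a list, so with several entries the message does not say which one is incomplete; including `.secretName` (when present) in the username/password messages would point the user at the right entry.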
13 changes: 13 additions & 0 deletions chart/validator/templates/plugin-secret-oci-pubkey.yaml
@@ -0,0 +1,13 @@
{{- range .Values.pluginSecrets.oci.pubKeys }}
apiVersion: v1
kind: Secret
metadata:
name: {{ required ".Values.pluginSecrets.oci.pubKeys.secretName is required!" .secretName }}
data:
{{- range $key, $val := . }}
{{- if hasSuffix ".pub" $key }}
{{ $key }}: {{ $val | b64enc | quote }}
{{- end }}
{{- end }}
---
{{- end }}
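Review bot: entries whose key does not end in `.pub` are silently skipped, so a misnamed key (`key1.pem`, `key1pub`) produces a Secret with a name but no data and no install-time error; the problem only surfaces later as a signature-verification failure in the plugin. Consider `{{ fail "..." }}` when an entry contributes no `.pub` keys, or at least a comment in values.yaml that unmatched keys are ignored. The `hasSuffix` filter is also what keeps `secretName` out of `data`, which is correct, but it is an implicit contract; a one-line comment in the template would save the next reader from wondering. Since `$val | b64enc` requires a string, a key pasted without the `|` block scalar and YAML-parsed into something else fails here with an opaque Sprig error rather than producing garbage, which is acceptable but worth noting in the values comments.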
10 changes: 0 additions & 10 deletions chart/validator/templates/plugin-secret-oci.yaml

This file was deleted.

35 changes: 24 additions & 11 deletions chart/validator/values.yaml
@@ -372,7 +372,7 @@ plugins:
- chart:
name: validator-plugin-oci
repository: "https://spectrocloud-labs.github.io/validator-plugin-oci"
version: v0.0.2
version: v0.0.8
values: |-
controllerManager:
kubeRbacProxy:
@@ -407,7 +407,7 @@ plugins:
- ALL
image:
repository: quay.io/spectrocloud-labs/validator-plugin-oci
tag: v0.0.2
tag: v0.0.8
resources:
limits:
cpu: 500m
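Review bot: the plugin is pinned by chart version (`v0.0.8`, previous hunk) and here by mutable image tag `v0.0.8`, not by digest. For a component whose job is verifying artifact signatures, pin the image with an `@sha256:` digest (or verify the plugin image's own signature at deploy time) so a re-pointed tag cannot swap the verifier out from under the chart. Also confirm `v0.0.8` is the plugin release that consumes the `pubKeys` Secret contract this chart now emits, since nothing else in the diff ties the two together.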
@@ -477,12 +477,25 @@ pluginSecrets:
# vcenterServer: ""
# insecureSkipVerify: ""

# If installing the OCI plugin and validating against private registries, the below config is required unless the following applies:
# - The target cluster already contains secrets with the correct format for all private registries.
# If specifying your own secret, refer to chart/validator/templates/plugin-secret-oci.yaml for
# an example of the expected format and ensure that it exists in the same namespace as the Helm release.
#
oci: [] # Don't forget to delete these square brackets if you're specifying credentials here!
# - secretName: registry-creds # ensure this matches the secretName in the OciRegistryRule
# username: username # for ECR Registries, store the AWS_ACCESS_KEY_ID here
# password: pa$$w0rd # for ECR Registries, store the AWS_SECRET_ACCESS_KEY here
oci:
# If installing the OCI plugin and validating against private registries, the below config is required unless the following applies:
# - The target cluster already contains secrets with the correct format for all private registries.
# If specifying your own secret, refer to chart/validator/templates/plugin-secret-oci-auth.yaml for
# an example of the expected format and ensure that it exists in the same namespace as the Helm release.
#
auth: [] # Don't forget to delete these square brackets if you're specifying credentials here!
# - secretName: registry-creds # ensure this matches the credentials secretName in the OciRegistryRule
# username: username # for ECR Registries, store the AWS_ACCESS_KEY_ID here
# password: pa$$w0rd # for ECR Registries, store the AWS_SECRET_ACCESS_KEY here

# If installing the OCI plugin and enabling signature verification of artifacts, the below config is required unless the following applies:
# - The target cluster already contains secrets with the correct format for all public keys used for signing artifacts.
# If specifying your own secret, refer to chart/validator/templates/plugin-secret-oci-pubkey.yaml for
# an example of the expected format and ensure that it exists in the same namespace as the Helm release.
#
pubKeys: [] # Don't forget to delete these square brackets if you're specifying public keys here!
# - secretName: cosign-public-keys # ensure this matches the public key secretName in the OciRegistryRule
# key1.pub: | # multiple public keys can be added to your secret, ensure each key name ends in .pub
# -----BEGIN PUBLIC KEY-----
# <your public key content here>
# -----END PUBLIC KEY-----
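Review bot: `pluginSecrets.oci` changes shape from a list to a map with `auth` and `pubKeys`, so any existing override of the form `pluginSecrets.oci: [ ... ]` now fails at template time in `range .Values.pluginSecrets.oci.auth` on upgrade; call this out as a breaking values change. In the `auth` comments it is worth advising users to quote passwords with YAML-significant characters, since the template does not quote them. For `pubKeys`, the example correctly shows the block scalar `|` and the `.pub` suffix, but should state that keys without the suffix are ignored by the template, and that the Secret holds public material only, so the same Secret name can be referenced from several OciRegistryRules without widening any trust.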