-
Notifications
You must be signed in to change notification settings - Fork 522
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OCPNODE-2339: Add PKI field to (cluster)imagepolicy #2088
base: master
Are you sure you want to change the base?
Conversation
Hello @QiWang19! Some important instructions when contributing to openshift/api: |
@QiWang19: This pull request references OCPNODE-2339 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.18.0" version, but no target version was set. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
/test all |
/test verify-crd-schema |
/test integration |
/test all |
/test verify-crd-schema |
/test integration |
/test verify-crd-schema |
/test integration |
type PolicyType string | ||
|
||
const ( | ||
PublicKeyRootOfTrust PolicyType = "PublicKey" | ||
FulcioCAWithRekorRootOfTrust PolicyType = "FulcioCAWithRekor" | ||
PKIRootOfTrust PolicyType = "PKI" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there some way to make this enum-entry gated too? It's currently getting added to the tech-preview CRD manifest:
"FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification.
"PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI).
enum:
- PublicKey
- FulcioCAWithRekor
- PKI
/test integration |
/test integration |
e43b2c9
to
1a30d73
Compare
/test integration |
/test integration |
/test integration |
151a1ee
to
6dae8df
Compare
/test integration |
/test integration |
@JoelSpeed could you help take a look? I am not sure the integration test failures: https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_api/2088/pull-ci-openshift-api-master-integration/1865931550843998208 |
...ig/v1alpha1/tests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml
Outdated
Show resolved
Hide resolved
// +kubebuilder:validation:XValidation:rule="string(self).startsWith('-----BEGIN CERTIFICATE-----')",message="the caRootsData must start with base64 encoding of '-----BEGIN CERTIFICATE-----'." | ||
// +kubebuilder:validation:XValidation:rule="string(self).endsWith('-----END CERTIFICATE-----\\n') || string(self).endsWith('-----END CERTIFICATE-----')",message="the caRootsData must end with base64 encoding of '-----END CERTIFICATE-----'." |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice validation addition, thanks
// caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 bytes. | ||
// +required | ||
// +kubebuilder:validation:MaxLength=8192 | ||
// +kubebuilder:validation:XValidation:rule="string(self).startsWith('-----BEGIN CERTIFICATE-----')",message="the caRootsData must start with base64 encoding of '-----BEGIN CERTIFICATE-----'." |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Potentially want a check that you have the same number of begin and end certificate lines?
self.findAll('-----BEGIN CERTIFICATE-----').size() == self.findAll('-----END CERTIFICATE-----').size()
// +kubebuilder:validation:XValidation:rule="string(self).endsWith('-----END CERTIFICATE-----\\n') || string(self).endsWith('-----END CERTIFICATE-----')",message="the caRootsData must end with base64 encoding of '-----END CERTIFICATE-----'." | ||
CertificateAuthorityRootsData []byte `json:"caRootsData"` | ||
// caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 bytes. | ||
// caIntermediatesData requires CertificateAuthorityRoots to be set. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Validate this with CEL
has(self.caIntermediatesData) ? has(self.caRootsData) : true
Also, you are using the go type name for CertificateAuthorityRoots
, use the serialised version
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tested it a bit, maybe it's not necessary? it seems we can not trigger validation if required caRootsData hasn't being set
spec:
scopes:
- example.com
policy:
rootOfTrust:
policyType: PKI
pki:
caRootsData: ****
pkiCertificateSubject:
email: [email protected]
hostname: invalid-email
The ClusterImagePolicy "pki-policy" is invalid:
* spec.policy.rootOfTrust.pki.caRootsData: Required value
* <nil>: Invalid value: "null": some validation rules were not checked because the object was invalid; correct the existing errors to complete validation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You're right, caRootsData is required so this isn't needed, good point
926b445
to
2a9ff48
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking pretty good, would like the email and hostname godoc updating with validation requirements and one more test for the new validation, then I think this is good to go
// +kubebuilder:validation:MaxLength:=320 | ||
// +kubebuilder:validation:XValidation:rule=`self.matches('^\\S+@\\S+$')`,message="invalid email address in pkiCertificateSubject" | ||
Email string `json:"email,omitempty"` | ||
// hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. | |
// hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. | |
// The hostname should be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. | |
// It should consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk. |
// +kubebuilder:validation:XValidation:rule="has(self.email) || has(self.hostname)", message="at least one of email or hostname must be set in pkiCertificateSubject" | ||
// +openshift:enable:FeatureGate=SigstoreImageVerificationPKI | ||
type PKICertificateSubject struct { | ||
// email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How would you explain the validation requirements of this field? Must be a valid email address and be at most 320 characters in length?
// +kubebuilder:validation:MaxLength=8192 | ||
// +kubebuilder:validation:XValidation:rule="string(self).startsWith('-----BEGIN CERTIFICATE-----')",message="the caRootsData must start with base64 encoding of '-----BEGIN CERTIFICATE-----'." | ||
// +kubebuilder:validation:XValidation:rule="string(self).endsWith('-----END CERTIFICATE-----\\n') || string(self).endsWith('-----END CERTIFICATE-----')",message="the caRootsData must end with base64 encoding of '-----END CERTIFICATE-----'." | ||
// +kubebuilder:validation:XValidation:rule="string(self).findAll('-----BEGIN CERTIFICATE-----').size() == string(self).findAll('-----END CERTIFICATE-----').size()",message="caRootsData must be base64 encoding of valid PEM format data contain the same number of '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' markers." |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please make sure this validation is tested
…olicy Add PKI to clusterimagepolicy with DevPreview featuregate SigstoreImageVerificationPKI. This field allow verification of image signature created by cosign BYOPKI feature. Signed-off-by: Qi Wang <[email protected]>
@QiWang19: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
/lgtm New required fields are within an optional struct, so are valid. This is an error in the detection. |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: JoelSpeed, QiWang19 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@JoelSpeed: Overrode contexts on behalf of JoelSpeed: ci/prow/verify-crd-schema In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Add PKI to clusterimagepolicy with DevPreview featuregate SigstoreImageVerificationPKI.
This field allows verification of image signature created by cosign BYOPKI feature.
The enhancement: openshift/enhancements@3b62d2f
hold this PR before containers/image#2579