OCPNODE-2339: Add PKI field to (cluster)imagepolicy #2088
Conversation
|
Hello @QiWang19! Some important instructions when contributing to openshift/api: |
openshift-ci
bot
added
the
size/XXL
QiWang19
changed the title
openshift-ci-robot
added
the
jira/valid-reference
|
@QiWang19: This pull request references OCPNODE-2339 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.18.0" version, but no target version was set. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
/test all |
|
/test verify-crd-schema |
|
/test integration |
|
/test all |
|
/test verify-crd-schema |
|
/test integration |
|
/test verify-crd-schema |
|
/test integration |
| type PolicyType string | ||
|
|
||
| const ( | ||
| PublicKeyRootOfTrust PolicyType = "PublicKey" | ||
| FulcioCAWithRekorRootOfTrust PolicyType = "FulcioCAWithRekor" | ||
| PKIRootOfTrust PolicyType = "PKI" |
There was a problem hiding this comment.
Is there some way to make this enum-entry gated too? It's currently getting added to the tech-preview CRD manifest:
"FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification.
"PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI).
enum:
- PublicKey
- FulcioCAWithRekor
- PKI
|
/test integration |
|
/test integration |
QiWang19
force-pushed
the
byopki-api
branch
2 times, most recently
from
e43b2c9 to
1a30d73
Compare
|
/test integration |
|
/test integration |
|
/test integration |
QiWang19
force-pushed
the
byopki-api
branch
7 times, most recently
from
151a1ee to
6dae8df
Compare
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
/test integration |
|
/test integration |
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
@JoelSpeed could you help take a look? I am not sure the integration test failures: https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_api/2088/pull-ci-openshift-api-master-integration/1865931550843998208 |
...ig/v1alpha1/tests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml
Outdated
Show resolved
Hide resolved
| // +kubebuilder:validation:XValidation:rule="string(self).startsWith('-----BEGIN CERTIFICATE-----')",message="the caRootsData must start with base64 encoding of '-----BEGIN CERTIFICATE-----'." | ||
| // +kubebuilder:validation:XValidation:rule="string(self).endsWith('-----END CERTIFICATE-----\\n') || string(self).endsWith('-----END CERTIFICATE-----')",message="the caRootsData must end with base64 encoding of '-----END CERTIFICATE-----'." |
There was a problem hiding this comment.
Nice validation addition, thanks
| // caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 bytes. | ||
| // +required | ||
| // +kubebuilder:validation:MaxLength=8192 | ||
| // +kubebuilder:validation:XValidation:rule="string(self).startsWith('-----BEGIN CERTIFICATE-----')",message="the caRootsData must start with base64 encoding of '-----BEGIN CERTIFICATE-----'." |
There was a problem hiding this comment.
Potentially want a check that you have the same number of begin and end certificate lines?
self.findAll('-----BEGIN CERTIFICATE-----').size() == self.findAll('-----END CERTIFICATE-----').size()
| // +kubebuilder:validation:XValidation:rule="string(self).endsWith('-----END CERTIFICATE-----\\n') || string(self).endsWith('-----END CERTIFICATE-----')",message="the caRootsData must end with base64 encoding of '-----END CERTIFICATE-----'." | ||
| CertificateAuthorityRootsData []byte `json:"caRootsData"` | ||
| // caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 bytes. | ||
| // caIntermediatesData requires CertificateAuthorityRoots to be set. |
There was a problem hiding this comment.
Validate this with CEL
has(self.caIntermediatesData) ? has(self.caRootsData) : true
Also, you are using the go type name for CertificateAuthorityRoots, use the serialised version
There was a problem hiding this comment.
I tested it a bit, maybe it's not necessary? it seems we can not trigger validation if required caRootsData hasn't being set
spec:
scopes:
- example.com
policy:
rootOfTrust:
policyType: PKI
pki:
caRootsData: ****
pkiCertificateSubject:
email: [email protected]
hostname: invalid-email
The ClusterImagePolicy "pki-policy" is invalid:
* spec.policy.rootOfTrust.pki.caRootsData: Required value
* <nil>: Invalid value: "null": some validation rules were not checked because the object was invalid; correct the existing errors to complete validation
There was a problem hiding this comment.
You're right, caRootsData is required so this isn't needed, good point
QiWang19
force-pushed
the
byopki-api
branch
2 times, most recently
from
926b445 to
2a9ff48
Compare
| // +kubebuilder:validation:MaxLength:=320 | ||
| // +kubebuilder:validation:XValidation:rule=`self.matches('^\\S+@\\S+$')`,message="invalid email address in pkiCertificateSubject" | ||
| Email string `json:"email,omitempty"` | ||
| // hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. |
There was a problem hiding this comment.
| // hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. | |
| // hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. | |
| // The hostname should be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. | |
| // It should consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk. |
| // +kubebuilder:validation:XValidation:rule="has(self.email) || has(self.hostname)", message="at least one of email or hostname must be set in pkiCertificateSubject" | ||
| // +openshift:enable:FeatureGate=SigstoreImageVerificationPKI | ||
| type PKICertificateSubject struct { | ||
| // email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. |
There was a problem hiding this comment.
How would you explain the validation requirements of this field? Must be a valid email address and be at most 320 characters in length?
| // +kubebuilder:validation:MaxLength=8192 | ||
| // +kubebuilder:validation:XValidation:rule="string(self).startsWith('-----BEGIN CERTIFICATE-----')",message="the caRootsData must start with base64 encoding of '-----BEGIN CERTIFICATE-----'." | ||
| // +kubebuilder:validation:XValidation:rule="string(self).endsWith('-----END CERTIFICATE-----\\n') || string(self).endsWith('-----END CERTIFICATE-----')",message="the caRootsData must end with base64 encoding of '-----END CERTIFICATE-----'." | ||
| // +kubebuilder:validation:XValidation:rule="string(self).findAll('-----BEGIN CERTIFICATE-----').size() == string(self).findAll('-----END CERTIFICATE-----').size()",message="caRootsData must be base64 encoding of valid PEM format data contain the same number of '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' markers." |
There was a problem hiding this comment.
Please make sure this validation is tested
…olicy Add PKI to clusterimagepolicy with DevPreview featuregate SigstoreImageVerificationPKI. This field allow verification of image signature created by cosign BYOPKI feature. Signed-off-by: Qi Wang <[email protected]>
|
@QiWang19: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/lgtm New required fields are within an optional struct, so are valid. This is an error in the detection. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: JoelSpeed, QiWang19 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
@JoelSpeed: Overrode contexts on behalf of JoelSpeed: ci/prow/verify-crd-schema In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Add PKI to clusterimagepolicy with DevPreview featuregate SigstoreImageVerificationPKI.
This field allows verification of image signature created by cosign BYOPKI feature.
The enhancement: openshift/enhancements@3b62d2f
hold this PR before containers/image#2579