-
Notifications
You must be signed in to change notification settings - Fork 136
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adds initial Attestor implementation. #998
base: main
Are you sure you want to change the base?
Conversation
This is the initial implementation of Attestors, which uses generics to link chains components together with strict typing. To start, this adds Attestor implementations of OCI signing and v1 SLSA attestations. These Attestors are NOT wired up to the controller yet, since they don't yet support the full range of config options (and there's likely a few tweaks we need to make in order to help reuse components like signers between Attestors).
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
The following is the coverage report on the affected files.
|
@wlynch: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall, it makes sense to me. Need to have a more thorough look.
_ formats.Formatter[name.Digest, SimpleContainerImage] = &SimpleSigningPayloader{} | ||
) | ||
|
||
type SimpleSigningPayloader SimpleSigning |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit, but this should probably be called something like SimpleSigningFormatter
.
} | ||
|
||
type InTotoIte6 struct { | ||
slsaConfig *slsaconfig.SlsaConfig | ||
} | ||
|
||
func NewFormatter(cfg config.Config) (formats.Payloader, error) { | ||
func NewPayloader(cfg config.Config) (formats.Payloader, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this be marked as deprecated (also NewPayloaderFromConfig
)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually... I don't think I fully understand Payloader vs Formatter 🤔
} | ||
|
||
var opts []oci.Option | ||
if repo := cfg.Storage.OCI.Repository; repo != "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's pay special attention here. We recently had to fix a bug in our handling of this config value.
We should also make sure cfg.Storage.OCI.Insecure
is handled properly.
return &Attestor[objects.TektonObject, *v1.ProvenanceStatement]{ | ||
payloader: v1.NewPayloaderFromConfig(cfg), | ||
signer: wrapped, | ||
// TODO: add support for other storage options. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I'd be curious to see what this function would look like once we have support for all. It could end up quite large. Or maybe, storer
is determined by another function that takes into account the current configuration, and returns the right thing.
|
||
func (s *AttestationStorer[T]) storeImage(ctx context.Context, img name.Digest, att oci.Signature) error { | ||
logger := logging.FromContext(ctx) | ||
repo := img.Repository |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We need to handle cfg.Storage.OCI.Insecure
here somehow.
@wlynch: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Changes
This is the initial implementation of Attestors, which uses generics to link chains components together with strict typing.
To start, this adds Attestor implementations of OCI signing and v1 SLSA attestations. These Attestors are NOT wired up to the controller yet, since they don't yet support the full range of config options (and there's likely a few tweaks we need to make in order to help reuse components like signers between Attestors).
attestors.go
is the file to pay most attention to in this PR.Part of #780
Submitter Checklist
As the author of this PR, please check off the items in this checklist:
functionality, content, code)
Release Notes