Merge pull request #10 from cpanato/add-cosigned

charts: move cosigned chart from s/cosign to the helm repo

.github/workflows/test.yml

@@ -14,6 +14,8 @@ jobs:
         with:
           fetch-depth: 0
 
+      - uses: sigstore/cosign-installer@v1.1.0
+
       - name: Set up Helm
         uses: azure/setup-helm@v1
         with:
@@ -26,17 +28,26 @@ jobs:
       - name: Set up chart-testing
         uses: helm/chart-testing-action@v2.1.0
 
+      - name: Run chart-testing (list-changed)
+        id: list-changed
+        run: |
+          changed=$(ct list-changed --config ct.yaml)
+          if [[ -n "$changed" ]]; then
+            echo "::set-output name=changed::true"
+          fi
+
       - name: Run chart-testing (lint)
-        run: ct lint --config ct.yaml --all
+        run: ct lint --config ct.yaml
 
       - name: "Add NGINX Ingress Repository"
         run: "helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx"
 
       - name: Create KIND Cluster
         uses: helm/kind-action@v1.2.0
+        if: steps.list-changed.outputs.changed == 'true'
 
       - name: Install Ingress Controller
         run: "helm install ingress-nginx/ingress-nginx --generate-name --set controller.service.type='NodePort' --set controller.admissionWebhooks.enabled=false"
 
       - name: Run chart-testing (install)
-        run: ct install --config ct.yaml --all
+        run: ct install --config ct.yaml

README.md

@@ -14,4 +14,5 @@ $ helm repo update
 
 ## Charts
 
-* [rekor](charts/rekor)
+* [rekor](charts/rekor)
+* [cosigned](charts/cosigned)

charts/cosigned/.helmignore

@@ -0,0 +1,20 @@
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/cosigned/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+description: The Helm chart for Cosigned
+home: https://github.com/sigstore/cosign
+sources:
+  - https://github.com/sigstore/cosign
+name: cosigned
+type: application
+version: v0.0.3-dev
+appVersion: v1.2.0
+maintainers:
+  - name: dlorenc
+  - name: hectorj2f

charts/cosigned/README.md

@@ -0,0 +1,56 @@
+# Cosigned Admission Webhook
+
+## Requirements
+* Kubernetes cluster with rights to install admission webhooks
+* Helm
+
+## Deploy `cosigned` Helm Chart
+
+Generate a keypair to validate the signatures of the deployed Kubernetes resources and their images:
+
+```shell
+export COSIGN_PASSWORD=<my_cosign_password>
+cosign generate-key-pair
+```
+
+The previous command generates two key files `cosign.key` and `cosign.pub`. Next, create a secret to validate the signatures:
+
+```shell
+kubectl create namespace cosign-system
+
+kubectl create secret generic mysecret -n cosign-system --from-file=cosign.pub=./cosign.pub --from-file=cosign.key=./cosign.key --from-literal=cosign.password=$COSING_PASSWORD
+```
+
+Install `cosigned` using Helm and setting the value of the secret key reference to `mysecret` that you created above:
+
+```shell
+helm repo add sigstore https://sigstore.github.io/helm-charts
+
+helm repo update
+
+helm install cosigned -n cosign-system sigstore/cosigned --devel --set webhook.secretKeyRef.name=mysecret
+```
+
+To enable the Admission Controller to check the signed images you will need to add the following annotation in the namespaces that you are interested to watch:
+
+Annotation: `cosigned.sigstore.dev/include: "true"`
+
+```yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    cosigned.sigstore.dev/include: "true"
+    kubernetes.io/metadata.name: my-namespace
+  name: my-namespace
+spec:
+  finalizers:
+  - kubernetes
+```
+
+Then when creating, for example, a Deployment that does not have the images signed you will get the following error:
+
+```shell
+kubectl apply -f my-deployment.yaml
+Error from server (BadRequest): error when creating "my-deployment.yaml": admission webhook "cosigned.sigstore.dev" denied the request: validation failed: invalid image signature: spec.template.spec.containers[0].image
+```

charts/cosigned/ci/ci-values.yaml

@@ -0,0 +1,4 @@
+cosign:
+  cosignKey: LS0tLS1CRUdJTiBFTkNSWVBURUQgQ09TSUdOIFBSSVZBVEUgS0VZLS0tLS0KZXlKclpHWWlPbnNpYm1GdFpTSTZJbk5qY25sd2RDSXNJbkJoY21GdGN5STZleUpPSWpvek1qYzJPQ3dpY2lJNgpPQ3dpY0NJNk1YMHNJbk5oYkhRaU9pSkRXbVJYVFdkdlZFdFFUVkZ1YmxkU01VVnVabU0xYmxWVFZFcHBNamMxClRHSklMMVpJVmtzclZqVlpQU0o5TENKamFYQm9aWElpT25zaWJtRnRaU0k2SW01aFkyd3ZjMlZqY21WMFltOTQKSWl3aWJtOXVZMlVpT2lKTFYwMDBWVWRvTURseGNpOWlhV00wYXpjMVRuY3pURFZPTm5WaldqazNlaUo5TENKagphWEJvWlhKMFpYaDBJam9pZG5kUFZsSTVNazE1VmtGUVlWRkthVVp6YW0xbkwwVklkMk5uUTBaTE5tUmlRelk1CmJFOVpWVWRRUkdoV1owWjFaM0UwWVV4UGVqZEZVREZzTUc1a2N6ZFFWVEZFTVcwNGNqVnNWV3h1TW1KcU5UWXgKSzNnd2NqbDBTbFJLYzJOdk1WRnNTVmhJVEhaQ2RYa3ZSa2hMVEc4M2FEWlhXVmxMY1NzemRtRnFjMEZTY25SWApjRTFFYlVaYWNsTjVOa2Q1T1dwUVRHTXpTMkY2YVRVNE5IRTJaVnBIZGk5WU5YaE1RMmxoWkhaR1pscDFhVTlNCk5qaHFhelJNTVRRNVVsSXhkV1ppV1Zab1EwcENZU3NyUm5jOVBTSjkKLS0tLS1FTkQgRU5DUllQVEVEIENPU0lHTiBQUklWQVRFIEtFWS0tLS0tCg==
+  cosignPub: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFZ3VQMEd0aEUrTGYxQzZyWlQ4ZzlDbUtWQk5ReApicnZTWTdGMG94ODFUVzlBcExrSjVIdmtTNzJVQ0ZkZjJaV2JNMXkxZEMyS0FIM1l0Q1lOM1JCdHp3PT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
+  cosignPassword: aG9ua0AxMjM=

charts/cosigned/templates/_helpers.tpl

@@ -0,0 +1,117 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cosigned.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "cosigned.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cosigned.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "cosigned.labels" -}}
+helm.sh/chart: {{ include "cosigned.chart" . }}
+{{ include "cosigned.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "cosigned.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "cosigned.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "cosigned.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "cosigned.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Self-signed certificate authority issuer name
+*/}}
+{{- define "cosigned.CAIssuerName" -}}
+{{- if .Values.certificates.ca.issuer.name -}}
+{{ .Values.certificates.ca.issuer.name }}
+{{- else -}}
+{{ template "cosigned.fullname" . }}-ca-issuer
+{{- end -}}
+{{- end -}}
+
+{{/*
+CA Certificate issuer name
+*/}}
+{{- define "cosigned.CAissuerName" -}}
+{{- if .Values.certificates.selfSigned -}}
+{{ template "cosigned.CAIssuerName" . }}
+{{- else -}}
+{{ required "A valid .Values.certificates.ca.issuer.name is required!" .Values.certificates.issuer.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+CA signed certificate issuer name
+*/}}
+{{- define "cosigned.IssuerName" -}}
+{{- if .Values.certificates.issuer.name -}}
+{{ .Values.certificates.issuer.name }}
+{{- else -}}
+{{ template "cosigned.fullname" . }}-issuer
+{{- end -}}
+{{- end -}}
+
+{{/*
+Certificate issuer name
+*/}}
+{{- define "cosigned.issuerName" -}}
+{{- if .Values.certificates.selfSigned -}}
+{{ template "cosigned.IssuerName" . }}
+{{- else -}}
+{{ required "A valid .Values.certificates.issuer.name is required!" .Values.certificates.issuer.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the image path for the passed in image field
+*/}}
+{{- define "cosigned.image" -}}
+{{- if eq (substr 0 7 .version) "sha256:" -}}
+{{- printf "%s@%s" .repository .version -}}
+{{- else -}}
+{{- printf "%s:%s" .repository .version -}}
+{{- end -}}
+{{- end -}}

charts/cosigned/templates/webhook/clusterrole_webhook.yaml

@@ -0,0 +1,27 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "cosigned.fullname" . }}-webhook
+  labels:
+    {{- include "cosigned.labels" . | nindent 4 }}
+    control-plane: {{ template "cosigned.fullname" . }}-webhook
+rules:
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create"]
+  # Allow the reconciliation of exactly our validating webhook.
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["get", "update"]
+    resourceNames: ["cosigned.sigstore.dev"]
+
+  - apiGroups: [""]
+    resources: ["namespaces"]
+    verbs: ["get", "list"]
+    # The webhook configured the namespace as the OwnerRef on various cluster-scoped resources,
+    # which requires we can Get the system namespace.
+    resourceNames: [ "{{ .Release.Namespace }}" ]

charts/cosigned/templates/webhook/clusterrolebindings_webhook.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "cosigned.fullname" . }}-webhook
+  labels:
+    {{- include "cosigned.labels" . | nindent 4 }}
+    control-plane: {{ template "cosigned.fullname" . }}-webhook
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "cosigned.fullname" . }}-webhook
+subjects:
+- kind: ServiceAccount
+  name: {{ template "cosigned.fullname" . }}-webhook
+  namespace: {{ .Release.Namespace }}

charts/cosigned/templates/webhook/configmap.yaml

@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    {{- include "cosigned.labels" . | nindent 4 }}
+    control-plane: {{ template "cosigned.fullname" . }}-webhook
+  name: {{ template "cosigned.fullname" . }}-webhook-logging
+  namespace: {{ .Release.Namespace }}
+data:
+  zap-logger-config: |-
+    {
+      "level": "info",
+      "development": false,
+      "outputPaths": ["stdout"],
+      "errorOutputPaths": ["stderr"],
+      "encoding": "json",
+      "encoderConfig": {
+        "timeKey": "ts",
+        "levelKey": "level",
+        "nameKey": "logger",
+        "callerKey": "caller",
+        "messageKey": "msg",
+        "stacktraceKey": "stacktrace",
+        "lineEnding": "",
+        "levelEncoder": "",
+        "timeEncoder": "iso8601",
+        "durationEncoder": "",
+        "callerEncoder": ""
+      }
+    }
+  # Log level overrides
+  # Changes are be picked up immediately.
+  loglevel.controller: "info"
+  loglevel.webhook: "info"

charts/cosigned/templates/webhook/cosign_secret.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    {{- include "cosigned.labels" . | nindent 4 }}
+  name: {{ template "cosigned.fullname" . }}-cosign-key
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+  cosign.key: {{ .Values.cosign.cosignKey}}
+  cosign.password: {{ .Values.cosign.cosignPassword}}
+  cosign.pub: {{ .Values.cosign.cosignPub}}