From d9db36f57c47de409f0ed8cbec36ae06db662951 Mon Sep 17 00:00:00 2001 From: Carlos Panato Date: Thu, 2 Sep 2021 14:01:08 +0200 Subject: [PATCH 1/2] charts: move cosigned chart from s/cosign to the helm repo 
Signed-off-by: Carlos Panato --- .github/workflows/test.yml | 15 ++- README.md | 3 +- charts/cosigned/.helmignore | 20 +++ charts/cosigned/Chart.yaml | 12 ++ charts/cosigned/README.md | 58 +++++++++ charts/cosigned/ci/ci-values.yaml | 4 + charts/cosigned/templates/_helpers.tpl | 117 ++++++++++++++++++ .../webhook/clusterrole_webhook.yaml | 27 ++++ .../webhook/clusterrolebindings_webhook.yaml | 15 +++ .../cosigned/templates/webhook/configmap.yaml | 34 +++++ .../templates/webhook/cosign_secret.yaml | 12 ++ .../templates/webhook/deployment_webhook.yaml | 95 ++++++++++++++ .../templates/webhook/role_webhook.yaml | 17 +++ .../webhook/rolebinding_webhook.yaml | 15 +++ .../templates/webhook/sa_webhook.yaml | 8 ++ .../webhook/secret_certs_webhook.yaml | 13 ++ .../templates/webhook/service_webhook.yaml | 25 ++++ .../templates/webhook/webhook_validating.yaml | 19 +++ charts/cosigned/values.yaml | 50 ++++++++ ct.yaml | 2 + 20 files changed, 558 insertions(+), 3 deletions(-) create mode 100644 charts/cosigned/.helmignore create mode 100644 charts/cosigned/Chart.yaml create mode 100644 charts/cosigned/README.md create mode 100644 charts/cosigned/ci/ci-values.yaml create mode 100644 charts/cosigned/templates/_helpers.tpl create mode 100644 charts/cosigned/templates/webhook/clusterrole_webhook.yaml create mode 100644 charts/cosigned/templates/webhook/clusterrolebindings_webhook.yaml create mode 100644 charts/cosigned/templates/webhook/configmap.yaml create mode 100644 charts/cosigned/templates/webhook/cosign_secret.yaml create mode 100644 charts/cosigned/templates/webhook/deployment_webhook.yaml create mode 100644 charts/cosigned/templates/webhook/role_webhook.yaml create mode 100644 charts/cosigned/templates/webhook/rolebinding_webhook.yaml create mode 100644 charts/cosigned/templates/webhook/sa_webhook.yaml create mode 100644 charts/cosigned/templates/webhook/secret_certs_webhook.yaml create mode 100644 charts/cosigned/templates/webhook/service_webhook.yaml create mode 100644 
charts/cosigned/templates/webhook/webhook_validating.yaml create mode 100644 charts/cosigned/values.yaml diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 77cca9fd..a61fa1f3 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -14,6 +14,8 @@ jobs: with: fetch-depth: 0 + - uses: sigstore/cosign-installer@v1.1.0 + - name: Set up Helm uses: azure/setup-helm@v1 with: @@ -26,17 +28,26 @@ jobs: - name: Set up chart-testing uses: helm/chart-testing-action@v2.1.0 + - name: Run chart-testing (list-changed) + id: list-changed + run: | + changed=$(ct list-changed --config ct.yaml) + if [[ -n "$changed" ]]; then + echo "::set-output name=changed::true" + fi + - name: Run chart-testing (lint) - run: ct lint --config ct.yaml --all + run: ct lint --config ct.yaml - name: "Add NGINX Ingress Repository" run: "helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx" - name: Create KIND Cluster uses: helm/kind-action@v1.2.0 + if: steps.list-changed.outputs.changed == 'true' - name: Install Ingress Controller run: "helm install ingress-nginx/ingress-nginx --generate-name --set controller.service.type='NodePort' --set controller.admissionWebhooks.enabled=false" - name: Run chart-testing (install) - run: ct install --config ct.yaml --all + run: ct install --config ct.yaml diff --git a/README.md b/README.md index e7d7f779..a6221a18 100644 --- a/README.md +++ b/README.md @@ -14,4 +14,5 @@ $ helm repo update ## Charts -* [rekor](charts/rekor) \ No newline at end of file +* [rekor](charts/rekor) +* [cosigned](charts/cosigned) diff --git a/charts/cosigned/.helmignore b/charts/cosigned/.helmignore new file mode 100644 index 00000000..351b35f4 --- /dev/null +++ b/charts/cosigned/.helmignore @@ -0,0 +1,20 @@ +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ 
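Review bot: `sigstore/cosign-installer@v1.1.0` is referenced by a mutable tag, and nothing in the visible hunks of test.yml invokes `cosign`, so the step's purpose is not apparent from the workflow. If a chart-testing hook or a later step needs the CLI, say so in a comment above the step, e.g. `# cosign CLI needed by <which step> — TODO`; for a tool that handles signing keys it is worth pinning the action to a full commit SHA with the tag in a trailing comment rather than to the tag alone. The other actions in this file (`azure/setup-helm@v1`, `helm/chart-testing-action@v2.1.0`) are pinned the same way, so this is a file-wide choice rather than a regression introduced here.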
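Review bot: The `if: steps.list-changed.outputs.changed == 'true'` guard is applied only to the 'Create KIND Cluster' step, so when no chart changed, 'Install Ingress Controller' still runs `helm install` against a cluster that was never created and the job fails. Add the same guard to that step and to 'Run chart-testing (install)': `if: steps.list-changed.outputs.changed == 'true'`. The `ct list-changed` step depends on `fetch-depth: 0` on the checkout (present above) and on the `remote`/`target-branch` keys added to ct.yaml in this patch; a short comment on the step naming that dependency would help the next person who trims the checkout depth. GitHub has since deprecated `::set-output` in favour of writing `changed=true` to `$GITHUB_OUTPUT`, so this step will need updating when the runner images drop support.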
diff --git a/charts/cosigned/Chart.yaml b/charts/cosigned/Chart.yaml
new file mode 100644
index 00000000..aae4587e
--- /dev/null
+++ b/charts/cosigned/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+description: The Helm chart for Cosigned
+home: https://github.com/sigstore/cosign
+sources:
+ - https://github.com/sigstore/cosign
+name: cosigned
+type: application
+version: v0.0.3-dev
+appVersion: "dev"
+maintainers:
+ - name: dlorenc
+ - name: hectorj2f
diff --git a/charts/cosigned/README.md b/charts/cosigned/README.md
new file mode 100644
index 00000000..ef4d134d
--- /dev/null
+++ b/charts/cosigned/README.md
@@ -0,0 +1,58 @@ +# Cosigned Admission Webhook + +## Requirements +* Kubernetes cluster with rights to install admission webhooks +* Helm + +## Deploy `cosigned` Helm Chart + +Generate a keypair to validate the signatures of the deployed Kubernetes resources and their images: + +```shell +export COSIGN_PASSWORD= +cosign generate-key-pair +``` + +The previous command generates two key files `cosign.key` and `cosign.pub`. Next, create a secret to validate the signatures: + +```shell +kubectl create namespace cosign-system + +kubectl create secret generic mysecret -n cosign-system --from-file=cosign.pub=./cosign.pub --from-file=cosign.key=./cosign.key --from-literal=cosign.password=$COSING_PASSWORD +``` + +Install `cosigned` using Helm and setting the value of the secret key reference to `mysecret` that you created above: + +```shell +helm repo add sigstore https://sigstore.github.io/helm-charts + +helm repo update + +helm install cosigned -n cosign-system sigstore/cosigned --devel --set webhook.secretKeyRef.name=mysecret +``` + +We need to add the `--devel` flag because we are still in the development of the chart. 
This will be removed when we release cosigned `v1.2.0` + +To enable the Admission Controller to check the signed images you will need to add the following annotation in the namespaces that you are interested to watch: + +Annotation: `cosigned.sigstore.dev/include: "true"` + +```yaml +apiVersion: v1 +kind: Namespace +metadata: + labels: + cosigned.sigstore.dev/include: "true" + kubernetes.io/metadata.name: my-namespace + name: my-namespace +spec: + finalizers: + - kubernetes +``` + +Then when creating, for example, a Deployment that does not have the images signed you will get the following error: + +```shell +kubectl apply -f my-deployment.yaml +Error from server (BadRequest): error when creating "my-deployment.yaml": admission webhook "cosigned.sigstore.dev" denied the request: validation failed: invalid image signature: spec.template.spec.containers[0].image +``` diff --git a/charts/cosigned/ci/ci-values.yaml b/charts/cosigned/ci/ci-values.yaml new file mode 100644 index 00000000..15c62bef --- /dev/null +++ b/charts/cosigned/ci/ci-values.yaml @@ -0,0 +1,4 @@ +cosign: + cosignKey: 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 + cosignPub: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFZ3VQMEd0aEUrTGYxQzZyWlQ4ZzlDbUtWQk5ReApicnZTWTdGMG94ODFUVzlBcExrSjVIdmtTNzJVQ0ZkZjJaV2JNMXkxZEMyS0FIM1l0Q1lOM1JCdHp3PT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg== + cosignPassword: aG9ua0AxMjM= diff --git a/charts/cosigned/templates/_helpers.tpl b/charts/cosigned/templates/_helpers.tpl new file mode 100644 index 00000000..1108e175 --- /dev/null +++ b/charts/cosigned/templates/_helpers.tpl 
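Review bot: ci-values.yaml commits a cosign private key together with its password (`cosignPassword`) and public key to the repository; base64 is an encoding, not protection, so anyone with read access to the repo holds usable signing material. If this pair was generated solely for chart-testing, make that explicit at the top of the file, e.g. `# Disposable test keypair for ct install only — never use it to sign real images`, and make sure nothing outside CI ever trusts signatures made with it. If it is not disposable it should be treated as exposed and rotated, and the file replaced by a keypair generated inside the CI job (the workflow already installs `cosign`).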
@@ -0,0 +1,117 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "cosigned.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "cosigned.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "cosigned.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "cosigned.labels" -}} +helm.sh/chart: {{ include "cosigned.chart" . }} +{{ include "cosigned.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "cosigned.selectorLabels" -}} +app.kubernetes.io/name: {{ include "cosigned.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "cosigned.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "cosigned.fullname" .) 
.Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Self-signed certificate authority issuer name +*/}} +{{- define "cosigned.CAIssuerName" -}} +{{- if .Values.certificates.ca.issuer.name -}} +{{ .Values.certificates.ca.issuer.name }} +{{- else -}} +{{ template "cosigned.fullname" . }}-ca-issuer +{{- end -}} +{{- end -}} + +{{/* +CA Certificate issuer name +*/}} +{{- define "cosigned.CAissuerName" -}} +{{- if .Values.certificates.selfSigned -}} +{{ template "cosigned.CAIssuerName" . }} +{{- else -}} +{{ required "A valid .Values.certificates.ca.issuer.name is required!" .Values.certificates.issuer.name }} +{{- end -}} +{{- end -}} + +{{/* +CA signed certificate issuer name +*/}} +{{- define "cosigned.IssuerName" -}} +{{- if .Values.certificates.issuer.name -}} +{{ .Values.certificates.issuer.name }} +{{- else -}} +{{ template "cosigned.fullname" . }}-issuer +{{- end -}} +{{- end -}} + +{{/* +Certificate issuer name +*/}} +{{- define "cosigned.issuerName" -}} +{{- if .Values.certificates.selfSigned -}} +{{ template "cosigned.IssuerName" . }} +{{- else -}} +{{ required "A valid .Values.certificates.issuer.name is required!" .Values.certificates.issuer.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the image path for the passed in image field +*/}} +{{- define "cosigned.image" -}} +{{- if eq (substr 0 7 .version) "sha256:" -}} +{{- printf "%s@%s" .repository .version -}} +{{- else -}} +{{- printf "%s:%s" .repository .version -}} +{{- end -}} +{{- end -}} diff --git a/charts/cosigned/templates/webhook/clusterrole_webhook.yaml b/charts/cosigned/templates/webhook/clusterrole_webhook.yaml new file mode 100644 index 00000000..dcc6cb02 --- /dev/null +++ b/charts/cosigned/templates/webhook/clusterrole_webhook.yaml 
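Review bot: In `cosigned.CAissuerName` the `required` message names `.Values.certificates.ca.issuer.name` but the value evaluated is `.Values.certificates.issuer.name`, so a failed render reports the wrong key; the branch should read `{{ required "A valid .Values.certificates.ca.issuer.name is required!" .Values.certificates.ca.issuer.name }}`. More broadly, `cosigned.serviceAccountName` and the four issuer helpers read `.Values.serviceAccount` and `.Values.certificates`, neither of which values.yaml in this patch defines, and no template in the patch calls them; the first caller will see a `nil pointer evaluating interface {}.create`-style render failure rather than a useful error. Either add the matching keys to values.yaml or drop the unused helpers so the chart's surface matches what it actually renders.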
@@ -0,0 +1,27 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "cosigned.fullname" . }}-webhook
+ labels:
+ {{- include "cosigned.labels" . | nindent 4 }}
+ control-plane: {{ template "cosigned.fullname" . }}-webhook
+rules:
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create"]
+ # Allow the reconciliation of exactly our validating webhook.
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations"]
+ verbs: ["list", "watch"]
+
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations"]
+ verbs: ["get", "update"]
+ resourceNames: ["cosigned.sigstore.dev"]
+
+ - apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["get", "list"]
+ # The webhook configured the namespace as the OwnerRef on various cluster-scoped resources,
+ # which requires we can Get the system namespace.
+ resourceNames: [ "{{ .Release.Namespace }}" ]
diff --git a/charts/cosigned/templates/webhook/clusterrolebindings_webhook.yaml b/charts/cosigned/templates/webhook/clusterrolebindings_webhook.yaml
new file mode 100644
index 00000000..71c714db
--- /dev/null
+++ b/charts/cosigned/templates/webhook/clusterrolebindings_webhook.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "cosigned.fullname" . }}-webhook
+ labels:
+ {{- include "cosigned.labels" . | nindent 4 }}
+ control-plane: {{ template "cosigned.fullname" . }}-webhook
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "cosigned.fullname" . }}-webhook
+subjects:
+- kind: ServiceAccount
+ name: {{ template "cosigned.fullname" . }}-webhook
+ namespace: {{ .Release.Namespace }}
diff --git a/charts/cosigned/templates/webhook/configmap.yaml b/charts/cosigned/templates/webhook/configmap.yaml
new file mode 100644
index 00000000..ea332d05
--- /dev/null
+++ b/charts/cosigned/templates/webhook/configmap.yaml
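Review bot: The namespaces rule grants `list` next to `get` while restricting with `resourceNames`, but as far as I can tell RBAC honours `resourceNames` on `list` only when the request is filtered on `metadata.name`, so the `list` verb is either ineffective here or, if someone later drops the restriction, a wider grant than the comment ('requires we can Get the system namespace') describes. Unless the webhook really lists namespaces, reduce it to `verbs: ["get"]`, matching the comment. The other rules are well scoped: cluster-wide list/watch on ValidatingWebhookConfigurations with get/update limited to `cosigned.sigstore.dev`.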
@@ -0,0 +1,34 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + {{- include "cosigned.labels" . | nindent 4 }} + control-plane: {{ template "cosigned.fullname" . }}-webhook + name: {{ template "cosigned.fullname" . }}-webhook-logging + namespace: {{ .Release.Namespace }} +data: + zap-logger-config: |- + { + "level": "info", + "development": false, + "outputPaths": ["stdout"], + "errorOutputPaths": ["stderr"], + "encoding": "json", + "encoderConfig": { + "timeKey": "ts", + "levelKey": "level", + "nameKey": "logger", + "callerKey": "caller", + "messageKey": "msg", + "stacktraceKey": "stacktrace", + "lineEnding": "", + "levelEncoder": "", + "timeEncoder": "iso8601", + "durationEncoder": "", + "callerEncoder": "" + } + } + # Log level overrides + # Changes are be picked up immediately. + loglevel.controller: "info" + loglevel.webhook: "info" diff --git a/charts/cosigned/templates/webhook/cosign_secret.yaml b/charts/cosigned/templates/webhook/cosign_secret.yaml new file mode 100644 index 00000000..fcede41f --- /dev/null +++ b/charts/cosigned/templates/webhook/cosign_secret.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Secret +metadata: + labels: + {{- include "cosigned.labels" . | nindent 4 }} + name: {{ template "cosigned.fullname" . }}-cosign-key + namespace: {{ .Release.Namespace }} +type: Opaque +data: + cosign.key: {{ .Values.cosign.cosignKey}} + cosign.password: {{ .Values.cosign.cosignPassword}} + cosign.pub: {{ .Values.cosign.cosignPub}} diff --git a/charts/cosigned/templates/webhook/deployment_webhook.yaml b/charts/cosigned/templates/webhook/deployment_webhook.yaml new file mode 100644 index 00000000..c90623ec --- /dev/null +++ b/charts/cosigned/templates/webhook/deployment_webhook.yaml 
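Review bot: `cosign.key: {{ .Values.cosign.cosignKey}}` and the two lines below render the raw values with neither `required` nor `quote`, and values.yaml in this patch leaves all three empty, so a default install produces a Secret with null data and a webhook with no verification key; the README in the same patch documents `--set webhook.secretKeyRef.name=mysecret`, which no template reads, so the documented install path yields the same empty Secret. Fail the render instead, e.g. `cosign.pub: {{ required "cosign.cosignPub is required" .Values.cosign.cosignPub | quote }}` for each of the three keys, or add an `existingSecret` value and skip this template when it is set. Passing the private key and its password through `--set` also stores them in the Helm release Secret; if the admission webhook only verifies signatures it may need nothing but `cosign.pub` — worth confirming against the webhook's secret handling before shipping the private key to the cluster at all.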
@@ -0,0 +1,95 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + {{- include "cosigned.labels" . | nindent 4 }} + control-plane: {{ template "cosigned.fullname" . }}-webhook + name: {{ template "cosigned.fullname" . }}-webhook + namespace: {{ .Release.Namespace }} +spec: + replicas: 1 + selector: + matchLabels: + {{- include "cosigned.selectorLabels" . | nindent 6 }} + control-plane: {{ template "cosigned.fullname" . }}-webhook + template: + metadata: + labels: + {{- include "cosigned.selectorLabels" . | nindent 8 }} + control-plane: {{ template "cosigned.fullname" . }}-webhook + spec: + nodeSelector: + {{- toYaml .Values.commonNodeSelector | nindent 8 }} + tolerations: + {{- toYaml .Values.commonTolerations | nindent 8 }} + serviceAccountName: {{ template "cosigned.fullname" . }}-webhook + terminationGracePeriodSeconds: 10 + containers: + - name: {{ template "cosigned.name" . }}-{{ .Values.webhook.name }} + image: "{{ template "cosigned.image" .Values.webhook.image }}" + imagePullPolicy: "{{ .Values.webhook.image.pullPolicy }}" + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONFIG_LOGGING_NAME + value: {{ template "cosigned.fullname" . }}-webhook-logging + - name: METRICS_DOMAIN + value: sigstore.dev/cosigned + - name: WEBHOOK_NAME + value: webhook +{{- if .Values.webhook.env }} +{{- range $key, $value := .Values.webhook.env }} + - name: "{{ $key }}" + value: "{{ $value }}" +{{- end }} +{{- end }} + args: + - -secret-name={{ template "cosigned.fullname" . }}-cosign-key + {{- range $key, $value := .Values.webhook.extraArgs }} + - -{{ $key }}={{ $value }} + {{- end }} + ports: + - containerPort: 8443 + name: https + protocol: TCP + - containerPort: 9090 + name: metrics + protocol: TCP + resources: + {{- with .Values.webhook.resources }} + {{- toYaml . 
| nindent 10 }} + {{- end }} + livenessProbe: + failureThreshold: 6 + initialDelaySeconds: 20 + periodSeconds: 1 + httpGet: + port: 8443 + scheme: HTTPS + path: /healthz + httpHeaders: + - name: k-kubelet-probe + value: "webhook" + readinessProbe: + failureThreshold: 6 + initialDelaySeconds: 20 + periodSeconds: 1 + httpGet: + port: 8443 + scheme: HTTPS + path: /readyz + httpHeaders: + - name: k-kubelet-probe + value: "webhook" + securityContext: + {{- with .Values.webhook.podSecurityContext }} + {{- toYaml . | nindent 10}} + {{- end }} + {{- if .Values.webhook.securityContext.enabled }} + securityContext: + {{- with .Values.webhook.securityContext }} + {{- toYaml . | nindent 8}} + {{- end }} + {{- end }} diff --git a/charts/cosigned/templates/webhook/role_webhook.yaml b/charts/cosigned/templates/webhook/role_webhook.yaml new file mode 100644 index 00000000..776e93d3 --- /dev/null +++ b/charts/cosigned/templates/webhook/role_webhook.yaml @@ -0,0 +1,17 @@ +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "cosigned.fullname" . }}-webhook + labels: + {{- include "cosigned.labels" . | nindent 4 }} + control-plane: {{ template "cosigned.fullname" . }}-webhook +rules: + # Needed to watch and load configuration and secret data. + - apiGroups: [""] + resources: ["configmaps", "secrets"] + verbs: ["get", "list", "update", "watch"] + + # Needed for leader election + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] diff --git a/charts/cosigned/templates/webhook/rolebinding_webhook.yaml b/charts/cosigned/templates/webhook/rolebinding_webhook.yaml new file mode 100644 index 00000000..b02e621a --- /dev/null +++ b/charts/cosigned/templates/webhook/rolebinding_webhook.yaml 
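Review bot: The container-level `securityContext:` is filled from `.Values.webhook.podSecurityContext` and the pod-level one from `.Values.webhook.securityContext`, i.e. the value names are swapped relative to the level they configure, and because values.yaml defaults `securityContext.enabled: false` the pod-level block (`runAsUser: 65532`) is not rendered at all by default. Rendering the hardening settings unconditionally and naming the values after the level they apply to would be clearer; at minimum add a comment above each block, e.g. `# container securityContext (from values: webhook.podSecurityContext)`. Separately, `replicas: 1` is hard-coded while the ValidatingWebhookConfiguration in this patch uses `failurePolicy: Fail`, so a single pod restart blocks admission in every opted-in namespace; exposing it as `replicas: {{ .Values.webhook.replicas | default 1 }}` lets operators run more than one (the Role grants lease access, which suggests leader election is supported).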
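Review bot: The first rule grants `update` on every ConfigMap and Secret in the release namespace, including the `-cosign-key` Secret holding the signing key, although the comment only claims the webhook needs to "watch and load" them. The webhook plausibly needs write access only to its own `webhook-certs` Secret (secret_certs_webhook.yaml says its data is populated at install time); split the rule so `update` carries `resourceNames: ["webhook-certs"]` and the get/list/watch rule stays as is, since those verbs cannot be usefully name-limited. If the webhook also writes ConfigMaps, name them in the same way rather than leaving the blanket grant.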
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "cosigned.fullname" . }}-webhook
+ labels:
+ {{- include "cosigned.labels" . | nindent 4 }}
+ control-plane: {{ template "cosigned.fullname" . }}-webhook
+subjects:
+- kind: ServiceAccount
+ name: {{ template "cosigned.fullname" . }}-webhook
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: Role
+ name: {{ template "cosigned.fullname" . }}-webhook
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/charts/cosigned/templates/webhook/sa_webhook.yaml b/charts/cosigned/templates/webhook/sa_webhook.yaml
new file mode 100644
index 00000000..3b185547
--- /dev/null
+++ b/charts/cosigned/templates/webhook/sa_webhook.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ {{- include "cosigned.labels" . | nindent 4 }}
+ control-plane: {{ template "cosigned.fullname" . }}-webhook
+ name: {{ template "cosigned.fullname" . }}-webhook
+ namespace: {{ .Release.Namespace }}
diff --git a/charts/cosigned/templates/webhook/secret_certs_webhook.yaml b/charts/cosigned/templates/webhook/secret_certs_webhook.yaml
new file mode 100644
index 00000000..1aaeae8d
--- /dev/null
+++ b/charts/cosigned/templates/webhook/secret_certs_webhook.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ annotations:
+ {{- if .Values.webhook.service.annotations }}
+ {{ toYaml .Values.webhook.service.annotations | nindent 4 }}
+ {{- end }}
+ labels:
+ {{- include "cosigned.labels" . | nindent 4 }}
+ control-plane: {{ template "cosigned.fullname" . }}-webhook
+ name: webhook-certs
+ namespace: {{ .Release.Namespace }}
+# The data is populated at install time.
diff --git a/charts/cosigned/templates/webhook/service_webhook.yaml b/charts/cosigned/templates/webhook/service_webhook.yaml
new file mode 100644
index 00000000..adf0cc89
--- /dev/null
+++ b/charts/cosigned/templates/webhook/service_webhook.yaml
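Review bot: secret_certs_webhook.yaml copies `.Values.webhook.service.annotations` onto the Secret, so any annotation an operator sets for the Service (cloud load-balancer hints, for instance) is also written to the certificate Secret; this reads like a copy-paste from service_webhook.yaml. Either remove the `annotations:` block here or give it its own value. The name `webhook-certs` is hard-coded rather than derived from the release name, so two releases in one namespace would collide; if the webhook binary expects exactly this name, a comment saying so (`# name is fixed: the webhook looks up this Secret by name — TODO confirm`) would spare the next maintainer the question.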
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ {{- if .Values.webhook.service.annotations }}
+ {{ toYaml .Values.webhook.service.annotations | nindent 4 }}
+ {{- end }}
+ labels:
+ {{- include "cosigned.labels" . | nindent 4 }}
+ control-plane: {{ template "cosigned.fullname" . }}-webhook
+ name: webhook
+ namespace: {{ .Release.Namespace }}
+spec:
+ type: {{.Values.webhook.service.type}}
+ ports:
+ - name: https
+ port: {{ .Values.webhook.service.port }}
+ protocol: TCP
+ targetPort: https
+ {{- if and .Values.webhook.service.nodePort (eq "NodePort" .Values.webhook.service.type) }}
+ nodePort: {{ .Values.webhook.service.nodePort }}
+ {{- end }}
+ selector:
+ {{- include "cosigned.selectorLabels" . | nindent 4 }}
+ control-plane: {{ template "cosigned.fullname" . }}-webhook
diff --git a/charts/cosigned/templates/webhook/webhook_validating.yaml b/charts/cosigned/templates/webhook/webhook_validating.yaml
new file mode 100644
index 00000000..a49b9200
--- /dev/null
+++ b/charts/cosigned/templates/webhook/webhook_validating.yaml
@@ -0,0 +1,19 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: cosigned.sigstore.dev
+webhooks:
+- name: cosigned.sigstore.dev
+ namespaceSelector:
+ # The webhook should only apply to things that opt-in
+ matchExpressions:
+ - key: cosigned.sigstore.dev/include
+ operator: In
+ values: ["true"]
+ admissionReviewVersions: [v1]
+ clientConfig:
+ service:
+ name: webhook
+ namespace: {{ .Release.Namespace }}
+ failurePolicy: Fail
+ sideEffects: None
diff --git a/charts/cosigned/values.yaml b/charts/cosigned/values.yaml
new file mode 100644
index 00000000..b882188a
--- /dev/null
+++ b/charts/cosigned/values.yaml
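Review bot: The ValidatingWebhookConfiguration carries no `rules:` and no `clientConfig.caBundle`, which presumably are filled in at runtime by the webhook itself (the ClusterRole in this patch grants it get/update on exactly this object), but nothing in the manifest says so; a comment such as `# rules and clientConfig.caBundle are reconciled by the webhook at runtime — TODO confirm` would stop someone "fixing" it by adding static rules. With `failurePolicy: Fail` and the default `timeoutSeconds` (10s), a slow registry lookup during verification becomes a denied admission; setting `timeoutSeconds` explicitly makes that trade-off visible to operators.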
@@ -0,0 +1,50 @@ +cosign: + # add the values in base64 encoded + cosignKey: + cosignPub: + cosignPassword: + +webhook: + name: webhook + image: + repository: gcr.io/projectsigstore/cosign/ci/cosigned + version: sha256:33fe35284cb3648cdd998f6ed6524e1d7b69a3edbf1234bf39a1547ecf27b28f + pullPolicy: IfNotPresent + env: {} + extraArgs: {} + resources: + limits: + cpu: 100m + memory: 256Mi + requests: + cpu: 100m + memory: 128Mi + securityContext: + enabled: false + runAsUser: 65532 + podSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - all + service: + annotations: {} + type: ClusterIP + port: 443 + # For nodeport, specify the following: + # type: NodePort + # nodePort: + +## common node selector for all the pods +commonNodeSelector: {} +# key1: value1 +# key2: value2 + +## common tolerations for all the pods +commonTolerations: [] +# - key: "key" +# operator: "Equal" +# value: "value" +# effect: "NoSchedule" diff --git a/ct.yaml b/ct.yaml index 157243f9..f178aec1 100644 --- a/ct.yaml +++ b/ct.yaml @@ -1,3 +1,5 @@ chart-dirs: - charts validate-maintainers: false +remote: origin +target-branch: main From 85534352071d9375fad73014efafc7bb288709f2 Mon Sep 17 00:00:00 2001 From: Carlos Panato Date: Wed, 15 Sep 2021 13:44:39 +0200 Subject: [PATCH 2/2] use official release and drop devel Signed-off-by: Carlos Panato --- charts/cosigned/Chart.yaml | 2 +- charts/cosigned/README.md | 2 -- charts/cosigned/values.yaml | 5 +++-- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/charts/cosigned/Chart.yaml b/charts/cosigned/Chart.yaml index aae4587e..32d34752 100644 --- a/charts/cosigned/Chart.yaml +++ b/charts/cosigned/Chart.yaml @@ -6,7 +6,7 @@ sources: name: cosigned type: application version: v0.0.3-dev -appVersion: "dev" +appVersion: v1.2.0 maintainers: - name: dlorenc - name: hectorj2f diff --git a/charts/cosigned/README.md b/charts/cosigned/README.md index ef4d134d..a1be849c 100644 
--- a/charts/cosigned/README.md +++ b/charts/cosigned/README.md @@ -31,8 +31,6 @@ helm repo update helm install cosigned -n cosign-system sigstore/cosigned --devel --set webhook.secretKeyRef.name=mysecret ``` -We need to add the `--devel` flag because we are still in the development of the chart. This will be removed when we release cosigned `v1.2.0` - To enable the Admission Controller to check the signed images you will need to add the following annotation in the namespaces that you are interested to watch: Annotation: `cosigned.sigstore.dev/include: "true"` diff --git a/charts/cosigned/values.yaml b/charts/cosigned/values.yaml index b882188a..2dbf0fec 100644 --- a/charts/cosigned/values.yaml +++ b/charts/cosigned/values.yaml @@ -7,8 +7,9 @@ cosign: webhook: name: webhook image: - repository: gcr.io/projectsigstore/cosign/ci/cosigned - version: sha256:33fe35284cb3648cdd998f6ed6524e1d7b69a3edbf1234bf39a1547ecf27b28f + repository: gcr.io/projectsigstore/cosigned + # crane digest gcr.io/projectsigstore/cosigned:v1.2.0 + version: sha256:55640ca4ad7803d0002d97c0200636b37318570702a74bd1f7650e1fda6206ae pullPolicy: IfNotPresent env: {} extraArgs: {}
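Review bot: The digest now pins `gcr.io/projectsigstore/cosigned` with a comment naming `:v1.2.0`, but nothing ties it to `appVersion: v1.2.0` in Chart.yaml, so the two must be bumped together by hand; a comment in Chart.yaml pointing at this line, or falling back to `.Chart.AppVersion` as the tag when no digest is set, would keep them in step. The chart `version` also stays at `v0.0.3-dev`, which Helm treats as a pre-release, so `helm install` still needs `--devel`; the README hunk in this patch removes the explanation of that flag while the command above it keeps it.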