sigstore · mattmoor · Mar 9, 2022 · Mar 8, 2022 · Mar 8, 2022 · Mar 8, 2022
@@ -29,6 +29,7 @@ import (
 	"knative.dev/pkg/configmap"
 	"knative.dev/pkg/controller"
 	"knative.dev/pkg/injection/sharedmain"
+	"knative.dev/pkg/logging"
 	"knative.dev/pkg/signals"
 	"knative.dev/pkg/webhook"
 	"knative.dev/pkg/webhook/certificates"
@@ -37,6 +38,7 @@ import (
 	"knative.dev/pkg/webhook/resourcesemantics/validation"
 	"sigs.k8s.io/release-utils/version"
 
+	"github.com/sigstore/cosign/pkg/apis/config"
 	cwebhook "github.com/sigstore/cosign/pkg/cosign/kubernetes/webhook"
 	"github.com/sigstore/cosign/pkg/reconciler/clusterimagepolicy"
 )
@@ -85,6 +87,9 @@ var types = map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
 }
 
 func NewValidatingAdmissionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
+	// Decorate contexts with the current state of the config.
+	store := config.NewStore(logging.FromContext(ctx).Named("config-store"))
+	store.WatchConfigs(cmw)
 	validator := cwebhook.NewValidator(ctx, *secretName)
 
 	return validation.NewAdmissionController(ctx,
@@ -99,6 +104,7 @@ func NewValidatingAdmissionController(ctx context.Context, cmw configmap.Watcher
 
 		// A function that infuses the context passed to Validate/SetDefaults with custom metadata.
 		func(ctx context.Context) context.Context {
+			ctx = store.ToContext(ctx)
 			ctx = duckv1.WithPodValidator(ctx, validator.ValidatePod)
 			ctx = duckv1.WithPodSpecValidator(ctx, validator.ValidatePodSpecable)
 			ctx = duckv1.WithCronJobValidator(ctx, validator.ValidateCronJob)

@@ -27,3 +27,10 @@ rules:
   - apiGroups: ["coordination.k8s.io"]
     resources: ["leases"]
     verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+
+  # This is needed to create / patch ConfigMap that is created by the reconciler
+  # to consolidate various CIP configuration into a policy ConfigMap.
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    resourceNames: ["config-image-policies"]
+    verbs: ["get", "list", "create", "update", "patch", "watch"]
@@ -0,0 +1,29 @@
+# Copyright 2022 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config-image-policies
+  namespace: cosign-system
+
+data:
+  _example: |
+    ################################
+    #                              #
+    #    EXAMPLE CONFIGURATION     #
+    #                              #
+    ################################
+    cluster-image-policy-json: "{\"images\":[{\"glob\":\"ghcr.io/example/*\",\"regex\":\"\",\"authorities\":[{\"key\":{\"data\":\"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\n-----END PUBLIC KEY-----\"}}]}]}"
+
@@ -56,6 +56,7 @@ require (
 	k8s.io/utils v0.0.0-20220127004650-9b3446523e65
 	knative.dev/pkg v0.0.0-20220202132633-df430fa0dd96
 	sigs.k8s.io/release-utils v0.4.1-0.20220207182343-6dadf2228617
+	sigs.k8s.io/yaml v1.3.0
 )
 
 require (
@@ -264,7 +265,6 @@ require (
 	k8s.io/gengo v0.0.0-20211129171323-c02415ce4185 // indirect
 	k8s.io/klog/v2 v2.40.1 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
-	sigs.k8s.io/yaml v1.3.0 // indirect
 )
 
 require (

@@ -0,0 +1,23 @@
+//
+// Copyright 2022 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +k8s:deepcopy-gen=package
+
+// Package config holds the typed objects that define the schemas for
+// ConfigMap objects that pertain to our API objects.
+// This ConfigMap gets created by the Reconciler by combining all the
+// ClusterImagePolicy CR into a single ConfigMap so that the AdmissionController
+// only needs to deal with a single resource when validationg.
+package config
@@ -0,0 +1,104 @@
+//
+// Copyright 2022 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package config
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+
+	"github.com/sigstore/cosign/pkg/apis/cosigned/v1alpha1"
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/yaml"
+)
+
+const (
+	// ImagePoliciesConfigName is the name of ConfigMap created by the
+	// reconciler and consumed by the admission webhook.
+	ImagePoliciesConfigName = "config-image-policies"
+)
+
+type ImagePolicyConfig struct {
+	// This is the list of ImagePolicies that a admission controller uses
+	// to make policy decisions.
+	// TODO(vaikas): Revisit the datastructure. For now seems fine to use the
+	// same definitions from the API definition. The _only_ difference is that
+	// we do not use SecretReference fields, they get resolved and inlined
+	// in the Secret. So it seemed unnecessary to mirror those all over.
+	// Key in the map is the name of the ClusterImagePolicy where the Policy
+	// was received from.
+	Policies map[string]v1alpha1.ClusterImagePolicySpec
+}
+
+// NewImagePoliciesConfigFromMap creates an ImagePolicyConfig from the supplied
+// Map
+func NewImagePoliciesConfigFromMap(data map[string]string) (*ImagePolicyConfig, error) {
+	ret := &ImagePolicyConfig{Policies: make(map[string]v1alpha1.ClusterImagePolicySpec, len(data))}
+	// Spin through the ConfigMap. Each key will point to resolved
+	// ImagePatterns.
+	for k, v := range data {
+		// This is the example that we use to document / test the ConfigMap.
+		if k == "_example" {
+			continue
+		}
+		if v == "" {
+			return nil, fmt.Errorf("configmap has an entry %q but no value", k)
+		}
+		clusterImagePolicy := &v1alpha1.ClusterImagePolicySpec{}
+
+		if err := parseEntry(v, clusterImagePolicy); err != nil {
+			return nil, fmt.Errorf("failed to parse the entry %q : %q : %w", k, v, err)
+		}
+		ret.Policies[k] = *clusterImagePolicy
+	}
+	return ret, nil
+}
+
+// NewImagePoliciesConfigFromConfigMap creates a Features from the supplied ConfigMap
+func NewImagePoliciesConfigFromConfigMap(config *corev1.ConfigMap) (*ImagePolicyConfig, error) {
+	return NewImagePoliciesConfigFromMap(config.Data)
+}
+
+func parseEntry(entry string, out interface{}) error {
+	j, err := yaml.YAMLToJSON([]byte(entry))
+	if err != nil {
+		return fmt.Errorf("config's value could not be converted to JSON: %w : %s", err, entry)
+	}
+	return json.Unmarshal(j, &out)
+}
+
+// GetAuthorities returns all matching Authorities that need to be matched for
+// the given Image.
+func (p *ImagePolicyConfig) GetAuthorities(image string) ([]v1alpha1.Authority, error) {
+	if p == nil {
+		return nil, errors.New("config is nil")
+	}
+
+	ret := []v1alpha1.Authority{}
+
+	// TODO(vaikas): this is very inefficient, we should have a better
+	// way to go from image to Authorities, but just seeing if this is even
+	// workable so fine for now.
+	for _, v := range p.Policies {
+		for _, pattern := range v.Images {
+			// TODO(vaikas): do the actual glob match.
+			if image == pattern.Glob {
+				ret = append(ret, pattern.Authorities...)
+			}
+		}
+	}
+	return ret, nil
+}
@@ -0,0 +1,110 @@
+// Copyright 2022 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package config
+
+import (
+	"testing"
+
+	. "knative.dev/pkg/configmap/testing"
+	_ "knative.dev/pkg/system/testing"
+)
+
+const (
+	// Just some public key that was laying around, only format matters.
+	inlineKeyData = `-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J
+RCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==
+-----END PUBLIC KEY-----`
+)
+
+func TestDefaultsConfigurationFromFile(t *testing.T) {
+	_, example := ConfigMapsFromTestFile(t, ImagePoliciesConfigName)
+	if _, err := NewImagePoliciesConfigFromConfigMap(example); err != nil {
+		t.Error("NewImagePoliciesConfigFromConfigMap(example) =", err)
+	}
+}
+
+func TestGetAuthorities(t *testing.T) {
+	_, example := ConfigMapsFromTestFile(t, ImagePoliciesConfigName)
+	defaults, err := NewImagePoliciesConfigFromConfigMap(example)
+	if err != nil {
+		t.Error("NewImagePoliciesConfigFromConfigMap(example) =", err)
+	}
+	c, err := defaults.GetAuthorities("rando")
+	if err != nil {
+		t.Error("GetMatches Failed =", err)
+	}
+	if len(c) == 0 {
+		t.Error("Wanted a config, got none.")
+	}
+	want := "inlinedata here"
+	if got := c[0].Key.Data; got != want {
+		t.Errorf("Did not get what I wanted %q, got %+v", want, c[0].Key.Data)
+	}
+	c, err = defaults.GetAuthorities("rando*")
+	if err != nil {
+		t.Error("GetMatches Failed =", err)
+	}
+	if len(c) == 0 {
+		t.Error("Wanted a config, got none.")
+	}
+	want = "otherinline here"
+	if got := c[0].Key.Data; got != want {
+		t.Errorf("Did not get what I wanted %q, got %+v", want, c[0].Key.Data)
+	}
+	c, err = defaults.GetAuthorities("rando3")
+	if err != nil {
+		t.Error("GetMatches Failed =", err)
+	}
+	if len(c) == 0 {
+		t.Error("Wanted a config, got none.")
+	}
+	want = "cakey chilling here"
+	if got := c[0].Keyless.CAKey.Data; got != want {
+		t.Errorf("Did not get what I wanted %q, got %+v", want, c[0].Keyless.CAKey.Data)
+	}
+	want = "issuer"
+	if got := c[0].Keyless.Identities[0].Issuer; got != want {
+		t.Errorf("Did not get what I wanted %q, got %+v", want, c[0].Keyless.Identities[0].Issuer)
+	}
+	want = "subject"
+	if got := c[0].Keyless.Identities[0].Subject; got != want {
+		t.Errorf("Did not get what I wanted %q, got %+v", want, c[0].Keyless.Identities[0].Subject)
+	}
+	// Test multiline yaml cert
+	c, err = defaults.GetAuthorities("inlinecert")
+	if err != nil {
+		t.Error("GetMatches Failed =", err)
+	}
+	if len(c) == 0 {
+		t.Error("Wanted a config, got none.")
+	}
+	want = inlineKeyData
+	if got := c[0].Key.Data; got != want {
+		t.Errorf("Did not get what I wanted %q, got %+v", want, c[0].Key.Data)
+	}
+	// Test multiline cert but json encoded
+	c, err = defaults.GetAuthorities("ghcr.io/example/*")
+	if err != nil {
+		t.Error("GetMatches Failed =", err)
+	}
+	if len(c) == 0 {
+		t.Error("Wanted a config, got none.")
+	}
+	want = inlineKeyData
+	if got := c[0].Key.Data; got != want {
+		t.Errorf("Did not get what I wanted %q, got %+v", want, c[0].Key.Data)
+	}
+}