Skip to content

Commit

Permalink
rebase and update gotemplate for readme
Browse files Browse the repository at this point in the history
Signed-off-by: slimm609 <[email protected]>
  • Loading branch information
slimm609 committed Oct 23, 2022
1 parent 563d5b6 commit 13d51cf
Show file tree
Hide file tree
Showing 2 changed files with 56 additions and 22 deletions.
14 changes: 6 additions & 8 deletions charts/policy-controller/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@

![Version: 0.3.1](https://img.shields.io/badge/Version-0.3.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.4.0](https://img.shields.io/badge/AppVersion-0.4.0-informational?style=flat-square)

The Helm chart for Policy Controller
The Helm chart for Policy Controller

**Homepage:** <https://github.com/sigstore/policy-controller>

Expand Down Expand Up @@ -30,12 +30,8 @@ The Helm chart for Policy Controller
| policywebhook.extraArgs | object | `{}` | |
| policywebhook.image.pullPolicy | string | `"IfNotPresent"` | |
| policywebhook.image.repository | string | `"ghcr.io/sigstore/policy-controller/policy-webhook"` | |
<<<<<<< HEAD
| policywebhook.image.version | string | `"sha256:03f6b9807103c988439741fdc2ec4410a85c13ba62fbad58448a070ac07bb5bc"` | `"v0.4.0"` |
=======
| policywebhook.image.version | string | `"sha256:2d8ec2534e903a722a89efd6fe04a52a8a420ca3f8be1703aa697bf5faf418eb"` | |
| policywebhook.image.version | string | `"sha256:03f6b9807103c988439741fdc2ec4410a85c13ba62fbad58448a070ac07bb5bc"` | |
| policywebhook.namespaceOptIn | bool | `true` | |
>>>>>>> c616289 (Add ability to disable opt-in)
| policywebhook.podSecurityContext.allowPrivilegeEscalation | bool | `false` | |
| policywebhook.podSecurityContext.capabilities.drop[0] | string | `"all"` | |
| policywebhook.podSecurityContext.enabled | bool | `true` | |
Expand All @@ -59,7 +55,7 @@ The Helm chart for Policy Controller
| webhook.extraArgs | object | `{}` | |
| webhook.image.pullPolicy | string | `"IfNotPresent"` | |
| webhook.image.repository | string | `"ghcr.io/sigstore/policy-controller/policy-controller"` | |
| webhook.image.version | string | `"sha256:2b1c017535f6a0f672ec38279f3792ca1181555342a2deae53605e202afb9764"` | `"v0.4.0"` |
| webhook.image.version | string | `"sha256:2b1c017535f6a0f672ec38279f3792ca1181555342a2deae53605e202afb9764"` | |
| webhook.name | string | `"webhook"` | |
| webhook.podSecurityContext.allowPrivilegeEscalation | bool | `false` | |
| webhook.podSecurityContext.capabilities.drop[0] | string | `"all"` | |
Expand Down Expand Up @@ -164,7 +160,9 @@ Creating a deployment referencing images that are not signed will yield the foll
pod/pod1-signed created
```


## More info

You can find more information about the policy-controller in [here](https://docs.sigstore.dev/policy-controller/overview/).

----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
64 changes: 50 additions & 14 deletions charts/policy-controller/README.md.gotmpl
Original file line number Diff line number Diff line change
@@ -1,13 +1,22 @@
{{ template "chart.header" . }}
{{ template "chart.description" . }}

{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}

## Requirements
* Kubernetes cluster with rights to install admission webhooks
* Helm
{{ template "chart.description" . }}

**Homepage:** <https://github.com/sigstore/policy-controller>


The following table lists the configurable parameters of the policy-controller chart and their default values.
## Maintainers

| Name | Email | Url |
| ---- | ------ | --- |
| dlorenc | | |
| hectorj2f | | |

## Source Code

* <https://github.com/sigstore/policy-controller>


{{ template "chart.requirementsSection" . }}
Expand All @@ -16,28 +25,52 @@ The following table lists the configurable parameters of the policy-controller c

### Deploy `policy-controller` Helm Chart

Install `policy-controller` using Helm:

```shell
helm repo add sigstore https://sigstore.github.io/helm-charts

helm repo update

kubectl create namespace cosign-system

helm install policy-controller -n cosign-system sigstore/policy-controller --devel
```

The `policy-controller` enforce images matching the defined list of `ClusterImagePolicy` for the labeled namespaces.

Note that, by default, the `policy-controller` offers a configurable behavior defining whether to allow, deny or warn whenever an image does not match a policy in a specific namespace. This behavior can be configured using the `config-policy-controller` ConfigMap created under the release namespace, and by adding an entry with the property `no-match-policy` and its value `warn|allow|deny`.
By default, any image that does not match a policy is rejected whenever `no-match-policy` is not configured in the ConfigMap.

As supported in previous versions, you could create your own key pair:

```shell
export COSIGN_PASSWORD=<my_cosign_password>
cosign generate-key-pair
```

The previous command generates two key files `cosign.key` and `cosign.pub`. Next, create a secret to validate the signatures:
This command generates two key files `cosign.key` and `cosign.pub`. Next, create a secret to validate the signatures:

```shell
kubectl create namespace cosign-system

kubectl create secret generic mysecret -n \
cosign-system --from-file=cosign.pub=./cosign.pub
```

Install `policy-controller` using Helm and setting the value of the secret key reference to `mysecret` that you created above:
**IMPORTANT:** The `cosign.secretKeyRef` flag is not supported anymore. Finally, you could reuse your secret `mysecret` by creating a `ClusterImagePolicy` that sets it as listed authorities, as shown below.

```shell
helm repo add sigstore https://sigstore.github.io/helm-charts

helm repo update
```yaml
apiVersion: policy.sigstore.dev/v1alpha1
kind: ClusterImagePolicy
metadata:
name: cip-key-secret
spec:
images:
- glob: "**your-desired-value**"
authorities:
- key:
secretRef:
name: mysecret

helm install policy-controller -n cosign-system sigstore/policy-controller --devel --set cosign.secretKeyRef.name=mysecret
```

### Enabling Admission control
Expand Down Expand Up @@ -76,4 +109,7 @@ Creating a deployment referencing images that are not signed will yield the foll
pod/pod1-signed created
```

## More info

You can find more information about the policy-controller in [here](https://docs.sigstore.dev/policy-controller/overview/).
{{ template "helm-docs.versionFooter" . }}

0 comments on commit 13d51cf

Please sign in to comment.