Skip to content

Commit

Permalink
update install instructions (#19)
Browse files Browse the repository at this point in the history
* update install instructions

Signed-off-by: Jackline Mutua <[email protected]>

* fix typo on cosigned readme

Signed-off-by: Jackline Mutua <[email protected]>

* update signed example case

Signed-off-by: Jackline Mutua <[email protected]>

* update chart version

Signed-off-by: Jackline Mutua <[email protected]>

* update chart version

Signed-off-by: Jackline Mutua <[email protected]>

* update chart version

Signed-off-by: Jackline Mutua <[email protected]>
  • Loading branch information
katmutua authored Oct 26, 2021
1 parent 9317058 commit 72bac9e
Show file tree
Hide file tree
Showing 2 changed files with 27 additions and 10 deletions.
3 changes: 2 additions & 1 deletion charts/cosigned/Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,9 @@ sources:
- https://github.com/sigstore/cosign

type: application

name: cosigned
version: v0.0.5
version: v0.0.6
appVersion: v1.2.1

maintainers:
Expand Down
34 changes: 25 additions & 9 deletions charts/cosigned/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,9 +4,8 @@
* Kubernetes cluster with rights to install admission webhooks
* Helm

## Deploy `cosigned` Helm Chart
### Deploy `cosigned` Helm Chart

Generate a keypair to validate the signatures of the deployed Kubernetes resources and their images:

```shell
export COSIGN_PASSWORD=<my_cosign_password>
Expand All @@ -18,7 +17,10 @@ The previous command generates two key files `cosign.key` and `cosign.pub`. Next
```shell
kubectl create namespace cosign-system

kubectl create secret generic mysecret -n cosign-system --from-file=cosign.pub=./cosign.pub --from-file=cosign.key=./cosign.key --from-literal=cosign.password=$COSING_PASSWORD
kubectl create secret generic mysecret -n \
cosign-system --from-file=cosign.pub=./cosign.pub \
--from-file=cosign.key=./cosign.key \
--from-literal=cosign.password=$COSIGN_PASSWORD
```

Install `cosigned` using Helm and setting the value of the secret key reference to `mysecret` that you created above:
Expand All @@ -31,7 +33,9 @@ helm repo update
helm install cosigned -n cosign-system sigstore/cosigned --devel --set webhook.secretKeyRef.name=mysecret
```

To enable the Admission Controller to check the signed images you will need to add the following annotation in the namespaces that you are interested to watch:
### Enabling Admission control

To enable the `cosigned admission webhook` to check for signed images, you will need to add the following annotation in each namespace that you would want the webhook triggered:

Annotation: `cosigned.sigstore.dev/include: "true"`

Expand All @@ -48,9 +52,21 @@ spec:
- kubernetes
```
Then when creating, for example, a Deployment that does not have the images signed you will get the following error:
### Testing the webhook
1. Using Unsigned Images:
Creating a deployment referencing images that are not signed will yield the following error and no resources will be created:
```shell
kubectl apply -f my-deployment.yaml
Error from server (BadRequest): error when creating "my-deployment.yaml": admission webhook "cosigned.sigstore.dev" denied the request: validation failed: invalid image signature: spec.template.spec.containers[0].image
```
2. Using Signed Images: Assuming a signed `nginx` image with a tag `signed` exists on a registry, the resource will be successfully created.

```shell
kubectl run pod1-signed --image=< REGISTRY_USER >/nginx:signed -n testns
pod/pod1-signed created
```



```shell
kubectl apply -f my-deployment.yaml
Error from server (BadRequest): error when creating "my-deployment.yaml": admission webhook "cosigned.sigstore.dev" denied the request: validation failed: invalid image signature: spec.template.spec.containers[0].image
```

0 comments on commit 72bac9e

Please sign in to comment.