Skip to content

Commit

Permalink
Merge pull request #10 from cpanato/add-cosigned
Browse files Browse the repository at this point in the history
charts: move cosigned chart from s/cosign to the helm repo
  • Loading branch information
dlorenc authored Sep 16, 2021
2 parents c99c5fd + 8553435 commit 822b7c1
Show file tree
Hide file tree
Showing 20 changed files with 557 additions and 3 deletions.
15 changes: 13 additions & 2 deletions .github/workflows/test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,8 @@ jobs:
with:
fetch-depth: 0

- uses: sigstore/[email protected]

- name: Set up Helm
uses: azure/setup-helm@v1
with:
Expand All @@ -26,17 +28,26 @@ jobs:
- name: Set up chart-testing
uses: helm/[email protected]

- name: Run chart-testing (list-changed)
id: list-changed
run: |
changed=$(ct list-changed --config ct.yaml)
if [[ -n "$changed" ]]; then
echo "::set-output name=changed::true"
fi
- name: Run chart-testing (lint)
run: ct lint --config ct.yaml --all
run: ct lint --config ct.yaml

- name: "Add NGINX Ingress Repository"
run: "helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx"

- name: Create KIND Cluster
uses: helm/[email protected]
if: steps.list-changed.outputs.changed == 'true'

- name: Install Ingress Controller
run: "helm install ingress-nginx/ingress-nginx --generate-name --set controller.service.type='NodePort' --set controller.admissionWebhooks.enabled=false"

- name: Run chart-testing (install)
run: ct install --config ct.yaml --all
run: ct install --config ct.yaml
3 changes: 2 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -14,4 +14,5 @@ $ helm repo update

## Charts

* [rekor](charts/rekor)
* [rekor](charts/rekor)
* [cosigned](charts/cosigned)
20 changes: 20 additions & 0 deletions charts/cosigned/.helmignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
12 changes: 12 additions & 0 deletions charts/cosigned/Chart.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
apiVersion: v2
description: The Helm chart for Cosigned
home: https://github.com/sigstore/cosign
sources:
- https://github.com/sigstore/cosign
name: cosigned
type: application
version: v0.0.3-dev
appVersion: v1.2.0
maintainers:
- name: dlorenc
- name: hectorj2f
56 changes: 56 additions & 0 deletions charts/cosigned/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
# Cosigned Admission Webhook

## Requirements
* Kubernetes cluster with rights to install admission webhooks
* Helm

## Deploy `cosigned` Helm Chart

Generate a keypair to validate the signatures of the deployed Kubernetes resources and their images:

```shell
export COSIGN_PASSWORD=<my_cosign_password>
cosign generate-key-pair
```

The previous command generates two key files `cosign.key` and `cosign.pub`. Next, create a secret to validate the signatures:

```shell
kubectl create namespace cosign-system

kubectl create secret generic mysecret -n cosign-system --from-file=cosign.pub=./cosign.pub --from-file=cosign.key=./cosign.key --from-literal=cosign.password=$COSING_PASSWORD
```

Install `cosigned` using Helm and setting the value of the secret key reference to `mysecret` that you created above:

```shell
helm repo add sigstore https://sigstore.github.io/helm-charts

helm repo update

helm install cosigned -n cosign-system sigstore/cosigned --devel --set webhook.secretKeyRef.name=mysecret
```

To enable the Admission Controller to check the signed images you will need to add the following annotation in the namespaces that you are interested to watch:

Annotation: `cosigned.sigstore.dev/include: "true"`

```yaml
apiVersion: v1
kind: Namespace
metadata:
labels:
cosigned.sigstore.dev/include: "true"
kubernetes.io/metadata.name: my-namespace
name: my-namespace
spec:
finalizers:
- kubernetes
```
Then when creating, for example, a Deployment that does not have the images signed you will get the following error:
```shell
kubectl apply -f my-deployment.yaml
Error from server (BadRequest): error when creating "my-deployment.yaml": admission webhook "cosigned.sigstore.dev" denied the request: validation failed: invalid image signature: spec.template.spec.containers[0].image
```
4 changes: 4 additions & 0 deletions charts/cosigned/ci/ci-values.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
cosign:
cosignKey: LS0tLS1CRUdJTiBFTkNSWVBURUQgQ09TSUdOIFBSSVZBVEUgS0VZLS0tLS0KZXlKclpHWWlPbnNpYm1GdFpTSTZJbk5qY25sd2RDSXNJbkJoY21GdGN5STZleUpPSWpvek1qYzJPQ3dpY2lJNgpPQ3dpY0NJNk1YMHNJbk5oYkhRaU9pSkRXbVJYVFdkdlZFdFFUVkZ1YmxkU01VVnVabU0xYmxWVFZFcHBNamMxClRHSklMMVpJVmtzclZqVlpQU0o5TENKamFYQm9aWElpT25zaWJtRnRaU0k2SW01aFkyd3ZjMlZqY21WMFltOTQKSWl3aWJtOXVZMlVpT2lKTFYwMDBWVWRvTURseGNpOWlhV00wYXpjMVRuY3pURFZPTm5WaldqazNlaUo5TENKagphWEJvWlhKMFpYaDBJam9pZG5kUFZsSTVNazE1VmtGUVlWRkthVVp6YW0xbkwwVklkMk5uUTBaTE5tUmlRelk1CmJFOVpWVWRRUkdoV1owWjFaM0UwWVV4UGVqZEZVREZzTUc1a2N6ZFFWVEZFTVcwNGNqVnNWV3h1TW1KcU5UWXgKSzNnd2NqbDBTbFJLYzJOdk1WRnNTVmhJVEhaQ2RYa3ZSa2hMVEc4M2FEWlhXVmxMY1NzemRtRnFjMEZTY25SWApjRTFFYlVaYWNsTjVOa2Q1T1dwUVRHTXpTMkY2YVRVNE5IRTJaVnBIZGk5WU5YaE1RMmxoWkhaR1pscDFhVTlNCk5qaHFhelJNTVRRNVVsSXhkV1ppV1Zab1EwcENZU3NyUm5jOVBTSjkKLS0tLS1FTkQgRU5DUllQVEVEIENPU0lHTiBQUklWQVRFIEtFWS0tLS0tCg==
cosignPub: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFZ3VQMEd0aEUrTGYxQzZyWlQ4ZzlDbUtWQk5ReApicnZTWTdGMG94ODFUVzlBcExrSjVIdmtTNzJVQ0ZkZjJaV2JNMXkxZEMyS0FIM1l0Q1lOM1JCdHp3PT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
cosignPassword: aG9ua0AxMjM=
117 changes: 117 additions & 0 deletions charts/cosigned/templates/_helpers.tpl
Original file line number Diff line number Diff line change
@@ -0,0 +1,117 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "cosigned.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}

{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "cosigned.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}

{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "cosigned.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}

{{/*
Common labels
*/}}
{{- define "cosigned.labels" -}}
helm.sh/chart: {{ include "cosigned.chart" . }}
{{ include "cosigned.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}

{{/*
Selector labels
*/}}
{{- define "cosigned.selectorLabels" -}}
app.kubernetes.io/name: {{ include "cosigned.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}

{{/*
Create the name of the service account to use
*/}}
{{- define "cosigned.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "cosigned.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}

{{/*
Self-signed certificate authority issuer name
*/}}
{{- define "cosigned.CAIssuerName" -}}
{{- if .Values.certificates.ca.issuer.name -}}
{{ .Values.certificates.ca.issuer.name }}
{{- else -}}
{{ template "cosigned.fullname" . }}-ca-issuer
{{- end -}}
{{- end -}}

{{/*
CA Certificate issuer name
*/}}
{{- define "cosigned.CAissuerName" -}}
{{- if .Values.certificates.selfSigned -}}
{{ template "cosigned.CAIssuerName" . }}
{{- else -}}
{{ required "A valid .Values.certificates.ca.issuer.name is required!" .Values.certificates.issuer.name }}
{{- end -}}
{{- end -}}

{{/*
CA signed certificate issuer name
*/}}
{{- define "cosigned.IssuerName" -}}
{{- if .Values.certificates.issuer.name -}}
{{ .Values.certificates.issuer.name }}
{{- else -}}
{{ template "cosigned.fullname" . }}-issuer
{{- end -}}
{{- end -}}

{{/*
Certificate issuer name
*/}}
{{- define "cosigned.issuerName" -}}
{{- if .Values.certificates.selfSigned -}}
{{ template "cosigned.IssuerName" . }}
{{- else -}}
{{ required "A valid .Values.certificates.issuer.name is required!" .Values.certificates.issuer.name }}
{{- end -}}
{{- end -}}

{{/*
Create the image path for the passed in image field
*/}}
{{- define "cosigned.image" -}}
{{- if eq (substr 0 7 .version) "sha256:" -}}
{{- printf "%s@%s" .repository .version -}}
{{- else -}}
{{- printf "%s:%s" .repository .version -}}
{{- end -}}
{{- end -}}
27 changes: 27 additions & 0 deletions charts/cosigned/templates/webhook/clusterrole_webhook.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "cosigned.fullname" . }}-webhook
labels:
{{- include "cosigned.labels" . | nindent 4 }}
control-plane: {{ template "cosigned.fullname" . }}-webhook
rules:
- apiGroups: [""]
resources: ["events"]
verbs: ["create"]
# Allow the reconciliation of exactly our validating webhook.
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["list", "watch"]

- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["get", "update"]
resourceNames: ["cosigned.sigstore.dev"]

- apiGroups: [""]
resources: ["namespaces"]
verbs: ["get", "list"]
# The webhook configured the namespace as the OwnerRef on various cluster-scoped resources,
# which requires we can Get the system namespace.
resourceNames: [ "{{ .Release.Namespace }}" ]
15 changes: 15 additions & 0 deletions charts/cosigned/templates/webhook/clusterrolebindings_webhook.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "cosigned.fullname" . }}-webhook
labels:
{{- include "cosigned.labels" . | nindent 4 }}
control-plane: {{ template "cosigned.fullname" . }}-webhook
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "cosigned.fullname" . }}-webhook
subjects:
- kind: ServiceAccount
name: {{ template "cosigned.fullname" . }}-webhook
namespace: {{ .Release.Namespace }}
34 changes: 34 additions & 0 deletions charts/cosigned/templates/webhook/configmap.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
apiVersion: v1
kind: ConfigMap
metadata:
labels:
{{- include "cosigned.labels" . | nindent 4 }}
control-plane: {{ template "cosigned.fullname" . }}-webhook
name: {{ template "cosigned.fullname" . }}-webhook-logging
namespace: {{ .Release.Namespace }}
data:
zap-logger-config: |-
{
"level": "info",
"development": false,
"outputPaths": ["stdout"],
"errorOutputPaths": ["stderr"],
"encoding": "json",
"encoderConfig": {
"timeKey": "ts",
"levelKey": "level",
"nameKey": "logger",
"callerKey": "caller",
"messageKey": "msg",
"stacktraceKey": "stacktrace",
"lineEnding": "",
"levelEncoder": "",
"timeEncoder": "iso8601",
"durationEncoder": "",
"callerEncoder": ""
}
}
# Log level overrides
# Changes are be picked up immediately.
loglevel.controller: "info"
loglevel.webhook: "info"
12 changes: 12 additions & 0 deletions charts/cosigned/templates/webhook/cosign_secret.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
apiVersion: v1
kind: Secret
metadata:
labels:
{{- include "cosigned.labels" . | nindent 4 }}
name: {{ template "cosigned.fullname" . }}-cosign-key
namespace: {{ .Release.Namespace }}
type: Opaque
data:
cosign.key: {{ .Values.cosign.cosignKey}}
cosign.password: {{ .Values.cosign.cosignPassword}}
cosign.pub: {{ .Values.cosign.cosignPub}}
Loading

0 comments on commit 822b7c1

Please sign in to comment.