cosigned: update to release v1.3.0
hectorj2f authored Nov 11, 2021
2 parents 72bac9e + ee32cd4 commit a8bbda6
Showing 5 changed files with 30 additions and 11 deletions.
6 changes: 3 additions & 3 deletions charts/cosigned/Chart.yaml
@@ -8,8 +8,8 @@ sources:
type: application

name: cosigned
version: v0.0.6
appVersion: v1.2.1
version: v0.1.0
appVersion: v1.3.0

maintainers:
- name: dlorenc
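Review bot: the chart version jump from v0.0.6 to v0.1.0 is a minor bump, which fits this commit because it adds a new MutatingWebhookConfiguration and widens the ClusterRole rather than only re-pinning the image; state that in the chart changelog or commit body so consumers know the upgrade changes cluster-scoped RBAC and admission configuration, not just the app version.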
@@ -19,4 +19,4 @@ annotations:
artifacthub.io/license: Apache-2.0
artifacthub.io/images: |
- name: cosigned
image: gcr.io/projectsigstore/cosigned:v1.2.1@sha256:44c89910a4a480fe3d9ab1733d09a357e7fd681cfc1d964752ffe1b83600cb9f
image: gcr.io/projectsigstore/cosigned:1.3.0@sha256:9fe107b183d6c6badaca52e380720c0549db09b645d055f00601797f48060aa2
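Review bot: the image tag changes from `v1.2.1` to `1.3.0` (no `v` prefix) while `appVersion` in the previous hunk is written `v1.3.0`; either the annotation should follow `appVersion`, or the `v` prefix on `appVersion` should go, so that the two stay derivable from each other. Pinning by digest is the right call, and the digest `9fe107b1...` matches the one set in values.yaml in this same commit.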
6 changes: 3 additions & 3 deletions charts/cosigned/README.md
@@ -33,7 +33,7 @@ helm repo update
helm install cosigned -n cosign-system sigstore/cosigned --devel --set webhook.secretKeyRef.name=mysecret
```

### Enabling Admission control
### Enabling Admission control

To enable the `cosigned admission webhook` to check for signed images, you will need to add the following annotation in each namespace that you would want the webhook triggered:

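Review bot: the removed and added heading lines render identically, so this hunk is whitespace-only and the README gains no mention of the mutating webhook this commit introduces; add a short paragraph saying what the mutating webhook does to admitted workloads and that it uses the same opt-in namespace selector. Also, the unchanged context line tells users to add an "annotation" to each namespace, but the `namespaceSelector` in webhook_mutating.yaml matches on the label `cosigned.sigstore.dev/include=true`, and namespace selectors match labels, not annotations, so the README should say "label".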
@@ -52,9 +52,9 @@ spec:
- kubernetes
```
### Testing the webhook
### Testing the webhook
1. Using Unsigned Images:
1. Using Unsigned Images:
Creating a deployment referencing images that are not signed will yield the following error and no resources will be created:
```shell
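Review bot: as in the previous hunk, `### Testing the webhook` and `1. Using Unsigned Images:` are replaced by identical text, so this is a trailing-whitespace change only; harmless, but the unsigned-image test that follows exercises only the validating (reject) path, so a test step showing the effect of the new mutating webhook would round out this section.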
4 changes: 2 additions & 2 deletions charts/cosigned/templates/webhook/clusterrole_webhook.yaml
@@ -11,11 +11,11 @@ rules:
verbs: ["create"]
# Allow the reconciliation of exactly our validating webhook.
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
verbs: ["list", "watch"]

- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
verbs: ["get", "update"]
resourceNames: ["cosigned.sigstore.dev"]

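Review bot: the comment `# Allow the reconciliation of exactly our validating webhook.` is now stale, since both rules also cover `mutatingwebhookconfigurations`; update it to say validating and mutating webhooks. The split itself is right: `list`/`watch` cannot be restricted by `resourceNames`, so only `get`/`update` are scoped, and because the new MutatingWebhookConfiguration reuses the name `cosigned.sigstore.dev` the single `resourceNames` entry covers both objects. If either webhook configuration is ever renamed, this list must change with it or the reconciler silently loses write access to that object.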
19 changes: 19 additions & 0 deletions charts/cosigned/templates/webhook/webhook_mutating.yaml
@@ -0,0 +1,19 @@
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: cosigned.sigstore.dev
webhooks:
- name: cosigned.sigstore.dev
namespaceSelector:
# The webhook should only apply to things that opt-in
matchExpressions:
- key: cosigned.sigstore.dev/include
operator: In
values: ["true"]
admissionReviewVersions: [v1]
clientConfig:
service:
name: webhook
namespace: {{ .Release.Namespace }}
failurePolicy: Fail
sideEffects: None
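Review bot: the new MutatingWebhookConfiguration declares no `rules` and no `clientConfig.caBundle`, so as committed it matches no admission requests and carries no CA; it only works because the webhook controller, which the ClusterRole hunk in this commit grants `get`/`update` on this object, fills those in at runtime. Add a comment saying so, otherwise a reader or a policy scanner will flag the object as inert. `failurePolicy: Fail` with `sideEffects: None` is the correct fail-closed choice; consider also setting an explicit `timeoutSeconds` so that behaviour when the webhook is unreachable is a deliberate decision rather than the API server default.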
6 changes: 3 additions & 3 deletions charts/cosigned/values.yaml
@@ -8,8 +8,8 @@ webhook:
name: webhook
image:
repository: gcr.io/projectsigstore/cosigned
# crane digest gcr.io/projectsigstore/cosigned:v1.2.1
version: sha256:44c89910a4a480fe3d9ab1733d09a357e7fd681cfc1d964752ffe1b83600cb9f
# crane digest gcr.io/projectsigstore/cosigned:1.3.0
version: sha256:9fe107b183d6c6badaca52e380720c0549db09b645d055f00601797f48060aa2
pullPolicy: IfNotPresent
env: {}
extraArgs: {}
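Review bot: the `# crane digest` comment and the `version:` digest were updated together, which matters because the comment is what lets a reviewer reproduce the pin. The same digest is duplicated in the Chart.yaml `artifacthub.io/images` annotation; since the deployed image is selected by digest here, any future bump must touch both places or the annotation will advertise a different image than the chart installs, so a release checklist item (or a script) for keeping them in sync is worth adding.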
@@ -26,7 +26,7 @@ webhook:
podSecurityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
capabilities:
drop:
- all
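Review bot: `allowPrivilegeEscalation`, `readOnlyRootFilesystem` and `capabilities` are container-level `securityContext` fields, not `PodSecurityContext` fields, so if this `podSecurityContext` block is rendered into `pod.spec.securityContext` they are rejected under strict field validation or silently dropped otherwise, leaving the container without the hardening this file appears to give it; confirm the template applies the block to the container, or rename the key to `securityContext`. Also spell the dropped capability `ALL`: that is the wildcard Kubernetes documents and the form the Pod Security `restricted` profile checks for.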