remove trusted-resources-config

This commit removes trusted-resources-config. The deprecation is announced in release v0.45. The reason of removing is that trusted-resources-config is used to store public keys for verificaiton but Verification Policy has already covered all the functionalities and has more advanced features. Since there are not any other fields in trusted-resources-config we decided to remove it. Closes tektoncd#5852 Signed-off-by: Yongxuan Zhang [email protected]
Yongxuanzhang · Mar 7, 2023 · 16b6735 · 16b6735
1 parent 771fb66
commit 16b6735
Show file tree

Hide file tree

Showing 19 changed files with 88 additions and 722 deletions.
diff --git a/config/config-trusted-resources.yaml b/config/config-trusted-resources.yaml
diff --git a/config/controller.yaml b/config/controller.yaml
@@ -88,10 +88,6 @@ spec:
           mountPath: /etc/config-logging
         - name: config-registry-cert
           mountPath: /etc/config-registry-cert
-        # Mount secret for trusted resources
-        - name: verification-secrets
-          mountPath: /etc/verification-secrets
-          readOnly: true
         env:
         - name: SYSTEM_NAMESPACE
           valueFrom:
@@ -116,8 +112,6 @@ spec:
           value: config-leader-election
         - name: CONFIG_SPIRE
           value: config-spire
-        - name: CONFIG_TRUSTED_RESOURCES_NAME
-          value: config-trusted-resources
         - name: SSL_CERT_FILE
           value: /etc/config-registry-cert/cert
         - name: SSL_CERT_DIR
@@ -172,11 +166,6 @@ spec:
         - name: config-registry-cert
           configMap:
             name: config-registry-cert
-        # Mount secret for trusted resources
-        - name: verification-secrets
-          secret:
-            secretName: verification-secrets
-            optional: true
 ---
 apiVersion: v1
 kind: Service

diff --git a/docs/trusted-resources.md b/docs/trusted-resources.md
@@ -69,37 +69,6 @@ Or patch the new values:
 kubectl patch configmap feature-flags -n tekton-pipelines -p='{"data":{"resource-verification-mode":"enforce"}}
 ```
 
-
-#### Config key at configmap (Deprecated)
-
-**Note:** key configuration in configmap is deprecated, the issue [#5852](https://github.com/tektoncd/pipeline/issues/5852) will track the deprecation. Please use [VerificationPolicy](#config-key-at-verificationpolicy) instead.
-
-Multiple keys reference should be separated by comma. If the resource can pass any key in the list, it will pass the verification.
-
-We currently hardcode SHA256 as hashfunc for loading public keys as verifiers.
-
-Public key files should be added into secret and mounted into controller volumes. To add keys into secret you may execute:
-
-```shell
-kubectl create secret generic verification-secrets \
-  --from-file=cosign.pub=./cosign.pub \
-    --from-file=cosign.pub=./cosign2.pub \
-  -n tekton-pipelines
-```
-
-```yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: config-trusted-resources
-  namespace: tekton-pipelines
-  labels:
-    app.kubernetes.io/instance: default
-    app.kubernetes.io/part-of: tekton-pipelines
-data:
-  publickeys: "/etc/verification-secrets/cosign.pub, /etc/verification-secrets/cosign2.pub"
-```
-
 #### Config key at VerificationPolicy
 VerificationPolicy supports SecretRef or encoded public key data.
 
@@ -170,3 +139,45 @@ To learn more about `ConfigSource` please refer to resolvers doc for more contex
 
 `hashAlgorithm` is the algorithm for the public key, by default is `sha256`. It also supports `SHA224`, `SHA384`, `SHA512`.
 
+
+#### Migrate Config key at configmap to VerificationPolicy
+**Note:** key configuration in configmap is deprecated,
+The following usage of public keys in configmap can be migrated to VerificationPolicy/
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config-trusted-resources
+  namespace: tekton-pipelines
+  labels:
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-pipelines
+data:
+  publickeys: "/etc/verification-secrets/cosign.pub, /etc/verification-secrets/cosign2.pub"
+```
+
+To migrate to VerificationPolicy: Stores the public key files in a secret, and configure the secret ref in VerificationPolicy
+
+```yaml
+apiVersion: tekton.dev/v1alpha1
+kind: VerificationPolicy
+metadata:
+  name: verification-policy-name
+  namespace: resource-namespace
+spec:
+  authorities:
+    - name: key1
+      key:
+        # secretRef refers to a secret in the cluster, this secret should contain public keys data
+        secretRef:
+          name: secret-name-cosign
+          namespace: secret-namespace
+        hashAlgorithm: sha256
+    - name: key2
+      key:
+        secretRef:
+          name: secret-name-cosign2
+          namespace: secret-namespace
+        hashAlgorithm: sha256
+```
diff --git a/pkg/apis/config/store.go b/pkg/apis/config/store.go
@@ -28,13 +28,12 @@ type cfgKey struct{}
 // Config holds the collection of configurations that we attach to contexts.
 // +k8s:deepcopy-gen=false
 type Config struct {
-	Defaults         *Defaults
-	FeatureFlags     *FeatureFlags
-	ArtifactBucket   *ArtifactBucket
-	ArtifactPVC      *ArtifactPVC
-	Metrics          *Metrics
-	TrustedResources *TrustedResources
-	SpireConfig      *sc.SpireConfig
+	Defaults       *Defaults
+	FeatureFlags   *FeatureFlags
+	ArtifactBucket *ArtifactBucket
+	ArtifactPVC    *ArtifactPVC
+	Metrics        *Metrics
+	SpireConfig    *sc.SpireConfig
 }
 
 // FromContext extracts a Config from the provided context.
@@ -57,17 +56,15 @@ func FromContextOrDefaults(ctx context.Context) *Config {
 	artifactBucket, _ := NewArtifactBucketFromMap(map[string]string{})
 	artifactPVC, _ := NewArtifactPVCFromMap(map[string]string{})
 	metrics, _ := newMetricsFromMap(map[string]string{})
-	trustedresources, _ := NewTrustedResourcesConfigFromMap(map[string]string{})
 	spireconfig, _ := NewSpireConfigFromMap(map[string]string{})
 
 	return &Config{
-		Defaults:         defaults,
-		FeatureFlags:     featureFlags,
-		ArtifactBucket:   artifactBucket,
-		ArtifactPVC:      artifactPVC,
-		Metrics:          metrics,
-		TrustedResources: trustedresources,
-		SpireConfig:      spireconfig,
+		Defaults:       defaults,
+		FeatureFlags:   featureFlags,
+		ArtifactBucket: artifactBucket,
+		ArtifactPVC:    artifactPVC,
+		Metrics:        metrics,
+		SpireConfig:    spireconfig,
 	}
 }
 
@@ -90,13 +87,12 @@ func NewStore(logger configmap.Logger, onAfterStore ...func(name string, value i
 			"defaults/features/artifacts",
 			logger,
 			configmap.Constructors{
-				GetDefaultsConfigName():         NewDefaultsFromConfigMap,
-				GetFeatureFlagsConfigName():     NewFeatureFlagsFromConfigMap,
-				GetArtifactBucketConfigName():   NewArtifactBucketFromConfigMap,
-				GetArtifactPVCConfigName():      NewArtifactPVCFromConfigMap,
-				GetMetricsConfigName():          NewMetricsFromConfigMap,
-				GetTrustedResourcesConfigName(): NewTrustedResourcesConfigFromConfigMap,
-				GetSpireConfigName():            NewSpireConfigFromConfigMap,
+				GetDefaultsConfigName():       NewDefaultsFromConfigMap,
+				GetFeatureFlagsConfigName():   NewFeatureFlagsFromConfigMap,
+				GetArtifactBucketConfigName(): NewArtifactBucketFromConfigMap,
+				GetArtifactPVCConfigName():    NewArtifactPVCFromConfigMap,
+				GetMetricsConfigName():        NewMetricsFromConfigMap,
+				GetSpireConfigName():          NewSpireConfigFromConfigMap,
 			},
 			onAfterStore...,
 		),
@@ -133,22 +129,18 @@ func (s *Store) Load() *Config {
 	if metrics == nil {
 		metrics, _ = newMetricsFromMap(map[string]string{})
 	}
-	trustedresources := s.UntypedLoad(GetTrustedResourcesConfigName())
-	if trustedresources == nil {
-		trustedresources, _ = NewTrustedResourcesConfigFromMap(map[string]string{})
-	}
+
 	spireconfig := s.UntypedLoad(GetSpireConfigName())
 	if spireconfig == nil {
 		spireconfig, _ = NewSpireConfigFromMap(map[string]string{})
 	}
 
 	return &Config{
-		Defaults:         defaults.(*Defaults).DeepCopy(),
-		FeatureFlags:     featureFlags.(*FeatureFlags).DeepCopy(),
-		ArtifactBucket:   artifactBucket.(*ArtifactBucket).DeepCopy(),
-		ArtifactPVC:      artifactPVC.(*ArtifactPVC).DeepCopy(),
-		Metrics:          metrics.(*Metrics).DeepCopy(),
-		TrustedResources: trustedresources.(*TrustedResources).DeepCopy(),
-		SpireConfig:      spireconfig.(*sc.SpireConfig).DeepCopy(),
+		Defaults:       defaults.(*Defaults).DeepCopy(),
+		FeatureFlags:   featureFlags.(*FeatureFlags).DeepCopy(),
+		ArtifactBucket: artifactBucket.(*ArtifactBucket).DeepCopy(),
+		ArtifactPVC:    artifactPVC.(*ArtifactPVC).DeepCopy(),
+		Metrics:        metrics.(*Metrics).DeepCopy(),
+		SpireConfig:    spireconfig.(*sc.SpireConfig).DeepCopy(),
 	}
 }
diff --git a/pkg/apis/config/store_test.go b/pkg/apis/config/store_test.go
@@ -34,25 +34,22 @@ func TestStoreLoadWithContext(t *testing.T) {
 	artifactBucketConfig := test.ConfigMapFromTestFile(t, "config-artifact-bucket")
 	artifactPVCConfig := test.ConfigMapFromTestFile(t, "config-artifact-pvc")
 	metricsConfig := test.ConfigMapFromTestFile(t, "config-observability")
-	trustedresourcesConfig := test.ConfigMapFromTestFile(t, "config-trusted-resources")
 	spireConfig := test.ConfigMapFromTestFile(t, "config-spire")
 
 	expectedDefaults, _ := config.NewDefaultsFromConfigMap(defaultConfig)
 	expectedFeatures, _ := config.NewFeatureFlagsFromConfigMap(featuresConfig)
 	expectedArtifactBucket, _ := config.NewArtifactBucketFromConfigMap(artifactBucketConfig)
 	expectedArtifactPVC, _ := config.NewArtifactPVCFromConfigMap(artifactPVCConfig)
 	metrics, _ := config.NewMetricsFromConfigMap(metricsConfig)
-	expectedTrustedResources, _ := config.NewTrustedResourcesConfigFromConfigMap(trustedresourcesConfig)
 	expectedSpireConfig, _ := config.NewSpireConfigFromConfigMap(spireConfig)
 
 	expected := &config.Config{
-		Defaults:         expectedDefaults,
-		FeatureFlags:     expectedFeatures,
-		ArtifactBucket:   expectedArtifactBucket,
-		ArtifactPVC:      expectedArtifactPVC,
-		Metrics:          metrics,
-		TrustedResources: expectedTrustedResources,
-		SpireConfig:      expectedSpireConfig,
+		Defaults:       expectedDefaults,
+		FeatureFlags:   expectedFeatures,
+		ArtifactBucket: expectedArtifactBucket,
+		ArtifactPVC:    expectedArtifactPVC,
+		Metrics:        metrics,
+		SpireConfig:    expectedSpireConfig,
 	}
 
 	store := config.NewStore(logtesting.TestLogger(t))
@@ -61,7 +58,6 @@ func TestStoreLoadWithContext(t *testing.T) {
 	store.OnConfigChanged(artifactBucketConfig)
 	store.OnConfigChanged(artifactPVCConfig)
 	store.OnConfigChanged(metricsConfig)
-	store.OnConfigChanged(trustedresourcesConfig)
 	store.OnConfigChanged(spireConfig)
 
 	cfg := config.FromContext(store.ToContext(context.Background()))
@@ -77,17 +73,15 @@ func TestStoreLoadWithContext_Empty(t *testing.T) {
 	artifactBucket, _ := config.NewArtifactBucketFromMap(map[string]string{})
 	artifactPVC, _ := config.NewArtifactPVCFromMap(map[string]string{})
 	metrics, _ := config.NewMetricsFromConfigMap(&corev1.ConfigMap{Data: map[string]string{}})
-	trustedresources, _ := config.NewTrustedResourcesConfigFromMap(map[string]string{})
 	spireConfig, _ := config.NewSpireConfigFromMap(map[string]string{})
 
 	want := &config.Config{
-		Defaults:         defaults,
-		FeatureFlags:     featureFlags,
-		ArtifactBucket:   artifactBucket,
-		ArtifactPVC:      artifactPVC,
-		Metrics:          metrics,
-		TrustedResources: trustedresources,
-		SpireConfig:      spireConfig,
+		Defaults:       defaults,
+		FeatureFlags:   featureFlags,
+		ArtifactBucket: artifactBucket,
+		ArtifactPVC:    artifactPVC,
+		Metrics:        metrics,
+		SpireConfig:    spireConfig,
 	}
 
 	store := config.NewStore(logtesting.TestLogger(t))

diff --git a/pkg/apis/config/testdata/config-trusted-resources-empty.yaml b/pkg/apis/config/testdata/config-trusted-resources-empty.yaml
diff --git a/pkg/apis/config/testdata/config-trusted-resources.yaml b/pkg/apis/config/testdata/config-trusted-resources.yaml