Sign container images #501
Conversation
k8s-ci-robot
added
do-not-merge/work-in-progress
k8s-ci-robot
added
area/release-eng
|
We need to pass the signer an external identity token, if not the cli will ask the user to follow the OIDC flow from the browser: This PR enables that: kubernetes-sigs/release-sdk#42 |
k8s-ci-robot
added
the
needs-rebase
k8s-ci-robot
removed
the
needs-rebase
Do you plan to use Github as an identity provider ? |
k8s-ci-robot
added
size/M
k8s-ci-robot
added
size/L
|
Hey @ameukam sorry, I missed your message last week. No, since we will run everything in GCP the identity will come from GCP service accounts. The idea is that the service account that runs the promoter will impersonate a service account that will eventually do the signing. I'm thinking that we should have two accounts: One for the actual signing of the artifacts and one that we can impersonate while we run the tests. I still have to decipher which service accounts are working in the promoter and then we need to set permissions and roles for all of them. |
puerco
force-pushed
the
sign-images
branch
6 times, most recently
from
e588d4d
to
df609be
Compare
Before comparing pre and after snapshots, remove the signature layers to ensure images match. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
In order to ensure the same blobs in all images, we now sign one image of a set of mirrors and replicate the signature to the rest. This avoids signing multiple times, ensure one operation in the transparency log and identical blobs (and therefore digests) whe signing promoted images. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
k8s-ci-robot
added
size/L
|
/test pull-cip-e2e |
This commit modifies the signature copy to crane and ensures we have the SA token ready if we need to pass it to crane. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
|
/test pull-cip-verify |
Add OCIManifestSchema1 from GGCR to supported media types to ensure we copy existing images. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
|
I tracked a problem where the staging images were getting wiped out when adding the k8s-org signatures to a problem in cosign. Fixed it here: sigstore/cosign#1616. Before that PR merges and we pull the commit into our deps, the promoter will copy the signatures from staging but will delete them when re-signing. |
At some point, attaching signatures will be performed via OCI reference types or other mechanism. Therefore, we will not be "promoting" the sig/sbom layers, ie copying them by listing them in the manifest. The promoter will verify any signed images, if sigs are found and valid, the signatures will be copied to the newly promoted images before signing them with the K8s-wide signature. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
This commit creates a new option `--signer-account` which defines the service account that the promoter will use to sign promoted images. Signed-off-by: Adolfo García Veytia <[email protected]>
This commit adds a new `--sign` flag to `kpromo cip` that allows to enable disable signing of container images. Signed-off-by: Adolfo García Veytia <[email protected]>
k8s-ci-robot
added
size/XL
Signed-off-by: Adolfo García Veytia <[email protected]>
k8s-ci-robot
added
release-note
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
| ) | ||
| srcRef, err := name.ParseReference(sourceRefStr) | ||
| if err != nil { | ||
| return fmt.Errorf("parsing reference %q: %w", sourceRefStr, err) |
There was a problem hiding this comment.
non-blocking nit: either use consistently errors.Wrap or wrapping with %w.
| gopts.WithCredentialsFile(opts.SignerInitCredentials), | ||
| } | ||
| } | ||
| ctx := context.Background() |
There was a problem hiding this comment.
non-blocking nit: consider using a context with timeout here.
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: puerco, saschagrunert The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind feature
What this PR does / why we need it:
This PR introduces digital signing into the promoter. The signing flow is enabled by default and will use the default kubernetes service account ([email protected]).
Signing is controlled by two new flags in
kpromo cip:Image signing involves four steps which begin after promotion. After promoting, kpromo will look for signatures attached to images in the original registry and copy them to the destination registries. It will generate tokens for the signer account to invoke the keyless signing flow. Once the tokens are available, it will sign one of the images and copy the resulting combined signature to the rest of the mirrors (if any).
Which issue(s) this PR fixes:
Part of: kubernetes/release#2383
Special notes for your reviewer:
/assign @justaugustus
Stephen I think this is ready, please take a look when you can!
Does this PR introduce a user-facing change?