Integrate k8schain to authenticate digest resolution. (sigstore#804)

`k8schain` implements a GGCR keychain that attempts to replicate the authentication done by the kubelet when pulling container images. It supports ambient credentials (e.g. GCE/AWS's `http://metadata`) as well as `imagePullSecret` resolution, and is also currently used by Tekton and Knative for similar purposes. Fixes: sigstore#801 Signed-off-by: Matt Moore <[email protected]> Signed-off-by: Joel Kamp <[email protected]>
mrjoelkamp · Sep 28, 2021 · 025a759 · 025a759
1 parent 4e2f2f8
commit 025a759
Show file tree

Hide file tree

Showing 5 changed files with 108 additions and 42 deletions.
diff --git a/config/200-clusterrole.yaml b/config/200-clusterrole.yaml
@@ -36,3 +36,11 @@ rules:
     # The webhook configured the namespace as the OwnerRef on various cluster-scoped resources,
     # which requires we can Get the system namespace.
     resourceNames: ["cosign-system"]
+
+  # This is needed by k8schain to support fetching pull secrets attached to pod specs
+  # or their service accounts.  If pull secrets aren't used, the "secrets" below can
+  # be safely dropped, but the logic will fetch the service account to check for pull
+  # secrets.
+  - apiGroups: [""]
+    resources: ["serviceaccounts", "secrets"]
+    verbs: ["get"]
diff --git a/go.mod b/go.mod
@@ -15,7 +15,6 @@ require (
 	github.com/google/trillian v1.3.14-0.20210713114448-df474653733c
 	github.com/in-toto/in-toto-golang v0.2.1-0.20210806133539-f50646681592
 	github.com/manifoldco/promptui v0.8.0
-	github.com/open-policy-agent/opa v0.32.1
 	github.com/peterbourgon/ff/v3 v3.1.0
 	github.com/pkg/errors v0.9.1
 	github.com/sigstore/fulcio v0.1.2-0.20210831152525-42f7422734bb
@@ -33,19 +32,22 @@ require (
 
 require (
 	cloud.google.com/go/kms v0.1.0 // indirect
+	github.com/OneOfOne/xxhash v1.2.8 // indirect
+	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/cncf/udpa/go v0.0.0-20210322005330-6414d713912e // indirect
 	github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.1 // indirect
 	github.com/envoyproxy/go-control-plane v0.9.9 // indirect
 	github.com/envoyproxy/protoc-gen-validate v0.6.1 // indirect
 	github.com/form3tech-oss/jwt-go v3.2.5+incompatible // indirect
 	github.com/fsnotify/fsnotify v1.5.1 // indirect
+	github.com/golang/glog v1.0.0 // indirect
+	github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20210924194000-308547aa3b27
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/mattn/go-runewidth v0.0.13 // indirect
 	github.com/onsi/gomega v1.15.0 // indirect
-	github.com/peterh/liner v1.2.1 // indirect
 	github.com/prometheus/procfs v0.7.3 // indirect
-	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
+	github.com/spaolacci/murmur3 v1.1.0 // indirect
 	github.com/spf13/cobra v1.2.1
 	github.com/urfave/cli v1.22.5 // indirect
 	go.opentelemetry.io/contrib v0.22.0 // indirect