1417 policy webhooks rev2

.gitignore

@@ -27,3 +27,6 @@
 
 bin*
 dist/
+
+sample.yaml
+

Makefile

@@ -103,6 +103,10 @@ cross:
 	go build -trimpath -ldflags "$(LDFLAGS)" -o cosign-$(GOOS)-$(GOARCH) ./cmd/cosign; \
 	shasum -a 256 cosign-$(GOOS)-$(GOARCH) > cosign-$(GOOS)-$(GOARCH).sha256 ))) \
 
+.PHONY: manifests
+manifests:
+	controller-gen object crd:trivialVersions=true,preserveUnknownFields=false paths="./pkg/cosign/kubernetes/apis/..." output:crd:artifacts:config=config
+
 #####################
 # lint / test section
 #####################
@@ -163,6 +167,11 @@ ko-local:
 		--tags $(GIT_VERSION) --tags $(GIT_HASH) --local \
 		github.com/sigstore/cosign/cmd/cosign
 
+	LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
+	KOCACHE=$(KOCACHE_PATH) ko build --base-import-paths --bare \
+		--tags $(GIT_VERSION) --tags $(GIT_HASH) --local \
+		github.com/sigstore/cosign/cmd/cosign/webhook
+
 ##################
 # help
 ##################

cmd/cosign/webhook/main.go

@@ -37,6 +37,7 @@ import (
 	"knative.dev/pkg/webhook/resourcesemantics/validation"
 	"sigs.k8s.io/release-utils/version"
 
+	"github.com/sigstore/cosign/pkg/cosign/kubernetes/apis/v1alpha1"
 	cwebhook "github.com/sigstore/cosign/pkg/cosign/kubernetes/webhook"
 )
 
@@ -66,6 +67,8 @@ func main() {
 		certificates.NewController,
 		NewValidatingAdmissionController,
 		NewMutatingAdmissionController,
+		NewPolicyValidatingAdmissionController,
+		NewPolicyMutatingAdmissionController,
 	)
 }
 
@@ -138,3 +141,33 @@ func NewMutatingAdmissionController(ctx context.Context, cmw configmap.Watcher)
 		false,
 	)
 }
+
+func NewPolicyValidatingAdmissionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
+	return validation.NewAdmissionController(
+		ctx,
+		"validating.clusterimagepolicy.sigstore.dev",
+		"/validate-sigstore-dev-v1alpha1-clusterimagepolicy",
+		map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
+			v1alpha1.SchemeGroupVersion.WithKind("ClusterImagePolicy"): &v1alpha1.ClusterImagePolicy{},
+		},
+		func(ctx context.Context) context.Context {
+			return ctx
+		},
+		true,
+	)
+}
+
+func NewPolicyMutatingAdmissionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
+	return defaulting.NewAdmissionController(
+		ctx,
+		"defaulting.clusterimagepolicy.sigstore.dev",
+		"/default-sigstore-dev-v1alpha1-clusterimagepolicy",
+		map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
+			v1alpha1.SchemeGroupVersion.WithKind("ClusterImagePolicy"): &v1alpha1.ClusterImagePolicy{},
+		},
+		func(ctx context.Context) context.Context {
+			return ctx
+		},
+		true,
+	)
+}

config/200-clusterrole.yaml

@@ -11,7 +11,6 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -20,23 +19,23 @@ rules:
   - apiGroups: [""]
     resources: ["events"]
     verbs: ["create"]
-
   # Allow the reconciliation of exactly our validating and mutating webhooks.
   - apiGroups: ["admissionregistration.k8s.io"]
     resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
     verbs: ["list", "watch"]
   - apiGroups: ["admissionregistration.k8s.io"]
     resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
     verbs: ["get", "update"]
-    resourceNames: ["cosigned.sigstore.dev"]
-
+    resourceNames: 
+      - "cosigned.sigstore.dev"
+      - "defaulting.clusterimagepolicy.sigstore.dev"
+      - "validating.clusterimagepolicy.sigstore.dev"
   - apiGroups: [""]
     resources: ["namespaces"]
     verbs: ["get"]
     # The webhook configured the namespace as the OwnerRef on various cluster-scoped resources,
     # which requires we can Get the system namespace.
     resourceNames: ["cosign-system"]
-
   # This is needed by k8schain to support fetching pull secrets attached to pod specs
   # or their service accounts.  If pull secrets aren't used, the "secrets" below can
   # be safely dropped, but the logic will fetch the service account to check for pull

config/501-policy-webhook-configuration.yaml

@@ -0,0 +1,55 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  creationTimestamp: null
+  name: defaulting.clusterimagepolicy.sigstore.dev
+webhooks:
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      service:
+        name: webhook
+        namespace: cosign-system
+        path: /default-sigstore-dev-v1alpha1-clusterimagepolicy
+    failurePolicy: Fail
+    matchPolicy: Equivalent
+    name: defaulting.clusterimagepolicy.sigstore.dev
+    rules:
+      - apiGroups:
+          - sigstore.dev
+        apiVersions:
+          - v1alpha1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - clusterimagepolicies
+    sideEffects: None
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  creationTimestamp: null
+  name: validating.clusterimagepolicy.sigstore.dev
+webhooks:
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      service:
+        name: webhook
+        namespace: cosign-system
+        path: /validate-sigstore-dev-v1alpha1-clusterimagepolicy
+    failurePolicy: Fail
+    matchPolicy: Equivalent
+    name: validating.clusterimagepolicy.sigstore.dev
+    rules:
+      - apiGroups:
+          - sigstore.dev
+        apiVersions:
+          - v1alpha1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - clusterimagepolicies
+    sideEffects: None

config/sigstore.dev_clusterimagepolicies.yaml

@@ -0,0 +1,101 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.1
+  creationTimestamp: null
+  name: clusterimagepolicies.sigstore.dev
+spec:
+  group: sigstore.dev
+  names:
+    kind: ClusterImagePolicy
+    listKind: ClusterImagePolicyList
+    plural: clusterimagepolicies
+    singular: clusterimagepolicy
+  scope: Cluster
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              images:
+                items:
+                  properties:
+                    authorities:
+                      items:
+                        properties:
+                          ctlog:
+                            properties:
+                              url:
+                                type: string
+                            type: object
+                          key:
+                            properties:
+                              data:
+                                type: string
+                              kms:
+                                type: string
+                              secretRef:
+                                properties:
+                                  name:
+                                    type: string
+                                type: object
+                            type: object
+                          keyless:
+                            properties:
+                              ca-key:
+                                properties:
+                                  data:
+                                    type: string
+                                  name:
+                                    type: string
+                                type: object
+                              identities:
+                                items:
+                                  properties:
+                                    issuer:
+                                      type: string
+                                    subject:
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          source:
+                            items:
+                              properties:
+                                oci:
+                                  type: string
+                              type: object
+                            type: array
+                        type: object
+                      type: array
+                    pattern:
+                      type: string
+                  type: object
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/webhook.yaml

@@ -42,7 +42,7 @@ spec:
       - name: webhook
         # This is the Go import path for the binary that is containerized
         # and substituted here.
-        image: ko://github.com/sigstore/cosign/cmd/cosign/webhook
+        image: ko.local/webhook:70c8e156ba665ade1745f695dad6052f7f265e91c28aaaab6710ece2d5274224
         args: ["-secret-name=verification-key"]
         resources:
           requests:
@@ -103,4 +103,4 @@ metadata:
   namespace: cosign-system
 # stringData:
 #   cosign.pub: |
-#     <PEM encoded public key>
+#     <PEM encoded public key>

pkg/cosign/kubernetes/apis/v1alpha1/clusterimagepolicy_defaults.go

@@ -0,0 +1,8 @@
+package v1alpha1
+
+import (
+	"context"
+)
+
+func (ip *ClusterImagePolicy) SetDefaults(ctx context.Context) {
+}

pkg/cosign/kubernetes/apis/v1alpha1/clusterimagepolicy_types.go

@@ -0,0 +1,70 @@
+// +kubebuilder:validation:Optional
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"knative.dev/pkg/apis"
+)
+
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=clusterimagepolicies,scope=Cluster
+// +kubebuilder:storageversion
+type ClusterImagePolicy struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	Spec              ClusterImagePolicySpec `json:"spec,omitempty"`
+}
+
+var (
+	_ apis.Validatable = (*ClusterImagePolicy)(nil)
+	_ apis.Defaultable = (*ClusterImagePolicy)(nil)
+)
+
+type ClusterImagePolicySpec struct {
+	Images []ImagePattern `json:"images,omitempty"`
+}
+
+type ImagePattern struct {
+	Pattern     string      `json:"pattern,omitempty"`
+	Authorities []Authority `json:"authorities,anyOf,omitempty"`
+}
+
+type Authority struct {
+	Key     KeyRef     `json:"key,omitempty"`
+	Keyless KeylessRef `json:"keyless,omitempty"`
+	Sources []Source   `json:"source,anyOf,omitempty"`
+	CTLog   TLog       `json:"ctlog,omitempty"`
+}
+
+type KeyRef struct {
+	SecretRef SecretRef `json:"secretRef,omitempty"`
+	Data      string    `json:"data,omitempty"`
+	KMS       string    `json:"kms,omitempty"`
+}
+
+type SecretRef struct {
+	Name string `json:"name,omitempty"`
+}
+
+type Source struct {
+	OCI string `json:"oci"`
+}
+
+type TLog struct {
+	URL string `json:"url,omitempty"`
+}
+
+type KeylessRef struct {
+	Identities []Identity `json:"identities,anyOf,omitempty"`
+	CAKey      CAKey      `json:"ca-key,omitempty"`
+}
+
+type Identity struct {
+	Issuer  string `json:"issuer,omitempty"`
+	Subject string `json:"subject,omitempty"`
+}
+
+type CAKey struct {
+	Name string `json:"name,omitempty"`
+	Data string `json:"data,omitempty"`
+}

pkg/cosign/kubernetes/apis/v1alpha1/clusterimagepolicy_validation.go

@@ -0,0 +1,11 @@
+package v1alpha1
+
+import (
+	"context"
+
+	"knative.dev/pkg/apis"
+)
+
+func (ip *ClusterImagePolicy) Validate(ctx context.Context) *apis.FieldError {
+	return nil
+}

pkg/cosign/kubernetes/apis/v1alpha1/doc.go

@@ -0,0 +1,4 @@
+// +groupName=sigstore.dev
+// +kubebuilder:object:generate=true
+
+package v1alpha1