feat: support pubkey secret creation for oci signature verification (#…

…240)

* feat: support pubkey secret creation

* feat: add support for .env files

* fix: update values to address linting issues

* feat: ensure pub key data is only added data key has suffix .pub

* chore: bump oci plugin to v0.0.8

* feat: update validationresults crd

.gitignore

@@ -1,4 +1,3 @@
-
 # Binaries for programs and plugins
 *.exe
 *.exe~
@@ -27,3 +26,7 @@ Dockerfile.cross
 *.swp
 *.swo
 *~
+
+# misc
+.DS_Store
+.env

Makefile

@@ -1,3 +1,7 @@
+ifneq (,$(wildcard ./.env))
+	include .env
+	export
+endif
 
 # Image URL to use all building/pushing image targets
 IMG ?= quay.io/spectrocloud-labs/validator:latest
@@ -201,4 +205,4 @@ helm-package: generate manifests
 
 .PHONY: frigate
 frigate:
-	frigate gen chart/validator --no-deps -o markdown > chart/validator/README.md
+	frigate gen chart/validator --no-deps -o markdown > chart/validator/README.md

chart/validator/crds/validation.spectrocloud.labs_validationresults.yaml

@@ -62,6 +62,52 @@ spec:
             description: ValidationResultStatus defines the observed state of ValidationResult
             properties:
               conditions:
+                items:
+                  description: Condition defines an observation of a Cluster API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another. This should be when the underlying condition changed.
+                        If that is not known, then using the time when the API field
+                        changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition. This field may be empty.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase. The specific API may choose whether or not this
+                        field is considered a guaranteed API. This field may not be
+                        empty.
+                      type: string
+                    severity:
+                      description: Severity provides an explicit classification of
+                        Reason code, so the users or machines can immediately understand
+                        the current situation and act accordingly. The Severity field
+                        MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important.
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - status
+                  - type
+                  type: object
+                type: array
+              state:
+                type: string
+              validationConditions:
                 items:
                   properties:
                     details:
@@ -87,7 +133,7 @@ spec:
                       type: string
                     status:
                       description: True if the validation rule succeeded, otherwise
-                        False
+                        False.
                       type: string
                     validationRule:
                       description: Unique, one-word description of the validation
@@ -104,10 +150,6 @@ spec:
                   - validationType
                   type: object
                 type: array
-              sinkState:
-                type: string
-              state:
-                type: string
             required:
             - state
             type: object

chart/validator/templates/plugin-secret-oci-auth.yaml

@@ -0,0 +1,10 @@
+{{- range .Values.pluginSecrets.oci.auth }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ required ".Values.pluginSecrets.oci.auth.secretName is required!" .secretName }}
+stringData:
+  username: {{ required ".Values.pluginSecrets.oci.auth.username is required!" .username }}
+  password: {{ required ".Values.pluginSecrets.oci.auth.password is required!" .password }}
+---
+{{- end }}

chart/validator/templates/plugin-secret-oci-pubkey.yaml

@@ -0,0 +1,13 @@
+{{- range .Values.pluginSecrets.oci.pubKeys }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ required ".Values.pluginSecrets.oci.pubKeys.secretName is required!" .secretName }}
+data:
+ {{- range $key, $val := . }}
+ {{- if hasSuffix ".pub" $key }}
+ {{ $key }}: {{ $val | b64enc | quote }}
+ {{- end }}
+ {{- end }}
+---
+{{- end }}

chart/validator/values.yaml

@@ -372,7 +372,7 @@ plugins:
 - chart:
     name: validator-plugin-oci
     repository: "https://spectrocloud-labs.github.io/validator-plugin-oci"
-    version: v0.0.2
+    version: v0.0.8
   values: |-
     controllerManager:
       kubeRbacProxy:
@@ -407,7 +407,7 @@ plugins:
             - ALL
         image:
           repository: quay.io/spectrocloud-labs/validator-plugin-oci
-          tag: v0.0.2
+          tag: v0.0.8
         resources:
           limits:
             cpu: 500m
@@ -477,12 +477,25 @@ pluginSecrets:
     # vcenterServer: ""
     # insecureSkipVerify: ""
 
-  # If installing the OCI plugin and validating against private registries, the below config is required unless the following applies:
-  # - The target cluster already contains secrets with the correct format for all private registries.
-  #   If specifying your own secret, refer to chart/validator/templates/plugin-secret-oci.yaml for
-  #   an example of the expected format and ensure that it exists in the same namespace as the Helm release.
-  #
-  oci: []  # Don't forget to delete these square brackets if you're specifying credentials here!
-    # - secretName: registry-creds # ensure this matches the secretName in the OciRegistryRule
-    #   username: username # for ECR Registries, store the AWS_ACCESS_KEY_ID here
-    #   password: pa$$w0rd # for ECR Registries, store the AWS_SECRET_ACCESS_KEY here
+  oci:
+    # If installing the OCI plugin and validating against private registries, the below config is required unless the following applies:
+    # - The target cluster already contains secrets with the correct format for all private registries.
+    #   If specifying your own secret, refer to chart/validator/templates/plugin-secret-oci-auth.yaml for
+    #   an example of the expected format and ensure that it exists in the same namespace as the Helm release.
+    #
+    auth: []  # Don't forget to delete these square brackets if you're specifying credentials here!
+      # - secretName: registry-creds # ensure this matches the credentials secretName in the OciRegistryRule
+      #   username: username # for ECR Registries, store the AWS_ACCESS_KEY_ID here
+      #   password: pa$$w0rd # for ECR Registries, store the AWS_SECRET_ACCESS_KEY here
+
+    # If installing the OCI plugin and enabling signature verification of artifacts, the below config is required unless the following applies:
+    # - The target cluster already contains secrets with the correct format for all public keys used for signing artifacts.
+    #   If specifying your own secret, refer to chart/validator/templates/plugin-secret-oci-pubkey.yaml for
+    #   an example of the expected format and ensure that it exists in the same namespace as the Helm release.
+    #
+    pubKeys: []  # Don't forget to delete these square brackets if you're specifying public keys here!
+      # - secretName: cosign-public-keys # ensure this matches the public key secretName in the OciRegistryRule
+      #   key1.pub: |  # multiple public keys can be added to your secret, ensure each key name ends in .pub
+      #    -----BEGIN PUBLIC KEY-----
+      #    <your public key content here>
+      #    -----END PUBLIC KEY-----