Merge pull request #1961 from fluxcd/cosign-v3-bundles

Discover cosign v3 NewBundleFormat for verification

Author: stealthybox

config/testdata/helmchart-from-oci/cosign-v3.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: podinfo-cosign-v3
+spec:
+  url: oci://ghcr.io/fluxcd-testing/cosign-testing/v3/charts
+  type: "oci"
+  interval: 1m
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmChart
+metadata:
+  name: podinfo-cosign-v3-keyless
+spec:
+  chart: podinfo
+  sourceRef:
+    kind: HelmRepository
+    name: podinfo-cosign-v3
+  version: '6.9.4'
+  interval: 1m
+  verify:
+    provider: cosign
+    matchOIDCIdentity:
+    - issuer: ^https://token\.actions\.githubusercontent\.com$
+      subject: ^https://github\.com/fluxcd-testing/cosign-testing/\.github/workflows/release\.yml@refs/tags/.*

…tdata/ocirepository/signed-with-key.yaml …epository/signed-with-cosign-v2-key.yamlconfig/testdata/ocirepository/signed-with-key.yaml renamed to config/testdata/ocirepository/signed-with-cosign-v2-key.yaml config/testdata/ocirepository/signed-with-key.yaml renamed to config/testdata/ocirepository/signed-with-cosign-v2-key.yaml

@@ -2,7 +2,7 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: OCIRepository
 metadata:
-  name: podinfo-deploy-signed-with-key
+  name: podinfo-deploy-signed-with-v2-key
 spec:
   interval: 5m
   url: oci://ghcr.io/stefanprodan/podinfo-deploy

…a/ocirepository/signed-with-keyless.yaml …itory/signed-with-cosign-v2-keyless.yamlconfig/testdata/ocirepository/signed-with-keyless.yaml renamed to config/testdata/ocirepository/signed-with-cosign-v2-keyless.yaml config/testdata/ocirepository/signed-with-keyless.yaml renamed to config/testdata/ocirepository/signed-with-cosign-v2-keyless.yaml

@@ -2,7 +2,7 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: OCIRepository
 metadata:
-  name: podinfo-deploy-signed-with-keyless
+  name: podinfo-deploy-signed-with-v2-keyless
 spec:
   interval: 5m
   url: oci://ghcr.io/stefanprodan/manifests/podinfo

config/testdata/ocirepository/signed-with-cosign-v3-key.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: OCIRepository
+metadata:
+  name: podinfo-deploy-signed-with-v3-key
+spec:
+  interval: 5m
+  url: oci://ghcr.io/fluxcd-testing/cosign-testing/v3/podinfo-deploy
+  ref:
+    semver: "6.9.4"
+  verify:
+    provider: cosign
+    secretRef:
+      name: cosign-testing-key

config/testdata/ocirepository/signed-with-cosign-v3-keyless.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: OCIRepository
+metadata:
+  name: podinfo-deploy-signed-with-v3-keyless
+spec:
+  interval: 5m
+  url: oci://ghcr.io/fluxcd-testing/cosign-testing/v3/manifests/podinfo
+  ref:
+    semver: "6.9.4"
+  verify:
+    provider: cosign
+    matchOIDCIdentity:
+    - issuer: ^https://token\.actions\.githubusercontent\.com$
+      subject: ^https://github\.com/fluxcd-testing/cosign-testing/\.github/workflows/release\.yml@refs/tags/.*

go.mod

@@ -85,20 +85,29 @@ kubectl -n source-system apply -f "${ROOT_DIR}/config/testdata/helmchart-from-oc
 kubectl -n source-system wait helmchart/podinfo --for=condition=ready --timeout=1m
 kubectl -n source-system wait helmchart/podinfo-keyless --for=condition=ready --timeout=1m
 
+kubectl -n source-system apply -f "${ROOT_DIR}/config/testdata/helmchart-from-oci/cosign-v3.yaml"
+kubectl -n source-system wait helmchart/podinfo-cosign-v3-keyless --for=condition=ready --timeout=1m
+
 kubectl -n source-system apply -f "${ROOT_DIR}/config/testdata/helmchart-from-oci/notation.yaml"
 curl -sSLo notation.crt https://raw.githubusercontent.com/stefanprodan/podinfo/master/.notation/notation.crt
 curl -sSLo trustpolicy.json https://raw.githubusercontent.com/stefanprodan/podinfo/master/.notation/trustpolicy.json
 kubectl -n source-system create secret generic notation-config --from-file=notation.crt --from-file=trustpolicy.json --dry-run=client -o yaml | kubectl apply -f -
 kubectl -n source-system wait helmchart/podinfo-notation --for=condition=ready --timeout=1m
 
 echo "Run OCIRepository verify tests"
-kubectl -n source-system apply -f "${ROOT_DIR}/config/testdata/ocirepository/signed-with-key.yaml"
-kubectl -n source-system apply -f "${ROOT_DIR}/config/testdata/ocirepository/signed-with-keyless.yaml"
+kubectl -n source-system apply -f "${ROOT_DIR}/config/testdata/ocirepository/signed-with-cosign-v2-key.yaml"
+kubectl -n source-system apply -f "${ROOT_DIR}/config/testdata/ocirepository/signed-with-cosign-v2-keyless.yaml"
+kubectl -n source-system apply -f "${ROOT_DIR}/config/testdata/ocirepository/signed-with-cosign-v3-key.yaml"
+kubectl -n source-system apply -f "${ROOT_DIR}/config/testdata/ocirepository/signed-with-cosign-v3-keyless.yaml"
 curl -sSLo cosign.pub https://raw.githubusercontent.com/stefanprodan/podinfo/master/.cosign/cosign.pub
 kubectl -n source-system create secret generic cosign-key --from-file=cosign.pub --dry-run=client -o yaml | kubectl apply -f -
+curl -sSLo cosign-testing.pub https://raw.githubusercontent.com/fluxcd-testing/cosign-testing/main/cosign.pub
+kubectl -n source-system create secret generic cosign-testing-key --from-file=cosign-testing.pub --dry-run=client -o yaml | kubectl apply -f -
 
-kubectl -n source-system wait ocirepository/podinfo-deploy-signed-with-key --for=condition=ready --timeout=1m
-kubectl -n source-system wait ocirepository/podinfo-deploy-signed-with-keyless --for=condition=ready --timeout=1m
+kubectl -n source-system wait ocirepository/podinfo-deploy-signed-with-v2-key --for=condition=ready --timeout=1m
+kubectl -n source-system wait ocirepository/podinfo-deploy-signed-with-v2-keyless --for=condition=ready --timeout=1m
+kubectl -n source-system wait ocirepository/podinfo-deploy-signed-with-v3-key --for=condition=ready --timeout=1m
+kubectl -n source-system wait ocirepository/podinfo-deploy-signed-with-v3-keyless --for=condition=ready --timeout=1m
 
 kubectl -n source-system apply -f "${ROOT_DIR}/config/testdata/ocirepository/signed-with-notation.yaml"
 kubectl -n source-system wait ocirepository/podinfo-deploy-signed-with-notation --for=condition=ready --timeout=1m

go.sum

@@ -31,7 +31,7 @@ import (
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 	"github.com/notaryproject/notation-go/verifier/trustpolicy"
 	"github.com/opencontainers/go-digest"
-	"github.com/sigstore/cosign/v2/pkg/cosign"
+	"github.com/sigstore/cosign/v3/pkg/cosign"
 	helmgetter "helm.sh/helm/v4/pkg/getter"
 	helmreg "helm.sh/helm/v4/pkg/registry"
 	helmrepo "helm.sh/helm/v4/pkg/repo/v1"
@@ -131,9 +131,10 @@ type HelmChartReconciler struct {
 	kuberecorder.EventRecorder
 	helper.Metrics
 
-	Storage        *storage.Storage
-	Getters        helmgetter.Providers
-	ControllerName string
+	Storage               *storage.Storage
+	Getters               helmgetter.Providers
+	ControllerName        string
+	CosignVerifierFactory *scosign.CosignVerifierFactory
 
 	Cache *cache.Cache
 	TTL   time.Duration
@@ -1330,7 +1331,7 @@ func (r *HelmChartReconciler) makeVerifiers(ctx context.Context, obj *sourcev1.H
 			for k, data := range pubSecret.Data {
 				// search for public keys in the secret
 				if strings.HasSuffix(k, ".pub") {
-					verifier, err := scosign.NewCosignVerifier(ctx, append(defaultCosignOciOpts, scosign.WithPublicKey(data))...)
+					verifier, err := r.CosignVerifierFactory.NewCosignVerifier(ctx, append(defaultCosignOciOpts, scosign.WithPublicKey(data))...)
 					if err != nil {
 						return nil, err
 					}
@@ -1354,7 +1355,7 @@ func (r *HelmChartReconciler) makeVerifiers(ctx context.Context, obj *sourcev1.H
 		}
 		defaultCosignOciOpts = append(defaultCosignOciOpts, scosign.WithIdentities(identities))
 
-		verifier, err := scosign.NewCosignVerifier(ctx, defaultCosignOciOpts...)
+		verifier, err := r.CosignVerifierFactory.NewCosignVerifier(ctx, defaultCosignOciOpts...)
 		if err != nil {
 			return nil, err
 		}

hack/ci/e2e.sh

@@ -43,9 +43,9 @@ import (
 	"github.com/notaryproject/notation-go/signer"
 	"github.com/notaryproject/notation-go/verifier/trustpolicy"
 	. "github.com/onsi/gomega"
-	coptions "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
-	"github.com/sigstore/cosign/v2/cmd/cosign/cli/sign"
-	"github.com/sigstore/cosign/v2/pkg/cosign"
+	coptions "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
+	"github.com/sigstore/cosign/v3/cmd/cosign/cli/sign"
+	"github.com/sigstore/cosign/v3/pkg/cosign"
 	hchart "helm.sh/helm/v4/pkg/chart/v2"
 	"helm.sh/helm/v4/pkg/chart/v2/loader"
 	helmreg "helm.sh/helm/v4/pkg/registry"
@@ -111,9 +111,10 @@ func TestHelmChartReconciler_deleteBeforeFinalizer(t *testing.T) {
 	g.Expect(k8sClient.Delete(ctx, helmchart)).NotTo(HaveOccurred())
 
 	r := &HelmChartReconciler{
-		Client:        k8sClient,
-		EventRecorder: record.NewFakeRecorder(32),
-		Storage:       testStorage,
+		Client:                k8sClient,
+		EventRecorder:         record.NewFakeRecorder(32),
+		Storage:               testStorage,
+		CosignVerifierFactory: testCosignVerifierFactory,
 	}
 	// NOTE: Only a real API server responds with an error in this scenario.
 	_, err := r.Reconcile(ctx, ctrl.Request{NamespacedName: client.ObjectKeyFromObject(helmchart)})
@@ -792,10 +793,11 @@ func TestHelmChartReconciler_reconcileSource(t *testing.T) {
 			}
 
 			r := &HelmChartReconciler{
-				Client:        clientBuilder.Build(),
-				EventRecorder: record.NewFakeRecorder(32),
-				Storage:       st,
-				patchOptions:  getPatchOptions(helmChartReadyCondition.Owned, "sc"),
+				Client:                clientBuilder.Build(),
+				EventRecorder:         record.NewFakeRecorder(32),
+				Storage:               st,
+				CosignVerifierFactory: testCosignVerifierFactory,
+				patchOptions:          getPatchOptions(helmChartReadyCondition.Owned, "sc"),
 			}
 
 			obj := sourcev1.HelmChart{
@@ -1128,11 +1130,12 @@ func TestHelmChartReconciler_buildFromHelmRepository(t *testing.T) {
 			g.Expect(err).ToNot(HaveOccurred())
 
 			r := &HelmChartReconciler{
-				Client:        clientBuilder.Build(),
-				EventRecorder: record.NewFakeRecorder(32),
-				Getters:       testGetters,
-				Storage:       testStorage,
-				patchOptions:  getPatchOptions(helmChartReadyCondition.Owned, "sc"),
+				Client:                clientBuilder.Build(),
+				EventRecorder:         record.NewFakeRecorder(32),
+				Getters:               testGetters,
+				Storage:               testStorage,
+				CosignVerifierFactory: testCosignVerifierFactory,
+				patchOptions:          getPatchOptions(helmChartReadyCondition.Owned, "sc"),
 			}
 
 			repository := &sourcev1.HelmRepository{
@@ -1380,11 +1383,12 @@ func TestHelmChartReconciler_buildFromOCIHelmRepository(t *testing.T) {
 			}
 
 			r := &HelmChartReconciler{
-				Client:        clientBuilder.Build(),
-				EventRecorder: record.NewFakeRecorder(32),
-				Getters:       testGetters,
-				Storage:       st,
-				patchOptions:  getPatchOptions(helmChartReadyCondition.Owned, "sc"),
+				Client:                clientBuilder.Build(),
+				EventRecorder:         record.NewFakeRecorder(32),
+				Getters:               testGetters,
+				Storage:               st,
+				CosignVerifierFactory: testCosignVerifierFactory,
+				patchOptions:          getPatchOptions(helmChartReadyCondition.Owned, "sc"),
 			}
 
 			repository := &sourcev1.HelmRepository{
@@ -1907,8 +1911,9 @@ func TestHelmChartReconciler_getSource(t *testing.T) {
 		WithObjects(mocks...)
 
 	r := &HelmChartReconciler{
-		Client:       clientBuilder.Build(),
-		patchOptions: getPatchOptions(helmChartReadyCondition.Owned, "sc"),
+		Client:                clientBuilder.Build(),
+		CosignVerifierFactory: testCosignVerifierFactory,
+		patchOptions:          getPatchOptions(helmChartReadyCondition.Owned, "sc"),
 	}
 
 	tests := []struct {
@@ -2023,9 +2028,10 @@ func TestHelmChartReconciler_reconcileDelete(t *testing.T) {
 	g := NewWithT(t)
 
 	r := &HelmChartReconciler{
-		EventRecorder: record.NewFakeRecorder(32),
-		Storage:       testStorage,
-		patchOptions:  getPatchOptions(helmChartReadyCondition.Owned, "sc"),
+		EventRecorder:         record.NewFakeRecorder(32),
+		Storage:               testStorage,
+		CosignVerifierFactory: testCosignVerifierFactory,
+		patchOptions:          getPatchOptions(helmChartReadyCondition.Owned, "sc"),
 	}
 
 	obj := &sourcev1.HelmChart{
@@ -2163,7 +2169,8 @@ func TestHelmChartReconciler_reconcileSubRecs(t *testing.T) {
 					WithScheme(testEnv.GetScheme()).
 					WithStatusSubresource(&sourcev1.HelmChart{}).
 					Build(),
-				patchOptions: getPatchOptions(helmChartReadyCondition.Owned, "sc"),
+				CosignVerifierFactory: testCosignVerifierFactory,
+				patchOptions:          getPatchOptions(helmChartReadyCondition.Owned, "sc"),
 			}
 			obj := &sourcev1.HelmChart{
 				ObjectMeta: metav1.ObjectMeta{
@@ -2877,11 +2884,12 @@ func TestHelmChartRepository_reconcileSource_verifyOCISourceSignature_keyless(t
 			clientBuilder.WithObjects(repository)
 
 			r := &HelmChartReconciler{
-				Client:        clientBuilder.Build(),
-				EventRecorder: record.NewFakeRecorder(32),
-				Getters:       testGetters,
-				Storage:       testStorage,
-				patchOptions:  getPatchOptions(helmChartReadyCondition.Owned, "sc"),
+				Client:                clientBuilder.Build(),
+				EventRecorder:         record.NewFakeRecorder(32),
+				Getters:               testGetters,
+				Storage:               testStorage,
+				CosignVerifierFactory: testCosignVerifierFactory,
+				patchOptions:          getPatchOptions(helmChartReadyCondition.Owned, "sc"),
 			}
 
 			obj := &sourcev1.HelmChart{
@@ -3182,11 +3190,12 @@ func TestHelmChartReconciler_reconcileSourceFromOCI_verifySignatureNotation(t *t
 			clientBuilder.WithObjects(repository, secret, caSecret)
 
 			r := &HelmChartReconciler{
-				Client:        clientBuilder.Build(),
-				EventRecorder: record.NewFakeRecorder(32),
-				Getters:       testGetters,
-				Storage:       st,
-				patchOptions:  getPatchOptions(helmChartReadyCondition.Owned, "sc"),
+				Client:                clientBuilder.Build(),
+				EventRecorder:         record.NewFakeRecorder(32),
+				Getters:               testGetters,
+				Storage:               testStorage,
+				CosignVerifierFactory: testCosignVerifierFactory,
+				patchOptions:          getPatchOptions(helmChartReadyCondition.Owned, "sc"),
 			}
 
 			obj := &sourcev1.HelmChart{
@@ -3433,11 +3442,12 @@ func TestHelmChartReconciler_reconcileSourceFromOCI_verifySignatureCosign(t *tes
 			clientBuilder.WithObjects(repository, secret)
 
 			r := &HelmChartReconciler{
-				Client:        clientBuilder.Build(),
-				EventRecorder: record.NewFakeRecorder(32),
-				Getters:       testGetters,
-				Storage:       st,
-				patchOptions:  getPatchOptions(helmChartReadyCondition.Owned, "sc"),
+				Client:                clientBuilder.Build(),
+				EventRecorder:         record.NewFakeRecorder(32),
+				Getters:               testGetters,
+				Storage:               st,
+				CosignVerifierFactory: testCosignVerifierFactory,
+				patchOptions:          getPatchOptions(helmChartReadyCondition.Owned, "sc"),
 			}
 
 			obj := &sourcev1.HelmChart{
@@ -3468,7 +3478,7 @@ func TestHelmChartReconciler_reconcileSourceFromOCI_verifySignatureCosign(t *tes
 					Timeout: timeout,
 				}
 
-				err = sign.SignCmd(ro, ko, coptions.SignOptions{
+				err = sign.SignCmd(ctx, ro, ko, coptions.SignOptions{
 					Upload:           true,
 					SkipConfirmation: true,
 					TlogUpload:       false,