diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8265c89..cf5ecd8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -3,7 +3,6 @@ name: Release on: push: tags: - - policy-controller-v* - trust-policies-v* jobs: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index ccd23fb..92c7fc0 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -37,8 +37,10 @@ jobs: - name: Install policy-controller run: | - helm install policy-controller charts/policy-controller \ - --create-namespace --namespace artifact-attestations --atomic + helm install policy-controller --atomic \ + --create-namespace --namespace artifact-attestations \ + oci://ghcr.io/sigstore/helm-charts/policy-controller \ + --version 0.10.5 - name: Install trust-policies run: | diff --git a/README.md b/README.md index dd35c51..2bc6419 100644 --- a/README.md +++ b/README.md 
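Review bot: Removing `policy-controller-v*` from `on.push.tags` only stops that trigger; if release.yml further down (outside this hunk) still packages or pushes `charts/policy-controller`, it now runs on a `trust-policies-v*` push against a directory this same commit deletes, so the job body should be checked in the same change. The README link in this commit moves from `release.yml#L50` to `#L49`, which is consistent with only this one line being removed and suggests the publishing step is chart-agnostic, but that is inferred rather than visible here. The `on:` block and the jobs it triggers continue outside the hunk.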
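Review bot: The "Install policy-controller" step in test.yml now pulls a chart from a registry outside this repository (`oci://ghcr.io/sigstore/helm-charts/policy-controller`) and installs it into the cluster with no check on what was fetched, whereas the replaced lines installed the chart from this repository's own tree. An OCI tag is mutable, so `--version 0.10.5` pins a name rather than content; consider fetching with `helm pull` first and verifying the artifact's signature or provenance (for example with `cosign verify`, if upstream publishes signatures for the chart) before `helm install`, or pinning to a digest where the tooling supports it. The README hunk in this commit documents the same upstream reference for users, so whatever verification step is adopted here is worth mirroring there, since the README's own `gh attestation verify --owner github` example covers only the trust-policies chart. The enclosing job starts outside the hunk.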
@@ -3,16 +3,15 @@ This repository hosts GitHub's Helm charts for deploying [a Kubernetes admission controller for Artifact Attestations](https://docs.github.com/en/actions/security-guides/enforcing-artifact-attestations-with-a-kubernetes-admission-controller). This admission controller allows you to enforce the provenance of artifacts deployed to your cluster by verifying their [Artifact Attestations](https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds#verifying-artifact-attestations-with-the-github-cli). The admission controller consists of: -- The [`policy-controller` chart](https://github.com/github/artifact-attestations-helm-charts/tree/main/charts/policy-controller), which is used to deploy [our temporary fork](https://github.com/github/policy-controller) of the [Sigstore Policy Controller](https://github.com/sigstore/policy-controller) - The [`trust-policies` chart](https://github.com/github/artifact-attestations-helm-charts/tree/main/charts/trust-policies), which is used to deploy GitHub's `TrustRoot` and a default `ClusterImagePolicy`. This policy ensures that images installed on a cluster must have provenance attestations generated with the [Attest Build Provenance GitHub Action](https://github.com/actions/attest-build-provenance). -These charts are published to GitHub Container Registry (GHCR) as OCI images. Every release is attested with -the [Attest Build Provenance Action](https://github.com/github/artifact-attestations-helm-charts/blob/a50f0ad3880a562892156ab8f4ed01a349807bb3/.github/workflows/release.yml#L50). +This chart is published to GitHub Container Registry (GHCR) as an OCI images. Every release is attested with +the [Attest Build Provenance Action](https://github.com/github/artifact-attestations-helm-charts/blob/a50f0ad3880a562892156ab8f4ed01a349807bb3/.github/workflows/release.yml#L49). 
You can verify these releases using the [`gh` CLI](https://cli.github.com/manual/gh_attestation_verify): ```bash gh attestation verify --owner github \ - oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller:v0.12.0-github12 + oci://ghcr.io/github/artifact-attestations-helm-charts/trust-policies:v0.7.0 ``` For more information, see [our documentation](https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds) on using artifact attestations to establish build provenance and [our blog post](https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/) introducing Artifact Attestations. @@ -25,8 +24,8 @@ You will need to install two charts. First, install the Sigstore policy controll ```bash helm install policy-controller --atomic \ --create-namespace --namespace artifact-attestations \ - oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller \ - --version v0.12.0-github12 + oci://ghcr.io/sigstore/helm-charts/policy-controller \ + --version 0.10.5 ``` The `--atomic` flag will delete the installation if failure occurs. @@ -40,7 +39,7 @@ Next, install the GitHub `TrustRoot` and our default `ClusterImagePolicy`: helm install trust-policies --atomic \ --namespace artifact-attestations \ oci://ghcr.io/github/artifact-attestations-helm-charts/trust-policies \ - --version v0.6.2 \ + --version v0.7.0 \ --set policy.enabled=true \ --set policy.organization=MY-ORGANIZATION ``` 
@@ -91,8 +90,8 @@ please file an [issue](https://github.com/github/artifact-attestations-helm-char When you are ready to cut a new release for a given Helm chart 1. Update the chart's `AppVersion` and `Version` to the appropriate values -1. Create a new tag prefixed with the targeted chart name in the format -v0.1.2, ex: `git tag -s "policy-controller-v0.12.0-github12" -m "policy-controller-v0.12.0-github12"` -1. Push the tag, ex: `git push origin "policy-controller-v0.12.0-github12"` -1. The [release workflow](.github/workflows/release.yml) will be triggered if +2. Create a new tag prefixed with the targeted chart name in the format -v0.1.2, ex: `git tag -s "trust-policies-v0.7.0" -m "trust-policies-v0.7.0"` +3. Push the tag, ex: `git push origin "trust-policies-v0.7.0"` +4. The [release workflow](.github/workflows/release.yml) will be triggered if the chart's tag format is included in the list of tags that trigger the workflow. The tag must follow the format `-v` diff --git a/charts/policy-controller/.helmignore b/charts/policy-controller/.helmignore deleted file mode 100644 index 351b35f..0000000 --- a/charts/policy-controller/.helmignore +++ /dev/null @@ -1,20 +0,0 @@ -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/charts/policy-controller/Chart.yaml b/charts/policy-controller/Chart.yaml deleted file mode 100644 index 0842014..0000000 --- a/charts/policy-controller/Chart.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v2 -description: Artifact Attestations Policy Controller Helm Chart -home: https://github.com/github/policy-controller - -sources: - - https://github.com/github/policy-controller - -type: application - -name: policy-controller -version: "v0.12.0-github12" -appVersion: "v0.12.0-github12" - -maintainers: - - name: codysoyland - - name: malancas 
diff --git a/charts/policy-controller/README.md b/charts/policy-controller/README.md deleted file mode 100644 index f21d6d4..0000000 --- a/charts/policy-controller/README.md +++ /dev/null 
@@ -1,176 +0,0 @@ -# policy-controller - -The Helm chart for Policy Controller - -**Homepage:** - -## Source Code - -* - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| commonAnnotations | object | `{}` | | -| commonNodeSelector | object | `{}` | | -| commonTolerations | list | `[]` | | -| cosign.cosignPub | string | `""` | | -| cosign.webhookName | string | `"policy.sigstore.dev"` | | -| imagePullSecrets | list | `[]` | | -| installCRDs | bool | `true` | | -| leasescleanup.image.pullPolicy | string | `"IfNotPresent"` | | -| leasescleanup.image.repository | string | `"cgr.dev/chainguard/kubectl"` | | -| leasescleanup.image.version | string | `"sha256:dfa420c3fe94a8365b274fd714fb829b466cd762d6870d579db8744e6f27450a"` | | -| loglevel | string | `"info"` | | -| serviceMonitor.enabled | bool | `false` | | -| webhook.configData | object | `{}` | | -| webhook.customLabels | object | `{}` | | -| webhook.env | object | `{}` | | -| webhook.extraArgs | object | `{}` | | -| webhook.failurePolicy | string | `"Fail"` | | -| webhook.image.pullPolicy | string | `"IfNotPresent"` | | -| webhook.image.repository | string | `"ghcr.io/sigstore/policy-controller/policy-controller"` | | -| webhook.image.version | string | `"sha256:f291fce5b9c1a69ba54990eda7e0fe4114043b1afefb0f4ee3e6f84ec9ef1605"` | `"v0.8.2"` | -| webhook.name | string | `"webhook"` | | -| webhook.namespaceSelector.matchExpressions[0].key | string | `"policy.sigstore.dev/include"` | | -| webhook.namespaceSelector.matchExpressions[0].operator | string | `"In"` | | -| webhook.namespaceSelector.matchExpressions[0].values[0] | string | `"true"` | | -| webhook.podDisruptionBudget.enabled | bool | `true` | | -| webhook.podDisruptionBudget.minAvailable | int | `1` | | -| webhook.podSecurityContext.allowPrivilegeEscalation | bool | `false` | | -| webhook.podSecurityContext.capabilities.drop[0] | string | `"ALL"` | | -| webhook.podSecurityContext.enabled | bool | `true` | | -| 
webhook.podSecurityContext.readOnlyRootFilesystem | bool | `true` | | -| webhook.podSecurityContext.runAsUser | int | `1000` | | -| webhook.registryCaBundle | object | `{}` | | -| webhook.replicaCount | int | `1` | | -| webhook.resources.limits.cpu | string | `"200m"` | | -| webhook.resources.limits.memory | string | `"512Mi"` | | -| webhook.resources.requests.cpu | string | `"100m"` | | -| webhook.resources.requests.memory | string | `"128Mi"` | | -| webhook.securityContext.enabled | bool | `false` | | -| webhook.securityContext.runAsUser | int | `65532` | | -| webhook.service.annotations | object | `{}` | | -| webhook.service.port | int | `443` | | -| webhook.service.type | string | `"ClusterIP"` | | -| webhook.serviceAccount.annotations | object | `{}` | | -| webhook.serviceAccount.create | bool | `true` | | -| webhook.serviceAccount.name | string | `""` | | -| webhook.volumeMounts | list | `[]` | | -| webhook.volumes | list | `[]` | | -| webhook.webhookNames.defaulting | string | `"defaulting.clusterimagepolicy.sigstore.dev"` | | -| webhook.webhookNames.validating | string | `"validating.clusterimagepolicy.sigstore.dev"` | | - - -### Deploy `policy-controller` Helm Chart - -Install `policy-controller` using Helm: - -```shell -helm install policy-controller oci://ghcr.io/github/helm-charts/policy-controller --create-namespace -n cosign-system --version 0.9.0-github1 -``` - -The `policy-controller` enforce images matching the defined list of `ClusterImagePolicy` for the labeled namespaces. - -Note that, by default, the `policy-controller` offers a configurable behavior defining whether to allow, deny or warn whenever an image does not match a policy in a specific namespace. This behavior can be configured using the `config-policy-controller` ConfigMap created under the release namespace, and by adding an entry with the property `no-match-policy` and its value `warn|allow|deny`. 
-By default, any image that does not match a policy is rejected whenever `no-match-policy` is not configured in the ConfigMap. - -As supported in previous versions, you could create your own key pair: - -```shell -export COSIGN_PASSWORD= -cosign generate-key-pair -``` - -This command generates two key files `cosign.key` and `cosign.pub`. Next, create a secret to validate the signatures: - -```shell -kubectl create secret generic mysecret -n \ -cosign-system --from-file=cosign.pub=./cosign.pub -``` - -**IMPORTANT:** The `cosign.secretKeyRef` flag is not supported anymore. Finally, you could reuse your secret `mysecret` by creating a `ClusterImagePolicy` that sets it as listed authorities, as shown below. - -```yaml -apiVersion: policy.sigstore.dev/v1alpha1 -kind: ClusterImagePolicy -metadata: - name: cip-key-secret -spec: - images: - - glob: "**your-desired-value**" - authorities: - - key: - secretRef: - name: mysecret -``` -#### Configuring Custom Certificate Authorities (CA) - -The `policy-controller` can be configured to use custom CAs to communicate to container registries, for example, when you have a private registry with a self-signed TLS certificate. - -To configure `policy-controller` to use custom CAs, follow these steps: - -1. Make sure the `policy-controller` namespace exists: - - ```shell - kubectl create namespace cosign-system - ``` - -2. Create a bundle file with all the root and intermediate certificates and name it `ca-bundle.crt`. - -3. Create a `ConfigMap` from the bundle: - ```shell - kubectl -n cosign-system create cm ca-bundle-config \ - --from-file=ca-bundle.crt="ca-bundle.crt" - ``` - -4. 
Install the `policy-controller`: - - ```shell - helm install -n cosign-system \ - --set webhook.registryCaBundle.name=ca-bundle-config \ - --set webhook.registryCaBundle.key=ca-bundle.crt \ - policy-controller sigstore/policy-controller - ``` - -### Enabling Admission control - -To enable the `policy admission webhook` to check for signed images, you will need to add the following label in each namespace that you would want the webhook triggered: - -Label: `policy.sigstore.dev/include: "true"` - -```yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - policy.sigstore.dev/include: "true" - kubernetes.io/metadata.name: my-namespace - name: my-namespace -spec: - finalizers: - - kubernetes -``` - -### Testing the webhook - -1. Using Unsigned Images: -Creating a deployment referencing images that are not signed will yield the following error and no resources will be created: - - ```shell - kubectl apply -f my-deployment.yaml - Error from server (BadRequest): error when creating "my-deployment.yaml": admission webhook "policy.sigstore.dev" denied the request: validation failed: invalid image signature: spec.template.spec.containers[0].image - ``` - -2. Using Signed Images: Assuming a signed `nginx` image with a tag `signed` exists on a registry, the resource will be successfully created. - - ```shell - kubectl run pod1-signed --image=< REGISTRY_USER >/nginx:signed -n testns - pod/pod1-signed created - ``` - - -## More info - -You can find more information about the policy-controller in [here](https://docs.sigstore.dev/policy-controller/overview/). diff --git a/charts/policy-controller/templates/_helpers.tpl b/charts/policy-controller/templates/_helpers.tpl deleted file mode 100644 index c54259e..0000000 --- a/charts/policy-controller/templates/_helpers.tpl +++ /dev/null 
@@ -1,145 +0,0 @@ -{{/* -Expand the name of the chart. -*/}} -{{- define "policy-controller.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "policy-controller.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "policy-controller.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "policy-controller.labels" -}} -helm.sh/chart: {{ include "policy-controller.chart" . }} -{{ include "policy-controller.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- range $key, $value := .Values.webhook.customLabels }} -{{ $key }}: {{ $value }} -{{- end }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "policy-controller.selectorLabels" -}} -app.kubernetes.io/name: {{ include "policy-controller.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} - -{{/* -Create the name of the service account to use for webhook -*/}} -{{- define "webhook.serviceAccountName" -}} -{{- if .Values.webhook.serviceAccount.create }} -{{- default ( print (include "policy-controller.fullname" .) 
"-webhook" ) .Values.webhook.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.webhook.serviceAccount.name }} -{{- end }} -{{- end }} - -{{/* -Self-signed certificate authority issuer name -*/}} -{{- define "policy-controller.CAIssuerName" -}} -{{- if .Values.certificates.ca.issuer.name -}} -{{ .Values.certificates.ca.issuer.name }} -{{- else -}} -{{ template "policy-controller.fullname" . }}-ca-issuer -{{- end -}} -{{- end -}} - -{{/* -CA Certificate issuer name -*/}} -{{- define "policy-controller.CAissuerName" -}} -{{- if .Values.certificates.selfSigned -}} -{{ template "policy-controller.CAIssuerName" . }} -{{- else -}} -{{ required "A valid .Values.certificates.ca.issuer.name is required!" .Values.certificates.issuer.name }} -{{- end -}} -{{- end -}} - -{{/* -CA signed certificate issuer name -*/}} -{{- define "policy-controller.IssuerName" -}} -{{- if .Values.certificates.issuer.name -}} -{{ .Values.certificates.issuer.name }} -{{- else -}} -{{ template "policy-controller.fullname" . }}-issuer -{{- end -}} -{{- end -}} - -{{/* -Certificate issuer name -*/}} -{{- define "policy-controller.issuerName" -}} -{{- if .Values.certificates.selfSigned -}} -{{ template "policy-controller.IssuerName" . }} -{{- else -}} -{{ required "A valid .Values.certificates.issuer.name is required!" 
.Values.certificates.issuer.name }} -{{- end -}} -{{- end -}} - -{{/* -Create the image path for the passed in image field -*/}} -{{- define "policy-controller.image" -}} -{{- if eq (substr 0 7 .version) "sha256:" -}} -{{- printf "%s@%s" .repository .version -}} -{{- else -}} -{{- printf "%s:%s" .repository .version -}} -{{- end -}} -{{- end -}} - - -{{/* -Create the image path for the passed in leases-cleanup image field -*/}} -{{- define "leases-cleanup.image" -}} -{{- if eq (substr 0 7 .version) "sha256:" -}} -{{- printf "%s@%s" .repository .version -}} -{{- else -}} -{{- printf "%s:%s" .repository .version -}} -{{- end -}} -{{- end -}} - -{{/* -*/}} -{{- define "policy-controller.webhook.namespaceSelector" -}} -{{- if .Values.webhook.namespaceSelector }} -{{ toYaml .Values.webhook.namespaceSelector }} -{{- else }} -matchExpressions: - - key: policy.sigstore.dev/include - operator: In - values: ["true"] -{{- end }} -{{- end -}} diff --git a/charts/policy-controller/templates/crds/clusterimagepolicy.yaml b/charts/policy-controller/templates/crds/clusterimagepolicy.yaml deleted file mode 100644 index 078eaf5..0000000 --- a/charts/policy-controller/templates/crds/clusterimagepolicy.yaml +++ /dev/null 
@@ -1,716 +0,0 @@ -# Copyright 2022 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: clusterimagepolicies.policy.sigstore.dev -spec: - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: ["v1beta1", "v1alpha1"] - clientConfig: - service: - name: webhook - namespace: {{ .Release.Namespace }} - group: policy.sigstore.dev - names: - kind: ClusterImagePolicy - plural: clusterimagepolicies - singular: clusterimagepolicy - categories: - - all - - sigstore - shortNames: - - cip - scope: Cluster - versions: - - name: v1alpha1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - properties: - spec: - description: Spec holds the desired state of the ClusterImagePolicy (from the client). - type: object - properties: - authorities: - description: Authorities defines the rules for discovering and validating signatures. - type: array - items: - type: object - properties: - attestations: - description: Attestations is a list of individual attestations for this authority, once the signature for this authority has been verified. - type: array - items: - type: object - properties: - name: - description: Name of the attestation. These can then be referenced at the CIP level policy. 
- type: string - policy: - description: Policy defines all of the matching signatures, and all of the matching attestations (whose attestations are verified). - type: object - properties: - configMapRef: - description: ConfigMapRef defines the reference to a configMap with the policy definition. - type: object - properties: - key: - description: Key defines the key to pull from the configmap. - type: string - name: - description: Name is unique within a namespace to reference a configmap resource. - type: string - namespace: - description: Namespace defines the space within which the configmap name must be unique. - type: string - data: - description: Data contains the policy definition. - type: string - fetchConfigFile: - description: 'FetchConfigFile controls whether ConfigFile will be fetched and made available for CIP level policy evaluation. Note that this only gets evaluated (and hence fetched) iff at least one authority matches. The ConfigFile will then be available in this format: https://github.com/opencontainers/image-spec/blob/main/config.md' - type: boolean - includeObjectMeta: - description: IncludeObjectMeta controls whether the ObjectMeta will be included and made available for CIP level policy evalutation. Note that this only gets evaluated iff at least one authority matches. - type: boolean - includeSpec: - description: IncludeSpec controls whether resource `Spec` will be included and made available for CIP level policy evaluation. Note that this only gets evaluated iff at least one authority matches. Also note that because Spec may be of a different shape depending on the resource being evaluatied (see MatchResource for filtering) you might want to configure these to match the policy file to ensure the shape of the Spec is what you expect when evaling the policy. - type: boolean - includeTypeMeta: - description: IncludeTypeMeta controls whether the TypeMeta will be included and made available for CIP level policy evalutation. 
Note that this only gets evaluated iff at least one authority matches. - type: boolean - remote: - description: Remote defines the url to a policy. - type: object - properties: - sha256sum: - description: Sha256sum defines the exact sha256sum computed out of the 'body' of the http response. - type: string - url: - description: URL to the policy data. - type: string - type: - description: Which kind of policy this is, currently only rego or cue are supported. Furthermore, only cue is tested :) - type: string - predicateType: - description: PredicateType defines which predicate type to verify. Matches cosign verify-attestation options. - type: string - ctlog: - description: CTLog sets the configuration to verify the authority against a Rekor instance. - type: object - properties: - trustRootRef: - description: Use the Public Key from the referred TrustRoot.TLog - type: string - url: - description: URL sets the url to the rekor instance (by default the public rekor.sigstore.dev) - type: string - key: - description: Key defines the type of key to validate the image. - type: object - properties: - data: - description: Data contains the inline public key. - type: string - hashAlgorithm: - description: HashAlgorithm always defaults to sha256 if the algorithm hasn't been explicitly set - type: string - kms: - description: KMS contains the KMS url of the public key Supported formats differ based on the KMS system used. - type: string - secretRef: - description: SecretRef sets a reference to a secret with the key. - type: object - properties: - name: - description: name is unique within a namespace to reference a secret resource. - type: string - namespace: - description: namespace defines the space within which the secret name must be unique. - type: string - keyless: - description: Keyless sets the configuration to verify the authority against a Fulcio instance. 
- type: object - properties: - ca-cert: - description: CACert sets a reference to CA certificate - type: object - properties: - data: - description: Data contains the inline public key. - type: string - hashAlgorithm: - description: HashAlgorithm always defaults to sha256 if the algorithm hasn't been explicitly set - type: string - kms: - description: KMS contains the KMS url of the public key Supported formats differ based on the KMS system used. - type: string - secretRef: - description: SecretRef sets a reference to a secret with the key. - type: object - properties: - name: - description: name is unique within a namespace to reference a secret resource. - type: string - namespace: - description: namespace defines the space within which the secret name must be unique. - type: string - identities: - description: Identities sets a list of identities. - type: array - items: - type: object - properties: - issuer: - description: Issuer defines the issuer for this identity. - type: string - issuerRegExp: - description: IssuerRegExp specifies a regular expression to match the issuer for this identity. - type: string - subject: - description: Subject defines the subject for this identity. - type: string - subjectRegExp: - description: SubjectRegExp specifies a regular expression to match the subject for this identity. - type: string - insecureIgnoreSCT: - description: InsecureIgnoreSCT omits verifying if a certificate contains an embedded SCT - type: boolean - trustRootRef: - description: Use the Certificate Chain from the referred TrustRoot.CertificateAuthorities and TrustRoot.CTLog - type: string - url: - description: URL defines a url to the keyless instance. - type: string - name: - description: Name is the name for this authority. Used by the CIP Policy validator to be able to reference matching signature or attestation verifications. 
If not specified, the name will be authority- - type: string - rfc3161timestamp: - description: RFC3161Timestamp sets the configuration to verify the signature timestamp against a RFC3161 time-stamping instance. - type: object - properties: - trustRootRef: - description: Use the Certificate Chain from the referred TrustRoot.TimeStampAuthorities - type: string - signatureFormat: - description: SignatureFormat specifies the format the authority expects. Supported formats are "simplesigning" and "bundle". If not specified, the default is "simplesigning" (cosign's default). - type: string - source: - description: Sources sets the configuration to specify the sources from where to consume the signatures. - type: array - items: - type: object - properties: - oci: - description: OCI defines the registry from where to pull the signature / attestations. - type: string - signaturePullSecrets: - description: SignaturePullSecrets is an optional list of references to secrets in the same namespace as the deploying resource for pulling any of the signatures used by this Source. - type: array - items: - type: object - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - tagPrefix: - description: TagPrefix is an optional prefix that signature and attestations have. This is the 'tag based discovery' and in the future once references are fully supported that should likely be the preferred way to handle these. - type: string - static: - description: Static specifies that signatures / attestations are not validated but instead a static policy is applied against matching images. - type: object - properties: - action: - description: Action defines how to handle a matching policy. 
- type: string - message: - description: For fail actions, emit an optional custom message - type: string - images: - description: Images defines the patterns of image names that should be subject to this policy. - type: array - items: - type: object - properties: - glob: - description: Glob defines a globbing pattern. - type: string - match: - description: Match allows selecting resources based on their properties. - type: array - items: - type: object - properties: - group: - type: string - resource: - type: string - selector: - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - type: object - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - mode: - description: Mode controls whether a failing policy will be rejected (not admitted), or if errors are converted to Warnings. enforce - Reject (default) warn - allow but warn - type: string - policy: - description: Policy is an optional policy that can be applied against all the successfully validated Authorities. 
If no authorities pass, this does not even get evaluated, as the Policy is considered failed. - type: object - properties: - configMapRef: - description: ConfigMapRef defines the reference to a configMap with the policy definition. - type: object - properties: - key: - description: Key defines the key to pull from the configmap. - type: string - name: - description: Name is unique within a namespace to reference a configmap resource. - type: string - namespace: - description: Namespace defines the space within which the configmap name must be unique. - type: string - data: - description: Data contains the policy definition. - type: string - fetchConfigFile: - description: 'FetchConfigFile controls whether ConfigFile will be fetched and made available for CIP level policy evaluation. Note that this only gets evaluated (and hence fetched) iff at least one authority matches. The ConfigFile will then be available in this format: https://github.com/opencontainers/image-spec/blob/main/config.md' - type: boolean - includeObjectMeta: - description: IncludeObjectMeta controls whether the ObjectMeta will be included and made available for CIP level policy evalutation. Note that this only gets evaluated iff at least one authority matches. - type: boolean - includeSpec: - description: IncludeSpec controls whether resource `Spec` will be included and made available for CIP level policy evaluation. Note that this only gets evaluated iff at least one authority matches. Also note that because Spec may be of a different shape depending on the resource being evaluatied (see MatchResource for filtering) you might want to configure these to match the policy file to ensure the shape of the Spec is what you expect when evaling the policy. - type: boolean - includeTypeMeta: - description: IncludeTypeMeta controls whether the TypeMeta will be included and made available for CIP level policy evalutation. Note that this only gets evaluated iff at least one authority matches. 
- type: boolean - remote: - description: Remote defines the url to a policy. - type: object - properties: - sha256sum: - description: Sha256sum defines the exact sha256sum computed out of the 'body' of the http response. - type: string - url: - description: URL to the policy data. - type: string - type: - description: Which kind of policy this is, currently only rego or cue are supported. Furthermore, only cue is tested :) - type: string - status: - description: Status represents the current state of the ClusterImagePolicy. This data may be out of date. - type: object - properties: - annotations: - description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. - type: object - x-kubernetes-preserve-unknown-fields: true - conditions: - description: Conditions the latest available observations of a resource's current state. - type: array - items: - type: object - required: - - type - - status - properties: - lastTransitionTime: - description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant). - type: string - message: - description: A human readable message indicating details about the transition. - type: string - reason: - description: The reason for the condition's last transition. - type: string - severity: - description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error. - type: string - status: - description: Status of the condition, one of True, False, Unknown. - type: string - type: - description: Type of condition. 
- type: string - observedGeneration: - description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller. - type: integer - format: int64 - - name: v1beta1 - served: true - storage: false - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - properties: - spec: - description: Spec holds the desired state of the ClusterImagePolicy (from the client). - type: object - properties: - authorities: - description: Authorities defines the rules for discovering and validating signatures. - type: array - items: - type: object - properties: - attestations: - description: Attestations is a list of individual attestations for this authority, once the signature for this authority has been verified. - type: array - items: - type: object - properties: - name: - description: Name of the attestation. These can then be referenced at the CIP level policy. - type: string - policy: - description: Policy defines all of the matching signatures, and all of the matching attestations (whose attestations are verified). - type: object - properties: - configMapRef: - description: ConfigMapRef defines the reference to a configMap with the policy definition. - type: object - properties: - key: - description: Key defines the key to pull from the configmap. - type: string - name: - description: Name is unique within a namespace to reference a configmap resource. - type: string - namespace: - description: Namespace defines the space within which the configmap name must be unique. - type: string - data: - description: Data contains the policy definition. - type: string - fetchConfigFile: - description: 'FetchConfigFile controls whether ConfigFile will be fetched and made available for CIP level policy evaluation. Note that this only gets evaluated (and hence fetched) iff at least one authority matches. 
The ConfigFile will then be available in this format: https://github.com/opencontainers/image-spec/blob/main/config.md' - type: boolean - includeObjectMeta: - description: IncludeObjectMeta controls whether the ObjectMeta will be included and made available for CIP level policy evalutation. Note that this only gets evaluated iff at least one authority matches. - type: boolean - includeSpec: - description: IncludeSpec controls whether resource `Spec` will be included and made available for CIP level policy evaluation. Note that this only gets evaluated iff at least one authority matches. Also note that because Spec may be of a different shape depending on the resource being evaluatied (see MatchResource for filtering) you might want to configure these to match the policy file to ensure the shape of the Spec is what you expect when evaling the policy. - type: boolean - includeTypeMeta: - description: IncludeTypeMeta controls whether the TypeMeta will be included and made available for CIP level policy evalutation. Note that this only gets evaluated iff at least one authority matches. - type: boolean - remote: - description: Remote defines the url to a policy. - type: object - properties: - sha256sum: - description: Sha256sum defines the exact sha256sum computed out of the 'body' of the http response. - type: string - url: - description: URL to the policy data. - type: string - type: - description: Which kind of policy this is, currently only rego or cue are supported. Furthermore, only cue is tested :) - type: string - predicateType: - description: PredicateType defines which predicate type to verify. Matches cosign verify-attestation options. - type: string - ctlog: - description: CTLog sets the configuration to verify the authority against a Rekor instance. 
- type: object - properties: - trustRootRef: - description: Use the Public Key from the referred TrustRoot.TLog - type: string - url: - description: URL sets the url to the rekor instance (by default the public rekor.sigstore.dev) - type: string - key: - description: Key defines the type of key to validate the image. - type: object - properties: - data: - description: Data contains the inline public key. - type: string - hashAlgorithm: - description: HashAlgorithm always defaults to sha256 if the algorithm hasn't been explicitly set - type: string - kms: - description: KMS contains the KMS url of the public key Supported formats differ based on the KMS system used. - type: string - secretRef: - description: SecretRef sets a reference to a secret with the key. - type: object - properties: - name: - description: name is unique within a namespace to reference a secret resource. - type: string - namespace: - description: namespace defines the space within which the secret name must be unique. - type: string - keyless: - description: Keyless sets the configuration to verify the authority against a Fulcio instance. - type: object - properties: - ca-cert: - description: CACert sets a reference to CA certificate - type: object - properties: - data: - description: Data contains the inline public key. - type: string - hashAlgorithm: - description: HashAlgorithm always defaults to sha256 if the algorithm hasn't been explicitly set - type: string - kms: - description: KMS contains the KMS url of the public key Supported formats differ based on the KMS system used. - type: string - secretRef: - description: SecretRef sets a reference to a secret with the key. - type: object - properties: - name: - description: name is unique within a namespace to reference a secret resource. - type: string - namespace: - description: namespace defines the space within which the secret name must be unique. - type: string - identities: - description: Identities sets a list of identities. 
- type: array - items: - type: object - properties: - issuer: - description: Issuer defines the issuer for this identity. - type: string - issuerRegExp: - description: IssuerRegExp specifies a regular expression to match the issuer for this identity. - type: string - subject: - description: Subject defines the subject for this identity. - type: string - subjectRegExp: - description: SubjectRegExp specifies a regular expression to match the subject for this identity. - type: string - insecureIgnoreSCT: - description: InsecureIgnoreSCT omits verifying if a certificate contains an embedded SCT - type: boolean - trustRootRef: - description: Use the Certificate Chain from the referred TrustRoot.CertificateAuthorities and TrustRoot.CTLog - type: string - url: - description: URL defines a url to the keyless instance. - type: string - name: - description: Name is the name for this authority. Used by the CIP Policy validator to be able to reference matching signature or attestation verifications. If not specified, the name will be authority- - type: string - rfc3161timestamp: - description: RFC3161Timestamp sets the configuration to verify the signature timestamp against a RFC3161 time-stamping instance. - type: object - properties: - trustRootRef: - description: Use the Certificate Chain from the referred TrustRoot.TimeStampAuthorities - type: string - signatureFormat: - description: SignatureFormat specifies the format the authority expects. Supported formats are "simplesigning" and "bundle". If not specified, the default is "simplesigning" (cosign's default). - type: string - source: - description: Sources sets the configuration to specify the sources from where to consume the signatures. - type: array - items: - type: object - properties: - oci: - description: OCI defines the registry from where to pull the signature / attestations. 
- type: string - signaturePullSecrets: - description: SignaturePullSecrets is an optional list of references to secrets in the same namespace as the deploying resource for pulling any of the signatures used by this Source. - type: array - items: - type: object - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - tagPrefix: - description: TagPrefix is an optional prefix that signature and attestations have. This is the 'tag based discovery' and in the future once references are fully supported that should likely be the preferred way to handle these. - type: string - static: - description: Static specifies that signatures / attestations are not validated but instead a static policy is applied against matching images. - type: object - properties: - action: - description: Action defines how to handle a matching policy. - type: string - message: - description: For fail actions, emit an optional custom message - type: string - images: - description: Images defines the patterns of image names that should be subject to this policy. - type: array - items: - type: object - properties: - glob: - description: Glob defines a globbing pattern. - type: string - match: - description: Match allows selecting resources based on their properties. - type: array - items: - type: object - properties: - group: - type: string - resource: - type: string - selector: - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - type: object - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. 
If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - x-kubernetes-preserve-unknown-fields: true - version: - type: string - mode: - description: Mode controls whether a failing policy will be rejected (not admitted), or if errors are converted to Warnings. enforce - Reject (default) warn - allow but warn - type: string - policy: - description: Policy is an optional policy that can be applied against all the successfully validated Authorities. If no authorities pass, this does not even get evaluated, as the Policy is considered failed. - type: object - properties: - configMapRef: - description: ConfigMapRef defines the reference to a configMap with the policy definition. - type: object - properties: - key: - description: Key defines the key to pull from the configmap. - type: string - name: - description: Name is unique within a namespace to reference a configmap resource. - type: string - namespace: - description: Namespace defines the space within which the configmap name must be unique. - type: string - data: - description: Data contains the policy definition. - type: string - fetchConfigFile: - description: 'FetchConfigFile controls whether ConfigFile will be fetched and made available for CIP level policy evaluation. Note that this only gets evaluated (and hence fetched) iff at least one authority matches. 
The ConfigFile will then be available in this format: https://github.com/opencontainers/image-spec/blob/main/config.md' - type: boolean - includeObjectMeta: - description: IncludeObjectMeta controls whether the ObjectMeta will be included and made available for CIP level policy evalutation. Note that this only gets evaluated iff at least one authority matches. - type: boolean - includeSpec: - description: IncludeSpec controls whether resource `Spec` will be included and made available for CIP level policy evaluation. Note that this only gets evaluated iff at least one authority matches. Also note that because Spec may be of a different shape depending on the resource being evaluatied (see MatchResource for filtering) you might want to configure these to match the policy file to ensure the shape of the Spec is what you expect when evaling the policy. - type: boolean - includeTypeMeta: - description: IncludeTypeMeta controls whether the TypeMeta will be included and made available for CIP level policy evalutation. Note that this only gets evaluated iff at least one authority matches. - type: boolean - remote: - description: Remote defines the url to a policy. - type: object - properties: - sha256sum: - description: Sha256sum defines the exact sha256sum computed out of the 'body' of the http response. - type: string - url: - description: URL to the policy data. - type: string - type: - description: Which kind of policy this is, currently only rego or cue are supported. Furthermore, only cue is tested :) - type: string - status: - description: Status represents the current state of the ClusterImagePolicy. This data may be out of date. - type: object - properties: - annotations: - description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. 
- type: object - x-kubernetes-preserve-unknown-fields: true - conditions: - description: Conditions the latest available observations of a resource's current state. - type: array - items: - type: object - required: - - type - - status - properties: - lastTransitionTime: - description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant). - type: string - message: - description: A human readable message indicating details about the transition. - type: string - reason: - description: The reason for the condition's last transition. - type: string - severity: - description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error. - type: string - status: - description: Status of the condition, one of True, False, Unknown. - type: string - type: - description: Type of condition. - type: string - observedGeneration: - description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller. - type: integer - format: int64 diff --git a/charts/policy-controller/templates/crds/trustroots.yaml b/charts/policy-controller/templates/crds/trustroots.yaml deleted file mode 100644 index 9f61f27..0000000 --- a/charts/policy-controller/templates/crds/trustroots.yaml +++ /dev/null 
@@ -1,188 +0,0 @@ -# Copyright 2022 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: trustroots.policy.sigstore.dev -spec: - conversion: - strategy: None - group: policy.sigstore.dev - names: - kind: TrustRoot - plural: trustroots - singular: trustroot - categories: - - all - - sigstore - scope: Cluster - versions: - - name: v1alpha1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - properties: - spec: - description: Spec is the definition for a trust root. This is either a TUF root and remote or local repository. You can also bring your own keys/certs here. - type: object - properties: - remote: - description: Remote specifies initial root of trust & remote mirror. - type: object - properties: - mirror: - description: 'Mirror is the remote mirror, for example: https://tuf-repo-cdn.sigstore.dev' - type: string - root: - description: Root is the base64 encoded, json trusted initial root. - type: string - targets: - description: Targets is where the targets live off of the root of the Remote If not specified 'targets' is defaulted. - type: string - trustedRootTarget: - description: TrustedRootTarget is the name of the target containing the JSON trusted root. If not specified, `trusted_root.json` is used. - type: string - repository: - description: Repository contains the serialized TUF remote repository. 
- type: object - properties: - mirrorFS: - description: MirrorFS is the base64 tarred, gzipped, and base64 encoded remote repository that can be used for example in air-gap environments. Will not make outbound network connections, and must then be kept up to date in some other manner. The repository must contain metadata as well as targets. - type: string - root: - description: Root is the base64 encoded, json trusted initial root. - type: string - targets: - description: Targets is where the targets live off of the root of the Repository above. If not specified 'targets' is defaulted. - type: string - trustedRootTarget: - description: TrustedRootTarget is the name of the target containing the JSON trusted root. If not specified, `trusted_root.json` is used. - type: string - sigstoreKeys: - description: SigstoreKeys contains the serialized keys. - type: object - properties: - certificateAuthorities: - description: Trusted certificate authorities (e.g Fulcio). - type: array - items: - type: object - properties: - certChain: - description: The certificate chain for this CA in PEM format. Last entry in this chain is the Root certificate. - type: string - subject: - description: The root certificate MUST be self-signed, and so the subject and issuer are the same. - type: object - properties: - commonName: - type: string - organization: - type: string - uri: - description: The URI at which the CA can be accessed. - type: string - ctLogs: - description: Certificate Transparency Log - type: array - items: - type: object - properties: - baseURL: - description: The base URL which can be used for URLs for clients. - type: string - hashAlgorithm: - description: / The hash algorithm used for the Merkle Tree - type: string - publicKey: - description: PEM encoded public key - type: string - tLogs: - description: Rekor log specifications - type: array - items: - type: object - properties: - baseURL: - description: The base URL which can be used for URLs for clients. 
- type: string - hashAlgorithm: - description: / The hash algorithm used for the Merkle Tree - type: string - publicKey: - description: PEM encoded public key - type: string - timestampAuthorities: - description: Trusted timestamping authorities - type: array - items: - type: object - properties: - certChain: - description: The certificate chain for this CA in PEM format. Last entry in this chain is the Root certificate. - type: string - subject: - description: The root certificate MUST be self-signed, and so the subject and issuer are the same. - type: object - properties: - commonName: - type: string - organization: - type: string - uri: - description: The URI at which the CA can be accessed. - type: string - status: - description: Status represents the current state of the TrustRoot. This data may be out of date. - type: object - properties: - annotations: - description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. - type: object - x-kubernetes-preserve-unknown-fields: true - conditions: - description: Conditions the latest available observations of a resource's current state. - type: array - items: - type: object - required: - - type - - status - properties: - lastTransitionTime: - description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant). - type: string - message: - description: A human readable message indicating details about the transition. - type: string - reason: - description: The reason for the condition's last transition. - type: string - severity: - description: Severity with which to treat failures of this type of condition. 
When this is not specified, it defaults to Error. - type: string - status: - description: Status of the condition, one of True, False, Unknown. - type: string - type: - description: Type of condition. - type: string - observedGeneration: - description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller. - type: integer - format: int64 diff --git a/charts/policy-controller/templates/webhook/cleanup-leases.yaml b/charts/policy-controller/templates/webhook/cleanup-leases.yaml deleted file mode 100644 index 0cccbb1..0000000 --- a/charts/policy-controller/templates/webhook/cleanup-leases.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: leases-cleanup - namespace: {{ .Release.Namespace }} - labels: - {{- include "policy-controller.labels" . | nindent 4 }} - control-plane: {{ template "policy-controller.fullname" . }}-webhook - annotations: - "helm.sh/hook": post-delete - "helm.sh/hook-weight": "3" - "helm.sh/hook-delete-policy": hook-succeeded -spec: - template: - metadata: - name: leases-cleanup - spec: - serviceAccountName: {{ template "webhook.serviceAccountName" . }}-cleanup - containers: - - name: kubectl - image: "{{ template "leases-cleanup.image" .Values.leasescleanup.image }}" - imagePullPolicy: "{{ .Values.leasescleanup.image.pullPolicy }}" - command: - - /bin/sh - - -c - - kubectl delete leases --all --ignore-not-found -n {{ .Release.Namespace }} - restartPolicy: OnFailure ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ template "policy-controller.fullname" . }}-cleanup - namespace: {{ .Release.Namespace }} - labels: - {{- include "policy-controller.labels" . | nindent 4 }} - control-plane: {{ template "policy-controller.fullname" . }}-cleanup - annotations: - "helm.sh/hook": post-delete - "helm.sh/hook-weight": "1" - "helm.sh/hook-delete-policy": hook-succeeded -subjects: -- kind: ServiceAccount - name: {{ include "webhook.serviceAccountName" . }}-cleanup - namespace: {{ .Release.Namespace }} -roleRef: - kind: Role - name: {{ template "policy-controller.fullname" . }}-cleanup - apiGroup: rbac.authorization.k8s.io ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ template "policy-controller.fullname" . }}-cleanup - namespace: {{ .Release.Namespace }} - labels: - {{- include "policy-controller.labels" . | nindent 4 }} - control-plane: {{ template "policy-controller.fullname" . 
}}-cleanup - annotations: - "helm.sh/hook": post-delete - "helm.sh/hook-weight": "1" - "helm.sh/hook-delete-policy": hook-succeeded -rules: - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["list","delete"] ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - {{- include "policy-controller.labels" . | nindent 4 }} - control-plane: {{ template "policy-controller.fullname" . }}-cleanup - name: {{ template "webhook.serviceAccountName" . }}-cleanup - namespace: {{ .Release.Namespace }} - annotations: - "helm.sh/hook": post-delete - "helm.sh/hook-weight": "2" - "helm.sh/hook-delete-policy": hook-succeeded diff --git a/charts/policy-controller/templates/webhook/clusterrole_webhook.yaml b/charts/policy-controller/templates/webhook/clusterrole_webhook.yaml deleted file mode 100644 index 189272d..0000000 --- a/charts/policy-controller/templates/webhook/clusterrole_webhook.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "policy-controller.fullname" . }}-webhook - labels: - {{- include "policy-controller.labels" . | nindent 4 }} - control-plane: {{ template "policy-controller.fullname" . }}-webhook -rules: - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] - # Allow the reconciliation of exactly our validating webhook. - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"] - verbs: ["list", "watch"] - - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"] - verbs: ["get", "update", "delete"] - resourceNames: - - {{ required "A valid cosign.webhookName is required" .Values.cosign.webhookName | quote }} - - {{ required "A valid webhook.webhookNames.defaulting is required" .Values.webhook.webhookNames.defaulting | quote }} - - {{ required "A valid webhook.webhookNames.validating is required" .Values.webhook.webhookNames.validating | quote }} - - - apiGroups: [""] - resources: ["namespaces"] - verbs: ["get", "list"] - # The webhook configured the namespace as the OwnerRef on various cluster-scoped resources, - # which requires we can Get the system namespace. - resourceNames: [ "{{ .Release.Namespace }}" ] - - - apiGroups: [""] - resources: ["namespaces/finalizers"] - verbs: ["update"] - resourceNames: [ "{{ .Release.Namespace }}" ] - - # This is needed by k8schain to support fetching pull secrets attached to pod specs - # or their service accounts. If pull secrets aren't used, the "secrets" below can - # be safely dropped, but the logic will fetch the service account to check for pull - # secrets. - - apiGroups: [""] - resources: ["serviceaccounts", "secrets"] - verbs: ["get"] - - # Allow reconciliation of the ClusterImagePolic CRDs. 
- - apiGroups: ["policy.sigstore.dev"]
- resources: ["clusterimagepolicies", "clusterimagepolicies/status"]
- verbs: ["get", "list", "update", "watch", "patch"]
-
- - apiGroups: ["apiextensions.k8s.io"]
- resources: ["customresourcedefinitions"]
- verbs: ["get", "list", "watch", "update"]
-
- - apiGroups: ["apiextensions.k8s.io"]
- resources: ["customresourcedefinitions"]
- verbs: ["get", "update", "list"]
- resourceNames: ["trustroots.policy.sigstore.dev"]
-
- - apiGroups: ["policy.sigstore.dev"]
- resources: ["trustroots", "trustroots/status"]
- verbs: ["get", "list", "update", "watch", "patch"]
diff --git a/charts/policy-controller/templates/webhook/clusterrolebindings_webhook.yaml b/charts/policy-controller/templates/webhook/clusterrolebindings_webhook.yaml
deleted file mode 100644
index dedfd31..0000000
--- a/charts/policy-controller/templates/webhook/clusterrolebindings_webhook.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ template "policy-controller.fullname" . }}-webhook
- labels:
- {{- include "policy-controller.labels" . | nindent 4 }}
- control-plane: {{ template "policy-controller.fullname" . }}-webhook
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ template "policy-controller.fullname" . }}-webhook
-subjects:
-- kind: ServiceAccount
- name: {{ include "webhook.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
diff --git a/charts/policy-controller/templates/webhook/config-sigstore-keys.yaml b/charts/policy-controller/templates/webhook/config-sigstore-keys.yaml
deleted file mode 100644
index 8bd9ac0..0000000
--- a/charts/policy-controller/templates/webhook/config-sigstore-keys.yaml
+++ /dev/null
@@ -1,33 +0,0 @@ -# Copyright 2022 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ConfigMap -metadata: - name: config-sigstore-keys - namespace: {{ .Release.Namespace }} - {{- if .Values.commonAnnotations }} - annotations: - {{- toYaml .Values.commonAnnotations | nindent 4 }} - {{- end }} -data: - _example: | - ################################## - # # - # EXAMPLE CONFIGURATION # - # # - # # - # my-custom-sigstore-keys: |- - # {"certificateAuthority":[{"subject":{"organization":"fulcio-organization","commonName":"fulcio-common-name"},"uri":"https://fulcio.example.com","certChain":"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"}],"tLog":[{"baseURL":"https://rekor.example.com","hashAlgorithm":"sha-256","publicKey":"LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KCU1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRTdEMld2Z3FTenM5anBkSnNPSjVObDZ4ZzhKWG0KCU5tbzdNM2JONytkUWRkdzlJYmMyUjNTVjh0ekJadzByU1Q4RktjbjRhcEplcGNLTTRxVXBZVWVOZnc9PQoJLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCgk=","logID":"rekor-log-id"}],"ctLog":[{"baseURL":"https://ctfe.example.com","hashAlgorithm":"sha-256","publicKey":"LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KCU1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRUp2Q0ppNzA3ZnY1dE1KMVUyVFZNWit1TzRkS0cKCWFFY3ZqbENrZ0JDS1hicmt1bVpWMG0wZFNsSzFWMWd4RWl5UTh5NmhrMU14Sk5lMkFaclpVdDdhNHc9PQoJLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCgk=","logID":"ctfe-log-id"}],"timestampAuthorities":[{"subject":{"organization":"tsa-organization","commonName":"tsa-c
ommon-name"},"uri":"https://tsa.example.com","certChain":"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"}]} - ################################### \ No newline at end of file diff --git a/charts/policy-controller/templates/webhook/configmap-clusterimagepolicy.yaml b/charts/policy-controller/templates/webhook/configmap-clusterimagepolicy.yaml deleted file mode 100644 index 2495504..0000000 --- a/charts/policy-controller/templates/webhook/configmap-clusterimagepolicy.yaml +++ /dev/null @@ -1,33 +0,0 @@ -# Copyright 2022 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: config-image-policies - namespace: {{ .Release.Namespace }} - {{- if .Values.commonAnnotations }} - annotations: - {{- toYaml .Values.commonAnnotations | nindent 4 }} - {{- end }} -data: - _example: | - ####################################### - # # - # EXAMPLE CONFIGURATION # - # # - # # - # cluster-image-policy-json: '{"images":[{"glob":"ghcr.io/example/*","regex":""}],"authorities":[{"key":{"data":"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\n-----END PUBLIC KEY-----"}}]}' - ####################################### 
diff --git a/charts/policy-controller/templates/webhook/configmap-policy-controller.yaml b/charts/policy-controller/templates/webhook/configmap-policy-controller.yaml
deleted file mode 100644
index 9ea919f..0000000
--- a/charts/policy-controller/templates/webhook/configmap-policy-controller.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-# Copyright 2022 The Sigstore Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: config-policy-controller
- namespace: {{ .Release.Namespace }}
- {{- if .Values.commonAnnotations }}
- annotations:
- {{- toYaml .Values.commonAnnotations | nindent 4 }}
- {{- end }}
-data:
- {{- if not .Values.webhook.configData }}
- _example: |
- ################################
- # #
- # EXAMPLE CONFIGURATION #
- # #
- # #
- # no-match-policy: warn #
- ################################
- {{- else if .Values.webhook.configData }}
-{{ toYaml .Values.webhook.configData | indent 4 }}
- {{- end }}
-
diff --git a/charts/policy-controller/templates/webhook/configmap.yaml b/charts/policy-controller/templates/webhook/configmap.yaml
deleted file mode 100644
index a2155a8..0000000
--- a/charts/policy-controller/templates/webhook/configmap.yaml
+++ /dev/null
@@ -1,56 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- labels:
- {{- include "policy-controller.labels" . | nindent 4 }}
- control-plane: {{ template "policy-controller.fullname" . }}-webhook
- name: {{ template "policy-controller.fullname" . }}-webhook-logging
- namespace: {{ .Release.Namespace }}
- {{- if .Values.commonAnnotations }}
- annotations:
- {{- toYaml .Values.commonAnnotations | nindent 4 }}
- {{- end }}
-data:
- zap-logger-config: |-
- {
- "level": "{{ .Values.loglevel }}",
- "development": false,
- "outputPaths": ["stdout"],
- "errorOutputPaths": ["stderr"],
- "encoding": "json",
- "encoderConfig": {
- "timeKey": "ts",
- "levelKey": "level",
- "nameKey": "logger",
- "callerKey": "caller",
- "messageKey": "msg",
- "stacktraceKey": "stacktrace",
- "lineEnding": "",
- "levelEncoder": "",
- "timeEncoder": "iso8601",
- "durationEncoder": "",
- "callerEncoder": ""
- }
- }
- # Log level overrides
- # Changes are be picked up immediately.
- loglevel.controller: "{{ .Values.loglevel }}"
- loglevel.webhook: "{{ .Values.loglevel }}"
-{{- if .Values.serviceMonitor.enabled }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- labels:
- {{- include "policy-controller.labels" . | nindent 4 }}
- control-plane: {{ template "policy-controller.fullname" . }}-webhook
- name: {{ template "policy-controller.fullname" . }}-webhook-observability
- namespace: {{ .Release.Namespace }}
- {{- if .Values.commonAnnotations }}
- annotations:
-{{- toYaml .Values.commonAnnotations | nindent 4 }}
- {{- end }}
-data:
- metrics.backend-destination: prometheus
- metrics.request-metrics-backend-destination: prometheus
-{{- end }}
diff --git a/charts/policy-controller/templates/webhook/cosign_secret.yaml b/charts/policy-controller/templates/webhook/cosign_secret.yaml
deleted file mode 100644
index 85ad658..0000000
--- a/charts/policy-controller/templates/webhook/cosign_secret.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-{{- if .Values.cosign.cosignPub }}
-apiVersion: v1
-kind: Secret
-metadata:
- labels:
- {{- include "policy-controller.labels" . | nindent 4 }}
- name: {{ template "policy-controller.fullname" . }}-cosign-key
- namespace: {{ .Release.Namespace }}
- {{- if .Values.commonAnnotations }}
- annotations:
- {{- toYaml .Values.commonAnnotations | nindent 4 }}
- {{- end }}
-type: Opaque
-data:
- cosign.pub: {{ .Values.cosign.cosignPub}}
-{{- end -}}
diff --git a/charts/policy-controller/templates/webhook/deployment_webhook.yaml b/charts/policy-controller/templates/webhook/deployment_webhook.yaml
deleted file mode 100644
index 716a31f..0000000
--- a/charts/policy-controller/templates/webhook/deployment_webhook.yaml
+++ /dev/null
@@ -1,153 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- {{- include "policy-controller.labels" . | nindent 4 }}
- control-plane: {{ template "policy-controller.fullname" . }}-webhook
- name: {{ template "policy-controller.fullname" . }}-webhook
- namespace: {{ .Release.Namespace }}
-spec:
- replicas: {{ .Values.webhook.replicaCount }}
- selector:
- matchLabels:
- {{- include "policy-controller.selectorLabels" . | nindent 6 }}
- control-plane: {{ template "policy-controller.fullname" . }}-webhook
- template:
- metadata:
- labels:
- control-plane: {{ template "policy-controller.fullname" . }}-webhook
- {{- include "policy-controller.labels" . | nindent 8 }}
- spec:
- nodeSelector:
- {{- toYaml .Values.commonNodeSelector | nindent 8 }}
- {{- if .Values.imagePullSecrets }}
- imagePullSecrets:
-{{ toYaml .Values.imagePullSecrets | indent 8 }}
- {{- end }}
- tolerations:
- {{- toYaml .Values.commonTolerations | nindent 8 }}
- serviceAccountName: {{ include "webhook.serviceAccountName" . }}
- # To avoid node becoming SPOF, spread our replicas to different nodes.
- affinity:
- podAntiAffinity:
- preferredDuringSchedulingIgnoredDuringExecution:
- - podAffinityTerm:
- labelSelector:
- matchLabels:
- control-plane: {{ template "policy-controller.fullname" . }}-webhook
- topologyKey: kubernetes.io/hostname
- weight: 100
- containers:
- - name: {{ template "policy-controller.name" . }}-{{ .Values.webhook.name }}
- image: "{{ template "policy-controller.image" .Values.webhook.image }}"
- imagePullPolicy: "{{ .Values.webhook.image.pullPolicy }}"
- env:
- - name: SYSTEM_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: CONFIG_LOGGING_NAME
- value: {{ template "policy-controller.fullname" . }}-webhook-logging
- - name: CONFIG_OBSERVABILITY_NAME
- value: {{ template "policy-controller.fullname" . }}-webhook-observability
- - name: METRICS_DOMAIN
- value: sigstore.dev/policy
- - name: WEBHOOK_NAME
- value: webhook
- - name: HOME
- value: /home/nonroot
- {{- if .Values.webhook.registryCaBundle.name }}
- - name: SSL_CERT_DIR
- value: /etc/custom-ca:/etc/ssl/certs
- {{- end }}
-{{- if .Values.webhook.env }}
-{{- range $key, $value := .Values.webhook.env }}
- - name: "{{ $key }}"
- value: "{{ $value }}"
-{{- end }}
-{{- end }}
- args:
- {{- if semverCompare ">= 0.9.0-0" .Chart.AppVersion }}
- - -webhook-name={{ required "A valid cosign.webhookName is required" .Values.cosign.webhookName }}
- - -mutating-webhook-name={{ required "A valid webhook.webhookNames.defaulting is required" .Values.webhook.webhookNames.defaulting }}
- - -validating-webhook-name={{ required "A valid webhook.webhookNames.validating is required" .Values.webhook.webhookNames.validating }}
- {{- end }}
- {{- range $key, $value := .Values.webhook.extraArgs }}
- - -{{ $key }}={{ $value }}
- {{- end }}
- ports:
- - containerPort: 8443
- name: https
- protocol: TCP
- - containerPort: 9090
- name: metrics
- protocol: TCP
- resources:
- {{- with .Values.webhook.resources }}
- {{- toYaml . | nindent 10 }}
- {{- end }}
- livenessProbe:
- failureThreshold: 6
- initialDelaySeconds: 30
- periodSeconds: 1
- httpGet:
- port: 8443
- scheme: HTTPS
- path: /healthz
- httpHeaders:
- - name: k-kubelet-probe
- value: "webhook"
- readinessProbe:
- failureThreshold: 6
- initialDelaySeconds: 20
- periodSeconds: 1
- httpGet:
- port: 8443
- scheme: HTTPS
- path: /readyz
- httpHeaders:
- - name: k-kubelet-probe
- value: "webhook"
-{{- if .Values.webhook.podSecurityContext.enabled }}
- securityContext:
- {{- with .Values.webhook.podSecurityContext }}
- {{- omit . "enabled" | toYaml | nindent 10}}
- {{- end }}
-{{- end }}
- volumeMounts:
- # Failing to provide a writable $HOME can cause TUF client initialization to panic
- - mountPath: /home/nonroot
- name: writable-home-dir
- {{- with .Values.webhook.volumeMounts }}
- {{- toYaml . | nindent 10 }}
- {{- end }}
- {{- if .Values.webhook.registryCaBundle.name }}
- - mountPath: /etc/custom-ca
- name: custom-ca
- readOnly: true
- {{- end }}
-
- # Our webhook should gracefully terminate by lame ducking first, set this to a sufficiently
- # high value that we respect whatever value it has configured for the lame duck grace period.
- terminationGracePeriodSeconds: 300
-
- {{- if .Values.webhook.securityContext.enabled }}
- securityContext:
- {{- with .Values.webhook.securityContext }}
- {{- omit . "enabled" | toYaml | nindent 8}}
- {{- end }}
- {{- end }}
- volumes:
- - emptyDir: {}
- name: writable-home-dir
- {{- with .Values.webhook.volumes }}
- {{- toYaml . | nindent 6 }}
- {{- end }}
- {{- if .Values.webhook.registryCaBundle.name }}
- - name: custom-ca
- configMap:
- name: {{ .Values.webhook.registryCaBundle.name }}
- items:
- - key: {{ .Values.webhook.registryCaBundle.key }}
- path: {{ .Values.webhook.registryCaBundle.key }}
- {{- end }}
diff --git a/charts/policy-controller/templates/webhook/poddisruptionbudget.yaml b/charts/policy-controller/templates/webhook/poddisruptionbudget.yaml
deleted file mode 100644
index 2a81115..0000000
--- a/charts/policy-controller/templates/webhook/poddisruptionbudget.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-{{ if .Values.webhook.podDisruptionBudget.enabled }}
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
- name: {{ template "policy-controller.fullname" . }}-webhook
- labels:
- {{- include "policy-controller.labels" . | nindent 4 }}
- control-plane: {{ template "policy-controller.fullname" . }}-webhook
-{{- if .Values.labels }}
-{{- with .Values.labels }}
- {{- toYaml . | nindent 4 }}
-{{- end }}
-{{- end }}
- annotations:
-{{- if .Values.annotations }}
-{{- with .Values.annotations }}
- {{- toYaml . | nindent 4 }}
-{{- end }}
-{{- end }}
-spec:
- minAvailable: {{ .Values.webhook.podDisruptionBudget.minAvailable }}
- maxUnavailable: {{ .Values.webhook.podDisruptionBudget.maxUnavailable }}
- selector:
- matchLabels:
- {{- include "policy-controller.selectorLabels" . | nindent 6 }}
- control-plane: {{ template "policy-controller.fullname" . }}-webhook
-{{- end }}
diff --git a/charts/policy-controller/templates/webhook/policy_webhook_configurations.yaml b/charts/policy-controller/templates/webhook/policy_webhook_configurations.yaml
deleted file mode 100644
index b8c7f0c..0000000
--- a/charts/policy-controller/templates/webhook/policy_webhook_configurations.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-# Copyright 2022 The Sigstore Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
- name: {{ required "A valid webhook.webhookNames.defaulting is required" .Values.webhook.webhookNames.defaulting }}
-webhooks:
- - admissionReviewVersions:
- - v1
- clientConfig:
- service:
- name: webhook
- namespace: {{ .Release.Namespace }}
- failurePolicy: Fail
- matchPolicy: Equivalent
- name: {{ required "A valid webhook.webhookNames.defaulting is required" .Values.webhook.webhookNames.defaulting }}
- sideEffects: None
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- name: {{ required "A valid webhook.webhookNames.validating is required" .Values.webhook.webhookNames.validating }}
-webhooks:
- - admissionReviewVersions:
- - v1
- clientConfig:
- service:
- name: webhook
- namespace: {{ .Release.Namespace }}
- failurePolicy: Fail
- matchPolicy: Equivalent
- name: {{ required "A valid webhook.webhookNames.validating is required" .Values.webhook.webhookNames.validating }}
- sideEffects: None
diff --git a/charts/policy-controller/templates/webhook/role_webhook.yaml b/charts/policy-controller/templates/webhook/role_webhook.yaml
deleted file mode 100644
index 3f2d516..0000000
--- a/charts/policy-controller/templates/webhook/role_webhook.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ template "policy-controller.fullname" . }}-webhook
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "policy-controller.labels" . | nindent 4 }}
- control-plane: {{ template "policy-controller.fullname" . }}-webhook
-rules:
- # Needed to watch and load configuration and secret data.
- - apiGroups: [""]
- resources: ["configmaps", "secrets"]
- verbs: ["get", "list", "update", "watch"]
-
- # Needed for leader election
- - apiGroups: ["coordination.k8s.io"]
- resources: ["leases"]
- verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
-
- # This is needed to create / patch ConfigMap that is created by the reconciler
- # to consolidate various CIP configuration into a policy ConfigMap.
- - apiGroups: [""]
- resources: ["configmaps"]
- resourceNames: ["config-image-policies"]
- verbs: ["get", "list", "create", "update", "patch", "watch"]
-
- # This is needed to create / patch ConfigMap that is created by the reconciler
- # to consolidate various TrustRoot configuration into SigstoreKeys ConfigMap.
- - apiGroups: [""]
- resources: ["configmaps"]
- resourceNames: ["config-sigstore-keys"]
- verbs: ["get", "list", "create", "update", "patch", "watch"]
-
- - apiGroups: ["policy.sigstore.dev"]
- resources: ["trustroots"]
- verbs: ["get", "list"]
\ No newline at end of file
diff --git a/charts/policy-controller/templates/webhook/rolebinding_webhook.yaml b/charts/policy-controller/templates/webhook/rolebinding_webhook.yaml
deleted file mode 100644
index 4f406ff..0000000
--- a/charts/policy-controller/templates/webhook/rolebinding_webhook.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ template "policy-controller.fullname" . }}-webhook
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "policy-controller.labels" . | nindent 4 }}
- control-plane: {{ template "policy-controller.fullname" . }}-webhook
-subjects:
-- kind: ServiceAccount
- name: {{ include "webhook.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
-roleRef:
- kind: Role
- name: {{ template "policy-controller.fullname" . }}-webhook
- apiGroup: rbac.authorization.k8s.io
diff --git a/charts/policy-controller/templates/webhook/sa_webhook.yaml b/charts/policy-controller/templates/webhook/sa_webhook.yaml
deleted file mode 100644
index 734896d..0000000
--- a/charts/policy-controller/templates/webhook/sa_webhook.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-{{- if .Values.webhook.serviceAccount.create }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- {{- include "policy-controller.labels" . | nindent 4 }}
- control-plane: {{ template "policy-controller.fullname" . }}-webhook
- name: {{ template "webhook.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
- {{- with .Values.webhook.serviceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-{{- end }}
diff --git a/charts/policy-controller/templates/webhook/secret_certs_webhook.yaml b/charts/policy-controller/templates/webhook/secret_certs_webhook.yaml
deleted file mode 100644
index e0aa837..0000000
--- a/charts/policy-controller/templates/webhook/secret_certs_webhook.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- annotations:
- {{- if .Values.webhook.service.annotations }}
- {{ toYaml .Values.webhook.service.annotations | nindent 4 }}
- {{- end }}
- {{- if .Values.commonAnnotations }}
- {{- toYaml .Values.commonAnnotations | nindent 4 }}
- {{- end }}
- labels:
- {{- include "policy-controller.labels" . | nindent 4 }}
- control-plane: {{ template "policy-controller.fullname" . }}-webhook
- name: webhook-certs
- namespace: {{ .Release.Namespace }}
-# The data is populated at install time.
\ No newline at end of file
diff --git a/charts/policy-controller/templates/webhook/service_monitor_webhook.yaml b/charts/policy-controller/templates/webhook/service_monitor_webhook.yaml
deleted file mode 100644
index 7523659..0000000
--- a/charts/policy-controller/templates/webhook/service_monitor_webhook.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{- if .Values.serviceMonitor.enabled }}
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: {{ template "policy-controller.fullname" . }}-webhook-monitor
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "policy-controller.labels" . | nindent 4 }}
- control-plane: {{ template "policy-controller.fullname" . }}-webhook
-spec:
- endpoints:
- - path: /metrics
- port: metrics
- selector:
- matchLabels:
- control-plane: {{ template "policy-controller.fullname" . }}-webhook
-{{- end }}
diff --git a/charts/policy-controller/templates/webhook/service_webhook.yaml b/charts/policy-controller/templates/webhook/service_webhook.yaml
deleted file mode 100644
index 8a0e66c..0000000
--- a/charts/policy-controller/templates/webhook/service_webhook.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- annotations:
- {{- if .Values.webhook.service.annotations }}
- {{ toYaml .Values.webhook.service.annotations | nindent 4 }}
- {{- end }}
- labels:
- {{- include "policy-controller.labels" . | nindent 4 }}
- control-plane: {{ template "policy-controller.fullname" . }}-webhook
- name: webhook
- namespace: {{ .Release.Namespace }}
-spec:
- type: {{.Values.webhook.service.type}}
- ports:
- - name: https
- port: {{ .Values.webhook.service.port }}
- protocol: TCP
- targetPort: https
- {{- if and .Values.webhook.service.nodePort (eq "NodePort" .Values.webhook.service.type) }}
- nodePort: {{ .Values.webhook.service.nodePort }}
- {{- end }}
- selector:
- {{- include "policy-controller.selectorLabels" . | nindent 4 }}
- control-plane: {{ template "policy-controller.fullname" . }}-webhook
----
-apiVersion: v1
-kind: Service
-metadata:
- annotations:
- {{- if .Values.webhook.service.annotations }}
- {{ toYaml .Values.webhook.service.annotations | nindent 4 }}
- {{- end }}
- labels:
- {{- include "policy-controller.labels" . | nindent 4 }}
- control-plane: {{ template "policy-controller.fullname" . }}-webhook
- name: {{ template "policy-controller.fullname" . }}-webhook-metrics
- namespace: {{ .Release.Namespace }}
-spec:
- type: ClusterIP
- ports:
- - name: metrics
- port: 9090
- protocol: TCP
- targetPort: metrics
- selector:
- {{- include "policy-controller.selectorLabels" . | nindent 4 }}
- control-plane: {{ template "policy-controller.fullname" . }}-webhook
diff --git a/charts/policy-controller/templates/webhook/webhook_mutating.yaml b/charts/policy-controller/templates/webhook/webhook_mutating.yaml
deleted file mode 100644
index b5c969d..0000000
--- a/charts/policy-controller/templates/webhook/webhook_mutating.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
- name: {{ required "A valid cosign.webhookName is required" .Values.cosign.webhookName }}
-webhooks:
-- name: {{ required "A valid cosign.webhookName is required" .Values.cosign.webhookName }}
- namespaceSelector:
-{{- include "policy-controller.webhook.namespaceSelector" . | indent 4 }}
- admissionReviewVersions: [v1]
- clientConfig:
- service:
- name: webhook
- namespace: {{ .Release.Namespace }}
- failurePolicy: {{ .Values.webhook.failurePolicy }}
- sideEffects: None
- reinvocationPolicy: IfNeeded
diff --git a/charts/policy-controller/templates/webhook/webhook_validating.yaml b/charts/policy-controller/templates/webhook/webhook_validating.yaml
deleted file mode 100644
index 1a00339..0000000
--- a/charts/policy-controller/templates/webhook/webhook_validating.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- name: {{ required "A valid cosign.webhookName is required" .Values.cosign.webhookName }}
-webhooks:
-- name: {{ required "A valid cosign.webhookName is required" .Values.cosign.webhookName }}
- namespaceSelector:
-{{- include "policy-controller.webhook.namespaceSelector" . | indent 4 }}
- admissionReviewVersions: [v1]
- clientConfig:
- service:
- name: webhook
- namespace: {{ .Release.Namespace }}
- failurePolicy: {{ .Values.webhook.failurePolicy }}
- sideEffects: None
diff --git a/charts/policy-controller/values.schema.json b/charts/policy-controller/values.schema.json
deleted file mode 100644
index f2e2faa..0000000
--- a/charts/policy-controller/values.schema.json
+++ /dev/null
@@ -1,252 +0,0 @@
-{
- "$schema": "http://json-schema.org/schema#",
- "type": "object",
- "properties": {
- "commonAnnotations": {
- "type": "object"
- },
- "commonNodeSelector": {
- "type": "object"
- },
- "commonTolerations": {
- "type": "array"
- },
- "cosign": {
- "type": "object",
- "properties": {
- "cosignPub": {
- "type": "string"
- },
- "webhookName": {
- "type": "string"
- }
- }
- },
- "imagePullSecrets": {
- "type": "array"
- },
- "installCRDs": {
- "type": "boolean"
- },
- "leasescleanup": {
- "type": "object",
- "properties": {
- "image": {
- "type": "object",
- "properties": {
- "pullPolicy": {
- "type": "string"
- },
- "repository": {
- "type": "string"
- },
- "version": {
- "type": "string"
- }
- }
- }
- }
- },
- "loglevel": {
- "type": "string"
- },
- "serviceMonitor": {
- "type": "object",
- "properties": {
- "enabled": {
- "type": "boolean"
- }
- }
- },
- "webhook": {
- "type": "object",
- "properties": {
- "configData": {
- "type": "object"
- },
- "customLabels": {
- "type": "object"
- },
- "env": {
- "type": "object"
- },
- "extraArgs": {
- "type": "object"
- },
- "failurePolicy": {
- "type": "string"
- },
- "image": {
- "type": "object",
- "properties": {
- "pullPolicy": {
- "type": "string"
- },
- "repository": {
- "type": "string"
- },
- "version": {
- "type": "string"
- }
- }
- },
- "name": {
- "type": "string"
- },
- "namespaceSelector": {
- "type": "object",
- "properties": {
- "matchExpressions": {
- "type": "array",
- "items": {
- "type": "object",
- "properties": {
- "key": {
- "type": "string"
- },
- "operator": {
- "type": "string"
- },
- "values": {
- "type": "array",
- "items": {
- "type": "string"
- }
- }
- }
- }
- }
- }
- },
- "podDisruptionBudget": {
- "type": "object",
- "properties": {
- "enabled": {
- "type": "boolean"
- },
- "minAvailable": {
- "type": "integer"
- }
- }
- },
- "podSecurityContext": {
- "type": "object",
- "properties": {
- "allowPrivilegeEscalation": {
- "type": "boolean"
- },
- "capabilities": {
- "type": "object",
- "properties": {
- "drop": {
- "type": "array",
- "items": {
- "type": "string"
- }
- }
- }
- },
- "enabled": {
- "type": "boolean"
- },
- "readOnlyRootFilesystem": {
- "type": "boolean"
- },
- "runAsUser": {
- "type": "integer"
- }
- }
- },
- "registryCaBundle": {
- "type": "object"
- },
- "replicaCount": {
- "type": "integer"
- },
- "resources": {
- "type": "object",
- "properties": {
- "limits": {
- "type": "object",
- "properties": {
- "cpu": {
- "type": "string"
- },
- "memory": {
- "type": "string"
- }
- }
- },
- "requests": {
- "type": "object",
- "properties": {
- "cpu": {
- "type": "string"
- },
- "memory": {
- "type": "string"
- }
- }
- }
- }
- },
- "securityContext": {
- "type": "object",
- "properties": {
- "enabled": {
- "type": "boolean"
- },
- "runAsUser": {
- "type": "integer"
- }
- }
- },
- "service": {
- "type": "object",
- "properties": {
- "annotations": {
- "type": "object"
- },
- "port": {
- "type": "integer"
- },
- "type": {
- "type": "string"
- }
- }
- },
- "serviceAccount": {
- "type": "object",
- "properties": {
- "annotations": {
- "type": "object"
- },
- "create": {
- "type": "boolean"
- },
- "name": {
- "type": "string"
- }
- }
- },
- "volumeMounts": {
- "type": "array"
- },
- "volumes": {
- "type": "array"
- },
- "webhookNames": {
- "type": "object",
- "properties": {
- "defaulting": {
- "type": "string"
- },
- "validating": {
- "type": "string"
- }
- }
- }
- }
- }
- }
-}
diff --git a/charts/policy-controller/values.yaml b/charts/policy-controller/values.yaml
deleted file mode 100644
index 988b450..0000000
--- a/charts/policy-controller/values.yaml
+++ /dev/null
@@ -1,96 +0,0 @@
-cosign:
- # add the values in base64 encoded
- cosignPub: ""
- webhookName: "policy.sigstore.dev"
-
-installCRDs: true
-
-imagePullSecrets: []
-
-loglevel: info
-
-webhook:
- customLabels: {}
- configData: {}
- replicaCount: 1
- name: webhook
- image:
- repository: ghcr.io/github/policy-controller-webhook
- # crane digest ghcr.io/github/policy-controller-webhook:v0.12.0-github12
- version: sha256:ab78d1c03f5f1fac5462015fbc32b024d19ce0e2aad6a0fd87400a1d443972ef
- pullPolicy: IfNotPresent
- env: {}
- extraArgs: {}
- resources:
- limits:
- cpu: 200m
- memory: 512Mi
- requests:
- cpu: 100m
- memory: 128Mi
- securityContext:
- enabled: false
- runAsUser: 65532
- failurePolicy: Fail
- podSecurityContext:
- enabled: true
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- runAsUser: 1000
- capabilities:
- drop:
- - ALL
- podDisruptionBudget:
- enabled: true
- minAvailable: 1
- # maxUnavailable: 3
- serviceAccount:
- annotations: {}
- create: true
- name: ""
- service:
- annotations: {}
- type: ClusterIP
- port: 443
- # For nodeport, specify the following:
- # type: NodePort
- # nodePort:
- volumeMounts: []
- volumes: []
- namespaceSelector:
- matchExpressions:
- - key: policy.sigstore.dev/include
- operator: In
- values: ["true"]
- registryCaBundle: {}
- webhookNames:
- defaulting: "defaulting.clusterimagepolicy.sigstore.dev"
- validating: "validating.clusterimagepolicy.sigstore.dev"
-
-leasescleanup:
- image:
- repository: cgr.dev/chainguard/kubectl
- # crane digest cgr.dev/chainguard/kubectl:latest
- version: sha256:12a6dcc2bbacbf6114ea9ea54127b9487f469fac1b5ff0b8b19643eeffe45269
- pullPolicy: IfNotPresent
-
-## common node selector for all the pods
-commonNodeSelector: {}
-# key1: value1
-# key2: value2
-
-## common tolerations for all the pods
-commonTolerations: []
-# - key: "key"
-# operator: "Equal"
-# value: "value"
-# effect: "NoSchedule"
-
-## This will set some annotations in config maps and secrets. Use case: Disable versioning to deploy helm chart using spinnaker
-commonAnnotations: {}
-# strategy.spinnaker.io/versioned: "false"
-# key2: value2
-
-## serviceMonitor makes policy controller metrics discoverable to prometheus
-serviceMonitor:
- enabled: false
diff --git a/charts/trust-policies/Chart.yaml b/charts/trust-policies/Chart.yaml
index 60ee671..db4d067 100644
--- a/charts/trust-policies/Chart.yaml
+++ b/charts/trust-policies/Chart.yaml
@@ -8,8 +8,8 @@ sources:
 type: application
 name: trust-policies
-version: "v0.6.2"
-appVersion: "v0.6.2"
+version: "v0.7.0"
+appVersion: "v0.7.0"
 maintainers:
 - name: codysoyland
diff --git a/charts/trust-policies/templates/clusterimagepolicy-github.yaml b/charts/trust-policies/templates/clusterimagepolicy-github.yaml
index 8d176a1..e138c18 100644
--- a/charts/trust-policies/templates/clusterimagepolicy-github.yaml
+++ b/charts/trust-policies/templates/clusterimagepolicy-github.yaml
@@ -10,6 +10,7 @@ spec:
 - name: github
 keyless:
 trustRootRef: github
+ insecureIgnoreSCT: true
 url: https://fulcio.githubapp.com
 identities:
 - issuer: https://token.actions.githubusercontent.com
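Review bot: `insecureIgnoreSCT: true` is added to the `github` keyless authority with no comment saying why the Signed Certificate Timestamp check is being switched off, and it is hard-coded rather than read from values, so an operator cannot keep SCT verification on. Presumably this is because the authority points at GitHub's own Fulcio (`https://fulcio.githubapp.com`, trusted via `trustRootRef: github`) rather than the public Sigstore instance, whose certificates may not carry an SCT, but that reasoning belongs next to the flag: add above it `# SCT verification is skipped for GitHub's Fulcio; certificate trust rests on the github TrustRoot and the identity constraints below — confirm fulcio.githubapp.com does not embed SCTs`. Exposing the flag through a values key (defaulting to `true`) would let clusters that want CT-log binding opt back in without forking the chart. The enclosing `ClusterImagePolicy` template starts before this hunk.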