vishal-chdhry
Member

Explanation

Implements a method to fetch attestations; it returns the digest and statements of the image.

Related issue

Part of #6142

Milestone of this PR

What type of PR is this

Proposed Changes

Proof Manifests

Checklist

  • I have read the contributing guidelines.
  • I have read the PR documentation guide and followed the process including adding proof manifests to this PR.
  • This is a bug fix and I have added unit tests that prove my fix is effective.
  • This is a feature and I have added CLI tests that are applicable.
  • My PR needs to be cherry picked to a specific release branch which is .
  • My PR contains new or altered behavior to Kyverno and
    • CLI support should be added and my PR doesn't contain that functionality.
    • I have added or changed the documentation myself in an existing PR and the link is:
    • I have raised an issue in kyverno/website to track the documentation update and the link is:

Further Comments

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
@vishal-chdhry
Member Author

/assign @JimBugwadia

@codecov

codecov bot commented Apr 5, 2023

Codecov Report

Merging #6800 (9357e4c) into main (d9359b7) will decrease coverage by 0.58%.
The diff coverage is 6.74%.

@@            Coverage Diff             @@
##             main    #6800      +/-   ##
==========================================
- Coverage   33.56%   32.99%   -0.58%     
==========================================
  Files         227      231       +4     
  Lines       22226    22711     +485     
==========================================
+ Hits         7461     7493      +32     
- Misses      14039    14477     +438     
- Partials      726      741      +15     
Impacted Files Coverage Δ
api/kyverno/v1/image_verification_types.go 60.84% <0.00%> (-3.49%) ⬇️
api/kyverno/v2beta1/image_verification_types.go 58.62% <0.00%> (-26.38%) ⬇️
pkg/engine/api/context.go 0.00% <0.00%> (ø)
pkg/engine/handlers/mutation/mutate_image.go 0.00% <0.00%> (ø)
pkg/notary/registry.go 0.00% <0.00%> (ø)
pkg/notary/repository.go 0.00% <0.00%> (ø)
pkg/notary/truststore.go 0.00% <ø> (ø)
pkg/cosign/cosign.go 28.50% <9.09%> (-0.15%) ⬇️
pkg/notary/notary.go 10.00% <10.00%> (ø)
pkg/validation/policy/validate.go 53.42% <50.00%> (-0.04%) ⬇️


Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
@vishal-chdhry vishal-chdhry changed the title WIP: Added fetchAttestations method to notaryV2 implimentation Added fetchAttestations method to notaryV2 implimentation Apr 7, 2023
vishal-chdhry and others added 7 commits April 7, 2023 21:09
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
@vishal-chdhry vishal-chdhry marked this pull request as ready for review April 9, 2023 12:46
@chipzoller chipzoller added this to the Kyverno Release 1.11.0 milestone Apr 10, 2023
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
@JimBugwadia JimBugwadia requested a review from chipzoller as a code owner April 10, 2023 16:09
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
eddycharly and others added 3 commits May 24, 2023 20:26
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
…verno#7274)

Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](go-git/go-git@v5.6.1...v5.7.0)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
@realshuting
Member

I see two kuttl failures for the notary tests, can you fix them @vishal-chdhry ?

@vishal-chdhry
Member Author

vishal-chdhry commented May 25, 2023

@realshuting I have updated the image being used to ghcr.io/kyverno/test-verify-image:signed
There have to be attestations attached to it (preferably an SBOM) for the attestation test case to pass. cc @JimBugwadia
Thanks Jim!

oras discover ghcr.io/kyverno/test-verify-image:signed -o tree
ghcr.io/kyverno/test-verify-image:signed
└── application/vnd.cncf.notary.signature
    └── sha256:7f870420d92765b42cec0f71ee8e25bf39b692f64d95d6f6607e9e6e54300265

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
realshuting previously approved these changes May 25, 2023
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
vishal-chdhry and others added 5 commits May 25, 2023 22:47
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
realshuting previously approved these changes May 31, 2023
Member

@realshuting realshuting left a comment

Needs review from @JimBugwadia .

JimBugwadia previously approved these changes May 31, 2023
Member

@JimBugwadia JimBugwadia left a comment

Thanks @vishal-chdhry!

@@ -360,6 +360,7 @@ func decodeStatement(sig oci.Signature) (map[string]interface{}, string, error)
if err != nil {
return nil, "", fmt.Errorf("failed to decode statement %s: %w", string(pld), err)
}
decodedStatement["type"] = decodedStatement["predicateType"]
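Review bot: The assignment `decodedStatement["type"] = decodedStatement["predicateType"]` on the last line of the hunk runs without checking that `predicateType` is present, so a statement that lacks the field ends up with a nil `type`, and any `type` key already in the decoded payload is silently overwritten. Consider guarding it with `if pt, ok := decodedStatement["predicateType"]; ok { decodedStatement["type"] = pt }` and adding a one-line comment saying why the alias is needed. Separately, the `fmt.Errorf` line above it embeds the whole payload through `string(pld)`; truncating it would keep error messages and logs bounded.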
Member

Yes, please check the unit and conformance tests.

@JimBugwadia JimBugwadia enabled auto-merge (squash) May 31, 2023 20:44
@realshuting
Member

@vishal-chdhry - can you please resolve conflicts?

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
auto-merge was automatically disabled June 1, 2023 07:26

Head branch was pushed to by a user without write access

@vishal-chdhry vishal-chdhry dismissed stale reviews from realshuting and JimBugwadia via 62a0133 June 1, 2023 07:26
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
@realshuting realshuting merged commit 80d139b into kyverno:main Jun 1, 2023
@realshuting
Member

Nice work @vishal-chdhry !
