Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cleanup container signing POC #107

Merged
merged 1 commit into from
Nov 7, 2024
Merged

cleanup container signing POC #107

merged 1 commit into from
Nov 7, 2024

Conversation

tuminoid
Copy link
Member

@tuminoid tuminoid commented Nov 6, 2024

Update documentation, and make e2e work simpler to follow.

For cosign, add sub-ca in to the mix, and make the verification work with root CA only.

@tuminoid
Copy link
Member Author

tuminoid commented Nov 6, 2024

/cc @lentzi90 @tsaarni @kashifest

@metal3-io-bot
Copy link
Member

@tuminoid: GitHub didn't allow me to request PR reviews from the following users: tsaarni.

Note that only Nordix members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

/cc @lentzi90 @tsaarni @kashifest

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@tuminoid tuminoid force-pushed the tuomo/update-signing-poc branch 3 times, most recently from e4c06e2 to 25227ed Compare November 6, 2024 13:18
@tuminoid
Copy link
Member Author

tuminoid commented Nov 6, 2024

Added flowchart to cosign README.

@tuminoid tuminoid force-pushed the tuomo/update-signing-poc branch from 25227ed to a3f6c15 Compare November 6, 2024 14:04
@tuminoid
Copy link
Member Author

tuminoid commented Nov 6, 2024

Removed Fulcio ASN1 from signing cert, not needed.

tsaarni
tsaarni reviewed Nov 6, 2024
View reviewed changes
security/container-signing-poc/cosign/gencrt.sh
EOL

# Generate Sub CA
openssl genrsa -out "${OUTPUT_DIR}"/sub-ca.key 4096
Copy link

@tsaarni tsaarni Nov 6, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Question: It does not really matter but I noticed that root and leaf are using ECC but sub-CA is RSA, is this intentional?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I wanted to have a mix there to see it does not fail. I will probably change of the of prime384 to some other key format for the same, though it is quite clear that key format do not matter here at all.

tsaarni
tsaarni approved these changes Nov 6, 2024
View reviewed changes
Copy link

@tsaarni tsaarni left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added a minor question inline, but Looks Good To Me! 👍

lentzi90
lentzi90 previously approved these changes Nov 7, 2024
View reviewed changes
Copy link
Member

@lentzi90 lentzi90 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking great!
Commenting for completeness what we discussed on chat: remember to put --name=kyverno also on kind get nodes.
/approve

security/container-signing-poc/kyverno/notation.mk Show resolved Hide resolved
kashifest
kashifest reviewed Nov 7, 2024
View reviewed changes
Copy link
Contributor

@kashifest kashifest left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

security/container-signing-poc/README.md Outdated Show resolved Hide resolved
@metal3-io-bot
Copy link
Member

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kashifest, lentzi90, tsaarni

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tuminoid
cleanup container signing POC
7019032 
Update documentation, and make e2e work simpler to follow.

Signed-off-by: Tuomo Tanskanen <tuomo.tanskanen@est.tech>
@tuminoid tuminoid force-pushed the tuomo/update-signing-poc branch from a3f6c15 to 7019032 Compare November 7, 2024 07:15
@lentzi90
Copy link
Member

lentzi90 commented Nov 7, 2024

We have two approvals. Putting lgtm and hold. Feel free to unhold when ready to merge.
/lgtm
/hold

@tuminoid
Copy link
Member Author

tuminoid commented Nov 7, 2024

I fixed the typo, and the kind cluster name missing.

/unhold

@metal3-io-bot metal3-io-bot merged commit f953eba into main Nov 7, 2024
4 checks passed
@metal3-io-bot metal3-io-bot deleted the tuomo/update-signing-poc branch November 7, 2024 07:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kashifest kashifest kashifest left review comments

@tsaarni tsaarni tsaarni approved these changes

@lentzi90 lentzi90 lentzi90 left review comments

Assignees

@lentzi90 lentzi90

Labels
approved lgtm size/XL
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@tuminoid @metal3-io-bot @lentzi90 @tsaarni @kashifest