
Adds initial Attestor implementation. #998

Open
wants to merge 1 commit into
base: main
Conversation

@wlynch (Member) commented Nov 23, 2023

Changes

This is the initial implementation of Attestors, which uses generics to link chains components together with strict typing.

To start, this adds Attestor implementations of OCI signing and v1 SLSA attestations. These Attestors are NOT wired up to the controller yet, since they don't yet support the full range of config options (and there are likely a few tweaks we need to make in order to help reuse components like signers between Attestors).

attestors.go is the file to pay most attention to in this PR.

Part of #780

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

  • Has Docs included if any changes are user facing
  • Has Tests included if any functionality added or changed
  • Follows the commit message standard
  • Meets the Tekton contributor standards (including functionality, content, code)
  • Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings)
  • Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

NONE

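The generics-based linking the description refers to, sketched as an added Go example. This is not the PR's code or Tekton Chains' code: the Payloader, Signer, Storer and Attestor interfaces, the ImageRef, SimpleSigning, Ed25519Signer and MemoryStorer types, and the "example/simple-signing" payload type are all constructed for illustration, with an in-memory map standing in for a registry and a freshly generated ed25519 key standing in for a configured signer.

```go
package main

import (
	"context"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// The three stages of the chain. In is the object being attested, Out the payload type.
type Payloader[In, Out any] interface {
	CreatePayload(ctx context.Context, obj In) (Out, error)
}
type Signer interface {
	Sign(ctx context.Context, raw []byte) ([]byte, error)
}
type Storer[In, Out any] interface {
	Store(ctx context.Context, obj In, payload Out, raw, sig []byte) error
}

// Attestor ties the stages together. In and Out are fixed at instantiation, so a Payloader
// emitting one payload type cannot be wired to a Storer expecting another: the compiler rejects it.
type Attestor[In, Out any] struct {
	payloader Payloader[In, Out]
	signer    Signer
	storer    Storer[In, Out]
}

// Attest runs the stages in order and stops at the first failure, so nothing half-finished is stored.
func (a *Attestor[In, Out]) Attest(ctx context.Context, obj In) (Out, error) {
	var zero Out
	payload, err := a.payloader.CreatePayload(ctx, obj)
	if err != nil {
		return zero, fmt.Errorf("create payload: %w", err)
	}
	raw, err := json.Marshal(payload)
	if err != nil {
		return zero, fmt.Errorf("marshal payload: %w", err)
	}
	sig, err := a.signer.Sign(ctx, raw)
	if err != nil {
		return zero, fmt.Errorf("sign payload: %w", err)
	}
	if err := a.storer.Store(ctx, obj, payload, raw, sig); err != nil {
		return zero, fmt.Errorf("store attestation: %w", err)
	}
	return payload, nil
}

// Hypothetical concrete stages for an OCI image (constructed here, not Tekton Chains' code).
// ImageRef stands in for an image reference; SimpleSigning is the payload that names it.
type ImageRef struct{ Repo, Digest string }
type SimpleSigning struct{ Image, Type string }

// SimpleSigningPayloader rejects digest-less inputs: a tag is mutable, not a stable identity.
type SimpleSigningPayloader struct{}
func (SimpleSigningPayloader) CreatePayload(_ context.Context, img ImageRef) (SimpleSigning, error) {
	if img.Digest == "" {
		return SimpleSigning{}, fmt.Errorf("image %q has no digest", img.Repo)
	}
	return SimpleSigning{Image: img.Repo + "@" + img.Digest, Type: "example/simple-signing"}, nil
}

// Ed25519Signer holds an in-memory key; a deployment would use a KMS or keyless signer.
type Ed25519Signer struct{ Priv ed25519.PrivateKey }
func (s Ed25519Signer) Sign(_ context.Context, raw []byte) ([]byte, error) {
	return ed25519.Sign(s.Priv, raw), nil
}

// MemoryStorer stands in for a registry, keeping the signature per image digest. It accepts
// ImageRef inputs only, so it satisfies Storer[ImageRef, Out] and nothing else.
type MemoryStorer[Out any] struct{ Sigs map[string][]byte }
func (m *MemoryStorer[Out]) Store(_ context.Context, img ImageRef, _ Out, _, sig []byte) error {
	if m.Sigs == nil {
		m.Sigs = map[string][]byte{}
	}
	m.Sigs[img.Digest] = sig
	return nil
}

// RunExample wires Attestor[ImageRef, SimpleSigning], attests one constructed image and checks the
// stored signature against a fresh serialization of the returned payload (image string, verified, error).
func RunExample() (string, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", false, err
	}
	store := &MemoryStorer[SimpleSigning]{}
	att := &Attestor[ImageRef, SimpleSigning]{payloader: SimpleSigningPayloader{}, signer: Ed25519Signer{Priv: priv}, storer: store}
	img := ImageRef{Repo: "example.test/app", Digest: "sha256:0123456789abcdef"} // constructed reference
	payload, err := att.Attest(context.Background(), img)
	if err != nil {
		return "", false, err
	}
	raw, _ := json.Marshal(payload) // same bytes the signer saw
	return payload.Image, ed25519.Verify(pub, raw, store.Sigs[img.Digest]), nil
}

func main() { fmt.Println(RunExample()) }
```

Handing Attestor[ImageRef, SimpleSigning] a storer typed for some other payload is a compile error, which is the strict-typing property the description is after; the checks that remain at runtime are the ones each stage enforces itself, such as refusing a reference that carries only a tag.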
@tekton-robot tekton-robot added the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label Nov 23, 2023
@tekton-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please ask for approval from wlynch after the PR has been reviewed.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot

The following is the coverage report on the affected files.
Say /test pull-tekton-chains-go-coverage to re-run this coverage report

| File | Old Coverage | New Coverage | Delta |
|---|---|---|---|
| pkg/artifacts/signable.go | 70.2% | 69.5% | -0.7 |
| pkg/chains/formats/simple/simple.go | 72.7% | 61.5% | -11.2 |
| pkg/chains/formats/slsa/extract/extract.go | 61.5% | 60.6% | -0.9 |
| pkg/chains/formats/slsa/v1/intotoite6.go | 88.9% | 62.1% | -26.8 |
| pkg/chains/internal/attestors/attestors.go | Do not exist | 20.0% | |
| pkg/chains/signing.go | 73.7% | 71.6% | -2.2 |
| pkg/chains/signing/x509/x509.go | 44.0% | 44.1% | 0.1 |
| pkg/chains/storage/oci/attestation.go | 80.0% | 41.7% | -38.3 |
| pkg/chains/storage/oci/legacy.go | 40.0% | 37.3% | -2.7 |
| pkg/chains/storage/oci/simple.go | 81.5% | 86.2% | 4.7 |
| pkg/chains/storage/tekton/tekton.go | 78.6% | 71.0% | -7.6 |

@tekton-robot

@wlynch: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| pull-tekton-chains-build-tests | bac7923 | link | true | /test pull-tekton-chains-build-tests |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@lcarva (Contributor) left a comment


Overall, it makes sense to me. Need to have a more thorough look.

_ formats.Formatter[name.Digest, SimpleContainerImage] = &SimpleSigningPayloader{}
)

type SimpleSigningPayloader SimpleSigning
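Review bot: the compile-time assertion `_ formats.Formatter[name.Digest, SimpleContainerImage] = &SimpleSigningPayloader{}` pins this type to the Formatter interface while its name says Payloader, so a reader has to find the assertion to learn which role it plays. Name it after the interface it satisfies and give the exported type a doc comment stating that it produces the simple-signing payload for a name.Digest, which is what the two type parameters already promise.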
Contributor

Nit, but this should probably be called something like SimpleSigningFormatter.

}

type InTotoIte6 struct {
slsaConfig *slsaconfig.SlsaConfig
}

func NewFormatter(cfg config.Config) (formats.Payloader, error) {
func NewPayloader(cfg config.Config) (formats.Payloader, error) {
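Review bot: NewFormatter and NewPayloader carry the identical signature `(cfg config.Config) (formats.Payloader, error)`, so nothing tells a caller which one is current. If NewFormatter stays for compatibility, give it a `// Deprecated: use NewPayloader.` doc comment so staticcheck and editors flag remaining callers; if it is being removed, that is an exported-API change and belongs in the release notes rather than NONE.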
Contributor

Should this be marked as deprecated (also NewPayloaderFromConfig)?

Contributor

Actually... I don't think I fully understand Payloader vs Formatter 🤔

}

var opts []oci.Option
if repo := cfg.Storage.OCI.Repository; repo != "" {
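Review bot: `cfg.Storage.OCI.Repository` is consumed as-is once it is non-empty. Parse it first (go-containerregistry's name.NewRepository, since name.Digest is already in use in this package) before turning it into an oci.Option, so a mistyped override fails at construction instead of at the first push, and derive the option for `cfg.Storage.OCI.Insecure` in this same block so repository and transport settings are built in one place and cannot diverge between the payload path and the store path.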
Contributor

Let's pay special attention here. We recently had to fix a bug in our handling of this config value.

We should also make sure cfg.Storage.OCI.Insecure is handled properly.

return &Attestor[objects.TektonObject, *v1.ProvenanceStatement]{
payloader: v1.NewPayloaderFromConfig(cfg),
signer: wrapped,
// TODO: add support for other storage options.
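Review bot: with the `// TODO: add support for other storage options.` left in, this constructor installs one storer regardless of what cfg selects, so a config naming an unsupported backend would have its attestations signed and then written somewhere the operator did not choose. Until the other backends are wired in, return an error from the constructor when cfg requests a storage option this Attestor cannot honour, and pull storer selection into its own config-keyed function so this literal stays readable as options are added.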
Contributor

Yeah, I'd be curious to see what this function would look like once we have support for all. It could end up quite large. Or maybe, storer is determined by another function that takes into account the current configuration, and returns the right thing.


func (s *AttestationStorer[T]) storeImage(ctx context.Context, img name.Digest, att oci.Signature) error {
logger := logging.FromContext(ctx)
repo := img.Repository
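Review bot: `repo := img.Repository` makes the push target depend solely on the digest reference, so neither the configured `cfg.Storage.OCI.Repository` override nor `cfg.Storage.OCI.Insecure` can influence where or how the attestation is written from this point. Keep the `[]oci.Option` built in the constructor on AttestationStorer[T] and apply it in storeImage, and have the logger obtained from the context record the resolved repository so a push to an unexpected location is visible in the controller logs.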
Contributor

We need to handle cfg.Storage.OCI.Insecure here somehow.

@tekton-robot tekton-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 17, 2024
@tekton-robot

@wlynch: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
