fluxcd / source-controller

The GitOps Toolkit source management component
https://fluxcd.io
Apache License 2.0

Improve cosign configuration options #1103

Open hiddeco opened 1 year ago

hiddeco commented 1 year ago

For future improvements these are the things I think we should address:

  • appending signature to transparency log is the default in v2 (where it was only done for keyless in v1) and we can opt out. We should provide that option.
  • verify image using keyless verification with the given certificate chain and identity parameters, without Fulcio roots (for BYO PKI): cosign verify --cert-chain chain.crt --certificate-oidc-issuer https://issuer.example.com --certificate-identity foo@example.com <IMAGE>
  • k8s-keychain, whether to use the kubernetes keychain instead of the default keychain (supports workload identity).
  • rekor-url, for private rekor instances
  • signature-digest-algorithm, the default is sha-256

There is also the topic of SBOM attachment, but there is a different discussion for that.

Originally posted by @souleb in https://github.com/fluxcd/source-controller/issues/1096#issuecomment-1556769007
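The second bullet above bundles two separate controls: trusting a caller-supplied certificate chain instead of the Fulcio roots, and pinning the OIDC issuer and identity the leaf certificate must carry. The following is an added illustration, not code from source-controller or from cosign, of why a verifier needs both: chain validation alone accepts every identity the issuer is willing to certify, and only the issuer/identity match narrows that to the expected signer. It assumes the Fulcio v1 issuer extension (OID 1.3.6.1.4.1.57264.1.1, raw UTF-8 value) and builds its own constructed root and leaf as a fixture; the issuer and identity values are the ones quoted in the bullet.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// Fulcio records the OIDC issuer of the token that was exchanged for a signing
// certificate in this extension (v1 form: the raw UTF-8 issuer URL as value).
var fulcioIssuerOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

// IdentityPolicy mirrors the --certificate-oidc-issuer / --certificate-identity
// pair: the issuer must match exactly, a SAN identity must match the regexp.
type IdentityPolicy struct {
	Issuer  string
	Subject *regexp.Regexp
}

// identities lists the SAN values a keyless certificate binds to the signer.
func identities(c *x509.Certificate) []string {
	ids := append([]string{}, c.EmailAddresses...)
	for _, u := range c.URIs {
		ids = append(ids, u.String())
	}
	return ids
}

// VerifySigningCert chains the leaf to the caller-supplied roots only (BYO PKI,
// no Fulcio roots), then enforces the issuer/identity policy. Chain validity
// on its own is not enough: every identity the issuer admits would pass it.
func VerifySigningCert(leaf *x509.Certificate, roots *x509.CertPool, pol IdentityPolicy, now time.Time) error {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain verification failed: %w", err)
	}
	issuer := ""
	for _, ext := range leaf.Extensions {
		if ext.Id.Equal(fulcioIssuerOID) {
			issuer = string(ext.Value)
		}
	}
	if issuer == "" {
		return errors.New("certificate carries no OIDC issuer extension")
	}
	if issuer != pol.Issuer {
		return fmt.Errorf("OIDC issuer %q does not match required %q", issuer, pol.Issuer)
	}
	for _, id := range identities(leaf) {
		if pol.Subject.MatchString(id) {
			return nil
		}
	}
	return fmt.Errorf("no SAN identity in %v matches %s", identities(leaf), pol.Subject)
}

// newCert signs tmpl with the parent's key and parses the resulting DER.
func newCert(tmpl, parent *x509.Certificate, pub crypto.PublicKey, priv crypto.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// makeCerts builds a constructed private root plus a leaf shaped like a Fulcio
// keyless certificate (email SAN and issuer extension). Test fixture only.
func makeCerts(issuer, email string) (*x509.Certificate, *x509.CertPool, error) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root, err := newCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		NotBefore:    now.Add(-time.Minute), NotAfter: now.Add(10 * time.Minute), // Fulcio leaves are short-lived
		EmailAddresses:  []string{email},
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		ExtraExtensions: []pkix.Extension{{Id: fulcioIssuerOID, Value: []byte(issuer)}},
	}, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return leaf, pool, nil
}

func main() {
	leaf, roots, err := makeCerts("https://issuer.example.com", "foo@example.com")
	if err != nil {
		panic(err)
	}
	pol := IdentityPolicy{Issuer: "https://issuer.example.com", Subject: regexp.MustCompile(`^foo@example\.com$`)}
	fmt.Println("expected signer:", VerifySigningCert(leaf, roots, pol, time.Now()))
	pol.Subject = regexp.MustCompile(`^bar@example\.com$`)
	fmt.Println("other signer:   ", VerifySigningCert(leaf, roots, pol, time.Now()))
}
```

The same leaf passes chain validation in both calls of `main`; only the identity check separates the expected signer from any other account the same issuer would certify, which is the gap a cert-chain-only option would leave open. Production verifiers should additionally pin the Rekor entry or a trusted timestamp for the short-lived leaf, which this fixture skips.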

timaebi commented 10 months ago

Adding options to the CRD to verify the oidc issuer and the certificate identity would be very helpful.

stefanprodan commented 10 months ago

@timaebi see https://github.com/fluxcd/source-controller/pull/1250