kubewarden / policy-server

Webhook server that evaluates WebAssembly policies to validate Kubernetes requests
https://kubewarden.io
Apache License 2.0

Feature Request: Add keyless verification by supporting verification-config.yml v1 #210

Closed viccuad closed 2 years ago

viccuad commented 2 years ago

Is your feature request related to a problem?

No response

Solution you'd like

Consume latest changes of policy-fetcher on Config::LatestVerificationConfig (verification-config.yml) and verify::verify(). This enables support for keyless verification.

policy-server already has a flag --verification-path, and doesn't need flags -k, -a as in kwctl, which means that we don't need to translate those flags into an interim LatestVerificationConfig.

See the analogous work for kwctl here: https://github.com/kubewarden/kwctl/pull/169

Alternatives you've considered

No response

Anything else?

No response
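As an added illustration (not part of this issue and not a file from the project), this is a verification-config.yml in the v1 layout that policy-fetcher consumes, combining one public-key signer with keyless Sigstore signers; the owner, repo, key, issuer and subject values are placeholders.

```yaml
# Added example of a v1 verification config (illustrative placeholders only).
apiVersion: v1

# Every signature listed under allOf must be present on the policy.
allOf:
  - kind: githubAction        # keyless: signed from a GitHub Actions workflow
    owner: example-org        # placeholder GitHub organisation
    repo: example-policy      # placeholder repository (optional)

# At least minimumMatches of the signatures under anyOf must be present.
anyOf:
  minimumMatches: 1
  signatures:
    - kind: pubKey            # classic key-based verification
      owner: release-bot      # placeholder signer name (optional)
      key: |
        -----BEGIN PUBLIC KEY-----
        <placeholder: release public key, PEM encoded>
        -----END PUBLIC KEY-----
      annotations:            # optional, must match the signature annotations
        env: prod
    - kind: genericIssuer     # keyless: OIDC identity recorded in the Fulcio cert
      issuer: https://token.actions.githubusercontent.com
      subject:
        urlPrefix: https://github.com/example-org   # a trailing "/" is implied
    - kind: genericIssuer     # keyless: a single human identity
      issuer: https://github.com/login/oauth
      subject:
        equal: maintainer@example.com               # placeholder e-mail
```

Keyless entries only verify if the verifier trusts the Fulcio root that issued the signing certificate, which is why the comment below still passes --fulcio-cert-path explicitly.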

viccuad commented 2 years ago

Reminder: right now, to verify our production images, one needs to pass an updated fulcio cert:

cosign initialize
kwctl verify --verification-config-path ./verification-config.yml --fulcio-cert-path ~/.sigstore/root/targets/fulcio_v1.crt.pem registry://ghcr.io/kubewarden/policies/pod-privileged:v0.1.10

This would not be needed once we are consuming sigstore/sigstore-rs/pull/43.

viccuad commented 2 years ago

Closed by https://github.com/kubewarden/policy-server/pull/215.