sigstore / k8s-manifest-sigstore

kubectl plugin for signing Kubernetes manifest YAML files with sigstore
Apache License 2.0

support directly attached signature and related things into k8s annotations #23

Closed hirokuni-kitahara closed 3 years ago

hirokuni-kitahara commented 3 years ago

Signed-off-by: Hirokuni-Kitahara1 hirokuni.kitahara1@ibm.com

This PR aims to support a directly attached signature and some other values like the certificate / Rekor entry bundle, and these values are used for verification later. (It uses cosign sign-blob and cosign verify-blob internally.)

Generated signatures will be attached to the annotations of a YAML manifest as shown below.

Example:

apiVersion: v1
kind: ConfigMap
metadata:
  annotations:
    cosign.sigstore.dev/bundle: H4sIA ... JAAA=
    cosign.sigstore.dev/certificate: H4sIA ... AAA==
    cosign.sigstore.dev/message: H4sIA ... ZAQAA
    cosign.sigstore.dev/signature: MEQCI ... rsg==
  name: sample-cm
data:
  key1: val1
  key2: val2
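
To inspect annotation values like the ones in the example above, the following added example (not code from this PR or the project) decodes a value defensively. It assumes that the values beginning with `H4sIA` are gzip-compressed and then base64-encoded, inferred from that prefix being the base64 form of the gzip header bytes; the 1 MiB cap and the helper names `decodeAnnotation` and `gzipB64` are hypothetical.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/base64"
	"fmt"
	"io"
)

const maxDecoded = 1 << 20 // cap on decompressed size; annotation values are untrusted

// decodeAnnotation base64-decodes v and, if the result starts with the gzip
// magic bytes 1f 8b, decompresses it under maxDecoded. The bool reports gzip.
func decodeAnnotation(v string) ([]byte, bool, error) {
	raw, err := base64.StdEncoding.DecodeString(v)
	if err != nil {
		return nil, false, fmt.Errorf("base64: %w", err)
	}
	if len(raw) < 2 || raw[0] != 0x1f || raw[1] != 0x8b {
		return raw, false, nil // not gzip, e.g. a raw DER signature
	}
	zr, err := gzip.NewReader(bytes.NewReader(raw))
	if err != nil {
		return nil, true, fmt.Errorf("gzip header: %w", err)
	}
	// Read one byte past the cap so an oversized payload is detected, not truncated.
	out, err := io.ReadAll(io.LimitReader(zr, maxDecoded+1))
	if err != nil {
		return nil, true, fmt.Errorf("gzip body: %w", err)
	}
	if len(out) > maxDecoded {
		return nil, true, fmt.Errorf("decompressed value exceeds %d bytes", maxDecoded)
	}
	return out, true, nil
}

// gzipB64 builds a constructed sample value in the assumed encoding.
func gzipB64(b []byte) string {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(b)
	zw.Close()
	return base64.StdEncoding.EncodeToString(buf.Bytes())
}

func main() {
	// Constructed sample, not real signing output.
	out, gz, err := decodeAnnotation(gzipB64([]byte("kind: ConfigMap\n")))
	fmt.Printf("message: gzip=%v payload=%q err=%v\n", gz, out, err)
}
```

Decoding only exposes the payload for review; whether the signature is valid is still decided by the verification step the PR describes.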