k8smanifest

package
v0.5.4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 5, 2024 License: Apache-2.0 Imports: 46 Imported by: 16

Documentation

Index

Constants

View Source 
const (
	ArtifactUnknown          = ""
	ArtifactManifestImage    = "manifestImage"
	ArtifactManifestResource = "manifestResource"
	ArtifactContainerImage   = "containerImage"
)
View Source 
const (
	AttestationDataKeyName = "attestation"
	SBOMDataKeyName        = "sbom"
)
View Source 
const DefaultAnnotationKeyDomain = "cosign.sigstore.dev"
View Source 
const SigRefEmbeddedInAnnotation = "__embedded_in_annotation__"

Variables

This section is empty.

Functions

func GenerateIntotoAttestationCurlCommand 

func GenerateIntotoAttestationCurlCommand(logIndex int) string

func GenerateIntotoAttestationKubectlCommand 

func GenerateIntotoAttestationKubectlCommand(resourceRef string) string

func GenerateSBOMDownloadCommand 

func GenerateSBOMDownloadCommand(resBundleRef string) string

func GenerateSBOMKubectlCommand 

func GenerateSBOMKubectlCommand(resourceRef string) string

func GetConfigMapFromK8sObjectRef 

func GetConfigMapFromK8sObjectRef(objRef string) (*corev1.ConfigMap, error)

func GetConfigResource 

func GetConfigResource(configPath string) (*unstructured.Unstructured, error)

func IsMessageNotFoundError added in v0.4.0 

func IsMessageNotFoundError(err error) bool

func IsSignatureNotFoundError added in v0.4.0 

func IsSignatureNotFoundError(err error) bool

errors.As checks if there is at least one error which matches the target in the error chain this works even if the input error is wraped like `errors.Wrap(SignatureNotFoundError, "wapper error")`.

func IsSignatureVerificationError added in v0.4.0 

func IsSignatureVerificationError(err error) bool

func K8sResourceRef2FileName 

func K8sResourceRef2FileName(resRef string) string

sanitize resrouce ref as a filename e.g.) k8s://ConfigMap/sample-ns/sample-cm --> k8s_ConfigMap_sample-ns_sample-cm.yaml

func Sign 

func Sign(inputDir string, so *SignOption) ([]byte, error)

Types

type AnnotationConfig 

type AnnotationConfig struct {
	// default "cosign.sigstore.dev"
	AnnotationKeyDomain string `json:"annotationKeyDomain,omitempty"`

	ResourceBundleRefBaseName string `json:"resourceBundleRefBaseName,omitempty"`
	SignatureBaseName         string `json:"signatureBaseName,omitempty"`
	CertificateBaseName       string `json:"certificateBaseName,omitempty"`
	MessageBaseName           string `json:"messageBaseName,omitempty"`
	BundleBaseName            string `json:"bundleBaseName,omitempty"`
}

annotation config for signing and verification

func (AnnotationConfig) AnnotationKeyIgnoreField 

func (c AnnotationConfig) AnnotationKeyIgnoreField() ObjectFieldBindingList

func (AnnotationConfig) AnnotationKeyMap 

func (c AnnotationConfig) AnnotationKeyMap(i int) map[string]string

this map determins annotations in the signed manifest

func (AnnotationConfig) AnnotationKeyMask 

func (c AnnotationConfig) AnnotationKeyMask() []string

this list is used as ignorefields for verification

func (AnnotationConfig) BundleAnnotationKey 

func (c AnnotationConfig) BundleAnnotationKey(i int) string

func (AnnotationConfig) CertificateAnnotationKey 

func (c AnnotationConfig) CertificateAnnotationKey(i int) string

func (AnnotationConfig) GetAllSignatureSets added in v0.4.0 

func (c AnnotationConfig) GetAllSignatureSets(annotations map[string]string) []map[string]string

func (AnnotationConfig) MessageAnnotationKey 

func (c AnnotationConfig) MessageAnnotationKey() string

func (AnnotationConfig) ResourceBundleRefAnnotationKey added in v0.4.0 

func (c AnnotationConfig) ResourceBundleRefAnnotationKey() string

func (AnnotationConfig) SignatureAnnotationKey 

func (c AnnotationConfig) SignatureAnnotationKey(i int) string

type ArtifactType 

type ArtifactType string

type BlobManifestFetcher 

type BlobManifestFetcher struct {
	AnnotationConfig AnnotationConfig
	// contains filtered or unexported fields
}

func (*BlobManifestFetcher) Fetch 

func (f *BlobManifestFetcher) Fetch(objYAMLBytes []byte) ([][]byte, string, error)

type BlobSignatureVerifier 

type BlobSignatureVerifier struct {
	CosignVerifyConfig
	// contains filtered or unexported fields
}

func (*BlobSignatureVerifier) Verify 

func (v *BlobSignatureVerifier) Verify() (bool, string, *int64, error)

type BlobSigner 

type BlobSigner struct {
	AnnotationConfig AnnotationConfig

	CosignSignConfig
	// contains filtered or unexported fields
}

func (*BlobSigner) Sign 

func (s *BlobSigner) Sign(inputDir, output string, imageAnnotations map[string]interface{}) ([]byte, error)

type CosignSignConfig added in v0.4.0 

type CosignSignConfig struct {
	RekorURL      string
	NoTlogUpload  bool
	AllowInsecure bool
	Force         bool
}

type CosignVerifyConfig added in v0.4.0 

type CosignVerifyConfig struct {
	CertRef       string
	CertChain     string
	RekorURL      string
	OIDCIssuer    string
	RootCerts     *cryptox509.CertPool
	AllowInsecure bool
}

type DigestSet 

type DigestSet map[string]string

type ImageManifestFetcher 

type ImageManifestFetcher struct {
	AnnotationConfig AnnotationConfig
	// contains filtered or unexported fields
}

ImageManifestFetcher is a fetcher implementation for image reference

func (*ImageManifestFetcher) Fetch 

func (f *ImageManifestFetcher) Fetch(objYAMLBytes []byte) ([][]byte, string, error)

func (*ImageManifestFetcher) FetchAll 

func (f *ImageManifestFetcher) FetchAll() ([][]byte, error)

type ImageProvenanceGetter 

type ImageProvenanceGetter struct {
	// contains filtered or unexported fields
}

func (*ImageProvenanceGetter) Get 

func (g *ImageProvenanceGetter) Get() ([]*Provenance, error)

type ImageSignatureVerifier 

type ImageSignatureVerifier struct {
	CosignVerifyConfig
	// contains filtered or unexported fields
}

func (*ImageSignatureVerifier) Verify 

func (v *ImageSignatureVerifier) Verify() (bool, string, *int64, error)

type ImageSigner 

type ImageSigner struct {
	AnnotationConfig AnnotationConfig

	CosignSignConfig
	// contains filtered or unexported fields
}

func (*ImageSigner) Sign 

func (s *ImageSigner) Sign(inputDir, output string, imageAnnotations map[string]interface{}) ([]byte, error)

type K8sManifestError added in v0.4.0 

type K8sManifestError struct {
	// contains filtered or unexported fields
}

func (*K8sManifestError) Error added in v0.4.0 

func (e *K8sManifestError) Error() string

type ManifestFetcher 

type ManifestFetcher interface {
	Fetch(objYAMLBytes []byte) ([][]byte, string, error)
}

This is an interface for fetching YAML manifest a function Fetch() fetches a YAML manifest which matches the input object's kind, name and so on

func NewManifestFetcher 

func NewManifestFetcher(resBundleRef, resourceRef string, annotationConfig AnnotationConfig, ignoreFields []string, maxResourceManifestNum int, allowInsecure bool) ManifestFetcher

return a manifest fetcher. `resBundleRef` is used for judging if manifest is inside an image or not. `annotationConfig` is used for annotation domain config like "cosign.sigstore.dev". `ignoreFields` and `maxResourceManifestNum` are used inside manifest detection logic.

type MessageNotFoundError added in v0.4.0 

type MessageNotFoundError struct {
	*K8sManifestError
}

func NewMessageNotFoundError added in v0.4.0 

func NewMessageNotFoundError(err error) *MessageNotFoundError

type NotImplementedProvenanceGetter 

type NotImplementedProvenanceGetter struct {
}

func (*NotImplementedProvenanceGetter) Get 

func (g *NotImplementedProvenanceGetter) Get() ([]*Provenance, error)

type ObjectFieldBinding 

type ObjectFieldBinding struct {
	Fields  []string            `json:"fields,omitempty"`
	Objects ObjectReferenceList `json:"objects,omitempty"`
}

func (ObjectFieldBinding) Match 

func (f ObjectFieldBinding) Match(obj unstructured.Unstructured) (bool, []string)

type ObjectFieldBindingList 

type ObjectFieldBindingList []ObjectFieldBinding

func (ObjectFieldBindingList) Match 

func (l ObjectFieldBindingList) Match(obj unstructured.Unstructured) (bool, []string)

type ObjectReference 

type ObjectReference struct {
	Group     string `json:"group,omitempty"`
	Version   string `json:"version,omitempty"`
	Kind      string `json:"kind,omitempty"`
	Name      string `json:"name,omitempty"`
	Namespace string `json:"namespace,omitempty"`
}

func ObjectToReference 

func ObjectToReference(obj unstructured.Unstructured) ObjectReference

func (ObjectReference) Equal 

func (r ObjectReference) Equal(r2 ObjectReference) bool

func (ObjectReference) Match 

func (r ObjectReference) Match(obj unstructured.Unstructured) bool

type ObjectReferenceList 

type ObjectReferenceList []ObjectReference

func GetMatchConditionFromConfigResource 

func GetMatchConditionFromConfigResource(configPath, matchField, inScopeObjectField string) (*gkmatch.Match, *ObjectReferenceList, error)

func (ObjectReferenceList) Match 

func (l ObjectReferenceList) Match(obj unstructured.Unstructured) bool

type ObjectUserBinding 

type ObjectUserBinding struct {
	Users   []string            `json:"users,omitempty"`
	Objects ObjectReferenceList `json:"objects,omitempty"`
}

type Provenance 

type Provenance struct {
	ResourceName *resourceName `json:"resource"`

	RawAttestation string `json:"rawAttestation"`
	RawSBOM        string `json:"rawSBOM"`

	Artifact             string               `json:"artifact"`
	ArtifactType         ArtifactType         `json:"artifactType"`
	Hash                 string               `json:"hash"`
	AttestationLogIndex  *int                 `json:"attestationLogIndex"`
	AttestationMaterials []ProvenanceMaterial `json:"attestationMaterials"`

	SBOMRef string `json:"sbom"`

	ConfigMapRef string `json:"configMapRef"`
}

type ProvenanceGetter 

type ProvenanceGetter interface {
	Get() ([]*Provenance, error)
}

func NewProvenanceGetter 

func NewProvenanceGetter(obj *unstructured.Unstructured, sigRef, imageHash, provResRef string, allowInsecure bool) ProvenanceGetter

type ProvenanceMaterial 

type ProvenanceMaterial struct {
	URI    string    `json:"uri"`
	Digest DigestSet `json:"digest,omitempty"`
}

func ParseAttestation 

func ParseAttestation(attestationStr string) (*intoto.Statement, interface{}, []ProvenanceMaterial, error)

type RecursiveImageProvenanceGetter 

type RecursiveImageProvenanceGetter struct {
	// contains filtered or unexported fields
}

func (*RecursiveImageProvenanceGetter) Get 

func (g *RecursiveImageProvenanceGetter) Get() ([]*Provenance, error)

type ResourceProvenanceGetter 

type ResourceProvenanceGetter struct {
	// contains filtered or unexported fields
}

func (*ResourceProvenanceGetter) Get 

func (g *ResourceProvenanceGetter) Get() ([]*Provenance, error)

type SignOption 

type SignOption struct {

	// these options should be input from CLI arguments
	KeyPath           string                 `json:"-"`
	ResourceBundleRef string                 `json:"-"`
	CertPath          string                 `json:"-"`
	Output            string                 `json:"-"`
	UpdateAnnotation  bool                   `json:"-"`
	ImageAnnotations  map[string]interface{} `json:"-"`
	PassFunc          cosign.PassFunc        `json:"-"`
	ApplySigConfigMap bool                   `json:"-"`
	Tarball           *bool                  `json:"-"`
	AppendSignature   bool                   `json:"-"`
	// contains filtered or unexported fields
}

option for Sign()

type SignatureNotFoundError added in v0.4.0 

type SignatureNotFoundError struct {
	*K8sManifestError
}

func NewSignatureNotFoundError added in v0.4.0 

func NewSignatureNotFoundError(err error) *SignatureNotFoundError

type SignatureVerificationError added in v0.4.0 

type SignatureVerificationError struct {
	*K8sManifestError
}

func NewSignatureVerificationError added in v0.4.0 

func NewSignatureVerificationError(err error) *SignatureVerificationError

type SignatureVerifier 

type SignatureVerifier interface {
	Verify() (bool, string, *int64, error)
}

func NewSignatureVerifier 

func NewSignatureVerifier(objYAMLBytes []byte, sigRef string, pubkeyPath *string, signers []string, cosignVerifyConfig CosignVerifyConfig, annotationConfig AnnotationConfig) SignatureVerifier

type Signer 

type Signer interface {
	Sign(inputDir, output string, imageAnnotations map[string]interface{}) ([]byte, error)
}

func NewSigner 

func NewSigner(resBundleRef, keyPath, certPath, output string, appendSig, doApply, tarball bool, cosignSignConfig CosignSignConfig, AnnotationConfig AnnotationConfig, pf cosign.PassFunc) Signer

type SignerList 

type SignerList []string

func (SignerList) Match 

func (l SignerList) Match(signerName string) bool

type VerifyManifestOption 

type VerifyManifestOption struct {
	// contains filtered or unexported fields
}

option for VerifyManifest()

func LoadVerifyManifestConfig 

func LoadVerifyManifestConfig(fpath string) (*VerifyManifestOption, error)

func (*VerifyManifestOption) SetAnnotationIgnoreFields 

func (o *VerifyManifestOption) SetAnnotationIgnoreFields()

type VerifyResourceOption 

type VerifyResourceOption struct {
	SkipObjects ObjectReferenceList `json:"skipObjects,omitempty"`

	Provenance            bool   `json:"-"`
	DisableDryRun         bool   `json:"-"`
	CheckDryRunForApply   bool   `json:"-"`
	CheckMutatingResource bool   `json:"-"`
	DryRunNamespace       string `json:"-"`
	// contains filtered or unexported fields
}

option for VerifyResource()

func AddDefaultConfig 

func AddDefaultConfig(vo *VerifyResourceOption) *VerifyResourceOption

func LoadDefaultConfig 

func LoadDefaultConfig() *VerifyResourceOption

func LoadVerifyResourceConfig 

func LoadVerifyResourceConfig(fpath string) (*VerifyResourceOption, error)

func LoadVerifyResourceConfigFromResource 

func LoadVerifyResourceConfigFromResource(configPath, configField string) (*VerifyResourceOption, error)

func (*VerifyResourceOption) AddDefaultConfig 

func (vo *VerifyResourceOption) AddDefaultConfig(defaultConfig *VerifyResourceOption) *VerifyResourceOption

func (*VerifyResourceOption) SetAnnotationIgnoreFields 

func (o *VerifyResourceOption) SetAnnotationIgnoreFields()

type VerifyResourceResult 

type VerifyResourceResult struct {
	Verified        bool                   `json:"verified"`
	InScope         bool                   `json:"inScope"`
	Signer          string                 `json:"signer"`
	SignedTime      *time.Time             `json:"signedTime"`
	SigRef          string                 `json:"sigRef"`
	Diff            *mapnode.DiffResult    `json:"diff"`
	ContainerImages []kubeutil.ImageObject `json:"containerImages"`
	Provenances     []*Provenance          `json:"provenances,omitempty"`
}

func VerifyResource 

func VerifyResource(obj unstructured.Unstructured, vo *VerifyResourceOption) (*VerifyResourceResult, error)

func (*VerifyResourceResult) String 

func (r *VerifyResourceResult) String() string

type VerifyResult 

type VerifyResult struct {
	Verified bool                `json:"verified"`
	Signer   string              `json:"signer"`
	Diff     *mapnode.DiffResult `json:"diff"`
}

func VerifyManifest 

func VerifyManifest(objManifest []byte, vo *VerifyManifestOption) (*VerifyResult, error)

func (*VerifyResult) String 

func (r *VerifyResult) String() string

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.