Documentation
¶
Index ¶
- Constants
- func GenerateIntotoAttestationCurlCommand(logIndex int) string
- func GenerateIntotoAttestationKubectlCommand(resourceRef string) string
- func GenerateSBOMDownloadCommand(resBundleRef string) string
- func GenerateSBOMKubectlCommand(resourceRef string) string
- func GetConfigMapFromK8sObjectRef(objRef string) (*corev1.ConfigMap, error)
- func GetConfigResource(configPath string) (*unstructured.Unstructured, error)
- func IsMessageNotFoundError(err error) bool
- func IsSignatureNotFoundError(err error) bool
- func IsSignatureVerificationError(err error) bool
- func K8sResourceRef2FileName(resRef string) string
- func Sign(inputDir string, so *SignOption) ([]byte, error)
- type AnnotationConfig
- func (c AnnotationConfig) AnnotationKeyIgnoreField() ObjectFieldBindingList
- func (c AnnotationConfig) AnnotationKeyMap(i int) map[string]string
- func (c AnnotationConfig) AnnotationKeyMask() []string
- func (c AnnotationConfig) BundleAnnotationKey(i int) string
- func (c AnnotationConfig) CertificateAnnotationKey(i int) string
- func (c AnnotationConfig) GetAllSignatureSets(annotations map[string]string) []map[string]string
- func (c AnnotationConfig) MessageAnnotationKey() string
- func (c AnnotationConfig) ResourceBundleRefAnnotationKey() string
- func (c AnnotationConfig) SignatureAnnotationKey(i int) string
- type ArtifactType
- type BlobManifestFetcher
- type BlobSignatureVerifier
- type BlobSigner
- type CosignSignConfig
- type CosignVerifyConfig
- type DigestSet
- type ImageManifestFetcher
- type ImageProvenanceGetter
- type ImageSignatureVerifier
- type ImageSigner
- type K8sManifestError
- type ManifestFetcher
- type MessageNotFoundError
- type NotImplementedProvenanceGetter
- type ObjectFieldBinding
- type ObjectFieldBindingList
- type ObjectReference
- type ObjectReferenceList
- type ObjectUserBinding
- type Provenance
- type ProvenanceGetter
- type ProvenanceMaterial
- type RecursiveImageProvenanceGetter
- type ResourceProvenanceGetter
- type SignOption
- type SignatureNotFoundError
- type SignatureVerificationError
- type SignatureVerifier
- type Signer
- type SignerList
- type VerifyManifestOption
- type VerifyResourceOption
- type VerifyResourceResult
- type VerifyResult
Constants ¶
View Source
const ( ArtifactUnknown = "" ArtifactManifestImage = "manifestImage" ArtifactManifestResource = "manifestResource" ArtifactContainerImage = "containerImage" )
View Source
const ( AttestationDataKeyName = "attestation" SBOMDataKeyName = "sbom" )
View Source
const DefaultAnnotationKeyDomain = "cosign.sigstore.dev"
View Source
const SigRefEmbeddedInAnnotation = "__embedded_in_annotation__"
Variables ¶
This section is empty.
Functions ¶
func GetConfigResource ¶
func GetConfigResource(configPath string) (*unstructured.Unstructured, error)
func IsMessageNotFoundError ¶ added in v0.4.0
func IsSignatureNotFoundError ¶ added in v0.4.0
errors.As checks if there is at least one error which matches the target in the error chain this works even if the input error is wraped like `errors.Wrap(SignatureNotFoundError, "wapper error")`.
func IsSignatureVerificationError ¶ added in v0.4.0
func K8sResourceRef2FileName ¶
sanitize resrouce ref as a filename e.g.) k8s://ConfigMap/sample-ns/sample-cm --> k8s_ConfigMap_sample-ns_sample-cm.yaml
Types ¶
type AnnotationConfig ¶
type AnnotationConfig struct {
// default "cosign.sigstore.dev"
AnnotationKeyDomain string `json:"annotationKeyDomain,omitempty"`
ResourceBundleRefBaseName string `json:"resourceBundleRefBaseName,omitempty"`
SignatureBaseName string `json:"signatureBaseName,omitempty"`
CertificateBaseName string `json:"certificateBaseName,omitempty"`
MessageBaseName string `json:"messageBaseName,omitempty"`
BundleBaseName string `json:"bundleBaseName,omitempty"`
}
annotation config for signing and verification
func (AnnotationConfig) AnnotationKeyIgnoreField ¶
func (c AnnotationConfig) AnnotationKeyIgnoreField() ObjectFieldBindingList
func (AnnotationConfig) AnnotationKeyMap ¶
func (c AnnotationConfig) AnnotationKeyMap(i int) map[string]string
this map determins annotations in the signed manifest
func (AnnotationConfig) AnnotationKeyMask ¶
func (c AnnotationConfig) AnnotationKeyMask() []string
this list is used as ignorefields for verification
func (AnnotationConfig) BundleAnnotationKey ¶
func (c AnnotationConfig) BundleAnnotationKey(i int) string
func (AnnotationConfig) CertificateAnnotationKey ¶
func (c AnnotationConfig) CertificateAnnotationKey(i int) string
func (AnnotationConfig) GetAllSignatureSets ¶ added in v0.4.0
func (c AnnotationConfig) GetAllSignatureSets(annotations map[string]string) []map[string]string
func (AnnotationConfig) MessageAnnotationKey ¶
func (c AnnotationConfig) MessageAnnotationKey() string
func (AnnotationConfig) ResourceBundleRefAnnotationKey ¶ added in v0.4.0
func (c AnnotationConfig) ResourceBundleRefAnnotationKey() string
func (AnnotationConfig) SignatureAnnotationKey ¶
func (c AnnotationConfig) SignatureAnnotationKey(i int) string
type ArtifactType ¶
type ArtifactType string
type BlobManifestFetcher ¶
type BlobManifestFetcher struct {
AnnotationConfig AnnotationConfig
// contains filtered or unexported fields
}
type BlobSignatureVerifier ¶
type BlobSignatureVerifier struct {
CosignVerifyConfig
// contains filtered or unexported fields
}
type BlobSigner ¶
type BlobSigner struct {
AnnotationConfig AnnotationConfig
CosignSignConfig
// contains filtered or unexported fields
}
type CosignSignConfig ¶ added in v0.4.0
type CosignVerifyConfig ¶ added in v0.4.0
type ImageManifestFetcher ¶
type ImageManifestFetcher struct {
AnnotationConfig AnnotationConfig
// contains filtered or unexported fields
}
ImageManifestFetcher is a fetcher implementation for image reference
func (*ImageManifestFetcher) Fetch ¶
func (f *ImageManifestFetcher) Fetch(objYAMLBytes []byte) ([][]byte, string, error)
func (*ImageManifestFetcher) FetchAll ¶
func (f *ImageManifestFetcher) FetchAll() ([][]byte, error)
type ImageProvenanceGetter ¶
type ImageProvenanceGetter struct {
// contains filtered or unexported fields
}
func (*ImageProvenanceGetter) Get ¶
func (g *ImageProvenanceGetter) Get() ([]*Provenance, error)
type ImageSignatureVerifier ¶
type ImageSignatureVerifier struct {
CosignVerifyConfig
// contains filtered or unexported fields
}
type ImageSigner ¶
type ImageSigner struct {
AnnotationConfig AnnotationConfig
CosignSignConfig
// contains filtered or unexported fields
}
type K8sManifestError ¶ added in v0.4.0
type K8sManifestError struct {
// contains filtered or unexported fields
}
func (*K8sManifestError) Error ¶ added in v0.4.0
func (e *K8sManifestError) Error() string
type ManifestFetcher ¶
This is an interface for fetching YAML manifest a function Fetch() fetches a YAML manifest which matches the input object's kind, name and so on
func NewManifestFetcher ¶
func NewManifestFetcher(resBundleRef, resourceRef string, annotationConfig AnnotationConfig, ignoreFields []string, maxResourceManifestNum int, allowInsecure bool) ManifestFetcher
return a manifest fetcher. `resBundleRef` is used for judging if manifest is inside an image or not. `annotationConfig` is used for annotation domain config like "cosign.sigstore.dev". `ignoreFields` and `maxResourceManifestNum` are used inside manifest detection logic.
type MessageNotFoundError ¶ added in v0.4.0
type MessageNotFoundError struct {
*K8sManifestError
}
func NewMessageNotFoundError ¶ added in v0.4.0
func NewMessageNotFoundError(err error) *MessageNotFoundError
type NotImplementedProvenanceGetter ¶
type NotImplementedProvenanceGetter struct {
}
func (*NotImplementedProvenanceGetter) Get ¶
func (g *NotImplementedProvenanceGetter) Get() ([]*Provenance, error)
type ObjectFieldBinding ¶
type ObjectFieldBinding struct {
Fields []string `json:"fields,omitempty"`
Objects ObjectReferenceList `json:"objects,omitempty"`
}
func (ObjectFieldBinding) Match ¶
func (f ObjectFieldBinding) Match(obj unstructured.Unstructured) (bool, []string)
type ObjectFieldBindingList ¶
type ObjectFieldBindingList []ObjectFieldBinding
func (ObjectFieldBindingList) Match ¶
func (l ObjectFieldBindingList) Match(obj unstructured.Unstructured) (bool, []string)
type ObjectReference ¶
type ObjectReference struct {
Group string `json:"group,omitempty"`
Version string `json:"version,omitempty"`
Kind string `json:"kind,omitempty"`
Name string `json:"name,omitempty"`
Namespace string `json:"namespace,omitempty"`
}
func ObjectToReference ¶
func ObjectToReference(obj unstructured.Unstructured) ObjectReference
func (ObjectReference) Equal ¶
func (r ObjectReference) Equal(r2 ObjectReference) bool
func (ObjectReference) Match ¶
func (r ObjectReference) Match(obj unstructured.Unstructured) bool
type ObjectReferenceList ¶
type ObjectReferenceList []ObjectReference
func GetMatchConditionFromConfigResource ¶
func GetMatchConditionFromConfigResource(configPath, matchField, inScopeObjectField string) (*gkmatch.Match, *ObjectReferenceList, error)
func (ObjectReferenceList) Match ¶
func (l ObjectReferenceList) Match(obj unstructured.Unstructured) bool
type ObjectUserBinding ¶
type ObjectUserBinding struct {
Users []string `json:"users,omitempty"`
Objects ObjectReferenceList `json:"objects,omitempty"`
}
type Provenance ¶
type Provenance struct {
ResourceName *resourceName `json:"resource"`
RawAttestation string `json:"rawAttestation"`
RawSBOM string `json:"rawSBOM"`
Artifact string `json:"artifact"`
ArtifactType ArtifactType `json:"artifactType"`
Hash string `json:"hash"`
AttestationLogIndex *int `json:"attestationLogIndex"`
AttestationMaterials []ProvenanceMaterial `json:"attestationMaterials"`
SBOMRef string `json:"sbom"`
ConfigMapRef string `json:"configMapRef"`
}
type ProvenanceGetter ¶
type ProvenanceGetter interface {
Get() ([]*Provenance, error)
}
func NewProvenanceGetter ¶
func NewProvenanceGetter(obj *unstructured.Unstructured, sigRef, imageHash, provResRef string, allowInsecure bool) ProvenanceGetter
type ProvenanceMaterial ¶
type ProvenanceMaterial struct {
URI string `json:"uri"`
Digest DigestSet `json:"digest,omitempty"`
}
func ParseAttestation ¶
func ParseAttestation(attestationStr string) (*intoto.Statement, interface{}, []ProvenanceMaterial, error)
type RecursiveImageProvenanceGetter ¶
type RecursiveImageProvenanceGetter struct {
// contains filtered or unexported fields
}
func (*RecursiveImageProvenanceGetter) Get ¶
func (g *RecursiveImageProvenanceGetter) Get() ([]*Provenance, error)
type ResourceProvenanceGetter ¶
type ResourceProvenanceGetter struct {
// contains filtered or unexported fields
}
func (*ResourceProvenanceGetter) Get ¶
func (g *ResourceProvenanceGetter) Get() ([]*Provenance, error)
type SignOption ¶
type SignOption struct {
// these options should be input from CLI arguments
KeyPath string `json:"-"`
ResourceBundleRef string `json:"-"`
CertPath string `json:"-"`
Output string `json:"-"`
UpdateAnnotation bool `json:"-"`
ImageAnnotations map[string]interface{} `json:"-"`
PassFunc cosign.PassFunc `json:"-"`
ApplySigConfigMap bool `json:"-"`
Tarball *bool `json:"-"`
AppendSignature bool `json:"-"`
// contains filtered or unexported fields
}
option for Sign()
type SignatureNotFoundError ¶ added in v0.4.0
type SignatureNotFoundError struct {
*K8sManifestError
}
func NewSignatureNotFoundError ¶ added in v0.4.0
func NewSignatureNotFoundError(err error) *SignatureNotFoundError
type SignatureVerificationError ¶ added in v0.4.0
type SignatureVerificationError struct {
*K8sManifestError
}
func NewSignatureVerificationError ¶ added in v0.4.0
func NewSignatureVerificationError(err error) *SignatureVerificationError
type SignatureVerifier ¶
func NewSignatureVerifier ¶
func NewSignatureVerifier(objYAMLBytes []byte, sigRef string, pubkeyPath *string, signers []string, cosignVerifyConfig CosignVerifyConfig, annotationConfig AnnotationConfig) SignatureVerifier
type Signer ¶
type Signer interface {
Sign(inputDir, output string, imageAnnotations map[string]interface{}) ([]byte, error)
}
func NewSigner ¶
func NewSigner(resBundleRef, keyPath, certPath, output string, appendSig, doApply, tarball bool, cosignSignConfig CosignSignConfig, AnnotationConfig AnnotationConfig, pf cosign.PassFunc) Signer
type SignerList ¶
type SignerList []string
func (SignerList) Match ¶
func (l SignerList) Match(signerName string) bool
type VerifyManifestOption ¶
type VerifyManifestOption struct {
// contains filtered or unexported fields
}
option for VerifyManifest()
func LoadVerifyManifestConfig ¶
func LoadVerifyManifestConfig(fpath string) (*VerifyManifestOption, error)
func (*VerifyManifestOption) SetAnnotationIgnoreFields ¶
func (o *VerifyManifestOption) SetAnnotationIgnoreFields()
type VerifyResourceOption ¶
type VerifyResourceOption struct {
SkipObjects ObjectReferenceList `json:"skipObjects,omitempty"`
Provenance bool `json:"-"`
DisableDryRun bool `json:"-"`
CheckDryRunForApply bool `json:"-"`
CheckMutatingResource bool `json:"-"`
DryRunNamespace string `json:"-"`
// contains filtered or unexported fields
}
option for VerifyResource()
func AddDefaultConfig ¶
func AddDefaultConfig(vo *VerifyResourceOption) *VerifyResourceOption
func LoadDefaultConfig ¶
func LoadDefaultConfig() *VerifyResourceOption
func LoadVerifyResourceConfig ¶
func LoadVerifyResourceConfig(fpath string) (*VerifyResourceOption, error)
func LoadVerifyResourceConfigFromResource ¶
func LoadVerifyResourceConfigFromResource(configPath, configField string) (*VerifyResourceOption, error)
func (*VerifyResourceOption) AddDefaultConfig ¶
func (vo *VerifyResourceOption) AddDefaultConfig(defaultConfig *VerifyResourceOption) *VerifyResourceOption
func (*VerifyResourceOption) SetAnnotationIgnoreFields ¶
func (o *VerifyResourceOption) SetAnnotationIgnoreFields()
type VerifyResourceResult ¶
type VerifyResourceResult struct {
Verified bool `json:"verified"`
InScope bool `json:"inScope"`
Signer string `json:"signer"`
SignedTime *time.Time `json:"signedTime"`
SigRef string `json:"sigRef"`
Diff *mapnode.DiffResult `json:"diff"`
ContainerImages []kubeutil.ImageObject `json:"containerImages"`
Provenances []*Provenance `json:"provenances,omitempty"`
}
func VerifyResource ¶
func VerifyResource(obj unstructured.Unstructured, vo *VerifyResourceOption) (*VerifyResourceResult, error)
func (*VerifyResourceResult) String ¶
func (r *VerifyResourceResult) String() string
type VerifyResult ¶
type VerifyResult struct {
Verified bool `json:"verified"`
Signer string `json:"signer"`
Diff *mapnode.DiffResult `json:"diff"`
}
func VerifyManifest ¶
func VerifyManifest(objManifest []byte, vo *VerifyManifestOption) (*VerifyResult, error)
func (*VerifyResult) String ¶
func (r *VerifyResult) String() string
Source Files
Click to show internal directories.
Click to hide internal directories.