Compare commits
14 Commits
attest-pro
...
attest-pro
| Author | SHA1 | Date | |
|---|---|---|---|
|
a4fe4eb4bd | ||
|
|
c5a07018f7 | ||
|
|
1a14ca3042 | ||
|
|
033f760ba3 | ||
|
|
9753cb15b9 | ||
|
|
372982c90e | ||
|
|
2ed9e72456 | ||
|
|
f971ededd0 | ||
|
|
f823962909 | ||
|
|
08ab6326f1 | ||
|
|
da3534192a | ||
|
|
63ddd22803 | ||
|
|
2efeb7ed64 | ||
|
|
4f4e2d3608 |
2
.github/workflows/release.yml
vendored
2
.github/workflows/release.yml
vendored
@@ -17,7 +17,7 @@ jobs:
|
||||
password: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }}
|
||||
- name: Generate GitHub App Token
|
||||
id: app-token
|
||||
uses: actions/create-github-app-token@ad38cffc07bac6e3857755914c4c88bfd2db4da4 # v1.10.2
|
||||
uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4 # v1.10.3
|
||||
with:
|
||||
app-id: ${{ vars.APP_ID }}
|
||||
private-key: ${{ secrets.DOCKER_READ_APP_PRIVATE_KEY }}
|
||||
|
||||
4
.github/workflows/scorecards.yml
vendored
4
.github/workflows/scorecards.yml
vendored
@@ -42,7 +42,7 @@ jobs:
|
||||
|
||||
- name: Generate GitHub App Token
|
||||
id: app-token
|
||||
uses: actions/create-github-app-token@ad38cffc07bac6e3857755914c4c88bfd2db4da4 # v1.10.2
|
||||
uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4 # v1.10.3
|
||||
with:
|
||||
app-id: ${{ vars.DOCKER_READ_APP_ID }}
|
||||
private-key: ${{ secrets.DOCKER_READ_APP_PRIVATE_KEY }}
|
||||
@@ -70,7 +70,7 @@ jobs:
|
||||
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
|
||||
# format to the repository Actions tab.
|
||||
- name: "Upload artifact"
|
||||
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
|
||||
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
|
||||
with:
|
||||
name: SARIF file
|
||||
path: results.sarif
|
||||
|
||||
4
.github/workflows/workflow.yaml
vendored
4
.github/workflows/workflow.yaml
vendored
@@ -26,7 +26,7 @@ jobs:
|
||||
|
||||
- name: Generate GitHub App Token
|
||||
id: app-token
|
||||
uses: actions/create-github-app-token@ad38cffc07bac6e3857755914c4c88bfd2db4da4 # v1.10.2
|
||||
uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4 # v1.10.3
|
||||
with:
|
||||
app-id: ${{ vars.DOCKER_READ_APP_ID }}
|
||||
private-key: ${{ secrets.DOCKER_READ_APP_PRIVATE_KEY }}
|
||||
@@ -74,7 +74,7 @@ jobs:
|
||||
|
||||
- name: Generate GitHub App Token
|
||||
id: app-token
|
||||
uses: actions/create-github-app-token@ad38cffc07bac6e3857755914c4c88bfd2db4da4 # v1.10.2
|
||||
uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4 # v1.10.3
|
||||
with:
|
||||
app-id: ${{ vars.DOCKER_READ_APP_ID }}
|
||||
private-key: ${{ secrets.DOCKER_READ_APP_PRIVATE_KEY }}
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
apiVersion: v2
|
||||
description: A Helm chart for attest external data provider
|
||||
name: attest-provider
|
||||
version: 0.0.3
|
||||
version: 0.0.6
|
||||
home: https://github.com/docker/attest-provider
|
||||
sources:
|
||||
- https://github.com/docker/attest-provider.git
|
||||
appVersion: 0.0.3
|
||||
appVersion: 0.0.6
|
||||
|
||||
@@ -4,7 +4,7 @@ metadata:
|
||||
name: attest-provider
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
replicas: 1
|
||||
replicas: {{ .Values.replicas }}
|
||||
selector:
|
||||
matchLabels:
|
||||
run: attest-provider
|
||||
@@ -40,6 +40,12 @@ spec:
|
||||
{{- if .Values.policyCacheDir }}
|
||||
- --policy-cache-dir={{ .Values.policyCacheDir }}
|
||||
{{- end }}
|
||||
{{- if .Values.attestationStyle }}
|
||||
- --attestation-style={{ .Values.attestationStyle }}
|
||||
{{- end }}
|
||||
{{- if .Values.referrersRepo }}
|
||||
- --referrers-source={{ .Values.referrersRepo }}
|
||||
{{- end }}
|
||||
|
||||
ports:
|
||||
- containerPort: {{ .Values.port }}
|
||||
@@ -47,6 +53,11 @@ spec:
|
||||
volumeMounts:
|
||||
- name: tuf-temp
|
||||
mountPath: /tuf_temp
|
||||
{{- if .Values.localPolicyDir }}
|
||||
- name: local-policy
|
||||
mountPath: {{ .Values.localPolicyDir }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- if .Values.clientCAFile }}
|
||||
- name: gatekeeper-ca-cert
|
||||
mountPath: /tmp/gatekeeper
|
||||
@@ -63,6 +74,11 @@ spec:
|
||||
volumes:
|
||||
- name: tuf-temp
|
||||
emptyDir: {}
|
||||
{{- if .Values.localPolicyDir }}
|
||||
- name: local-policy
|
||||
configMap:
|
||||
name: {{ .Values.localPolicyConfigMap }}
|
||||
{{- end }}
|
||||
{{- if .Values.clientCAFile }}
|
||||
- name: gatekeeper-ca-cert
|
||||
secret:
|
||||
|
||||
@@ -1,8 +1,9 @@
|
||||
image: "docker/attest-provider:0.0.3@sha256:7a86f674235cae3f7fa0691ae56d385b2b13951c3cf4cb04356d486a6698d354"
|
||||
image: "docker/attest-provider:0.0.6@sha256:1403ff1d17ffb9d330e90817ed05d080dec2bd4c9f7e611be07788111040342f"
|
||||
|
||||
certDir: /certs
|
||||
clientCAFile: /tmp/gatekeeper/ca.crt
|
||||
port: 8090
|
||||
replicas: 1
|
||||
|
||||
# uncomment these lines to use the dev TUF root
|
||||
# tufRoot: dev
|
||||
@@ -12,6 +13,8 @@ port: 8090
|
||||
tufMetadataSource: https://docker.github.io/tuf-staging/metadata
|
||||
tufTargetsSource: https://docker.github.io/tuf-staging/targets
|
||||
|
||||
attestationStyle: referrers
|
||||
|
||||
provider:
|
||||
timeout: 30
|
||||
tls:
|
||||
|
||||
20
main.go
20
main.go
@@ -40,6 +40,9 @@ var (
|
||||
|
||||
policyDir string
|
||||
policyCacheDir string
|
||||
|
||||
attestationStyle string
|
||||
referrersRepo string
|
||||
)
|
||||
|
||||
const (
|
||||
@@ -73,6 +76,9 @@ func init() {
|
||||
flag.StringVar(&policyDir, "local-policy-dir", "", "path to local policy directory (overrides TUF policy)")
|
||||
flag.StringVar(&policyCacheDir, "policy-cache-dir", defaultPolicyCacheDir, "path to store policy downloaded from TUF")
|
||||
|
||||
flag.StringVar(&attestationStyle, "attestation-style", "referrers", "attestation style [referrers, attached]")
|
||||
flag.StringVar(&referrersRepo, "referrers-source", "", "repo from which to fetch Referrers for attestation lookup")
|
||||
|
||||
flag.Parse()
|
||||
}
|
||||
|
||||
@@ -80,12 +86,14 @@ func main() {
|
||||
mux := http.NewServeMux()
|
||||
|
||||
validateHandler, err := handler.NewValidateHandler(&handler.ValidateHandlerOptions{
|
||||
TUFRoot: tufRoot,
|
||||
TUFOutputPath: tufoutputPath,
|
||||
TUFMetadataURL: metadataURL,
|
||||
TUFTargetsURL: targetsURL,
|
||||
PolicyDir: policyDir,
|
||||
PolicyCacheDir: policyCacheDir,
|
||||
TUFRoot: tufRoot,
|
||||
TUFOutputPath: tufoutputPath,
|
||||
TUFMetadataURL: metadataURL,
|
||||
TUFTargetsURL: targetsURL,
|
||||
PolicyDir: policyDir,
|
||||
PolicyCacheDir: policyCacheDir,
|
||||
AttestationStyle: attestationStyle,
|
||||
ReferrersRepo: referrersRepo,
|
||||
})
|
||||
if err != nil {
|
||||
klog.ErrorS(err, "unable to create validate handler")
|
||||
|
||||
@@ -10,6 +10,7 @@ import (
|
||||
"github.com/docker/attest-provider/internal/embed"
|
||||
"github.com/docker/attest-provider/pkg/utils"
|
||||
"github.com/docker/attest/pkg/attest"
|
||||
"github.com/docker/attest/pkg/config"
|
||||
"github.com/docker/attest/pkg/oci"
|
||||
"github.com/docker/attest/pkg/policy"
|
||||
"github.com/docker/attest/pkg/tuf"
|
||||
@@ -33,6 +34,9 @@ type ValidateHandlerOptions struct {
|
||||
|
||||
PolicyDir string
|
||||
PolicyCacheDir string
|
||||
|
||||
AttestationStyle string
|
||||
ReferrersRepo string
|
||||
}
|
||||
|
||||
type validateHandler struct {
|
||||
@@ -104,9 +108,11 @@ func (h *validateHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
|
||||
}
|
||||
|
||||
policyOpts := &policy.PolicyOptions{
|
||||
TufClient: tufClient,
|
||||
LocalTargetsDir: h.opts.PolicyCacheDir,
|
||||
LocalPolicyDir: h.opts.PolicyDir,
|
||||
TufClient: tufClient,
|
||||
LocalTargetsDir: h.opts.PolicyCacheDir,
|
||||
LocalPolicyDir: h.opts.PolicyDir,
|
||||
AttestationStyle: config.AttestationStyle(h.opts.AttestationStyle),
|
||||
ReferrersRepo: h.opts.ReferrersRepo,
|
||||
}
|
||||
|
||||
results := make([]externaldata.Item, 0)
|
||||
|
||||
Reference in New Issue
Block a user