HCIDOCS-530 (project: Hybrid Cloud Infrastructure Documentation)

Signed image support for peer pods VM image


    • Story
    • Resolution: Done
    • Priority: Critical
    • OSC 1.8.0
    • Sandboxed Containers
    • Sprint: HCIDOCS 2024#10, HCIDOCS 2024#11

      Tentative update, IIUC:

      • Signing key is optional. Needs a new procedure.
      • Container image signature verification policy is mandatory, even if images are not signed. If we can provide this policy as a default, we can keep it in the attestation policy module. This procedure is short but multistep, so it might make sense to break the signing key and verification policy out into their own module.

      Add support for signed images when creating the pod VM image.

      Resources

      Update (Oct 29): This task will probably require the following changes:

      • Signing a container image with Cosign (new procedure module).
      • Adding the public key to Trustee (update the Trustee secret or not?).
      • Adding the key to the peer pods config map (update the "Updating peer pods config map" module?).
      • Creating an attestation policy (update "Attestation policies").
      • Adding the attestation policy to Trustee (update the Trustee config map; it might be a good idea to move the Trustee config map so that it appears after the attestation policies).

      Background

      From parent epic:

      • Document how to sign a container image. I think https://docs.sigstore.dev/cosign/signing/signing_with_containers/ has the best information (Jens to find out whether the key is stored in Azure vault or elsewhere).
      • Document how to set the public key used for signing in Trustee (e.g. at `kbs:///default/cosign-public-key/osc`).
      • Document how to write the policy.json for the customer's use case and how to set it as a resource at `default/security-policy/osc` (or wherever) on Trustee.
      • OSC 1.8.0 changes
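As an added illustration (not part of this ticket or of the product documentation), a Python model of the policy.json the last two bullets describe, including the scope matching from containers-policy.json(5) that decides which images must carry a verified Cosign signature. `quay.io/customer` is a placeholder namespace, and using a `kbs://` URI as `keyPath` is an assumption about the CoCo image-rs policy dialect:

```python
# Constructed policy.json for the ticket's scenario: every image is rejected
# unless it comes from the customer's namespace (placeholder: quay.io/customer)
# and carries a Cosign signature that verifies against the public key Trustee
# serves at kbs:///default/cosign-public-key/osc (a kbs:// keyPath is an
# assumption about the CoCo image-rs policy dialect).
POLICY = {
    "default": [{"type": "reject"}],
    "transports": {"docker": {
        "quay.io/customer": [{
            "type": "sigstoreSigned",
            "keyPath": "kbs:///default/cosign-public-key/osc",
            "signedIdentity": {"type": "matchRepository"},
        }],
    }},
}

# Satisfies "a verification policy is mandatory" while still pulling unsigned
# images; it verifies nothing, so it is only a stopgap.
PERMISSIVE_POLICY = {"default": [{"type": "insecureAcceptAnything"}]}


def candidate_scopes(image_ref):
    """Scopes a docker: reference can match, most specific first, as in
    containers-policy.json(5): full reference, repository (tag or digest
    stripped), each parent namespace, then the bare registry host."""
    scopes = [image_ref]
    ref = image_ref.split("@", 1)[0]            # drop @sha256:... digest
    if ":" in ref.rsplit("/", 1)[-1]:           # drop :tag on last component
        ref = ref.rsplit(":", 1)[0]
    if ref != image_ref:
        scopes.append(ref)
    parts = ref.split("/")
    scopes += ["/".join(parts[:i]) for i in range(len(parts) - 1, 0, -1)]
    return scopes


def requirements_for(policy, image_ref):
    """Return (matched scope or None, requirement list) for image_ref."""
    docker = policy.get("transports", {}).get("docker", {})
    for scope in candidate_scopes(image_ref):
        if scope in docker:
            return scope, docker[scope]
    if "" in docker:                            # transport-wide default
        return "", docker[""]
    return None, policy["default"]


def signature_required(policy, image_ref):
    """True if the image cannot be pulled without a verified signature."""
    reqs = requirements_for(policy, image_ref)[1]
    return any(r["type"] in ("sigstoreSigned", "signedBy") for r in reqs)
```

With `POLICY`, an image under `quay.io/customer` matches the namespace scope and needs a signature, while anything else falls through to the global `reject`; with `PERMISSIVE_POLICY` nothing is checked at all.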

              People: John Wilkins, Avital Pinnick, Julien ROPE, Victor Voronkov