-
Epic
-
Resolution: Unresolved
-
Major
-
None
-
None
-
None
-
Runtime validation of container images using sigstore signatures
-
BU Product Work
-
11
-
False
-
None
-
False
-
Not Selected
-
To Do
-
OCPSTRAT-1347 - [GA release] Next-gen OLM (OLM v1)
-
-
100% To Do, 0% In Progress, 0% Done
NOTE: All features will be tech-preview in the first release and then will graduate to GA in the next release or when it is ready for GA.
Epic Goal
- Runtime validation of container images using sigstore signatures.
Why is this important?
- The Red Hat-sponsored Sigstore project is gaining traction in the Kubernetes community, aiming to simplify the signing of cloud-native artifacts. OpenShift leverages Sigstore tooling to enable scalable and flexible signature validation, including support for disconnected environments. This functionality will be available as a Tech Preview in 4.17 and is targeted for General Availability (GA) in the upcoming 4.18 release. To fully support this integration, the (cluster)extension lifecycle management needs to (be prepared to) handle runtime validation of Sigstore signatures for container images.
Scenarios
- ...
Acceptance Criteria
- CI - MUST be running successfully with tests automated
- Release Technical Enablement - Provide necessary release enablement details and documents.
- ...
Dependencies (internal and external)
- ...
Previous Work (Optional):
- …
Open questions::
- Very high level intro questions:
- What is sigstore?
- How does it work?
- Where is it already integrated?
- Are there Go libraries available that abstract its core functionality?
- Which OLM-related images do users expect to be subject to image signature verification?
- How are users of OLM expected to interact with sigstore-related features?
- Will any OLM user want to enable or disable image signature verification separately from any defaults? If so, how is that expected to work for each of the following classes of images.
- For Catalogs
- For Bundles
- For operator and related images
- Will any OLM user want to be able to define specific verification configurations for catalog, bundle, operator, or operand images (e.g. a separate CA for verification)?
- If so, what sorts of things should be configurable?
- If an image is not signed, what is OLM expected to do?
- If an image signature is invalid, what is OLM expected to do?
- Will any OLM user want to enable or disable image signature verification separately from any defaults? If so, how is that expected to work for each of the following classes of images.
- Does this feature preclude OLM from using other distribution mechanisms and protocols?
- Do all image registry clients need to perform image signature verification? If only a subset, why that particular subset? (Thinking of opm, kubectl-operator, etc.)
- For the OLM content distribution persona, how can OLM facilitate signing of their OLM artifacts?
- Is it sufficient to delegate all image signature verification functionality to an underlying CRI?
- If so, how will OLM users know if the underlying CRI implements image signature verification?
- If so, how will image signature verification work for non-runnable images
- helm OCI artifacts
- potential future for OLM-specific OCI artifacts for catalogs and bundles.
Done Checklist
- CI - CI is running, tests are automated and merged.
- Release Enablement <link to Feature Enablement Presentation>
- DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
- DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
- DEV - Downstream build attached to advisory: <link to errata>
- QE - Test plans in Polarion: <link or reference to Polarion>
- QE - Automated tests merged: <link or reference to automated tests>
- DOC - Downstream documentation merged: <link to meaningful PR>
- relates to
-
-
- Testing
-
-
-
- Testing
-