Using ocm-controller for signature tracking (#97)
* named it back :D

* applying latest ocm controller
Skarlso authored Dec 5, 2023
1 parent 72c49af commit 2b84a6b
Showing 9 changed files with 73 additions and 122 deletions.
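--- a/api/v1alpha1/componentsubscription_types.go
+++ b/api/v1alpha1/componentsubscription_types.go
@@ -8,6 +8,7 @@ import (
 "fmt"
 "time"
 
+"github.com/open-component-model/ocm-controller/api/v1alpha1"
 v1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -49,28 +50,7 @@ type ComponentSubscriptionSpec struct {
 // Verify specifies a list signatures that must be verified before a ComponentVersion
 // is replicated.
 // +optional
-Verify []Signature `json:"verify,omitempty"`
-}
-
-// Signature defines the details of a signature to use for verification.
-type Signature struct {
-// Name specifies the name of the signature. An OCM component may have multiple
-// signatures.
-Name string `json:"name"`
-
-// PublicKey provides a reference to a Kubernetes Secret that contains a public key
-// which will be used to validate the named signature.
-//+optional
-PublicKey SecretRef `json:"publicKey,omitempty"`
-
-// PublicKeyBlob defines an inlined public key.
-//+optional
-PublicKeyBlob []byte `json:"publicKeyBlob,omitempty"`
-}
-
-// SecretRef clearly denotes that the requested option is a Secret.
-type SecretRef struct {
-SecretRef v1.LocalObjectReference `json:"secretRef"`
+Verify []v1alpha1.Signature `json:"verify,omitempty"`
 }
 
 // OCMRepository specifies access details for an OCI based OCM Repository.
@@ -89,24 +69,24 @@ type ComponentSubscriptionStatus struct {
 // LastAttemptedVersion defines the latest version encountered while checking component versions.
 // This might be different from last applied version which should be the latest applied/replicated version.
 // The difference might be caused because of semver constraint or failures during replication.
-//+optional
+// +optional
 LastAttemptedVersion string `json:"lastAttemptedVersion,omitempty"`
 
 // ObservedGeneration is the last reconciled generation.
 // +optional
 ObservedGeneration int64 `json:"observedGeneration,omitempty"`
 
 // LastAppliedVersion defines the final version that has been applied to the destination component version.
-//+optional
+// +optional
 LastAppliedVersion string `json:"lastAppliedVersion,omitempty"`
 
 // ReplicatedRepositoryURL defines the final location of the reconciled Component.
-//+optional
+// +optional
 ReplicatedRepositoryURL string `json:"replicatedRepositoryURL,omitempty"`
 
 // Signature defines a set of internal keys that were used to sign the Component once transferred to the Destination.
-//+optional
-Signature []Signature `json:"signature,omitempty"`
+// +optional
+Signature []v1alpha1.Signature `json:"signature,omitempty"`
 
 // Digest contains the digest of the subscription's spec.
 Digest uint64 `json:"specDigest,omitempty"`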
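Review bot: The `Verify` doc comment in the second hunk no longer says how each entry's public key is supplied now that the field is the ocm-controller `Signature` type, and the regenerated CRD in this same commit makes `publicKey` required while leaving both `secretRef` and `value` beneath it optional, so a `verify` entry with an empty `publicKey` passes schema validation. Since this list is the only gate between an untrusted upstream component version and replication, the contract should be stated on the field: `// Each entry must carry its verification key either in publicKey.secretRef (presumably a Secret in this namespace) or inline in publicKey.value; an entry with neither cannot be verified and must fail the reconcile rather than be skipped.` It is worth confirming that the ocm-controller verification path indeed errors on such an entry — that behaviour lives in the dependency, not in this repository — and, if it does not, expressing the either/or at the CRD level with an `x-kubernetes-validations` rule. The `v1` import kept as context in the first hunk was used by the removed `SecretRef` type; it presumably still has another user in the file, which is outside the hunk. ComponentSubscriptionSpec and ComponentSubscriptionStatus both start outside their hunks.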
42 changes: 3 additions & 39 deletions api/v1alpha1/zz_generated.deepcopy.go


42 changes: 20 additions & 22 deletions config/crd/bases/delivery.ocm.software_componentsubscriptions.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -114,29 +114,28 @@ spec:
type: string
publicKey:
description: PublicKey provides a reference to a Kubernetes
Secret that contains a public key which will be used to validate
the named signature.
Secret of contain a blob of a public key that which will be
used to validate the named signature.
properties:
secretRef:
description: LocalObjectReference contains enough information
to let you locate the referenced object inside the same
namespace.
description: SecretRef is a reference to a Secret that contains
a public key.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
x-kubernetes-map-type: atomic
required:
- secretRef
value:
description: Value defines a PEM/base64 encoded public key
value.
format: byte
type: string
type: object
publicKeyBlob:
description: PublicKeyBlob defines an inlined public key.
format: byte
type: string
required:
- name
- publicKey
type: object
type: array
required:
Expand Down Expand Up @@ -248,29 +247,28 @@ spec:
type: string
publicKey:
description: PublicKey provides a reference to a Kubernetes
Secret that contains a public key which will be used to validate
the named signature.
Secret of contain a blob of a public key that which will be
used to validate the named signature.
properties:
secretRef:
description: LocalObjectReference contains enough information
to let you locate the referenced object inside the same
namespace.
description: SecretRef is a reference to a Secret that contains
a public key.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
x-kubernetes-map-type: atomic
required:
- secretRef
value:
description: Value defines a PEM/base64 encoded public key
value.
format: byte
type: string
type: object
publicKeyBlob:
description: PublicKeyBlob defines an inlined public key.
format: byte
type: string
required:
- name
- publicKey
type: object
type: array
specDigest:
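--- a/controllers/componentsubscription_controller.go
+++ b/controllers/componentsubscription_controller.go
@@ -15,6 +15,7 @@ import (
 "github.com/fluxcd/pkg/runtime/patch"
 rreconcile "github.com/fluxcd/pkg/runtime/reconcile"
 "github.com/mitchellh/hashstructure/v2"
+ocmv1alpha1 "github.com/open-component-model/ocm-controller/api/v1alpha1"
 "github.com/open-component-model/ocm-controller/pkg/status"
 ocm2 "github.com/open-component-model/ocm/pkg/contexts/ocm"
 "github.com/open-component-model/ocm/pkg/contexts/ocm/compdesc"
@@ -318,10 +319,12 @@ func (r *ComponentSubscriptionReconciler) signMpasComponent(
 return fmt.Errorf("failed to sign destination component: %w", err)
 }
 
-obj.Status.Signature = []v1alpha1.Signature{
+obj.Status.Signature = []ocmv1alpha1.Signature{
 {
-Name: v1alpha1.InternalSignatureName,
-PublicKeyBlob: pub,
+Name: v1alpha1.InternalSignatureName,
+PublicKey: ocmv1alpha1.PublicKey{
+Value: pub,
+},
 },
 }
 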
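Review bot: Inlining `pub` as `PublicKey.Value` in the second hunk publishes the internal signing key's public half through the resource's status, so any downstream consumer that verifies the `InternalSignatureName` signature against `status.signature[].publicKey.value` is trusting whoever can write this object's status, not an independent root; a principal with status write access could swap in its own key alongside a re-signed component. The assignment deserves a comment making that explicit: `// The public key is recorded in status for discovery only; verifiers must obtain the trusted key out-of-band (e.g. from the Secret it was generated into), not from this status field.` It is also worth confirming at this line that `pub` holds only the public key material — the name suggests so, but the key generation and the signing call that produced it sit above the hunk — since whatever is assigned here becomes readable by every principal with read access on ComponentSubscription. signMpasComponent starts before and ends after the hunk.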
3 changes: 3 additions & 0 deletions docs/release_notes/v0.12.0.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
# Release 0.12.0

- Using ocm-controller for signature tracking (#97)
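--- a/go.mod
+++ b/go.mod
@@ -32,7 +32,7 @@ require (
 github.com/go-logr/logr v1.3.0
 github.com/mitchellh/hashstructure/v2 v2.0.2
 github.com/open-component-model/ocm v0.4.0
-github.com/open-component-model/ocm-controller v0.16.1
+github.com/open-component-model/ocm-controller v0.18.0
 github.com/stretchr/testify v1.8.4
 k8s.io/api v0.28.1
 k8s.io/apimachinery v0.28.1
@@ -135,7 +135,7 @@ require (
 github.com/ghodss/yaml v1.0.0 // indirect
 github.com/go-chi/chi v4.1.2+incompatible // indirect
 github.com/go-errors/errors v1.4.2 // indirect
-github.com/go-jose/go-jose/v3 v3.0.0 // indirect
+github.com/go-jose/go-jose/v3 v3.0.1 // indirect
 github.com/go-logr/stdr v1.2.2 // indirect
 github.com/go-logr/zapr v1.2.4 // indirect
 github.com/go-openapi/analysis v0.21.4 // indirect
@@ -159,7 +159,7 @@ require (
 github.com/google/btree v1.1.2 // indirect
 github.com/google/certificate-transparency-go v1.1.6 // indirect
 github.com/google/gnostic v0.6.9 // indirect
-github.com/google/go-cmp v0.5.9 // indirect
+github.com/google/go-cmp v0.6.0 // indirect
 github.com/google/go-containerregistry v0.16.1 // indirect
 github.com/google/go-github/v45 v45.2.0 // indirect
 github.com/google/go-github/v50 v50.2.0 // indirect
@@ -212,9 +212,9 @@ require (
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
 github.com/oklog/ulid v1.3.1 // indirect
-github.com/onsi/gomega v1.27.10 // indirect
+github.com/onsi/gomega v1.30.0 // indirect
 github.com/opencontainers/go-digest v1.0.0 // indirect
-github.com/opencontainers/image-spec v1.1.0-rc4 // indirect
+github.com/opencontainers/image-spec v1.1.0-rc5 // indirect
 github.com/opentracing/opentracing-go v1.2.0 // indirect
 github.com/pborman/uuid v1.2.1 // indirect
 github.com/pelletier/go-toml v1.9.5 // indirect
@@ -274,15 +274,15 @@ require (
 go.uber.org/zap v1.25.0 // indirect
 golang.org/x/crypto v0.15.0 // indirect
 golang.org/x/exp v0.0.0-20230321023759-10a507213a29 // indirect
-golang.org/x/mod v0.11.0 // indirect
+golang.org/x/mod v0.12.0 // indirect
 golang.org/x/net v0.18.0 // indirect
 golang.org/x/oauth2 v0.14.0 // indirect
 golang.org/x/sync v0.3.0 // indirect
 golang.org/x/sys v0.14.0 // indirect
 golang.org/x/term v0.14.0 // indirect
 golang.org/x/text v0.14.0 // indirect
 golang.org/x/time v0.3.0 // indirect
-golang.org/x/tools v0.9.3 // indirect
+golang.org/x/tools v0.12.0 // indirect
 gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 google.golang.org/api v0.138.0 // indirect
 google.golang.org/appengine v1.6.7 // indirect
@@ -307,5 +307,5 @@ require (
 sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect
 sigs.k8s.io/release-utils v0.7.4 // indirect
 sigs.k8s.io/structured-merge-diff/v4 v4.3.0 // indirect
-sigs.k8s.io/yaml v1.3.0 // indirect
+sigs.k8s.io/yaml v1.4.0 // indirect
 )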