Merge pull request #1 from projectsyn/initial-implementation

Initial implementation

.cruft.json

@@ -7,7 +7,7 @@
       "name": "sigstore-policy-controller",
       "slug": "sigstore-policy-controller",
       "parameter_key": "sigstore_policy_controller",
-      "test_cases": "defaults",
+      "test_cases": "defaults component-prometheus",
       "add_lib": "n",
       "add_pp": "n",
       "add_golden": "y",

.github/workflows/test.yaml

@@ -33,6 +33,7 @@ jobs:
       matrix:
         instance:
           - defaults
+          - component-prometheus
     defaults:
       run:
         working-directory: ${{ env.COMPONENT_NAME }}
@@ -48,6 +49,7 @@ jobs:
       matrix:
         instance:
           - defaults
+          - component-prometheus
     defaults:
       run:
         working-directory: ${{ env.COMPONENT_NAME }}

Makefile.vars.mk

@@ -50,4 +50,4 @@ KUBENT_IMAGE    ?= ghcr.io/doitintl/kube-no-trouble:latest
 KUBENT_DOCKER   ?= $(DOCKER_CMD) $(DOCKER_ARGS) $(root_volume) --entrypoint=/app/kubent $(KUBENT_IMAGE)
 
 instance ?= defaults
-test_instances = tests/defaults.yml
+test_instances = tests/defaults.yml tests/component-prometheus.yml

class/defaults.yml

@@ -2,3 +2,16 @@ parameters:
   sigstore_policy_controller:
     =_metadata: {}
     namespace: syn-sigstore-policy-controller
+
+    charts:
+      policy-controller:
+        source: https://sigstore.github.io/helm-charts
+        version: 0.6.5
+
+    cluster_policies: {}
+
+    helm_values:
+      webhook:
+        replicaCount: 2
+      serviceMonitor:
+        enabled: true

class/sigstore-policy-controller.yml

@@ -1,5 +1,11 @@
 parameters:
   kapitan:
+    dependencies:
+      - type: helm
+        source: ${sigstore_policy_controller:charts:policy-controller:source}
+        chart_name: policy-controller
+        version: ${sigstore_policy_controller:charts:policy-controller:version}
+        output_path: ${_base_directory}/helmcharts/policy-controller/${sigstore_policy_controller:charts:policy-controller:version}
     compile:
       - input_paths:
           - ${_base_directory}/component/app.jsonnet
@@ -9,3 +15,18 @@ parameters:
           - ${_base_directory}/component/main.jsonnet
         input_type: jsonnet
         output_path: sigstore-policy-controller/
+      - input_paths:
+          - ${_base_directory}/helmcharts/policy-controller/${sigstore_policy_controller:charts:policy-controller:version}
+        input_type: helm
+        output_type: yaml
+        output_path: sigstore-policy-controller/01_helm_chart
+        helm_values: ${sigstore_policy_controller:helm_values}
+        helm_params:
+          name: syn-sigstore-policy-controller
+          namespace: ${sigstore_policy_controller:namespace}
+  commodore:
+    postprocess:
+      filters:
+        - type: jsonnet
+          path: sigstore-policy-controller/01_helm_chart/policy-controller/templates/webhook
+          filter: postprocess/clean_helm_output.jsonnet

component/app.jsonnet

@@ -3,7 +3,26 @@ local inv = kap.inventory();
 local params = inv.parameters.sigstore_policy_controller;
 local argocd = import 'lib/argocd.libjsonnet';
 
-local app = argocd.App('sigstore-policy-controller', params.namespace);
+local app = argocd.App('sigstore-policy-controller', params.namespace) {
+  spec+: {
+    ignoreDifferences: [
+      {
+        group: 'admissionregistration.k8s.io',
+        kind: 'MutatingWebhookConfiguration',
+        jqPathExpressions: [
+          '.webhooks[]?.namespaceSelector.matchExpressions',
+        ],
+      },
+      {
+        group: 'admissionregistration.k8s.io',
+        kind: 'ValidatingWebhookConfiguration',
+        jqPathExpressions: [
+          '.webhooks[]?.namespaceSelector.matchExpressions',
+        ],
+      },
+    ],
+  },
+};
 
 {
   'sigstore-policy-controller': app,

component/main.jsonnet

@@ -1,10 +1,54 @@
-// main template for sigstore-policy-controller
+local com = import 'lib/commodore.libjsonnet';
 local kap = import 'lib/kapitan.libjsonnet';
 local kube = import 'lib/kube.libjsonnet';
+
+local prometheus = import 'lib/prometheus.libsonnet';
+
 local inv = kap.inventory();
-// The hiera parameters for the component
 local params = inv.parameters.sigstore_policy_controller;
 
-// Define outputs below
+// NOTE(sg): SkipDryRunOnMissingResource isn't required, since the Helm chart
+// renders the CRDs, so ArgoCD will know not to do dry-run on first apply.
+local ClusterPolicy(name) =
+  kube._Object('policy.sigstore.dev/v1beta1', 'ClusterImagePolicy', name);
+
+local policies = com.generateResources(
+  params.cluster_policies,
+  ClusterPolicy,
+);
+
+local aggregated_rbac =
+  kube.ClusterRole('syn:sigstore-policy-controller:cluster-reader') {
+    metadata+: {
+      labels+: {
+        'rbac.authorization.k8s.io/aggregate-to-cluster-reader': 'true',
+      },
+    },
+    rules: [
+      {
+        apiGroups: [ 'policy.sigstore.dev' ],
+        resources: [ '*' ],
+        verbs: [ 'get', 'list', 'watch' ],
+      },
+    ],
+  };
+
+local namespace =
+  local ns = kube.Namespace(params.namespace) {
+    metadata+: {
+      labels+: {
+        // Scrape metrics through cluster-monitoring stack on OCP4
+        'openshift.io/cluster-monitoring': 'true',
+      },
+    },
+  };
+  if std.member(inv.applications, 'prometheus') then
+    prometheus.RegisterNamespace(ns)
+  else
+    ns;
+
 {
+  '00_namespace': namespace,
+  '02_aggregated_rbac': aggregated_rbac,
+  [if std.length(policies) > 0 then '10_clusterpolicies']: policies,
 }

docs/modules/ROOT/pages/index.adoc

@@ -1,5 +1,5 @@
 = sigstore-policy-controller
 
-sigstore-policy-controller is a Commodore component to manage sigstore-policy-controller.
+sigstore-policy-controller is a Commodore component to manage the https://docs.sigstore.dev/policy-controller/overview/[sigstore Kubernetes policy controller^].
 
 See the xref:references/parameters.adoc[parameters] reference for further details.

docs/modules/ROOT/pages/references/parameters.adoc

@@ -10,10 +10,97 @@ default:: `syn-sigstore-policy-controller`
 
 The namespace in which to deploy this component.
 
+The component configures appropriate labels to ensure OpenShift 4's cluster monitoring or component-prometheus monitoring stacks pick up the policy controller's metrics.
 
-== Example
+== `charts`
 
+[horizontal]
+type:: dict
+default:: see https://github.com/projectsyn/component-sigstore-policy-controller/blob/master/class/defaults.yml[`class/defaults.yml`]
+
+This parameter contains the Helm chart source and version for the policy controller.
+
+== `cluster_policies`
+
+[horizontal]
+type:: dict
+default:: `{}`
+
+This parameter allows users to configure `ClusterImagePolicy` resources that should be deployed.
+
+Each key-value pair in this parameter is translated into a `ClusterImagePolicy` resource.
+The key is used as `metadata.name` of the resulting resource.
+The value is used verbatim as a partial `ClusterImagePolicy` resource.
+The component doesn't perform any validation on the provided configuration.
+
+Setting a key-value pair's value to `null` allows users to remove policies from the configuration.
+
+NOTE: When defining multiple policies, pods must satisfy all policies to be admitted to the cluster.
+NOTE: By default, policies are only applied to namespaces which are labeled `policy.sigstore.dev/include=true`.
+
+See https://docs.sigstore.dev/policy-controller/overview/#configuring-policy-controller-clusterimagepolicy[the policy controller documentation] for details on supported configurations.
+
+=== Example
+
+Below we show an example component configuration and the resulting `ClusterImagePolicy` resource:
+
+.Component configuration
+[source,yaml]
+----
+parameters:
+  sigstore_policy_controller:
+    cluster_policies:
+      image-policy:
+        metadata:
+          annotations:
+            sigstore-policy-controller.syn.tools/description: |
+              Example policy
+        spec:
+          images:
+            - glob: "**"
+          authorities:
+            - key:
+                hashAlgorithm: sha256
+                data: |-
+                  -----BEGIN PUBLIC KEY-----
+                  ...
+                  -----END PUBLIC KEY-----
+----
+
+.Resulting `ClusterImagePolicy`
 [source,yaml]
 ----
-namespace: example-namespace
+apiVersion: policy.sigstore.dev/v1beta1
+kind: ClusterImagePolicy
+metadata:
+  annotations:
+    sigstore-policy-controller.syn.tools/description: |
+      Example policy
+  labels:
+    name: image-policy
+  name: image-policy
+spec:
+  authorities:
+    - data: |-
+        -----BEGIN PUBLIC KEY-----
+        ....
+        -----END PUBLIC KEY-----
+      hashAlgorithm: sha256
+      key: null
+  images:
+    - glob: '**'
 ----
+
+== `helm_values`
+
+[horizontal]
+type:: dict
+default:: see https://github.com/projectsyn/component-sigstore-policy-controller/blob/master/class/defaults.yml[`class/defaults.yml`]
+
+The Helm values used to render the policy controller Helm chart.
+
+[NOTE]
+====
+The component doesn't expose the policy controller container image in a dedicated parameter.
+Please adjust the container image directly through parameter `helm_values` if necessary.
+====

postprocess/clean_helm_output.jsonnet

@@ -0,0 +1,18 @@
+local com = import 'lib/commodore.libjsonnet';
+
+local dir = std.extVar('output_path');
+
+local stem(elem) =
+  local elems = std.split(elem, '.');
+  std.join('.', elems[:std.length(elems) - 1]);
+
+local filepath(file) = dir + '/' + file;
+
+local fixup(file) =
+  local contents = com.yaml_load_all(filepath(file));
+  std.filter(function(it) it != null, contents);
+
+{
+  [stem(file)]: fixup(file)
+  for file in com.list_dir(dir)
+}

tests/component-prometheus.yml

@@ -0,0 +1,13 @@
+# Test integration with component-prometheus
+applications:
+  - prometheus
+
+parameters:
+  kapitan:
+    dependencies:
+      - type: https
+        source: https://raw.githubusercontent.com/projectsyn/component-prometheus/master/lib/prometheus.libsonnet
+        output_path: vendor/lib/prometheus.libsonnet
+
+  prometheus:
+    defaultInstance: infra

tests/defaults.yml

@@ -1,3 +1,18 @@
-# Overwrite parameters here
-
-# parameters: {...}
+parameters:
+  sigstore_policy_controller:
+    cluster_policies:
+      test-policy:
+        metadata:
+          annotations:
+            sigstore-policy-controller.syn.tools/description: |
+              Verify signature of all images against the provided public key.
+        spec:
+          images:
+            - glob: "**"
+          authorities:
+            - key:
+              hashAlgorithm: sha256
+              data: |-
+                -----BEGIN PUBLIC KEY-----
+                ....
+                -----END PUBLIC KEY-----

tests/golden/component-prometheus/sigstore-policy-controller/apps/sigstore-policy-controller.yaml

@@ -0,0 +1,10 @@
+spec:
+  ignoreDifferences:
+    - group: admissionregistration.k8s.io
+      jqPathExpressions:
+        - .webhooks[]?.namespaceSelector.matchExpressions
+      kind: MutatingWebhookConfiguration
+    - group: admissionregistration.k8s.io
+      jqPathExpressions:
+        - .webhooks[]?.namespaceSelector.matchExpressions
+      kind: ValidatingWebhookConfiguration

tests/golden/component-prometheus/sigstore-policy-controller/sigstore-policy-controller/00_namespace.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  annotations: {}
+  labels:
+    monitoring.syn.tools/infra: 'true'
+    name: syn-sigstore-policy-controller
+    openshift.io/cluster-monitoring: 'true'
+  name: syn-sigstore-policy-controller