Merge pull request #16293 from mfojtik/signature-controller

Automatic merge from submit-queue (batch tested with PRs 16293, 16455)

Controller for automatic image signature import

This controller watches all images and automatically imports the image signatures using `container/image` library. 

* Sync never remove/override existing imported signatures
* This needs a config file in `/etc/containers/registry.d` to work properly

cc @bparees

Author: openshift-merge-robot

Godeps/Godeps.json

@@ -48,8 +48,9 @@ type OpenshiftControllerConfig struct {
 	DeploymentConfigControllerConfig  DeploymentConfigControllerConfig
 	DeploymentTriggerControllerConfig DeploymentTriggerControllerConfig
 
-	ImageTriggerControllerConfig ImageTriggerControllerConfig
-	ImageImportControllerConfig  ImageImportControllerConfig
+	ImageTriggerControllerConfig         ImageTriggerControllerConfig
+	ImageSignatureImportControllerConfig ImageSignatureImportControllerConfig
+	ImageImportControllerConfig          ImageImportControllerConfig
 
 	ServiceServingCertsControllerOptions ServiceServingCertsControllerOptions
 
@@ -80,6 +81,7 @@ func (c *OpenshiftControllerConfig) GetControllerInitializers() (map[string]Init
 
 	ret["openshift.io/image-trigger"] = c.ImageTriggerControllerConfig.RunController
 	ret["openshift.io/image-import"] = c.ImageImportControllerConfig.RunController
+	ret["openshift.io/image-signature-import"] = c.ImageSignatureImportControllerConfig.RunController
 
 	ret["openshift.io/templateinstance"] = RunTemplateInstanceController
 
@@ -203,6 +205,11 @@ func BuildOpenshiftControllerConfig(options configapi.MasterConfig) (*OpenshiftC
 		DisableScheduledImport:                     options.ImagePolicyConfig.DisableScheduledImport,
 		ScheduledImageImportMinimumIntervalSeconds: options.ImagePolicyConfig.ScheduledImageImportMinimumIntervalSeconds,
 	}
+	ret.ImageSignatureImportControllerConfig = ImageSignatureImportControllerConfig{
+		ResyncPeriod:          10 * time.Minute,
+		SignatureFetchTimeout: 1 * time.Minute,
+		SignatureImportLimit:  3,
+	}
 
 	ret.ServiceServingCertsControllerOptions = ServiceServingCertsControllerOptions{
 		Signer: options.ControllerConfig.ServiceServingCert.Signer,

pkg/cmd/server/origin/controller/config.go

@@ -1,6 +1,7 @@
 package controller
 
 import (
+	"context"
 	"fmt"
 	"time"
 
@@ -18,6 +19,7 @@ import (
 	buildclient "github.com/openshift/origin/pkg/build/client"
 	"github.com/openshift/origin/pkg/cmd/server/bootstrappolicy"
 	imagecontroller "github.com/openshift/origin/pkg/image/controller"
+	imagesignaturecontroller "github.com/openshift/origin/pkg/image/controller/signature"
 	imagetriggercontroller "github.com/openshift/origin/pkg/image/controller/trigger"
 	triggerannotations "github.com/openshift/origin/pkg/image/trigger/annotations"
 	triggerbuildconfigs "github.com/openshift/origin/pkg/image/trigger/buildconfigs"
@@ -147,6 +149,25 @@ func (u podSpecUpdater) Update(obj runtime.Object) error {
 	}
 }
 
+type ImageSignatureImportControllerConfig struct {
+	ResyncPeriod          time.Duration
+	SignatureFetchTimeout time.Duration
+	SignatureImportLimit  int
+}
+
+func (c *ImageSignatureImportControllerConfig) RunController(ctx ControllerContext) (bool, error) {
+	controller := imagesignaturecontroller.NewSignatureImportController(
+		context.Background(),
+		ctx.ClientBuilder.OpenshiftInternalImageClientOrDie(bootstrappolicy.InfraImageImportControllerServiceAccountName),
+		ctx.ImageInformers.Image().InternalVersion().Images(),
+		c.ResyncPeriod,
+		c.SignatureFetchTimeout,
+		c.SignatureImportLimit,
+	)
+	go controller.Run(5, ctx.Stop)
+	return true, nil
+}
+
 type ImageImportControllerConfig struct {
 	MaxScheduledImageImportsPerMinute          int
 	ScheduledImageImportMinimumIntervalSeconds int

pkg/cmd/server/origin/controller/image.go

@@ -0,0 +1,62 @@
+package signature
+
+import (
+	"context"
+	"crypto/sha256"
+	"fmt"
+	"time"
+
+	"github.com/containers/image/docker"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	imageapi "github.com/openshift/origin/pkg/image/apis/image"
+)
+
+type containerImageSignatureDownloader struct {
+	ctx     context.Context
+	timeout time.Duration
+}
+
+func NewContainerImageSignatureDownloader(ctx context.Context, timeout time.Duration) SignatureDownloader {
+	return &containerImageSignatureDownloader{
+		ctx:     ctx,
+		timeout: timeout,
+	}
+}
+
+func (s *containerImageSignatureDownloader) DownloadImageSignatures(image *imageapi.Image) ([]imageapi.ImageSignature, error) {
+	reference, err := docker.ParseReference("//" + image.DockerImageReference)
+	if err != nil {
+		return nil, err
+	}
+	source, err := reference.NewImageSource(nil, nil)
+	if err != nil {
+		return nil, err
+	}
+	defer source.Close()
+
+	ctx, cancel := context.WithTimeout(s.ctx, s.timeout)
+	defer cancel()
+
+	signatures, err := source.GetSignatures(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	ret := []imageapi.ImageSignature{}
+	for _, blob := range signatures {
+		sig := imageapi.ImageSignature{Type: imageapi.ImageSignatureTypeAtomicImageV1}
+		// This will use the name of the image (sha256:xxxx) and the SHA256 of the
+		// signature itself as the signature name has to be unique for each
+		// signature.
+		sig.Name = imageapi.JoinImageStreamImage(image.Name, fmt.Sprintf("%x", sha256.Sum256(blob)))
+		sig.Content = blob
+		sig.Annotations = map[string]string{
+			SignatureManagedAnnotation: "true",
+		}
+		sig.CreationTimestamp = metav1.Now()
+		ret = append(ret, sig)
+	}
+	return ret, nil
+}