Sign bundle manifest excluding certain fields and add the signature as an annotation #9150

Merged
merged 4 commits into from
Jan 23, 2025

@sp1999 sp1999 commented Jan 10, 2025

Issue #, if available:
#2855

Description of changes:
This PR adds bundle manifest signing to the EKS-A release CLI to prevent tampering for extended Kubernetes version support, and also adds the signature as an annotation to the bundle so that it can be fetched by the controller for signature verification.

This PR also fixes all the lint errors in the release folder. Following are the most common lint errors:

1. api/v1alpha1/bundle_types.go:330:6: exported: exported type TinkerbellBundle should have comment or be unexported (revive)
type TinkerbellBundle struct {
     ^

2. api/v1alpha1/release_types.go:85:2: var-naming: struct field BundleManifestUrl should be BundleManifestURL (revive)
        BundleManifestUrl string `json:"bundleManifestUrl"`
        ^

3. api/v1alpha1/bundle_types_test.go:20:2: dot-imports: should not use dot imports (revive)
        . "github.com/onsi/gomega"
        ^

The second and third errors have been ignored by using a //nolint:revive comment.

Testing (if applicable):
Ran the following commands from the root folder:

make -C release build
make -C release lint
make -C release unit-test
CGO_ENABLED=0 make -C release dev-release

Verified that the generated bundle manifest has the expected annotations:

apiVersion: anywhere.eks.amazonaws.com/v1alpha1
kind: Bundles
metadata:
  annotations:
    anywhere.eks.amazonaws.com/excludes: 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
    anywhere.eks.amazonaws.com/signature: MEQCIHpe9cu3f6RJJI9PWcPh4ioVl5sXr4sPxUPH/dDESRoWAiBvcL8SAYXxnFqYQ4yYgsXoQc/IJemG1dejaJJOhiwQmg==
  creationTimestamp: "2025-01-12T19:07:26Z"
  name: bundles-0
spec:
  cliMaxVersion: v0.0.0
  cliMinVersion: v0.0.0
  number: 0
  versionsBundles:

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
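
The sign-with-exclusions scheme described in this PR, sketched as an added example; it is not code from the PR or from the EKS Anywhere repository. It assumes the manifest in JSON form, an exclusion list supplied by the verifier as key paths, and ECDSA P-256 over SHA-256 with a throwaway key; `remove`, `Digest` and `Verify` are hypothetical names.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

func remove(node map[string]any, path ...string) (v any) { // delete the value at path, return it
	for i, k := range path {
		if v = node[k]; i == len(path)-1 {
			delete(node, k)
		}
		node, _ = v.(map[string]any) // nil map once the path runs out
	}
	return v
}

// Digest (assumed scheme) hashes the manifest minus the signature annotation and excluded paths.
func Digest(manifest []byte, excludes [][]string) (sum [32]byte, sig string, err error) {
	var doc map[string]any
	dec := json.NewDecoder(bytes.NewReader(manifest))
	dec.UseNumber() // keep number literals exact instead of rounding through float64
	err = dec.Decode(&doc)
	sig, _ = remove(doc, "metadata", "annotations", "anywhere.eks.amazonaws.com/signature").(string)
	for _, p := range excludes {
		remove(doc, p...)
	}
	canon, _ := json.Marshal(doc) // map keys are emitted sorted, so the bytes are deterministic
	return sha256.Sum256(canon), sig, err
}

// Verify (hypothetical name) checks the signature annotation carried inside the manifest itself.
func Verify(pub *ecdsa.PublicKey, manifest []byte, excludes [][]string) bool {
	sum, sig, err := Digest(manifest, excludes)
	raw, decErr := base64.StdEncoding.DecodeString(sig)
	return err == nil && decErr == nil && ecdsa.VerifyASN1(pub, sum[:], raw)
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // throwaway demo key
	sum, _, _ := Digest([]byte(`{"spec":{"number":0}}`), nil) // constructed manifest
	raw, _ := ecdsa.SignASN1(rand.Reader, key, sum[:])
	fmt.Println(base64.StdEncoding.EncodeToString(raw))
}
```

In this sketch only the signature annotation and the verifier's own exclusion list are stripped before hashing, so every other annotation and field stays inside the signed bytes.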

@eks-distro-bot eks-distro-bot added do-not-merge/work-in-progress size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jan 10, 2025

codecov bot commented Jan 10, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 72.37%. Comparing base (3711d8f) to head (81410a5).
Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #9150   +/-   ##
=======================================
  Coverage   72.37%   72.37%           
=======================================
  Files         585      585           
  Lines       45708    45708           
=======================================
  Hits        33082    33082           
  Misses      10888    10888           
  Partials     1738     1738           


@sp1999 sp1999 force-pushed the sign-bundle-manifest branch from 29c8ecf to c159791 Compare January 10, 2025 07:42

sp1999 commented Jan 10, 2025

/hold
/approve

@eks-distro-bot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sp1999

@sp1999 sp1999 changed the title [WIP] Sign bundle manifest excluding certain fields and add the signature as an annotation Sign bundle manifest excluding certain fields and add the signature as an annotation Jan 10, 2025
@sp1999 sp1999 force-pushed the sign-bundle-manifest branch from c159791 to 85a7667 Compare January 12, 2025 19:00
@eks-distro-bot eks-distro-bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jan 12, 2025

sp1999 commented Jan 12, 2025

/unhold

release/cli/pkg/signature/manifest.go (outdated, resolved)
.golangci.yml (resolved)

@@ -54,6 +54,6 @@ const (
// (January 2, 15:04:05, 2006, in time zone seven hours west of GMT).
YYYYMMDD = "2006-01-02"

MAX_IMAGES_PER_REPOSITORY = 10000
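
Review bot: MAX_IMAGES_PER_REPOSITORY = 10000 on the last line of this hunk has no comment saying what the limit applies to or why it is 10000, while YYYYMMDD just above it is documented. If the line is being touched only for naming, add a one-line doc comment on the constant at the same time, and confirm that every use of the identifier elsewhere is renamed in the same commit.
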
Member

Is this just to make the Go code idiomatic?

Member Author

Yes

release/cli/pkg/operations/bundle_release.go (resolved)
release/cli/pkg/signature/manifest.go (outdated, resolved)
@sp1999 sp1999 force-pushed the sign-bundle-manifest branch from 63ccf56 to 81410a5 Compare January 23, 2025 05:08
@eks-distro-bot eks-distro-bot merged commit 00b042f into aws:main Jan 23, 2025
10 of 11 checks passed
@sp1999 sp1999 deleted the sign-bundle-manifest branch January 23, 2025 05:28
Labels
approved lgtm size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
3 participants