

Merge pull request #2207 from ningziwen/compose-keyless
Add Cosign keyless mode required args for nerdctl compose
AkihiroSuda committed May 9, 2023
2 parents 3bf0bd4 + 5205495 commit 6deaad8
Showing 4 changed files with 53 additions and 4 deletions.
20 changes: 20 additions & 0 deletions docs/cosign.md
Expand Up @@ -154,6 +154,26 @@ services:
- 8081:80
```

For keyless mode, the `docker-compose.yaml` will be:
```
$ cat docker-compose.yml
services:
svc0:
build: .
image: ${REGISTRY}/svc1_image # replace with your registry
x-nerdctl-verify: cosign
x-nerdctl-sign: cosign
x-nerdctl-cosign-certificate-identity: name@example.com # or x-nerdctl-cosign-certificate-identity-regexp
x-nerdctl-cosign-certificate-oidc-issuer: https://accounts.example.com # or x-nerdctl-cosign-certificate-oidc-issuer-regexp
ports:
- 8080:80
svc1:
build: .
image: ${REGISTRY}/svc1_image # replace with your registry
ports:
- 8081:80
```

> The `env "COSIGN_PASSWORD="$COSIGN_PASSWORD""` part in the below commands is a walkaround to use rootful nerdctl and make the env variable visible to root (in sudo). You don't need this part if (1) you're using rootless, or (2) your `COSIGN_PASSWORD` is visible in root.
First let's `build` and `push` the two services:
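--- a/pkg/cmd/compose/compose.go
+++ b/pkg/cmd/compose/compose.go
@@ -155,5 +155,17 @@ func imageVerifyOptionsFromCompose(ps *serviceparser.Service) types.ImageVerifyO
 if keyVal, ok := ps.Unparsed.Extensions[serviceparser.ComposeCosignPublicKey]; ok {
 opt.CosignKey = keyVal.(string)
 }
+if ciVal, ok := ps.Unparsed.Extensions[serviceparser.ComposeCosignCertificateIdentity]; ok {
+opt.CosignCertificateIdentity = ciVal.(string)
+}
+if cirVal, ok := ps.Unparsed.Extensions[serviceparser.ComposeCosignCertificateIdentityRegexp]; ok {
+opt.CosignCertificateIdentityRegexp = cirVal.(string)
+}
+if coiVal, ok := ps.Unparsed.Extensions[serviceparser.ComposeCosignCertificateOidcIssuer]; ok {
+opt.CosignCertificateOidcIssuer = coiVal.(string)
+}
+if coirVal, ok := ps.Unparsed.Extensions[serviceparser.ComposeCosignCertificateOidcIssuerRegexp]; ok {
+opt.CosignCertificateOidcIssuerRegexp = coirVal.(string)
+}
 return opt
 }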
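Review bot: Every one of the four new assignments reads the extension with a bare `.(string)` assertion, so a compose file that gives, say, `x-nerdctl-cosign-certificate-identity` a list, a mapping or an unquoted number crashes nerdctl with a panic instead of a "bad compose file" error; the public-key branch just above has the same problem, so the fix belongs to the whole function. `imageVerifyOptionsFromCompose` returns only `types.ImageVerifyOptions`, so the least invasive form is a two-value assertion such as `if s, ok := ciVal.(string); ok { opt.CosignCertificateIdentity = s }`, but silently dropping a mistyped identity pin is the wrong direction for a verification policy, and I would rather add an `error` return and adjust the callers (outside this hunk). Independently, nothing here checks that a keyless service sets both an identity and an issuer, or that the plain and `-regexp` variants are not both given; the commit title calls these arguments required, and rejecting bad combinations at parse time with the service name is clearer than whatever cosign reports later during pull. A one-line doc comment would also help: `// imageVerifyOptionsFromCompose maps the x-nerdctl-cosign-* extensions of a service onto cosign verify options; values are passed through unvalidated.`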
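--- a/pkg/composer/pull.go
+++ b/pkg/composer/pull.go
@@ -57,6 +57,19 @@ func (c *Composer) pullServiceImage(ctx context.Context, image string, platform
 if publicKey, ok := ps.Unparsed.Extensions[serviceparser.ComposeCosignPublicKey]; ok {
 args = append(args, "--cosign-key="+publicKey.(string))
 }
+if certificateIdentity, ok := ps.Unparsed.Extensions[serviceparser.ComposeCosignCertificateIdentity]; ok {
+args = append(args, "--cosign-certificate-identity="+certificateIdentity.(string))
+}
+if certificateIdentityRegexp, ok := ps.Unparsed.Extensions[serviceparser.ComposeCosignCertificateIdentityRegexp]; ok {
+args = append(args, "--cosign-certificate-identity-regexp="+certificateIdentityRegexp.(string))
+}
+if certificateOidcIssuer, ok := ps.Unparsed.Extensions[serviceparser.ComposeCosignCertificateOidcIssuer]; ok {
+args = append(args, "--cosign-certificate-oidc-issuer="+certificateOidcIssuer.(string))
+}
+if certificateOidcIssuerRegexp, ok := ps.Unparsed.Extensions[serviceparser.ComposeCosignCertificateOidcIssuerRegexp]; ok {
+args = append(args, "--cosign-certificate-oidc-issuer-regexp="+certificateOidcIssuerRegexp.(string))
+}
+
 if c.Options.Experimental {
 args = append(args, "--experimental")
 }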
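Review bot: The four `--cosign-certificate-*` flags are appended independently, so a service can hand cosign both `--cosign-certificate-identity` and `--cosign-certificate-identity-regexp` (likewise for the issuer), and a service with `x-nerdctl-verify: cosign` but no key, identity or issuer reaches the nested pull with no identity constraint at all; how the nested `nerdctl pull` or cosign treats those cases is outside this hunk, but a compose-time error naming the service would be the safer and clearer place to reject them. As in compose.go, each `.(string)` here is an unchecked assertion that turns a non-string YAML value into a panic rather than an error. One caveat worth a comment next to the two `-regexp` branches: the compose file is the trust policy, and if cosign matches these regexps unanchored (as I recall it does — verify against the cosign version nerdctl vendors) then `name@example\.com` also accepts `name@example.com.evil.example`, so the documented example should show an anchored `^…$` form. The `func (c *Composer) pullServiceImage(` signature is truncated in the hunk header and the rest of the function lies outside the hunk.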
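--- a/pkg/composer/serviceparser/serviceparser.go
+++ b/pkg/composer/serviceparser/serviceparser.go
@@ -37,10 +37,14 @@ import (
 
 // ComposeExtensionKey defines fields used to implement extension features.
 const (
-ComposeVerify = "x-nerdctl-verify"
-ComposeCosignPublicKey = "x-nerdctl-cosign-public-key"
-ComposeSign = "x-nerdctl-sign"
-ComposeCosignPrivateKey = "x-nerdctl-cosign-private-key"
+ComposeVerify = "x-nerdctl-verify"
+ComposeCosignPublicKey = "x-nerdctl-cosign-public-key"
+ComposeSign = "x-nerdctl-sign"
+ComposeCosignPrivateKey = "x-nerdctl-cosign-private-key"
+ComposeCosignCertificateIdentity = "x-nerdctl-cosign-certificate-identity"
+ComposeCosignCertificateIdentityRegexp = "x-nerdctl-cosign-certificate-identity-regexp"
+ComposeCosignCertificateOidcIssuer = "x-nerdctl-cosign-certificate-oidc-issuer"
+ComposeCosignCertificateOidcIssuerRegexp = "x-nerdctl-cosign-certificate-oidc-issuer-regexp"
 )
 
 func warnUnknownFields(svc types.ServiceConfig) {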
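Review bot: The four new keys are declared here, but nothing in the hunk shows `warnUnknownFields` (whose body continues outside the hunk) learning about them; if that function compares a service's `x-` extensions against a list of known keys, a correct keyless compose file would now trigger an unknown-field warning, so that list should be checked. A short comment on the new constants would also tell readers how they pair up, e.g. `// Keyless verification: an identity and an OIDC issuer, each given either literally or as a regexp (the -regexp keys are forwarded to cosign as regular expressions).` — leave out any "exactly one of" wording unless it is actually enforced elsewhere. The realignment of the existing four constants is only gofmt and needs no further review.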

