This repository is currently undergoing active development. Functionality may be in flux

$ oc new-project image-management

$ oc apply -f deploy/crds/imagesigningrequests.cop.redhat.com_imagesigningrequests_crd.yaml
$ oc apply -f deploy/service_account.yaml
$ oc apply -f deploy/role.yaml
$ oc apply -f deploy/role_binding.yaml
$ oc apply -f deploy/scc.yaml
$ oc apply -f deploy/secret.yaml

Apply the operator to the image-management namespace

$ oc apply -f deploy/operator.yaml

This operator supports a wide range of registry types when declaring an image to sign. The type and location of the image to sign are found within the containerImage attribute of the ImageSigningRequest CR.

Traditional format for utalizing a remote container, either by specifying a tag or digest. These are of kind ContainerRepository under the containerImage attribute.

containerImage:
  kind: ContainerRepository
  name: quay.io/redhat-cop/image-scanning-signing-service:latest

containerImage:
  kind: ContainerRepository
  name: quay.io/redhat-cop/image-scanning-signing-service&sha256:a47ae897b964f1e543452c31a24bbd3d46ed5830f4a6d9992be97d0ce61ceb6b

Sepcify an OCP ImageStream along with the corresponding tag of the desired image to sign. These are of kind ImageStreamTag under the containerImage attribute.

containerImage:
  kind: ImageStreamTag
  name: image-scanning-signing-service:latest

A pull secret can be included in the ImageSigningRequest for when needing to access a private repository to sign images.

spec:
  containerImage:
    kind: ContainerRepository
    name: quay.io/redhat-cop/image-scanning-signing-service:latest
  pullSecret
    name: quay

There are two options to create the secret needed for accessing a private repository.

If using docker login locally you can use your existing config.json file to create a secret with your tokens needed for remote login.

⚠️ Security Risk: This will upload the tokens for all remote repositories that you have logged into locally.

 oc secrets new <pull_secret_name> \
     .dockerconfigjson=path/to/.docker/config.json

Create a new secret by including your repository's credentials within the oc cli secrets command.

oc secrets new-dockercfg <pull_secret_name> \
    --docker-server=<registry_server> --docker-username=<user_name> \
    --docker-password=<password> --docker-email=<email>

To facilitate Image Signing, the image signer makes use of a ImageSigningRequest Custom Resource Definition which allows users to declare their intent to have an image signed. This section will walk through the process of signing an image after a new image has been built.

OpenShift provides a number of quickstart templates. One of these templates contains a simple .NET Core web application application. This is an ideal use case to showcase image signing in action. Build an Application

First, create a new project called dotnet-example

$ oc new-project dotnet-example

Instantiate the dotnet-example template within the project using the default values specified in the template

$ oc new-app --template=dotnet-example

To declare your intent to sign the previously built image, a new ImageSigningRequest can be created within the project. A typical request is shown below

apiVersion: imagesigningrequests.cop.redhat.com/v1alpha1
kind: ImageSigningRequest
metadata:
  name: dotnet-app
spec:
  containerImage:
    kind: ImageStreamTag
    name: dotnet-example:latest

The above example can be applied to the cluster by running

$ oc apply -f deploy/examples/imagestreamtag.yaml

The signing pod will launch in the image-management namespace and handle the signing of the specified image. the ImageSigningRequest in the dotnet-example namespace will be updated and contain the name of the signed image in the Status section. Confirm this by running

$ oc get imagesigningrequest/dotnet-app -o yaml

Finally, the newly created Image will contain the signatures associated with the signing action. This can be confirmed by running the following command:

$ oc get image $(oc get imagesigningrequest dotnet-app --template='{{ .status.signedImage }}') -o yaml