Auto-detect sigstore ClusterImagePolicy for EDPM signature verification

When a disconnected environment has a ClusterImagePolicy configured with
sigstore (cosign) signature verification for a mirror registry, the
openstack-operator now auto-detects it and passes the necessary ansible
variables to edpm-ansible for configuring signature verification on EDPM
data plane nodes.

if ClusterImagePolicy CRD is not installed or no relevant policy exists,
the operator continues without enabling signature verification.
This maintains backward compatibility.

Requires: OCP 4.20+ (sigstore GA) and oc-mirror v2.

There would be a follow-up edpm-ansible patch to use these ansible
vars.

jira: OSPRH-28852
Change-Id: I2cbc4e83884562bd17065ee7158e00e5c9b12160
Signed-off-by: rabi <ramishra@redhat.com>

Author: rabi

cmd/main.go

@@ -50,6 +50,7 @@ import (
 	certmgrv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 	k8s_networkv1 "github.com/k8snetworkplumbingwg/network-attachment-definition-client/pkg/apis/k8s.cni.cncf.io/v1"
 	ocp_configv1 "github.com/openshift/api/config/v1"
+	ocp_configv1alpha1 "github.com/openshift/api/config/v1alpha1"
 	machineconfig "github.com/openshift/api/machineconfiguration/v1"
 	ocp_image "github.com/openshift/api/operator/v1alpha1"
 	routev1 "github.com/openshift/api/route/v1"
@@ -124,6 +125,7 @@ func init() {
 	utilruntime.Must(certmgrv1.AddToScheme(scheme))
 	utilruntime.Must(barbicanv1.AddToScheme(scheme))
 	utilruntime.Must(ocp_configv1.AddToScheme(scheme))
+	utilruntime.Must(ocp_configv1alpha1.Install(scheme))
 	utilruntime.Must(ocp_image.AddToScheme(scheme))
 	utilruntime.Must(machineconfig.AddToScheme(scheme))
 	utilruntime.Must(k8s_networkv1.AddToScheme(scheme))

internal/dataplane/inventory.go

@@ -168,6 +168,24 @@ func GenerateNodeSetInventory(ctx context.Context, helper *helper.Helper,
 		}
 	}
 
+	// Propagate sigstore verification settings from ClusterImagePolicy to EDPM.
+	if hasMirrorRegistries {
+		sigstorePolicy, err := util.GetSigstoreImagePolicy(ctx, helper)
+		if err != nil {
+			return "", fmt.Errorf("failed to get ClusterImagePolicy for sigstore verification: %w", err)
+		} else if sigstorePolicy != nil {
+			nodeSetGroup.Vars["edpm_container_signature_verification"] = true
+			nodeSetGroup.Vars["edpm_container_signature_mirror_registry"] = sigstorePolicy.MirrorRegistry
+			nodeSetGroup.Vars["edpm_container_signature_cosign_key_data"] = sigstorePolicy.CosignKeyData
+			if sigstorePolicy.SignedPrefix != "" {
+				nodeSetGroup.Vars["edpm_container_signature_signed_prefix"] = sigstorePolicy.SignedPrefix
+			}
+		} else {
+			helper.GetLogger().Info("No sigstore ClusterImagePolicy found for mirror registries. " +
+				"Continuing without signature verification on dataplane nodes.")
+		}
+	}
+
 	// add TLS ansible variable
 	nodeSetGroup.Vars["edpm_tls_certs_enabled"] = instance.Spec.TLSEnabled
 	if instance.Spec.Tags != nil {

internal/dataplane/util/image_registry.go

@@ -8,6 +8,7 @@ import (
 	"strings"
 
 	ocpconfigv1 "github.com/openshift/api/config/v1"
+	ocpconfigv1alpha1 "github.com/openshift/api/config/v1alpha1"
 	mc "github.com/openshift/api/machineconfiguration/v1"
 	ocpicsp "github.com/openshift/api/operator/v1alpha1"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
@@ -151,6 +152,65 @@ func getMachineConfig(ctx context.Context, helper *helper.Helper) (mc.MachineCon
 	return masterMachineConfig, nil
 }
 
+// SigstorePolicyInfo contains the EDPM-relevant parts of a ClusterImagePolicy.
+type SigstorePolicyInfo struct {
+	MirrorRegistry string
+	CosignKeyData  string
+	SignedPrefix   string
+}
+
+// GetSigstoreImagePolicy checks if OCP has a ClusterImagePolicy configured
+// with sigstore signature verification for mirror registries.
+// Returns policy info if a relevant policy is found, nil if no policy exists.
+// Returns nil without error if the ClusterImagePolicy CRD is not installed.
+func GetSigstoreImagePolicy(ctx context.Context, helper *helper.Helper) (*SigstorePolicyInfo, error) {
+	policyList := &ocpconfigv1alpha1.ClusterImagePolicyList{}
+	if err := helper.GetClient().List(ctx, policyList); err != nil {
+		if IsNoMatchError(err) {
+			return nil, nil
+		}
+		return nil, err
+	}
+
+	for _, policy := range policyList.Items {
+		if policy.Name == "openshift" {
+			continue
+		}
+
+		if policy.Spec.Policy.RootOfTrust.PolicyType != ocpconfigv1alpha1.PublicKeyRootOfTrust {
+			continue
+		}
+
+		if policy.Spec.Policy.RootOfTrust.PublicKey == nil {
+			continue
+		}
+
+		keyData := policy.Spec.Policy.RootOfTrust.PublicKey.KeyData
+		if len(keyData) == 0 {
+			continue
+		}
+
+		if len(policy.Spec.Scopes) == 0 {
+			continue
+		}
+		mirrorRegistry := string(policy.Spec.Scopes[0])
+
+		signedPrefix := ""
+		if policy.Spec.Policy.SignedIdentity.MatchPolicy == ocpconfigv1alpha1.IdentityMatchPolicyRemapIdentity &&
+			policy.Spec.Policy.SignedIdentity.PolicyMatchRemapIdentity != nil {
+			signedPrefix = string(policy.Spec.Policy.SignedIdentity.PolicyMatchRemapIdentity.SignedPrefix)
+		}
+
+		return &SigstorePolicyInfo{
+			MirrorRegistry: mirrorRegistry,
+			CosignKeyData:  base64.StdEncoding.EncodeToString(keyData),
+			SignedPrefix:   signedPrefix,
+		}, nil
+	}
+
+	return nil, nil
+}
+
 // GetMirrorRegistryCACerts retrieves CA certificates from image.config.openshift.io/cluster.
 // Returns nil without error if:
 //   - not on OpenShift (Image CRD doesn't exist)

internal/dataplane/util/image_registry_test.go

@@ -25,6 +25,7 @@ import (
 	. "github.com/onsi/gomega" //revive:disable:dot-imports
 
 	ocpidms "github.com/openshift/api/config/v1"
+	ocpconfigv1alpha1 "github.com/openshift/api/config/v1alpha1"
 	mc "github.com/openshift/api/machineconfiguration/v1"
 	ocpicsp "github.com/openshift/api/operator/v1alpha1"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
@@ -50,6 +51,7 @@ func setupTestHelper(includeOpenShiftCRDs bool, objects ...client.Object) *helpe
 	if includeOpenShiftCRDs {
 		_ = ocpicsp.AddToScheme(s)
 		_ = ocpidms.AddToScheme(s)
+		_ = ocpconfigv1alpha1.Install(s)
 		_ = mc.AddToScheme(s)
 	}
 
@@ -544,3 +546,70 @@ func TestGetMirrorRegistryCACerts_ConfigMapNotFound(t *testing.T) {
 	g.Expect(err).ToNot(HaveOccurred())
 	g.Expect(caCerts).To(BeNil())
 }
+
+func TestGetSigstoreImagePolicy_WithRemapIdentity(t *testing.T) {
+	g := NewWithT(t)
+	ctx := context.Background()
+
+	policy := &ocpconfigv1alpha1.ClusterImagePolicy{
+		ObjectMeta: metav1.ObjectMeta{Name: "test-policy"},
+		Spec: ocpconfigv1alpha1.ClusterImagePolicySpec{
+			Scopes: []ocpconfigv1alpha1.ImageScope{"local-registry.example.com:5000"},
+			Policy: ocpconfigv1alpha1.Policy{
+				RootOfTrust: ocpconfigv1alpha1.PolicyRootOfTrust{
+					PolicyType: ocpconfigv1alpha1.PublicKeyRootOfTrust,
+					PublicKey: &ocpconfigv1alpha1.PublicKey{
+						KeyData: []byte("test-public-key"),
+					},
+				},
+				SignedIdentity: ocpconfigv1alpha1.PolicyIdentity{
+					MatchPolicy: ocpconfigv1alpha1.IdentityMatchPolicyRemapIdentity,
+					PolicyMatchRemapIdentity: &ocpconfigv1alpha1.PolicyMatchRemapIdentity{
+						SignedPrefix: "registry.example.com/vendor",
+					},
+				},
+			},
+		},
+	}
+
+	h := setupTestHelper(true, policy)
+
+	result, err := GetSigstoreImagePolicy(ctx, h)
+	g.Expect(err).ToNot(HaveOccurred())
+	g.Expect(result).ToNot(BeNil())
+	g.Expect(result.MirrorRegistry).To(Equal("local-registry.example.com:5000"))
+	g.Expect(result.CosignKeyData).To(Equal(base64.StdEncoding.EncodeToString([]byte("test-public-key"))))
+	g.Expect(result.SignedPrefix).To(Equal("registry.example.com/vendor"))
+}
+
+func TestGetSigstoreImagePolicy(t *testing.T) {
+	g := NewWithT(t)
+	ctx := context.Background()
+
+	policy := &ocpconfigv1alpha1.ClusterImagePolicy{
+		ObjectMeta: metav1.ObjectMeta{Name: "test-policy"},
+		Spec: ocpconfigv1alpha1.ClusterImagePolicySpec{
+			Scopes: []ocpconfigv1alpha1.ImageScope{"local-registry.example.com:5000"},
+			Policy: ocpconfigv1alpha1.Policy{
+				RootOfTrust: ocpconfigv1alpha1.PolicyRootOfTrust{
+					PolicyType: ocpconfigv1alpha1.PublicKeyRootOfTrust,
+					PublicKey: &ocpconfigv1alpha1.PublicKey{
+						KeyData: []byte("test-public-key"),
+					},
+				},
+				SignedIdentity: ocpconfigv1alpha1.PolicyIdentity{
+					MatchPolicy: ocpconfigv1alpha1.IdentityMatchPolicyMatchRepoDigestOrExact,
+				},
+			},
+		},
+	}
+
+	h := setupTestHelper(true, policy)
+
+	result, err := GetSigstoreImagePolicy(ctx, h)
+	g.Expect(err).ToNot(HaveOccurred())
+	g.Expect(result).ToNot(BeNil())
+	g.Expect(result.MirrorRegistry).To(Equal("local-registry.example.com:5000"))
+	g.Expect(result.CosignKeyData).To(Equal(base64.StdEncoding.EncodeToString([]byte("test-public-key"))))
+	g.Expect(result.SignedPrefix).To(BeEmpty())
+}