cosigned: update to release v1.3.0

sigstore · Nov 11, 2021 · a8bbda6 · a8bbda6
2 parents 72bac9e + ee32cd4
commit a8bbda6
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 11 deletions.
diff --git a/charts/cosigned/Chart.yaml b/charts/cosigned/Chart.yaml
@@ -8,8 +8,8 @@ sources:
 type: application
 
 name: cosigned
-version: v0.0.6
-appVersion: v1.2.1
+version: v0.1.0
+appVersion: v1.3.0
 
 maintainers:
   - name: dlorenc
@@ -19,4 +19,4 @@ annotations:
   artifacthub.io/license: Apache-2.0
   artifacthub.io/images: |
     - name: cosigned
-      image: gcr.io/projectsigstore/cosigned:v1.2.1@sha256:44c89910a4a480fe3d9ab1733d09a357e7fd681cfc1d964752ffe1b83600cb9f
+      image: gcr.io/projectsigstore/cosigned:1.3.0@sha256:9fe107b183d6c6badaca52e380720c0549db09b645d055f00601797f48060aa2
diff --git a/charts/cosigned/README.md b/charts/cosigned/README.md
@@ -33,7 +33,7 @@ helm repo update
 helm install cosigned -n cosign-system sigstore/cosigned --devel --set webhook.secretKeyRef.name=mysecret
 ```
 
-### Enabling Admission control 
+### Enabling Admission control
 
 To enable the `cosigned admission webhook` to check for signed images, you will need to add the following annotation in each namespace that you would want the webhook triggered:
 
@@ -52,9 +52,9 @@ spec:
   - kubernetes
 ```
 
-### Testing the webhook 
+### Testing the webhook
 
-1. Using Unsigned Images: 
+1. Using Unsigned Images:
 Creating a deployment referencing images that are not signed will yield the following error and no resources will be created:
 
     ```shell

diff --git a/charts/cosigned/templates/webhook/clusterrole_webhook.yaml b/charts/cosigned/templates/webhook/clusterrole_webhook.yaml
@@ -11,11 +11,11 @@ rules:
     verbs: ["create"]
   # Allow the reconciliation of exactly our validating webhook.
   - apiGroups: ["admissionregistration.k8s.io"]
-    resources: ["validatingwebhookconfigurations"]
+    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
     verbs: ["list", "watch"]
 
   - apiGroups: ["admissionregistration.k8s.io"]
-    resources: ["validatingwebhookconfigurations"]
+    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
     verbs: ["get", "update"]
     resourceNames: ["cosigned.sigstore.dev"]
 

diff --git a/charts/cosigned/templates/webhook/webhook_mutating.yaml b/charts/cosigned/templates/webhook/webhook_mutating.yaml
@@ -0,0 +1,19 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: cosigned.sigstore.dev
+webhooks:
+- name: cosigned.sigstore.dev
+  namespaceSelector:
+    # The webhook should only apply to things that opt-in
+    matchExpressions:
+    - key: cosigned.sigstore.dev/include
+      operator: In
+      values: ["true"]
+  admissionReviewVersions: [v1]
+  clientConfig:
+    service:
+      name: webhook
+      namespace: {{ .Release.Namespace }}
+  failurePolicy: Fail
+  sideEffects: None
diff --git a/charts/cosigned/values.yaml b/charts/cosigned/values.yaml
@@ -8,8 +8,8 @@ webhook:
   name: webhook
   image:
     repository: gcr.io/projectsigstore/cosigned
-    # crane digest gcr.io/projectsigstore/cosigned:v1.2.1
-    version: sha256:44c89910a4a480fe3d9ab1733d09a357e7fd681cfc1d964752ffe1b83600cb9f
+    # crane digest gcr.io/projectsigstore/cosigned:1.3.0
+    version: sha256:9fe107b183d6c6badaca52e380720c0549db09b645d055f00601797f48060aa2
     pullPolicy: IfNotPresent
   env: {}
   extraArgs: {}
@@ -26,7 +26,7 @@ webhook:
   podSecurityContext:
     allowPrivilegeEscalation: false
     readOnlyRootFilesystem: true
-    runAsNonRoot: true
+    runAsUser: 1000
     capabilities:
       drop:
       - all