feat(notation): add support for notation in HelmChart and OCIRepository configuration

[JasonTheDeveloper]

This PR introduces notation as an additional option to cosign as a provider to verify the signature of source helmchart/ocirepository deployment.

This PR is related to issue #1072.

Testing

To test the changes to helmchart and ocirepository I have included a couple example configuration deployments under config/testdata/helmchart-from-oci and /workspaces/source-controller/config/testdata/ocirepository. These manifests are also deployed when running make e2e.

These manifests deploy a forked version of stefanprodan's podinfo, singed using notation and stored in my ghcr found here: https://github.com/JasonTheDeveloper?tab=packages&repo_name=podinfo.

Sample trust store policy and public key needed for verification can also be found here: https://github.com/JasonTheDeveloper/podinfo/tree/feat/notation/.notation.

Todo

• Expand on unit tests
• Update documentation
• Add examples
• Update Flux CLI subcommand flux create secret to generate notation configuration

[makkes]

Thanks @JasonTheDeveloper for creating this PR! I'd be happy to help getting this over the line. Are you planning to add the missing tests and documentation anytime soon? Happy to chat on the CNCF Slack as well.

[JasonTheDeveloper]

Thanks @JasonTheDeveloper for creating this PR! I'd be happy to help getting this over the line. Are you planning to add the missing tests and documentation anytime soon? Happy to chat on the CNCF Slack as well.

@makkes - I have added the missing tests. I'll be adding the documentation later today. Apologies for taking so long to getting around to finishing off this PR. Originally, I was holding off until notation 1.0.0 was released to the public just in case there were any major changes prior to going public. Looks like that happened a couple months ago 😅

[souleb]

Thanks for this contribution @JasonTheDeveloper. I left some comments

[souleb]

can you put this in a separate PR?

[souleb]

can you also rebase your branch?

[JasonTheDeveloper]

We could check for skip and set trustStores/trustedIdentities to an empty string array + log so that notation doesn't complain.

Yes maybe this could be a function that take a trustPolicy and return a cleaned version that we can use for the verifier instantiation.

I've created a new func in 86e98fa and added unit tests in a4c93d9.

[darkowlzz]

I did some manual testing with OCIRepository, tried various things to break the implementation but so far everything looks good to me.
TestOCIRepository_reconcileSource_verifyOCISourceTrustPolicyNotation tests are great for confidence in the correctness.

I've left a few suggestions for minor improvements.

Will do final OCI HelmChart testing next.

[darkowlzz]

I did manual testing for OCI HelmChart verification and it also worked very well.
I'm confident with the results.

Going through the code, I found some potential bugs and inconsistencies, nothing major. Left comment for those. Please have a look.
Once these and the previous comments are addressed, I will approve this PR.

Thanks for all the work on this.

[darkowlzz]

LGTM!
Thanks for spending so much time on getting this right.

Would be great if you could squash all the commits to a few relevant commits if possible.

[JasonTheDeveloper]

@darkowlzz thank you so much for the approval! I tried to create separate squash commits to group things into "like" commits but it was taking too long so instead squashed everything into the one commit. Hope that's fine.

[souleb]

@JasonTheDeveloper do you mind rewriting the commit message. You may want to have a look at https://github.com/fluxcd/flux2/blob/main/CONTRIBUTING.md#format-of-the-commit-message

[stefanprodan]

LGTM

Awesome contribution! Thanks @JasonTheDeveloper and @jagpreetstamber 🥇

[JasonTheDeveloper]

@souleb something like this? Add verification support for notation signed artifacts

[souleb]

LGTM.

Thanks for your outstanding contribution and your willingness to accommodate and work through all the changes requested.