doc: add job-docs

Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de>

README.md

@@ -18,7 +18,8 @@ The image contains versions of `k8s.io/client-go`. Kubernetes aims to provide fo
 
 | sbom-operator   | k8s.io/{api,apimachinery,client-go} | expected kubernetes compatibility |
 |-----------------|-------------------------------------|-----------------------------------|
-| main            | v0.23.5                             | 1.22.x, 1.23.x, 1.24.x            |
+| main            | v0.23.6                             | 1.22.x, 1.23.x, 1.24.x            |
+| 0.10.0          | v0.23.6                             | 1.22.x, 1.23.x, 1.24.x            |
 | 0.9.0           | v0.23.5                             | 1.22.x, 1.23.x, 1.24.x            |
 | 0.8.0           | v0.23.5                             | 1.22.x, 1.23.x, 1.24.x            |
 | 0.7.0           | v0.23.4                             | 1.22.x, 1.23.x, 1.24.x            |
@@ -83,7 +84,10 @@ All parameters are cli-flags.
 | `namespace-label-selector` | `false` | `""` | Kubernetes Label-Selector for namespaces. |
 | `dtrack-base-url` | `true` when `dtrack` target is used | `""` | Dependency-Track base URL, e.g. 'https://dtrack.example.com' |
 | `dtrack-api-key` | `true` when `dtrack` target is used | `""` | Dependency-Track API key |
-| `kubernetes-cluster-id` | `false` | `"default"` | Kubernetes Cluster ID (to be used in Dependency-Track)
+| `kubernetes-cluster-id` | `false` | `"default"` | Kubernetes Cluster ID (to be used in Dependency-Track or Job-Images) |
+| `job-image` | `false` | `""` | Job-Image to process images with instead of Syft |
+| `job-image-pull-secret` | `false` | `""` | Pre-existing pull-secret-name for private job-images |
+| `job-timeout` | `false` | `3600` | Job-Timeout in seconds (`activeDeadlineSeconds`) |
 
 The flags can be configured as args or as environment-variables prefixed with `SBOM_` to inject sensitive configs as secret values.
 
@@ -159,6 +163,26 @@ dev-cluster
                     │   sbom.json
 ```
 
+## Job-Images
+
+If you don't want to use Syft to analyze your images, you can give the Job-Image feature a try. The operator creates a Kubernetes-Job
+which does the analysis with any possible tool inside. There's no target-handling done by the operator, the tool from the job has to process
+the SBOMs on its own. Currently there are two possible integrations:
+
+| Tool | Description |
+| ---- | ----------- |
+| [Codenotary CAS](job-images/cas/README.md) | The Community Attestation Service from Codenotary can notarize your images in the Codenotary Cloud. (free) |
+| [Codenotary VCN](job-images/vcn/README.md) | The VCN-Tool from Codenotary can notarize your images in the Codenotary Cloud. (chargeable) |
+
+This feature is built as generic approach. Any image which follows [these specs](job-images/SPEC.md) can be used as job-image.
+
+Manifest:
+```yaml
+--job-image=ghcr.io/ckotzbauer/sbom-operator/cas:<TAG>
+```
+
+All operator-environment variables prefixed with `SBOM_JOB_` are passed to the Kubernetes job.
+
 
 ## Security
 

job-images/cas/README.md

@@ -0,0 +1,64 @@
+
+# Codenotary Community Attestation Service
+
+> Integrates Codenotary's "Community Attestation Service" (CAS) with the SBOM-Operator.
+
+This Job-Image notarizes your images with CAS.
+
+## Usage
+
+1. Visit [cas.codenotary.com](https://cas.codenotary.com/) and create an API-Key.
+2. Add the following flag to the operator-installation.
+
+Manifest:
+```yaml
+--job-image=ghcr.io/ckotzbauer/sbom-operator/cas:<TAG>
+```
+
+Helm:
+```yaml
+args:
+  job-image: ghcr.io/ckotzbauer/sbom-operator/cas:<TAG>
+```
+
+3. Add the API-Key as environment variable.
+
+Manifest:
+```yaml
+env:
+  - name: SBOM_JOB_CAS_API_KEY
+    value: "<KEY>"
+```
+
+Helm:
+```yaml
+envVars:
+  - name: SBOM_JOB_CAS_API_KEY
+    value: "<KEY>"
+```
+
+
+The job-images are always tagged with the same versions as the operator itself.
+The flag instructs the operator to not analyze the container-images with Syft, but create a Kubernetes Job instead with the given job-image.
+The job will notarize all images which are selected by the operator with CAS. When the job has finished it will be in state "Completed"
+when there were no errors during notarization. All pods from the analyzed images are annotated then. There's no target-handling from the operator
+for the analyze-result, as the Codenotary Attestation Service is doing this for us.
+
+## Notes
+
+- The Pod-Name, Pod-Namespace and the cluster-name are stored as notarization-attributes.
+- Environment variables from on the operator prefixed with `SBOM_JOB_` are passed to the job without the prefix.
+- Use the `SBOM_JOB_CAS_EXTRA_ARGS` env to pass custom flags to the `cas notarize` command.
+- The job-container needs to be privileged, as CAS needs the Docker-Daemon to read the images from.
+- CAS currently does not support distroless images and images where no package-manager is installed.
+- There's a bug in CAS, that some images could not be notarized (error-messages like `stream copy error: reading from a closed fifo` are appearing)
+- All bugs or behaviours from CAS which could not be handled by the operator or the `entrypoint.sh` are out-of-scope of this repo.
+
+## Verifying an notarized image (manually)
+
+```
+docker pull alpine:3.15
+cas authenticate --bom docker://alpine:3.15
+```
+
+See the official Codenotary docs for more infos.

job-images/vcn/README.md

@@ -0,0 +1,69 @@
+
+# Codenotary VCN
+
+> Integrates Codenotary's VCN with the SBOM-Operator.
+
+This Job-Image notarizes your images with VCN.
+
+## Usage
+
+1. Reach out to Codenotary to get an API-Key for the VCN tool. If you're searching for the free Attestation Service from Codenotary
+use the CAS-Image instead.
+2. Add the following flag to the operator-installation.
+
+Manifest:
+```yaml
+--job-image=ghcr.io/ckotzbauer/sbom-operator/vcn:<TAG>
+```
+
+Helm:
+```yaml
+args:
+  job-image: ghcr.io/ckotzbauer/sbom-operator/vcn:<TAG>
+```
+
+3. Add the API-Key and the VCN-Host as environment variables.
+
+Manifest:
+```yaml
+env:
+  - name: SBOM_JOB_VCN_LC_API_KEY
+    value: "<KEY>"
+  - name: SBOM_JOB_VCN_LC_HOST
+    value: "<HOST>"
+```
+
+Helm:
+```yaml
+envVars:
+  - name: SBOM_JOB_VCN_LC_API_KEY
+    value: "<KEY>"
+  - name: SBOM_JOB_VCN_LC_HOST
+    value: "<HOST>"
+```
+
+
+The job-images are always tagged with the same versions as the operator itself.
+The flag instructs the operator to not analyze the container-images with Syft, but create a Kubernetes Job instead with the given job-image.
+The job will notarize all images which are selected by the operator with VCN. When the job has finished it will be in state "Completed"
+when there were no errors during notarization. All pods from the analyzed images are annotated then. There's no target-handling from the operator
+for the analyze-result, as the Codenotary Cloud is doing this for us.
+
+## Notes
+
+- The Pod-Name, Pod-Namespace and the cluster-name are stored as notarization-attributes.
+- Environment variables from on the operator prefixed with `SBOM_JOB_` are passed to the job without the prefix.
+- Use the `SBOM_JOB_VCN_EXTRA_ARGS` env to pass custom flags to the `vcn notarize` command.
+- The job-container needs to be privileged, as VCN needs the Docker-Daemon to read the images from.
+- VCN currently does not support distroless images and images where no package-manager is installed.
+- There's a bug in VCN, that some images could not be notarized (error-messages like `stream copy error: reading from a closed fifo` are appearing)
+- All bugs or behaviours from VCN which could not be handled by the operator or the `entrypoint.sh` are out-of-scope of this repo.
+
+## Verifying an notarized image (manually)
+
+```
+docker pull alpine:3.15
+vcn authenticate --bom docker://alpine:3.15
+```
+
+See the official Codenotary docs for more infos.