Add a simple knative service for fetch oidc tokens off the cluster

for testing external access with fulcio as well.

Signed-off-by: Ville Aikas <vaikas@chainguard.dev>

.github/workflows/fulcio-rekor-kind.yaml

@@ -7,7 +7,7 @@ on:
 defaults:
   run:
     shell: bash
-    working-directory: ./src/github.com/vaikas/sigstore-scaffolding
+    working-directory: ./src/github.com/sigstore/scaffolding
 
 concurrency:
   group: fulcio-rekor-kind-${{ github.head_ref }}
@@ -76,15 +76,15 @@ jobs:
     - name: Check out our repo
       uses: actions/checkout@v3
       with:
-        path: ./src/github.com/vaikas/sigstore-scaffolding
+        path: ./src/github.com/sigstore/scaffolding
 
     - name: Install cosign
       uses: sigstore/cosign-installer@main
       with:
         cosign-release: 'v1.6.0'
 
     - name: Setup Cluster
-      working-directory: ./src/github.com/vaikas/sigstore-scaffolding
+      working-directory: ./src/github.com/sigstore/scaffolding
       run: |
         ./hack/setup-kind.sh \
           --registry-url $(echo ${KO_DOCKER_REPO} | cut -d'/' -f 1) \
@@ -108,12 +108,8 @@ jobs:
         echo Created image $demoimage
         popd
 
-    - name: Sign with public cosign
-      run: |
-        cosign sign --force --allow-insecure-registry ${{ env.demoimage }}
-
     - name: Install all the everythings
-      working-directory: ./src/github.com//vaikas/sigstore-scaffolding
+      working-directory: ./src/github.com/sigstore/scaffolding
       timeout-minutes: 20
       run: |
         ko apply -BRf ./config/
@@ -133,8 +129,8 @@ jobs:
           kubectl wait --timeout 10m -n ${ns} --for=condition=Ready pod --all
         done
 
-    - name: Run signing job
-      working-directory: ./src/github.com/vaikas/sigstore-scaffolding
+    - name: Run signing job in k8s using kubernetes tokens in the cluster
+      working-directory: ./src/github.com/sigstore/scaffolding
       run: |
         # Grab the secret from the ctlog-system namespace and make a copy
         # in our namespace so we can get access to the CT Log public key
@@ -146,14 +142,14 @@ jobs:
         kubectl wait --for=condition=Complete --timeout=90s job/sign-job
 
     - name: Check that an entry was created in Rekor
-      working-directory: ./src/github.com/vaikas/sigstore-scaffolding
+      working-directory: ./src/github.com/sigstore/scaffolding
       run: |
         ko apply -f ./testdata/config/checktree
 
         kubectl wait --for=condition=Complete --timeout=90s job/checktree
 
-    - name: Verify the image with cosign
-      working-directory: ./src/github.com/vaikas/sigstore-scaffolding
+    - name: Verify the image with cosign using kubernetes tokens in the cluster
+      working-directory: ./src/github.com/sigstore/scaffolding
       run: |
         # Grab the secret from the fulcio-system namespace and make a copy
         # in our namespace so we can get access to the Fulcio public key
@@ -163,6 +159,13 @@ jobs:
 
         kubectl wait --for=condition=Complete --timeout=180s job/verify-job
 
+    # TODO(vaikas): There should be a fake issuer on the cluster
+    - name: Install a Knative service for fetch tokens off the cluster
+      run: |
+        ko apply -f ./testdata/config/gettoken
+        sleep 2
+        kubectl wait --for=condition=Ready --timeout=15s ksvc gettoken
+
     - name: Set the endpoints on the cluster and grab secrets
       run: |
         REKOR_URL=`kubectl -n rekor-system get --no-headers ksvc rekor | cut -d ' ' -f 4`
@@ -172,17 +175,21 @@ jobs:
         CTLOG_URL=`kubectl -n ctlog-system get --no-headers ksvc ctlog | cut -d ' ' -f 4`
         echo "CTLOG_URL=$CTLOG_URL" >> $GITHUB_ENV
 
+        ISSUER_URL=`kubectl get --no-headers ksvc gettoken | cut -d ' ' -f 4`
+        echo "ISSUER_URL=$ISSUER_URL" >> $GITHUB_ENV
+        OIDC_TOKEN=`curl -s $ISSUER_URL`
+
         kubectl -n ctlog-system get secrets ctlog-public-key -o=jsonpath='{.data.public}' | base64 -d > ./ctlog-public.pem
         echo "SIGSTORE_CT_LOG_PUBLIC_KEY_FILE=./ctlog-public.pem" >> $GITHUB_ENV
 
         kubectl -n fulcio-system get secrets fulcio-secret -ojsonpath='{.data.cert}' | base64 -d > ./fulcio-root.pem
         echo "SIGSTORE_ROOT_FILE=./fulcio-root.pem" >> $GITHUB_ENV
 
-    - name: Sign with cosign
+    - name: Sign with cosign from the job using Github token
       run: |
-        cosign sign --rekor-url ${{ env.REKOR_URL }} --fulcio-url ${{ env.FULCIO_URL }} --force --allow-insecure-registry ${{ env.demoimage }}
+        cosign sign --rekor-url ${{ env.REKOR_URL }} --fulcio-url ${{ env.FULCIO_URL }} --force --allow-insecure-registry ${{ env.demoimage }} --identity-token ${{ env.OIDC_TOKEN }}
 
-    - name: Verify with cosign
+    - name: Verify with cosign from the job using Github token
       run: |
         SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY=1 cosign verify --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }}
 

cmd/getoidctoken/main.go

@@ -0,0 +1,62 @@
+// Copyright 2022 The Sigstore Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"log"
+	"net/http"
+
+	"github.com/kelseyhightower/envconfig"
+)
+
+type envConfig struct {
+	FileName string `envconfig:"OIDC_FILE" default:"/var/run/sigstore/cosign/oidc-token" required:"true"`
+}
+
+// tokenFile is where we mount the oidc token from k8s.
+//const tokenFile = "/var/run/sigstore/cosign/oidc-token"
+const tokenFile = "/Users/vaikas/projects/go/src/github.com/sigstore/scaffolding/ctlog-public.pem"
+
+func tokenWriter(filename string) func(http.ResponseWriter, *http.Request) {
+	return func(w http.ResponseWriter, req *http.Request) {
+		getToken(filename, w, req)
+	}
+}
+func getToken(tokenFile string, w http.ResponseWriter, req *http.Request) {
+	content, err := ioutil.ReadFile(tokenFile)
+	if err != nil {
+		log.Print("failed to read token file", err)
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	_, err = fmt.Fprint(w, string(content))
+	if err != nil {
+		log.Print("failed to write token file to response", err)
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+	}
+}
+
+func main() {
+	var env envConfig
+	if err := envconfig.Process("", &env); err != nil {
+		log.Fatalf("failed to process env var: %s", err)
+	}
+	http.HandleFunc("/", tokenWriter(env.FileName))
+	if err := http.ListenAndServe(":8080", nil); err != nil {
+		panic(err)
+	}
+}

go.mod

@@ -10,6 +10,7 @@ require (
 	github.com/google/uuid v1.3.0
 	github.com/hashicorp/golang-lru v0.5.4
 	github.com/hashicorp/hcl v1.0.0
+	github.com/kelseyhightower/envconfig v1.4.0
 	github.com/pkg/errors v0.9.1
 	github.com/sigstore/fulcio v0.1.2-0.20220110181937-d890471d8047
 	github.com/sigstore/rekor v0.5.0

go.sum

@@ -1118,6 +1118,7 @@ github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7V
 github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
 github.com/karrick/godirwalk v1.8.0/go.mod h1:H5KPZjojv4lE+QYImBI8xVtrBRgYrIVsaRPx4tDPEn4=
 github.com/karrick/godirwalk v1.10.3/go.mod h1:RoGL9dQei4vP9ilrpETWE8CLOZ1kiN0LhBygSwrAsHA=
+github.com/kelseyhightower/envconfig v1.4.0 h1:Im6hONhd3pLkfDFsbRgu68RDNkGF1r3dvMUtDTo2cv8=
 github.com/kelseyhightower/envconfig v1.4.0/go.mod h1:cccZRl6mQpaq41TPp5QxidR+Sa3axMbJDNb//FQX6Gg=
 github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=

testdata/config/gettoken/gettoken.yaml

@@ -0,0 +1,24 @@
+apiVersion: serving.knative.dev/v1
+kind: Service
+metadata:
+  name: gettoken
+spec:
+  template:
+    spec:
+      containers:
+      - name: gettoken
+        image: ko://github.com/sigstore/scaffolding/cmd/getoidctoken
+        env:
+        - name: OIDC_FILE
+          value: "/var/run/sigstore/cosign/oidc-token"
+        volumeMounts:
+        - name: oidc-info
+          mountPath: /var/run/sigstore/cosign
+      volumes:
+        - name: oidc-info
+          projected:
+            sources:
+              - serviceAccountToken:
+                  path: oidc-token
+                  expirationSeconds: 600
+                  audience: sigstore

third_party/VENDOR-LICENSE/github.com/kelseyhightower/envconfig/LICENSE

@@ -0,0 +1,19 @@
+Copyright (c) 2013 Kelsey Hightower
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.