{"id":13788026,"url":"https://github.com/sigstore/cosign-gatekeeper-provider","last_synced_at":"2025-05-12T02:30:55.610Z","repository":{"id":37979100,"uuid":"430023305","full_name":"sigstore/cosign-gatekeeper-provider","owner":"sigstore","description":"🔮 ✈️ to integrate OPA Gatekeeper's new ExternalData feature with cosign to determine whether the images are valid by verifying their signatures","archived":false,"fork":false,"pushed_at":"2024-04-02T21:10:25.000Z","size":636,"stargazers_count":76,"open_issues_count":24,"forks_count":23,"subscribers_count":11,"default_branch":"main","last_synced_at":"2024-11-14T23:05:57.406Z","etag":null,"topics":["cosign","fulcio","gatekeeper","keyless","opa","rekor","sigstore"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sigstore.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-11-20T06:06:10.000Z","updated_at":"2024-10-03T11:57:10.000Z","dependencies_parsed_at":"2024-08-03T21:01:41.639Z","dependency_job_id":"daeb34c2-0750-4da3-83c2-0adc554e688e","html_url":"https://github.com/sigstore/cosign-gatekeeper-provider","commit_stats":null,"previous_names":["developer-guy/cosign-gatekeeper-provider"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sigstore%2Fcosign-gatekeeper-provider","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sigstore%2Fcosign-gatekeeper-provider/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts
/GitHub/repositories/sigstore%2Fcosign-gatekeeper-provider/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sigstore%2Fcosign-gatekeeper-provider/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sigstore","download_url":"https://codeload.github.com/sigstore/cosign-gatekeeper-provider/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225112973,"owners_count":17422834,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cosign","fulcio","gatekeeper","keyless","opa","rekor","sigstore"],"created_at":"2024-08-03T21:00:34.698Z","updated_at":"2024-11-18T01:31:37.225Z","avatar_url":"https://github.com/sigstore.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# cosign-gatekeeper-provider\nIntegrates [OPA Gatekeeper's new ExternalData feature](https://open-policy-agent.github.io/gatekeeper/website/docs/externaldata) with [cosign](https://github.com/sigstore/cosign) to determine whether images are valid by verifying their signatures.\n\n\u003e This repo is meant for testing the Gatekeeper external data feature. 
Do not use for production.\n\n## Installation\n\n- Deploy Gatekeeper with external data enabled (`--enable-external-data`):\n```sh\nhelm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts\nhelm install gatekeeper/gatekeeper \\\n    --name-template=gatekeeper \\\n    --namespace gatekeeper-system --create-namespace \\\n    --set enableExternalData=true \\\n    --set controllerManager.dnsPolicy=ClusterFirst,audit.dnsPolicy=ClusterFirst \\\n    --version 3.10.0\n```\n_Note: This repository currently only works with Gatekeeper 3.10, where the `externalData` feature is in `alpha`. Support for Gatekeeper 3.11 and the `beta` `externalData` feature is tracked in https://github.com/sigstore/cosign-gatekeeper-provider/issues/20._\n\nNext, install the `cosign-gatekeeper-provider` and its policy:\n\n- `kubectl apply -f manifest`\n\n- `kubectl apply -f manifest/provider.yaml`\n  \u003e Update `url` if it's not `http://cosign-gatekeeper-provider.cosign-gatekeeper-provider:8090` (default)\n\n- `kubectl apply -f policy/template.yaml`\n\n- `kubectl apply -f policy/constraint.yaml`\n\n## Verification\n\nTo test this, first sign one of your images with the [cosign](https://github.com/sigstore/cosign#installation) tool.\n\nGenerate a key pair:\n```shell\n$ cosign generate-key-pair\n```\n\nThere are two example manifests under `policy/examples`: a valid one that references a signed image and an invalid one that references an unsigned image. To reproduce them, copy both images into your own registry and sign only the first one with the key generated above:\n\n```shell\n$ crane copy alpine:latest devopps/alpine:signed\n$ crane copy alpine:3.14 devopps/alpine:unsigned\n$ cosign sign --key cosign.key devopps/alpine:signed\n```\n\nOnce the images are in place, apply the example manifests one by one. 
Gatekeeper should admit the Pod from `valid.yaml` and deny the Pod from the other manifest.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsigstore%2Fcosign-gatekeeper-provider","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsigstore%2Fcosign-gatekeeper-provider","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsigstore%2Fcosign-gatekeeper-provider/lists"}
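The provider that the README installs sits behind Gatekeeper's external data hook: on admission Gatekeeper POSTs the image references it finds in the Pod to the provider `url`, the provider answers one item per key and attaches an error to every image whose signature does not verify, and the constraint template denies the Pod if any item carries an error. The Go program below is an added example written for this page, not code from the sigstore/cosign-gatekeeper-provider project. It implements that exchange with only the standard library, uses the `externaldata.gatekeeper.sh/v1alpha1` request/response shape as I assume it for Gatekeeper 3.10, and stands in for cosign's signature verification with a constructed allowlist verifier (`AllowlistVerifier`) so that it runs offline; `Denies` plays the part of the constraint's check for an item error or a system error.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
)

// Assumed wire format of Gatekeeper's external data protocol (v1alpha1).
const apiVersion = "externaldata.gatekeeper.sh/v1alpha1"

type ProviderRequest struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Request    struct {
		Keys []string `json:"keys"` // image references found in the Pod
	} `json:"request"`
}

type Item struct {
	Key   string `json:"key"`
	Value string `json:"value,omitempty"`
	Error string `json:"error,omitempty"` // non-empty => constraint denies
}

type ProviderResponse struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Response   struct {
		Idempotent  bool   `json:"idempotent"`
		Items       []Item `json:"items"`
		SystemError string `json:"systemError,omitempty"`
	} `json:"response"`
}

// Verifier answers whether an image carries a valid signature. The real
// provider calls cosign here; this example injects it as a parameter.
type Verifier func(image string) error

// AllowlistVerifier is a constructed stand-in for cosign verification:
// only the listed references are treated as signed.
func AllowlistVerifier(signed ...string) Verifier {
	set := map[string]bool{}
	for _, s := range signed {
		set[s] = true
	}
	return func(image string) error {
		if set[image] {
			return nil
		}
		return fmt.Errorf("no valid signature found for %s", image)
	}
}

// NewHandler serves the provider endpoint. A request that cannot be decoded
// is reported as a system error, so the constraint still fails closed.
func NewHandler(verify Verifier) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var resp ProviderResponse
		resp.APIVersion, resp.Kind = apiVersion, "ProviderResponse"
		resp.Response.Idempotent = true // same keys always give the same answer
		var req ProviderRequest
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			resp.Response.SystemError = "unable to decode request: " + err.Error()
		} else {
			for _, key := range req.Request.Keys {
				item := Item{Key: key}
				if err := verify(key); err != nil {
					item.Error = err.Error()
				} else {
					item.Value = key
				}
				resp.Response.Items = append(resp.Response.Items, item)
			}
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(resp)
	})
}

// QueryRaw plays Gatekeeper: it POSTs a body to the handler and decodes the reply.
func QueryRaw(h http.Handler, body []byte) (ProviderResponse, error) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, "/validate", bytes.NewReader(body)))
	var resp ProviderResponse
	err := json.NewDecoder(rec.Body).Decode(&resp)
	return resp, err
}

// Query builds a well-formed ProviderRequest for the given images.
func Query(h http.Handler, images []string) (ProviderResponse, error) {
	var req ProviderRequest
	req.APIVersion, req.Kind = apiVersion, "ProviderRequest"
	req.Request.Keys = images
	body, _ := json.Marshal(req)
	return QueryRaw(h, body)
}

// Denies mirrors the constraint template: any item error or system error
// means the Pod is rejected.
func Denies(resp ProviderResponse) bool {
	if resp.Response.SystemError != "" {
		return true
	}
	for _, it := range resp.Response.Items {
		if it.Error != "" {
			return true
		}
	}
	return false
}

func main() {
	verify := AllowlistVerifier("devopps/alpine:signed")
	resp, err := Query(NewHandler(verify), []string{"devopps/alpine:signed", "devopps/alpine:unsigned"})
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, it := range resp.Response.Items {
		fmt.Printf("%s error=%q\n", it.Key, it.Error)
	}
	fmt.Println("deny:", Denies(resp))
}
```

A Pod that mixes the signed and the unsigned image is denied because one item carries an error, a Pod with only the signed image is admitted, and a malformed request is denied through `systemError` rather than admitted by accident. In the real provider the `Verifier` would call cosign with the public key from `cosign generate-key-pair` (or the Fulcio/Rekor keyless flow the repository topics mention), and `Idempotent: true` tells Gatekeeper it may cache the answer for identical keys.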