cosign-gatekeeper-provider
Support Gatekeeper v3.11 External Data Beta API
Description
The provider is not compatible with Gatekeeper v3.11+:
$ k apply -f https://raw.githubusercontent.com/sigstore/cosign-gatekeeper-provider/main/manifest/provider.yaml
Warning: externaldata.gatekeeper.sh/v1alpha1 is deprecated. Use externaldata.gatekeeper.sh/v1beta1 instead.
Error from server: error when creating "https://raw.githubusercontent.com/sigstore/cosign-gatekeeper-provider/main/manifest/provider.yaml": admission webhook "validation.gatekeeper.sh" denied the request: only HTTPS scheme is supported for Providers
From here:
starting with Gatekeeper v3.11.0, TLS or mutual TLS (mTLS) via HTTPS protocol are required between Gatekeeper and external data providers with a minimum TLS version of 1.3.
Would need to figure out the best way to supply the provider with rotating certs. They could just be mounted from a Secret. The caBundle field in the Provider spec will also need to be updated with the CA cert chain that signed the provider's server cert.
From here:
To verify the authenticity of the Gatekeeper certificate, the external data provider must have access to Gatekeeper's CA certificate.
It should be the recommendation to run the provider in the gatekeeper-system namespace so the provider can access the Gatekeeper CA in the gatekeeper-webhook-server-cert Secret.
Hey @bdun1013, thanks for the issue.
Would need to figure out the best way to supply the provider with rotating certs. They could just be mounted from a Secret.
Yes. Maybe we can use secrets resource to support hot-reloading feature by using SharedInformers. Or just calling an external endpoint to fetch cert and cache into internal memory would solve the problem.
It should be the recommendation to run the provider in the gatekeeper-system namespace so the provider can access the Gatekeeper CA in the gatekeeper-webhook-server-cert Secret.
Definitely.
We should also update all the go.mod dependencies to sync with latest version of sigstore packages.
Would you like to submit a PR for this?
/cc @developer-guy
Hey @Dentrax, what about potentially using the cert-controller library, which is used by Gatekeeper?
I opened up https://github.com/open-policy-agent/cert-controller/issues/54 to add support for injecting the caBundle into Provider resources.
Hi @bdun1013, out of curiosity, now that https://github.com/open-policy-agent/cert-controller/pull/55 is implemented, what are the next steps here?
Also, is the planned implementation you mentioned earlier in this thread close to what Ratify does? Not asking to do the same, but curious to know the differences if any as they are using the same external data feature of Gatekeeper.
@Dentrax what are the next steps here?
any updates about this?
Is there a set example and documentation for gatekeeper where it resolves this error?
{"errors": null, "responses": null, "status_code": 500, "system_error": "failed to send external data request: Post \"https://cosign-gatekeeper-provider.cosign-gatekeeper-provider:8090/validate\": http: server gave HTTP response to HTTPS client"}
hey, any updates on the above? thanks!
Is there a set example and documentation for gatekeeper where it resolves this error?
{"errors": null, "responses": null, "status_code": 500, "system_error": "failed to send external data request: Post \"https://cosign-gatekeeper-provider.cosign-gatekeeper-provider:8090/validate\": http: server gave HTTP response to HTTPS client"}
read the first post in this thread