cosign
manifest: introduce new `resolve` sub command
Description
It would be great to have a new `resolve` as a sub command of `manifest`. What I want to achieve is the ability to do `kbld -f deployment.yml`, but in cosign itself:

```yaml
# BEFORE
image: index.docker.io/*username*/foo:v0.1.0
# AFTER
image: index.docker.io/*username*/foo@SHA256-REPLACED
```
Support list:
| KIND | IMAGE PATH |
|---|---|
| Deployment | spec.template.spec.containers[*].image |
| DaemonSet | spec.template.spec.containers[*].image |
| ReplicaSet | spec.template.spec.containers[*].image |
| StatefulSet | spec.template.spec.containers[*].image |
| CronJob | spec.spec.template.spec.containers[*].image |
The `manifest verify` command was first introduced in issue https://github.com/sigstore/cosign/issues/437 by @developer-guy. This is something like part 2, to extend the abilities of the `manifest` command.
UX:
Single file:

```shell
$ cosign manifest resolve -f deployment.yaml -o resolved.yaml
```

You can give a folder directly and apply:

```shell
$ cosign manifest resolve -f ./manifests | k apply -f -
```
Implementation
There are two possible ways to handle this:
- Use kbld resolve as a library.
- Integrate a custom resolver as we did for Dockerfile: https://github.com/sigstore/cosign/pull/1120

I think this idea has been discussed somewhere else, but I couldn't find where, so I'm opening this.
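
A sketch of the tag-to-digest rewrite requested above, added as an example and not taken from cosign or kbld. It is line-based, so it pins any `image:` key instead of walking the per-kind paths in the support list; `Resolver`, `Pin` and `ResolveManifest` are hypothetical names, and the registry lookup is a stub returning a constructed digest.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Resolver returns the digest ("sha256:...") for a reference. Hypothetical hook; a real one queries the registry.
type Resolver func(ref string) (string, error)

// Matches "image: <ref>" and "- image: <ref>", optionally quoted; trailing comments are kept.
var imageLine = regexp.MustCompile(`^(\s*(?:-\s+)?image:\s*)["']?([^"'\s#]+)["']?(.*)$`)

// Pin rewrites repo[:tag] to repo@digest. References already pinned by digest are kept as-is.
func Pin(ref string, resolve Resolver) (string, error) {
	if strings.Contains(ref, "@") {
		return ref, nil
	}
	digest, err := resolve(ref)
	if err != nil {
		return "", fmt.Errorf("resolve %s: %w", ref, err)
	}
	// Only a colon after the last slash starts a tag; an earlier one is a registry port.
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") {
		ref = ref[:i]
	}
	return ref + "@" + digest, nil
}

// ResolveManifest pins every image line, failing closed: no output if any lookup fails.
func ResolveManifest(in string, resolve Resolver) (string, error) {
	lines := strings.Split(in, "\n")
	for i, line := range lines {
		if m := imageLine.FindStringSubmatch(line); m != nil {
			pinned, err := Pin(m[2], resolve)
			if err != nil {
				return "", err
			}
			lines[i] = m[1] + pinned + m[3]
		}
	}
	return strings.Join(lines, "\n"), nil
}

func main() { // constructed digest and manifest line, for illustration only
	fake := func(string) (string, error) { return "sha256:" + strings.Repeat("ab", 32), nil }
	fmt.Println(ResolveManifest("- image: localhost:5000/foo:v0.1.0", fake))
}
```

Returning an error instead of passing an unresolved tag through keeps a partially pinned manifest from reaching `apply`.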