Add command for creating notation configuration secrets

Signed-off-by: Jason <jagoodse@microsoft.com>

cmd/flux/create_secret_notation.go

@@ -0,0 +1,161 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
+	"github.com/notaryproject/notation-go/verifier/trustpolicy"
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/yaml"
+)
+
+var createSecretNotationCmd = &cobra.Command{
+	Use:   "notation [name]",
+	Short: "Create or update a Kubernetes secret for verifications of artifacts signed by Notation",
+	Long:  withPreviewNote(`The create secret notation command generates a Kubernetes secret with root ca certificates and trust policy.`),
+	Example: ` # Create a Notation configuration secret on disk and encrypt it with Mozilla SOPS
+  flux create secret notation my-notation-cert \
+    --namespace=my-namespace \
+    --trust-policy-file=./my-trust-policy.json \
+    --ca-cert-file=./my-cert.crt \
+    --export > my-notation-cert.yaml
+
+  sops --encrypt --encrypted-regex '^(data|stringData)$' \
+    --in-place my-notation-cert.yaml`,
+
+	RunE: createSecretNotationCmdRun,
+}
+
+type secretNotationFlags struct {
+	trustPolicyFile string
+	caCrtFile       []string
+}
+
+var secretNotationArgs secretNotationFlags
+
+func init() {
+	createSecretNotationCmd.Flags().StringVar(&secretNotationArgs.trustPolicyFile, "trust-policy-file", "", "notation trust policy file path")
+	createSecretNotationCmd.Flags().StringSliceVar(&secretNotationArgs.caCrtFile, "ca-cert-file", []string{}, "root ca cert file path")
+
+	createSecretCmd.AddCommand(createSecretNotationCmd)
+}
+
+func createSecretNotationCmdRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("name is required")
+	}
+
+	if secretNotationArgs.caCrtFile == nil || len(secretNotationArgs.caCrtFile) == 0 {
+		return fmt.Errorf("--ca-cert-file is required")
+	}
+
+	if secretNotationArgs.trustPolicyFile == "" {
+		return fmt.Errorf("--trust-policy-file is required")
+	}
+
+	name := args[0]
+
+	labels, err := parseLabels()
+	if err != nil {
+		return err
+	}
+
+	policy, err := os.ReadFile(secretNotationArgs.trustPolicyFile)
+	if err != nil {
+		return fmt.Errorf("unable to read trust policy file: %w", err)
+	}
+
+	var doc trustpolicy.Document
+
+	if err := json.Unmarshal(policy, &doc); err != nil {
+		return fmt.Errorf("failed to unmarshal trust policy %s: %w", secretNotationArgs.trustPolicyFile, err)
+	}
+
+	if err := doc.Validate(); err != nil {
+		return fmt.Errorf("invalid trust policy: %w", err)
+	}
+
+	var (
+		caCerts []sourcesecret.VerificationCrt
+		fileErr error
+	)
+	for _, caCrtFile := range secretNotationArgs.caCrtFile {
+		fileName := filepath.Base(caCrtFile)
+		if !strings.HasSuffix(fileName, ".crt") && !strings.HasSuffix(fileName, ".pem") {
+			fileErr = errors.Join(fileErr, fmt.Errorf("%s must end with either .crt or .pem", fileName))
+			continue
+		}
+		caBundle, err := os.ReadFile(caCrtFile)
+		if err != nil {
+			fileErr = errors.Join(fileErr, fmt.Errorf("unable to read TLS CA file: %w", err))
+			continue
+		}
+		caCerts = append(caCerts, sourcesecret.VerificationCrt{Name: fileName, CACrt: caBundle})
+	}
+
+	if fileErr != nil {
+		return fileErr
+	}
+
+	if len(caCerts) == 0 {
+		return fmt.Errorf("no CA certs found")
+	}
+
+	opts := sourcesecret.Options{
+		Name:             name,
+		Namespace:        *kubeconfigArgs.Namespace,
+		Labels:           labels,
+		VerificationCrts: caCerts,
+		TrustPolicy:      policy,
+	}
+	secret, err := sourcesecret.Generate(opts)
+	if err != nil {
+		return err
+	}
+
+	if createArgs.export {
+		rootCmd.Println(secret.Content)
+		return nil
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return err
+	}
+	var s corev1.Secret
+	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
+		return err
+	}
+	if err := upsertSecret(ctx, kubeClient, s); err != nil {
+		return err
+	}
+
+	logger.Actionf("notation configuration secret '%s' created in '%s' namespace", name, *kubeconfigArgs.Namespace)
+	return nil
+}

cmd/flux/create_secret_notation_test.go

@@ -0,0 +1,124 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+const (
+	trustPolicy        = "./testdata/create_secret/notation/test-trust-policy.json"
+	invalidTrustPolicy = "./testdata/create_secret/notation/invalid-trust-policy.json"
+	invalidJson        = "./testdata/create_secret/notation/invalid.json"
+	testCertFolder     = "./testdata/create_secret/notation"
+)
+
+func TestCreateNotationSecret(t *testing.T) {
+	crt, err := os.Create(filepath.Join(t.TempDir(), "ca.crt"))
+	if err != nil {
+		t.Fatal("could not create ca.crt file")
+	}
+
+	pem, err := os.Create(filepath.Join(t.TempDir(), "ca.pem"))
+	if err != nil {
+		t.Fatal("could not create ca.pem file")
+	}
+
+	invalidCert, err := os.Create(filepath.Join(t.TempDir(), "ca.p12"))
+	if err != nil {
+		t.Fatal("could not create ca.p12 file")
+	}
+
+	_, err = crt.Write([]byte("ca-data-crt"))
+	if err != nil {
+		t.Fatal("could not write to crt certificate file")
+	}
+
+	_, err = pem.Write([]byte("ca-data-pem"))
+	if err != nil {
+		t.Fatal("could not write to pem certificate file")
+	}
+
+	tests := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			name:   "no args",
+			args:   "create secret notation",
+			assert: assertError("name is required"),
+		},
+		{
+			name:   "no trust policy",
+			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s", testCertFolder),
+			assert: assertError("--trust-policy-file is required"),
+		},
+		{
+			name:   "no cert",
+			args:   fmt.Sprintf("create secret notation notation-config --trust-policy-file=%s", trustPolicy),
+			assert: assertError("--ca-cert-file is required"),
+		},
+		{
+			name:   "non pem and crt cert",
+			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s", invalidCert.Name(), trustPolicy),
+			assert: assertError("ca.p12 must end with either .crt or .pem"),
+		},
+		{
+			name:   "invalid trust policy",
+			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s", t.TempDir(), invalidTrustPolicy),
+			assert: assertError("invalid trust policy: a trust policy statement is missing a name, every statement requires a name"),
+		},
+		{
+			name:   "invalid trust policy json",
+			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s", t.TempDir(), invalidJson),
+			assert: assertError(fmt.Sprintf("failed to unmarshal trust policy %s: json: cannot unmarshal string into Go value of type trustpolicy.Document", invalidJson)),
+		},
+		{
+			name:   "crt secret",
+			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s --namespace=my-namespace --export", crt.Name(), trustPolicy),
+			assert: assertGoldenFile("./testdata/create_secret/notation/secret-ca-crt.yaml"),
+		},
+		{
+			name:   "pem secret",
+			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s --namespace=my-namespace --export", pem.Name(), trustPolicy),
+			assert: assertGoldenFile("./testdata/create_secret/notation/secret-ca-pem.yaml"),
+		},
+		{
+			name:   "multi secret",
+			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --ca-cert-file=%s --trust-policy-file=%s --namespace=my-namespace --export", crt.Name(), pem.Name(), trustPolicy),
+			assert: assertGoldenFile("./testdata/create_secret/notation/secret-ca-multi.yaml"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			defer func() {
+				secretNotationArgs = secretNotationFlags{}
+			}()
+
+			cmd := cmdTestCase{
+				args:   tt.args,
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}

cmd/flux/testdata/create_secret/notation/invalid-trust-policy.json

@@ -0,0 +1,4 @@
+{
+    "version": "1.0",
+    "trustPolicies": [{}]
+}

cmd/flux/testdata/create_secret/notation/invalid.json

@@ -0,0 +1 @@
+""

cmd/flux/testdata/create_secret/notation/secret-ca-crt.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: notation-config
+  namespace: my-namespace
+stringData:
+  ca.crt: ca-data-crt
+  trustpolicy.json: |
+    {
+        "version": "1.0",
+        "trustPolicies": [
+            {
+                "name": "fluxcd.io",
+                "registryScopes": [
+                    "*"
+                ],
+                "signatureVerification": {
+                    "level" : "strict"
+                },
+                "trustStores": [ "ca:fluxcd.io" ],
+                "trustedIdentities": [
+                    "*"
+                ]
+            }
+        ]
+    }
+

cmd/flux/testdata/create_secret/notation/secret-ca-multi.yaml

@@ -0,0 +1,29 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: notation-config
+  namespace: my-namespace
+stringData:
+  ca.crt: ca-data-crt
+  ca.pem: ca-data-pem
+  trustpolicy.json: |
+    {
+        "version": "1.0",
+        "trustPolicies": [
+            {
+                "name": "fluxcd.io",
+                "registryScopes": [
+                    "*"
+                ],
+                "signatureVerification": {
+                    "level" : "strict"
+                },
+                "trustStores": [ "ca:fluxcd.io" ],
+                "trustedIdentities": [
+                    "*"
+                ]
+            }
+        ]
+    }
+

cmd/flux/testdata/create_secret/notation/secret-ca-pem.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: notation-config
+  namespace: my-namespace
+stringData:
+  ca.pem: ca-data-pem
+  trustpolicy.json: |
+    {
+        "version": "1.0",
+        "trustPolicies": [
+            {
+                "name": "fluxcd.io",
+                "registryScopes": [
+                    "*"
+                ],
+                "signatureVerification": {
+                    "level" : "strict"
+                },
+                "trustStores": [ "ca:fluxcd.io" ],
+                "trustedIdentities": [
+                    "*"
+                ]
+            }
+        ]
+    }
+

cmd/flux/testdata/create_secret/notation/test-ca.crt

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDbDCCAlSgAwIBAgIUP7zhmTw5XTWLcgBGkBEsErMOkz4wDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCUk8xCzAJBgNVBAgMAkJVMRIwEAYDVQQHDAlCdWNoYXJl
+c3QxDzANBgNVBAoMBk5vdGFyeTEZMBcGA1UEAwwQc3RlZmFucHJvZGFuLmNvbTAe
+Fw0yNDAyMjUxMDAyMzZaFw0yOTAyMjQxMDAyMzZaMFoxCzAJBgNVBAYTAlJPMQsw
+CQYDVQQIDAJCVTESMBAGA1UEBwwJQnVjaGFyZXN0MQ8wDQYDVQQKDAZOb3Rhcnkx
+GTAXBgNVBAMMEHN0ZWZhbnByb2Rhbi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDtH4oPi3SyX/DGv6NdjIvmApvD9eeSgsmHdwpAly8T9D2me+fx
+Z+wRNJmq4aq/A1anX+Sg28iwHzV+1WKpsHnjYzDAJSEYP2S8A5H1nGRKUoibdijw
+C3QBh5C75rjF/tmZVSX/Vgbf3HJJEsF4WUxWabLxoV2QLo7UlEsQd9+bSeKNMncx
+1+E6FdbRCrYo90iobvZJ8K/S2zCWq/JTeHfTnmSEDhx6nMJcaSjvMPn3zyauWcQw
+dDpkcaGiJ64fEJRT2OFxXv9u+vDmIMKzo/Wjbd+IzFj6YY4VisK88aU7tmDelnk5
+gQB9eu62PFoaVsYJp4VOhblFKvGJpQwbWB9BAgMBAAGjKjAoMA4GA1UdDwEB/wQE
+AwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDAzANBgkqhkiG9w0BAQsFAAOCAQEA
+6x+C6hAIbLwMvkNx4K5p7Qe/pLQR0VwQFAw10yr/5KSN+YKFpon6pQ0TebL7qll+
+uBGZvtQhN6v+DlnVqB7lvJKd+89isgirkkews5KwuXg7Gv5UPIugH0dXISZU8DMJ
+7J4oKREv5HzdFmfsUfNlQcfyVTjKL6UINXfKGdqNNxXxR9b4a1TY2JcmEhzBTHaq
+ZqX6HK784a0dB7aHgeFrFwPCCP4M684Hs7CFbk3jo2Ef4ljnB5AyWpe8pwCLMdRt
+UjSjL5xJWVQvRU+STQsPr6SvpokPCG4rLQyjgeYYk4CCj5piSxbSUZFavq8v1y7Y
+m91USVqfeUX7ZzjDxPHE2A==
+-----END CERTIFICATE-----

cmd/flux/testdata/create_secret/notation/test-ca2.crt

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDbDCCAlSgAwIBAgIUP7zhmTw5XTWLcgBGkBEsErMOkz4wDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCUk8xCzAJBgNVBAgMAkJVMRIwEAYDVQQHDAlCdWNoYXJl
+c3QxDzANBgNVBAoMBk5vdGFyeTEZMBcGA1UEAwwQc3RlZmFucHJvZGFuLmNvbTAe
+Fw0yNDAyMjUxMDAyMzZaFw0yOTAyMjQxMDAyMzZaMFoxCzAJBgNVBAYTAlJPMQsw
+CQYDVQQIDAJCVTESMBAGA1UEBwwJQnVjaGFyZXN0MQ8wDQYDVQQKDAZOb3Rhcnkx
+GTAXBgNVBAMMEHN0ZWZhbnByb2Rhbi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDtH4oPi3SyX/DGv6NdjIvmApvD9eeSgsmHdwpAly8T9D2me+fx
+Z+wRNJmq4aq/A1anX+Sg28iwHzV+1WKpsHnjYzDAJSEYP2S8A5H1nGRKUoibdijw
+C3QBh5C75rjF/tmZVSX/Vgbf3HJJEsF4WUxWabLxoV2QLo7UlEsQd9+bSeKNMncx
+1+E6FdbRCrYo90iobvZJ8K/S2zCWq/JTeHfTnmSEDhx6nMJcaSjvMPn3zyauWcQw
+dDpkcaGiJ64fEJRT2OFxXv9u+vDmIMKzo/Wjbd+IzFj6YY4VisK88aU7tmDelnk5
+gQB9eu62PFoaVsYJp4VOhblFKvGJpQwbWB9BAgMBAAGjKjAoMA4GA1UdDwEB/wQE
+AwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDAzANBgkqhkiG9w0BAQsFAAOCAQEA
+6x+C6hAIbLwMvkNx4K5p7Qe/pLQR0VwQFAw10yr/5KSN+YKFpon6pQ0TebL7qll+
+uBGZvtQhN6v+DlnVqB7lvJKd+89isgirkkews5KwuXg7Gv5UPIugH0dXISZU8DMJ
+7J4oKREv5HzdFmfsUfNlQcfyVTjKL6UINXfKGdqNNxXxR9b4a1TY2JcmEhzBTHaq
+ZqX6HK784a0dB7aHgeFrFwPCCP4M684Hs7CFbk3jo2Ef4ljnB5AyWpe8pwCLMdRt
+UjSjL5xJWVQvRU+STQsPr6SvpokPCG4rLQyjgeYYk4CCj5piSxbSUZFavq8v1y7Y
+m91USVqfeUX7ZzjDxPHE2A==
+-----END CERTIFICATE-----

cmd/flux/testdata/create_secret/notation/test-trust-policy.json

@@ -0,0 +1,18 @@
+{
+    "version": "1.0",
+    "trustPolicies": [
+        {
+            "name": "fluxcd.io",
+            "registryScopes": [
+                "*"
+            ],
+            "signatureVerification": {
+                "level" : "strict"
+            },
+            "trustStores": [ "ca:fluxcd.io" ],
+            "trustedIdentities": [
+                "*"
+            ]
+        }
+    ]
+}