Implement file signing step

[puerco]

Background

As part of the Signing Release Artifacts KEP, we need to build file signing into our release pipeline. Up to now, we had considered building signing capabilities directly into krel. However, thinking a little bit more into the architecture of the pipeline it is possible we may end up not needing to work on it and instead could use standard cosign to sign the files.

Up to now, we had not considered that we need to sign our artifacts outside of krel stage. We do not only need to build a new step in the pipeline to sign files after they are built and staged, but we also need to move the current signing image signing logic out of krel (see #2611 for a more broad explanation of why).

Our choice: krel sign or vanilla cosign

This means we have two choices to implement the file signing step:

1. Build file signing into krel, eg a krel sign subcommand
2. Use a standard cosign release to sign the files

We should only work on # 1 if there is a compelling reason to do it and, frankly, I'm failing to see one.

Architecture

In order to better understand how the signing step fits into the release process, let's take a look at how we sign images today:

flowchart TB
  subgraph krel["<h2>krel (today)</h2>"]
    direction TB
    style krel fill:#eee,stroke:#ccc,stroke-width:2px,font-weight:bold,font-size:120%

    subgraph staging["<h3>staging</h3>"]
      s1[build]-->s2["sign container images"]
    end
    subgraph promotion["<h3>image promotion</h3>"]
      ip1["k8s-org signature"]-->ip2
      ip2["signature replication"]
    end
    subgraph release["<h3>release</h3>"]
      r1["check image signatures"]-->r2["release"]
    end
    staging-->promotion
    promotion-->release
end

Loading

The full proposal to sign files (and ultimately images too) would look like the following. This introduces a new signing step to handle the internal RelEng signatures. Initially would handle files but we should move the signing logic from krel to this new step too to restrict access to the signing account:

flowchart TB
  subgraph krel["<h2>krel (new)</h2>"]
    direction TB
    style krel fill:#eee,stroke:#ccc,stroke-width:2px,font-weight:bold,font-size:120%
    style fpromotion fill:#eee,stroke:#ccc,color:ccc,stroke-width:2px,font-weight:bold,font-size:120%
    style a fill:#B3D5FF,stroke:#ccc,color:003C84,stroke-width:2px,font-weight:bold,font-size:120%
    style fp1 fill:#eee,stroke:#ccc,color:ccc,stroke-width:2px,font-weight:bold,font-size:120%

    subgraph staging["<h3>staging</h3>"]
      s1[build]-->s2["stage images and files"]
    end
    subgraph signing["<h3>signing</h3>"]
      sign1["read staging SBOM<br>to get artifacts that<br>need to be signed"]
      sign1-->sign2["sign files"]
      sign1-->sign3["sign images"]
    end
    subgraph ipromotion["<h3>image promotion</h3>"]
      ip1["k8s-org signature"]-->ip2
      ip2["signature replication"]
    end
    subgraph fpromotion["<h3>file promotion</h3><br>(in an indeterminate future)"]
      a["File promotion is out of scope<br>for now but this is<br>where we should fit it"]
      fp1["k8s-org signature on files"]
    end
    subgraph release["<h3>release</h3>"]
      r1["check image signatures"]
      r2["check file signatures"]
      r1 & r2 --> r3["release"]
    end
    staging-->signing
    signing-->ipromotion
    signing-->fpromotion
    ipromotion & fpromotion -->release
end

Loading

Should we cancel the development of our file signing codebase?

Short answer: No.

By no means this plan means we need to stop working on our file signing libraries. In the near future, kpromo should sign files just as it signs container images today. File signing in the release process should be seen as the Release Engineering stamp of origin of our artifacts and we should strive to get files stamped with a Kubernetes-wide signature.

[palnabarun]

Until we decide on this, should development on #2600 be paused?

[puerco]

@palnabarun Let's disucss it in the Jul 26 meeting (already added it to the agenda!)

[palnabarun]

I have a work conflict with Jul 26 meeting. I will try to make it to the meeting, but for sure will catch up on the recording and notes.

And, thanks for driving this conversation!

[puerco]

NP, if you have any ideas or thoughts about this be sure to dump it here and I'll relay them to the rest of the team!

[saschagrunert]

Proposed KEP update incoming in kubernetes/enhancements#3451

[puerco]

Update: After the Jul 26 '22 RelEng meeting we chose to go via # 2: build file signing into krel via a new krel sign step

[palnabarun]

/assign

[saschagrunert]

@palnabarun are you planning to work on this? :)

[palnabarun]

Yes, I am exploring this right now. I had a call with @puerco sometime back on some implementation details. I hope to start a WIP PR by next week for others to have a look at.

[saschagrunert]

@palnabarun do you need help on this topic from us? (cc @kubernetes/release-managers)

[cpanato]

I will take this issue, already discussed with @puerco