feat: add support for trust config

Author: knrc

api/v1alpha1/modelvalidation_types.go

@@ -53,12 +53,25 @@ type PublicKeyConfig struct {
 	KeyPath string `json:"keyPath,omitempty"`
 }
 
+// ClientTrustConfig defines the configuration for client trust settings,
+// used when working with private rekor/fulcio instances.
+type ClientTrustConfig struct {
+	// TrustConfigPath is the path to the trust configuration file.
+	// This specifies the trust configuration needed for using private rekor/fulcio instances
+	// and should conform to the ClientTrustConfig message.
+	// +kubebuilder:validation:Required
+	TrustConfigPath string `json:"trustConfigPath,omitempty"`
+}
+
 // ValidationConfig defines the various methods available for validating model signatures.
 // At least one validation method must be specified.
 type ValidationConfig struct {
 	SigstoreConfig  *SigstoreConfig  `json:"sigstoreConfig,omitempty"`
 	PkiConfig       *PkiConfig       `json:"pkiConfig,omitempty"`
 	PublicKeyConfig *PublicKeyConfig `json:"publicKeyConfig,omitempty"`
+	// +kubebuilder:validation:Optional
+	// ClientTrustConfig is the configuration for client trust settings.
+	ClientTrustConfig *ClientTrustConfig `json:"clientTrustConfig,omitempty"`
 }
 
 // ModelValidationSpec defines the desired state of ModelValidation
@@ -172,6 +185,11 @@ func (vc *ValidationConfig) GetConfigHash() string {
 		hasher.Write([]byte(vc.PublicKeyConfig.KeyPath))
 	}
 
+	if vc.ClientTrustConfig != nil {
+		hasher.Write([]byte("clienttrust"))
+		hasher.Write([]byte(vc.ClientTrustConfig.TrustConfigPath))
+	}
+
 	return fmt.Sprintf("%x", hasher.Sum(nil))[:16] // Use first 16 chars for brevity
 }
 

api/v1alpha1/zz_generated.deepcopy.go

@@ -58,6 +58,19 @@ spec:
               config:
                 description: Configuration for validation methods.
                 properties:
+                  clientTrustConfig:
+                    description: ClientTrustConfig is the configuration for client
+                      trust settings.
+                    properties:
+                      trustConfigPath:
+                        description: |-
+                          TrustConfigPath is the path to the trust configuration file.
+                          This specifies the trust configuration needed for using private rekor/fulcio instances
+                          and should conform to the ClientTrustConfig message.
+                        type: string
+                    required:
+                    - trustConfigPath
+                    type: object
                   pkiConfig:
                     description: |-
                       PkiConfig defines the PKI-based verification configuration

config/crd/bases/ml.sigstore.dev_modelvalidations.yaml

@@ -31,6 +31,7 @@ type TestModelValidationOptions struct {
 	CertificateCA     string
 	CertIdentity      string
 	CertOidcIssuer    string
+	TrustConfigPath   string
 }
 
 // TestPodOptions holds configuration for creating test Pod resources
@@ -102,6 +103,13 @@ func CreateTestModelValidation(opts TestModelValidationOptions) *v1alpha1.ModelV
 		}
 	}
 
+	// Add ClientTrustConfig if trust config path is provided
+	if opts.TrustConfigPath != "" {
+		mv.Spec.Config.ClientTrustConfig = &v1alpha1.ClientTrustConfig{
+			TrustConfigPath: opts.TrustConfigPath,
+		}
+	}
+
 	return mv
 }
 

internal/testutil/testutil.go

@@ -130,28 +130,27 @@ func validationConfigToArgs(logger logr.Logger, cfg v1alpha1.ValidationConfig, s
 			"--identity", cfg.SigstoreConfig.CertificateIdentity,
 			"--identity_provider", cfg.SigstoreConfig.CertificateOidcIssuer,
 		)
-		return res
-	}
-
-	if cfg.PublicKeyConfig != nil {
+	} else if cfg.PublicKeyConfig != nil {
 		logger.Info("found public-key config")
 		res = append(res,
 			"key",
 			fmt.Sprintf("--signature=%s", signaturePath),
 			"--public_key", cfg.PublicKeyConfig.KeyPath,
 		)
-		return res
-	}
-
-	if cfg.PkiConfig != nil {
+	} else if cfg.PkiConfig != nil {
 		logger.Info("found pki config")
 		res = append(res,
 			"certificate",
 			fmt.Sprintf("--signature=%s", signaturePath),
 			"--certificate_chain", cfg.PkiConfig.CertificateAuthority,
 		)
-		return res
+	} else {
+		logger.Info("missing validation config")
+		return []string{}
+	}
+
+	if cfg.ClientTrustConfig != nil {
+		res = append(res, "--trust_config", cfg.ClientTrustConfig.TrustConfigPath)
 	}
-	logger.Info("missing validation config")
-	return []string{}
+	return res
 }

internal/webhooks/pod_webhook.go

@@ -139,5 +139,69 @@ var _ = Describe("Pod webhook", func() {
 			}
 			Expect(foundTrackedPod).To(BeTrue(), "Pod should be tracked in status")
 		})
+
+		It("Should add trust_config argument when ClientTrustConfig is provided", func() {
+			trustConfigName := "trust-config-test"
+			trustConfigNamespace := fmt.Sprintf("trust-config-ns-%d", time.Now().UnixNano())
+
+			By("Creating the Namespace for trust config test")
+			trustConfigNs := &corev1.Namespace{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: trustConfigNamespace,
+				},
+			}
+			err := k8sClient.Create(ctx, trustConfigNs)
+			Expect(err).To(Not(HaveOccurred()))
+
+			By("Create ModelValidation with ClientTrustConfig")
+			trustMv := testutil.CreateTestModelValidation(testutil.TestModelValidationOptions{
+				Name:            trustConfigName,
+				Namespace:       trustConfigNamespace,
+				ConfigType:      "sigstore",
+				CertIdentity:    "[email protected]",
+				CertOidcIssuer:  "https://accounts.google.com",
+				TrustConfigPath: "/path/to/trust-config.json",
+			})
+			err = k8sClient.Create(ctx, trustMv)
+			Expect(err).To(Not(HaveOccurred()))
+
+			statusTracker.AddModelValidation(ctx, trustMv)
+
+			By("create labeled pod with trust config")
+			trustPod := testutil.CreateTestPod(testutil.TestPodOptions{
+				Name:      "trust-config-pod",
+				Namespace: trustConfigNamespace,
+				Labels:    map[string]string{constants.ModelValidationLabel: trustConfigName},
+			})
+			err = k8sClient.Create(ctx, trustPod)
+			Expect(err).To(Not(HaveOccurred()))
+
+			By("Checking that validation sidecar was created with trust config")
+			foundTrustPod := &corev1.Pod{}
+			Eventually(ctx, func(ctx context.Context) []corev1.Container {
+				_ = k8sClient.Get(ctx, types.NamespacedName{Name: "trust-config-pod", Namespace: trustConfigNamespace}, foundTrustPod)
+				return foundTrustPod.Spec.InitContainers
+			}, 5*time.Second).Should(HaveLen(1))
+
+			By("Verifying trust_config argument is present")
+			initContainer := foundTrustPod.Spec.InitContainers[0]
+			args := initContainer.Args
+			Expect(args).To(ContainElement("--trust_config"))
+
+			// Find the index of --trust_config and verify the next element is the path
+			trustConfigIndex := -1
+			for i, arg := range args {
+				if arg == "--trust_config" {
+					trustConfigIndex = i
+					break
+				}
+			}
+			Expect(trustConfigIndex).To(BeNumerically(">=", 0), "trust_config argument should be present")
+			Expect(trustConfigIndex+1).To(BeNumerically("<", len(args)), "trust_config should have a value")
+			Expect(args[trustConfigIndex+1]).To(Equal("/path/to/trust-config.json"))
+
+			By("Cleanup trust config namespace")
+			_ = k8sClient.Delete(ctx, &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: trustConfigNamespace}})
+		})
 	})
 })