sigstore / helm-charts

Helm charts for sigstore project


Avoid keeping private key and password in the cluster secret

adubey8 opened this issue · comments

commented

This is related to the open bug: #24

As a workaround for secretKeyRef not resolving, one has to provide the following parameters:

```
--set cosign.cosignKey='base64 encode' --set cosign.cosignPassword='base64 encode' --set cosign.cosignPub='base64 encode'
```

Even if the secretKeyRef works, I do not want to keep my private key and password in the cluster.
So why are cosignKey and cosignPassword required in this chart? Currently this command complains if all 3 parameters are not provided.

```
$k get secrets cosigned-cosign-key -o yaml
 data:
  cosign.key: <>
  cosign.password: <>
  cosign.pub: <>
```

Ideally shouldn't the webhook only look for public key to validate the signed images?
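An added audit check (not part of the chart or of this issue) that detects the pattern the post describes: it reads the JSON that `kubectl get secrets -o json` returns and reports any secret holding a private signing key or a password next to the public key. Secret names, namespaces and PEM bodies below are constructed placeholders, and the header strings are the PEM markers cosign-style keys carry (assumed, not taken from the chart).

```python
import base64
import json

# Constructed sample of `kubectl get secrets -o json` output; the PEM bodies
# are placeholders, not real key material.
SAMPLE_SECRETS_JSON = json.dumps({"items": [
    {"metadata": {"name": "cosigned-cosign-key", "namespace": "cosign-system"},
     "data": {
         "cosign.key": base64.b64encode(
             b"-----BEGIN ENCRYPTED SIGSTORE PRIVATE KEY-----\nplaceholder\n"
             b"-----END ENCRYPTED SIGSTORE PRIVATE KEY-----\n").decode(),
         "cosign.password": base64.b64encode(b"placeholder-password").decode(),
         "cosign.pub": base64.b64encode(
             b"-----BEGIN PUBLIC KEY-----\nplaceholder\n-----END PUBLIC KEY-----\n").decode(),
     }},
    {"metadata": {"name": "cosign-public-key", "namespace": "cosign-system"},
     "data": {
         "cosign.pub": base64.b64encode(
             b"-----BEGIN PUBLIC KEY-----\nplaceholder\n-----END PUBLIC KEY-----\n").decode(),
     }},
]})

# Any PEM block whose header ends in "PRIVATE KEY-----" (encrypted sigstore/cosign
# keys, plain PKCS#8, EC) counts as private material; a public key block does not.
PRIVATE_KEY_MARKER = b"PRIVATE KEY-----"
# Data keys that hold the passphrase protecting such a key.
PASSWORD_KEY_NAMES = {"cosign.password"}


def find_private_material(secrets_json: str) -> list:
    """Return one finding per secret that carries a private key or its password.

    Each finding names the secret and the offending data keys, so the secret
    can be reduced to the public key that verification actually needs.
    """
    findings = []
    for item in json.loads(secrets_json).get("items", []):
        meta = item["metadata"]
        offending = []
        for key, b64 in (item.get("data") or {}).items():
            raw = base64.b64decode(b64)  # Secret data is base64 in the API object
            if key in PASSWORD_KEY_NAMES or PRIVATE_KEY_MARKER in raw:
                offending.append(key)
        if offending:
            findings.append({"namespace": meta.get("namespace", "default"),
                             "name": meta["name"], "keys": sorted(offending)})
    return findings


if __name__ == "__main__":
    for f in find_private_material(SAMPLE_SECRETS_JSON):
        print(f"{f['namespace']}/{f['name']}: private material in {f['keys']}")
```

Run it against live output with `kubectl get secrets -A -o json` piped into `find_private_material`; an empty result means only public keys are stored.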

@adubey8 I believe we missed this issue, but it has been solved. Even though you don't need to store the private key to validate a signed image.