Avoid keeping private key and password in the cluster secret
adubey8 opened this issue · comments
This is related to the open bug: #24
As a workaround for secretKeyRef not resolving, one has to provide the following parameters:
--set cosign.cosignKey='base64 encode' --set cosign.cosignPassword='base64 encode' --set cosign.cosignPub='base64 encode'
Even if the secretKeyRef works, I do not want to keep my private key and password in the cluster.
So why are cosignKey and cosignPassword required in this chart? Currently this command complains if all 3 parameters are not provided.
$k get secrets cosigned-cosign-key -o yaml
data:
cosign.key: <>
cosign.password: <>
cosign.pub: <>
Ideally, shouldn't the webhook only look for the public key to validate the signed images?
@adubey8 I believe we missed this issue, but it has been solved. Even though you don't need to store the private key to validate a signed image.