diff --git a/charts/trust-policies/Chart.yaml b/charts/trust-policies/Chart.yaml
index eade830..7dcfe3a 100644
--- a/charts/trust-policies/Chart.yaml
+++ b/charts/trust-policies/Chart.yaml
@@ -8,8 +8,8 @@ sources:
 type: application
 name: trust-policies
-version: "v0.2.0"
-appVersion: "v0.2.0"
+version: "v0.3.0"
+appVersion: "v0.3.0"
 maintainers:
 - name: codysoyland
diff --git a/charts/trust-policies/templates/clusterimagepolicy-github.yaml b/charts/trust-policies/templates/clusterimagepolicy-github.yaml
index be9b414..1439738 100644
--- a/charts/trust-policies/templates/clusterimagepolicy-github.yaml
+++ b/charts/trust-policies/templates/clusterimagepolicy-github.yaml
@@ -7,7 +7,9 @@ spec:
 images:
 - glob: "**"
 authorities:
- - keyless:
+{{ if .Values.policy.trust.github }}
+ - name: github
+ keyless:
 trustRootRef: github
 identities:
 - issuer: https://token.actions.githubusercontent.com
@@ -18,4 +20,17 @@ spec:
 attestations:
 - name: require-attestation
 predicateType: {{ .Values.policy.predicateType }}
+{{ end }}{{ if .Values.policy.trust.sigstorePublic }}
+ - name: public-good
+ keyless:
+ identities:
+ - issuer: https://token.actions.githubusercontent.com
+ subjectRegExp: https://github.com/{{ .Values.policy.organization }}/{{ .Values.policy.repo }}/\.github/workflows/.*
+ ctlog:
+ url: https://rekor.sigstore.dev
+ signatureFormat: bundle
+ attestations:
+ - name: require-attestation
+ predicateType: {{ .Values.policy.predicateType }}
+{{ end }}
 {{- end }}
diff --git a/charts/trust-policies/values.yaml b/charts/trust-policies/values.yaml
index 43c7eb7..bf262c2 100644
--- a/charts/trust-policies/values.yaml
+++ b/charts/trust-policies/values.yaml
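Review bot: With both `policy.trust.github` and `policy.trust.sigstorePublic` set to false, this template still emits `authorities:` with no entries beneath an image match of `glob: "**"`; policy-controller rejects a ClusterImagePolicy without any authority as far as I recall, so the install would fail with an opaque webhook validation error rather than a clear message. A guard at the top of the template makes the intent explicit: `{{- if not (or .Values.policy.trust.github .Values.policy.trust.sigstorePublic) }}{{ fail "policy.trust must enable at least one authority (github or sigstorePublic)" }}{{ end }}`. The new `{{ if ... }}` lines also omit the `{{-` whitespace trim that the file's closing `{{- end }}` uses, so each disabled branch leaves a blank line in the rendered manifest; harmless but inconsistent. The enclosing template begins before this hunk, so the outer condition closed by `{{- end }}` is not visible here.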
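Review bot: The `subjectRegExp` on the new public-good authority is the only thing binding that authority to your repository, and it is neither anchored nor escaped: `.Values.policy.organization` and `.Values.policy.repo` are interpolated raw (a repo name containing `.` or another regex metacharacter matches more than intended), and the trailing `.*` accepts every workflow file in the repo at any ref, since GitHub's certificate SAN carries the workflow path plus the triggering ref (`...@refs/heads/<branch>`), if I recall correctly. Tightening it to `subjectRegExp: ^https://github.com/{{ regexQuoteMeta .Values.policy.organization }}/{{ regexQuoteMeta .Values.policy.repo }}/\.github/workflows/[^@]+@refs/tags/.*$` (or a `policy.workflow` value naming the release workflow, with `regexQuoteMeta` from Sprig) limits trust to release builds from tags, assuming that is the intended release flow. Unlike the `github` authority, this one sets no `trustRootRef`, so it presumably falls back to policy-controller's default (public Sigstore) root while pinning `ctlog.url`; a one-line comment stating that intent would help the next reader. Worth a comment in the template as well: policy-controller treats the `authorities` list as any-of, I believe, so enabling both `github` and `sigstorePublic` accepts an image signed under either trust root rather than requiring both.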
@@ -8,3 +8,9 @@ policy:
 enabled: false
 # predicateType is the type of predicate to expect in the default policy
 predicateType: https://slsa.dev/provenance/v1
+ # Identify which signing authorities should be trusted as part of the policy
+ trust:
+ # trust the GitHub signing authority
+ github: true
+ # trust the Sigstore public-good signing authority
+ sigstorePublic: true
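Review bot: The new `trust:` comment does not tell an operator what enabling more than one authority means, and both default to `true`, so the default policy accepts an image signed under either root. I would extend the comment to: `# Enabled authorities are any-of: an image passes if at least one enabled authority verifies it, so enabling both widens what is accepted; at least one must be true.` (hedged on policy-controller's any-of semantics, which I believe is how it evaluates the authorities list). The `github: true` entry also deserves a note that the rendered authority references a TrustRoot named `github` via `trustRootRef`, so that resource must exist in the cluster for the policy to admit anything: `# requires a TrustRoot named "github" to be installed`.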