mattmoor/drop.yaml

## drop.yaml
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: v1
kind: Namespace
metadata:
  name: cosign-system
  labels:
    cosigned.sigstore.dev/include: "false"

---
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cosigned-rbac
rules:
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create"]
  # Allow the reconciliation of exactly our validating and mutating webhooks.
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
    verbs: ["list", "watch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
    verbs: ["get", "update"]
    resourceNames: ["cosigned.sigstore.dev"]
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get"]
    # The webhook configured the namespace as the OwnerRef on various cluster-scoped resources,
    # which requires we can Get the system namespace.
    resourceNames: ["cosign-system"]
  # This is needed by k8schain to support fetching pull secrets attached to pod specs
  # or their service accounts.  If pull secrets aren't used, the "secrets" below can
  # be safely dropped, but the logic will fetch the service account to check for pull
  # secrets.
  - apiGroups: [""]
    resources: ["serviceaccounts", "secrets"]
    verbs: ["get"]

---
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cosigned-namespace-rbac
  namespace: cosign-system
rules:
  # Needed to watch and load configuration and secret data.
  - apiGroups: [""]
    resources: ["configmaps", "secrets"]
    verbs: ["get", "list", "update", "watch"]
  # Needed for leader election
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]

---
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: webhook
  namespace: cosign-system

---
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cosigned-webhook
subjects:
  - kind: ServiceAccount
    name: webhook
    namespace: cosign-system
roleRef:
  kind: ClusterRole
  name: cosigned-rbac
  apiGroup: rbac.authorization.k8s.io

---
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cosigned-webhook
  namespace: cosign-system
subjects:
  - kind: ServiceAccount
    name: webhook
    namespace: cosign-system
roleRef:
  kind: Role
  name: cosigned-namespace-rbac
  apiGroup: rbac.authorization.k8s.io

---
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: v1
kind: Service
metadata:
  name: webhook
  namespace: cosign-system
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    role: webhook

---
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: cosigned.sigstore.dev
webhooks:
  - name: cosigned.sigstore.dev
    namespaceSelector:
      # The webhook should only apply to things that opt-in
      matchExpressions:
        - key: cosigned.sigstore.dev/include
          operator: In
          values: ["true"]
    admissionReviewVersions: [v1]
    clientConfig:
      service:
        name: webhook
        namespace: cosign-system
    failurePolicy: Fail
    sideEffects: None
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: cosigned.sigstore.dev
webhooks:
  - name: cosigned.sigstore.dev
    namespaceSelector:
      # The webhook should only apply to things that opt-in
      matchExpressions:
        - key: cosigned.sigstore.dev/include
          operator: In
          values: ["true"]
    admissionReviewVersions: [v1]
    clientConfig:
      service:
        name: webhook
        namespace: cosign-system
    failurePolicy: Fail
    sideEffects: None
---
apiVersion: v1
kind: Secret
metadata:
  name: webhook-certs
  namespace: cosign-system
# The data is populated at install time.

---
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: v1
kind: ConfigMap
metadata:
  name: config-leader-election
  namespace: cosign-system
data:
  _example: |
    ################################
    #                              #
    #    EXAMPLE CONFIGURATION     #
    #                              #
    ################################

    # This block is not actually functional configuration,
    # but serves to illustrate the available configuration
    # options and document them in a way that is accessible
    # to users that `kubectl edit` this config map.
    #
    # These sample configuration options may be copied out of
    # this example block and unindented to be in the data block
    # to actually change the configuration.

    # leaseDuration is how long non-leaders will wait to try to acquire the
    # lock; 15 seconds is the value used by core kubernetes controllers.
    leaseDuration: "15s"

    # renewDeadline is how long a leader will try to renew the lease before
    # giving up; 10 seconds is the value used by core kubernetes controllers.
    renewDeadline: "10s"

    # retryPeriod is how long the leader election client waits between tries of
    # actions; 2 seconds is the value used by core kubernetes controllers.
    retryPeriod: "2s"

    # buckets is the number of buckets used to partition key space of each
    # Reconciler. If this number is M and the replica number of the controller
    # is N, the N replicas will compete for the M buckets. The owner of a
    # bucket will take care of the reconciling for the keys partitioned into
    # that bucket.
    buckets: "1"

---
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: v1
kind: ConfigMap
metadata:
  name: config-logging
  namespace: cosign-system
data:
  _example: |
    ################################
    #                              #
    #    EXAMPLE CONFIGURATION     #
    #                              #
    ################################

    # This block is not actually functional configuration,
    # but serves to illustrate the available configuration
    # options and document them in a way that is accessible
    # to users that `kubectl edit` this config map.
    #
    # These sample configuration options may be copied out of
    # this example block and unindented to be in the data block
    # to actually change the configuration.

    zap-logger-config: |
      {
        "level": "info",
        "development": false,
        "outputPaths": ["stdout"],
        "errorOutputPaths": ["stderr"],
        "encoding": "json",
        "encoderConfig": {
          "timeKey": "ts",
          "levelKey": "level",
          "nameKey": "logger",
          "callerKey": "caller",
          "messageKey": "msg",
          "stacktraceKey": "stacktrace",
          "lineEnding": "",
          "levelEncoder": "",
          "timeEncoder": "iso8601",
          "durationEncoder": "",
          "callerEncoder": ""
        }
      }

    # Log level overrides
    # Changes are be picked up immediately.
    loglevel.controller: "info"
    loglevel.webhook: "info"

---
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: v1
kind: ConfigMap
metadata:
  name: config-observability
  namespace: cosign-system
data:
  _example: |
    ################################
    #                              #
    #    EXAMPLE CONFIGURATION     #
    #                              #
    ################################

    # This block is not actually functional configuration,
    # but serves to illustrate the available configuration
    # options and document them in a way that is accessible
    # to users that `kubectl edit` this config map.
    #
    # These sample configuration options may be copied out of
    # this example block and unindented to be in the data block
    # to actually change the configuration.

    # metrics.backend-destination field specifies the system metrics destination.
    # It supports either prometheus (the default) or stackdriver.
    # Note: Using stackdriver will incur additional charges
    metrics.backend-destination: prometheus

    # metrics.request-metrics-backend-destination specifies the request metrics
    # destination. If non-empty, it enables queue proxy to send request metrics.
    # Currently supported values: prometheus, stackdriver.
    metrics.request-metrics-backend-destination: prometheus

    # metrics.stackdriver-project-id field specifies the stackdriver project ID. This
    # field is optional. When running on GCE, application default credentials will be
    # used if this field is not provided.
    metrics.stackdriver-project-id: "<your stackdriver project id>"

---
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: webhook
  namespace: cosign-system
spec:
  selector:
    matchLabels:
      role: webhook
  template:
    metadata:
      labels:
        role: webhook
    spec:
      # To avoid node becoming SPOF, spread our replicas to different nodes.
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app: webhook
                topologyKey: kubernetes.io/hostname
              weight: 100
      serviceAccountName: webhook
      containers:
        - name: webhook
          # This is the Go import path for the binary that is containerized
          # and substituted here.
          image: ghcr.io/mattmoor/webhook@sha256:18eb429c5e680405746c90653ad0a7ed67989e4a5773605b73ecf18d7086fa61
          args: ["-secret-name=verification-key"]
          resources:
            requests:
              cpu: 20m
              memory: 20Mi
            limits:
              cpu: 200m
              memory: 200Mi
          env:
            - name: SYSTEM_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: CONFIG_LOGGING_NAME
              value: config-logging
            - name: METRICS_DOMAIN
              value: sigstore.dev/cosigned
            - name: WEBHOOK_NAME
              value: webhook
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            capabilities:
              drop:
                - all
          readinessProbe: &probe
            failureThreshold: 6
            initialDelaySeconds: 20
            periodSeconds: 1
            httpGet:
              scheme: HTTPS
              port: 8443
              httpHeaders:
                - name: k-kubelet-probe
                  value: "webhook"
          livenessProbe: *probe
      # Our webhook should gracefully terminate by lame ducking first, set this to a sufficiently
      # high value that we respect whatever value it has configured for the lame duck grace period.
      terminationGracePeriodSeconds: 300
---
apiVersion: v1
kind: Secret
metadata:
  name: verification-key
  namespace: cosign-system
  # stringData:
  #   cosign.pub: |
  #     <PEM encoded public key>

---
	# Copyright 2021 The Sigstore Authors.
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# https://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.

	apiVersion: v1
	kind: Namespace
	metadata:
	name: cosign-system
	labels:
	cosigned.sigstore.dev/include: "false"

	---
	# Copyright 2021 The Sigstore Authors.
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# https://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.

	kind: ClusterRole
	apiVersion: rbac.authorization.k8s.io/v1
	metadata:
	name: cosigned-rbac
	rules:
	- apiGroups: [""]
	resources: ["events"]
	verbs: ["create"]
	# Allow the reconciliation of exactly our validating and mutating webhooks.
	- apiGroups: ["admissionregistration.k8s.io"]
	resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
	verbs: ["list", "watch"]
	- apiGroups: ["admissionregistration.k8s.io"]
	resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
	verbs: ["get", "update"]
	resourceNames: ["cosigned.sigstore.dev"]
	- apiGroups: [""]
	resources: ["namespaces"]
	verbs: ["get"]
	# The webhook configured the namespace as the OwnerRef on various cluster-scoped resources,
	# which requires we can Get the system namespace.
	resourceNames: ["cosign-system"]
	# This is needed by k8schain to support fetching pull secrets attached to pod specs
	# or their service accounts. If pull secrets aren't used, the "secrets" below can
	# be safely dropped, but the logic will fetch the service account to check for pull
	# secrets.
	- apiGroups: [""]
	resources: ["serviceaccounts", "secrets"]
	verbs: ["get"]

	---
	# Copyright 2021 The Sigstore Authors.
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# https://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.

	kind: Role
	apiVersion: rbac.authorization.k8s.io/v1
	metadata:
	name: cosigned-namespace-rbac
	namespace: cosign-system
	rules:
	# Needed to watch and load configuration and secret data.
	- apiGroups: [""]
	resources: ["configmaps", "secrets"]
	verbs: ["get", "list", "update", "watch"]
	# Needed for leader election
	- apiGroups: ["coordination.k8s.io"]
	resources: ["leases"]
	verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]

	---
	# Copyright 2021 The Sigstore Authors.
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# https://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.

	apiVersion: v1
	kind: ServiceAccount
	metadata:
	name: webhook
	namespace: cosign-system

	---
	# Copyright 2021 The Sigstore Authors.
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# https://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.

	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRoleBinding
	metadata:
	name: cosigned-webhook
	subjects:
	- kind: ServiceAccount
	name: webhook
	namespace: cosign-system
	roleRef:
	kind: ClusterRole
	name: cosigned-rbac
	apiGroup: rbac.authorization.k8s.io

	---
	# Copyright 2021 The Sigstore Authors.
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# https://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.

	apiVersion: rbac.authorization.k8s.io/v1
	kind: RoleBinding
	metadata:
	name: cosigned-webhook
	namespace: cosign-system
	subjects:
	- kind: ServiceAccount
	name: webhook
	namespace: cosign-system
	roleRef:
	kind: Role
	name: cosigned-namespace-rbac
	apiGroup: rbac.authorization.k8s.io

	---
	# Copyright 2021 The Sigstore Authors.
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# https://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.

	apiVersion: v1
	kind: Service
	metadata:
	name: webhook
	namespace: cosign-system
	spec:
	ports:
	- port: 443
	targetPort: 8443
	selector:
	role: webhook

	---
	# Copyright 2021 The Sigstore Authors.
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# https://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.

	apiVersion: admissionregistration.k8s.io/v1
	kind: ValidatingWebhookConfiguration
	metadata:
	name: cosigned.sigstore.dev
	webhooks:
	- name: cosigned.sigstore.dev
	namespaceSelector:
	# The webhook should only apply to things that opt-in
	matchExpressions:
	- key: cosigned.sigstore.dev/include
	operator: In
	values: ["true"]
	admissionReviewVersions: [v1]
	clientConfig:
	service:
	name: webhook
	namespace: cosign-system
	failurePolicy: Fail
	sideEffects: None
	---
	apiVersion: admissionregistration.k8s.io/v1
	kind: MutatingWebhookConfiguration
	metadata:
	name: cosigned.sigstore.dev
	webhooks:
	- name: cosigned.sigstore.dev
	namespaceSelector:
	# The webhook should only apply to things that opt-in
	matchExpressions:
	- key: cosigned.sigstore.dev/include
	operator: In
	values: ["true"]
	admissionReviewVersions: [v1]
	clientConfig:
	service:
	name: webhook
	namespace: cosign-system
	failurePolicy: Fail
	sideEffects: None
	---
	apiVersion: v1
	kind: Secret
	metadata:
	name: webhook-certs
	namespace: cosign-system
	# The data is populated at install time.

	---
	# Copyright 2021 The Sigstore Authors.
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# https://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.

	apiVersion: v1
	kind: ConfigMap
	metadata:
	name: config-leader-election
	namespace: cosign-system
	data:
	_example: \|
	################################
	# #
	# EXAMPLE CONFIGURATION #
	# #
	################################

	# This block is not actually functional configuration,
	# but serves to illustrate the available configuration
	# options and document them in a way that is accessible
	# to users that `kubectl edit` this config map.
	#
	# These sample configuration options may be copied out of
	# this example block and unindented to be in the data block
	# to actually change the configuration.

	# leaseDuration is how long non-leaders will wait to try to acquire the
	# lock; 15 seconds is the value used by core kubernetes controllers.
	leaseDuration: "15s"

	# renewDeadline is how long a leader will try to renew the lease before
	# giving up; 10 seconds is the value used by core kubernetes controllers.
	renewDeadline: "10s"

	# retryPeriod is how long the leader election client waits between tries of
	# actions; 2 seconds is the value used by core kubernetes controllers.
	retryPeriod: "2s"

	# buckets is the number of buckets used to partition key space of each
	# Reconciler. If this number is M and the replica number of the controller
	# is N, the N replicas will compete for the M buckets. The owner of a
	# bucket will take care of the reconciling for the keys partitioned into
	# that bucket.
	buckets: "1"

	---
	# Copyright 2021 The Sigstore Authors.
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# https://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.

	apiVersion: v1
	kind: ConfigMap
	metadata:
	name: config-logging
	namespace: cosign-system
	data:
	_example: \|
	################################
	# #
	# EXAMPLE CONFIGURATION #
	# #
	################################

	# This block is not actually functional configuration,
	# but serves to illustrate the available configuration
	# options and document them in a way that is accessible
	# to users that `kubectl edit` this config map.
	#
	# These sample configuration options may be copied out of
	# this example block and unindented to be in the data block
	# to actually change the configuration.

	zap-logger-config: \|
	{
	"level": "info",
	"development": false,
	"outputPaths": ["stdout"],
	"errorOutputPaths": ["stderr"],
	"encoding": "json",
	"encoderConfig": {
	"timeKey": "ts",
	"levelKey": "level",
	"nameKey": "logger",
	"callerKey": "caller",
	"messageKey": "msg",
	"stacktraceKey": "stacktrace",
	"lineEnding": "",
	"levelEncoder": "",
	"timeEncoder": "iso8601",
	"durationEncoder": "",
	"callerEncoder": ""
	}
	}

	# Log level overrides
	# Changes are be picked up immediately.
	loglevel.controller: "info"
	loglevel.webhook: "info"

	---
	# Copyright 2021 The Sigstore Authors.
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# https://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.

	apiVersion: v1
	kind: ConfigMap
	metadata:
	name: config-observability
	namespace: cosign-system
	data:
	_example: \|
	################################
	# #
	# EXAMPLE CONFIGURATION #
	# #
	################################

	# This block is not actually functional configuration,
	# but serves to illustrate the available configuration
	# options and document them in a way that is accessible
	# to users that `kubectl edit` this config map.
	#
	# These sample configuration options may be copied out of
	# this example block and unindented to be in the data block
	# to actually change the configuration.

	# metrics.backend-destination field specifies the system metrics destination.
	# It supports either prometheus (the default) or stackdriver.
	# Note: Using stackdriver will incur additional charges
	metrics.backend-destination: prometheus

	# metrics.request-metrics-backend-destination specifies the request metrics
	# destination. If non-empty, it enables queue proxy to send request metrics.
	# Currently supported values: prometheus, stackdriver.
	metrics.request-metrics-backend-destination: prometheus

	# metrics.stackdriver-project-id field specifies the stackdriver project ID. This
	# field is optional. When running on GCE, application default credentials will be
	# used if this field is not provided.
	metrics.stackdriver-project-id: "<your stackdriver project id>"

	---
	# Copyright 2021 The Sigstore Authors.
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# https://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.

	apiVersion: apps/v1
	kind: Deployment
	metadata:
	name: webhook
	namespace: cosign-system
	spec:
	selector:
	matchLabels:
	role: webhook
	template:
	metadata:
	labels:
	role: webhook
	spec:
	# To avoid node becoming SPOF, spread our replicas to different nodes.
	affinity:
	podAntiAffinity:
	preferredDuringSchedulingIgnoredDuringExecution:
	- podAffinityTerm:
	labelSelector:
	matchLabels:
	app: webhook
	topologyKey: kubernetes.io/hostname
	weight: 100
	serviceAccountName: webhook
	containers:
	- name: webhook
	# This is the Go import path for the binary that is containerized
	# and substituted here.
	image: ghcr.io/mattmoor/webhook@sha256:18eb429c5e680405746c90653ad0a7ed67989e4a5773605b73ecf18d7086fa61
	args: ["-secret-name=verification-key"]
	resources:
	requests:
	cpu: 20m
	memory: 20Mi
	limits:
	cpu: 200m
	memory: 200Mi
	env:
	- name: SYSTEM_NAMESPACE
	valueFrom:
	fieldRef:
	fieldPath: metadata.namespace
	- name: CONFIG_LOGGING_NAME
	value: config-logging
	- name: METRICS_DOMAIN
	value: sigstore.dev/cosigned
	- name: WEBHOOK_NAME
	value: webhook
	securityContext:
	allowPrivilegeEscalation: false
	readOnlyRootFilesystem: true
	runAsNonRoot: true
	capabilities:
	drop:
	- all
	readinessProbe: &probe
	failureThreshold: 6
	initialDelaySeconds: 20
	periodSeconds: 1
	httpGet:
	scheme: HTTPS
	port: 8443
	httpHeaders:
	- name: k-kubelet-probe
	value: "webhook"
	livenessProbe: *probe
	# Our webhook should gracefully terminate by lame ducking first, set this to a sufficiently
	# high value that we respect whatever value it has configured for the lame duck grace period.
	terminationGracePeriodSeconds: 300
	---
	apiVersion: v1
	kind: Secret
	metadata:
	name: verification-key
	namespace: cosign-system
	# stringData:
	# cosign.pub: \|
	# <PEM encoded public key>

	---