Add Cosign keyless mode required args for nerdctl compose

ningziwen · ningziwen · commit 5205495f49d3 · 2023-04-27T12:22:39.000-07:00
Signed-off-by: Ziwen Ning &lt;ningziwe@amazon.com&gt;
diff --git a/docs/cosign.md b/docs/cosign.md
@@ -154,6 +154,26 @@ services:
     - 8081:80
 ```
 
+For keyless mode, the `docker-compose.yaml` will be:
+```
+$ cat docker-compose.yml
+services:
+  svc0:
+    build: .
+    image: ${REGISTRY}/svc1_image # replace with your registry
+    x-nerdctl-verify: cosign
+    x-nerdctl-sign: cosign
+    x-nerdctl-cosign-certificate-identity: name@example.com # or x-nerdctl-cosign-certificate-identity-regexp
+    x-nerdctl-cosign-certificate-oidc-issuer: https://accounts.example.com # or x-nerdctl-cosign-certificate-oidc-issuer-regexp
+    ports:
+    - 8080:80
+  svc1:
+    build: .
+    image: ${REGISTRY}/svc1_image # replace with your registry
+    ports:
+    - 8081:80
+```
+
 > The `env "COSIGN_PASSWORD="$COSIGN_PASSWORD""` part in the below commands is a walkaround to use rootful nerdctl and make the env variable visible to root (in sudo). You don't need this part if (1) you're using rootless, or (2) your `COSIGN_PASSWORD` is visible in root.
 
 First let's `build` and `push` the two services:
diff --git a/pkg/cmd/compose/compose.go b/pkg/cmd/compose/compose.go
@@ -155,5 +155,17 @@ func imageVerifyOptionsFromCompose(ps *serviceparser.Service) types.ImageVerifyO
 	if keyVal, ok := ps.Unparsed.Extensions[serviceparser.ComposeCosignPublicKey]; ok {
 		opt.CosignKey = keyVal.(string)
 	}
+	if ciVal, ok := ps.Unparsed.Extensions[serviceparser.ComposeCosignCertificateIdentity]; ok {
+		opt.CosignCertificateIdentity = ciVal.(string)
+	}
+	if cirVal, ok := ps.Unparsed.Extensions[serviceparser.ComposeCosignCertificateIdentityRegexp]; ok {
+		opt.CosignCertificateIdentityRegexp = cirVal.(string)
+	}
+	if coiVal, ok := ps.Unparsed.Extensions[serviceparser.ComposeCosignCertificateOidcIssuer]; ok {
+		opt.CosignCertificateOidcIssuer = coiVal.(string)
+	}
+	if coirVal, ok := ps.Unparsed.Extensions[serviceparser.ComposeCosignCertificateOidcIssuerRegexp]; ok {
+		opt.CosignCertificateOidcIssuerRegexp = coirVal.(string)
+	}
 	return opt
 }
diff --git a/pkg/composer/pull.go b/pkg/composer/pull.go
@@ -57,6 +57,19 @@ func (c *Composer) pullServiceImage(ctx context.Context, image string, platform
 	if publicKey, ok := ps.Unparsed.Extensions[serviceparser.ComposeCosignPublicKey]; ok {
 		args = append(args, "--cosign-key="+publicKey.(string))
 	}
+	if certificateIdentity, ok := ps.Unparsed.Extensions[serviceparser.ComposeCosignCertificateIdentity]; ok {
+		args = append(args, "--cosign-certificate-identity="+certificateIdentity.(string))
+	}
+	if certificateIdentityRegexp, ok := ps.Unparsed.Extensions[serviceparser.ComposeCosignCertificateIdentityRegexp]; ok {
+		args = append(args, "--cosign-certificate-identity-regexp="+certificateIdentityRegexp.(string))
+	}
+	if certificateOidcIssuer, ok := ps.Unparsed.Extensions[serviceparser.ComposeCosignCertificateOidcIssuer]; ok {
+		args = append(args, "--cosign-certificate-oidc-issuer="+certificateOidcIssuer.(string))
+	}
+	if certificateOidcIssuerRegexp, ok := ps.Unparsed.Extensions[serviceparser.ComposeCosignCertificateOidcIssuerRegexp]; ok {
+		args = append(args, "--cosign-certificate-oidc-issuer-regexp="+certificateOidcIssuerRegexp.(string))
+	}
+
 	if c.Options.Experimental {
 		args = append(args, "--experimental")
 	}
diff --git a/pkg/composer/serviceparser/serviceparser.go b/pkg/composer/serviceparser/serviceparser.go
@@ -37,10 +37,14 @@ import (
 
 // ComposeExtensionKey defines fields used to implement extension features.
 const (
-	ComposeVerify           = "x-nerdctl-verify"
-	ComposeCosignPublicKey  = "x-nerdctl-cosign-public-key"
-	ComposeSign             = "x-nerdctl-sign"
-	ComposeCosignPrivateKey = "x-nerdctl-cosign-private-key"
+	ComposeVerify                            = "x-nerdctl-verify"
+	ComposeCosignPublicKey                   = "x-nerdctl-cosign-public-key"
+	ComposeSign                              = "x-nerdctl-sign"
+	ComposeCosignPrivateKey                  = "x-nerdctl-cosign-private-key"
+	ComposeCosignCertificateIdentity         = "x-nerdctl-cosign-certificate-identity"
+	ComposeCosignCertificateIdentityRegexp   = "x-nerdctl-cosign-certificate-identity-regexp"
+	ComposeCosignCertificateOidcIssuer       = "x-nerdctl-cosign-certificate-oidc-issuer"
+	ComposeCosignCertificateOidcIssuerRegexp = "x-nerdctl-cosign-certificate-oidc-issuer-regexp"
 )
 
 func warnUnknownFields(svc types.ServiceConfig) {
