OSDOCS-13228: container image sig checks disconnected MicroShift

_topic_maps/_topic_map_ms.yml

@@ -46,6 +46,8 @@ Topics:
   File: microshift-fips
 - Name: Understanding system health checks
   File: microshift-greenboot
+- Name: Mirroring container images for disconnected installations
+  File: microshift-deploy-with-mirror-registry
 ---
 Name: Installing with an RPM package
 Dir: microshift_install_rpm
@@ -67,8 +69,6 @@ Distros: microshift
 Topics:
 - Name: Embedding in a RHEL for Edge image using image builder
   File: microshift-embed-in-rpm-ostree
-- Name: Mirroring container images for disconnected installations
-  File: microshift-deploy-with-mirror-registry
 - Name: Embedding in a RHEL for Edge image for offline use
   File: microshift-embed-in-rpm-ostree-offline-use
 ---
@@ -130,6 +130,8 @@ Topics:
     File: microshift-tls-config
   - Name: Configuring audit logging policies
     File: microshift-audit-logs-config
+  - Name: Verifying container signatures for supply chain security
+    File: microshift-verify-container-signatures
 - Name: Configuring low latency
   Dir: microshift_low_latency
   Topics:

microshift_configuring/microshift_auth_security/microshift-verify-container-signatures.adoc

@@ -0,0 +1,21 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="microshift-verify-container-signatures"]
+= Verifying container signatures for supply chain security
+include::_attributes/attributes-microshift.adoc[]
+:context: microshift-verify-container-signatures
+
+toc::[]
+
+You can enhance supply chain security by using the sigstore signing methodology.
+
+//TP in 4.19, expected to GA 4.20
+:FeatureName: sigstore support
+include::snippets/technology-preview.adoc[]
+
+include::modules/microshift-verify-container-signatures-sigstore-con.adoc[leveloffset=+1]
+
+include::modules/microshift-verify-container-signatures-sigstore.adoc[leveloffset=+1]
+
+include::modules/microshift-enable-sigstore-mirror-registries.adoc[leveloffset=+2]
+
+include::modules/microshift-wiping-local-container-storage.adoc[leveloffset=+2]

microshift_install_get_ready/microshift-deploy-with-mirror-registry.adoc

@@ -10,20 +10,20 @@ You can use a custom container registry when you deploy {microshift-short} in a
 
 include::modules/microshift-mirror-container-images.adoc[leveloffset=+1]
 
-[role="_additional-resources"]
-.Additional resources
-* link:https://docs.openshift.com/container-platform/{ocp-version}/installing/disconnected_install/installing-mirroring-creating-registry.html[Creating a mirror registry with mirror registry for Red Hat OpenShift]
-
 include::modules/microshift-get-mirror-reg-container-image-list.adoc[leveloffset=+1]
 
 include::modules/microshift-mirroring-prereqs.adoc[leveloffset=+1]
 
-[role="_additional-resources"]
-.Additional resources
-* link:https://access.redhat.com/documentation/en-us/openshift_container_platform/{ocp-version}/html/installing/disconnected-installation-mirroring#installation-adding-registry-pull-secret_installing-mirroring-disconnected[Configuring credentials that allow images to be mirrored]
-
 include::modules/microshift-downloading-container-images.adoc[leveloffset=+1]
 
 include::modules/microshift-uploading-images-to-mirror.adoc[leveloffset=+1]
 
-include::modules/microshift-configuring-hosts-for-mirror.adoc[leveloffset=+1]
+include::modules/microshift-configuring-hosts-for-mirror.adoc[leveloffset=+1]
+
+[id="additional-resources_microshift-deploy-with-mirror-registry_{context}"]
+[role="_additional-resources"]
+== Additional resources
+
+* link:https://docs.redhat.com/en/documentation/openshift_container_platform/{ocp-version}/html/disconnected_environments/mirroring-in-disconnected-environments#installing-mirroring-creating-registry[Creating a mirror registry with mirror registry for Red Hat OpenShift]
+
+* link:https://docs.redhat.com/en/documentation/openshift_container_platform/{ocp-version}/html/disconnected_environments/mirroring-in-disconnected-environments#installation-adding-registry-pull-secret_about-installing-oc-mirror-v2[Configuring credentials that allow images to be mirrored]

microshift_running_apps/microshift_operators/microshift-operators-oc-mirror.adoc

@@ -16,9 +16,9 @@ You can filter and prune catalogs to get specific Operators and mirror them by u
 [role="_additional-resources"]
 .Additional resources
 * link:https://access.redhat.com/documentation/en-us/openshift_container_platform/{ocp-version}/html/operators/administrator-tasks#olm-restricted-networks[Using Operator Lifecycle Manager on restricted networks]
-* xref:../../microshift_install_rpm_ostree/microshift-deploy-with-mirror-registry.adoc#microshift-configuring-hosts-for-mirror_microshift-deployment-mirror[Configuring hosts for mirror registry access]
+* xref:../../microshift_install_get_ready/microshift-deploy-with-mirror-registry.adoc#microshift-configuring-hosts-for-mirror_microshift-deployment-mirror[Configuring hosts for mirror registry access]
 * xref:../../microshift_networking/microshift-disconnected-network-config.adoc#microshift-disconnected-network-config[Configuring network settings for fully disconnected hosts]
-* xref:../../microshift_install_rpm_ostree/microshift-deploy-with-mirror-registry.adoc#microshift-get-mirror-reg-container-image-list_microshift-deploy-with-mirror-registry[Getting the mirror registry container image list]
+* xref:../../microshift_install_get_ready/microshift-deploy-with-mirror-registry.adoc#microshift-get-mirror-reg-container-image-list_microshift-deploy-with-mirror-registry[Getting the mirror registry container image list]
 * xref:../../microshift_install_rpm_ostree/microshift-embed-in-rpm-ostree-offline-use.adoc#microshift-embed-in-rpm-ostree-offline-use[Embedding in a {op-system-ostree} image for offline use]
 
 include::modules/microshift-oc-mirror-about-con.adoc[leveloffset=+1]

modules/microshift-configuring-hosts-for-mirror.adoc

@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * microshift/microshift_install_rpm_ostree/microshift-deploy-with-mirror-registry.adoc
+// * microshift/microshift_install_get_ready/microshift-deploy-with-mirror-registry.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="microshift-configuring-hosts-for-mirror_{context}"]
@@ -9,18 +9,20 @@
 To configure a {microshift-short} host to use a mirror registry, you must give the {microshift-short} host access to the registry by creating a configuration file that maps the Red Hat registry host names to the mirror.
 
 .Prerequisites
+
 * Your mirror host has access to the internet.
 * The mirror host can access the mirror registry.
 * You configured the mirror registry for use in your restricted network.
 * You downloaded the pull secret and modified it to include authentication to your mirror repository.
 
 .Procedure
-. Log into your {microshift-short} host.
+
+. Log in to your {microshift-short} host.
 
 . Enable the SSL certificate trust on any host accessing the mirror registry by completing the following steps:
 
 .. Copy the `rootCA.pem` file from the mirror registry, for example, `<registry_path>/quay-rootCA`, to the {microshift-short} host at the `/etc/pki/ca-trust/source/anchors` directory.
-.. Enable the certificate in the system-wide trust store configuration by running the following command:
+.. Enable the certificate in the system-wide truststore configuration by running the following command:
 +
 [source,terminal]
 ----
@@ -62,7 +64,7 @@ $ sudo update-ca-trust
     location = "<registry_host>:<port>"
     insecure = false
 ----
-<1> Replace `<registry_host>:<port>` with the host name and port of your mirror registry server, for example, `<microshift-quay:8443>`.
+<1> Replace `<registry_host>:<port>` with the hostname and port of your mirror registry server, for example, `<microshift-quay:8443>`.
 
 . Enable the {microshift-short} service by running the following command:
 +

modules/microshift-downloading-container-images.adoc

@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * microshift/microshift_install_rpm_ostree/microshift-deploy-with-mirror-registry.adoc
+// * microshift/microshift_install_get_ready/microshift-deploy-with-mirror-registry.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="microshift-downloading-container-images_{context}"]
@@ -10,7 +10,7 @@ After you have located the container list and completed the mirroring prerequisi
 
 .Prerequisites
 
-* You are logged into a host with access to the internet.
+* You logged into a host with access to the internet.
 * The `.pull-secret-mirror.json` file and `microshift-containers` directory contents are available locally.
 
 .Procedure

modules/microshift-enable-sigstore-mirror-registries.adoc

@@ -0,0 +1,46 @@
+// Module included in the following assemblies:
+//
+// * microshift/microshift_auth_security/microshift-verify-container-signatures.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="microshift-enable-sigstore-mirror-registries_{context}"]
+= Enabling sigstore attachments for mirror registries
+
+If you are using mirror registries you must apply additional configuration to enable sigstore attachments and mirroring by digest.
+
+.Prerequisites
+
+* You have admin access to the {microshift-short} host.
+* You completed the steps in "Verifying container signatures using sigstore."
+
+.Procedure
+
+. Enable sigstore attachments by creating the `/etc/containers/registries.d/mirror.registry.local.yaml` file.
++
+[source,terminal,subs="+quotes"]
+----
+$ cat /etc/containers/registries.d/_<mirror.registry.local.yaml>_ <1>
+docker:
+   mirror.registry.local:
+        use-sigstore-attachments: true
+----
+<1> Name the `_<mirror.registry.local.yaml>_` file after your mirror registry URL.
+
+. Enable mirroring by digest by creating the `/etc/containers/registries.conf.d/999-microshift-mirror.conf` with the following contents:
++
+[source,terminal]
+----
+$ cat /etc/containers/registries.conf.d/999-microshift-mirror.conf
+[[registry]]
+    prefix = "quay.io/openshift-release-dev"
+    location = "mirror.registry.local"
+    mirror-by-digest-only = true
+
+[[registry]]
+    prefix = "registry.redhat.io"
+    location = "mirror.registry.local"
+    mirror-by-digest-only = true
+----
+
+.Next steps
+. Wipe the local container storage clean.

modules/microshift-get-mirror-reg-container-image-list.adoc

@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * microshift/microshift_install_rpm_ostree/microshift-deploy-with-mirror-registry.adoc
+// * microshift/microshift_install_get_ready/microshift-deploy-with-mirror-registry.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="microshift-get-mirror-reg-container-image-list_{context}"]
@@ -10,7 +10,7 @@ To use a mirror registry, you must know which container image references are use
 
 [NOTE]
 ====
-To mirror the Operator Lifecycle Manager (OLM) in disconnected environments, add the references provided in the `release-olm-$ARCH.json` that is included in the `microshift-olm` RPM and follow the same procedure. Use `oc-mirror` for mirroring Operator catalogs and Operators.
+To mirror the Operator Lifecycle Manager (OLM) in disconnected environments, add the references provided in the `release-olm-$ARCH.json` that is included in the `microshift-olm` RPM and follow the same procedure. Use the `oc-mirror` CLI plugin for mirroring Operator catalogs and Operators.
 ====
 
 .Prerequisites
@@ -62,4 +62,4 @@ $ jq -r '.images | .[]' ${RELEASE_FILE} > microshift-container-refs.txt
 [NOTE]
 ====
 After the `microshift-container-refs.txt` file is created with the {microshift-short} container image list, you can append the file with other user-specific image references before running the mirroring procedure.
-====
+====

modules/microshift-mirror-container-images.adoc

@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * microshift/microshift_install_rpm_ostree/microshift-deploy-with-mirror-registry.adoc
+// * microshift/microshift_install_get_ready/microshift-deploy-with-mirror-registry.adoc
 
 :_mod-docs-content-type: CONCEPT
 [id="microshift-mirror-container-images_{context}"]
@@ -11,7 +11,7 @@ Using a custom air-gapped container registry, or mirror, is necessary with certa
 To create an air-gapped mirror registry for {microshift-short} containers, you must complete the following steps:
 
 * Get the container image list to be mirrored.
-* Configure the mirroring prerequisites.
+* Configure the mirroring prerequisites, including secure signatures management.
 * Download images on a host with internet access.
 * Copy the downloaded image directory to an air-gapped site.
 * Upload images to a mirror registry in an air-gapped site.

modules/microshift-mirroring-prereqs.adoc

@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * microshift/microshift_install_rpm_ostree/microshift-deploy-with-mirror-registry.adoc
+// * microshift/microshift_install_get_ready/microshift-deploy-with-mirror-registry.adoc
 
 :_mod-docs-content-type: CONCEPT
 [id="microshift-configuring-mirroring-prereqs_{context}"]
@@ -11,7 +11,7 @@ You must create a container image registry credentials file that allows the mirr
 [id="microshift-example-mirror-pull-secret-entry_{context}"]
 == Example mirror registry pull secret entry
 
-For example, the following section is added to the pull secret file for the `microshift_quay:8443` mirror registry using `microshift:microshift` as username and password.
+In this example, the following section is added to the pull secret file for the `microshift_quay:8443` mirror registry by using `microshift:microshift` as username and password.
 
 .Example mirror registry section for pull secret file
 [source,terminal]
@@ -21,6 +21,6 @@ For example, the following section is added to the pull secret file for the `mic
     "email": "<microshift_quay@example.com>" <3>
 },
 ----
-<1> Replace the `<registry_host>:<port>` value `microshift_quay:8443` with the host name and port of your mirror registry server.
-<2> Replace the `<microshift_auth>` value with the user password.
-<3> Replace the `</microshift_quay@example.com>` value with the user email.
+<1> Replace the `<registry_host>:<port>` value `microshift_quay:8443` with the hostname and port of your mirror registry server.
+<2> Replace the `_<microshift_auth>_` value with the user password.
+<3> Replace the `_</microshift_quay@example.com>_` value with the user email.

modules/microshift-uploading-images-to-mirror.adoc

@@ -1,16 +1,16 @@
 // Module included in the following assemblies:
 //
-// * microshift/pmicroshift_install_rpm_ostree/microshift-deploy-with-mirror-registry.adoc
+// * microshift/microshift_install_get_ready/microshift-deploy-with-mirror-registry.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="microshift-uploading-container-images-to-mirror_{context}"]
 = Uploading container images to a mirror registry
 
-To use your container images at an air-gapped site, upload them to the mirror registry using the following procedure.
+To use your container images at an air-gapped site, upload them to the mirror registry by using the following procedure.
 
 .Prerequisites
 
-* You are logged into a host with access to `microshift-quay`.
+* You logged into a host with access to `microshift-quay`.
 * The `.pull-secret-mirror.json` file is available locally.
 * The `microshift-containers` directory contents are available locally.
 
@@ -43,7 +43,7 @@ $ IMAGE_LOCAL_DIR=~/microshift-containers
 ----
 $ TARGET_REGISTRY=_<registry_host>:<port>_ # <1>
 ----
-<1> Replace `_<registry_host>:<port>_` with the host name and port of your mirror registry server.
+<1> Replace `_<registry_host>:<port>_` with the hostname and port of your mirror registry server.
 
 . Run the following script to upload the container images to the `${TARGET_REGISTRY}` mirror registry:
 +

modules/microshift-verify-container-signatures-sigstore-con.adoc

@@ -0,0 +1,16 @@
+// Module included in the following assemblies:
+//
+// * microshift/microshift_auth_security/microshift-verify-container-signatures.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="microshift-verify-container-signatures-sigstore-con_{context}"]
+= Understanding how to use sigstore to verify container signatures
+
+You can configure the container runtime to verify image integrity by using the sigstore signing methodology. Configuring {microshift-short} container runtimes enables the verification of image integrity. With the sigstore project, developers can digitally sign what they build, creating a safer chain of custody that traces software back to the source. Administrators can then verify signatures and monitor workflows at scale. By using sigstore, you can store signatures in the same registry as the build images.
+
+* For user-specific images, you must update the configuration file to point to the appropriate public key, or disable signature verification for those image sources.
+
+[IMPORTANT]
+====
+For disconnected or offline configurations, you must embed the public key contents into the operating system image.
+====

modules/microshift-verify-container-signatures-sigstore.adoc

@@ -0,0 +1,88 @@
+// Module included in the following assemblies:
+//
+// * microshift/microshift_auth_security/microshift-verify-container-signatures.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="microshift-verify-container-signatures-sigstore_{context}"]
+= Verifying container signatures using sigstore
+
+Verify container signatures for {microshift-short} by configuring the container runtime to use sigstore. The container signature verification uses the public key from the Red Hat keypair when signing the images. To use sigstore, edit the default `/etc/containers/policy.json` file that is installed as part of the container runtime package.
+
+You can access Red Hat public keys at the following link:
+
+* link:https://access.redhat.com/security/team/key[Product Signing Keys]
+
+You must use the release key 3 for verifying {microshift-short} container signatures.
+
+.Prerequisites
+
+* You have admin access to the {microshift-short} host.
+* You installed {microshift-short}.
+
+.Procedure
+
+. Download the relevant public key and save it as `/etc/containers/RedHat_ReleaseKey3.pub` by running the following command:
++
+[source,terminal]
+----
+$ sudo curl -sL https://access.redhat.com/security/data/63405576.txt -o /etc/containers/RedHat_ReleaseKey3.pub
+----
+
+. To configure the container runtime to verify images from Red Hat sources, edit the `/etc/containers/policy.json` file to contain the following configuration:
++
+.Example policy JSON file
+[source,json]
+----
+{
+    "default": [
+        {
+            "type": "reject"
+        }
+    ],
+    "transports": {
+        "docker": {
+            "quay.io/openshift-release-dev": [{
+                "type": "sigstoreSigned",
+                "keyPath": "/etc/containers/RedHat_ReleaseKey3.pub",
+                "signedIdentity": {
+                    "type": "matchRepoDigestOrExact"
+                }
+            }],
+            "registry.redhat.io": [{
+                "type": "sigstoreSigned",
+                "keyPath": "/etc/containers/RedHat_ReleaseKey3.pub",
+                "signedIdentity": {
+                    "type": "matchRepoDigestOrExact"
+                }
+            }]
+        }
+    }
+}
+----
+
+. Configure Red Hat remote registries to use sigstore attachments when pulling images to the local storage, by editing the `/etc/containers/registries.d/registry.redhat.io.yaml`` file to contain the following configuration:
++
+[source,terminal]
+----
+$ cat /etc/containers/registries.d/registry.redhat.io.yaml
+docker:
+     registry.redhat.io:
+         use-sigstore-attachments: true
+----
+
+. Configure Red Hat remote registries to use sigstore attachments when pulling images to the local storage, by editing the `/etc/containers/registries.d/registry.quay.io.yaml` file to contain the following configuration:
++
+[source,terminal]
+----
+$ cat /etc/containers/registries.d/quay.io.yaml
+docker:
+  quay.io/openshift-release-dev:
+    use-sigstore-attachments: true
+----
+
+. Create user-specific registry configuration files if your use case requires signature verification for those image sources. You can use the example here to start with and add your own requirements.
+
+.Next steps
+
+. If you are using a mirror registry, enable sigstore attachments.
+. Otherwise, proceed to wiping the local container storage clean.

modules/microshift-wiping-local-container-storage.adoc

@@ -0,0 +1,43 @@
+// Module included in the following assemblies:
+//
+// * microshift/microshift_auth_security/microshift-verify-container-signatures.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="microshift-wiping-local-container-storage_{context}"]
+= Wiping local container storage clean
+
+When you apply the configuration to an existing system, you must wipe the local container storage clean. Cleaning the container storage ensures that container images with signatures are properly downloaded.
+
+.Prerequisites
+
+* You have administrator access to the {microshift-short} host.
+* You enabled sigstore on your mirror registries.
+
+.Procedure
+
+. Stop the CRI-O container runtime service and {microshift-short} by running the following command:
++
+[source,terminal]
+----
+$ sudo systemctl stop crio microshift
+----
+
+. Wipe the CRI-O container runtime storage clean by running the following command:
++
+[source,terminal]
+----
+$ sudo crio wipe --force
+----
+
+. Restart the CRI-O container runtime service and {microshift-short} by running the following command:
++
+[source,terminal]
+----
+$ sudo systemctl start crio microshift
+----
+
+.Verification
+
+Verify that all pods are running in a healthy state by entering the following command:
+
+include::snippets/microshift-healthy-pods-snip.adoc[leveloffset=+2]