Refactor internal OCI package

Signed-off-by: Stefan Prodan <[email protected]>

controllers/ocirepository_controller.go

@@ -311,7 +311,7 @@ func (r *OCIRepositoryReconciler) reconcileSource(ctx context.Context, obj *sour
 	}
 	options = append(options, crane.WithAuthFromKeychain(keychain))
 
-	if _, ok := keychain.(util.Anonymous); obj.Spec.Provider != sourcev1.GenericOCIProvider && ok {
+	if _, ok := keychain.(soci.Anonymous); obj.Spec.Provider != sourcev1.GenericOCIProvider && ok {
 		auth, authErr := oidcAuth(ctxTimeout, obj.Spec.URL, obj.Spec.Provider)
 		if authErr != nil && !errors.Is(authErr, oci.ErrUnconfiguredProvider) {
 			e := serror.NewGeneric(
@@ -424,7 +424,11 @@ func (r *OCIRepositoryReconciler) reconcileSource(ctx context.Context, obj *sour
 			}
 
 			conditions.MarkTrue(obj, sourcev1.SourceVerifiedCondition, meta.SucceededReason, "OCI image %s with digest %s verified.", url, revision)
+		} else {
+			// Remove old observations if verification was disabled
+			conditions.Delete(obj, sourcev1.SourceVerifiedCondition)
 		}
+
 		layers, err := img.Layers()
 		if err != nil {
 			e := serror.NewGeneric(
@@ -512,7 +516,6 @@ func (r *OCIRepositoryReconciler) verifyOCISourceSignature(ctx context.Context,
 	case "cosign":
 		defaultCosignOciOpts := []soci.Options{
 			soci.WithAuthnKeychain(keychain),
-			soci.WithContext(ctxTimeout),
 		}
 
 		ref, err := name.ParseReference(url)
@@ -536,12 +539,12 @@ func (r *OCIRepositoryReconciler) verifyOCISourceSignature(ctx context.Context,
 			for k, data := range pubSecret.Data {
 				// search for public keys in the secret
 				if strings.HasSuffix(k, ".pub") {
-					verifier, err := soci.New(append(defaultCosignOciOpts, soci.WithPublicKey(data))...)
+					verifier, err := soci.NewVerifier(ctxTimeout, append(defaultCosignOciOpts, soci.WithPublicKey(data))...)
 					if err != nil {
 						return err
 					}
 
-					signatures, _, err := verifier.VerifyImageSignatures(ref)
+					signatures, _, err := verifier.VerifyImageSignatures(ctxTimeout, ref)
 					if err != nil {
 						continue
 					}
@@ -562,12 +565,12 @@ func (r *OCIRepositoryReconciler) verifyOCISourceSignature(ctx context.Context,
 
 		// if no secret is provided, try keyless verification
 		ctrl.LoggerFrom(ctx).Info("no secret reference is provided, trying to verify the image using keyless approach")
-		verifier, err := soci.New(defaultCosignOciOpts...)
+		verifier, err := soci.NewVerifier(ctxTimeout, defaultCosignOciOpts...)
 		if err != nil {
 			return err
 		}
 
-		signatures, _, err := verifier.VerifyImageSignatures(ref)
+		signatures, _, err := verifier.VerifyImageSignatures(ctxTimeout, ref)
 		if err != nil {
 			return err
 		}
@@ -689,7 +692,7 @@ func (r *OCIRepositoryReconciler) keychain(ctx context.Context, obj *sourcev1.OC
 
 	// if no pullsecrets available return an AnonymousKeychain
 	if len(pullSecretNames) == 0 {
-		return util.Anonymous{}, nil
+		return soci.Anonymous{}, nil
 	}
 
 	// lookup image pull secrets

controllers/ocirepository_controller_test.go

@@ -1046,7 +1046,7 @@ func TestOCIRepository_reconcileSource_verifyOCISourceSignature(t *testing.T) {
 			},
 		},
 		{
-			name: "not signed image should not pass verification",
+			name: "unsigned image should not pass verification",
 			reference: &sourcev1.OCIRepositoryRef{
 				Tag: "6.1.5",
 			},

docs/spec/v1beta2/ocirepositories.md

@@ -482,7 +482,7 @@ The controller verifies the signatures using the Fulcio root CA and the Rekor
 instance hosted at [rekor.sigstore.dev](https://rekor.sigstore.dev/).
 
 Note that keyless verification is an **experimental feature**, using
-custom root CAs or self-hosted Rekor instances are not currency supported.
+custom root CAs or self-hosted Rekor instances are not currently supported.
 
 ### Suspend
 

internal/util/auth.go → internal/oci/auth.go

@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package util
+package oci
 
 import "github.com/google/go-containerregistry/pkg/authn"
 

internal/oci/oci.go → internal/oci/verifier.go

@@ -38,7 +38,6 @@ import (
 type options struct {
 	PublicKey []byte
 	Keychain  authn.Keychain
-	Context   context.Context
 }
 
 // Options is a function that configures the options applied to a Verifier.
@@ -57,20 +56,13 @@ func WithAuthnKeychain(keychain authn.Keychain) Options {
 	}
 }
 
-func WithContext(ctx context.Context) Options {
-	return func(opts *options) {
-		opts.Context = ctx
-	}
-}
-
 // Verifier is a struct which is responsible for executing verification logic.
 type Verifier struct {
-	opts    *cosign.CheckOpts
-	context context.Context
+	opts *cosign.CheckOpts
 }
 
-// New initializes a new Verifier.
-func New(opts ...Options) (*Verifier, error) {
+// NewVerifier initializes a new Verifier.
+func NewVerifier(ctx context.Context, opts ...Options) (*Verifier, error) {
 	o := options{}
 	for _, opt := range opts {
 		opt(&o)
@@ -79,7 +71,7 @@ func New(opts ...Options) (*Verifier, error) {
 	checkOpts := &cosign.CheckOpts{}
 
 	ro := coptions.RegistryOptions{}
-	co, err := ro.ClientOpts(o.Context)
+	co, err := ro.ClientOpts(ctx)
 	if err != nil {
 		return nil, err
 	}
@@ -124,12 +116,11 @@ func New(opts ...Options) (*Verifier, error) {
 	}
 
 	return &Verifier{
-		opts:    checkOpts,
-		context: o.Context,
+		opts: checkOpts,
 	}, nil
 }
 
 // VerifyImageSignatures verify the authenticity of the given ref OCI image.
-func (v *Verifier) VerifyImageSignatures(ref name.Reference) ([]oci.Signature, bool, error) {
-	return cosign.VerifyImageSignatures(v.context, ref, v.opts)
+func (v *Verifier) VerifyImageSignatures(ctx context.Context, ref name.Reference) ([]oci.Signature, bool, error) {
+	return cosign.VerifyImageSignatures(ctx, ref, v.opts)
 }