Golang switch 🐹 #1513
phbelitz announced in Announcements
Replies: 2 comments

- The Go version has now been released and is available here!

- There was a breaking change that went unnoticed 😞 When using Kubernetes secrets for authentication to private registries, these can be referenced as Should you be affected, please recreate the Kubernetes secret with the new format 🤗
Hello, everyone!

Big news: We are switching programming languages from Python to Golang! 🎉💯

Why are we doing this? For multiple reasons: The project began with Python, as it was the language everyone involved was familiar with. This approach worked for quite some time, but we continuously faced compromises. For example, our support for Cosign functions only by including a Cosign binary inside our project and calling it via an external process. While this enabled quick integration of the validation framework, it also made working with it inside our codebase cumbersome. This would apply to future support for Notation as well. With Golang, we can use the frameworks natively by importing them as packages (they are also written in Go), which allows us not only to integrate them more easily but also to extend them with extra functionalities. In addition, the usage of a compilable language results in a slimmed-down container image since there is no longer a need for an interpreter. This opens up the option to use scratch containers, thereby reducing the attack surface against Connaisseur itself and gaining us more security points, which we are so desperately aching for 🤡. At the end of the day, among other reasons not worth noting, we committed to the switch!

What does that mean for you? Hopefully, not much, aside from a faster and more reliable runtime! We've attempted to ensure everything is non-breaking, so your previous configuration should be compatible. However, if that's not the case, feel free to open an issue. 🤞

We've also added some new features:
- A `with.mode` option that can be set to `mutate` or `insecureValidateOnly`, allowing the mutation of the image reference to be toggled on and off (the default is `mutate`, meaning references will be mutated; the alternative is considered insecure since it implies that while a trusted image is available, its use is not guaranteed 🤷).
- `resourceValidationMode`, with supported values `all` and `podsOnly`. `all` is the default, causing Connaisseur to block all resources if they fail validation and mutate them if they pass. `podsOnly` will still validate all resources but only block and mutate Pod resources, while others are passed through with a warning (similar to PSA). This enhances compatibility with GitOps solutions like ArgoCD by preventing diffs on each reconciliation.
- Setting `with.trustRoot` to `*` for a policy is now supported across all validators, allowing OR conjunctions for all defined trust roots within a validator.

Lastly, we want to outline some future plans for the project. Immediately following the Golang switch, we'll aim to support keyless validation for Cosign and full Notation support, covering all major validation frameworks. We will likely also explore OpenPubkey, enabling the validation of Docker Official Images using Connaisseur, although given the experimental nature of this, it may take some time. Your support is appreciated! 🤗

A preview of the Golang switch can be seen here. You can also try out the new version by using the `ghcr.io/sse-secure-systems/connaisseur-test:pr-1509` container image. 🧪

Cheers, everyone.
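As an added illustration of how the three new options fit together (this is not code from the announcement or from the Connaisseur repository), the following Helm values excerpt shows the default `mutate` policy beside the weaker `insecureValidateOnly` variant, `trustRoot: "*"`, and `resourceValidationMode: podsOnly`. The placement under `application.policy` and `application.features` is assumed from Connaisseur's existing values layout; the registry patterns, validator name and trust-root name are constructed for the example.

```yaml
# Added illustration, not the project's own values.yaml.
# Key placement (application.policy / application.features) is assumed;
# option names and values are the ones from the announcement above.
application:
  features:
    # all (default): block every resource that fails validation, mutate on pass.
    # podsOnly: validate everything, but only block/mutate Pods; other kinds are
    # admitted with a warning, which avoids GitOps diffs on each reconciliation.
    resourceValidationMode: podsOnly
  policy:
    # Default behaviour: the image reference is rewritten to the validated
    # digest, so the image that was checked is the image that gets pulled.
    - pattern: "registry.example.com/prod/*"    # constructed sample pattern
      validator: cosign-prod                    # assumed validator name
      with:
        trustRoot: "*"   # a valid signature from ANY trust root of this validator (OR)
        mode: mutate     # the default; shown explicitly for contrast
    # Weaker variant: the signature is still checked, but the reference is left
    # as written, so a trusted image exists yet its use is not guaranteed.
    - pattern: "registry.example.com/legacy/*"  # constructed sample pattern
      validator: cosign-prod
      with:
        trustRoot: legacy-key                   # assumed trust-root name
        mode: insecureValidateOnly
```

When reviewing a configuration, treat every `insecureValidateOnly` entry as a finding to justify explicitly, and keep `podsOnly` in mind when reading audit output: non-Pod resources that fail validation are logged with a warning rather than rejected.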