From 47c75e80059ce5b0772a9194068dc4923ec472f2 Mon Sep 17 00:00:00 2001
From: chgl
Date: Wed, 25 Oct 2023 21:06:39 +0200
Subject: [PATCH] chore: added kyverno validation and updated deps
---
.github/workflows/ci.yaml | 25 +++++++++++
.renovaterc.json | 4 ++
charts/fhir-gateway/Chart.yaml | 8 +---
charts/fhir-gateway/values.yaml | 2 +-
charts/fhir-pseudonymizer/Chart.yaml | 6 +--
charts/fhir-pseudonymizer/values.yaml | 2 +-
policies/verify-images.yaml | 62 +++++++++++++++++++++++++++
7 files changed, 97 insertions(+), 12 deletions(-)
create mode 100644 policies/verify-images.yaml
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index db380e60..574b9b81 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -54,6 +54,31 @@ jobs:
 - name: Generate changelogs (test)
 run: generate-chart-changelog.sh
+ test-kyverno:
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Add workspace as safe directory
+ run: |
+ git config --global --add safe.directory /__w/charts/charts
+
+ - name: Checkout
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ with:
+ fetch-depth: 0
+
+ - name: Update dependencies
+ run: find charts/ ! -path charts/ -maxdepth 1 -type d -exec helm dependency update {} \;
+
+ - name: Test chart against Kyverno policies
+ uses: ckotzbauer/kyverno-test-action@0d96bdb966a134a9062c23284ac5585e44b7dc0b # main
+ with:
+ # for testing
+ chart-dir: charts/fhir-gateway
+ policy-files: |
+ policies/verify-images.yaml
+ kyverno-version: 1.10.3
+ debug: true
+
 test:
 runs-on: ubuntu-22.04
 needs:
diff --git a/.renovaterc.json b/.renovaterc.json
index a0471d80..0991f369 100644
--- a/.renovaterc.json
+++ b/.renovaterc.json
@@ -30,6 +30,10 @@
 {
 "matchPackageNames": ["postgresql", "ghcr.io/chgl/kube-powertools"],
 "extends": ["schedule:monthly"]
+ },
+ {
+ "matchPackagePatterns": ["^ghcr.io\\/miracum\\/"],
+ "pinDigests": false
 }
 ],
 "ignorePaths": [
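Review bot: The `git config --global --add safe.directory /__w/charts/charts` step in the new `test-kyverno` job names the container-job workspace path, but the job declares only `runs-on: ubuntu-22.04` with no `container:` key in this hunk, so on a plain hosted runner (whose workspace is normally under `/home/runner/work/…`) the entry would not match the checkout; using `"$GITHUB_WORKSPACE"` or dropping the step avoids a silent no-op. The policy check is also hard-wired to `chart-dir: charts/fhir-gateway` (marked `# for testing`), so the fhir-pseudonymizer chart, whose image reference changes in this same commit, is never validated against `policies/verify-images.yaml`; a `strategy.matrix` over the chart directories would cover both. `debug: true` on the kyverno-test-action step looks like a development leftover worth removing before merge.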
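Review bot: `"pinDigests": false` for `^ghcr.io\\/miracum\\/`, together with the `tag:` changes in charts/fhir-gateway/values.yaml and charts/fhir-pseudonymizer/values.yaml, moves both charts from digest-pinned to mutable tag references. Keyless signature verification only compensates for that on clusters where this ClusterPolicy (or an equivalent) is actually admitted — the commit exercises the policy in CI but installs nothing alongside the charts — so users deploying without Kyverno lose the immutability the `@sha256:` suffix gave them. If the intent is purely readable tags, keeping `pinDigests` enabled preserves the `tag@sha256:` form Renovate already maintained while the `ghcr.io/miracum/*` glob in the policy still matches; otherwise the trade-off deserves a line in the chart changelog entries. Minor: the unescaped `.` in `^ghcr.io` matches any character; `^ghcr\\.io/miracum/` is stricter.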
diff --git a/charts/fhir-gateway/Chart.yaml b/charts/fhir-gateway/Chart.yaml
index 4e236e13..51236b61 100644
--- a/charts/fhir-gateway/Chart.yaml
+++ b/charts/fhir-gateway/Chart.yaml
@@ -14,14 +14,10 @@ dependencies:
 condition: fhir-pseudonymizer.enabled
 version: 0.5.6
 repository: oci://ghcr.io/miracum/charts
-version: 6.0.19
+version: 6.0.20
 annotations:
 # When using the list of objects option the valid supported kinds are
 # added, changed, deprecated, removed, fixed and security.
 artifacthub.io/changes: |
 - kind: changed
- description: update docker.io/curlimages/curl docker tag to v8.4.0
- - kind: changed
- description: refreshed docs with latest helm-docs
- - kind: changed
- description: fixed missing seccompProfile in initContainer
+ description: updated ghcr.io/miracum/fhir-gateway image tag to v3.12.4
diff --git a/charts/fhir-gateway/values.yaml b/charts/fhir-gateway/values.yaml
index 7c99798f..dc60a766 100644
--- a/charts/fhir-gateway/values.yaml
+++ b/charts/fhir-gateway/values.yaml
@@ -15,7 +15,7 @@ replicaCount: 1
 image: # +doc-gen:ignore
 registry: ghcr.io
 repository: miracum/fhir-gateway
- tag: v3.12.4@sha256:865dccda7ebf958bf655ce0e4fefbfddcb6479f111db31a7a500e2a7c59d26e8
+ tag: v3.12.4
 pullPolicy: IfNotPresent
 # image pull secrets for the pod
diff --git a/charts/fhir-pseudonymizer/Chart.yaml b/charts/fhir-pseudonymizer/Chart.yaml
index 9791a6a1..7c2e6783 100644
--- a/charts/fhir-pseudonymizer/Chart.yaml
+++ b/charts/fhir-pseudonymizer/Chart.yaml
@@ -10,7 +10,7 @@ dependencies:
 version: 1.2.7
 repository: oci://ghcr.io/miracum/charts
 condition: vfps.enabled
-version: 0.5.7
+version: 0.5.8
 annotations:
 artifacthub.io/license: Apache-2.0
 artifacthub.io/containsSecurityUpdates: "false"
@@ -22,6 +22,4 @@ annotations:
 # added, changed, deprecated, removed, fixed and security.
 artifacthub.io/changes: |
 - kind: changed
- description: update docker.io/curlimages/curl docker tag to v8.4.0
- - kind: changed
- description: refreshed docs with latest helm-docs
+ description: updated ghcr.io/miracum/fhir-pseudonymizer image tag to v2.21.1
diff --git a/charts/fhir-pseudonymizer/values.yaml b/charts/fhir-pseudonymizer/values.yaml
index 4619e25b..1dd491ca 100644
--- a/charts/fhir-pseudonymizer/values.yaml
+++ b/charts/fhir-pseudonymizer/values.yaml
@@ -34,7 +34,7 @@ gpas:
 image: # +doc-gen:ignore
 registry: ghcr.io
 repository: miracum/fhir-pseudonymizer
- tag: v2.21.0@sha256:42a49e389f52f52ea8edad38ea276038681b4a317eca628c58f96894805d6a94
+ tag: v2.21.1
 pullPolicy: IfNotPresent
 metrics:
diff --git a/policies/verify-images.yaml b/policies/verify-images.yaml
new file mode 100644
index 00000000..a4c6ff0b
--- /dev/null
+++ b/policies/verify-images.yaml
@@ -0,0 +1,62 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: verify-miracum-images
+ annotations:
+ policies.kyverno.io/title: >-
+ Verify signatures and SLSA Provenance for ghcr.io/miracum container images
+ policies.kyverno.io/category: Software Supply Chain Security
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/minversion: 1.9.2
+ kyverno.io/kyverno-version: 1.9.2
+ kyverno.io/kubernetes-version: "1.26"
+ policies.kyverno.io/description: >-
+ Provenance is used to identify how an artifact was produced
+ and from where it originated. SLSA provenance is an industry-standard
+ method of representing that provenance. This policy verifies that an
+ image has SLSA provenance and was signed by the expected subject and issuer
+ when produced through GitHub Actions.
+spec:
+ validationFailureAction: Enforce
+ webhookTimeoutSeconds: 30
+ rules:
+ - name: verify-miracum-images
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - imageReferences:
+ - "ghcr.io/miracum/*"
+ attestors:
+ - entries:
+ - keyless:
+ subject: "https://github.com/miracum/.github/.github/workflows/standard-build.yaml@*"
+ issuer: "https://token.actions.githubusercontent.com"
+ rekor:
+ url: https://rekor.sigstore.dev
+ additionalExtensions:
+ githubWorkflowTrigger: release
+ githubWorkflowName: ci
+ githubWorkflowRepository: miracum/*
+ attestations:
+ # SLSA attestations
+ - predicateType: https://slsa.dev/provenance/v0.2
+ attestors:
+ - count: 1
+ entries:
+ - keyless:
+ subject: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v*"
+ issuer: "https://token.actions.githubusercontent.com"
+ rekor:
+ url: https://rekor.sigstore.dev
+ conditions:
+ - all:
+ # This expression uses a regex pattern to ensure the builder.id in the attestation is equal to the official
+ # SLSA provenance generator workflow and uses a tagged release in semver format. If using a specific SLSA
+ # provenance generation workflow, you may need to adjust the first input as necessary.
+ - key: "{{ regex_match('^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$', '{{ builder.id }}') }}"
+ operator: Equals
+ value: true
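Review bot: The signing attestor's `subject: "https://github.com/miracum/.github/.github/workflows/standard-build.yaml@*"` accepts the reusable workflow at any ref, including any branch of that repository, while the provenance condition below insists on a semver tag for the generator; pinning the signing subject to the refs releases are actually cut from (for example `@refs/tags/v*`, or the default-branch ref) makes the two checks consistent. The `regex_match` pattern uses unescaped dots in `v[0-9]+.[0-9]+.[0-9]+$`, so in the double-quoted YAML value `\\.` is needed for them to match literal version separators. The attestation rule only establishes that the image carries provenance from the official slsa-github-generator; nothing binds that provenance to the miracum source, so an additional condition on the SLSA v0.2 predicate's `invocation.configSource.uri` matching `git+https://github.com/miracum/*` would close that gap. Whether `additionalExtensions` values such as `githubWorkflowRepository: miracum/*` are wildcard-matched or compared literally is version-dependent in Kyverno and worth confirming against the 1.10.3 used in CI, since `policies.kyverno.io/minversion` still says 1.9.2.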