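# Kyverno image-signature verification policy (audit CODE-L5).
#
# ──────────────────────────────────────────────────────────────────────────
# THIS MANIFEST IS NOT APPLIED BY 03-deploy.sh. It is intentionally outside
# the script's apply set. Applying it before the prerequisites are in place
# would block every honeydue Pod from scheduling. Operator steps:
#
# 1. Install Kyverno in the cluster (it is an admission controller):
#      kubectl create -f https://github.com/kyverno/kyverno/releases/latest/download/install.yaml
# 2. Generate a cosign key pair and keep the private key safe:
#      cosign generate-key-pair    # -> cosign.key (PRIVATE) + cosign.pub
#    Set COSIGN_KEY=cosign.key in the deploy environment so 03-deploy.sh
#    signs images after pushing them (the signing step is already wired,
#    guarded, into 03-deploy.sh).
# 3. Replace the three placeholder lines inside the publicKeys block below
#    with the contents of cosign.pub. That file already carries the
#    "-----BEGIN PUBLIC KEY-----" / "-----END PUBLIC KEY-----" lines, so
#    paste it verbatim in place of all three lines — do not keep the
#    placeholder's own BEGIN/END lines around it, or the result is not a
#    valid PEM block and no signature will ever verify.
# 4. Apply this policy:
#      kubectl apply -f deploy-k3s/manifests/kyverno-verify-images.yaml
# 5. After confirming honeydue Pods still schedule, flip
#    validationFailureAction from Audit to Enforce.
#
# Until then it is a documented, ready-to-use template — not active config.
# ──────────────────────────────────────────────────────────────────────────
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-honeydue-images
  annotations:
    policies.kyverno.io/title: Verify honeyDue image signatures
    policies.kyverno.io/description: >-
      Requires that honeyDue application images pulled into the honeydue
      namespace carry a valid cosign signature made with the operator's key.
spec:
  # Audit first — logs violations without blocking. Switch to Enforce once
  # signing is confirmed working end to end. In Audit an unsigned or
  # wrongly-signed image is still admitted; the failure only shows up in the
  # policy report, so check the report before trusting the key setup.
  validationFailureAction: Audit
  # verifyImages rules act at admission time; no background scan is needed.
  background: false
  # Verification makes network round trips at admission (registry, and by
  # default the Rekor transparency log — see the note on `keys` below), so
  # give the webhook the full timeout rather than the default.
  webhookTimeoutSeconds: 30
  rules:
    - name: verify-gitea-image-signatures
      match:
        any:
          - resources:
              kinds:
                - Pod
              namespaces:
                - honeydue
      verifyImages:
        # Only the images we build and sign. Public base images
        # (redis, vmagent) are pinned by digest instead — see their manifests.
        # Anything in the namespace that does not match one of these globs is
        # admitted without any signature check, so keep the list in step with
        # the images 03-deploy.sh pushes.
        - imageReferences:
            # Trailing `*` covers every tag and digest form of the repository.
            - "gitea.treytartt.com/admin/honeydue-api*"
            - "gitea.treytartt.com/admin/honeydue-worker*"
            - "gitea.treytartt.com/admin/honeydue-admin*"
            - "gitea.treytartt.com/admin/honeydue-web*"
          attestors:
            - count: 1
              entries:
                # NOTE(review): with key-based attestors Kyverno also checks
                # the signature's Rekor transparency-log entry by default
                # (cosign uploads one on `sign` unless --tlog-upload=false).
                # If the cluster has no egress to rekor.sigstore.dev, either
                # allow it or add `rekor: { ignoreTlog: true }` under `keys`
                # and sign with the tlog upload disabled — confirm against the
                # installed Kyverno version's docs before changing this.
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      REPLACE_WITH_CONTENTS_OF_cosign.pub
                      -----END PUBLIC KEY-----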