Verify bundle signature is valid and is not modified

[panktishah26]

Issue #, if available:
#6793

Description of changes:
Validate the EKS-A bundle has not been modified by verifying the signature in the bundle annotation. We sign the bundle by adding signature annotation on the bundle field. To verify the bundle, we have used ecdsa.VerifyASN1 method to support air gapped environment scenario. The validation is only added for controller for now.

Testing (if applicable):

Documentation added/planned (if applicable):

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[panktishah26]

I have moved these constants to eks-anywhere constants package since these are used for both signing and verification purpose and to keep a single source of truth.

[codecov]

Codecov Report

Attention: Patch coverage is 74.60317% with 32 lines in your changes missing coverage. Please review.

Project coverage is 72.38%. Comparing base (5583d64) to head (fe12c2c).
Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/signature/manifest.go	68.47%	20 Missing and 9 partials ⚠️
pkg/validations/extendedversion.go	80.00%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@           Coverage Diff            @@
##             main    #9209    +/-   ##
========================================
  Coverage   72.37%   72.38%            
========================================
  Files         585      587     +2     
  Lines       45710    45836   +126     
========================================
+ Hits        33084    33178    +94     
- Misses      10888    10910    +22     
- Partials     1738     1748    +10     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[panktishah26]

I am not using context, cluster and client field in this PR but I will need those for further extended support related validations.

[jacobweinstock]

from where did this value come? how is it produced?

[panktishah26]

This is the public key of the KMS key that we use to sign the bundle.

[vivek-koppuru]

I know public keys are meant to be public, but should we be putting this out in the open?

[sp1999]

https://github.com/aws/eks-anywhere-packages/blob/main/charts/eks-anywhere-packages/values.yaml#L93

We have it in our packages repo too for verifying package bundle signature in the webhook.

[jacobweinstock]

might think about this: %v -> %w.

"Wrap an error to expose it to callers. Do not wrap an error when doing so would expose implementation details."
reference: https://go.dev/blog/go1.13-errors#wrapping-errors-with-w

[jacobweinstock]

i recommend not logging in a function in a package like this. I recommend letting consumers/callers of the function do the logging. Also, this this looks like a global logger. Where is it even defined?

[panktishah26]

Agree, I added it as a part of my debugging and forgot to remove. I have removed this log.

[vivek-koppuru]

We generally want to avoid saying error or failed again right?

Suggested change

	return fmt.Errorf("failed to get bundle for cluster: %w", err)
	return fmt.Errorf("getting bundle for cluster: %w", err)

[vivek-koppuru]

How did we determine what to remove here?

[sp1999]

https://quip-amazon.com/cUORAQaTboBZ/Extended-Kubernetes-version-support-for-EKS-Anywhere#temp:C:ceKc799977659fd44e0916fb1899

We are only concerned with the tampering of the above fields for extended support. In the future, if we need to include more fields in the bundle signature for particular usecase, it can be easily added by removing it from the Excludes annotation here.

[vivek-koppuru]

Yea these should be phrased as such right?

Suggested change

	return false, fmt.Errorf("unable to decode the public key (not base 64): %w", err)
	return false, fmt.Errorf("decoding the public key as string: %w", err)

[vivek-koppuru]

Yea this is a right error message

[vivek-koppuru]

Are we planning to update the cluster status in any way, or this will just be reflected as an error in the controller logs?

[panktishah26]

I have updated the status fields with error.

[panktishah26]

/test eks-anywhere-release-tooling-test-presubmit

[vivek-koppuru]

Suggested change

	K8sVersionNotSupportedReason FailureReasonType = "ExtendedKubernetesVersionNotSupported"
	ExtendedK8sVersionSupportNotSupportedReason FailureReasonType = "ExtendedKubernetesVersionSupportNotSupported"

[vivek-koppuru]

Can you rename this file to fix spelling?

[sp1999]

/lgtm

[eks-distro-bot]

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment