docs(repo): add security and contribution

Signed-off-by: Oliver Bähler <[email protected]>

Author: oliverbaehler

DEVELOPMENT.md

@@ -0,0 +1,85 @@
+# How to
+
+## Chart Development
+
+### Chart Linting
+
+The chart is linted with [ct](https://github.com/helm/chart-testing). You can run the linter locally with this command:
+
+```
+make helm-lint
+```
+
+### Documentation
+
+The documentation for each chart is done with [helm-docs](https://github.com/norwoodj/helm-docs). This way we can ensure that values are consistent with the chart documentation. Run this anytime you make changes to a `values.yaml` file:
+
+```
+make helm-docs
+```
+
+## Run locally for test and debug
+
+This guide helps new contributors to locally debug in _out or cluster_ mode the project.
+
+1. You need to run a kind cluster and find the endpoint port of `kind-control-plane` using `docker ps`:
+
+```bash
+> docker ps
+CONTAINER ID   IMAGE                  COMMAND                  CREATED          STATUS          PORTS                       NAMES
+88432e392adb   kindest/node:v1.20.2   "/usr/local/bin/entr…"   32 seconds ago   Up 28 seconds   127.0.0.1:64582->6443/tcp   kind-control-plane
+```
+
+2. You need to generate TLS cert keys for localhost, you can use [mkcert](https://github.com/FiloSottile/mkcert):
+
+```bash
+> cd /tmp
+> mkcert localhost
+> ls
+localhost-key.pem localhost.pem
+```
+
+3. Run the proxy with the following options
+
+```bash
+# Set KUBECONFIG environment variable with the Kubernetes configuration file if you are not currently using it.
+# export KUBECONFIG=<YOUR KUBERNETES CONFIGURATION FILE> or just type it before the command, i.e. `KUBECONFIG=<YOUR KUBERNETES CONFIGURATION FILE> go run main.go ...`
+$ go run main.go --ssl-cert-path=/tmp/localhost.pem --ssl-key-path=/tmp/localhost-key.pem  --enable-ssl=true
+```
+
+4. Edit the `KUBECONFIG` file (you should make a copy and work on it) as follows:
+- Find the section of your cluster
+- replace the server path with `https://localhost:9001`
+- replace the certificate-authority-data path with the content of your rootCA.pem file. (if you use mkcert, you'll find with `cat "$(mkcert -CAROOT)/rootCA.pem"|base64|tr -d '\n'`)
+
+5. Now you should be able to run kubectl using the proxy!
+
+## Debug in a remote Kubernetes cluster
+
+In some cases, you would need to debug the in-cluster mode and [`delve`](https://github.com/go-delve/delve) plays a big role here.
+
+1. build the Docker image with `delve` issuing `make dlv-build`
+2. with the `clastix/capsule-proxy:dlv` produced Docker image, publish it or load it to your [KinD](https://github.com/kubernetes-sigs/kind) instance (`kind load docker-image --name capsule --nodes capsule-control-plane clastix/capsule-proxy:dlv`)
+3. change the Deployment image using `kubectl edit` or `kubectl set image deployment/capsule-proxy capsule-proxy=clastix/capsule-proxy:dlv`
+4. wait for the image rollout (`kubectl -n capsule-system rollout status deployment/capsule-proxy`)
+5. perform the port-forwarding with `kubectl -n capsule-system port-forward $(kubectl -n capsule-system get pods -l app.kubernetes.io/name=capsule-proxy --output name) 2345:2345`
+6. connect using your `delve` options
+
+> _Nota Bene_: the application could be killed by the Liveness Probe since delve will wait for the debugger connection before starting it.
+> Feel free to edit and remove the probes to avoid this kind of issue.
+
+## HTTP support
+
+Capsule proxy supports `https` and `http`, although the latter is not recommended, we understand that it can be useful for some use cases (i.e. development, working behind a TLS-terminated reverse proxy and so on).
+
+As the default behaviour is to work with `https`, we need to use the flag `--enable-ssl=false` if we really want to work under `http`.
+
+After having **Capsule-Proxy** working under `http`, requests must provide *authentication* using an allowed Bearer Token. Example:
+
+```bash
+$ TOKEN=<type your TOKEN>
+$ curl -H "Authorization: Bearer $TOKEN" http://localhost:9001/api/v1/namespaces
+```
+
+> **NOTE**: `kubectl` will not work against a http server.
+

SECURITY.md

@@ -0,0 +1,115 @@
+# Security Policy
+
+The Capsule community has adopted this security disclosures and response policy to ensure we responsibly handle critical issues.
+
+## Bulletins
+
+For information regarding the security of this project please join our [slack channel](https://kubernetes.slack.com/archives/C03GETTJQRL).
+
+
+## Covered Repositories and Issues
+
+When we say "a security vulnerability in capsule" we mean a security issue
+in any repository under the [projectcapsule GitHub organization](https://github.com/projectcapsule/).
+
+This reporting process is intended only for security issues in the capsule
+project itself, and doesn't apply to applications _using_ capsule or to
+issues which do not affect security.
+
+Don't use this process if:
+
+  * You have issues with your capsule installation or configuration
+  * Your issue is not security related
+
+
+### Explicitly Not Covered: Vulnerability Scanner Reports
+
+We do not accept reports which amount to copy and pasted output from a vulnerability
+scanning tool **unless** work has specifically been done to confirm that a vulnerability
+reported by the tool _actually exists_ in capsule.
+
+## Reporting a Vulnerability
+
+To report a security issue or vulnerability, [submit a private vulnerability report via GitHub](https://github.com/projectcapsule/capsule-proxy/security/advisories/new) to the repository maintainers with a description of the issue, the steps you took to create the issue, affected versions, and, if known, mitigations for the issue.
+
+Describe the issue in English, ideally with some example configuration or code which allows the issue to be reproduced. Explain why you believe this to be a security issue in capsule-proxy, if that's not obvious. should contain the following:
+
+     * description of the problem
+     * precise and detailed steps (include screenshots) 
+     * the affected version(s). This may also include environment relevant versions.
+     * any possible mitigations
+
+If the issue is confirmed as a vulnerability, we will open a Security Advisory and acknowledge your contributions as part of it.
+
+## Reponse
+
+Response times could be affected by weekends, holidays, breaks or time zone differences. That said, the security response team will endeavour to reply as soon as possible, ideally within 5 working days.
+
+## Security Contacts
+
+[Maintainers](./github/maintainers.yaml) of this project are responsible for the security of the project as outlined in this policy.
+
+# Release Artifacts
+
+[See all the available artifacts](https://github.com/orgs/projectcapsule/packages?repo_name=capsule-proxy)
+
+## Verifing
+
+To verify artifacts you need to have [cosign installed](https://github.com/sigstore/cosign#installation). This guide assumes you are using v2.x of cosign. All of the signatures are created using [keyless signing](https://docs.sigstore.dev/verifying/verify/#keyless-verification-using-openid-connect). We have a seperate repository for all the signatures for all the artifacts released under the projectcapsule - `ghcr.io/projectcapsule/signatures`. You can set the environment variable `COSIGN_REPOSITORY` to point to this repository. For example:
+
+    export COSIGN_REPOSITORY=ghcr.io/projectcapsule/signatures
+
+To verify the signature of the docker image, run the following command. Replace `<release_tag>` with an [available release tag](https://github.com/projectcapsule/capsule-proxy/pkgs/container/capsule-proxy):
+
+    COSIGN_REPOSITORY=ghcr.io/projectcapsule/signatures cosign verify ghcr.io/projectcapsule/capsule-proxy:<release_tag> \
+      --certificate-identity-regexp="https://github.com/projectcapsule/capsule-proxy/.github/workflows/docker-publish.yml@refs/tags/*" \
+      --certificate-oidc-issuer="https://token.actions.githubusercontent.com" | jq
+
+To verify the signature of the helm image, run the following command. Replace `<release_tag>` with an [available release tag](https://github.com/projectcapsule/capsule/pkgs/container/charts%2Fcapsule):
+
+    COSIGN_REPOSITORY=ghcr.io/projectcapsule/signatures cosign verify ghcr.io/projectcapsule/charts/capsule-proxy:<release_tag> \
+      --certificate-identity-regexp="https://github.com/projectcapsule/capsule-proxy/.github/workflows/helm-publish.yml@refs/tags/*" \
+      --certificate-oidc-issuer="https://token.actions.githubusercontent.com" | jq
+
+
+## Verifying Provenance
+
+Capsule creates and attests to the provenance of its builds using the [SLSA standard](https://slsa.dev/spec/v0.2/provenance) and meets the [SLSA Level 3](https://slsa.dev/spec/v0.1/levels) specification. The attested provenance may be verified using the cosign tool.
+
+Verify the provenance of the docker image. Replace `<release_tag>` with an [available release tag](https://github.com/projectcapsule/capsule-proxy/pkgs/container/capsule-proxy)
+
+```bash
+cosign verify-attestation --type slsaprovenance \
+  --certificate-identity-regexp="https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/*" \
+  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
+  ghcr.io/projectcapsule/capsule-proxy:<release_tag> | jq .payload -r | base64 --decode | jq
+```
+
+Verify the provenance of the helm image. Replace `<release_tag>` with an [available release tag](https://github.com/projectcapsule/capsule-proxy/pkgs/container/charts%2Fcapsule-proxy)
+
+```bash
+cosign verify-attestation --type slsaprovenance \
+  --certificate-identity-regexp="https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/*" \
+  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
+  ghcr.io/projectcapsule/charts/capsule-proxy:<release_tag> | jq .payload -r | base64 --decode | jq
+```
+
+## Software Bill of Materials (SBOM)
+
+An SBOM (Software Bill of Materials) in CycloneDX JSON format is published for each Kyverno release, including pre-releases. Like signatures, SBOMs are stored in a separate repository at `ghcr.io/projectcapsule/sbom`. You can set the environment variable `COSIGN_REPOSITORY` to point to this repository. For example:
+
+    export COSIGN_REPOSITORY=ghcr.io/projectcapsule/sbom
+
+To inspect the SBOM of the docker image, run the following command. Replace `<release_tag>` with an [available release tag](https://github.com/projectcapsule/capsule-proxy/pkgs/container/capsule-proxy):
+
+
+    COSIGN_REPOSITORY=ghcr.io/projectcapsule/sbom cosign download sbom ghcr.io/projectcapsule/capsule-proxy:<release_tag>
+    
+To inspect the SBOM of the helm image, run the following command. Replace `<release_tag>` with an [available release tag](https://github.com/projectcapsule/capsule-proxy/pkgs/container/charts%2Fcapsule-proxy):
+
+    COSIGN_REPOSITORY=ghcr.io/projectcapsule/sbom cosign download sbom ghcr.io/projectcapsule/charts/capsule-proxy:<release_tag>
+
+
+# Credits
+
+Our Security Policy and Workflows are based on the work of the [Kyverno](https://github.com/kyverno) and [Cert-Manager](https://github.com/cert-manager) community.