Merge pull request kurator-dev#588 from LiZhenCheng9527/image-sign

sign kurator images
LiZhenCheng9527 · Jan 29, 2024 · 6cae035 · 6cae035
2 parents 33e5fcc + 9075db3
commit 6cae035
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 0 deletions.
diff --git a/.github/workflows/release-image.yaml b/.github/workflows/release-image.yaml
@@ -7,6 +7,8 @@ on:
 
 jobs:
   build-push:
+    permissions:
+      id-token: write # To be able to get OIDC ID token to sign images.
     runs-on: ubuntu-latest
     steps:
       - name: Get image version
@@ -21,12 +23,24 @@ jobs:
         with:
           go-version: 1.20.x
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.0.3
+        with:
+          cosign-release: 'v1.13.1'
+
       - name: Compile
         run: make build
 
       - name: Build Docker Image
         run: VERSION=${{ env.image_version }} make docker
 
+      - name: Sign Image
+        env:
+          VERSION: ${{ env.image_version }}
+          COSIGN_EXPERIMENTAL: 1
+          SIGN_IMAGE: 1
+        run: make sign-image
+
       - name: Login to ghcr.io
         # This is where you will update the PAT to GITHUB_TOKEN
         run: echo "${{ secrets.GH_PAT }}" | docker login ghcr.io -u $ --password-stdin

diff --git a/Makefile b/Makefile
@@ -75,6 +75,10 @@ docker-push: docker
 	docker push ${IMAGE_HUB}/cluster-operator:${IMAGE_TAG}
 	docker push ${IMAGE_HUB}/fleet-manager:${IMAGE_TAG}
 
+.PHONY: sign-image 
+sign-image:
+	./hack/image-sign.sh
+
 .PHONY: lint
 lint: golangci-lint lint-copyright lint-markdown lint-shellcheck
 

diff --git a/hack/image-sign.sh b/hack/image-sign.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+IMAGE_HUB=${IMAGE_HUB:-"ghcr.io/kurator-dev"}
+IMAGE_TAG=${VERSION:-"$(VERSION)"}
+SIGN_IMAGE=${SIGN_IMAGE:-"0"}
+
+CLUSTER_OPERATOR_IMAGE=${CLUSTER_OPERATOR_IMAGE:-"${IMAGE_HUB}/cluster-operator:${IMAGE_TAG}"}
+FLEET_MANAGER_IMAGE=${FLEET_MANAGER_IMAGE:-"${IMAGE_HUB}/fleet-manager:${IMAGE_TAG}"}
+
+if [ "$SIGN_IMAGE" = "1" ]; then
+    echo "Sign image: ""${CLUSTER_OPERATOR_IMAGE}"
+    cosign sign --yes "${CLUSTER_OPERATOR_IMAGE}"
+    echo "Sign image: ""${FLEET_MANAGER_IMAGE}"
+    cosign sign --yes "${FLEET_MANAGER_IMAGE}"
+else
+    echo "Warning: The build image is not signed"
+fi
+