From 853543c29d659451fb66134faf8ddbadcc190b90 Mon Sep 17 00:00:00 2001
From: LiZhenCheng9527
Date: Sat, 27 Jan 2024 16:22:34 +0800
Subject: [PATCH 1/2] sign kurator images

Signed-off-by: LiZhenCheng9527
---
 .github/workflows/release-image.yaml | 14 ++++++++++++++
 Makefile | 4 ++++
 hack/image-sign.sh | 18 ++++++++++++++++++
 3 files changed, 36 insertions(+)
 create mode 100755 hack/image-sign.sh

diff --git a/.github/workflows/release-image.yaml b/.github/workflows/release-image.yaml
index a89d75042..98424394a 100644
--- a/.github/workflows/release-image.yaml
+++ b/.github/workflows/release-image.yaml
@@ -7,6 +7,8 @@ on:
 
 jobs:
 build-push:
+ permissions:
+ id-token: write # To be able to get OIDC ID token to sign images.
 runs-on: ubuntu-latest
 steps:
 - name: Get image version
@@ -21,12 +23,24 @@ jobs:
 with:
 go-version: 1.20.x
 
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3.0.3
+ with:
+ cosign-release: 'v1.13.1'
+
 - name: Compile
 run: make build
 
 - name: Build Docker Image
 run: VERSION=${{ env.image_version }} make docker
 
+ - name: Sign Image
+ env:
+ VERSION: ${{ env.image_version }}
+ COSIGN_EXPERIMENTAL: 1
+ SIGN_IMAGE: 1
+ run: make sign-image
+
 - name: Login to ghcr.io
 # This is where you will update the PAT to GITHUB_TOKEN
 run: echo "${{ secrets.GH_PAT }}" | docker login ghcr.io -u $ --password-stdin
diff --git a/Makefile b/Makefile
index 4da070d12..3e2be66a5 100644
--- a/Makefile
+++ b/Makefile
@@ -75,6 +75,10 @@ docker-push: docker
 docker push ${IMAGE_HUB}/cluster-operator:${IMAGE_TAG}
 docker push ${IMAGE_HUB}/fleet-manager:${IMAGE_TAG}
 
+.PHONY: sign-image
+sign-image:
+ ./hack/image-sign.sh
+
 .PHONY: lint
 lint: golangci-lint lint-copyright lint-markdown lint-shellcheck
 
diff --git a/hack/image-sign.sh b/hack/image-sign.sh
new file mode 100755
index 000000000..e96bf8b07
--- /dev/null
+++ b/hack/image-sign.sh
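Review bot: Declaring `permissions:` at job level with only `id-token: write` resets every other scope of this job's GITHUB_TOKEN to `none`, including `contents`; the rest of the `build-push` job is outside the hunk, so if any of its steps checks out a private repository or calls the GitHub API with GITHUB_TOKEN, add `contents: read` next to `id-token: write` or that step will start failing once this lands. The comment could also name what the token is for, e.g. `id-token: write # OIDC token cosign exchanges for a short-lived Fulcio signing certificate (keyless)`. The job body continues past the end of this hunk.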
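Review bot: The new `Sign Image` step runs after `make docker` but before `Login to ghcr.io` and whatever push step follows the hunk, and the Makefile hunk in this patch shows that `make docker` does not push; `cosign sign ghcr.io/...:tag` resolves the tag against the registry, so at this point it either fails because the tag is not published yet or, worse, signs the digest that tag pointed to from a previous release. Move the step after the push and have it sign the immutable `@sha256:` digest of the image that was just pushed rather than the mutable tag. Separately, `sigstore/cosign-installer@v3.0.3` is pinned to a movable tag, not a commit SHA, and `cosign-release: 'v1.13.1'` with `COSIGN_EXPERIMENTAL: 1` selects the v1-era keyless flow; pin the action to a full SHA and consider a v2 cosign, where keyless is the default and the env var is no longer needed. The login and push steps are outside this hunk.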
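Review bot: The `sign-image` recipe runs `./hack/image-sign.sh` without passing `IMAGE_HUB` or `IMAGE_TAG`, while `docker-push` a few lines up pushes `${IMAGE_HUB}/cluster-operator:${IMAGE_TAG}`; the script rebuilds the references from its own defaults, so whenever the Makefile's values differ from `ghcr.io/kurator-dev` and `$VERSION` (Make variables are not exported to recipes unless `export`ed; the definitions are outside this hunk), the signature is attached to a reference that was never pushed, or the call fails. Feed the script the same variables the push uses: `	IMAGE_HUB=$(IMAGE_HUB) VERSION=$(IMAGE_TAG) ./hack/image-sign.sh`. Consider also listing `docker-push` as a prerequisite of `sign-image` so the tag exists in the registry before cosign resolves it.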
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+IMAGE_HUB=${IMAGE_HUB:-"ghcr.io/kurator-dev"}
+IMAGE_TAG=${VERSION:-"$(VERSION)"}
+SIGN_IMAGE=${SIGN_IMAGE:-"0"}
+
+CLUSTER_OPERATOR_IMAGE=${CLUSTER_OPERATOR_IMAGE:-"${IMAGE_HUB}/cluster-operator:${IMAGE_TAG}"}
+FLEET_MANAGER_IMAGE=${FLEET_MANAGER_IMAGE:-"${IMAGE_HUB}/fleet-manager:${IMAGE_TAG}"}
+
+if [ $SIGN_IMAGE = "1" ]; then
+ echo "Sign image: "${CLUSTER_OPERATOR_IMAGE}
+ cosign sign --yes ${CLUSTER_OPERATOR_IMAGE}
+ echo "Sign image: "${FLEET_MANAGER_IMAGE}
+ cosign sign --yes ${FLEET_MANAGER_IMAGE}
+else
+ echo "Warning: The build image is not signed"
+fi
+
\ No newline at end of file

From 9075db324e330cb7f09920f94471ebbde8ad0d8f Mon Sep 17 00:00:00 2001
From: LiZhenCheng9527
Date: Sat, 27 Jan 2024 17:14:00 +0800
Subject: [PATCH 2/2] add double quote in image-sign.sh to prevent globbing and word splitting

Signed-off-by: LiZhenCheng9527
---
 hack/image-sign.sh | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/hack/image-sign.sh b/hack/image-sign.sh
index e96bf8b07..6913ad268 100755
--- a/hack/image-sign.sh
+++ b/hack/image-sign.sh
@@ -7,11 +7,11 @@ SIGN_IMAGE=${SIGN_IMAGE:-"0"}
 CLUSTER_OPERATOR_IMAGE=${CLUSTER_OPERATOR_IMAGE:-"${IMAGE_HUB}/cluster-operator:${IMAGE_TAG}"}
 FLEET_MANAGER_IMAGE=${FLEET_MANAGER_IMAGE:-"${IMAGE_HUB}/fleet-manager:${IMAGE_TAG}"}
 
-if [ $SIGN_IMAGE = "1" ]; then
- echo "Sign image: "${CLUSTER_OPERATOR_IMAGE}
- cosign sign --yes ${CLUSTER_OPERATOR_IMAGE}
- echo "Sign image: "${FLEET_MANAGER_IMAGE}
- cosign sign --yes ${FLEET_MANAGER_IMAGE}
+if [ "$SIGN_IMAGE" = "1" ]; then
+ echo "Sign image: ""${CLUSTER_OPERATOR_IMAGE}"
+ cosign sign --yes "${CLUSTER_OPERATOR_IMAGE}"
+ echo "Sign image: ""${FLEET_MANAGER_IMAGE}"
+ cosign sign --yes "${FLEET_MANAGER_IMAGE}"
 else
 echo "Warning: The build image is not signed"
 fi
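Review bot: `IMAGE_TAG=${VERSION:-"$(VERSION)"}` uses `$(VERSION)`, which in bash is command substitution (run a program named `VERSION`), not a Make variable reference; when `VERSION` is unset this prints `VERSION: command not found`, leaves `IMAGE_TAG` empty, and the script goes on to sign `ghcr.io/kurator-dev/cluster-operator:`, an invalid reference. Fail loudly instead: `IMAGE_TAG=${VERSION:?VERSION must be set to the image tag to sign}`. The script also has no error handling, so a failed `cosign sign` of cluster-operator is masked whenever the following fleet-manager call succeeds, because the script's exit status is that of its last command; add `set -euo pipefail` right after the shebang so the workflow step goes red on the first image that is not signed. The file also ends without a trailing newline, which the diff flags; drop the dangling blank line.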
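Review bot: The quoting closes the word-splitting hole, but both `cosign sign --yes "${...}"` calls still target a mutable `name:tag` reference; cosign resolves the tag against the registry at call time, so the signature binds to whatever digest the registry holds under that tag at that moment, not necessarily the image this run built, and if the tag has not been pushed yet the call simply fails. Resolve the immutable digest first and sign that, as in the helper below; `docker inspect` only reports `RepoDigests` for an image that has been pushed or pulled, so the push must happen before this script runs (the workflow order is not visible from this hunk), and `index .RepoDigests 0` assumes the image carries a single repo digest, which should be checked if it is also tagged for another registry. The `IMAGE_TAG`/`VERSION` assignment at the top of the script is outside this hunk.
```shell
# sign_image resolves the pushed image's immutable digest and signs that,
# so the signature cannot be retargeted later by moving the tag.
sign_image() {
    local ref="$1" digest
    digest=$(docker inspect --format='{{index .RepoDigests 0}}' "${ref}") || return 1
    echo "Sign image: ${digest}"
    cosign sign --yes "${digest}"
}

if [ "$SIGN_IMAGE" = "1" ]; then
    sign_image "${CLUSTER_OPERATOR_IMAGE}" || exit 1
    sign_image "${FLEET_MANAGER_IMAGE}" || exit 1
# … unchanged: else branch with the "not signed" warning …
```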