Feature: Add base image verification and image signing. (#28)

🎁 This change incorporates the `cosign` TF provider to verify our base image and sign the image we build. /kind feature
chainguard-dev · Apr 27, 2023 · ab9b5a0 · ab9b5a0
1 parent df52760
commit ab9b5a0
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -101,6 +101,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
+| <a name="provider_cosign"></a> [cosign](#provider\_cosign) | n/a |
 | <a name="provider_google"></a> [google](#provider\_google) | n/a |
 | <a name="provider_ko"></a> [ko](#provider\_ko) | n/a |
 | <a name="provider_random"></a> [random](#provider\_random) | n/a |
@@ -113,6 +114,7 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [cosign_sign.image](https://registry.terraform.io/providers/chainguard-dev/cosign/latest/docs/resources/sign) | resource |
 | [google_cloud_run_service.probers](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_service) | resource |
 | [google_cloud_run_service_iam_policy.noauths](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_service_iam_policy) | resource |
 | [google_compute_backend_service.probers](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_backend_service) | resource |
@@ -127,13 +129,13 @@ No modules.
 | [google_monitoring_uptime_check_config.regional_uptime_check](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_uptime_check_config) | resource |
 | [ko_build.image](https://registry.terraform.io/providers/ko-build/ko/latest/docs/resources/build) | resource |
 | [random_password.secret](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
+| [cosign_verify.base-image](https://registry.terraform.io/providers/chainguard-dev/cosign/latest/docs/data-sources/verify) | data source |
 | [google_iam_policy.noauth](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/iam_policy) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_base_image"></a> [base\_image](#input\_base\_image) | The base image that will be used to build the container image. | `string` | `"cgr.dev/chainguard/static:latest-glibc"` | no |
 | <a name="input_dns_zone"></a> [dns\_zone](#input\_dns\_zone) | The managed DNS zone in which to create prober record sets (required for multiple locations). | `string` | `""` | no |
 | <a name="input_domain"></a> [domain](#input\_domain) | The domain of the environment to probe (required for multiple locations). | `string` | `""` | no |
 | <a name="input_env"></a> [env](#input\_env) | A map of custom environment variables (e.g. key=value) | `map` | `{}` | no |

diff --git a/main.tf b/main.tf
@@ -5,6 +5,9 @@ SPDX-License-Identifier: Apache-2.0
 
 terraform {
   required_providers {
+    cosign = {
+      source = "chainguard-dev/cosign"
+    }
     ko = {
       source = "ko-build/ko"
     }
@@ -18,14 +21,47 @@ locals {
   repo = var.repository != "" ? var.repository : "gcr.io/${var.project_id}/${var.name}"
 }
 
+data "cosign_verify" "base-image" {
+  image = "cgr.dev/chainguard/static:latest-glibc"
+
+  policy = jsonencode({
+    apiVersion = "policy.sigstore.dev/v1beta1"
+    kind       = "ClusterImagePolicy"
+    metadata = {
+      name = "chainguard-images-are-signed"
+    }
+    spec = {
+      images = [{
+        glob = "cgr.dev/**"
+      }]
+      authorities = [{
+        keyless = {
+          url = "https://fulcio.sigstore.dev"
+          identities = [{
+            issuer  = "https://token.actions.githubusercontent.com"
+            subject = "https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main"
+          }]
+        }
+        ctlog = {
+          url = "https://rekor.sigstore.dev"
+        }
+      }]
+    }
+  })
+}
+
 // Build the prober into an image we can run on Cloud Run.
 resource "ko_build" "image" {
   repo        = local.repo
-  base_image  = var.base_image
+  base_image  = data.cosign_verify.base-image.verified_ref
   importpath  = var.importpath
   working_dir = var.working_dir
 }
 
+resource "cosign_sign" "image" {
+  image = ko_build.image.image_ref
+}
+
 // Create a shared secret to have the uptime check pass to the
 // Cloud Run app as an "Authorization" header to keep ~anyone
 // from being able to use our prober endpoints to indirectly
@@ -49,7 +85,7 @@ resource "google_cloud_run_service" "probers" {
     spec {
       service_account_name = var.service_account
       containers {
-        image = ko_build.image.image_ref
+        image = cosign_sign.image.signed_ref
 
         // This is a shared secret with the uptime check, which must be
         // passed in an Authorization header for the probe to do work.

diff --git a/variables.tf b/variables.tf
@@ -12,12 +12,6 @@ variable "project_id" {
   description = "The project that will host the prober."
 }
 
-variable "base_image" {
-  type        = string
-  default     = "cgr.dev/chainguard/static:latest-glibc"
-  description = "The base image that will be used to build the container image."
-}
-
 variable "repository" {
   type        = string
   default     = ""