diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index fc9d88e..2e9e2c4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -99,7 +99,7 @@ jobs:
 - name: Generate SLSA metadata
 id: slsa
 run: |
- image_url=fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }}
+ image_url=ghcr.io/controlplaneio-fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }}
 echo "image_url=$image_url" >> $GITHUB_OUTPUT
 image_digest=${{ steps.build-push.outputs.digest }}
@@ -114,7 +114,7 @@ jobs:
 if: startsWith(github.ref, 'refs/tags/v')
 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
 with:
- image: ghcr.io/${{ needs.release.outputs.image_url }}
+ image: ${{ needs.release.outputs.image_url }}
 digest: ${{ needs.release.outputs.image_digest }}
 registry-username: ${{ github.actor }}
 secrets:
diff --git a/README.md b/README.md
index c4982fc..12b0647 100644
--- a/README.md
+++ b/README.md
@@ -3,6 +3,7 @@
 [![release](https://img.shields.io/github/release/controlplaneio-fluxcd/flux-operator/all.svg)](https://github.com/controlplaneio-fluxcd/flux-operator/releases)
 [![e2e](https://github.com/controlplaneio-fluxcd/flux-operator/actions/workflows/e2e.yaml/badge.svg)](https://github.com/controlplaneio-fluxcd/flux-operator/actions/workflows/e2e.yaml)
 [![license](https://img.shields.io/github/license/controlplaneio-fluxcd/flux-operator.svg)](https://github.com/controlplaneio-fluxcd/flux-operator/blob/main/LICENSE)
+[![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](#supply-chain-security)
 The Flux Operator is a Kubernetes CRD controller that manages the lifecycle of the [Flux CD](https://fluxcd.io) distribution.
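Review bot: The registry and org prefix `ghcr.io/controlplaneio-fluxcd/` is now a literal inside the `run:` script of the "Generate SLSA metadata" step, separate from wherever `steps.build-push` derives the tags it actually pushes (outside this hunk); if the two ever diverge, the generator in the `@@ -114` hunk attests a subject that was never pushed and `cosign verify-attestation` against the published image fails. Defining the repository once at workflow level and using it both for the push tags and here (an `env` entry such as `IMAGE_REPO`, name suggested) keeps the provenance subject tied to what was pushed. The expression `${{ steps.prep.outputs.version }}` is also expanded directly into shell text; if `version` is ever derived from a ref or input a contributor can influence, this is the GitHub expression-injection pattern, and routing it through `env:` (`VERSION: ${{ steps.prep.outputs.version }}`, then `image_url="ghcr.io/controlplaneio-fluxcd/${CONTROLLER}:${VERSION}"`) is the safe form. The step body continues past the hunk, where `image_digest` is presumably written to `$GITHUB_OUTPUT` the same way, and any other consumer of `needs.release.outputs.image_url` beyond the `@@ -114` hunk would need the same prefix update.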
@@ -73,3 +74,63 @@ spec:
 path: /spec/template/spec/containers/0/args/-
 value: --requeue-dependency=5s
 ```
+
+## Supply Chain Security
+
+The build, release and provenance portions of the ControlPlane distribution supply chain meet
+[SLSA Build Level 3](https://slsa.dev/spec/v1.0/levels).
+
+### Software Bill of Materials
+
+The ControlPlane images come with SBOMs in SPDX format for each CPU architecture.
+
+Example of extracting the SBOM from the flux-operator image:
+
+```shell
+docker buildx imagetools inspect \
+ ghcr.io/controlplaneio-fluxcd/flux-operator:v0.0.2 \
+ --format "{{ json (index .SBOM \"linux/amd64\").SPDX}}"
+```
+
+### Signature Verification
+
+The ControlPlane images are signed using Sigstore Cosign and GitHub OIDC.
+
+Example of verifying the signature of the flux-operator image:
+
+```shell
+cosign verify ghcr.io/controlplaneio-fluxcd/flux-operator:v0.0.2 \
+ --certificate-identity-regexp=^https://github\\.com/controlplaneio-fluxcd/.*$ \
+ --certificate-oidc-issuer=https://token.actions.githubusercontent.com
+```
+
+### SLSA Provenance Verification
+
+The provenance attestations are generated at build time with Docker Buildkit and
+include facts about the build process such as:
+
+- Build timestamps
+- Build parameters and environment
+- Version control metadata
+- Source code details
+- Materials (files, scripts) consumed during the build
+
+Example of extracting the SLSA provenance JSON for the flux-operator image:
+
+```shell
+docker buildx imagetools inspect \
+ ghcr.io/controlplaneio-fluxcd/flux-operator:v0.0.2 \
+ --format "{{ json (index .Provenance \"linux/amd64\").SLSA}}"
+```
+
+The provenance of the build artifacts is generated with the official
+[SLSA GitHub Generator](https://github.com/slsa-framework/slsa-github-generator).
+
+Example of verifying the provenance of the flux-operator image:
+
+```shell
+cosign verify-attestation --type slsaprovenance \
+ --certificate-identity-regexp=^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml.*$ \
+ --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+ ghcr.io/controlplaneio-fluxcd/flux-operator:v0.0.2
+```
diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
index 555b942..3b8a094 100644
--- a/config/manager/kustomization.yaml
+++ b/config/manager/kustomization.yaml
@@ -7,4 +7,4 @@ resources:
 images:
 - name: flux-operator
 newName: ghcr.io/controlplaneio-fluxcd/flux-operator
- newTag: v0.0.1
+ newTag: v0.0.2