Merge pull request #740 from alexander-demicev/signimage
Sign published turtles manifest and all underlying images
alexander-demicev authored Sep 16, 2024
2 parents e7198cd + c4d9f22 commit 2fb55ae
Showing 15 changed files with 29 additions and 45 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/nightly-chart-and-image-publish.yaml
Expand Up @@ -31,7 +31,7 @@ jobs:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build docker image
- name: Build and push docker images
run: make docker-build-and-push TAG=${{ env.TAG }} ORG=${{ env.PROD_ORG }}

publish-helm-chart-ghcr:
11 changes: 5 additions & 6 deletions .github/workflows/release_build/action.yaml
Expand Up @@ -45,12 +45,11 @@ runs:
password: ${{ inputs.password }}
- name: Build & Push docker image
shell: bash
run: make docker-build-and-push TAG=${{ inputs.tag }} REGISTRY=${{ inputs.registry }} ORG=${{ inputs.org }}
- name: Store image and digest
shell: bash
id: image_info
run: |
digest=$( docker images --digests --format "{{.Digest}}" | head -1 )
image=$( docker images --digests --format "{{.Repository}}" | head -1 )
IID_FILE=$(mktemp)
make docker-build-and-push TAG=${{ inputs.tag }} REGISTRY=${{ inputs.registry }} ORG=${{ inputs.org }} IID_FILE=${IID_FILE}
digest=$(head -n 1 ${IID_FILE})
image=${{ inputs.registry }}/${{ inputs.registry }}/turtles
echo "digest=${digest}" >> $GITHUB_OUTPUT
echo "image=${image}" >> $GITHUB_OUTPUT
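Review bot: `image=${{ inputs.registry }}/${{ inputs.registry }}/turtles` repeats the registry where the org belongs, so the `image` output — and therefore the ref handed to the signing action — becomes something like `ghcr.io/ghcr.io/turtles`, which is not the ref `make docker-build-and-push` pushed under `$(REGISTRY)/$(ORG)/...`; it should read `image=${{ inputs.registry }}/${{ inputs.org }}/turtles`. Quote the shell expansions as well, e.g. `digest=$(head -n 1 "${IID_FILE}")`, and fail fast when the iidfile yields nothing (`[ -n "${digest}" ] || { echo "no image digest produced" >&2; exit 1; }`) so an empty digest surfaces here rather than as an opaque cosign error downstream. The hardcoded `turtles` also duplicates the Makefile's `CONTROLLER_IMAGE_NAME` default; a drift there would silently sign the wrong ref. The composite action's `inputs` block is outside this hunk, so I have not checked that `inputs.org` is declared.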
9 changes: 2 additions & 7 deletions .github/workflows/release_sign/action.yaml
Expand Up @@ -44,15 +44,10 @@ runs:
username: ${{ inputs.username }}
password: ${{ inputs.password }}
- uses: sigstore/cosign-installer@v3.4.0
- name: Sign manifests
shell: bash
env:
COSIGN_EXPERIMENTAL: 1
run: |
cosign sign --yes ${{ inputs.image }}@${{ inputs.digest }} --oidc-provider=${{ inputs.oidc-provider }}
- name: Verify pushed ghcr images
- name: Sign and verify manifests
shell: bash
env:
COSIGN_EXPERIMENTAL: 1
run: |
cosign sign --yes ${{ inputs.image }}@${{ inputs.digest }} --oidc-provider=${{ inputs.oidc-provider }} --recursive
cosign verify ${{ inputs.image }}@${{ inputs.digest }} --certificate-identity=${{ inputs.identity }} --certificate-oidc-issuer=${{ inputs.oids-issuer }}
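Review bot: `sigstore/cosign-installer@v3.4.0` is pinned to a mutable tag while `aquasecurity/trivy-action` in this same commit is pinned to a commit SHA; for the step that produces the release signatures, pin the installer to its release commit SHA as well (keeping `# v3.4.0` as a trailing comment) so a retagged action cannot swap out the signing tool. The verify line reads `${{ inputs.oids-issuer }}`: if the action's inputs block (outside this hunk) declares that input as `oidc-issuer`, the expansion is empty and `--certificate-oidc-issuer=` no longer constrains the issuer — confirm the name matches. `COSIGN_EXPERIMENTAL: 1` looks like a cosign v1 leftover; with cosign v2, which I believe this installer version provides, keyless signing is the default and the variable has no effect, so it can be dropped. Note that `cosign verify` checks the signature on the index digest only; the per-platform manifests signed by `--recursive` are not covered by this verification step.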
4 changes: 2 additions & 2 deletions .github/workflows/trivy.yml
Expand Up @@ -24,11 +24,11 @@ jobs:
uses: actions/checkout@v4.1.7
- name: Build an image
run: |
TAG=${{ github.sha }} ARCH=amd64 make docker-build
TAG=${{ github.sha }} make docker-build
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d
with:
image-ref: 'ghcr.io/rancher/turtles-amd64:${{ github.sha }}'
image-ref: 'ghcr.io/rancher/turtles:${{ github.sha }}'
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
16 changes: 8 additions & 8 deletions Makefile
Expand Up @@ -159,16 +159,15 @@ NOTES := $(abspath $(TOOLS_BIN_DIR)/$(NOTES_BIN))

# Registry / images
TAG ?= dev
ARCH ?= $(shell go env GOARCH)
ALL_ARCH = amd64 arm64
ARCH ?= linux/$(shell go env GOARCH)
TARGET_PLATFORMS := linux/amd64,linux/arm64
MACHINE := rancher-turtles
REGISTRY ?= ghcr.io
ORG ?= rancher
CONTROLLER_IMAGE_NAME ?= turtles
CONTROLLER_IMG ?= $(REGISTRY)/$(ORG)/$(CONTROLLER_IMAGE_NAME)
MANIFEST_IMG ?= $(CONTROLLER_IMG)-$(ARCH)
CONTROLLER_IMAGE_VERSION ?= $(shell git describe --abbrev=0 2>/dev/null)
IID_FILE ?= $(shell mktemp)

# Release
RELEASE_TAG ?= $(shell git describe --abbrev=0 2>/dev/null)
Expand Down Expand Up @@ -348,22 +347,23 @@ docker-build: buildx-machine docker-pull-prerequisites ## Build docker image for
--build-arg builder_image=$(GO_CONTAINER_IMAGE) \
--build-arg goproxy=$(GOPROXY) \
--build-arg package=. \
--build-arg ldflags="$(LDFLAGS)" . -t $(MANIFEST_IMG):$(TAG)
--build-arg ldflags="$(LDFLAGS)" . -t $(CONTROLLER_IMG):$(TAG)

.PHONY: docker-build-and-push
docker-build-and-push: buildx-machine docker-pull-prerequisites ## Run docker-build-and-push targets for all architectures
DOCKER_BUILDKIT=1 BUILDX_BUILDER=$(MACHINE) docker buildx build \
--platform $(TARGET_PLATFORMS) \
--push \
--attest type=provenance \
--sbom=true \
--attest type=provenance,mode=max \
--iidfile=$(IID_FILE) \
--build-arg builder_image=$(GO_CONTAINER_IMAGE) \
--build-arg goproxy=$(GOPROXY) \
--build-arg package=. \
--build-arg ldflags="$(LDFLAGS)" . -t $(MANIFEST_IMG):$(TAG)
--build-arg ldflags="$(LDFLAGS)" . -t $(CONTROLLER_IMG):$(TAG)

docker-list-all:
@echo $(CONTROLLER_IMG):${TAG}
@for arch in $(ALL_ARCH); do echo $(CONTROLLER_IMG)-$${arch}:${TAG}; done

##@ Deployment

Expand Down Expand Up @@ -546,7 +546,7 @@ test-e2e: $(GINKGO) $(HELM) $(CLUSTERCTL) kubectl e2e-image ## Run the end-to-en
.PHONY: e2e-image
e2e-image: ## Build the image for e2e tests
TAG=v0.0.1 CONTROLLER_IMAGE_NAME=turtles-e2e $(MAKE) docker-build
RELEASE_TAG=v0.0.1 CONTROLLER_IMG=$(REGISTRY)/$(ORG)/turtles-e2e-$(ARCH) CONTROLLER_IMAGE_VERSION=v0.0.1 $(MAKE) build-chart
RELEASE_TAG=v0.0.1 CONTROLLER_IMG=$(REGISTRY)/$(ORG)/turtles-e2e CONTROLLER_IMAGE_VERSION=v0.0.1 $(MAKE) build-chart

.PHONY: e2e-image-push
e2e-image-push: e2e-image ## Push the image for e2e tests
Expand Down
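Review bot: `IID_FILE ?= $(shell mktemp)` is a recursively expanded variable, so `$(shell mktemp)` runs — and creates a new temp file — every time `$(IID_FILE)` is expanded and at parse time of every `make` invocation, not only in `docker-build-and-push`; a second reference to it would read a different file than the one buildx wrote with `--iidfile`. Give the default simple flavour instead, e.g. `ifeq ($(origin IID_FILE),undefined)` / `IID_FILE := $(shell mktemp)` / `endif`. Separately, `--attest type=provenance,mode=max` records the build arguments in the published SLSA provenance, which includes `goproxy=$(GOPROXY)`; if GOPROXY is ever pointed at a private proxy with credentials in the URL, those credentials are published alongside the image — keep GOPROXY credential-free for release builds or fall back to `mode=min`. The `docker-build` target's header is outside this hunk, so I have only reviewed the lines shown.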
2 changes: 1 addition & 1 deletion test/e2e/config/operator.yaml
Expand Up @@ -2,7 +2,7 @@ managementClusterName: rancher-turtles-e2e

images:
# Use local dev images built source tree;
- name: ghcr.io/rancher/turtles-e2e-{ARCH}:v0.0.1 # This should be substituted with operator image
- name: ghcr.io/rancher/turtles-e2e:v0.0.1 # This should be substituted with operator image
loadBehavior: tryLoad

intervals:
3 changes: 1 addition & 2 deletions test/e2e/specs/migrate_gitops_provv1_mgmtv3.go
Expand Up @@ -25,7 +25,6 @@ import (
"os"
"path"
"path/filepath"
"runtime"
"strconv"
"time"

Expand Down Expand Up @@ -362,7 +361,7 @@ func MigrateToV3UsingGitOpsSpec(ctx context.Context, inputGetter func() MigrateT
BootstrapClusterProxy: input.BootstrapClusterProxy,
HelmBinaryPath: input.HelmBinaryPath,
Namespace: turtlesframework.DefaultRancherTurtlesNamespace,
Image: fmt.Sprintf("ghcr.io/rancher/turtles-e2e-%s", runtime.GOARCH),
Image: "ghcr.io/rancher/turtles-e2e",
Tag: input.E2EConfig.GetVariable(e2e.TurtlesVersionVar),
WaitDeploymentsReadyInterval: input.E2EConfig.GetIntervals(input.BootstrapClusterProxy.GetName(), "wait-controllers"),
SkipCleanup: true,
4 changes: 1 addition & 3 deletions test/e2e/suites/chart-upgrade/chart_upgrade_test.go
Expand Up @@ -21,8 +21,6 @@ package chart_upgrade

import (
_ "embed"
"fmt"
"runtime"

. "github.com/onsi/ginkgo/v2"
. "github.com/onsi/gomega"
Expand Down Expand Up @@ -77,7 +75,7 @@ var _ = Describe("Chart upgrade functionality should work", Label(e2e.ShortTestL
BootstrapClusterProxy: setupClusterResult.BootstrapClusterProxy,
HelmBinaryPath: e2eConfig.GetVariable(e2e.HelmBinaryPathVar),
Namespace: framework.DefaultRancherTurtlesNamespace,
Image: fmt.Sprintf("ghcr.io/rancher/turtles-e2e-%s", runtime.GOARCH),
Image: "ghcr.io/rancher/turtles-e2e",
Tag: e2eConfig.GetVariable(e2e.TurtlesVersionVar),
WaitDeploymentsReadyInterval: e2eConfig.GetIntervals(setupClusterResult.BootstrapClusterProxy.GetName(), "wait-controllers"),
AdditionalValues: rtInput.AdditionalValues,
3 changes: 1 addition & 2 deletions test/e2e/suites/embedded-capi-disabled-v3/suite_test.go
Expand Up @@ -23,7 +23,6 @@ import (
"context"
"fmt"
"path/filepath"
"runtime"
"strconv"
"testing"

Expand Down Expand Up @@ -161,7 +160,7 @@ var _ = BeforeSuite(func() {
TurtlesChartPath: e2eConfig.GetVariable(e2e.TurtlesPathVar),
CAPIProvidersYAML: e2e.CapiProviders,
Namespace: framework.DefaultRancherTurtlesNamespace,
Image: fmt.Sprintf("ghcr.io/rancher/turtles-e2e-%s", runtime.GOARCH),
Image: "ghcr.io/rancher/turtles-e2e",
Tag: e2eConfig.GetVariable(e2e.TurtlesVersionVar),
WaitDeploymentsReadyInterval: e2eConfig.GetIntervals(setupClusterResult.BootstrapClusterProxy.GetName(), "wait-controllers"),
AdditionalValues: map[string]string{
3 changes: 1 addition & 2 deletions test/e2e/suites/embedded-capi-disabled/suite_test.go
Expand Up @@ -23,7 +23,6 @@ import (
"context"
"fmt"
"path/filepath"
"runtime"
"strconv"
"testing"

Expand Down Expand Up @@ -162,7 +161,7 @@ var _ = BeforeSuite(func() {
TurtlesChartPath: e2eConfig.GetVariable(e2e.TurtlesPathVar),
CAPIProvidersYAML: e2e.CapiProviders,
Namespace: framework.DefaultRancherTurtlesNamespace,
Image: fmt.Sprintf("ghcr.io/rancher/turtles-e2e-%s", runtime.GOARCH),
Image: "ghcr.io/rancher/turtles-e2e",
Tag: e2eConfig.GetVariable(e2e.TurtlesVersionVar),
WaitDeploymentsReadyInterval: e2eConfig.GetIntervals(setupClusterResult.BootstrapClusterProxy.GetName(), "wait-controllers"),
AdditionalValues: map[string]string{
3 changes: 1 addition & 2 deletions test/e2e/suites/import-gitops-v3/suite_test.go
Expand Up @@ -23,7 +23,6 @@ import (
"context"
"fmt"
"path/filepath"
"runtime"
"strconv"
"testing"

Expand Down Expand Up @@ -162,7 +161,7 @@ var _ = BeforeSuite(func() {
TurtlesChartPath: e2eConfig.GetVariable(e2e.TurtlesPathVar),
CAPIProvidersYAML: e2e.CapiProviders,
Namespace: framework.DefaultRancherTurtlesNamespace,
Image: fmt.Sprintf("ghcr.io/rancher/turtles-e2e-%s", runtime.GOARCH),
Image: "ghcr.io/rancher/turtles-e2e",
Tag: e2eConfig.GetVariable(e2e.TurtlesVersionVar),
WaitDeploymentsReadyInterval: e2eConfig.GetIntervals(setupClusterResult.BootstrapClusterProxy.GetName(), "wait-controllers"),
AdditionalValues: map[string]string{
5 changes: 2 additions & 3 deletions test/e2e/suites/import-gitops/suite_test.go
Expand Up @@ -23,7 +23,6 @@ import (
"context"
"fmt"
"path/filepath"
"runtime"
"strconv"
"testing"

Expand Down Expand Up @@ -170,7 +169,7 @@ var _ = BeforeSuite(func() {
TurtlesChartPath: e2eConfig.GetVariable(e2e.TurtlesPathVar),
CAPIProvidersYAML: e2e.CapiProviders,
Namespace: framework.DefaultRancherTurtlesNamespace,
Image: fmt.Sprintf("ghcr.io/rancher/turtles-e2e-%s", runtime.GOARCH),
Image: "ghcr.io/rancher/turtles-e2e",
Tag: e2eConfig.GetVariable(e2e.TurtlesVersionVar),
WaitDeploymentsReadyInterval: e2eConfig.GetIntervals(setupClusterResult.BootstrapClusterProxy.GetName(), "wait-controllers"),
AdditionalValues: map[string]string{},
Expand Down Expand Up @@ -201,7 +200,7 @@ var _ = BeforeSuite(func() {
TurtlesChartPath: e2eConfig.GetVariable(e2e.TurtlesPathVar),
CAPIProvidersYAML: e2e.CapiProviders,
Namespace: framework.DefaultRancherTurtlesNamespace,
Image: fmt.Sprintf("ghcr.io/rancher/turtles-e2e-%s", runtime.GOARCH),
Image: "ghcr.io/rancher/turtles-e2e",
Tag: e2eConfig.GetVariable(e2e.TurtlesVersionVar),
WaitDeploymentsReadyInterval: e2eConfig.GetIntervals(setupClusterResult.BootstrapClusterProxy.GetName(), "wait-controllers"),
AdditionalValues: map[string]string{},
3 changes: 1 addition & 2 deletions test/e2e/suites/migrate-gitops/suite_test.go
Expand Up @@ -23,7 +23,6 @@ import (
"context"
"fmt"
"path/filepath"
"runtime"
"strconv"
"testing"

Expand Down Expand Up @@ -171,7 +170,7 @@ var _ = BeforeSuite(func() {
TurtlesChartPath: e2eConfig.GetVariable(e2e.TurtlesPathVar),
CAPIProvidersYAML: e2e.CapiProviders,
Namespace: framework.DefaultRancherTurtlesNamespace,
Image: fmt.Sprintf("ghcr.io/rancher/turtles-e2e-%s", runtime.GOARCH),
Image: "ghcr.io/rancher/turtles-e2e",
Tag: e2eConfig.GetVariable(e2e.TurtlesVersionVar),
WaitDeploymentsReadyInterval: e2eConfig.GetIntervals(setupClusterResult.BootstrapClusterProxy.GetName(), "wait-controllers"),
AdditionalValues: map[string]string{},
3 changes: 1 addition & 2 deletions test/e2e/suites/update-labels/suite_test.go
Expand Up @@ -23,7 +23,6 @@ import (
"context"
"fmt"
"path/filepath"
"runtime"
"strconv"
"testing"

Expand Down Expand Up @@ -158,7 +157,7 @@ var _ = BeforeSuite(func() {
TurtlesChartPath: e2eConfig.GetVariable(e2e.TurtlesPathVar),
CAPIProvidersYAML: e2e.CapiProviders,
Namespace: framework.DefaultRancherTurtlesNamespace,
Image: fmt.Sprintf("ghcr.io/rancher/turtles-e2e-%s", runtime.GOARCH),
Image: "ghcr.io/rancher/turtles-e2e",
Tag: e2eConfig.GetVariable(e2e.TurtlesVersionVar),
WaitDeploymentsReadyInterval: e2eConfig.GetIntervals(setupClusterResult.BootstrapClusterProxy.GetName(), "wait-controllers"),
AdditionalValues: map[string]string{
3 changes: 1 addition & 2 deletions test/e2e/suites/v2prov/suite_test.go
Expand Up @@ -23,7 +23,6 @@ import (
"context"
"fmt"
"path/filepath"
"runtime"
"strconv"
"testing"

Expand Down Expand Up @@ -160,7 +159,7 @@ var _ = BeforeSuite(func() {
TurtlesChartPath: e2eConfig.GetVariable(e2e.TurtlesPathVar),
CAPIProvidersYAML: e2e.CapiProviders,
Namespace: turtlesframework.DefaultRancherTurtlesNamespace,
Image: fmt.Sprintf("ghcr.io/rancher/turtles-e2e-%s", runtime.GOARCH),
Image: "ghcr.io/rancher/turtles-e2e",
Tag: e2eConfig.GetVariable(e2e.TurtlesVersionVar),
WaitDeploymentsReadyInterval: e2eConfig.GetIntervals(setupClusterResult.BootstrapClusterProxy.GetName(), "wait-controllers"),
AdditionalValues: map[string]string{},