mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-14 11:57:48 +00:00
feat: shift sigs and sbom
Signed-off-by: ShubhamPalriwala <spalriwalau@gmail.com>
This commit is contained in:
ShubhamPalriwala
parent
9aad9cdb43
commit
5417b9d3c1
4 changed files with 44 additions and 2 deletions
4
.github/workflows/image.yaml
vendored
4
.github/workflows/image.yaml
vendored
|
|
@ -34,10 +34,12 @@ jobs:
|
|||
|
||||
- name: docker images publish
|
||||
run: |
|
||||
make docker-publish-sigs
|
||||
make docker-publish-initContainer
|
||||
|
||||
- name: Sign image
|
||||
run: |
|
||||
export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures
|
||||
KYVERNO_IMAGE_VERSION=$(git describe --match "v[0-9]*")
|
||||
echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyvernopre:${KYVERNO_IMAGE_VERSION}
|
||||
|
||||
|
|
@ -75,6 +77,7 @@ jobs:
|
|||
|
||||
- name: Sign image
|
||||
run: |
|
||||
export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures
|
||||
KYVERNO_IMAGE_VERSION=$(git describe --match "v[0-9]*")
|
||||
echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno:${KYVERNO_IMAGE_VERSION}
|
||||
|
||||
|
|
@ -112,5 +115,6 @@ jobs:
|
|||
|
||||
- name: Sign image
|
||||
run: |
|
||||
export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures
|
||||
KYVERNO_IMAGE_VERSION=$(git describe --match "v[0-9]*")
|
||||
echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno-cli:${KYVERNO_IMAGE_VERSION}
|
||||
|
|
|
|||
9
.github/workflows/release.yaml
vendored
9
.github/workflows/release.yaml
vendored
|
|
@ -51,10 +51,12 @@ jobs:
|
|||
|
||||
- name : docker images publish
|
||||
run: |
|
||||
make docker-publish-sigs
|
||||
make docker-publish-initContainer
|
||||
|
||||
- name: Sign image
|
||||
run: |
|
||||
export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures
|
||||
echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyvernopre:${KYVERNO_VERSION}
|
||||
|
||||
release-kyverno:
|
||||
|
|
@ -116,13 +118,15 @@ jobs:
|
|||
|
||||
- name : docker images publish
|
||||
run: |
|
||||
make docker-publish-sbom
|
||||
make docker-publish-kyverno
|
||||
|
||||
- name: Sign image and SBOM
|
||||
run: |
|
||||
export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures
|
||||
echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno:${KYVERNO_VERSION}
|
||||
cosign attach sbom -sbom ./*-bom.cdx.json -type cyclonedx ghcr.io/kyverno/kyverno:latest
|
||||
|
||||
cosign attach sbom -sbom ./*-bom.cdx.json -type cyclonedx ghcr.io/kyverno/sbom:latest
|
||||
|
||||
- name: Trivy Scan Image
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
|
|
@ -184,6 +188,7 @@ jobs:
|
|||
|
||||
- name: Sign image
|
||||
run: |
|
||||
export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures
|
||||
echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno-cli:${KYVERNO_VERSION}
|
||||
|
||||
create-release:
|
||||
|
|
|
|||
32
Makefile
32
Makefile
|
|
@ -40,6 +40,38 @@ KYVERNO_PATH:= cmd/kyverno
|
|||
build: kyverno
|
||||
PWD := $(CURDIR)
|
||||
|
||||
##################################
|
||||
# SIGNATURE CONTAINER
|
||||
##################################
|
||||
ALPINE_PATH := cmd/alpineBase
|
||||
SIG_IMAGE := signatures
|
||||
.PHONY: docker-build-signature docker-push-signature
|
||||
|
||||
docker-publish-sigs: docker-build-signature docker-push-signature
|
||||
|
||||
docker-build-signature:
|
||||
@docker buildx build --file $(PWD)/$(ALPINE_PATH)/Dockerfile --tag $(REPO)/$(SIG_IMAGE):$(IMAGE_TAG) .
|
||||
|
||||
docker-push-signature:
|
||||
@docker buildx build --file $(PWD)/$(ALPINE_PATH)/Dockerfile --push --tag $(REPO)/$(SIG_IMAGE):$(IMAGE_TAG) .
|
||||
@docker buildx build --file $(PWD)/$(ALPINE_PATH)/Dockerfile --push --tag $(REPO)/$(SIG_IMAGE):latest .
|
||||
|
||||
##################################
|
||||
# SBOM CONTAINER
|
||||
##################################
|
||||
ALPINE_PATH := cmd/alpineBase
|
||||
SBOM_IMAGE := sbom
|
||||
.PHONY: docker-build-sbom docker-push-sbom
|
||||
|
||||
docker-publish-sbom: docker-build-sbom docker-push-sbom
|
||||
|
||||
docker-build-sbom:
|
||||
@docker buildx build --file $(PWD)/$(ALPINE_PATH)/Dockerfile --tag $(REPO)/$(SBOM_IMAGE):$(IMAGE_TAG) .
|
||||
|
||||
docker-push-signature:
|
||||
@docker buildx build --file $(PWD)/$(ALPINE_PATH)/Dockerfile --push --tag $(REPO)/$(SBOM_IMAGE):$(IMAGE_TAG) .
|
||||
@docker buildx build --file $(PWD)/$(ALPINE_PATH)/Dockerfile --push --tag $(REPO)/$(SBOM_IMAGE):latest .
|
||||
|
||||
##################################
|
||||
# INIT CONTAINER
|
||||
##################################
|
||||
|
|
|
|||
1
cmd/alpineBase/Dockerfile
Normal file
1
cmd/alpineBase/Dockerfile
Normal file
|
|
@ -0,0 +1 @@
|
|||
FROM alpine:3.14
|
||||
Loading…
Reference in a new issue