mirror of
https://github.com/kyverno/kyverno.git
synced 2025-01-20 18:52:16 +00:00
feat: shift sigs and sbom
Signed-off-by: ShubhamPalriwala <spalriwalau@gmail.com>
This commit is contained in:
ShubhamPalriwala
parent
9aad9cdb43
commit
5417b9d3c1
4 changed files with 44 additions and 2 deletions
4
.github/workflows/image.yaml
vendored
4
.github/workflows/image.yaml
vendored
|
|
@ -34,10 +34,12 @@ jobs:
|
||||||
|
|
||||||
- name: docker images publish
|
- name: docker images publish
|
||||||
run: |
|
run: |
|
||||||
|
make docker-publish-sigs
|
||||||
make docker-publish-initContainer
|
make docker-publish-initContainer
|
||||||
|
|
||||||
- name: Sign image
|
- name: Sign image
|
||||||
run: |
|
run: |
|
||||||
|
export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures
|
||||||
KYVERNO_IMAGE_VERSION=$(git describe --match "v[0-9]*")
|
KYVERNO_IMAGE_VERSION=$(git describe --match "v[0-9]*")
|
||||||
echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyvernopre:${KYVERNO_IMAGE_VERSION}
|
echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyvernopre:${KYVERNO_IMAGE_VERSION}
|
||||||
|
|
||||||
|
|
@ -75,6 +77,7 @@ jobs:
|
||||||
|
|
||||||
- name: Sign image
|
- name: Sign image
|
||||||
run: |
|
run: |
|
||||||
|
export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures
|
||||||
KYVERNO_IMAGE_VERSION=$(git describe --match "v[0-9]*")
|
KYVERNO_IMAGE_VERSION=$(git describe --match "v[0-9]*")
|
||||||
echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno:${KYVERNO_IMAGE_VERSION}
|
echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno:${KYVERNO_IMAGE_VERSION}
|
||||||
|
|
||||||
|
|
@ -112,5 +115,6 @@ jobs:
|
||||||
|
|
||||||
- name: Sign image
|
- name: Sign image
|
||||||
run: |
|
run: |
|
||||||
|
export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures
|
||||||
KYVERNO_IMAGE_VERSION=$(git describe --match "v[0-9]*")
|
KYVERNO_IMAGE_VERSION=$(git describe --match "v[0-9]*")
|
||||||
echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno-cli:${KYVERNO_IMAGE_VERSION}
|
echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno-cli:${KYVERNO_IMAGE_VERSION}
|
||||||
|
|
|
||||||
9
.github/workflows/release.yaml
vendored
9
.github/workflows/release.yaml
vendored
|
|
@ -51,10 +51,12 @@ jobs:
|
||||||
|
|
||||||
- name : docker images publish
|
- name : docker images publish
|
||||||
run: |
|
run: |
|
||||||
|
make docker-publish-sigs
|
||||||
make docker-publish-initContainer
|
make docker-publish-initContainer
|
||||||
|
|
||||||
- name: Sign image
|
- name: Sign image
|
||||||
run: |
|
run: |
|
||||||
|
export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures
|
||||||
echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyvernopre:${KYVERNO_VERSION}
|
echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyvernopre:${KYVERNO_VERSION}
|
||||||
|
|
||||||
release-kyverno:
|
release-kyverno:
|
||||||
|
|
@ -116,13 +118,15 @@ jobs:
|
||||||
|
|
||||||
- name : docker images publish
|
- name : docker images publish
|
||||||
run: |
|
run: |
|
||||||
|
make docker-publish-sbom
|
||||||
make docker-publish-kyverno
|
make docker-publish-kyverno
|
||||||
|
|
||||||
- name: Sign image and SBOM
|
- name: Sign image and SBOM
|
||||||
run: |
|
run: |
|
||||||
|
export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures
|
||||||
echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno:${KYVERNO_VERSION}
|
echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno:${KYVERNO_VERSION}
|
||||||
cosign attach sbom -sbom ./*-bom.cdx.json -type cyclonedx ghcr.io/kyverno/kyverno:latest
|
cosign attach sbom -sbom ./*-bom.cdx.json -type cyclonedx ghcr.io/kyverno/sbom:latest
|
||||||
|
|
||||||
- name: Trivy Scan Image
|
- name: Trivy Scan Image
|
||||||
uses: aquasecurity/trivy-action@master
|
uses: aquasecurity/trivy-action@master
|
||||||
with:
|
with:
|
||||||
|
|
@ -184,6 +188,7 @@ jobs:
|
||||||
|
|
||||||
- name: Sign image
|
- name: Sign image
|
||||||
run: |
|
run: |
|
||||||
|
export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures
|
||||||
echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno-cli:${KYVERNO_VERSION}
|
echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno-cli:${KYVERNO_VERSION}
|
||||||
|
|
||||||
create-release:
|
create-release:
|
||||||
|
|
|
||||||
32
Makefile
32
Makefile
|
|
@ -40,6 +40,38 @@ KYVERNO_PATH:= cmd/kyverno
|
||||||
build: kyverno
|
build: kyverno
|
||||||
PWD := $(CURDIR)
|
PWD := $(CURDIR)
|
||||||
|
|
||||||
|
##################################
|
||||||
|
# SIGNATURE CONTAINER
|
||||||
|
##################################
|
||||||
|
ALPINE_PATH := cmd/alpineBase
|
||||||
|
SIG_IMAGE := signatures
|
||||||
|
.PHONY: docker-build-signature docker-push-signature
|
||||||
|
|
||||||
|
docker-publish-sigs: docker-build-signature docker-push-signature
|
||||||
|
|
||||||
|
docker-build-signature:
|
||||||
|
@docker buildx build --file $(PWD)/$(ALPINE_PATH)/Dockerfile --tag $(REPO)/$(SIG_IMAGE):$(IMAGE_TAG) .
|
||||||
|
|
||||||
|
docker-push-signature:
|
||||||
|
@docker buildx build --file $(PWD)/$(ALPINE_PATH)/Dockerfile --push --tag $(REPO)/$(SIG_IMAGE):$(IMAGE_TAG) .
|
||||||
|
@docker buildx build --file $(PWD)/$(ALPINE_PATH)/Dockerfile --push --tag $(REPO)/$(SIG_IMAGE):latest .
|
||||||
|
|
||||||
|
##################################
|
||||||
|
# SBOM CONTAINER
|
||||||
|
##################################
|
||||||
|
ALPINE_PATH := cmd/alpineBase
|
||||||
|
SBOM_IMAGE := sbom
|
||||||
|
.PHONY: docker-build-sbom docker-push-sbom
|
||||||
|
|
||||||
|
docker-publish-sbom: docker-build-sbom docker-push-sbom
|
||||||
|
|
||||||
|
docker-build-sbom:
|
||||||
|
@docker buildx build --file $(PWD)/$(ALPINE_PATH)/Dockerfile --tag $(REPO)/$(SBOM_IMAGE):$(IMAGE_TAG) .
|
||||||
|
|
||||||
|
docker-push-signature:
|
||||||
|
@docker buildx build --file $(PWD)/$(ALPINE_PATH)/Dockerfile --push --tag $(REPO)/$(SBOM_IMAGE):$(IMAGE_TAG) .
|
||||||
|
@docker buildx build --file $(PWD)/$(ALPINE_PATH)/Dockerfile --push --tag $(REPO)/$(SBOM_IMAGE):latest .
|
||||||
|
|
||||||
##################################
|
##################################
|
||||||
# INIT CONTAINER
|
# INIT CONTAINER
|
||||||
##################################
|
##################################
|
||||||
|
|
|
||||||
1
cmd/alpineBase/Dockerfile
Normal file
1
cmd/alpineBase/Dockerfile
Normal file
|
|
@ -0,0 +1 @@
|
||||||
|
FROM alpine:3.14
|
||||||
Loading…
Add table
Reference in a new issue