From d1262801841fb19958ae9591c72a36d2109ce610 Mon Sep 17 00:00:00 2001 From: Naman Lakhwani Date: Tue, 4 Jan 2022 21:38:28 +0530 Subject: [PATCH] keyless signing kyverno images with digest (#2896) * signing with digest Signed-off-by: Namanl2001 * keyless signing Signed-off-by: Namanl2001 * adding annotations Signed-off-by: Namanl2001 * keyless image signing with digest in release workflow Signed-off-by: Namanl2001 --- .github/workflows/image.yaml | 36 ++++++++++++++++++++++------------ .github/workflows/release.yaml | 33 ++++++++++++++++++++++--------- 2 files changed, 48 insertions(+), 21 deletions(-) diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml index 3692aef5c1..4ed35080cb 100644 --- a/.github/workflows/image.yaml +++ b/.github/workflows/image.yaml @@ -34,15 +34,19 @@ jobs: install: true - name: docker images publish + id: push-step run: | make docker-publish-sigs make docker-publish-initContainer-dev - name: Sign image - run: | - export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures - KYVERNO_IMAGE_VERSION=$(git describe --match "[0-9].[0-9]-dev*") - echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyvernopre:${KYVERNO_IMAGE_VERSION} + env: + COSIGN_EXPERIMENTAL: "true" + run: cosign sign \ + -a "repo=${{ github.repository }}" \ + -a "workflow=${{ github.workflow }}" \ + -a "ref=${{ github.sha }}" \ + ghcr.io/kyverno/kyvernopre@${{ steps.push-step.outputs.digest }} push-kyverno: runs-on: ubuntu-latest 
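Review bot: The new `run: cosign sign \` in the Sign image step is a plain scalar, so YAML folds each continuation line onto it with a single space, and bash then reads the resulting `\ ` as an escaped space, turning ` -a` and the image reference into positional words that cosign's flag parser will not recognise. The same construct appears in the push-kyverno and push-kyverno-cli hunks of image.yaml and in all three release.yaml hunks. Use a literal block scalar so the line continuations survive: replace `run: cosign sign \` with `run: |` and put `cosign sign \` on its own, more-indented line. The step also depends on `steps.push-step.outputs.digest`, but the publish step is a plain `run:` of make targets, which only exposes a `digest` output if the script writes it with `::set-output`; if the Makefile (outside this patch) does not, the reference ends in a bare `@` and signing fails. Keyless signing under `COSIGN_EXPERIMENTAL` in Actions also needs `permissions: id-token: write` on the job, which this patch does not add — confirm it is already present outside the hunk.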
@@ -73,14 +77,18 @@ jobs: install: true - name: docker images publish + id: push-step run: | make docker-publish-kyverno-dev - name: Sign image - run: | - export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures - KYVERNO_IMAGE_VERSION=$(git describe --match "[0-9].[0-9]-dev*") - echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno:${KYVERNO_IMAGE_VERSION} + env: + COSIGN_EXPERIMENTAL: "true" + run: cosign sign \ + -a "repo=${{ github.repository }}" \ + -a "workflow=${{ github.workflow }}" \ + -a "ref=${{ github.sha }}" \ + ghcr.io/kyverno/kyverno@${{ steps.push-step.outputs.digest }} push-kyverno-cli: runs-on: ubuntu-latest @@ -111,11 +119,15 @@ jobs: install: true - name: docker images publish + id: push-step run: | make docker-publish-cli-dev - name: Sign image - run: | - export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures - KYVERNO_IMAGE_VERSION=$(git describe --match "[0-9].[0-9]-dev*") - echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno-cli:${KYVERNO_IMAGE_VERSION} + env: + COSIGN_EXPERIMENTAL: "true" + run: cosign sign \ + -a "repo=${{ github.repository }}" \ + -a "workflow=${{ github.workflow }}" \ + -a "ref=${{ github.sha }}" \ + ghcr.io/kyverno/kyverno-cli@${{ steps.push-step.outputs.digest }} diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index e1a160f9c5..7fbf339e96 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -50,14 +50,19 @@ jobs: echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*")" - name : docker images publish + id: push-step run: | make docker-publish-sigs make docker-publish-initContainer - name: Sign image - run: | - export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures - echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyvernopre:${KYVERNO_VERSION} + env: + COSIGN_EXPERIMENTAL: "true" + run: cosign sign \ + -a "repo=${{ github.repository }}" \ + -a "workflow=${{ github.workflow }}" \ + -a "ref=${{ github.sha }}" \ + ghcr.io/kyverno/kyvernopre@${{ steps.push-step.outputs.digest }} release-kyverno: runs-on: ubuntu-latest @@ -117,14 +122,19 @@ jobs: path: kyverno-v*-bom.cdx.json - name : docker images publish + id: push-step run: | make docker-publish-sbom make docker-publish-kyverno - name: Sign image and SBOM - run: | - export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures - echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno:${KYVERNO_VERSION} + env: + COSIGN_EXPERIMENTAL: "true" + run: cosign sign \ + -a "repo=${{ github.repository }}" \ + -a "workflow=${{ github.workflow }}" \ + -a "ref=${{ github.sha }}" \ + ghcr.io/kyverno/kyverno@${{ steps.push-step.outputs.digest }} cosign attach sbom -sbom ./*-bom.cdx.json -type cyclonedx ghcr.io/kyverno/sbom:latest - name: Trivy Scan Image 
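Review bot: In the release-kyverno hunk the unchanged `cosign attach sbom ...` line is no longer inside a block scalar: if it keeps the indent it had under the old `run: |`, it is folded into the new plain-scalar `run: cosign sign \` and becomes trailing positional arguments of `cosign sign` rather than a second command, so the SBOM is never attached. Keeping `run: |` and placing both commands inside it on separate lines fixes this. The SBOM is also attached to the mutable tag `ghcr.io/kyverno/sbom:latest` while the image itself is now signed by digest; attaching to a digest reference would bind the SBOM to the exact artifact that was verified. Finally, this publish step runs both `make docker-publish-sbom` and `make docker-publish-kyverno` yet exposes a single `digest` output, so confirm which image's digest `steps.push-step.outputs.digest` carries.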
@@ -183,13 +193,18 @@ jobs: echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*")" - name : docker images publish + id: push-step run: | make docker-publish-cli - name: Sign image - run: | - export COSIGN_REPOSITORY=ghcr.io/kyverno/signatures - echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno-cli:${KYVERNO_VERSION} + env: + COSIGN_EXPERIMENTAL: "true" + run: cosign sign \ + -a "repo=${{ github.repository }}" \ + -a "workflow=${{ github.workflow }}" \ + -a "ref=${{ github.sha }}" \ + ghcr.io/kyverno/kyverno-cli@${{ steps.push-step.outputs.digest }} create-release: runs-on: ubuntu-latest