feat(cd): sign released container images and Helm chart (#160)
# Description

Sign released container images with Cosign and Helm chart with `helm package --sign`

## Related Issue

If this pull request is related to any issue, please mention it here. Additionally, make sure that the issue is assigned to you before submitting this pull request.

Closes #141

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/contributing).
- [x] I signed and signed-off the commits (`git commit -S -s ...`)
- [x] I have correctly attributed the author(s) of the code.
- [ ] I have tested the changes locally.
- [ ] I have followed the project's style guidelines.
- [ ] I have updated the documentation, if necessary.
- [ ] I have added tests, if applicable.

## Screenshots (if applicable)

N/A

## Additional Notes

In order to test this change, please create a GPG private key and a Cosign private key and deposit them as GH secrets for this repo

---

Please refer to the [CONTRIBUTING.md](../CONTRIBUTING.md) file for more information on how to contribute to this project.

---------

Signed-off-by: hainenber <[email protected]>
Signed-off-by: Đỗ Trọng Hải <[email protected]>
Signed-off-by: Evan Baker <[email protected]>
Co-authored-by: Evan Baker <[email protected]>
Showing 5 changed files with 100 additions and 7 deletions.
@@ -8,6 +8,9 @@ on: | |
permissions: | ||
contents: read | ||
packages: write | ||
# This is used to complete the identity challenge | ||
# with sigstore/fulcio when running outside of PRs. | ||
id-token: write | ||
|
||
jobs: | ||
push-retina-charts: | ||
|
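Review bot: `id-token: write` is granted at the workflow level here, so every job in this workflow, not only the one that runs `cosign sign`, can mint a GitHub OIDC token and complete the Fulcio identity challenge. Move the `permissions:` block (or at least `id-token: write`) under the job that signs, and keep the top-level grant at `contents: read`, so a compromised step in an unrelated job cannot obtain a certificate for this repository's identity.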
@@ -22,15 +25,24 @@ jobs: | |
|
||
- uses: azure/[email protected] | ||
id: install | ||
|
||
- name: Install Cosign | ||
uses: sigstore/[email protected] | ||
|
||
- name: Log in to registry | ||
run: echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io -u $ --password-stdin | ||
|
||
- name: Build/Push Chart | ||
- name: Log in to registry (Helm for pushing chart, Docker for signing and push signature) | ||
run: | | ||
echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io -u $ --password-stdin | ||
echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin | ||
- name: Build, Push and Sign chart | ||
id: build_chart | ||
shell: bash | ||
run: | | ||
set -euo pipefail | ||
export TAG=$(make version) | ||
echo $TAG | ||
helm package ./deploy/manifests/controller/helm/retina --version $TAG | ||
helm push retina-$TAG.tgz oci://ghcr.io/${{ github.repository }}/charts | ||
# Get Helm chart's SHA digest from helm push cmd output | ||
helm push retina-$TAG.tgz oci://ghcr.io/${{ github.repository }}/charts >> helm_push_result.txt 2>&1 | ||
cat helm_push_result.txt | ||
cosign sign --yes ghcr.io/${{ github.repository }}/charts/retina@$(tail -n 1 helm_push_result.txt | awk '{ print $2 }') | ||
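Review bot: the digest is recovered by `tail -n 1 helm_push_result.txt | awk '{ print $2 }'`, which silently depends on the `Digest:` line being the final line of the combined stdout/stderr that `>> helm_push_result.txt 2>&1` captures; any extra trailing output (a warning, a registry notice) turns the argument into garbage and `cosign sign` then fails on an unrelated reference. Select the line explicitly, e.g. `DIGEST=$(awk '/^Digest:/ { print $2 }' helm_push_result.txt)` and fail early with `[[ "$DIGEST" == sha256:* ]]`, before passing it to `cosign sign`. Two smaller points in the same hunk: the PR description says the chart is signed with `helm package --sign` and asks for a GPG key secret, but `helm package ./deploy/manifests/controller/helm/retina --version $TAG` carries no `--sign`, so either the description or the step should be updated to match; and the two `registry login` commands pass the literal username `$`, which should be the intended actor expression if that is what was meant.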
@@ -8,6 +8,9 @@ on: | |
permissions: | ||
contents: read | ||
packages: write | ||
# This is used to complete the identity challenge | ||
# with sigstore/fulcio when running outside of PRs. | ||
id-token: write | ||
|
||
jobs: | ||
retina-images: | ||
|
@@ -27,6 +30,9 @@ jobs: | |
with: | ||
go-version: ">=1.21.0" | ||
- run: go version | ||
|
||
- name: Install Cosign | ||
uses: sigstore/[email protected] | ||
|
||
- name: Set up QEMU | ||
uses: docker/setup-qemu-action@v3 | ||
|
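Review bot: for a workflow whose whole purpose is to produce trusted signatures, the signing toolchain itself is pulled by mutable references: `sigstore/[email protected]` and `azure/[email protected]` are pinned by tag, and `docker/setup-qemu-action@v3` by a floating major tag. A retagged or hijacked action runs with `id-token: write` and `packages: write` and can sign arbitrary content under this repository's identity. Pin each `uses:` to a full-length commit SHA with the version in a trailing comment (e.g. `uses: sigstore/cosign-installer@<sha> # v3.3.0`) and let Dependabot or Renovate bump the SHA.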
@@ -43,6 +49,15 @@ jobs: | |
IMAGE_NAMESPACE=${{ github.repository }} \ | ||
PLATFORM=${{ matrix.platform }}/${{ matrix.arch }} \ | ||
BUILDX_ACTION=--push | ||
- name: Sign container image | ||
run: | | ||
for image in retina-agent retina-init; do | ||
IMAGE_PATH="ghcr.io/${{ github.repository }}/$image:$TAG-${{ matrix.platform }}-${{ matrix.arch }}" | ||
DIGEST=$(jq -r '.["containerimage.digest"]' image-metadata-$image-$TAG-${{ matrix.platform }}-${{ matrix.arch }}.json) | ||
cosign sign --yes ${IMAGE_PATH}@${DIGEST} | ||
done | ||
retina-win-images: | ||
name: Build Agent Windows Images | ||
|
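Review bot: `$TAG` is referenced in this `Sign container image` step but never set in it, both in the metadata filename `image-metadata-$image-$TAG-...json` and in the image reference `$image:$TAG-...`. In the chart job the tag is produced with `export TAG=$(make version)` inside the same `run:` block, and the manifests job below does the same; here the sign step is a separate step, so unless `TAG` is exported to `$GITHUB_ENV` or declared in a job-level `env:` in context not shown, both expansions are empty and `jq` reads a non-existent file. Add `TAG=$(make version)` at the top of the step (or a job `env:`), and guard with `[[ -n "$DIGEST" ]]` so an empty digest cannot reach `cosign sign`. The same applies to the Windows and operator sign steps in this file.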
@@ -62,6 +77,9 @@ jobs: | |
go-version: ">=1.21.0" | ||
- run: go version | ||
|
||
- name: Install Cosign | ||
uses: sigstore/[email protected] | ||
|
||
- name: Set up QEMU | ||
uses: docker/setup-qemu-action@v3 | ||
|
||
|
@@ -78,6 +96,16 @@ jobs: | |
PLATFORM=${{ matrix.platform }}/${{ matrix.arch }} \ | ||
BUILDX_ACTION=--push | ||
- name: Sign container image | ||
run: | | ||
for year in 2019 2022; do | ||
for image in retina-agent ; do | ||
IMAGE_PATH="ghcr.io/${{ github.repository }}/$image:$TAG-windows-ltsc$year-${{ matrix.arch }}" | ||
DIGEST=$(jq -r '.["containerimage.digest"]' image-metadata-$image-$TAG-windows-ltsc$year-${{ matrix.arch }}.json) | ||
cosign sign --yes ${IMAGE_PATH}@${DIGEST} | ||
done | ||
done | ||
operator-images: | ||
name: Build Operator Images | ||
runs-on: ubuntu-latest | ||
|
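Review bot: the LTSC years `2019 2022` are hard-coded in the sign loop while the build step just above takes `PLATFORM=${{ matrix.platform }}/${{ matrix.arch }}` from the matrix, so the set of images built and the set of images signed are maintained in two places. If a new LTSC release is added to the build without touching this loop, its image is published unsigned and `cosign verify` fails for it. Drive both from one variable (a matrix dimension or a job `env:` list) and iterate over that. Also drop the stray space in `for image in retina-agent ;`.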
@@ -95,6 +123,9 @@ jobs: | |
with: | ||
go-version: ">=1.21.0" | ||
- run: go version | ||
|
||
- name: Install Cosign | ||
uses: sigstore/[email protected] | ||
|
||
- name: Set up QEMU | ||
uses: docker/setup-qemu-action@v3 | ||
|
@@ -111,6 +142,15 @@ jobs: | |
IMAGE_NAMESPACE=${{ github.repository }} \ | ||
PLATFORM=${{ matrix.platform }}/${{ matrix.arch }} \ | ||
BUILDX_ACTION=--push | ||
- name: Sign container image | ||
run: | | ||
for image in retina-operator ; do | ||
IMAGE_PATH="ghcr.io/${{ github.repository }}/$image:$TAG-${{ matrix.platform }}-${{ matrix.arch }}" | ||
DIGEST=$(jq -r '.["containerimage.digest"]' image-metadata-$image-$TAG-${{ matrix.platform }}-${{ matrix.arch }}.json) | ||
cosign sign --yes ${IMAGE_PATH}@${DIGEST} | ||
done | ||
manifests: | ||
name: Generate Manifests | ||
|
@@ -127,6 +167,9 @@ jobs: | |
|
||
- name: Set up QEMU | ||
uses: docker/setup-qemu-action@v3 | ||
|
||
- name: Install Cosign | ||
uses: sigstore/[email protected] | ||
|
||
- name: Log in to registry | ||
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin | ||
|
@@ -138,3 +181,16 @@ jobs: | |
make manifest \ | ||
IMAGE_NAMESPACE=${{ github.repository }} \ | ||
COMPONENT=${{ matrix.component }} | ||
- name: Sign manifest | ||
run: | | ||
export TAG="$(make version)" | ||
images=("retina-agent" "retina-init") | ||
if [[ ${{ matrix.component }} == "operator" ]]; then | ||
images=("retina-operator") | ||
fi | ||
for image in "${images[@]}"; do | ||
IMAGE_PATH="ghcr.io/${{ github.repository }}/$image:$TAG" | ||
DIGEST=$(docker buildx imagetools inspect $IMAGE_PATH --format "{{json .Manifest}}" | jq -r .digest) | ||
cosign sign --yes ${IMAGE_PATH}@${DIGEST} | ||
done |
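Review bot: the digest being signed is obtained by re-resolving the tag from the registry (`docker buildx imagetools inspect $IMAGE_PATH ... | jq -r .digest`) after `make manifest` has pushed it, so the step signs whatever `ghcr.io/.../$image:$TAG` happens to point to at that moment rather than the index this job just created; anyone with `packages: write` who retags in between gets a valid signature on their content. Capture the index digest from the creation step instead, or at minimum compare the resolved index's child manifests against the per-platform digests that were signed earlier in the workflow before signing. Minor: quote the matrix expression, `if [[ "${{ matrix.component }}" == "operator" ]]`, for consistency with the rest of the script.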
@@ -118,6 +118,17 @@ contact [[email protected]](mailto:[email protected]) with any additio | |
|
||
[Read more about how to begin contributing here.](https://retina.sh/docs/contributing) | ||
|
||
### Verify signed images | ||
|
||
Retina images published to GHCR are cryptographically signed. You can verify their provenance with [`sigstore/cosign`](https://github.com/sigstore/cosign): | ||
|
||
```shell | ||
REPO=microsoft/retina # or your repo | ||
IMAGE=retina-operator # or other image to verify | ||
TAG=v0.0.6 # or other tag to verify OR replace with the image SHA256 | ||
cosign verify ghcr.io/$REPO/$IMAGE:$TAG --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp="https://github.com/$REPO" -o text | ||
``` | ||
|
||
### Office Hours and Community Meetings | ||
|
||
We host a periodic open community meeting. [Find the details here.](https://retina.sh/docs/contributing/#office-hours-and-community-meetings) | ||
|
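Review bot: `--certificate-identity-regexp="https://github.com/$REPO"` is an unanchored Go regexp, so it accepts any certificate whose identity merely contains that string, for example a workflow in a repository named `microsoft/retina-something`, and the unescaped `.` in `$REPO` matches any character. Anchor it to the workflow path and ref, e.g. `--certificate-identity-regexp="^https://github.com/$REPO/\.github/workflows/[^/]+\.yml@refs/"`, or use `--certificate-identity` with the exact workflow path and ref for the release workflow. Two wording fixes in the same block: `cosign verify` checks the signature and signing identity, not build provenance, so "verify their provenance" should read "verify their signatures"; and "replace with the image SHA256" should state the form, `ghcr.io/$REPO/$IMAGE@sha256:<digest>`, since verifying by tag re-resolves the tag at verification time while the digest form pins exactly what was signed.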
@@ -0,0 +1,10 @@ | ||
# Verify signed images | ||
|
||
Retina images published to GHCR are cryptographically signed. You can verify their provenance with [`sigstore/cosign`](https://github.com/sigstore/cosign): | ||
|
||
```shell | ||
REPO=microsoft/retina # or your repo | ||
IMAGE=retina-operator # or other image to verify | ||
TAG=v0.0.6 # or other tag to verify OR replace with the image SHA256 | ||
cosign verify ghcr.io/$REPO/$IMAGE:$TAG --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp="https://github.com/$REPO" -o text | ||
``` |
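Review bot: this new docs page duplicates the README section verbatim, including the unanchored `--certificate-identity-regexp="https://github.com/$REPO"` that should be anchored to the workflow path and ref (see the README hunk). Keep the verification instructions in one place and have the README link to this page, so the two copies cannot drift when the identity pattern or issuer is tightened.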