From 17f829aec8611ac0c6da3f096e21a519b27dd977 Mon Sep 17 00:00:00 2001 From: Akash Singhal Date: Wed, 31 Jul 2024 13:58:49 -0700 Subject: [PATCH] build: add image signing for dev images and add release sbom (#1629) --- .github/workflows/build-pr.yml | 12 ++---- .github/workflows/e2e-aks.yml | 13 ++----- .github/workflows/publish-dev-assets.yml | 38 +++++++++++++++++++ .github/workflows/release.yml | 8 +++- .github/workflows/run-full-validation.yml | 12 ++---- .goreleaser.yml | 11 +++--- .../pki-validation/ratify-verification.crt | 33 ++++++++++++++++ 7 files changed, 95 insertions(+), 32 deletions(-) create mode 100644 .well-known/pki-validation/ratify-verification.crt diff --git a/.github/workflows/build-pr.yml b/.github/workflows/build-pr.yml index daedaf40d..702212c82 100644 --- a/.github/workflows/build-pr.yml +++ b/.github/workflows/build-pr.yml @@ -60,10 +60,6 @@ jobs: secrets: inherit aks-test-cleanup: - env: - AZURE_SUBSCRIPTION_ID: daae1e1a-63dc-454f-825d-b39289070f79 - AZURE_CLIENT_ID: 814e6e97-120c-4534-b8a9-f1645bc99500 - AZURE_TENANT_ID: 72f988bf-86f1-41af-91ab-2d7cd011db47 needs: ['build_test_aks_e2e_conditional'] runs-on: ubuntu-latest permissions: @@ -86,10 +82,10 @@ jobs: - name: Az CLI login uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1 with: - client-id: ${{ env.AZURE_CLIENT_ID }} - tenant-id: ${{ env.AZURE_TENANT_ID }} - subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }} + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - name: clean up run: | - make e2e-cleanup AZURE_SUBSCRIPTION_ID=${{ env.AZURE_SUBSCRIPTION_ID }} \ No newline at end of file + make e2e-cleanup AZURE_SUBSCRIPTION_ID=${{ secrets.AZURE_SUBSCRIPTION_ID }} \ No newline at end of file diff --git a/.github/workflows/e2e-aks.yml b/.github/workflows/e2e-aks.yml index b3c8c3da4..60b705cc9 100644 --- a/.github/workflows/e2e-aks.yml +++ b/.github/workflows/e2e-aks.yml @@ -20,11 +20,6 @@ on: jobs: build_test_aks_e2e: name: "Build and run e2e Test on AKS" - env: - AZURE_CLIENT_ID: 814e6e97-120c-4534-b8a9-f1645bc99500 - AZURE_TENANT_ID: 72f988bf-86f1-41af-91ab-2d7cd011db47 - AZURE_SUBSCRIPTION_ID: daae1e1a-63dc-454f-825d-b39289070f79 - AZURE_SP_OBJECT_ID: fd917b28-cdc0-4828-92c9-1ca8203842a3 runs-on: ubuntu-latest timeout-minutes: 30 environment: azure-test @@ -46,9 +41,9 @@ jobs: - name: Az CLI login uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1 with: - client-id: ${{ env.AZURE_CLIENT_ID }} - tenant-id: ${{ env.AZURE_TENANT_ID }} - subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }} + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - name: Cache AAD tokens run: | az version @@ -66,7 +61,7 @@ jobs: - name: Run e2e on Azure run: | - make e2e-aks KUBERNETES_VERSION=${{ inputs.k8s_version }} GATEKEEPER_VERSION=${{ inputs.gatekeeper_version }} TENANT_ID=${{ env.AZURE_TENANT_ID }} AZURE_SP_OBJECT_ID=${{ env.AZURE_SP_OBJECT_ID }} + make e2e-aks KUBERNETES_VERSION=${{ inputs.k8s_version }} GATEKEEPER_VERSION=${{ inputs.gatekeeper_version }} TENANT_ID=${{ secrets.AZURE_TENANT_ID }} AZURE_SP_OBJECT_ID=${{ secrets.AZURE_SP_OBJECT_ID }} - name: Upload artifacts uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 diff --git a/.github/workflows/publish-dev-assets.yml b/.github/workflows/publish-dev-assets.yml index febca49ba..e1334406e 100644 --- a/.github/workflows/publish-dev-assets.yml +++ b/.github/workflows/publish-dev-assets.yml @@ -13,6 +13,8 @@ jobs: permissions: packages: write contents: read + id-token: write + environment: azure-publish steps: - name: Harden Runner uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 @@ -20,6 +22,21 @@ jobs: egress-policy: audit - name: Checkout uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + - name: Install Notation + uses: notaryproject/notation-action/setup@104aa999103172f827373af8ac14dde7aa6d28f1 # v1.1.0 + - name: Install cosign + uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 + - name: Az CLI login + uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + - name: Cache AAD tokens + run: | + az version + # Key Vault: + az account get-access-token --scope https://vault.azure.net/.default --output none - name: prepare id: prepare run: | @@ -100,6 +117,27 @@ jobs: run: | helm push ratify-${{ steps.prepare.outputs.semversion }}.tgz oci://${{ steps.prepare.outputs.chartrepo }} helm push ratify-${{ steps.prepare.outputs.semversionrolling }}.tgz oci://${{ steps.prepare.outputs.chartrepo }} + - name: Sign with Notation + uses: notaryproject/notation-action/sign@104aa999103172f827373af8ac14dde7aa6d28f1 # v1.1.0 + with: + plugin_name: azure-kv + plugin_url: ${{ vars.AZURE_KV_PLUGIN_URL }} + plugin_checksum: ${{ vars.AZURE_KV_CHECKSUM }} + key_id: ${{ secrets.AZURE_KV_KEY_ID }} + target_artifact_reference: |- + ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }} + ${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }} + ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }} + ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversionrolling }} + ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversion }} + signature_format: cose + - name: Sign with Cosign + run: | + cosign sign --yes ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }} + cosign sign --yes ${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }} + cosign sign --yes ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }} + cosign sign --yes ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversionrolling }} + cosign sign --yes ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversion }} - name: clear if: always() run: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5a299a089..c9fef6370 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -24,6 +24,9 @@ jobs: uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=3.0.2 with: fetch-depth: 0 + + - name: Install Syft + uses: anchore/sbom-action/download-syft@d94f46e13c6c62f59525ac9a1e147a99dc0b9bf5 # v0.17.0 - name: Set up Go uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 @@ -31,10 +34,11 @@ jobs: go-version: '1.22' - name: Goreleaser + id: goreleaser uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0 with: - version: '1.18.0' - args: release --rm-dist + version: '2.0.1' + args: release --clean env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/run-full-validation.yml b/.github/workflows/run-full-validation.yml index 945dd0798..017944f75 100644 --- a/.github/workflows/run-full-validation.yml +++ b/.github/workflows/run-full-validation.yml @@ -48,10 +48,6 @@ jobs: secrets: inherit aks-test-cleanup: - env: - AZURE_SUBSCRIPTION_ID: daae1e1a-63dc-454f-825d-b39289070f79 - AZURE_CLIENT_ID: 814e6e97-120c-4534-b8a9-f1645bc99500 - AZURE_TENANT_ID: 72f988bf-86f1-41af-91ab-2d7cd011db47 needs: ['build_test_aks_e2e'] runs-on: ubuntu-latest permissions: @@ -74,10 +70,10 @@ jobs: - name: Az CLI login uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1 with: - client-id: ${{ env.AZURE_CLIENT_ID }} - tenant-id: ${{ env.AZURE_TENANT_ID }} - subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }} + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - name: clean up run: | - make e2e-cleanup AZURE_SUBSCRIPTION_ID=${{ env.AZURE_SUBSCRIPTION_ID }} \ No newline at end of file + make e2e-cleanup AZURE_SUBSCRIPTION_ID=${{ secrets.AZURE_SUBSCRIPTION_ID }} \ No newline at end of file diff --git a/.goreleaser.yml b/.goreleaser.yml index 4d7daf6c7..73aead7f3 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -1,4 +1,5 @@ # Check the documentation at https://goreleaser.com for more options +version: 2 before: hooks: - go mod tidy @@ -57,15 +58,15 @@ release: prerelease: auto draft: true archives: - - replacements: - darwin: Darwin - linux: Linux - windows: Windows - format_overrides: + - format_overrides: - goos: windows format: zip checksum: name_template: 'checksums.txt' +sboms: + - artifacts: archive + - id: source + artifacts: source snapshot: name_template: '{{ incpatch .Version }}-next' changelog: diff --git a/.well-known/pki-validation/ratify-verification.crt b/.well-known/pki-validation/ratify-verification.crt new file mode 100644 index 000000000..065c274bf --- /dev/null +++ b/.well-known/pki-validation/ratify-verification.crt @@ -0,0 +1,33 @@ +-----BEGIN CERTIFICATE----- +MIIFsDCCA5igAwIBAgIQbZCNsoQpQC+/hsEf/FdjDjANBgkqhkiG9w0BAQsFADBa +MQswCQYDVQQGEwJVUzELMAkGA1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxFzAV +BgNVBAoTDnJhdGlmeS1wcm9qZWN0MRMwEQYDVQQDEwpyYXRpZnkuZGV2MB4XDTI0 +MDYxMDIyNDQ1OVoXDTI1MDYxMDIyNTQ1OVowWjELMAkGA1UEBhMCVVMxCzAJBgNV +BAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMRcwFQYDVQQKEw5yYXRpZnktcHJvamVj +dDETMBEGA1UEAxMKcmF0aWZ5LmRldjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC +AgoCggIBAM6wAPQhVoIA7qbckyk8qYYiTnKjlUXaThXn8RYe6+dYQjBypxciAyyJ +NLbM675gXTc26rZDm29ldsych6G6VSP0wkziqZHIYKTSZ/kSzw0mm/KLRgHQPKsj +PdhVYnLbg4keyKvSRBDmKl6I04VMNXERezJWpcK0F+6wtt6BKZOJRSPCbTPhHIVY +U5iwqwMt9lOzNgWKsFUfTW+eZ2sPOJzpu78h/0JaOGgsms80Btm5UBjeJCWAOQDS +VzurUk8Q5EX5X4faNbUiKLREY4210ELVZq8xU1yixkzO2reh9Sw6maG2YLW3W0rc +bn1PTxz5ddvTF1r/J+A9JSQUhVCM7sEfh9oXW6az4OeZVCD1beG1mX5mtE/kzZqN +9KfzvBSwdFx4D4t0KBG4/f2/k2pwZuTy3qqA+R9cd434jJpdY4/dQi0JTAG7XmuG +HMpEM/1TQmXV3Nccwbyy5W2D07/y4fDVSxh2czumK8C7hWs0EX3CQ0C4mi0o3GjD +1meir2GYKDqQUyVQx0gcDgOVDQRsyA2zQ3gUy7/7RGDbtaGN0XVT0kBMU66aS6Mj +z69YEu+Yj3QNqVQL/Ms4A2G+mPXoqVTikQxbDI5Bi3d5U0Xu6zQ7/Wx+li1pO2TV +3tNSyy5Tj/IT5Mou5e5oDt81yIfrXtb6Mye5zJ6uiqq5RwK9+b2BAgMBAAGjcjBw +MA4GA1UdDwEB/wQEAwIHgDAJBgNVHRMEAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMD +MB8GA1UdIwQYMBaAFO4kXbjSuXzopPxrB1tKZ5g4oZQ/MB0GA1UdDgQWBBTuJF24 +0rl86KT8awdbSmeYOKGUPzANBgkqhkiG9w0BAQsFAAOCAgEASs8iFwuuh1lB1eM7 +cDM2rZfExb0RFXkcHWdF6+dEwuchn9rjKKXFLXU4k5sARKj+rTzxKGKNbymCLUto +DzaJwwWygZu7HoG5DHGcj5StlBXNELMCoRwFW/MjRTv4Sfkiakw03PUBeiZeg8Xb +SB3WuZreD0c/DPiONuXGSdx5cPgf0NkMTY8hiOoENP9eBCqcMhCUGMYRf1sIXr4m +YWuS5KTB93DsWLjdw+X9FDi0irFa1uP01IM+iSsPtoGoT1tV8fnYl5anvBCLsh8U +Y9vAXwJvZM6XlfA5XX4fzq82KuLASMBktyhXrYWeGBUOYOpQa4M3c/KiJyYjtm08 +pFRBdbzUwK1GF2mDfO/8oyyqPMhdkD3dO6/iToOklSLcNS4AVoTBE+S62QHHluBD +zlmeVabCB/TGLRm5wlKKm7YRI7DJXF0HVQ5KS8vXjbT1MzN7WB+Iey2lelH3U+CR +V50lbGJhvs8WiSojzcl1xJAvhRaWXZ/h8TCBI8srQzBlZ+/8o2zhs4nlEFrgurzq +Vd+m0s1lM1iGHrE//AxlU7NVh2yCjrhPumQ53Sv53LG3Kl5RD86Pvhd01ORvKKNR +zS27F63BGy6basxXtHR8ibCPNs1gbT24YLfaPiXmhy0j8dwPhEFGwQEIL8peSG56 +6OcrwcZ4J28hTXOl4EIJ2Prp9mQ= +-----END CERTIFICATE-----