feat: Sign Atlantis containers before release (bonus points: speed up x86 builds) #5207

Merged
merged 23 commits into from
Dec 31, 2024

Conversation

notdurson
Contributor

what

This change accomplishes the following:

  • Signs containers before they're released using cosign. In "feat: add image attestation workflow step" #5158, I made an error: that PR implemented container attestation, but didn't sign containers before releasing them. This PR implements actual signatures, which live on the Sigstore trust chain.
  • Speeds up x86 image builds by 1000% (2 minutes vs 20 minutes) by performing one build per (image / platform) tuple. Previously, each image (alpine or debian) was built for all 3 platforms supported by Atlantis, which resulted in builds taking 20 minutes per iteration. This change uses the setup-go action to implement dependency caching.

why

  • As documented in "Sign container images" #5185, signing images provides an additional layer of security by validating where a container image came from. We (and others) can use the signatures as part of Kyverno policies, or similar, to prevent malicious containers from entering our environment.

tests

Successfully pulled a signature from the Sigstore CT log and validated it:

rekor-cli get --uuid 108e9186e8c5677abb0a1b630114f50ff15433afbe448513b800ab87a8d5283d3cdd01ac49c06062 --format=json | jq -r .Body.HashedRekordObj.signature.publicKey.content | base64 -D | openssl x509 -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6e:51:50:24:34:8a:69:00:82:af:1e:8a:5f:c1:70:9c:9f:86:8a:43
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: O=sigstore.dev, CN=sigstore-intermediate
        Validity
            Not Before: Dec 30 21:21:32 2024 GMT
            Not After : Dec 30 21:31:32 2024 GMT
        Subject: 
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:31:c0:26:9b:d7:fd:30:b9:52:79:68:b6:c0:48:
                    57:55:d5:fc:2a:a6:11:34:f7:7d:fd:10:3c:64:a2:
                    80:3f:c3:7b:b6:bc:63:97:a9:f1:d0:b6:c2:92:5c:
                    d4:f7:ab:a3:1e:b9:61:ba:5a:1c:82:a5:33:c7:90:
                    9d:0e:e5:91:c1
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: 
                Code Signing
            X509v3 Subject Key Identifier: 
                AB:1B:38:BC:6C:A8:F5:C9:CB:FE:E0:D5:02:D9:CE:BD:FD:5E:35:3E
            X509v3 Authority Key Identifier: 
                DF:D3:E9:CF:56:24:11:96:F9:A8:D8:E9:28:55:A2:C6:2E:18:64:3F
            X509v3 Subject Alternative Name: critical
                URI:https://github.com/notdurson/atlantis/.github/workflows/atlantis-image.yml@refs/heads/main
            1.3.6.1.4.1.57264.1.1: 
                https://token.actions.githubusercontent.com
            1.3.6.1.4.1.57264.1.2: 
                push
            1.3.6.1.4.1.57264.1.3: 
                6ec9c85f8b5c54b88c89267690f16fd77c33003b
            1.3.6.1.4.1.57264.1.4: 
                atlantis-image
            1.3.6.1.4.1.57264.1.5: 
                notdurson/atlantis
            1.3.6.1.4.1.57264.1.6: 
                refs/heads/main
            1.3.6.1.4.1.57264.1.8: 
                .+https://token.actions.githubusercontent.com
            1.3.6.1.4.1.57264.1.9: 
                .Zhttps://github.com/notdurson/atlantis/.github/workflows/atlantis-image.yml@refs/heads/main
            1.3.6.1.4.1.57264.1.10: 
                .(6ec9c85f8b5c54b88c89267690f16fd77c33003b
            1.3.6.1.4.1.57264.1.11: 
github-hosted   .
            1.3.6.1.4.1.57264.1.12: 
                .%https://github.com/notdurson/atlantis
            1.3.6.1.4.1.57264.1.13: 
                .(6ec9c85f8b5c54b88c89267690f16fd77c33003b
            1.3.6.1.4.1.57264.1.14: 
                ..refs/heads/main
            1.3.6.1.4.1.57264.1.15: 
                ..902567519
            1.3.6.1.4.1.57264.1.16: 
                ..https://github.com/notdurson
            1.3.6.1.4.1.57264.1.17: 
                ..188086827
            1.3.6.1.4.1.57264.1.18: 
                .Zhttps://github.com/notdurson/atlantis/.github/workflows/atlantis-image.yml@refs/heads/main
            1.3.6.1.4.1.57264.1.19: 
                .(6ec9c85f8b5c54b88c89267690f16fd77c33003b
            1.3.6.1.4.1.57264.1.20: 
                ..push
            1.3.6.1.4.1.57264.1.21: 
                .Ihttps://github.com/notdurson/atlantis/actions/runs/12552039999/attempts/1
            1.3.6.1.4.1.57264.1.22: 
                ..public
            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : DD:3D:30:6A:C6:C7:11:32:63:19:1E:1C:99:67:37:02:
                                A2:4A:5E:B8:DE:3C:AD:FF:87:8A:72:80:2F:29:EE:8E
                    Timestamp : Dec 30 21:21:32.842 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:06:DD:8B:2B:D6:21:76:65:BF:1E:6F:E1:
                                8B:91:20:42:01:55:DD:CC:3C:EC:6D:44:44:24:93:D8:
                                60:3F:EF:01:02:21:00:B6:A0:B1:33:8F:60:60:06:DF:
                                8A:7F:FD:2C:03:0F:44:F8:F0:D3:5C:BA:7E:18:85:D8:
                                D4:AD:7F:D6:78:24:37
    Signature Algorithm: ecdsa-with-SHA384
    Signature Value:
        30:65:02:30:0e:a6:7e:4a:f8:b4:db:62:ee:71:be:5c:e4:a1:
        41:fe:81:26:dc:34:32:ac:4e:42:6c:f5:a9:ed:94:48:b6:70:
        4c:f0:7a:5e:88:60:e0:da:3e:0c:b4:d6:b0:d9:99:ad:02:31:
        00:e1:87:20:20:e3:3f:e4:36:b6:85:dd:d1:b0:bf:75:6a:d0:
        ab:47:4d:fd:3d:a8:da:8f:66:60:77:4c:2c:49:45:e3:c0:26:
        d2:f1:29:c4:2f:1e:e2:1c:b7:4a:f2:54:97

references
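Added example (editor's, not part of this PR or the Atlantis project): a Kyverno ClusterPolicy that enforces the keyless signature this PR produces, pinning the certificate identity to the `atlantis-image.yml` workflow and the GitHub Actions OIDC issuer shown in the certificate above. The image reference is a placeholder, and the subject assumes the upstream `runatlantis/atlantis` workflow has the same path as the fork's certificate SAN.

```yaml
# Kyverno image-verification policy for the Atlantis release image.
# Assumptions (not taken from the PR): the registry/image path below is a
# placeholder, and the upstream workflow file is .github/workflows/atlantis-image.yml.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-atlantis-image-signature
spec:
  # Reject (rather than merely audit) pods that fail verification.
  validationFailureAction: Enforce
  background: false
  webhookTimeoutSeconds: 30
  rules:
    - name: atlantis-keyless-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            # PLACEHOLDER: replace with the registry path the release workflow pushes to.
            - "REGISTRY.example/runatlantis/atlantis:*"
          # Rewrite the tag to the verified digest so a later tag move cannot swap the image.
          mutateDigest: true
          verifyDigest: true
          required: true
          attestors:
            - count: 1
              entries:
                - keyless:
                    # Certificate SAN must be the release workflow on a ref of this repo;
                    # a signature from any other workflow or fork is rejected.
                    subject: "https://github.com/runatlantis/atlantis/.github/workflows/atlantis-image.yml@refs/*"
                    # Fulcio OID 1.3.6.1.4.1.57264.1.1 (issuer) must be GitHub Actions.
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      # Require an inclusion proof from the public transparency log.
                      url: https://rekor.sigstore.dev
```

The same constraint can be checked from a workstation with `cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '^https://github.com/runatlantis/atlantis/\.github/workflows/atlantis-image\.yml@refs/' IMAGE`, which fails if either the identity or the issuer in the signing certificate differs.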

notdurson and others added 22 commits December 12, 2024 15:55
Signed-off-by: Dan Urson <[email protected]>
uses github OIDC auth flow to get a cert
from Sigstore instead of a static key

Signed-off-by: Dan Urson <[email protected]>
recursion will take care of the others.

Signed-off-by: Dan Urson <[email protected]>
…est to 7999141 in .github/workflows/test.yml (main) (runatlantis#5201)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…ub/workflows/scorecard.yml (main) (runatlantis#5204)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…/workflows/scorecard.yml (main) (runatlantis#5205)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…in go.mod (main) (runatlantis#5206)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
we don't have arm runners at the moment

Signed-off-by: Dan Urson <[email protected]>
This provides dependency caching.

Signed-off-by: Dan Urson <[email protected]>
@notdurson notdurson requested review from a team as code owners December 30, 2024 22:11
@notdurson notdurson requested review from chenrui333, lukemassa and nitrocode and removed request for a team December 30, 2024 22:11
@dosubot dosubot bot added the docker Pull requests that update Docker code label Dec 30, 2024
@dosubot dosubot bot added feature New functionality/enhancement github-actions labels Dec 30, 2024
Member

@chenrui333 chenrui333 left a comment

lgtm

@dosubot dosubot bot added the lgtm This PR has been approved by a maintainer label Dec 31, 2024
@chenrui333 chenrui333 merged commit d2c5476 into runatlantis:main Dec 31, 2024
41 checks passed
@chenrui333
Member

Thanks @notdurson!
