This repository has been archived by the owner on Jul 3, 2024. It is now read-only.
use docker login #50
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Validate SecureSign Ansible | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: ["main", "release*"] | |
| tags: ["*"] | |
| pull_request: | |
| branches: ["main", "release*"] | |
| env: | |
| GO_VERSION: 1.21 | |
| AWS_REGION: us-east-2 | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| BASE_HOSTNAME: ${{ secrets.BASE_DOMAIN }} | |
| FULCIO_URL: https://fulcio.${{ secrets.BASE_DOMAIN }} | |
| TUF_URL: https://tuf.${{ secrets.BASE_DOMAIN }} | |
| KEYCLOAK_URL: ${{ secrets.KEYCLOAK_URL }} | |
| KEYCLOAK_REALM: trusted-artifact-signer | |
| KEYCLOAK_OIDC_ISSUER: ${{ secrets.KEYCLOAK_URL}}/realms/trusted-artifact-signer | |
| REKOR_URL: https://rekor.${{ secrets.BASE_DOMAIN }} | |
| TF_VAR_base_domain: ${{ secrets.BASE_DOMAIN }} | |
| TF_VAR_vpc_id: ${{ secrets.VPC_ID }} | |
| TF_VAR_rh_username: ${{ secrets.RH_USERNAME }} | |
| TF_VAR_rh_password: ${{ secrets.RH_PASSWORD }} | |
| IMAGE: ttl.sh/sigstore-test:15m | |
| jobs: | |
| deploy-and-test: | |
| name: Deploy using terraform then tag, push, sign and verify | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: hashicorp/setup-terraform@v3 | |
| - name: Checkout code | |
| uses: actions/checkout@v2 | |
| - name: sshkeygen for ansible | |
| run: ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa -N "" | |
| - name: docker login registry.redhat.io | |
| uses: docker/login-action@v2 | |
| with: | |
| username: ${{ secrets.RH_USERNAME }} | |
| password: ${{ secrets.RH_PASSWORD }} | |
| registry: registry.redhat.io | |
| - name: build push sign and tag | |
| run: | | |
| buildah pull alpine:latest | |
| buildah tag alpine:latest ${{ env.IMAGE }} | |
| buildah push ${{ env.IMAGE }} | |
| - name: Terraform Init | |
| run: terraform init | |
| - name: Terraform Apply | |
| run: terraform apply -auto-approve | |
| - name: install cosign | |
| uses: sigstore/[email protected] | |
| with: | |
| cosign-release: 'v2.2.2' # optional | |
| - name: Grab the certificate and trust it | |
| run: export ESCAPED_URL=sigstore_octo-emerging_redhataicoe_com && rm -rf ./*.pem && openssl s_client -showcerts -verify 5 -connect rekor.$BASE_HOSTNAME:443 < /dev/null | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{ if(/BEGIN CERTIFICATE/){a++}; out="cert"a".pem"; print >out}' && for cert in *.pem; do newname=$(openssl x509 -noout -subject -in $cert | sed -nE 's/.*CN ?= ?(.*)/\1/; s/[ ,.*]/_/g; s/__/_/g; s/_-_/-/; s/^_//g;p' | tr '[:upper:]' '[:lower:]').pem; echo "${newname}"; mv "${cert}" "${newname}" ; done && sudo mv $ESCAPED_URL.pem /etc/ssl/certs/ && sudo update-ca-certificates && cosign initialize --mirror=$TUF_URL --root=$TUF_URL/root.json | |
| - name: sign and verify | |
| run: | | |
| TOKEN=$(curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=jdoe" -d "password=secure" -d "grant_type=password" -d "scope=openid" -d "client_id=trusted-artifact-signer" https://keycloak-keycloak-system.apps.platform-sts.pcbk.p1.openshiftapps.com/auth/realms/trusted-artifact-signer/protocol/openid-connect/token | sed -E 's/.*"access_token":"([^"]*).*/\1/') | |
| cosign sign -y --fulcio-url=${{ env.FULCIO_URL}} --rekor-url=${{ env.REKOR_URL}} --oidc-issuer=${{ env.KEYCLOAK_OIDC_ISSUER}} --identity-token=$TOKEN --oidc-client-id=${{ secrets.KEYCLOAK_REALM }} ${{ env.IMAGE }} | |
| cosign verify --rekor-url=${{ env.REKOR_URL}} --certificate-identity-regexp ".*@redhat" --certificate-oidc-issuer-regexp ".*keycloak.*" ${{ env.IMAGE }} | |
| - name: Terraform Destroy | |
| if: always() | |
| run: terraform destroy -auto-approve |