This repository has been archived by the owner on Jul 3, 2024. It is now read-only.
forked from sabre1041/sigstore-ansible
-
Notifications
You must be signed in to change notification settings - Fork 3
68 lines (57 loc) · 3.14 KB
/
main.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
name: Validate SecureSign Ansible
on:
workflow_dispatch:
push:
branches: ["main", "release*"]
tags: ["*"]
pull_request:
branches: ["main", "release*"]
env:
GO_VERSION: 1.21
AWS_REGION: us-east-1
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
BASE_HOSTNAME: ${{ secrets.BASE_DOMAIN }}
FULCIO_URL: https://fulcio.${{ secrets.BASE_DOMAIN }}
TUF_URL: https://tuf.${{ secrets.BASE_DOMAIN }}
KEYCLOAK_URL: ${{ secrets.KEYCLOAK_URL }}
KEYCLOAK_REALM: sigstore
KEYCLOAK_OIDC_ISSUER: ${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}
REKOR_URL: https://rekor.${{ secrets.BASE_DOMAIN }}
TF_VAR_base_domain: ${{ secrets.BASE_DOMAIN }}
TF_VAR_vpc_id: ${{ secrets.VPC_ID }}
TF_VAR_rh_username: ${{ secrets.RH_USERNAME }}
TF_VAR_rh_password: ${{ secrets.RH_PASSWORD }}
jobs:
deploy-and-test:
name: Deploy using terraform then tag, push, sign and verify
runs-on: ubuntu-latest
steps:
- uses: hashicorp/setup-terraform@v3
- name: Checkout code
uses: actions/checkout@v2
- name: sshkeygen for ansible
run: ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa -N ""
- name: Terraform Init
run: terraform init
- name: Terraform Apply
run: terraform apply -auto-approve
- name: install cosign
uses: sigstore/[email protected]
with:
cosign-release: 'v2.2.2' # optional
- name: Grab the certificate and trust it
run: export ESCAPED_URL=octo-emerging_redhataicoe_com && rm -rf ./*.pem && openssl s_client -showcerts -verify 5 -connect rekor.$BASE_HOSTNAME:443 < /dev/null | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{ if(/BEGIN CERTIFICATE/){a++}; out="cert"a".pem"; print >out}' && for cert in *.pem; do newname=$(openssl x509 -noout -subject -in $cert | sed -nE 's/.*CN ?= ?(.*)/\1/; s/[ ,.*]/_/g; s/__/_/g; s/_-_/-/; s/^_//g;p' | tr '[:upper:]' '[:lower:]').pem; echo "${newname}"; mv "${cert}" "${newname}" ; done && sudo mv $ESCAPED_URL.pem /usr/local/share/ca-certificates/ && sudo update-ca-certificates && cosign initialize --mirror=$TUF_URL --root=$TUF_URL/root.json
- name: pull and tag alpine
run: |
docker pull alpine:latest
docker tag alpine:latest ttl.sh/alpine:10m
- name: push and sign alpine
run: |
docker push ttl.sh/alpine:10m
TOKEN=$(curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=jdoe" -d "password=secure" -d "grant_type=password" -d "scope=openid" -d "client_id=sigstore" https://${{ env.KEYCLOAK_URL }}/auth/realms/${{ env.KEYCLOAK_OIDC_ISSUER}}/protocol/openid-connect/token | sed -E 's/.*"access_token":"([^"]*).*/\1/')
cosign sign sign -y --fulcio-url=$FULCIO_URL --rekor-url=$REKOR_URL --oidc-issuer=$OIDC_ISSUER_URL --identity-token=$TOKEN ttl.sh/alpine:10m
cosign verify --rekor-url=\$REKOR_URL --certificate-identity-regexp ".*@redhat" --certificate-oidc-issuer-regexp ".*keycloak.*" ttl.sh/alpine:10m
- name: Terraform Destroy
if: always()
run: terraform destroy -auto-approve