feat: sign images
Helm chart and image are signed by Cosign. Now you can verify that images were built in GitHub Actions. Signed-off-by: Serge Logvinov <serge.logvinov@sinextra.dev>
12
.github/dependabot.yml
@@ -4,6 +4,18 @@
|
||||
|
||||
version: 2
|
||||
updates:
|
||||
- package-ecosystem: "github-actions"
|
||||
directory: "/"
|
||||
commit-message:
|
||||
prefix: "chore:"
|
||||
open-pull-requests-limit: 5
|
||||
rebase-strategy: disabled
|
||||
schedule:
|
||||
interval: "weekly"
|
||||
day: "monday"
|
||||
time: "07:30"
|
||||
timezone: "UTC"
|
||||
|
||||
- package-ecosystem: "gomod"
|
||||
directory: "/"
|
||||
commit-message:
|
||||
|
||||
9
.github/workflows/build-edge.yaml
@@ -18,14 +18,18 @@ jobs:
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
id-token: write
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v3
|
||||
- name: Unshallow
|
||||
run: git fetch --prune --unshallow
|
||||
|
||||
- name: Install Cosign
|
||||
uses: sigstore/cosign-installer@v3.1.1
|
||||
- name: Set up docker buildx
|
||||
run: make docker-init
|
||||
|
||||
- name: Github registry login
|
||||
uses: docker/login-action@v2
|
||||
with:
|
||||
@@ -39,3 +43,8 @@ jobs:
|
||||
USERNAME: ${{ github.repository_owner }}
|
||||
PUSH: "true"
|
||||
TAG: "edge"
|
||||
- name: Sign images
|
||||
run: make images-cosign
|
||||
env:
|
||||
USERNAME: ${{ github.repository_owner }}
|
||||
TAG: "edge"
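Review bot: The `Sign images` step signs `$(IMAGE):edge` by tag, and that tag is resolved only when cosign runs, after the separate push step; nothing visible in this job stops a second push to main from advancing `edge` in between, so one run can end up signing the image a concurrent run pushed. Either sign the digest the build produced (buildx `--metadata-file`/`--iidfile`, then `cosign sign $(IMAGE)@sha256:…`) or serialise the workflow with `concurrency:` / `  group: build-edge` / `  cancel-in-progress: false` at the top of the file. The `on:` block and any existing `concurrency` key are outside this hunk, so I cannot tell whether that is already handled.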
|
||||
|
||||
1
.github/workflows/charts.yaml
@@ -10,6 +10,7 @@ on:
|
||||
jobs:
|
||||
helm-lint:
|
||||
name: Helm chart check
|
||||
timeout-minutes: 5
|
||||
runs-on: ubuntu-22.04
|
||||
steps:
|
||||
- name: Checkout
|
||||
|
||||
42
.github/workflows/release-charts.yaml
@@ -0,0 +1,42 @@
|
||||
name: Release Helm Chart
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
paths:
|
||||
- 'charts/**'
|
||||
|
||||
jobs:
|
||||
build-publish:
|
||||
name: "Publish helm chart"
|
||||
timeout-minutes: 10
|
||||
runs-on: ubuntu-22.04
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
id-token: write
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v3
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Install Helm
|
||||
uses: azure/setup-helm@v3
|
||||
with:
|
||||
version: v3.12.2
|
||||
- name: Install Cosign
|
||||
uses: sigstore/cosign-installer@v3.1.1
|
||||
|
||||
- name: Github registry login
|
||||
uses: docker/login-action@v2
|
||||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.actor }}
|
||||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
- name: Helm release
|
||||
run: make helm-login helm-release
|
||||
env:
|
||||
HELM_TOKEN: ${{ secrets.GITHUB_TOKEN }}
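Review bot: Every third-party action in this new workflow is pinned to a mutable tag (`actions/checkout@v3`, `azure/setup-helm@v3`, `sigstore/cosign-installer@v3.1.1`, `docker/login-action@v2`) while the job holds `id-token: write` and `packages: write`; whatever those tags resolve to at run time can mint a Fulcio certificate for the identity `release-charts.yaml@refs/heads/main` that docs/cosign.md tells users to trust, and push to the chart repo with it. Pin each action to a full commit SHA with the version kept in a trailing comment, e.g. `uses: sigstore/cosign-installer@<commit-sha> # v3.1.1`; the Dependabot `github-actions` entry added in this commit keeps SHA pins current. I have not looked up which commits the tags currently point to, so the SHAs need to be resolved when applying this.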
|
||||
7
.github/workflows/release.yaml
@@ -8,18 +8,23 @@ on:
|
||||
jobs:
|
||||
build-publish:
|
||||
name: "Build image and publish"
|
||||
timeout-minutes: 15
|
||||
runs-on: ubuntu-22.04
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
id-token: write
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v3
|
||||
- name: Unshallow
|
||||
run: git fetch --prune --unshallow
|
||||
|
||||
- name: Install Cosign
|
||||
uses: sigstore/cosign-installer@v3.1.1
|
||||
- name: Set up docker buildx
|
||||
run: make docker-init
|
||||
|
||||
- name: Github registry login
|
||||
uses: docker/login-action@v2
|
||||
with:
|
||||
@@ -31,3 +36,5 @@ jobs:
|
||||
run: make images
|
||||
env:
|
||||
PUSH: "true"
|
||||
- name: Sign images
|
||||
run: make images-cosign
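Review bot: If `make images-cosign` fails here (Fulcio/Rekor outage, expired OIDC token), the release image has already been pushed by the preceding `make images` step with `PUSH: "true"`, so the release tag stays published unsigned until someone re-runs the job; nothing in the workflow surfaces that state. Unlike build-edge, this step sets no `env`, so the reference it signs comes entirely from Makefile defaults (`USERNAME ?= siderolabs`, and a `TAG` derived outside this hunk), which is fine only as long as `make images` in the same job derives them identically. Make the ordering explicit with a comment above the step such as `# Runs after the push: on failure re-run this job, the tag is unsigned until signing succeeds`, and consider passing the same `USERNAME`/`TAG` env the build step uses so the pushed and signed references are visibly the same.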
|
||||
|
||||
22
Makefile
@@ -2,6 +2,7 @@ REGISTRY ?= ghcr.io
|
||||
USERNAME ?= siderolabs
|
||||
PROJECT ?= talos-cloud-controller-manager
|
||||
IMAGE ?= $(REGISTRY)/$(USERNAME)/$(PROJECT)
|
||||
HELMREPO ?= $(REGISTRY)/$(USERNAME)/charts
|
||||
PLATFORM ?= linux/arm64,linux/amd64
|
||||
PUSH ?= false
|
||||
|
||||
@@ -25,6 +26,8 @@ else
|
||||
BUILD_ARGS += --output type=docker
|
||||
endif
|
||||
|
||||
COSING_ARGS ?=
|
||||
|
||||
######
|
||||
|
||||
# Help Menu
|
||||
@@ -43,6 +46,7 @@ endef
|
||||
|
||||
export HELP_MENU_HEADER
|
||||
|
||||
.PHONY: help
|
||||
help: ## This help menu.
|
||||
@echo "$$HELP_MENU_HEADER"
|
||||
@grep -E '^[a-zA-Z0-9%_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
|
||||
@@ -86,6 +90,19 @@ helm-unit: ## Helm Unit Tests
|
||||
@helm template -f charts/talos-cloud-controller-manager/ci/values.yaml \
|
||||
talos-cloud-controller-manager charts/talos-cloud-controller-manager >/dev/null
|
||||
|
||||
.PHONY: helm-login
|
||||
helm-login: ## Helm Login
|
||||
@echo "${HELM_TOKEN}" | helm registry login $(REGISTRY) --username $(USERNAME) --password-stdin
|
||||
|
||||
.PHONY: helm-release
|
||||
helm-release: ## Helm Release
|
||||
@rm -rf dist/
|
||||
@helm package charts/talos-cloud-controller-manager -d dist
|
||||
@helm push dist/talos-cloud-controller-manager-*.tgz oci://$(HELMREPO) 2>&1 | tee dist/.digest
|
||||
@cosign sign --yes $(COSING_ARGS) $(HELMREPO)/talos-cloud-controller-manager@$$(cat dist/.digest | awk -F "[, ]+" '/Digest/{print $$NF}')
|
||||
|
||||
############
|
||||
|
||||
.PHONY: docs
|
||||
docs:
|
||||
helm template -n kube-system talos-cloud-controller-manager \
|
||||
@@ -117,6 +134,11 @@ docker-init:
|
||||
docker context use multiarch
|
||||
docker buildx inspect --bootstrap multiarch
|
||||
|
||||
.PHONY: images-cosign
|
||||
images-cosign:
|
||||
@cosign sign --yes $(COSING_ARGS) --recursive $(IMAGE):$(TAG)
|
||||
|
||||
.PHONY: images
|
||||
images:
|
||||
@docker buildx build $(BUILD_ARGS) \
|
||||
--build-arg VERSION="$(VERSION)" \
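Review bot: In `helm-release`, `helm push … | tee dist/.digest` reports tee's exit status, so a failed push does not stop the recipe; the next line then runs `cosign sign … talos-cloud-controller-manager@` with an empty digest and fails with a misleading error after a half-finished release. In `helm-login`, `${HELM_TOKEN}` is expanded by make itself, so the token is embedded in the `sh -c` command string (visible to `ps` on the runner and printed by `make -n`/`--trace`) instead of being read from the environment by the shell. The rewrite below captures the push output without a pipe, refuses to sign when no digest was reported, and lets the shell expand the token. `images-cosign` has the same sign-by-tag shape; if the `images` recipe (which continues past this hunk) can emit the built digest via `--metadata-file`, signing `$(IMAGE)@sha256:…` would close the gap between push and sign, but I have not changed it here.
```make
.PHONY: helm-login
helm-login: ## Helm Login
	@printf '%s' "$$HELM_TOKEN" | helm registry login $(REGISTRY) --username $(USERNAME) --password-stdin

.PHONY: helm-release
helm-release: ## Helm Release
	@rm -rf dist/
	@helm package charts/talos-cloud-controller-manager -d dist
	@helm push dist/talos-cloud-controller-manager-*.tgz oci://$(HELMREPO) > dist/.digest 2>&1 || { cat dist/.digest >&2; exit 1; }
	@cat dist/.digest
	@digest=$$(awk -F "[, ]+" '/Digest/{print $$NF}' dist/.digest); \
	 test -n "$$digest" || { echo "helm push did not report a digest; refusing to sign" >&2; exit 1; }; \
	 cosign sign --yes $(COSING_ARGS) $(HELMREPO)/talos-cloud-controller-manager@$$digest
# … unchanged: docs, docker-init, images-cosign, images …
```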
|
||||
|
||||
@@ -133,7 +133,7 @@ kubectl apply -f https://raw.githubusercontent.com/siderolabs/talos-cloud-contro
|
||||
### Method 3: helm chart
|
||||
|
||||
```shell
|
||||
helm upgrade -i -n kube-system talos-cloud-controller-manager charts/talos-cloud-controller-manager
|
||||
helm upgrade -i -n kube-system talos-cloud-controller-manager oci://ghcr.io/siderolabs/charts/talos-cloud-controller-manager
|
||||
```
|
||||
|
||||
## Community
|
||||
|
||||
@@ -12,5 +12,5 @@ maintainers:
|
||||
- name: sergelogvinov
|
||||
url: https://github.com/sergelogvinov
|
||||
|
||||
version: 0.2.0
|
||||
version: 0.2.1
|
||||
appVersion: "1.4.0"
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
# talos-cloud-controller-manager
|
||||
|
||||
  
|
||||
  
|
||||
|
||||
Talos Cloud Controller Manager Helm Chart
|
||||
|
||||
|
||||
23
docs/cosign.md
@@ -0,0 +1,23 @@
|
||||
# Verify images
|
||||
|
||||
We'll be employing [Cosing's](https://github.com/sigstore/cosign) keyless verifications to ensure that images were built in Github Actions.
|
||||
|
||||
## Verify Helm chart
|
||||
|
||||
We will verify the keyless signature using the Cosign protocol.
|
||||
|
||||
```shell
|
||||
cosign verify ghcr.io/siderolabs/charts/talos-cloud-controller-manager:0.2.1 --certificate-identity https://github.com/siderolabs/talos-cloud-controller-manager/.github/workflows/release-charts.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com
|
||||
```
|
||||
|
||||
## Verify containers
|
||||
|
||||
We will verify the keyless signature using the Cosign protocol.
|
||||
|
||||
```shell
|
||||
# Edge version
|
||||
cosign verify ghcr.io/siderolabs/talos-cloud-controller-manager:edge --certificate-identity https://github.com/siderolabs/talos-cloud-controller-manager/.github/workflows/build-edge.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com
|
||||
|
||||
# Releases
|
||||
cosign verify ghcr.io/siderolabs/talos-cloud-controller-manager:v1.4.1 --certificate-identity https://github.com/siderolabs/talos-cloud-controller-manager/.github/workflows/release.yaml@refs/tags/v1.4.1 --certificate-oidc-issuer https://token.actions.githubusercontent.com
|
||||
```
|
||||
@@ -5,7 +5,7 @@ kind: ServiceAccount
|
||||
metadata:
|
||||
name: talos-cloud-controller-manager
|
||||
labels:
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.0
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.1
|
||||
app.kubernetes.io/name: talos-cloud-controller-manager
|
||||
app.kubernetes.io/instance: talos-cloud-controller-manager
|
||||
app.kubernetes.io/version: "1.4.0"
|
||||
@@ -18,7 +18,7 @@ kind: ServiceAccount
|
||||
metadata:
|
||||
name: talos-cloud-controller-manager-talos-secrets
|
||||
labels:
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.0
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.1
|
||||
app.kubernetes.io/name: talos-cloud-controller-manager
|
||||
app.kubernetes.io/instance: talos-cloud-controller-manager
|
||||
app.kubernetes.io/version: "1.4.0"
|
||||
@@ -34,7 +34,7 @@ kind: ConfigMap
|
||||
metadata:
|
||||
name: talos-cloud-controller-manager
|
||||
labels:
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.0
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.1
|
||||
app.kubernetes.io/name: talos-cloud-controller-manager
|
||||
app.kubernetes.io/instance: talos-cloud-controller-manager
|
||||
app.kubernetes.io/version: "1.4.0"
|
||||
@@ -51,7 +51,7 @@ kind: ClusterRole
|
||||
metadata:
|
||||
name: system:talos-cloud-controller-manager
|
||||
labels:
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.0
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.1
|
||||
app.kubernetes.io/name: talos-cloud-controller-manager
|
||||
app.kubernetes.io/instance: talos-cloud-controller-manager
|
||||
app.kubernetes.io/version: "1.4.0"
|
||||
@@ -159,7 +159,7 @@ kind: Service
|
||||
metadata:
|
||||
name: talos-cloud-controller-manager
|
||||
labels:
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.0
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.1
|
||||
app.kubernetes.io/name: talos-cloud-controller-manager
|
||||
app.kubernetes.io/instance: talos-cloud-controller-manager
|
||||
app.kubernetes.io/version: "1.4.0"
|
||||
@@ -183,7 +183,7 @@ kind: DaemonSet
|
||||
metadata:
|
||||
name: talos-cloud-controller-manager
|
||||
labels:
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.0
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.1
|
||||
app.kubernetes.io/name: talos-cloud-controller-manager
|
||||
app.kubernetes.io/instance: talos-cloud-controller-manager
|
||||
app.kubernetes.io/version: "1.4.0"
|
||||
|
||||
@@ -5,7 +5,7 @@ kind: ServiceAccount
|
||||
metadata:
|
||||
name: talos-cloud-controller-manager
|
||||
labels:
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.0
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.1
|
||||
app.kubernetes.io/name: talos-cloud-controller-manager
|
||||
app.kubernetes.io/instance: talos-cloud-controller-manager
|
||||
app.kubernetes.io/version: "1.4.0"
|
||||
@@ -18,7 +18,7 @@ kind: ServiceAccount
|
||||
metadata:
|
||||
name: talos-cloud-controller-manager-talos-secrets
|
||||
labels:
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.0
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.1
|
||||
app.kubernetes.io/name: talos-cloud-controller-manager
|
||||
app.kubernetes.io/instance: talos-cloud-controller-manager
|
||||
app.kubernetes.io/version: "1.4.0"
|
||||
@@ -34,7 +34,7 @@ kind: ConfigMap
|
||||
metadata:
|
||||
name: talos-cloud-controller-manager
|
||||
labels:
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.0
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.1
|
||||
app.kubernetes.io/name: talos-cloud-controller-manager
|
||||
app.kubernetes.io/instance: talos-cloud-controller-manager
|
||||
app.kubernetes.io/version: "1.4.0"
|
||||
@@ -51,7 +51,7 @@ kind: ClusterRole
|
||||
metadata:
|
||||
name: system:talos-cloud-controller-manager
|
||||
labels:
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.0
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.1
|
||||
app.kubernetes.io/name: talos-cloud-controller-manager
|
||||
app.kubernetes.io/instance: talos-cloud-controller-manager
|
||||
app.kubernetes.io/version: "1.4.0"
|
||||
@@ -159,7 +159,7 @@ kind: Service
|
||||
metadata:
|
||||
name: talos-cloud-controller-manager
|
||||
labels:
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.0
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.1
|
||||
app.kubernetes.io/name: talos-cloud-controller-manager
|
||||
app.kubernetes.io/instance: talos-cloud-controller-manager
|
||||
app.kubernetes.io/version: "1.4.0"
|
||||
@@ -183,7 +183,7 @@ kind: Deployment
|
||||
metadata:
|
||||
name: talos-cloud-controller-manager
|
||||
labels:
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.0
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.1
|
||||
app.kubernetes.io/name: talos-cloud-controller-manager
|
||||
app.kubernetes.io/instance: talos-cloud-controller-manager
|
||||
app.kubernetes.io/version: "1.4.0"
|
||||
|
||||
@@ -5,7 +5,7 @@ kind: ServiceAccount
|
||||
metadata:
|
||||
name: talos-cloud-controller-manager
|
||||
labels:
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.0
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.1
|
||||
app.kubernetes.io/name: talos-cloud-controller-manager
|
||||
app.kubernetes.io/instance: talos-cloud-controller-manager
|
||||
app.kubernetes.io/version: "1.4.0"
|
||||
@@ -18,7 +18,7 @@ kind: ServiceAccount
|
||||
metadata:
|
||||
name: talos-cloud-controller-manager-talos-secrets
|
||||
labels:
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.0
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.1
|
||||
app.kubernetes.io/name: talos-cloud-controller-manager
|
||||
app.kubernetes.io/instance: talos-cloud-controller-manager
|
||||
app.kubernetes.io/version: "1.4.0"
|
||||
@@ -34,7 +34,7 @@ kind: ConfigMap
|
||||
metadata:
|
||||
name: talos-cloud-controller-manager
|
||||
labels:
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.0
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.1
|
||||
app.kubernetes.io/name: talos-cloud-controller-manager
|
||||
app.kubernetes.io/instance: talos-cloud-controller-manager
|
||||
app.kubernetes.io/version: "1.4.0"
|
||||
@@ -51,7 +51,7 @@ kind: ClusterRole
|
||||
metadata:
|
||||
name: system:talos-cloud-controller-manager
|
||||
labels:
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.0
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.1
|
||||
app.kubernetes.io/name: talos-cloud-controller-manager
|
||||
app.kubernetes.io/instance: talos-cloud-controller-manager
|
||||
app.kubernetes.io/version: "1.4.0"
|
||||
@@ -159,7 +159,7 @@ kind: Service
|
||||
metadata:
|
||||
name: talos-cloud-controller-manager
|
||||
labels:
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.0
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.1
|
||||
app.kubernetes.io/name: talos-cloud-controller-manager
|
||||
app.kubernetes.io/instance: talos-cloud-controller-manager
|
||||
app.kubernetes.io/version: "1.4.0"
|
||||
@@ -183,7 +183,7 @@ kind: Deployment
|
||||
metadata:
|
||||
name: talos-cloud-controller-manager
|
||||
labels:
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.0
|
||||
helm.sh/chart: talos-cloud-controller-manager-0.2.1
|
||||
app.kubernetes.io/name: talos-cloud-controller-manager
|
||||
app.kubernetes.io/instance: talos-cloud-controller-manager
|
||||
app.kubernetes.io/version: "1.4.0"
|
||||
|
||||