From 562e7384f7c3ddd60c16cf0d87da904274775951 Mon Sep 17 00:00:00 2001 From: Serge Logvinov Date: Mon, 7 Aug 2023 20:43:10 +0300 Subject: [PATCH] feat: sign images Helm chart and image signed by Cosign. Now you can verify that images were built GitHub Actions. Signed-off-by: Serge Logvinov --- .github/dependabot.yml | 12 ++++++ .github/workflows/build-edge.yaml | 9 ++++ .github/workflows/charts.yaml | 1 + .github/workflows/release-charts.yaml | 42 +++++++++++++++++++ .github/workflows/release.yaml | 7 ++++ Makefile | 22 ++++++++++ README.md | 2 +- .../talos-cloud-controller-manager/Chart.yaml | 2 +- .../talos-cloud-controller-manager/README.md | 2 +- docs/cosign.md | 23 ++++++++++ .../cloud-controller-manager-daemonset.yml | 12 +++--- docs/deploy/cloud-controller-manager-edge.yml | 12 +++--- docs/deploy/cloud-controller-manager.yml | 12 +++--- 13 files changed, 137 insertions(+), 21 deletions(-) create mode 100644 .github/workflows/release-charts.yaml create mode 100644 docs/cosign.md diff --git a/.github/dependabot.yml b/.github/dependabot.yml index f75dad3..0df4719 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,6 +4,18 @@ version: 2 updates: + - package-ecosystem: "github-actions" + directory: "/" + commit-message: + prefix: "chore:" + open-pull-requests-limit: 5 + rebase-strategy: disabled + schedule: + interval: "weekly" + day: "monday" + time: "07:30" + timezone: "UTC" + - package-ecosystem: "gomod" directory: "/" commit-message: diff --git a/.github/workflows/build-edge.yaml b/.github/workflows/build-edge.yaml index dbc940f..6131328 100644 --- a/.github/workflows/build-edge.yaml +++ b/.github/workflows/build-edge.yaml 
@@ -18,14 +18,18 @@ jobs: permissions: contents: read packages: write + id-token: write steps: - name: Checkout uses: actions/checkout@v3 - name: Unshallow run: git fetch --prune --unshallow + - name: Install Cosign + uses: sigstore/cosign-installer@v3.1.1 - name: Set up docker buildx run: make docker-init + - name: Github registry login uses: docker/login-action@v2 with: @@ -39,3 +43,8 @@ jobs: USERNAME: ${{ github.repository_owner }} PUSH: "true" TAG: "edge" + - name: Sign images + run: make images-cosign + env: + USERNAME: ${{ github.repository_owner }} + TAG: "edge" diff --git a/.github/workflows/charts.yaml b/.github/workflows/charts.yaml index 2824ff2..2cd14a4 100644 --- a/.github/workflows/charts.yaml +++ b/.github/workflows/charts.yaml @@ -10,6 +10,7 @@ on: jobs: helm-lint: name: Helm chart check + timeout-minutes: 5 runs-on: ubuntu-22.04 steps: - name: Checkout diff --git a/.github/workflows/release-charts.yaml b/.github/workflows/release-charts.yaml new file mode 100644 index 0000000..91efec6 --- /dev/null +++ b/.github/workflows/release-charts.yaml @@ -0,0 +1,42 @@ +name: Release Helm Chart + +on: + push: + branches: + - main + paths: + - 'charts/**' + +jobs: + build-publish: + name: "Publish helm chart" + timeout-minutes: 10 + runs-on: ubuntu-22.04 + permissions: + contents: read + packages: write + id-token: write + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + fetch-depth: 0 + + - name: Install Helm + uses: azure/setup-helm@v3 + with: + version: v3.12.2 + - name: Install Cosign + uses: sigstore/cosign-installer@v3.1.1 + + - name: Github registry login + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Helm release + run: make helm-login helm-release + env: + HELM_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index c2e2d34..212bf2b 100644 --- a/.github/workflows/release.yaml 
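Review bot: This hunk grants the job `id-token: write` while the actions it runs stay pinned to mutable tags (`actions/checkout@v3`, the new `sigstore/cosign-installer@v3.1.1`, `docker/login-action@v2`), so anyone able to move one of those tags could run code with access to the OIDC token and produce signatures that verify as this repository's workflow. Pin each third-party action to its full commit SHA and keep the version as a trailing comment, e.g. `uses: sigstore/cosign-installer@<full-commit-sha>  # v3.1.1`; the `github-actions` ecosystem added to `dependabot.yml` in this patch will then keep such pins current. The same applies to every `uses:` line in the new `release-charts.yaml` and to the matching hunk of `release.yaml`. The job's `steps` list continues past the hunk.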
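Review bot: In `release-charts.yaml` the `build-publish` job fires on any push to `main` under `charts/**` and runs `make helm-login helm-release` unconditionally, which packages and pushes whatever version `Chart.yaml` carries at that moment; a chart edit without a version bump would presumably republish and re-sign an already released chart version under the same tag (registry behaviour is not visible here, so confirm). Consider adding a step before `Helm release` that reads the chart version and skips or fails when that version is already present in the registry, or restricting the trigger to release tags, so published chart versions stay immutable. The `fetch-depth: 0` on checkout is only needed if something derives from git history; `helm package` does not, so it can likely be dropped.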
+++ b/.github/workflows/release.yaml @@ -8,18 +8,23 @@ on: jobs: build-publish: name: "Build image and publish" + timeout-minutes: 15 runs-on: ubuntu-22.04 permissions: contents: read packages: write + id-token: write steps: - name: Checkout uses: actions/checkout@v3 - name: Unshallow run: git fetch --prune --unshallow + - name: Install Cosign + uses: sigstore/cosign-installer@v3.1.1 - name: Set up docker buildx run: make docker-init + - name: Github registry login uses: docker/login-action@v2 with: @@ -31,3 +36,5 @@ jobs: run: make images env: PUSH: "true" + - name: Sign images + run: make images-cosign diff --git a/Makefile b/Makefile index c829930..ce0b34b 100644 --- a/Makefile +++ b/Makefile @@ -2,6 +2,7 @@ REGISTRY ?= ghcr.io USERNAME ?= siderolabs PROJECT ?= talos-cloud-controller-manager IMAGE ?= $(REGISTRY)/$(USERNAME)/$(PROJECT) +HELMREPO ?= $(REGISTRY)/$(USERNAME)/charts PLATFORM ?= linux/arm64,linux/amd64 PUSH ?= false @@ -25,6 +26,8 @@ else BUILD_ARGS += --output type=docker endif +COSING_ARGS ?= + ###### # Help Menu @@ -43,6 +46,7 @@ endef export HELP_MENU_HEADER +.PHONY: help help: ## This help menu. @echo "$$HELP_MENU_HEADER" @grep -E '^[a-zA-Z0-9%_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' 
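Review bot: `COSING_ARGS ?=` in the `@@ -25,6 +26,8 @@` hunk misspells `COSIGN_ARGS`, and since `?=` is meant to let callers supply the value from the environment, anyone exporting `COSIGN_ARGS` will have it silently ignored. Rename it to `COSIGN_ARGS ?=` here and at its two uses in the `helm-release` and `images-cosign` recipes of the later Makefile hunks. A short comment above the assignment, such as `# extra flags passed to every cosign sign invocation`, would also document what the variable is for.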
@@ -86,6 +90,19 @@ helm-unit: ## Helm Unit Tests @helm template -f charts/talos-cloud-controller-manager/ci/values.yaml \ talos-cloud-controller-manager charts/talos-cloud-controller-manager >/dev/null +.PHONY: helm-login +helm-login: ## Helm Login + @echo "${HELM_TOKEN}" | helm registry login $(REGISTRY) --username $(USERNAME) --password-stdin + +.PHONY: helm-release +helm-release: ## Helm Release + @rm -rf dist/ + @helm package charts/talos-cloud-controller-manager -d dist + @helm push dist/talos-cloud-controller-manager-*.tgz oci://$(HELMREPO) 2>&1 | tee dist/.digest + @cosign sign --yes $(COSING_ARGS) $(HELMREPO)/talos-cloud-controller-manager@$$(cat dist/.digest | awk -F "[, ]+" '/Digest/{print $$NF}') + +############ + .PHONY: docs docs: helm template -n kube-system talos-cloud-controller-manager \ @@ -117,6 +134,11 @@ docker-init: docker context use multiarch docker buildx inspect --bootstrap multiarch +.PHONY: images-cosign +images-cosign: + @cosign sign --yes $(COSING_ARGS) --recursive $(IMAGE):$(TAG) + +.PHONY: images images: @docker buildx build $(BUILD_ARGS) \ --build-arg VERSION="$(VERSION)" \ diff --git a/README.md b/README.md index ebd31b5..0187c3b 100644 --- a/README.md +++ b/README.md @@ -133,7 +133,7 @@ kubectl apply -f https://raw.githubusercontent.com/siderolabs/talos-cloud-contro ### Method 3: helm chart ```shell -helm upgrade -i -n kube-system talos-cloud-controller-manager charts/talos-cloud-controller-manager +helm upgrade -i -n kube-system talos-cloud-controller-manager oci://ghcr.io/siderolabs/charts/talos-cloud-controller-manager ``` ## Community diff --git a/charts/talos-cloud-controller-manager/Chart.yaml b/charts/talos-cloud-controller-manager/Chart.yaml index 54ce4a6..c3ecf30 100644 --- a/charts/talos-cloud-controller-manager/Chart.yaml +++ b/charts/talos-cloud-controller-manager/Chart.yaml @@ -12,5 +12,5 @@ maintainers: - name: sergelogvinov url: https://github.com/sergelogvinov -version: 0.2.0 +version: 0.2.1 appVersion: "1.4.0" 
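Review bot: In `helm-release` the exit status of `helm push` is lost, because Make runs the recipe line under `/bin/sh -c` without `pipefail` and the line's status is that of `tee`; a failed push therefore continues into `cosign sign` with an empty digest, and the job fails on a misleading cosign error instead of on the push. Capture the output first and check the status before parsing it, e.g. `@helm push dist/talos-cloud-controller-manager-*.tgz oci://$(HELMREPO) > dist/.digest 2>&1 || { cat dist/.digest; exit 1; }` followed by `@cat dist/.digest`. The `awk -F "[, ]+" '/Digest/{print $$NF}'` extraction also deserves a comment naming the `helm push` output line it depends on, since a wording change in helm would hand cosign a malformed reference.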
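Review bot: `images-cosign` signs `$(IMAGE):$(TAG)`, a mutable tag reference that cosign resolves to a digest at signing time in a separate step from the push, whereas the `helm-release` target added in the same patch signs by digest; the image path should do the same so the signature is bound to exactly the manifest `docker buildx build` produced rather than whatever the tag points at when the sign step runs. Have the `images` recipe record the digest (buildx writes it via `--metadata-file` under `containerimage.digest`) and sign `$(IMAGE)@<digest-from-file>` from that; the `images` recipe continues past the hunk, so the flag placement is not visible here. Until that change lands, a comment such as `# signs the tag as currently resolved in the registry; prefer the digest from the build` would document the gap.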
diff --git a/charts/talos-cloud-controller-manager/README.md b/charts/talos-cloud-controller-manager/README.md index 5e4876f..f9cbfd5 100644 --- a/charts/talos-cloud-controller-manager/README.md +++ b/charts/talos-cloud-controller-manager/README.md @@ -1,6 +1,6 @@ # talos-cloud-controller-manager -![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.4.0](https://img.shields.io/badge/AppVersion-1.4.0-informational?style=flat-square) +![Version: 0.2.1](https://img.shields.io/badge/Version-0.2.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.4.0](https://img.shields.io/badge/AppVersion-1.4.0-informational?style=flat-square) Talos Cloud Controller Manager Helm Chart diff --git a/docs/cosign.md b/docs/cosign.md new file mode 100644 index 0000000..ac1d926 --- /dev/null +++ b/docs/cosign.md 
@@ -0,0 +1,23 @@ +# Verify images + +We'll be employing [Cosing's](https://github.com/sigstore/cosign) keyless verifications to ensure that images were built in Github Actions. + +## Verify Helm chart + +We will verify the keyless signature using the Cosign protocol. + +```shell +cosign verify ghcr.io/siderolabs/charts/talos-cloud-controller-manager:0.2.1 --certificate-identity https://github.com/siderolabs/talos-cloud-controller-manager/.github/workflows/release-charts.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com +``` + +## Verify containers + +We will verify the keyless signature using the Cosign protocol. + +```shell +# Edge version +cosign verify ghcr.io/siderolabs/talos-cloud-controller-manager:edge --certificate-identity https://github.com/siderolabs/talos-cloud-controller-manager/.github/workflows/build-edge.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com + +# Releases +cosign verify ghcr.io/siderolabs/talos-cloud-controller-manager:v1.4.1 --certificate-identity https://github.com/siderolabs/talos-cloud-controller-manager/.github/workflows/release.yaml@refs/tags/v1.4.1 --certificate-oidc-issuer https://token.actions.githubusercontent.com +``` diff --git a/docs/deploy/cloud-controller-manager-daemonset.yml b/docs/deploy/cloud-controller-manager-daemonset.yml index 842e883..a7baf71 100644 --- a/docs/deploy/cloud-controller-manager-daemonset.yml +++ b/docs/deploy/cloud-controller-manager-daemonset.yml @@ -5,7 +5,7 @@ kind: ServiceAccount metadata: name: talos-cloud-controller-manager labels: - helm.sh/chart: talos-cloud-controller-manager-0.2.0 + helm.sh/chart: talos-cloud-controller-manager-0.2.1 app.kubernetes.io/name: talos-cloud-controller-manager app.kubernetes.io/instance: talos-cloud-controller-manager app.kubernetes.io/version: "1.4.0" 
@@ -18,7 +18,7 @@ kind: ServiceAccount metadata: name: talos-cloud-controller-manager-talos-secrets labels: - helm.sh/chart: talos-cloud-controller-manager-0.2.0 + helm.sh/chart: talos-cloud-controller-manager-0.2.1 app.kubernetes.io/name: talos-cloud-controller-manager app.kubernetes.io/instance: talos-cloud-controller-manager app.kubernetes.io/version: "1.4.0" @@ -34,7 +34,7 @@ kind: ConfigMap metadata: name: talos-cloud-controller-manager labels: - helm.sh/chart: talos-cloud-controller-manager-0.2.0 + helm.sh/chart: talos-cloud-controller-manager-0.2.1 app.kubernetes.io/name: talos-cloud-controller-manager app.kubernetes.io/instance: talos-cloud-controller-manager app.kubernetes.io/version: "1.4.0" @@ -51,7 +51,7 @@ kind: ClusterRole metadata: name: system:talos-cloud-controller-manager labels: - helm.sh/chart: talos-cloud-controller-manager-0.2.0 + helm.sh/chart: talos-cloud-controller-manager-0.2.1 app.kubernetes.io/name: talos-cloud-controller-manager app.kubernetes.io/instance: talos-cloud-controller-manager app.kubernetes.io/version: "1.4.0" @@ -159,7 +159,7 @@ kind: Service metadata: name: talos-cloud-controller-manager labels: - helm.sh/chart: talos-cloud-controller-manager-0.2.0 + helm.sh/chart: talos-cloud-controller-manager-0.2.1 app.kubernetes.io/name: talos-cloud-controller-manager app.kubernetes.io/instance: talos-cloud-controller-manager app.kubernetes.io/version: "1.4.0" @@ -183,7 +183,7 @@ kind: DaemonSet metadata: name: talos-cloud-controller-manager labels: - helm.sh/chart: talos-cloud-controller-manager-0.2.0 + helm.sh/chart: talos-cloud-controller-manager-0.2.1 app.kubernetes.io/name: talos-cloud-controller-manager app.kubernetes.io/instance: talos-cloud-controller-manager app.kubernetes.io/version: "1.4.0" diff --git a/docs/deploy/cloud-controller-manager-edge.yml b/docs/deploy/cloud-controller-manager-edge.yml index 8ef2aa9..4a93c69 100644 --- a/docs/deploy/cloud-controller-manager-edge.yml 
+++ b/docs/deploy/cloud-controller-manager-edge.yml @@ -5,7 +5,7 @@ kind: ServiceAccount metadata: name: talos-cloud-controller-manager labels: - helm.sh/chart: talos-cloud-controller-manager-0.2.0 + helm.sh/chart: talos-cloud-controller-manager-0.2.1 app.kubernetes.io/name: talos-cloud-controller-manager app.kubernetes.io/instance: talos-cloud-controller-manager app.kubernetes.io/version: "1.4.0" @@ -18,7 +18,7 @@ kind: ServiceAccount metadata: name: talos-cloud-controller-manager-talos-secrets labels: - helm.sh/chart: talos-cloud-controller-manager-0.2.0 + helm.sh/chart: talos-cloud-controller-manager-0.2.1 app.kubernetes.io/name: talos-cloud-controller-manager app.kubernetes.io/instance: talos-cloud-controller-manager app.kubernetes.io/version: "1.4.0" @@ -34,7 +34,7 @@ kind: ConfigMap metadata: name: talos-cloud-controller-manager labels: - helm.sh/chart: talos-cloud-controller-manager-0.2.0 + helm.sh/chart: talos-cloud-controller-manager-0.2.1 app.kubernetes.io/name: talos-cloud-controller-manager app.kubernetes.io/instance: talos-cloud-controller-manager app.kubernetes.io/version: "1.4.0" @@ -51,7 +51,7 @@ kind: ClusterRole metadata: name: system:talos-cloud-controller-manager labels: - helm.sh/chart: talos-cloud-controller-manager-0.2.0 + helm.sh/chart: talos-cloud-controller-manager-0.2.1 app.kubernetes.io/name: talos-cloud-controller-manager app.kubernetes.io/instance: talos-cloud-controller-manager app.kubernetes.io/version: "1.4.0" @@ -159,7 +159,7 @@ kind: Service metadata: name: talos-cloud-controller-manager labels: - helm.sh/chart: talos-cloud-controller-manager-0.2.0 + helm.sh/chart: talos-cloud-controller-manager-0.2.1 app.kubernetes.io/name: talos-cloud-controller-manager app.kubernetes.io/instance: talos-cloud-controller-manager app.kubernetes.io/version: "1.4.0" 
@@ -183,7 +183,7 @@ kind: Deployment metadata: name: talos-cloud-controller-manager labels: - helm.sh/chart: talos-cloud-controller-manager-0.2.0 + helm.sh/chart: talos-cloud-controller-manager-0.2.1 app.kubernetes.io/name: talos-cloud-controller-manager app.kubernetes.io/instance: talos-cloud-controller-manager app.kubernetes.io/version: "1.4.0" diff --git a/docs/deploy/cloud-controller-manager.yml b/docs/deploy/cloud-controller-manager.yml index 58a23e5..7173f07 100644 --- a/docs/deploy/cloud-controller-manager.yml +++ b/docs/deploy/cloud-controller-manager.yml @@ -5,7 +5,7 @@ kind: ServiceAccount metadata: name: talos-cloud-controller-manager labels: - helm.sh/chart: talos-cloud-controller-manager-0.2.0 + helm.sh/chart: talos-cloud-controller-manager-0.2.1 app.kubernetes.io/name: talos-cloud-controller-manager app.kubernetes.io/instance: talos-cloud-controller-manager app.kubernetes.io/version: "1.4.0" @@ -18,7 +18,7 @@ kind: ServiceAccount metadata: name: talos-cloud-controller-manager-talos-secrets labels: - helm.sh/chart: talos-cloud-controller-manager-0.2.0 + helm.sh/chart: talos-cloud-controller-manager-0.2.1 app.kubernetes.io/name: talos-cloud-controller-manager app.kubernetes.io/instance: talos-cloud-controller-manager app.kubernetes.io/version: "1.4.0" @@ -34,7 +34,7 @@ kind: ConfigMap metadata: name: talos-cloud-controller-manager labels: - helm.sh/chart: talos-cloud-controller-manager-0.2.0 + helm.sh/chart: talos-cloud-controller-manager-0.2.1 app.kubernetes.io/name: talos-cloud-controller-manager app.kubernetes.io/instance: talos-cloud-controller-manager app.kubernetes.io/version: "1.4.0" @@ -51,7 +51,7 @@ kind: ClusterRole metadata: name: system:talos-cloud-controller-manager labels: - helm.sh/chart: talos-cloud-controller-manager-0.2.0 + helm.sh/chart: talos-cloud-controller-manager-0.2.1 app.kubernetes.io/name: talos-cloud-controller-manager app.kubernetes.io/instance: talos-cloud-controller-manager app.kubernetes.io/version: "1.4.0" 
@@ -159,7 +159,7 @@ kind: Service metadata: name: talos-cloud-controller-manager labels: - helm.sh/chart: talos-cloud-controller-manager-0.2.0 + helm.sh/chart: talos-cloud-controller-manager-0.2.1 app.kubernetes.io/name: talos-cloud-controller-manager app.kubernetes.io/instance: talos-cloud-controller-manager app.kubernetes.io/version: "1.4.0" @@ -183,7 +183,7 @@ kind: Deployment metadata: name: talos-cloud-controller-manager labels: - helm.sh/chart: talos-cloud-controller-manager-0.2.0 + helm.sh/chart: talos-cloud-controller-manager-0.2.1 app.kubernetes.io/name: talos-cloud-controller-manager app.kubernetes.io/instance: talos-cloud-controller-manager app.kubernetes.io/version: "1.4.0"