scottk/secureblue
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/secureblue.git synced 2025-11-01 19:07:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: coreos images to allow image signing

Browse Source
This commit is contained in:
qoijjj
2024-01-08 01:25:09 -08:00
committed by GitHub
parent e511f85c6b
commit e768d4a0f6
9 changed files with 116 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
config/common/server-files.yml Normal file
View File

@@ -0,0 +1,6 @@
type: files
files:
- server/usr: /usr # copy static configurations
# configuration you wish to end up in /etc/ on the booted system should be
# added into /usr/etc/ (under /config/files) as that is the proper "distro"
# config directory on ostree read more in the files module's README

95
config/files/usr/server/usr/etc/containers/policy.json Normal file
View File

@@ -0,0 +1,95 @@
{
"default": [
{
"type": "reject"
}
],
"transports": {
"docker": {
"registry.access.redhat.com": [
{
"type": "signedBy",
"keyType": "GPGKeys",
"keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
}
],
"registry.redhat.io": [
{
"type": "signedBy",
"keyType": "GPGKeys",
"keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
}
],
"ghcr.io/ublue-os": [
{
"type": "sigstoreSigned",
"keyPath": "/usr/etc/pki/containers/ublue-os.pub",
"signedIdentity": {
"type": "matchRepository"
}
}
],
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"docker-daemon": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"atomic": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"containers-storage": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"dir": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"oci": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"oci-archive": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"docker-archive": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"tarball": {
"": [
{
"type": "insecureAcceptAnything"
}
]
}
}
}

3
config/files/usr/server/usr/etc/containers/registries.d/ublue-os.yaml Normal file
View File

@@ -0,0 +1,3 @@
docker:
ghcr.io/ublue-os:
use-sigstore-attachments: true

4
config/files/usr/server/usr/etc/pki/containers/ublue-os.pub Normal file
View File

@@ -0,0 +1,4 @@
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7lh7fJMV4dBT2jT1XafixUJa7OVA
cT+QFVD8IfIJIS/KBAc8hx1aslzkH3tfeM0cwyCLB7kOStZ4sh6RyFQD9w==
-----END PUBLIC KEY-----

3
config/recipes/server/recipe-server-main-userns.yml
View File

@@ -1,7 +1,7 @@
# image will be published to ghcr.io/<user>/<name>
name: server-main-userns-hardened
# description will be included in the image's metadata
description: "base with some hardening applied"
description: "coreos with some hardening applied"
# the base image to build on top of (FROM) and the version tag to use
base-image: ghcr.io/ublue-os/fedora-coreos
@@ -11,6 +11,7 @@ image-version: stable-zfs
# you can include multiple instances of the same module
modules:
- from-file: common/common-files.yml
- from-file: common/server-files.yml
- from-file: common/server-scripts.yml
- from-file: common/common-packages.yml
- from-file: common/common-bling.yml

3
config/recipes/server/recipe-server-main.yml
View File

@@ -1,7 +1,7 @@
# image will be published to ghcr.io/<user>/<name>
name: server-main-hardened
# description will be included in the image's metadata
description: "base with some hardening applied"
description: "coreos with some hardening applied"
# the base image to build on top of (FROM) and the version tag to use
base-image: ghcr.io/ublue-os/fedora-coreos
@@ -11,6 +11,7 @@ image-version: stable-zfs
# you can include multiple instances of the same module
modules:
- from-file: common/common-files.yml
- from-file: common/server-files.yml
- from-file: common/server-scripts.yml
- from-file: common/common-packages.yml
- from-file: common/common-bling.yml

3
config/recipes/server/recipe-server-nvidia-userns.yml
View File

@@ -1,7 +1,7 @@
# image will be published to ghcr.io/<user>/<name>
name: server-nvidia-userns-hardened
# description will be included in the image's metadata
description: "base nvidia with some hardening applied"
description: "coreos nvidia with some hardening applied"
# the base image to build on top of (FROM) and the version tag to use
base-image: ghcr.io/ublue-os/fedora-coreos
@@ -11,6 +11,7 @@ image-version: stable-nvidia-zfs
# you can include multiple instances of the same module
modules:
- from-file: common/common-files.yml
- from-file: common/server-files.yml
- from-file: common/server-scripts.yml
- from-file: common/common-packages.yml
- from-file: common/common-bling.yml

3
config/recipes/server/recipe-server-nvidia.yml
View File

@@ -1,7 +1,7 @@
# image will be published to ghcr.io/<user>/<name>
name: server-nvidia-hardened
# description will be included in the image's metadata
description: "base nvidia with some hardening applied"
description: "coreos nvidia with some hardening applied"
# the base image to build on top of (FROM) and the version tag to use
base-image: ghcr.io/ublue-os/fedora-coreos
@@ -11,6 +11,7 @@ image-version: stable-nvidia-zfs
# you can include multiple instances of the same module
modules:
- from-file: common/common-files.yml
- from-file: common/server-files.yml
- from-file: common/server-scripts.yml
- from-file: common/common-packages.yml
- from-file: common/common-bling.yml

3
config/scripts/signing.sh
View File

@@ -6,11 +6,8 @@ set -oue pipefail
echo "Setting up container signing in policy.json and cosign.yaml for $IMAGE_NAME"
echo "Registry to write: $IMAGE_REGISTRY"
mkdir -p /usr/etc/pki/containers/registries.d
cp /usr/share/ublue-os/cosign.pub /usr/etc/pki/containers/"$IMAGE_NAME".pub
mkdir -p /usr/etc/containers
touch /usr/etc/containers/policy.json
FILE=/usr/etc/containers/policy.json
yq -i -o=j '.transports.docker |=