refactor release job (sigstore#1710)
* refactor release job

Signed-off-by: cpanato <[email protected]>

* add kustomize

Signed-off-by: cpanato <[email protected]>

* fix env var

Signed-off-by: cpanato <[email protected]>

* disable push to github release for now

Signed-off-by: cpanato <[email protected]>
cpanato authored Apr 5, 2022
1 parent d8c5ffe commit 2b93597
Showing 13 changed files with 187 additions and 96 deletions.
10 changes: 8 additions & 2 deletions .github/workflows/kind-cluster-image-policy.yaml
Expand Up @@ -56,6 +56,8 @@ jobs:
# will use the latest release available for ko
- uses: imjasonh/setup-ko@2c3450ca27f6e6f2b02e72a40f2163c281a1f675 # v0.4

- uses: imranismail/setup-kustomize@8fa954828ed3cfa7a487a2ba9f7104899bb48b2f # v1.6.1

- name: Install yq
uses: mikefarah/yq@bc2118736bca883de2e2c345bb7f7ef52c994920 # v4.16.2

Expand All @@ -73,11 +75,15 @@ jobs:

- name: Install cosigned
env:
GIT_HASH: $GITHUB_SHA
GIT_HASH: ${{ github.sha }}
GIT_VERSION: ci
LDFLAGS: ""
COSIGNED_YAML: cosigned-e2e.yaml
KO_PREFIX: registry.local:5000/cosigned
COSIGNED_ARCHS: linux/amd64
run: |
ko apply -Bf config/
make ko-cosigned
kubectl apply -f cosigned-e2e.yaml
# Wait for the webhook to come up and become Ready
kubectl rollout status --timeout 5m --namespace cosign-system deployments/webhook
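Review bot: `KO_PREFIX: registry.local:5000/cosigned` is combined in the Makefile's new `ko-cosigned` and `ko-policy-webhook` targets with `KO_DOCKER_REPO=$(KO_PREFIX)/cosigned` and `$(KO_PREFIX)/policy-webhook`, so the e2e images land at `registry.local:5000/cosigned/cosigned` and `registry.local:5000/cosigned/policy-webhook`; that works, but the doubled path segment looks unintended and `KO_PREFIX: registry.local:5000` is presumably what was meant. The same env/run block is duplicated verbatim in kind-e2e-cosigned.yaml, so a shared composite action or a single `make` target would keep the two from drifting. The enclosing job starts before this hunk.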
10 changes: 8 additions & 2 deletions .github/workflows/kind-e2e-cosigned.yaml
Expand Up @@ -50,6 +50,8 @@ jobs:

- uses: imjasonh/setup-ko@2c3450ca27f6e6f2b02e72a40f2163c281a1f675 # v0.4

- uses: imranismail/setup-kustomize@8fa954828ed3cfa7a487a2ba9f7104899bb48b2f # v1.6.1

- name: Install yq
uses: mikefarah/yq@bc2118736bca883de2e2c345bb7f7ef52c994920 # v4.16.2

Expand Down Expand Up @@ -96,11 +98,15 @@ jobs:
- name: Install cosigned
env:
GIT_HASH: $GITHUB_SHA
GIT_HASH: ${{ github.sha }}
GIT_VERSION: ci
LDFLAGS: ""
COSIGNED_YAML: cosigned-e2e.yaml
KO_PREFIX: registry.local:5000/cosigned
COSIGNED_ARCHS: linux/amd64
run: |
ko apply -Bf config/
make ko-cosigned
kubectl apply -f cosigned-e2e.yaml
# Wait for the webhook to come up and become Ready
kubectl rollout status --timeout 5m --namespace cosign-system deployments/webhook
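Review bot: When `kubectl rollout status` times out, the rendered `cosigned-e2e.yaml` (with the digests `ko resolve` wrote into it) is the first thing needed to debug, but nothing in this step preserves it once the job fails; an `if: failure()` upload-artifact step for `cosigned-e2e.yaml`, pinned by commit SHA like the other actions in this workflow, would keep it. The Install cosigned env/run block is now byte-identical to the one in kind-cluster-image-policy.yaml, so a shared composite action would stop the two from drifting. The enclosing job starts before this hunk.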
3 changes: 1 addition & 2 deletions .github/workflows/validate-release.yml
Expand Up @@ -39,7 +39,7 @@ jobs:
statuses: none

env:
CROSS_BUILDER_IMAGE: ghcr.io/gythialy/golang-cross:v1.17.8-0@sha256:b5b14c6a61099af5a69864f242766a0dca978d2aea97e311d051ee4f4b7d19ba
CROSS_BUILDER_IMAGE: ghcr.io/gythialy/golang-cross:v1.17.8-1@sha256:38effe76e69a728f6c2e76b290c0d5e09fdff439926e3bbe7e69978c84c185f3
COSIGN_IMAGE: gcr.io/projectsigstore/cosign:v1.6.0@sha256:b667002156c4bf9fedd9273f689b800bb5c341660e710e3bbac981c9795423d9

steps:
Expand Down Expand Up @@ -70,5 +70,4 @@ jobs:
- name: check binaries
run: |
./dist/cosign-linux-amd64 version
./dist/cosigned-linux-amd64 --help
./dist/sget-linux-amd64 version
4 changes: 4 additions & 0 deletions .gitignore
Expand Up @@ -27,5 +27,9 @@

bin*
dist/
cosignImagerefs
cosignedImagerefs
sgetImagerefs
policyImagerefs

**verify-experimental*
40 changes: 2 additions & 38 deletions .goreleaser.yml
Expand Up @@ -15,7 +15,7 @@ before:
# if running a release we will generate the images in this step
# if running in the CI the CI env va is set and we dont run the ko steps
# this is needed because we are generating files that goreleaser was not aware to push to GH project release
- /bin/bash -c 'if [ -z "$CI" ]; then make sign-container-release && make sign-keyless-release; fi'
- /bin/bash -c 'if [ -z "$CI" ]; then make sign-release-images; fi'

gomod:
proxy: true
Expand Down Expand Up @@ -128,28 +128,6 @@ builds:
- pivkey
- pkcs11key

- id: linux-cosigned
binary: cosigned-linux-{{ .Arch }}
no_unique_dist_dir: true
main: ./cmd/cosign/webhook
mod_timestamp: '{{ .CommitTimestamp }}'
flags:
- -trimpath
goos:
- linux
goarch:
- amd64
- arm64
- arm
- s390x
- ppc64le
goarm:
- 7
ldflags:
- "{{ .Env.LDFLAGS }}"
env:
- CGO_ENABLED=0

- id: sget
binary: sget-{{ .Os }}-{{ .Arch }}
no_unique_dist_dir: true
Expand Down Expand Up @@ -189,13 +167,6 @@ signs:
cmd: ./dist/cosign-linux-amd64
args: ["sign-blob", "--output-signature", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
artifacts: binary
- id: cosigned
signature: "${artifact}.sig"
cmd: ./dist/cosign-linux-amd64
args: ["sign-blob", "--output-signature", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
artifacts: binary
ids:
- linux-cosigned
- id: sget
signature: "${artifact}.sig"
cmd: ./dist/cosign-linux-amd64
Expand All @@ -210,14 +181,6 @@ signs:
cmd: ./dist/cosign-linux-amd64
args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"]
artifacts: binary
- id: cosigned-keyless
signature: "${artifact}-keyless.sig"
certificate: "${artifact}-keyless.pem"
cmd: ./dist/cosign-linux-amd64
args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"]
artifacts: binary
ids:
- linux-cosigned
- id: sget-keyless
signature: "${artifact}-keyless.sig"
certificate: "${artifact}-keyless.pem"
Expand Down Expand Up @@ -273,6 +236,7 @@ snapshot:
name_template: SNAPSHOT-{{ .ShortCommit }}

release:
disable: true ## not pushing to GitHub release due issues (context https://sigstore.slack.com/archives/C01PZKDL4DP/p1649162659703169?thread_ts=1649089777.081249&cid=C01PZKDL4DP)
prerelease: allow # remove this when we start publishing non-prerelease or set to auto
draft: true # allow for manual edits
github:
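Review bot: Whether release images get built and signed still hinges on `[ -z "$CI" ]` in the `before` hook: a release environment that happens to export `CI` silently produces no images at all, and a CI runner where it is missing tries to push and sign against the real registry, and neither case is reported as an error. An explicit opt-in such as `if [ "$SIGN_RELEASE_IMAGES" = "true" ]; then make sign-release-images; fi`, set only by release/cloudbuild.yaml, fails closed instead. I do not see `sign-release-images` defined in the visible Makefile hunks; confirm it exists and that it also signs the `policy-webhook` image this commit starts building, since the per-binary `cosigned` signing entries are removed here. The `release.disable: true` comment points at a Slack thread, which will not outlive the workaround; a tracking-issue URL is a more durable anchor.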
15 changes: 15 additions & 0 deletions .ko.yaml
Expand Up @@ -47,6 +47,21 @@ builds:
- -extldflags "-static"
- "{{ .Env.LDFLAGS }}"

- id: policy_webhook
dir: .
main: ./cmd/cosign/policy_webhook
env:
- CGO_ENABLED=0
flags:
- -trimpath
- --tags
- "{{ .Env.GIT_HASH }}"
- --tags
- "{{ .Env.GIT_VERSION }}"
ldflags:
- -extldflags "-static"
- "{{ .Env.LDFLAGS }}"

- id: sget
dir: .
main: ./cmd/sget
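Review bot: In the new `policy_webhook` build, `--tags` under `flags` is handed to `go build`, where `-tags` selects build-constraint tags rather than image tags; `"{{ .Env.GIT_HASH }}"` and `"{{ .Env.GIT_VERSION }}"` therefore only enable files guarded by `//go:build <sha>`, which do not exist, while the real image tags come from `ko resolve --tags` in the Makefile. The tail of the preceding build entry shown above ends the same way, so this is consistent with the rest of the file and most likely harmless, but it is misleading to the next reader; confirming the intent and dropping the four `--tags` lines from each entry, or adding a comment explaining why they are there, would help. The `ldflags` line already carries version information via `$(LDFLAGS)`, which is the mechanism that actually stamps the binary.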
48 changes: 37 additions & 11 deletions Makefile
Expand Up @@ -42,6 +42,7 @@ ifeq ($(DIFF), 1)
endif
PLATFORMS=darwin linux windows
ARCHITECTURES=amd64
COSIGNED_ARCHS?=all

LDFLAGS=-buildid= -X sigs.k8s.io/release-utils/version.gitVersion=$(GIT_VERSION) \
-X sigs.k8s.io/release-utils/version.gitCommit=$(GIT_HASH) \
Expand Down Expand Up @@ -132,38 +133,58 @@ clean:


KOCACHE_PATH=/tmp/ko
ARTIFACT_HUB_LABELS=--image-label io.artifacthub.package.readme-url=https://raw.githubusercontent.com/sigstore/cosign/main/README.md --image-label io.artifacthub.package.logo-url=https://raw.githubusercontent.com/sigstore/cosign/main/images/logo.svg --image-label io.artifacthub.package.license=Apache-2.0 --image-label io.artifacthub.package.vendor=sigstore --image-label io.artifacthub.package.version=0.1.0 --image-label io.artifacthub.package.name=cosign --image-label org.opencontainers.image.created=$(BUILD_DATE) --image-label org.opencontainers.image.description='Container signing verification and storage in an OCI registry' --image-label io.artifacthub.package.alternative-locations="oci://ghcr.io/sigstore/cosign/cosign"
ARTIFACT_HUB_LABELS=--image-label io.artifacthub.package.readme-url="https://raw.githubusercontent.com/sigstore/cosign/main/README.md" \
--image-label io.artifacthub.package.logo-url=https://raw.githubusercontent.com/sigstore/cosign/main/images/logo.svg \
--image-label io.artifacthub.package.license=Apache-2.0 --image-label io.artifacthub.package.vendor=sigstore \
--image-label io.artifacthub.package.version=0.1.0 \
--image-label io.artifacthub.package.name=cosign \
--image-label org.opencontainers.image.created=$(BUILD_DATE) \
--image-label org.opencontainers.image.description="Container signing verification and storage in an OCI registry" \
--image-label io.artifacthub.package.alternative-locations="oci://ghcr.io/sigstore/cosign/cosign"

define create_kocache_path
mkdir -p $(KOCACHE_PATH)
endef


##########
# ko build
##########
.PHONY: ko
ko:
ko: ko-cosign ko-sget ko-cosigned

.PHONY: ko-cosign
ko-cosign:
$(create_kocache_path)
LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
KOCACHE=$(KOCACHE_PATH) ko build --base-import-paths \
--platform=all --tags $(GIT_VERSION) --tags $(GIT_HASH)$(LATEST_TAG) \
$(ARTIFACT_HUB_LABELS) \
$(ARTIFACT_HUB_LABELS) --image-refs cosignImagerefs \
github.com/sigstore/cosign/cmd/cosign

# cosigned
LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
KO_DOCKER_REPO=$(KO_PREFIX)/cosigned ko resolve --bare \
--platform=all --tags $(GIT_VERSION) --tags $(GIT_HASH)$(LATEST_TAG) \
--filename config/ > $(COSIGNED_YAML)

.PHONY: ko-sget
ko-sget:
# sget
LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
KOCACHE=$(KOCACHE_PATH) ko build --base-import-paths \
--platform=all --tags $(GIT_VERSION) --tags $(GIT_HASH)$(LATEST_TAG) \
$(ARTIFACT_HUB_LABELS) \
--image-refs sgetImagerefs \
github.com/sigstore/cosign/cmd/sget

.PHONY: ko-cosigned
ko-cosigned: kustomize-cosigned ko-policy-webhook
# cosigned
LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
KOCACHE=$(KOCACHE_PATH) KO_DOCKER_REPO=$(KO_PREFIX)/cosigned ko resolve --bare \
--platform=$(COSIGNED_ARCHS) --tags $(GIT_VERSION) --tags $(GIT_HASH)$(LATEST_TAG) \
--image-refs cosignedImagerefs --filename config/webhook.yaml >> $(COSIGNED_YAML)

ko-policy-webhook:
# policy_webhook
LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
KOCACHE=$(KOCACHE_PATH) KO_DOCKER_REPO=$(KO_PREFIX)/policy-webhook ko resolve --bare \
--platform=$(COSIGNED_ARCHS) --tags $(GIT_VERSION) --tags $(GIT_HASH)$(LATEST_TAG) \
--image-refs policyImagerefs --filename config/policy-webhook.yaml >> $(COSIGNED_YAML)

.PHONY: ko-local
ko-local:
$(create_kocache_path)
Expand All @@ -189,6 +210,11 @@ ko-local:
ko-apply:
LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) ko apply -Bf config/


.PHONY: kustomize-cosigned
kustomize-cosigned:
kustomize build config/ > $(COSIGNED_YAML)

##################
# help
##################
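Review bot: `ko-cosigned: kustomize-cosigned ko-policy-webhook` relies on prerequisite order for correctness: `kustomize-cosigned` truncates `$(COSIGNED_YAML)` with `>` and `ko-policy-webhook` appends to it with `>>`, and Make only honours the listed order for a serial build, so under `make -j` the policy-webhook manifest can be written first and then discarded, yielding a file with no policy webhook in it. Making the dependency explicit fixes this: `ko-policy-webhook: kustomize-cosigned`, plus `.PHONY: ko-policy-webhook`, which the new target is also missing. I do not see a default for `COSIGNED_YAML` in the visible hunks; if it is unset, `> $(COSIGNED_YAML)` becomes a bare redirect and the shell aborts, so `COSIGNED_YAML?=cosigned.yaml` next to `COSIGNED_ARCHS?=all` would give a local `make ko` a working default. `ko-sget`, `ko-cosigned` and `ko-policy-webhook` also set `KOCACHE=$(KOCACHE_PATH)` without the `$(create_kocache_path)` call that only `ko-cosign` makes, which matters when one of them is run on its own.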
32 changes: 32 additions & 0 deletions config/kustomization.yaml
@@ -0,0 +1,32 @@
# Copyright 2022 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- 100-namespace.yaml
- 200-serviceaccount.yaml
- 200-role.yaml
- 200-clusterrole.yaml
- 201-rolebinding.yaml
- 201-clusterrolebinding.yaml
- 300-clusterimagepolicy.yaml
- 400-webhook-service.yaml
- 500-webhook-configuration.yaml
- 501-policy-webhook-configurations.yaml
- config-observability.yaml
- config-logging.yaml
- config-leader-election.yaml
- config-image-policies.yaml
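Review bot: This hand-maintained resource list now decides what the e2e jobs deploy, because `ko apply -Bf config/` was replaced by `kustomize build config/` plus `ko resolve` on just `webhook.yaml` and `policy-webhook.yaml`; a manifest added to `config/` but not listed here is silently left out of the cluster. A header comment would keep that from being a surprise: `# Every manifest under config/ except webhook.yaml and policy-webhook.yaml must be listed here; those two are rendered by ko resolve in the Makefile and appended to the same output.` Keeping the list explicit is still the right call, since it doubles as the one place a reviewer can see which RBAC and webhook-configuration objects the deployment actually installs.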
2 changes: 2 additions & 0 deletions config/policy-webhook.yaml
Expand Up @@ -12,6 +12,8 @@
# See the License for the specific language governing permissions and
# limitations under the License.

---
---
apiVersion: apps/v1
kind: Deployment
metadata:
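Review bot: Two consecutive `---` at the top of this file produce an empty YAML document once it is appended to the kustomize output (and a third empty one follows the trailing `---` webhook.yaml now ends with); `kubectl apply` tolerates empty documents, but other YAML consumers may not, and one separator is all the concatenation needs. Keep a single `---` here, or better, have the Makefile emit the separator itself (`echo '---' >> $(COSIGNED_YAML)` before each `ko resolve`) so the manifests stay valid on their own and do not depend on how they are glued together; this assumes `ko resolve` passes a leading separator through unchanged, which is worth confirming.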
2 changes: 2 additions & 0 deletions config/webhook.yaml
Expand Up @@ -12,6 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.

---
apiVersion: apps/v1
kind: Deployment
metadata:
Expand Down Expand Up @@ -108,3 +109,4 @@ metadata:
# stringData:
# cosign.pub: |
# <PEM encoded public key>
---
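Review bot: The trailing `---` added at the end of this file, together with the leading `---` lines in policy-webhook.yaml, yields empty documents in the concatenated `$(COSIGNED_YAML)`; `kubectl apply` skips them, but a separator belongs on one side only. Since the Makefile is what concatenates these files, emitting `---` there before each `ko resolve` output would keep the manifests usable standalone and make the document boundaries explicit in a single place, so this trailing separator could then be dropped.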
8 changes: 4 additions & 4 deletions release/cloudbuild.yaml
Expand Up @@ -39,10 +39,10 @@ steps:
- TUF_ROOT=/tmp
args:
- 'verify'
- 'ghcr.io/gythialy/golang-cross:v1.17.8-0@sha256:b5b14c6a61099af5a69864f242766a0dca978d2aea97e311d051ee4f4b7d19ba'
- 'ghcr.io/gythialy/golang-cross:v1.17.8-1@sha256:38effe76e69a728f6c2e76b290c0d5e09fdff439926e3bbe7e69978c84c185f3'

# maybe we can build our own image and use that to be more in a safe side
- name: ghcr.io/gythialy/golang-cross:v1.17.8-0@sha256:b5b14c6a61099af5a69864f242766a0dca978d2aea97e311d051ee4f4b7d19ba
- name: ghcr.io/gythialy/golang-cross:v1.17.8-1@sha256:38effe76e69a728f6c2e76b290c0d5e09fdff439926e3bbe7e69978c84c185f3
entrypoint: /bin/sh
dir: "go/src/sigstore/cosign"
env:
Expand All @@ -65,7 +65,7 @@ steps:
gcloud auth configure-docker \
&& make release
- name: gcr.io/cloud-builders/docker
- name: ghcr.io/gythialy/golang-cross:v1.17.8-1@sha256:38effe76e69a728f6c2e76b290c0d5e09fdff439926e3bbe7e69978c84c185f3
entrypoint: 'bash'
dir: "go/src/sigstore/cosign"
env:
Expand Down Expand Up @@ -103,7 +103,7 @@ artifacts:
- "go/src/sigstore/cosign/cosign*.yaml"

options:
machineType: E2_HIGHCPU_8
machineType: E2_HIGHCPU_32

tags:
- cosign-release
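Review bot: The golang-cross digest is now spelled out three times in this file (once in the `cosign verify` step, twice as a step image) plus once in validate-release.yml, and nothing ties the verified reference to the executed ones; the `verify` step only protects the build while all copies agree, so a partial bump would silently run an unverified image. A Cloud Build substitution, e.g. `_GOLANG_CROSS_IMAGE: ghcr.io/gythialy/golang-cross:v1.17.8-1@sha256:38effe76e69a728f6c2e76b290c0d5e09fdff439926e3bbe7e69978c84c185f3` under `substitutions:` and `${_GOLANG_CROSS_IMAGE}` at all three sites, keeps verify and run on one reference. Replacing `gcr.io/cloud-builders/docker` with golang-cross for the later `bash` step also extends the trust placed in that third-party image to whatever that step does (its script is outside this hunk), which the existing "maybe we can build our own image" comment already flags; that widening deserves a mention in the commit message.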