Sign Flagger container images with cosign #983

Merged
merged 3 commits into from
Aug 25, 2021

Conversation

stefanprodan
Member

This PR adds container image signing to the release workflow. After the next release, users will be able to verify Flagger images using cosign and Kyverno, e.g.:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-flagger-image
  annotations:
    policies.kyverno.io/title: Verify Flagger Image
    policies.kyverno.io/category: Cosign
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.4.2
spec:
  validationFailureAction: enforce
  background: false
  rules:
    - name: verify-image
      match:
        resources:
          kinds:
            - Pod
      verifyImages:
      - image: "ghcr.io/fluxcd/flagger:*"
        key: |-
          -----BEGIN PUBLIC KEY-----
          MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEST+BqQ1XZhhVYx0YWQjdUJYIG5Lt
          iz2+UxRIqmKBqNmce2T+l45qyqOs99qfD7gLNGmkVZ4vtJ9bM7FxChFczg==
          -----END PUBLIC KEY-----
```

The cosign keys are stored in Git; the private key password is stored as a GitHub secret and in FluxCD 1Password.

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
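What the Kyverno policy above actually checks at admission time is easy to lose behind the YAML, so here is an added, stand-alone Go example (not Flagger's or Kyverno's code) of the cosign key-based verification flow: the signed statement is the "simple signing" JSON that binds an image reference to a manifest digest, the signature is ECDSA P-256 over SHA-256 of that JSON stored base64-encoded, and a verifier must check both that the signature is valid under the trusted `cosign.pub` and that the signed digest equals the digest of the image about to run. The `Payload` type, the function names, the `ghcr.io/fluxcd/flagger:example` tag and the `ab…`/`cd…` digests are constructed for this example; the public key constant is copied from the policy in the PR description. Registry access, the signature tag layout and Kyverno's glob matching are deliberately out of scope.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// FlaggerCosignPub is the public key from the Kyverno policy in the PR description.
const FlaggerCosignPub = `-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEST+BqQ1XZhhVYx0YWQjdUJYIG5Lt
iz2+UxRIqmKBqNmce2T+l45qyqOs99qfD7gLNGmkVZ4vtJ9bM7FxChFczg==
-----END PUBLIC KEY-----`

// Payload mirrors the "simple signing" JSON cosign signs: it binds an image
// reference to the manifest digest that was signed. (Type name is ours.)
type Payload struct {
	Critical struct {
		Identity struct {
			DockerReference string `json:"docker-reference"`
		} `json:"identity"`
		Image struct {
			DockerManifestDigest string `json:"docker-manifest-digest"`
		} `json:"image"`
		Type string `json:"type"`
	} `json:"critical"`
}

func newPayload(ref, digest string) Payload {
	var p Payload
	p.Critical.Identity.DockerReference = ref
	p.Critical.Image.DockerManifestDigest = digest
	p.Critical.Type = "cosign container image signature"
	return p
}

// generateKey creates a P-256 key pair, the curve `cosign generate-key-pair` uses.
func generateKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// parsePublicKeyPEM loads a cosign.pub file (PKIX PEM) as an ECDSA public key.
func parsePublicKeyPEM(s string) (*ecdsa.PublicKey, error) {
	block, _ := pem.Decode([]byte(s))
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("no PUBLIC KEY PEM block found")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := key.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("not an ECDSA public key")
	}
	return pub, nil
}

// signPayload returns the serialised payload and the base64 ASN.1 ECDSA
// signature over SHA-256(payload), as cosign stores them alongside the image.
func signPayload(priv *ecdsa.PrivateKey, p Payload) ([]byte, string, error) {
	body, err := json.Marshal(p)
	if err != nil {
		return nil, "", err
	}
	sum := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, sum[:])
	if err != nil {
		return nil, "", err
	}
	return body, base64.StdEncoding.EncodeToString(sig), nil
}

// verifyImage is the admission-time check: the signature must verify under the
// trusted key AND the digest inside the signed payload must be the digest that
// is about to run. Checking only the first would accept a valid signature
// replayed onto a different image.
func verifyImage(pub *ecdsa.PublicKey, digest string, body []byte, sigB64 string) error {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return fmt.Errorf("bad signature encoding: %w", err)
	}
	sum := sha256.Sum256(body)
	if !ecdsa.VerifyASN1(pub, sum[:], sig) {
		return errors.New("signature does not verify under the trusted key")
	}
	var p Payload
	if err := json.Unmarshal(body, &p); err != nil {
		return fmt.Errorf("bad payload: %w", err)
	}
	if p.Critical.Image.DockerManifestDigest != digest {
		return fmt.Errorf("signed digest %s != image digest %s", p.Critical.Image.DockerManifestDigest, digest)
	}
	return nil
}

func main() {
	priv, err := generateKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample reference and digest; not a real Flagger release.
	digest := "sha256:" + strings.Repeat("ab", 32)
	body, sig, _ := signPayload(priv, newPayload("ghcr.io/fluxcd/flagger:example", digest))
	fmt.Println("same digest:", verifyImage(&priv.PublicKey, digest, body, sig))
	fmt.Println("other digest:", verifyImage(&priv.PublicKey, "sha256:"+strings.Repeat("cd", 32), body, sig))
	if pub, err := parsePublicKeyPEM(FlaggerCosignPub); err != nil {
		fmt.Println("Flagger key:", err)
	} else {
		fmt.Println("Flagger key curve:", pub.Curve.Params().Name)
	}
}
```

The negative path is the one worth keeping in mind when reading the policy: a signature that verifies is not enough on its own, which is why the digest comparison sits inside the same function rather than being left to the caller.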
@stefanprodan stefanprodan added the kind/build Issues related to CI label Aug 24, 2021
@stefanprodan stefanprodan merged commit eb12e3b into main Aug 25, 2021
@stefanprodan stefanprodan deleted the cosign branch August 25, 2021 07:01