Try re-enabling container signing.

This commit is contained in:
James Pace 2023-08-08 19:35:42 -04:00
parent 880a5911b2
commit 6cdf86ec80
2 changed files with 25 additions and 3 deletions


@ -43,5 +43,7 @@ spec:
value: ./docker/Dockerfile value: ./docker/Dockerfile
- name: registry-login-secret-name - name: registry-login-secret-name
value: $(params.registry-login-secret-name) value: $(params.registry-login-secret-name)
- names: cosign-secret-name
value: container-signing-secret
taskRef: taskRef:
name: j7s-buildah name: j7s-buildah
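Review bot: The added parameter entry `- names: cosign-secret-name` uses the key `names` instead of `name`, so the entry is malformed as a params list item and the task's `$(params.cosign-secret-name)` reference in the other file would not be bound to `container-signing-secret`; change it to `- name: cosign-secret-name`. The surrounding entries (`registry-login-secret-name` just above, with `taskRef` following) show the expected `name`/`value` shape, so this looks like a typo rather than a different schema. The enclosing `params` list starts before this hunk.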


@ -16,6 +16,8 @@ spec:
description: Path of the Containerfile relative to source. description: Path of the Containerfile relative to source.
- name: registry-login-secret-name - name: registry-login-secret-name
description: Name of the secret containing the credentials to push to the registry. description: Name of the secret containing the credentials to push to the registry.
- name: cosign-secret-name
description: Name of the secret container the credentials for cosign.
workspaces: workspaces:
- name: source - name: source
steps: steps:
@ -26,14 +28,26 @@ spec:
set -x set -x
# Login # Login
buildah login --tls-verify=false --username=$USERNAME --password=$PASSWORD $(params.registry) buildah login --tls-verify=false --username=$USERNAME --password=$PASSWORD $(params.registry)
# Setup cosign.
cp /etc/cosign-credentials/* ~/.sigstore
cat <<EOF > ~/.sigstore/param-file.yaml
privateKeyFile: "$HOME/.sigstore/cosign.key"
privateKeyPassphraseFile: "$HOME/.sigstore/cosign.password"
EOF
mkdir -p /etc/containers/registries.d/
cat <<EOF > /etc/containers/registries.d/james-registry.yaml
docker:
$(params.registry):
use-sigstore-attachments: true
EOF
# Build # Build
buildah --storage-driver=overlay bud --tls-verify=false --no-cache \ buildah --storage-driver=overlay bud --tls-verify=false --no-cache \
-f $(params.containerfile) -t $(params.name):$(params.version) . -f $(params.containerfile) -t $(params.name):$(params.version) .
# Push # Push
skopeo copy --debug --dest-tls-verify=false \ skopeo copy --debug --dest-tls-verify=false --sign-by-sigstore=$HOME/.sigstore/param-file.yaml \
containers-storage:localhost/$(params.name):$(params.version) \ containers-storage:localhost/$(params.name):$(params.version) \
docker://$(params.registry)/$(params.name):$(params.version) docker://$(params.registry)/$(params.name):$(params.version)
skopeo copy --debug --dest-tls-verify=false \ skopeo copy --debug --dest-tls-verify=false --sign-by-sigstore=$HOME/.sigstore/param-file.yaml \
containers-storage:localhost/$(params.name):$(params.version) \ containers-storage:localhost/$(params.name):$(params.version) \
docker://$(params.registry)/$(params.name):latest docker://$(params.registry)/$(params.name):latest
env: env:
@ -50,8 +64,14 @@ spec:
volumeMounts: volumeMounts:
- name: varlibcontainers - name: varlibcontainers
mountPath: /var/lib/containers mountPath: /var/lib/containers
- name: cosign-credentials
mountPath: /etc/cosign-credentials
securityContext: securityContext:
privileged: true privileged: true
volumes: volumes:
- name: varlibcontainers - name: varlibcontainers
emptyDir: {} emptyDir: {}
volumes:
- name: cosign-credentials
secret:
secretName: $(params.cosign-secret-name)
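Review bot: The new `volumes:` key at the end of the last hunk sits alongside the existing `volumes:` list at the top of that same hunk (the one holding `varlibcontainers`); if both are at the same indentation — which the rendered view does not show — most YAML loaders keep only the last value for a duplicate key, silently dropping the `varlibcontainers` volume that the `volumeMounts` entry just above still references. The `cosign-credentials` entry should instead be appended to the existing list, i.e. `- name: cosign-credentials` / `secret:` / `secretName: $(params.cosign-secret-name)` placed under the first `volumes:`, and the second `volumes:` key removed. In the script hunk, `cp /etc/cosign-credentials/* ~/.sigstore` runs before anything creates `~/.sigstore`, so on a fresh container it fails (or, with a single source file, creates a regular file named `.sigstore`) and the following `cat <<EOF > ~/.sigstore/param-file.yaml` cannot succeed; add `mkdir -p -m 700 ~/.sigstore` before the `cp`, which also keeps the copied private key and passphrase readable only by the step's user. The description at `- name: cosign-secret-name` reads `secret container the credentials`; it should be `secret containing the credentials`. The step `script` continues outside the visible hunks.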