Merge branch 'feat/cosign-conteriner' into 'main'

feat: add cosign component

See merge request hegerdes/gitlab-actions!15

.gitlab-ci.yml

@@ -14,7 +14,10 @@ default:
 include:
   - local: .gitlab/ci/snippets.yml
   - local: .gitlab/ci/rules.yml
-  - component: $CI_SERVER_HOST/$CI_PROJECT_PATH/trivy-container-scan@$CI_COMMIT_SHA
+  - component: $CI_SERVER_HOST/$CI_PROJECT_PATH/pre-commit@$CI_COMMIT_SHA
+    inputs:
+      autofix: true
+      access_token: $PRE_COMMIT_ACCESS_TOKEN
   - component: $CI_SERVER_HOST/$CI_PROJECT_PATH/kaniko-build@$CI_COMMIT_SHA
     inputs:
       context: $CI_PROJECT_DIR/tests
@@ -25,25 +28,19 @@ include:
       context: $CI_PROJECT_DIR/tests
       dockerfile: $CI_PROJECT_DIR/tests/Dockerfile
   - component: $CI_SERVER_HOST/$CI_PROJECT_PATH/container-manifest-merge@$CI_COMMIT_SHA
-    inputs:
-      stage: package
-      image_tags:
-        - $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
-  - component: $CI_SERVER_HOST/$CI_PROJECT_PATH/pre-commit@$CI_COMMIT_SHA
-    inputs:
-      autofix: true
-      access_token: $PRE_COMMIT_ACCESS_TOKEN
+  - component: $CI_SERVER_HOST/$CI_PROJECT_PATH/trivy-container-scan@$CI_COMMIT_SHA
+  - component: $CI_SERVER_HOST/$CI_PROJECT_PATH/cosign-container@$CI_COMMIT_SHA
   - component: $CI_SERVER_HOST/$CI_PROJECT_PATH/helm-package@$CI_COMMIT_SHA
     inputs:
       chart: tests/charts/demo
   - component: $CI_SERVER_HOST/$CI_PROJECT_PATH/helm-install@$CI_COMMIT_SHA
     inputs:
       release_name: nginx-ingress
-      helm_extra_args: --atomic --wait --create-namespace --namespace test --dry-run --kube-apiserver https://kubernetes:6443 --kube-token $KUBE_TOKEN --kube-insecure-skip-tls-verify
+      helm_extra_args: --create-namespace --namespace ci-test --kube-apiserver https://kubernetes:6443 --kube-token $KUBE_TOKEN --kube-insecure-skip-tls-verify
       chart: tests/charts/demo
-  # Alternative:
-  # chart: ingress-nginx
-  # repo: https://kubernetes.github.io/ingress-nginx/
+      # # Alternative:
+      # chart: ingress-nginx
+      # repo: https://kubernetes.github.io/ingress-nginx/
 
 # The above is all you need. But for testing the pipelines are run for amd64 and arm64.
 # So we override the jobs to use a matrix build. Again not needed by default.
@@ -53,6 +50,13 @@ variables:
   GL_K8S_CONTEXT: gitlab-ci
   GL_K8S_AGENT_ID: 1103496
 
+pre-commit:
+  tags: [$RUNNER]
+  parallel:
+    matrix:
+      - RUNNER: saas-linux-small-amd64
+      - RUNNER: hegerdes-linux-arm64
+
 snippets:
   image: $IMAGE
   tags: [$RUNNER]
@@ -94,13 +98,6 @@ snippets:
     - !reference [.rules, default-branch-only-rules]
     - !reference [.rules, default-merge-rules]
 
-pre-commit:
-  tags: [$RUNNER]
-  parallel:
-    matrix:
-      - RUNNER: saas-linux-small-amd64
-      - RUNNER: hegerdes-linux-arm64
-
 BUILDAH:build:
   tags: [$RUNNER]
   # Multiple pushes may cause race condition. Retry twice
@@ -131,6 +128,13 @@ TRIVY:container-scan:
       - RUNNER: saas-linux-small-amd64
       - RUNNER: hegerdes-linux-arm64
 
+COSIGN:container-sign:
+  tags: [$RUNNER]
+  parallel:
+    matrix:
+      - RUNNER: saas-linux-small-amd64
+      - RUNNER: hegerdes-linux-arm64
+
 merge-image-manifests:
   tags: [$RUNNER]
   parallel:

README.md

@@ -7,10 +7,11 @@ This repo contains a collection of different [GitLab CI/CD Components](https://a
 Currently supported components are:
  * [Code Quality: pre-commit](https://gitlab.com/hegerdes/gitlab-actions/-/tree/main/templates/pre-commit.md)
  * [Build: Helm package](https://gitlab.com/hegerdes/gitlab-actions/-/tree/main/templates/helm-package.md)
- * [Security: Trivy container scan](https://gitlab.com/hegerdes/gitlab-actions/-/tree/main/templates/trivy-container-scan.md)
  * [Container Build: Kaniko](https://gitlab.com/hegerdes/gitlab-actions/-/tree/main/templates/kaniko-build.md)
  * [Container Build: Buildah](https://gitlab.com/hegerdes/gitlab-actions/-/tree/main/templates/buildash-build.md)
  * [Container Build: Merge-Manifests](https://gitlab.com/hegerdes/gitlab-actions/-/tree/main/templates/container-manifest-merge.md)
+ * [Security: Trivy container scan](https://gitlab.com/hegerdes/gitlab-actions/-/tree/main/templates/trivy-container-scan.md)
+ * [Security: Cosign container sign](https://gitlab.com/hegerdes/gitlab-actions/-/tree/main/templates/cosign-container.md)
  * [Deployment: Helm install/upgrade](https://gitlab.com/hegerdes/gitlab-actions/-/tree/main/templates/helm-install.md)
 
 Currently supported snippets are:

templates/container-manifest-merge.md

@@ -1,4 +1,4 @@
-## Container Build: Merge-Manifests
+# Container Build: Merge-Manifests
 
 ### Usage
 

templates/cosign-container.md

@@ -0,0 +1,35 @@
+# Security: Cosign Container Sign
+
+### Usage
+
+Use this component to sign container images with [cosign](https://www.sigstore.dev/) project to allow safe image operations. It uses the sigstore project and by default uses keyless-signing using the identity if the gitlab CI job. In the future you may also pass keys to the component to sign with traditional public/private keys.
+You should add this component to an existing `.gitlab-ci.yml` file by using the `include:`
+keyword.
+
+```yaml
+include:
+  - component: gitlab.com/hegerdes/gitlab-actions/cosign-container@<VERSION>
+```
+
+where `<VERSION>` is the latest released tag or `main`. This will add a `COSIGN:container-sign` job to the pipeline.  
+*NOTE:* By default the latest version of cosign is used. For a more predictable outcome you should pin the version to a specific tag via the `image` input.
+
+You can customize the template settings.
+### Inputs
+
+| Input        | Default value                              | Description                                                                  |
+| ------------ | ------------------------------------------ | ---------------------------------------------------------------------------- |
+| `as_job`     | COSIGN:container-sign`                     | The name of the job that gets imported. Use ".my_job" to include as template |
+| `stage`      | `package`                                  | The stage where you want the job to be added                                 |
+| `image`      | `chainguard/cosign:latest`                 | The Docker image of kaniko                                                   |
+| `image_tags` | [`$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG`] | Array of the image tags manifests to push.                                   |
+| `extra_args` | ``                                         | Extra args passed to cosign.                                                 |
+| `rules`      | *Default MR rules + Tags*                  | The rules when the job runs                                                  |
+
+### Variables
+
+| Variable                   | Description                                                        |
+| -------------------------- | ------------------------------------------------------------------ |
+| `COSIGN_REGISTRY_USERNAME` | The container registry username. Default is `CI_REGISTRY_USER`     |
+| `COSIGN_REGISTRY_PASSWORD` | The container registry username. Default is `CI_REGISTRY_PASSWORD` |
+| `DOCKER_AUTH_CONFIG`       | Docker Auth Config. Tool wil try to extract token from there.      |

templates/cosign-container.yml

@@ -0,0 +1,67 @@
+spec:
+  inputs:
+    as_job:
+      type: string
+      default: COSIGN:container-sign
+    stage:
+      type: string
+      default: package
+    image:
+      type: string
+      default: chainguard/cosign:latest
+    image_tags:
+      type: array
+      default:
+        - "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG"
+    extra_args:
+      type: string
+      default: ""
+    rules:
+      type: array
+      default:
+        # Add the job to merge request pipelines if there's an open merge request.
+        - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+        # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
+        - if: $CI_OPEN_MERGE_REQUESTS
+          when: never
+        # Add the job to main branch pipelines.
+        - if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH
+        - if: $CI_COMMIT_TAG
+---
+$[[ inputs.as_job ]]:
+  stage: $[[ inputs.stage ]]
+  image:
+    name: "$[[ inputs.image ]]"
+    entrypoint: [""]
+  variables:
+    COSIGN_YES: "true"
+    COSIGN_EXTRA_ARGS: $[[ inputs.extra_args ]]
+  id_tokens:
+    SIGSTORE_ID_TOKEN:
+      aud: sigstore
+  script:
+    - cosign version
+    - |
+      # Signing images...
+      export IMAGE_TAGS="$[[ inputs.image_tags ]]"
+      IMAGE_TAGS="${IMAGE_TAGS#[}"
+      IMAGE_TAGS="${IMAGE_TAGS%]}"
+
+      if [ -z ${COSIGN_REGISTRY_USERNAME+x} ]; then
+        export COSIGN_REGISTRY_USERNAME=$CI_REGISTRY_USER
+      fi
+      if [ -z ${COSIGN_REGISTRY_PASSWORD+x} ]; then
+        export COSIGN_REGISTRY_PASSWORD=$CI_REGISTRY_PASSWORD
+      fi
+
+      # Read the cleaned-up string into an array, splitting by commas
+      IFS=","
+      for IMAGE_TAG in ${IMAGE_TAGS}; do
+          # Ensure to strip any whitespace and send a curl request to each URL
+          echo "Signing image ${IMAGE_TAG}"
+          cosign sign --recursive $COSIGN_EXTRA_ARGS \
+            --registry-password=$COSIGN_REGISTRY_PASSWORD \
+            --registry-username=$COSIGN_REGISTRY_USERNAME \
+            $IMAGE_TAG
+      done
+  rules: $[[ inputs.rules ]]

templates/helm-install.md

@@ -1,5 +1,4 @@
-
-## Deployment: Helm install
+# Deployment: Helm install
 
 ### Usage
 

templates/helm-package.md

@@ -1,4 +1,4 @@
-# GitLab CI/CD Components: helm-deploy
+# Build: Helm package
 
 ## Usage
 

templates/kaniko-build.md

@@ -1,5 +1,4 @@
-
-## Container Build: Kaniko
+# Container Build: Kaniko
 
 ### Usage
 

templates/pre-commit.md

@@ -1,4 +1,4 @@
-## Code Quality: pre-commit
+# Code Quality: pre-commit
 
 ### Usage
 

templates/trivy-container-scan.md

@@ -1,4 +1,4 @@
-# GitLab CI/CD Components: trivy-scan
+# Security: Trivy container scan
 
 ## Usage