This repository has been archived by the owner on Jul 28, 2023. It is now read-only.
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #58 from toshiyamamoto/51-ImageSigningOperator
Initial sample image signing operator
Showing 31 changed files with 2,526 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,77 @@ | ||
# Temporary Build Files | ||
build/_output | ||
build/_test | ||
# Created by https://www.gitignore.io/api/go,vim,emacs,visualstudiocode | ||
### Emacs ### | ||
# -*- mode: gitignore; -*- | ||
*~ | ||
\#*\# | ||
/.emacs.desktop | ||
/.emacs.desktop.lock | ||
*.elc | ||
auto-save-list | ||
tramp | ||
.\#* | ||
# Org-mode | ||
.org-id-locations | ||
*_archive | ||
# flymake-mode | ||
*_flymake.* | ||
# eshell files | ||
/eshell/history | ||
/eshell/lastdir | ||
# elpa packages | ||
/elpa/ | ||
# reftex files | ||
*.rel | ||
# AUCTeX auto folder | ||
/auto/ | ||
# cask packages | ||
.cask/ | ||
dist/ | ||
# Flycheck | ||
flycheck_*.el | ||
# server auth directory | ||
/server/ | ||
# projectiles files | ||
.projectile | ||
projectile-bookmarks.eld | ||
# directory configuration | ||
.dir-locals.el | ||
# saveplace | ||
places | ||
# url cache | ||
url/cache/ | ||
# cedet | ||
ede-projects.el | ||
# smex | ||
smex-items | ||
# company-statistics | ||
company-statistics-cache.el | ||
# anaconda-mode | ||
anaconda-mode/ | ||
### Go ### | ||
# Binaries for programs and plugins | ||
*.exe | ||
*.exe~ | ||
*.dll | ||
*.so | ||
*.dylib | ||
# Test binary, build with 'go test -c' | ||
*.test | ||
# Output of the go coverage tool, specifically when used with LiteIDE | ||
*.out | ||
### Vim ### | ||
# swap | ||
.sw[a-p] | ||
.*.sw[a-p] | ||
# session | ||
Session.vim | ||
# temporary | ||
.netrwhist | ||
# auto-generated tag files | ||
tags | ||
### VisualStudioCode ### | ||
.vscode/* | ||
.history | ||
# End of https://www.gitignore.io/api/go,vim,emacs,visualstudiocode |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
# The Docker image in format repository:tag. Repository may contain a remote reference. | ||
# Override in order to customize | ||
IMAGE ?= imagesigning-operator:latest | ||
REPO ?= SET_YOUR_REPOSITORY | ||
ifneq "$(REPO)" "SET_YOUR_REPOSITORY" | ||
IMAGE =${REPO}/imagesigning-operator:v0.1.0 | ||
endif | ||
|
||
# Current release (used for CSV management) | ||
|
||
.PHONY: build deploy build-image push-image undeploy | ||
|
||
build: generate | ||
GO111MODULE=on go install ./cmd/manager | ||
|
||
build-image: generate | ||
operator-sdk build ${IMAGE} | ||
|
||
push-image: | ||
ifneq "$(IMAGE)" "imagesigning-operator:latest" | ||
docker push $(IMAGE) | ||
endif | ||
|
||
test: | ||
GO111MODULE=on go test ./cmd/... ./pkg/... | ||
|
||
format: | ||
GO111MODULE=on go fmt ./cmd/... ./pkg/... | ||
|
||
generate: | ||
GO111MODULE=on operator-sdk generate k8s | ||
GO111MODULE=on operator-sdk generate openapi | ||
|
||
deploy: | ||
|
||
ifneq "$(IMAGE)" "imagesigning-operator:latest" | ||
cp deploy/operator.yaml deploy/operator.yaml.bak || true | ||
sed -i 's|REPLACE_IMAGE|$(IMAGE)|g' deploy/operator.yaml | ||
oc create namespace kabanero || true | ||
oc apply -f deploy/crds/security.kabanero.io_imagesignings_crd.yaml | ||
oc apply -f deploy/ -n kabanero | ||
endif | ||
|
||
undeploy: | ||
oc delete -f deploy/ -n kabanero || true | ||
oc delete -f deploy/crds/security.kabanero.io_imagesignings_crd.yaml | ||
cp deploy/operator.yaml.bak deploy/operator.yaml |
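Review bot: the `deploy` target rewrites `deploy/operator.yaml` in place (`sed -i 's|REPLACE_IMAGE|$(IMAGE)|g' deploy/operator.yaml`) after copying it to `deploy/operator.yaml.bak`, so a second `make deploy` overwrites the backup with the already-substituted file and the `REPLACE_IMAGE` placeholder is lost; `undeploy` then restores a file that no longer contains it, and its `cp deploy/operator.yaml.bak deploy/operator.yaml` fails outright if no backup was ever made. Render into a generated file instead, e.g. `sed 's|REPLACE_IMAGE|$(IMAGE)|g' deploy/operator.yaml > build/_output/operator.yaml` and `oc apply -f` that file, which removes the need for the backup and the restore step. Two smaller points: when `IMAGE` is still the default `imagesigning-operator:latest`, both `push-image` and `deploy` silently do nothing because the `ifneq` body is skipped, so an `else` branch whose recipe prints "set REPO or IMAGE" and exits non-zero would save users a confusing no-op; and `.PHONY` should also list `test`, `format` and `generate`, none of which produce a file of that name.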
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,174 @@ | ||
# Sample image signing operator | ||
The kabanero-security image signing operator is a sample operator for image signing which is capable to generate or import a keypair for image signing and create a secret resource which the image signing task consumes in the Kabanero pipeline. | ||
|
||
# About image signing operator | ||
|
||
The image signing operator is for automating various configurations which are required enabling the image signing by the Tekton pipeline in Kabanero. | ||
The current code does following: | ||
- Generate or import RSA keypair for the image signing based on the values of ImageSigning custom resource instance. | ||
- Create the signature-secret-key secret resource from the RSA keypair. This secret is consumed by the image signing task of Tekton pipeline. | ||
- When the ImageSignig custom resource is deleted, the corresponding signature-secret-key resource is also deleted. | ||
- If the generated signature-secret-key resource is deleted, the same secret will be created by the image signing operator. | ||
|
||
# Build and install the image signing operator | ||
|
||
## Prerequisite | ||
|
||
The image signing operator is developed using Operator SDK version 0.11.0. | ||
|
||
In order to build and deploy the operator, the following prerequisite packages need to be installed: | ||
- go version 1.13 or later | ||
- Operator SDK version 0.11.0 | ||
- Openshift Container Platform 4.2 CLI | ||
|
||
## Building the sample operator | ||
|
||
### Clone the image signing operator | ||
|
||
``` | ||
git clone https://github.com/kabanero-io/kabanero-security/pipelines/samples/signing-operator | ||
cd signing-operator | ||
``` | ||
|
||
You will need to examine the Makefile and set any necessary variables to push your container images to the correct repository. Especially, make sure that the variable of REPO is pointing to the correct repository, otherwise, the image will not be pushed. | ||
|
||
### Login to OCP | ||
(example) | ||
``` | ||
oc login -u admin -p admin https://openshift.my.com:8443/ | ||
``` | ||
|
||
### Build image and push the image to the specified image repository | ||
|
||
``` | ||
make build-image | ||
make push-image | ||
``` | ||
|
||
### Deploy the operator and sets required resources. | ||
|
||
``` | ||
make deploy | ||
``` | ||
|
||
Make sure that the image signing operator is running. | ||
|
||
``` | ||
oc get pods -n kabanero | ||
``` | ||
(example command output) | ||
``` | ||
[admin@openshift signing-operator]# oc get pods -n kabanero | ||
NAME READY STATUS RESTARTS AGE | ||
signing-operator-77b489cf7f-n4d9z 1/1 Running 0 49s | ||
``` | ||
|
||
### Create a image signing custom resource instance for generating a keypair. | ||
|
||
If you have installed the image signing sample, please delete existing signature-secret-key secret, because the image signing operator will not create a secret if it already exists. To delete the secret, run | ||
``` | ||
oc delete secret/signature-secret-key -n kabanero | ||
``` | ||
If the image signing sample has not been installed, install it by using | ||
kabanero-security/pipelines/samples/signing/create-resources-for-signing-operator-4.sh | ||
This script is the same as the original script which configures image signing sample pipeline, but it skips generating a keypair. Make sure that the file is modified to set required parameters for your environment prior to running it. | ||
|
||
Modify signing-operator/deploy/crds/security.kabanero.io_v1alpha1_imagesigning_generate_sample_cr.yaml to configure the identity of the keypair. | ||
(example) | ||
``` | ||
apiVersion: security.kabanero.io/v1alpha1 | ||
kind: ImageSigning | ||
metadata: | ||
name: default | ||
spec: | ||
identity: | ||
name: ImageSigning | ||
email: security@example.com | ||
``` | ||
|
||
If there is existing keypair which you want to use for image signing, place armored secret (private) key and public key to the image signing custom resource. Refer to the example of signing-operator/deploy/crds/security.kabanero.io_v1alpha1_imagesigning_import_sample_cr.yaml | ||
(example) | ||
``` | ||
apiVersion: security.kabanero.io/v1alpha1 | ||
kind: ImageSigning | ||
metadata: | ||
name: default | ||
spec: | ||
keypair: | ||
secretKey: |- | ||
-----BEGIN PGP PRIVATE KEY BLOCK----- | ||
xcLYBF4pvTUBCACjpPW2rx20Dzd4i/6CBxc6csvk328dfp8WdR4b21lX5vRIoEN6 | ||
lJLMU6+Z6faCpqGF8p2S2sl8AyigqbCJXE2U194INxCHuAR6VrnFASQATVyqfURA | ||
AtU33lWrEXFnzpEJuEyZ6VdTUsp0mECbJoA+YkgW3h48Ed11gRQs4biGtb7ZP1F0 | ||
taRx6/eB0DdarPpbO8e/pWyp9Afi8gqkC86ZcXMSz5LEaifIdBW/qrPvOYRI6e5m | ||
sgwzPz7Cezqyz/hTnjZhDXFd+3bBxSG8q6T9raC7Qt0TSW6N9BVpgIcmIiLApEvE | ||
s5ibuptev842ypG9KreiyPSORRY+GGshuMJ1ABEBAAEAB/9T/u0cawA9Fv5rAriN | ||
N2SF3LypasJXClJQLadZtxpB00saKCDav34mIOJmhz+/yhXociLNaT24SMrGxLLX | ||
nqg3uSG/Z7w1XY/216Mc6rv2576jyA6LKKkWtymT2C00kkPCEHZJHgtzunAurqOi | ||
v31eCAZmrnYocScSFEIt02JqyfaMTbnPhE3A71Nj/ZaTBbJmSgsLUeXlc1tSv1fG | ||
ZwgbdswdTdmwMY2DjOGn0gqH5sgyPe8wwh/sNw3m/IKvxzqMWGteXmBWl5gRQ6Xn | ||
mTupCz3Ldeks74aeX3vSvwIS5S91hjSVLXO9Bn49UCMMDK3GVGlNAGfLSm0yfvm4 | ||
nHOBBADYeK4YhPXcQ/G/qgAlWdQ3jk0Hw51t5yOqprW51atWzQ0LjJ5FBWHxO1G6 | ||
hOToO47XPmEejWJtbFX3kbvnZrzH6stAoibpFQ58tkb78n28ewpzktdzif5PWAAt | ||
QRDiJ25U0G9fvYADKojfbwMm/mnUwVCP7/jNth52gRD9RuKaVQQAwYbKknYTf/bm | ||
1RsOicx0uLG6965O/Tx94PmUjVb5WnEpY/BiwzWkntVSWjg9oY6QhNYRkG18sqzU | ||
yl4MPoq7Ac7JNLD/pARINehtU+fhhcX1RtBuubf8AH001+SnOSivmdVYYI2FgiOX | ||
VgmEeMvnauJ+VzS2zb0YSkySUk0n56EEAISwSw2xxAGxqKU/06jkj8KTCsqr/vF/ | ||
BvJWba14ug+VN2nwnWgnskL7cPJWUbx4k+MR9o7rnm4mcdS1cSXG5HuargdiS0L/ | ||
w+QXZL1ZbxIz0LPJ+hgwKgRM2ZeIFqAa9D7FuETjmVnitG9XP6hjs99uNT2DB3Ci | ||
/vpbHi5KSPxXQ4bNI0ltYWdlU2lnbmluZyA8c2VjdXJpdHlAZXhhbXBsZS5jb20+ | ||
wsBiBBMBCAAWBQJeKb01CRC2CeQNsEvIwQIbAwIZAQAArOgIACg/OMgZcDCjHH7L | ||
o1kVl/ti+EjwUSVXKV1nDF5hOvc4WqDMkUaudCmQaqlNA5qLA5kcR98xh4m+eP72 | ||
52zsXchgrRbssHyW6x275GwEGdm/oVb3WpWAOU8gxrkHSm0+PUs75G0Tzsl42XpW | ||
nhLhxxrBCPn1IN6xuQwHECQZHAMxQgKE/QhziOsetUfVPebAKUE9mlRIxCiZUIhk | ||
mKDgA/YmrRys27pp/RnwLa6jOduynETWhLvCyyP7Y1TPX9vDn/LLL4l8OkA6I1xy | ||
QzMIAfMzovHcPVfmnXYtzYvJly0E6ZOb4u5oW8sFiW3bDz8Vwf+vvxIqFg5gnXU0 | ||
SXXClok= | ||
=MVTl | ||
-----END PGP PRIVATE KEY BLOCK----- | ||
publicKey: |- | ||
-----BEGIN PGP PUBLIC KEY BLOCK----- | ||
xsBNBF4pvTUBCACjpPW2rx20Dzd4i/6CBxc6csvk328dfp8WdR4b21lX5vRIoEN6 | ||
lJLMU6+Z6faCpqGF8p2S2sl8AyigqbCJXE2U194INxCHuAR6VrnFASQATVyqfURA | ||
AtU33lWrEXFnzpEJuEyZ6VdTUsp0mECbJoA+YkgW3h48Ed11gRQs4biGtb7ZP1F0 | ||
taRx6/eB0DdarPpbO8e/pWyp9Afi8gqkC86ZcXMSz5LEaifIdBW/qrPvOYRI6e5m | ||
sgwzPz7Cezqyz/hTnjZhDXFd+3bBxSG8q6T9raC7Qt0TSW6N9BVpgIcmIiLApEvE | ||
s5ibuptev842ypG9KreiyPSORRY+GGshuMJ1ABEBAAHNI0ltYWdlU2lnbmluZyA8 | ||
c2VjdXJpdHlAZXhhbXBsZS5jb20+wsBiBBMBCAAWBQJeKb01CRC2CeQNsEvIwQIb | ||
AwIZAQAArOgIACg/OMgZcDCjHH7Lo1kVl/ti+EjwUSVXKV1nDF5hOvc4WqDMkUau | ||
dCmQaqlNA5qLA5kcR98xh4m+eP7252zsXchgrRbssHyW6x275GwEGdm/oVb3WpWA | ||
OU8gxrkHSm0+PUs75G0Tzsl42XpWnhLhxxrBCPn1IN6xuQwHECQZHAMxQgKE/Qhz | ||
iOsetUfVPebAKUE9mlRIxCiZUIhkmKDgA/YmrRys27pp/RnwLa6jOduynETWhLvC | ||
yyP7Y1TPX9vDn/LLL4l8OkA6I1xyQzMIAfMzovHcPVfmnXYtzYvJly0E6ZOb4u5o | ||
W8sFiW3bDz8Vwf+vvxIqFg5gnXU0SXXClok= | ||
=D/n0 | ||
-----END PGP PUBLIC KEY BLOCK----- | ||
``` | ||
After modifying the file, create the resource | ||
|
||
(example) | ||
``` | ||
oc apply -f deploy/crds/security.kabanero.io_v1alpha1_imagesigning_generate_sample_cr.yaml | ||
``` | ||
|
||
### Verify a secret is generated. | ||
|
||
To verify that the secret run the following command. | ||
``` | ||
oc get secret signature-secret-key -n kabanero | ||
``` | ||
(example output) | ||
``` | ||
[admin@openshift signing-operator]# oc get secret signature-secret-key -n kabanero | ||
NAME TYPE DATA AGE | ||
signature-secret-key Opaque 1 4m6s | ||
``` | ||
|
||
## Uninstall the image signing operator and it's resources | ||
|
||
``` | ||
make undeploy | ||
``` | ||
|
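Review bot: the import example under `keypair.secretKey` embeds a complete `-----BEGIN PGP PRIVATE KEY BLOCK-----` in the documentation, so a reader who applies the sample unchanged ends up signing images with a key whose private half is published in this repository; replace the body of both blocks with a placeholder such as `<paste your armored key here>` and keep only the header and footer lines, and treat the key shown here as unusable for anything real. The clone step is also wrong: `git clone https://github.com/kabanero-io/kabanero-security/pipelines/samples/signing-operator` points at a path inside the repository, which git cannot clone, so it should read `git clone https://github.com/kabanero-io/kabanero-security` followed by `cd kabanero-security/pipelines/samples/signing-operator`. Typos to fix while here: "capable to generate" (capable of generating), "ImageSignig" (ImageSigning), "Create a image" (Create an image), "To verify that the secret run" (To verify that the secret exists, run), and "it's resources" (its resources).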
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
FROM registry.access.redhat.com/ubi8/ubi-minimal:latest | ||
|
||
ENV OPERATOR=/usr/local/bin/signing-operator \ | ||
USER_UID=1001 \ | ||
USER_NAME=signing-operator | ||
|
||
# install operator binary | ||
COPY build/_output/bin/signing-operator ${OPERATOR} | ||
|
||
COPY build/bin /usr/local/bin | ||
RUN /usr/local/bin/user_setup | ||
|
||
ENTRYPOINT ["/usr/local/bin/entrypoint"] | ||
|
||
USER ${USER_UID} |
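Review bot: `FROM registry.access.redhat.com/ubi8/ubi-minimal:latest` pins neither a version nor a digest, so two builds of the same commit can pull different base images and there is no record of which base shipped in a given operator image; pin at least a versioned tag and preferably a digest (`ubi-minimal:<version>@sha256:<digest>`) and bump it deliberately. The `COPY build/_output/bin/signing-operator ${OPERATOR}` line assumes `operator-sdk build` has already produced that binary, which is worth a comment above the `COPY` since a plain `docker build` of this file fails otherwise. `USER ${USER_UID}` with a numeric UID is correct for OpenShift's non-root check and should stay as it is.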
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
#!/bin/sh -e | ||
|
||
# This is documented here: | ||
# https://docs.openshift.com/container-platform/3.11/creating_images/guidelines.html#openshift-specific-guidelines | ||
|
||
if ! whoami &>/dev/null; then | ||
if [ -w /etc/passwd ]; then | ||
echo "${USER_NAME:-signing-operator}:x:$(id -u):$(id -g):${USER_NAME:-signing-operator} user:${HOME}:/sbin/nologin" >> /etc/passwd | ||
fi | ||
fi | ||
|
||
exec ${OPERATOR} $@ |
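Review bot: `whoami &>/dev/null` under a `#!/bin/sh` shebang is a portability bug: `&>` is a bash extension, and a POSIX `sh` parses it as `whoami &` (backgrounded, output to stdout) followed by a bare `>/dev/null` redirection whose status is always 0, so the `if` branch runs unconditionally and appends a `/etc/passwd` entry even when the UID already resolves. On this UBI base `/bin/sh` happens to be bash, so it works today, but write it as `if ! whoami >/dev/null 2>&1; then` so the script does not depend on that. Also quote the last line as `exec "${OPERATOR}" "$@"` so arguments containing spaces reach the operator intact, and fail early with a message if `OPERATOR` is unset rather than letting `exec` run an empty command.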
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
#!/bin/sh | ||
set -x | ||
|
||
# ensure $HOME exists and is accessible by group 0 (we don't know what the runtime UID will be) | ||
mkdir -p ${HOME} | ||
chown ${USER_UID}:0 ${HOME} | ||
chmod ug+rwx ${HOME} | ||
|
||
# runtime user will need to be able to self-insert in /etc/passwd | ||
chmod g+rw /etc/passwd | ||
|
||
# no need for this script to remain in the image after running | ||
rm $0 |
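Review bot: the script sets `set -x` but not `set -e`, so if `chown ${USER_UID}:0 ${HOME}` or `chmod g+rw /etc/passwd` fails, the `RUN /usr/local/bin/user_setup` layer still succeeds and the problem only surfaces at runtime as an entrypoint that cannot write `/etc/passwd`; change the first line to `set -ex`. `${HOME}` is also never defined in the Dockerfile's `ENV` block (only `OPERATOR`, `USER_UID` and `USER_NAME` are), so the directory that `mkdir -p ${HOME}` creates and chowns at build time is whatever the base image's root user has, which need not match what the runtime UID sees; set `HOME` explicitly alongside the other variables. `chmod g+rw /etc/passwd` is the standard OpenShift arbitrary-UID pattern that lets the entrypoint self-register, but it deserves a comment stating the trade-off: any process in the container running with GID 0 can then append accounts to `/etc/passwd`.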