
Merge pull request #58 from toshiyamamoto/51-ImageSigningOperator
Initial sample image signing operator
toshiyamamoto authored Feb 5, 2020
2 parents b2b916f + 33220b2 commit e3822fa
Showing 31 changed files with 2,526 additions and 0 deletions.
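--- a/pipelines/samples/signing-operator/.gitignore
+++ b/pipelines/samples/signing-operator/.gitignore
@@ -0,0 +1,77 @@
+# Temporary Build Files
+build/_output
+build/_test
+# Created by https://www.gitignore.io/api/go,vim,emacs,visualstudiocode
+### Emacs ###
+# -*- mode: gitignore; -*-
+*~
+\#*\#
+/.emacs.desktop
+/.emacs.desktop.lock
+*.elc
+auto-save-list
+tramp
+.\#*
+# Org-mode
+.org-id-locations
+*_archive
+# flymake-mode
+*_flymake.*
+# eshell files
+/eshell/history
+/eshell/lastdir
+# elpa packages
+/elpa/
+# reftex files
+*.rel
+# AUCTeX auto folder
+/auto/
+# cask packages
+.cask/
+dist/
+# Flycheck
+flycheck_*.el
+# server auth directory
+/server/
+# projectiles files
+.projectile
+projectile-bookmarks.eld
+# directory configuration
+.dir-locals.el
+# saveplace
+places
+# url cache
+url/cache/
+# cedet
+ede-projects.el
+# smex
+smex-items
+# company-statistics
+company-statistics-cache.el
+# anaconda-mode
+anaconda-mode/
+### Go ###
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+# Test binary, build with 'go test -c'
+*.test
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+### Vim ###
+# swap
+.sw[a-p]
+.*.sw[a-p]
+# session
+Session.vim
+# temporary
+.netrwhist
+# auto-generated tag files
+tags
+### VisualStudioCode ###
+.vscode/*
+.history
+# End of https://www.gitignore.io/api/go,vim,emacs,visualstudiocode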
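--- a/pipelines/samples/signing-operator/Makefile
+++ b/pipelines/samples/signing-operator/Makefile
@@ -0,0 +1,47 @@
+# The Docker image in format repository:tag. Repository may contain a remote reference.
+# Override in order to customize
+IMAGE ?= imagesigning-operator:latest
+REPO ?= SET_YOUR_REPOSITORY
+ifneq "$(REPO)" "SET_YOUR_REPOSITORY"
+IMAGE =${REPO}/imagesigning-operator:v0.1.0
+endif
+
+# Current release (used for CSV management)
+
+.PHONY: build deploy build-image push-image undeploy
+
+build: generate
+GO111MODULE=on go install ./cmd/manager
+
+build-image: generate
+operator-sdk build ${IMAGE}
+
+push-image:
+ifneq "$(IMAGE)" "imagesigning-operator:latest"
+docker push $(IMAGE)
+endif
+
+test:
+GO111MODULE=on go test ./cmd/... ./pkg/...
+
+format:
+GO111MODULE=on go fmt ./cmd/... ./pkg/...
+
+generate:
+GO111MODULE=on operator-sdk generate k8s
+GO111MODULE=on operator-sdk generate openapi
+
+deploy:
+
+ifneq "$(IMAGE)" "imagesigning-operator:latest"
+cp deploy/operator.yaml deploy/operator.yaml.bak || true
+sed -i 's|REPLACE_IMAGE|$(IMAGE)|g' deploy/operator.yaml
+oc create namespace kabanero || true
+oc apply -f deploy/crds/security.kabanero.io_imagesignings_crd.yaml
+oc apply -f deploy/ -n kabanero
+endif
+
+undeploy:
+oc delete -f deploy/ -n kabanero || true
+oc delete -f deploy/crds/security.kabanero.io_imagesignings_crd.yaml
+cp deploy/operator.yaml.bak deploy/operator.yaml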
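Review bot: The first line of the `deploy` recipe, `cp deploy/operator.yaml deploy/operator.yaml.bak || true`, runs on every invocation, so a second `make deploy` overwrites the backup with the already-substituted manifest, `undeploy` then restores a file with the image baked in, and the `|| true` also hides a failed copy. Guarding it with `test -e deploy/operator.yaml.bak || cp deploy/operator.yaml deploy/operator.yaml.bak` keeps the pristine copy across runs. `test`, `format` and `generate` are missing from the `.PHONY` list, and when `IMAGE` is left at its default both `push-image` and `deploy` silently do nothing — an `else` branch with `$(error REPO is not set; see the comment at the top of this Makefile)` would make that visible. The recipe lines show no leading tab in this rendering; that is presumably a display artefact, but worth confirming in the checked-in file.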
174 changes: 174 additions & 0 deletions pipelines/samples/signing-operator/README.md
@@ -0,0 +1,174 @@
# Sample image signing operator
The kabanero-security image signing operator is a sample operator for image signing which is capable to generate or import a keypair for image signing and create a secret resource which the image signing task consumes in the Kabanero pipeline.

# About image signing operator

The image signing operator is for automating various configurations which are required enabling the image signing by the Tekton pipeline in Kabanero.
The current code does following:
- Generate or import RSA keypair for the image signing based on the values of ImageSigning custom resource instance.
- Create the signature-secret-key secret resource from the RSA keypair. This secret is consumed by the image signing task of Tekton pipeline.
- When the ImageSignig custom resource is deleted, the corresponding signature-secret-key resource is also deleted.
- If the generated signature-secret-key resource is deleted, the same secret will be created by the image signing operator.

# Build and install the image signing operator

## Prerequisite

The image signing operator is developed using Operator SDK version 0.11.0.

In order to build and deploy the operator, the following prerequisite packages need to be installed:
- go version 1.13 or later
- Operator SDK version 0.11.0
- Openshift Container Platform 4.2 CLI

## Building the sample operator

### Clone the image signing operator

```
git clone https://github.com/kabanero-io/kabanero-security/pipelines/samples/signing-operator
cd signing-operator
```

You will need to examine the Makefile and set any necessary variables to push your container images to the correct repository. Especially, make sure that the variable of REPO is pointing to the correct repository, otherwise, the image will not be pushed.

### Login to OCP
(example)
```
oc login -u admin -p admin https://openshift.my.com:8443/
```

### Build image and push the image to the specified image repository

```
make build-image
make push-image
```

### Deploy the operator and sets required resources.

```
make deploy
```

Make sure that the image signing operator is running.

```
oc get pods -n kabanero
```
(example command output)
```
[admin@openshift signing-operator]# oc get pods -n kabanero
NAME READY STATUS RESTARTS AGE
signing-operator-77b489cf7f-n4d9z 1/1 Running 0 49s
```

### Create a image signing custom resource instance for generating a keypair.

If you have installed the image signing sample, please delete existing signature-secret-key secret, because the image signing operator will not create a secret if it already exists. To delete the secret, run
```
oc delete secret/signature-secret-key -n kabanero
```
If the image signing sample has not been installed, install it by using
kabanero-security/pipelines/samples/signing/create-resources-for-signing-operator-4.sh
This script is the same as the original script which configures image signing sample pipeline, but it skips generating a keypair. Make sure that the file is modified to set required parameters for your environment prior to running it.

Modify signing-operator/deploy/crds/security.kabanero.io_v1alpha1_imagesigning_generate_sample_cr.yaml to configure the identity of the keypair.
(example)
```
apiVersion: security.kabanero.io/v1alpha1
kind: ImageSigning
metadata:
name: default
spec:
identity:
name: ImageSigning
email: security@example.com
```

If there is existing keypair which you want to use for image signing, place armored secret (private) key and public key to the image signing custom resource. Refer to the example of signing-operator/deploy/crds/security.kabanero.io_v1alpha1_imagesigning_import_sample_cr.yaml
(example)
```
apiVersion: security.kabanero.io/v1alpha1
kind: ImageSigning
metadata:
name: default
spec:
keypair:
secretKey: |-
-----BEGIN PGP PRIVATE KEY BLOCK-----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=MVTl
-----END PGP PRIVATE KEY BLOCK-----
publicKey: |-
-----BEGIN PGP PUBLIC KEY BLOCK-----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=D/n0
-----END PGP PUBLIC KEY BLOCK-----
```
After modifying the file, create the resource

(example)
```
oc apply -f deploy/crds/security.kabanero.io_v1alpha1_imagesigning_generate_sample_cr.yaml
```

### Verify a secret is generated.

To verify that the secret run the following command.
```
oc get secret signature-secret-key -n kabanero
```
(example output)
```
[admin@openshift signing-operator]# oc get secret signature-secret-key -n kabanero
NAME TYPE DATA AGE
signature-secret-key Opaque 1 4m6s
```

## Uninstall the image signing operator and it's resources

```
make undeploy
```

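--- a/pipelines/samples/signing-operator/build/Dockerfile
+++ b/pipelines/samples/signing-operator/build/Dockerfile
@@ -0,0 +1,15 @@
+FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
+
+ENV OPERATOR=/usr/local/bin/signing-operator \
+USER_UID=1001 \
+USER_NAME=signing-operator
+
+# install operator binary
+COPY build/_output/bin/signing-operator ${OPERATOR}
+
+COPY build/bin /usr/local/bin
+RUN /usr/local/bin/user_setup
+
+ENTRYPOINT ["/usr/local/bin/entrypoint"]
+
+USER ${USER_UID}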
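Review bot: `FROM registry.access.redhat.com/ubi8/ubi-minimal:latest` on the first line floats on a mutable tag, so two builds of the same commit can end up on different base layers and the resulting image is neither reproducible nor easy to audit — a notable gap for an operator whose job is image signing. Pin the base to a version tag and digest, e.g. `FROM registry.access.redhat.com/ubi8/ubi-minimal:<VERSION>@sha256:<DIGEST>` (placeholder values), and bump it deliberately when rebasing. A one-line comment above the `FROM` saying where the pin comes from would keep the next maintainer from reverting to `latest`.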
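--- a/pipelines/samples/signing-operator/build/bin/entrypoint
+++ b/pipelines/samples/signing-operator/build/bin/entrypoint
@@ -0,0 +1,12 @@
+#!/bin/sh -e
+
+# This is documented here:
+# https://docs.openshift.com/container-platform/3.11/creating_images/guidelines.html#openshift-specific-guidelines
+
+if ! whoami &>/dev/null; then
+if [ -w /etc/passwd ]; then
+echo "${USER_NAME:-signing-operator}:x:$(id -u):$(id -g):${USER_NAME:-signing-operator} user:${HOME}:/sbin/nologin" >> /etc/passwd
+fi
+fi
+
+exec ${OPERATOR} $@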
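Review bot: `exec ${OPERATOR} $@` on the last line passes the operator's arguments unquoted, so any argument containing whitespace or glob characters is re-split or expanded before the binary sees it; it should read `exec "${OPERATOR}" "$@"`. The `&>/dev/null` on the `whoami` test is a bash extension: under `#!/bin/sh` on a shell that is not bash it parses as backgrounding `whoami`, and the condition no longer tests whether the current UID is known — `if ! whoami >/dev/null 2>&1; then` is the portable form. The `/etc/passwd` append is the usual OpenShift arbitrary-UID pattern and presumably depends on `user_setup` having made the file group-writable; a short comment saying so would help anyone hardening the image later.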
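--- a/pipelines/samples/signing-operator/build/bin/user_setup
+++ b/pipelines/samples/signing-operator/build/bin/user_setup
@@ -0,0 +1,13 @@
+#!/bin/sh
+set -x
+
+# ensure $HOME exists and is accessible by group 0 (we don't know what the runtime UID will be)
+mkdir -p ${HOME}
+chown ${USER_UID}:0 ${HOME}
+chmod ug+rwx ${HOME}
+
+# runtime user will need to be able to self-insert in /etc/passwd
+chmod g+rw /etc/passwd
+
+# no need for this script to remain in the image after running
+rm $0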
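Review bot: `set -x` on the second line only traces; without `-e` a failed `chown` or `chmod` is printed and the image build carries on, producing an image whose runtime user cannot write `$HOME` or register itself in `/etc/passwd`. `set -ex` makes each step fatal so the problem surfaces at build time rather than at pod start. `${HOME}` and `$0` are unquoted throughout; `"${HOME}"` and `rm -- "$0"` cost nothing, and if `USER_UID` is ever unset `chown ${USER_UID}:0` quietly degrades to changing only the group, so a `: "${USER_UID:?USER_UID must be set}"` guard at the top would catch that.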
