Air gap support #2299

Merged (3 commits), Nov 10, 2022
19 changes: 17 additions & 2 deletions .github/workflows/kind-verify-attestation.yaml
@@ -33,10 +33,13 @@ jobs:
matrix:
k8s-version:
- v1.24.x
tuf-root:
- remote
- air-gap

env:
KO_DOCKER_REPO: "registry.local:5000/policy-controller"
SCAFFOLDING_RELEASE_VERSION: "v0.4.12"
SCAFFOLDING_RELEASE_VERSION: "v0.4.13"
GO111MODULE: on
GOFLAGS: -ldflags=-s -ldflags=-w
KOCACHE: ~/ko
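Review bot: the SCAFFOLDING_RELEASE_VERSION bump from v0.4.12 to v0.4.13 carries no explanation, yet the new air-gap matrix entry depends on it: the air-gap step reads a `repository` key out of the `tuf-root` secret, which only a scaffolding release that publishes that key will provide. A one-line YAML comment above the env entry ("v0.4.13+ required: tuf-root secret must carry the packed repository for the air-gap job") would stop the pin from being rolled back later and breaking only the air-gap half of the matrix.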
@@ -83,11 +86,23 @@ jobs:
echo Created image $demoimage
popd

- name: Initialize with our custom TUF root
- name: Initialize with our custom TUF root pointing to remote root
if: ${{ matrix.tuf-root == 'remote' }}
run: |
TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}')
./cosign initialize --mirror $TUF_MIRROR --root ./root.json

- name: Initialize with custom TUF root pointing to local filesystem
if: ${{ matrix.tuf-root == 'air-gap' }}
run: |
# Grab the compressed repository for airgap testing.
kubectl -n tuf-system get secrets tuf-root -ojsonpath='{.data.repository}' | base64 -d > ./repository.tar.gz
tar -zxvf ./repository.tar.gz
PWD=$(pwd)
ROOT=${PWD}/repository/1.root.json
REPOSITORY=${PWD}/repository
./cosign initialize --root ${ROOT} --mirror file://${REPOSITORY}

- name: Sign demoimage with cosign
run: |
./cosign sign --rekor-url ${{ env.REKOR_URL }} --fulcio-url ${{ env.FULCIO_URL }} --yes --allow-insecure-registry ${{ env.demoimage }} --identity-token ${{ env.OIDC_TOKEN }}
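Review bot: in the air-gap step, `PWD=$(pwd)` overwrites the shell's own PWD variable; it happens to hold the same value, but a name such as `REPO_DIR=$(pwd)` avoids clobbering a special variable and makes the intent obvious. Worth a comment too: the trusted root `1.root.json` is taken from the same `tuf-root` secret as the mirror it is then used to verify, which is fine for a CI smoke test but does not exercise the out-of-band root distribution an air-gapped deployment relies on; `--root` is the one input an operator must obtain independently of the mirror. Minor: `tar -zxvf` prints every entry of the repository into the job log; `tar -zxf` keeps the step output readable.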
2 changes: 1 addition & 1 deletion cmd/cosign/cli/options/initialize.go
@@ -31,7 +31,7 @@ var _ Interface = (*InitializeOptions)(nil)
// AddFlags implements Interface
func (o *InitializeOptions) AddFlags(cmd *cobra.Command) {
cmd.Flags().StringVar(&o.Mirror, "mirror", tuf.DefaultRemoteRoot,
"GCS bucket to a SigStore TUF repository or HTTP(S) base URL")
"GCS bucket to a SigStore TUF repository, or HTTP(S) base URL, or file:/// for local filestore remote (air-gap)")

cmd.Flags().StringVar(&o.Root, "root", "",
"path to trusted initial root. defaults to embedded root")
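Review bot: the new `--mirror` help string reads awkwardly ("GCS bucket to a SigStore TUF repository, or HTTP(S) base URL, or file:/// for local filestore remote"); suggest "GCS bucket, HTTP(S) base URL, or file:/// path of a local mirror of a Sigstore TUF repository (air-gap)", with the project's usual "Sigstore" spelling. The adjacent `--root` help ("defaults to embedded root") could also note that a custom file:// mirror will normally need an explicit `--root`, which is what the workflow change in this PR does for the air-gap case.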
2 changes: 1 addition & 1 deletion doc/cosign_initialize.md

(Generated file; diff not rendered.)