refactor release job (sigstore#1710)

* refactor release job Signed-off-by: cpanato <ctadeu@gmail.com> * add kustomize Signed-off-by: cpanato <ctadeu@gmail.com> * fix env var Signed-off-by: cpanato <ctadeu@gmail.com> * disable push to github release for now Signed-off-by: cpanato <ctadeu@gmail.com>
ybelMekk · Apr 5, 2022 · 2b93597 · 2b93597
1 parent d8c5ffe
commit 2b93597
Show file tree

Hide file tree

Showing 13 changed files with 187 additions and 96 deletions.
diff --git a/.github/workflows/kind-cluster-image-policy.yaml b/.github/workflows/kind-cluster-image-policy.yaml
@@ -56,6 +56,8 @@ jobs:
     # will use the latest release available for ko
     - uses: imjasonh/setup-ko@2c3450ca27f6e6f2b02e72a40f2163c281a1f675 # v0.4
 
+    - uses: imranismail/setup-kustomize@8fa954828ed3cfa7a487a2ba9f7104899bb48b2f # v1.6.1
+
     - name: Install yq
       uses: mikefarah/yq@bc2118736bca883de2e2c345bb7f7ef52c994920 # v4.16.2
 
@@ -73,11 +75,15 @@ jobs:
 
     - name: Install cosigned
       env:
-        GIT_HASH: $GITHUB_SHA
+        GIT_HASH: ${{ github.sha }}
         GIT_VERSION: ci
         LDFLAGS: ""
+        COSIGNED_YAML: cosigned-e2e.yaml
+        KO_PREFIX: registry.local:5000/cosigned
+        COSIGNED_ARCHS: linux/amd64
       run: |
-        ko apply -Bf config/
+        make ko-cosigned
+        kubectl apply -f cosigned-e2e.yaml
 
         # Wait for the webhook to come up and become Ready
         kubectl rollout status --timeout 5m --namespace cosign-system deployments/webhook

diff --git a/.github/workflows/kind-e2e-cosigned.yaml b/.github/workflows/kind-e2e-cosigned.yaml
@@ -50,6 +50,8 @@ jobs:
 
     - uses: imjasonh/setup-ko@2c3450ca27f6e6f2b02e72a40f2163c281a1f675 # v0.4
 
+    - uses: imranismail/setup-kustomize@8fa954828ed3cfa7a487a2ba9f7104899bb48b2f # v1.6.1
+
     - name: Install yq
       uses: mikefarah/yq@bc2118736bca883de2e2c345bb7f7ef52c994920 # v4.16.2
 
@@ -96,11 +98,15 @@ jobs:
 
     - name: Install cosigned
       env:
-        GIT_HASH: $GITHUB_SHA
+        GIT_HASH: ${{ github.sha }}
         GIT_VERSION: ci
         LDFLAGS: ""
+        COSIGNED_YAML: cosigned-e2e.yaml
+        KO_PREFIX: registry.local:5000/cosigned
+        COSIGNED_ARCHS: linux/amd64
       run: |
-        ko apply -Bf config/
+        make ko-cosigned
+        kubectl apply -f cosigned-e2e.yaml
 
         # Wait for the webhook to come up and become Ready
         kubectl rollout status --timeout 5m --namespace cosign-system deployments/webhook

diff --git a/.github/workflows/validate-release.yml b/.github/workflows/validate-release.yml
@@ -39,7 +39,7 @@ jobs:
       statuses: none
 
     env:
-      CROSS_BUILDER_IMAGE: ghcr.io/gythialy/golang-cross:v1.17.8-0@sha256:b5b14c6a61099af5a69864f242766a0dca978d2aea97e311d051ee4f4b7d19ba
+      CROSS_BUILDER_IMAGE: ghcr.io/gythialy/golang-cross:v1.17.8-1@sha256:38effe76e69a728f6c2e76b290c0d5e09fdff439926e3bbe7e69978c84c185f3
       COSIGN_IMAGE: gcr.io/projectsigstore/cosign:v1.6.0@sha256:b667002156c4bf9fedd9273f689b800bb5c341660e710e3bbac981c9795423d9
 
     steps:
@@ -70,5 +70,4 @@ jobs:
       - name: check binaries
         run: |
           ./dist/cosign-linux-amd64 version
-          ./dist/cosigned-linux-amd64 --help
           ./dist/sget-linux-amd64 version
diff --git a/.gitignore b/.gitignore
@@ -27,5 +27,9 @@
 
 bin*
 dist/
+cosignImagerefs
+cosignedImagerefs
+sgetImagerefs
+policyImagerefs
 
 **verify-experimental*
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -15,7 +15,7 @@ before:
 # if running a release we will generate the images in this step
 # if running in the CI the CI env va is set and we dont run the ko steps
 # this is needed because we are generating files that goreleaser was not aware to push to GH project release
-  - /bin/bash -c 'if [ -z "$CI" ]; then make sign-container-release && make sign-keyless-release; fi'
+  - /bin/bash -c 'if [ -z "$CI" ]; then make sign-release-images; fi'
 
 gomod:
   proxy: true
@@ -128,28 +128,6 @@ builds:
     - pivkey
     - pkcs11key
 
-- id: linux-cosigned
-  binary: cosigned-linux-{{ .Arch }}
-  no_unique_dist_dir: true
-  main: ./cmd/cosign/webhook
-  mod_timestamp: '{{ .CommitTimestamp }}'
-  flags:
-    - -trimpath
-  goos:
-    - linux
-  goarch:
-    - amd64
-    - arm64
-    - arm
-    - s390x
-    - ppc64le
-  goarm:
-    - 7
-  ldflags:
-    - "{{ .Env.LDFLAGS }}"
-  env:
-    - CGO_ENABLED=0
-
 - id: sget
   binary: sget-{{ .Os }}-{{ .Arch }}
   no_unique_dist_dir: true
@@ -189,13 +167,6 @@ signs:
     cmd: ./dist/cosign-linux-amd64
     args: ["sign-blob", "--output-signature", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
     artifacts: binary
-  - id: cosigned
-    signature: "${artifact}.sig"
-    cmd: ./dist/cosign-linux-amd64
-    args: ["sign-blob", "--output-signature", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
-    artifacts: binary
-    ids:
-      - linux-cosigned
   - id: sget
     signature: "${artifact}.sig"
     cmd: ./dist/cosign-linux-amd64
@@ -210,14 +181,6 @@ signs:
     cmd: ./dist/cosign-linux-amd64
     args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"]
     artifacts: binary
-  - id: cosigned-keyless
-    signature: "${artifact}-keyless.sig"
-    certificate: "${artifact}-keyless.pem"
-    cmd: ./dist/cosign-linux-amd64
-    args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"]
-    artifacts: binary
-    ids:
-      - linux-cosigned
   - id: sget-keyless
     signature: "${artifact}-keyless.sig"
     certificate: "${artifact}-keyless.pem"
@@ -273,6 +236,7 @@ snapshot:
   name_template: SNAPSHOT-{{ .ShortCommit }}
 
 release:
+  disable: true ## not pushing to GitHub release due issues (context https://sigstore.slack.com/archives/C01PZKDL4DP/p1649162659703169?thread_ts=1649089777.081249&cid=C01PZKDL4DP)
   prerelease: allow # remove this when we start publishing non-prerelease or set to auto
   draft: true # allow for manual edits
   github:

diff --git a/.ko.yaml b/.ko.yaml
@@ -47,6 +47,21 @@ builds:
   - -extldflags "-static"
   - "{{ .Env.LDFLAGS }}"
 
+- id: policy_webhook
+  dir: .
+  main: ./cmd/cosign/policy_webhook
+  env:
+  - CGO_ENABLED=0
+  flags:
+  - -trimpath
+  - --tags
+  - "{{ .Env.GIT_HASH }}"
+  - --tags
+  - "{{ .Env.GIT_VERSION }}"
+  ldflags:
+  - -extldflags "-static"
+  - "{{ .Env.LDFLAGS }}"
+
 - id: sget
   dir: .
   main: ./cmd/sget

diff --git a/Makefile b/Makefile
@@ -42,6 +42,7 @@ ifeq ($(DIFF), 1)
 endif
 PLATFORMS=darwin linux windows
 ARCHITECTURES=amd64
+COSIGNED_ARCHS?=all
 
 LDFLAGS=-buildid= -X sigs.k8s.io/release-utils/version.gitVersion=$(GIT_VERSION) \
         -X sigs.k8s.io/release-utils/version.gitCommit=$(GIT_HASH) \
@@ -132,38 +133,58 @@ clean:
 
 
 KOCACHE_PATH=/tmp/ko
-ARTIFACT_HUB_LABELS=--image-label io.artifacthub.package.readme-url=https://raw.githubusercontent.com/sigstore/cosign/main/README.md --image-label io.artifacthub.package.logo-url=https://raw.githubusercontent.com/sigstore/cosign/main/images/logo.svg --image-label io.artifacthub.package.license=Apache-2.0 --image-label io.artifacthub.package.vendor=sigstore --image-label io.artifacthub.package.version=0.1.0 --image-label io.artifacthub.package.name=cosign --image-label org.opencontainers.image.created=$(BUILD_DATE) --image-label org.opencontainers.image.description='Container signing verification and storage in an OCI registry' --image-label io.artifacthub.package.alternative-locations="oci://ghcr.io/sigstore/cosign/cosign"
+ARTIFACT_HUB_LABELS=--image-label io.artifacthub.package.readme-url="https://raw.githubusercontent.com/sigstore/cosign/main/README.md" \
+                    --image-label io.artifacthub.package.logo-url=https://raw.githubusercontent.com/sigstore/cosign/main/images/logo.svg \
+                    --image-label io.artifacthub.package.license=Apache-2.0 --image-label io.artifacthub.package.vendor=sigstore \
+                    --image-label io.artifacthub.package.version=0.1.0 \
+                    --image-label io.artifacthub.package.name=cosign \
+                    --image-label org.opencontainers.image.created=$(BUILD_DATE) \
+                    --image-label org.opencontainers.image.description="Container signing verification and storage in an OCI registry" \
+                    --image-label io.artifacthub.package.alternative-locations="oci://ghcr.io/sigstore/cosign/cosign"
 
 define create_kocache_path
   mkdir -p $(KOCACHE_PATH)
 endef
 
-
 ##########
 # ko build
 ##########
 .PHONY: ko
-ko:
+ko: ko-cosign ko-sget ko-cosigned
+
+.PHONY: ko-cosign
+ko-cosign:
 	$(create_kocache_path)
 	LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
 	KOCACHE=$(KOCACHE_PATH) ko build --base-import-paths \
 		--platform=all --tags $(GIT_VERSION) --tags $(GIT_HASH)$(LATEST_TAG) \
-		$(ARTIFACT_HUB_LABELS) \
+		$(ARTIFACT_HUB_LABELS) --image-refs cosignImagerefs \
 		github.com/sigstore/cosign/cmd/cosign
 
-	# cosigned
-	LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
-	KO_DOCKER_REPO=$(KO_PREFIX)/cosigned ko resolve --bare \
-		--platform=all --tags $(GIT_VERSION) --tags $(GIT_HASH)$(LATEST_TAG) \
-		--filename config/ > $(COSIGNED_YAML)
-
+.PHONY: ko-sget
+ko-sget:
 	# sget
 	LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
 	KOCACHE=$(KOCACHE_PATH) ko build --base-import-paths \
 		--platform=all --tags $(GIT_VERSION) --tags $(GIT_HASH)$(LATEST_TAG) \
-		$(ARTIFACT_HUB_LABELS) \
+		--image-refs sgetImagerefs \
 		github.com/sigstore/cosign/cmd/sget
 
+.PHONY: ko-cosigned
+ko-cosigned: kustomize-cosigned ko-policy-webhook
+	# cosigned
+	LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
+	KOCACHE=$(KOCACHE_PATH) KO_DOCKER_REPO=$(KO_PREFIX)/cosigned ko resolve --bare \
+		--platform=$(COSIGNED_ARCHS) --tags $(GIT_VERSION) --tags $(GIT_HASH)$(LATEST_TAG) \
+		--image-refs cosignedImagerefs --filename config/webhook.yaml >> $(COSIGNED_YAML)
+
+ko-policy-webhook:
+	# policy_webhook
+	LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
+	KOCACHE=$(KOCACHE_PATH) KO_DOCKER_REPO=$(KO_PREFIX)/policy-webhook ko resolve --bare \
+		--platform=$(COSIGNED_ARCHS) --tags $(GIT_VERSION) --tags $(GIT_HASH)$(LATEST_TAG) \
+		--image-refs policyImagerefs --filename config/policy-webhook.yaml >> $(COSIGNED_YAML)
+
 .PHONY: ko-local
 ko-local:
 	$(create_kocache_path)
@@ -189,6 +210,11 @@ ko-local:
 ko-apply:
 	LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) ko apply -Bf config/
 
+
+.PHONY: kustomize-cosigned
+kustomize-cosigned:
+	kustomize build config/ > $(COSIGNED_YAML)
+
 ##################
 # help
 ##################

diff --git a/config/kustomization.yaml b/config/kustomization.yaml
@@ -0,0 +1,32 @@
+# Copyright 2022 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - 100-namespace.yaml
+  - 200-serviceaccount.yaml
+  - 200-role.yaml
+  - 200-clusterrole.yaml
+  - 201-rolebinding.yaml
+  - 201-clusterrolebinding.yaml
+  - 300-clusterimagepolicy.yaml
+  - 400-webhook-service.yaml
+  - 500-webhook-configuration.yaml
+  - 501-policy-webhook-configurations.yaml
+  - config-observability.yaml
+  - config-logging.yaml
+  - config-leader-election.yaml
+  - config-image-policies.yaml
diff --git a/config/policy-webhook.yaml b/config/policy-webhook.yaml
@@ -12,6 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+---
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:

diff --git a/config/webhook.yaml b/config/webhook.yaml
@@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -108,3 +109,4 @@ metadata:
 # stringData:
 #   cosign.pub: |
 #     <PEM encoded public key>
+---
diff --git a/release/cloudbuild.yaml b/release/cloudbuild.yaml
@@ -39,10 +39,10 @@ steps:
   - TUF_ROOT=/tmp
   args:
   - 'verify'
-  - 'ghcr.io/gythialy/golang-cross:v1.17.8-0@sha256:b5b14c6a61099af5a69864f242766a0dca978d2aea97e311d051ee4f4b7d19ba'
+  - 'ghcr.io/gythialy/golang-cross:v1.17.8-1@sha256:38effe76e69a728f6c2e76b290c0d5e09fdff439926e3bbe7e69978c84c185f3'
 
 # maybe we can build our own image and use that to be more in a safe side
-- name: ghcr.io/gythialy/golang-cross:v1.17.8-0@sha256:b5b14c6a61099af5a69864f242766a0dca978d2aea97e311d051ee4f4b7d19ba
+- name: ghcr.io/gythialy/golang-cross:v1.17.8-1@sha256:38effe76e69a728f6c2e76b290c0d5e09fdff439926e3bbe7e69978c84c185f3
   entrypoint: /bin/sh
   dir: "go/src/sigstore/cosign"
   env:
@@ -65,7 +65,7 @@ steps:
       gcloud auth configure-docker \
       && make release
 
-- name: gcr.io/cloud-builders/docker
+- name: ghcr.io/gythialy/golang-cross:v1.17.8-1@sha256:38effe76e69a728f6c2e76b290c0d5e09fdff439926e3bbe7e69978c84c185f3
   entrypoint: 'bash'
   dir: "go/src/sigstore/cosign"
   env:
@@ -103,7 +103,7 @@ artifacts:
     - "go/src/sigstore/cosign/cosign*.yaml"
 
 options:
-  machineType: E2_HIGHCPU_8
+  machineType: E2_HIGHCPU_32
 
 tags:
 - cosign-release