diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index b5edd66..dcbcf60 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -11,18 +11,21 @@ env:
 GO_VERSION: 1.21
 AWS_REGION: us-east-2
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 BASE_HOSTNAME: ${{ secrets.BASE_DOMAIN }}
 FULCIO_URL: https://fulcio.${{ secrets.BASE_DOMAIN }}
 TUF_URL: https://tuf.${{ secrets.BASE_DOMAIN }}
 KEYCLOAK_URL: ${{ secrets.KEYCLOAK_URL }}
- KEYCLOAK_REALM: sigstore
- KEYCLOAK_OIDC_ISSUER: ${{ secrets.KEYCLOAK_URL}}/realms/sigstore
+ KEYCLOAK_REALM: trusted-artifact-signer
+ KEYCLOAK_OIDC_ISSUER: ${{ secrets.KEYCLOAK_URL}}/realms/trusted-artifact-signer
 REKOR_URL: https://rekor.${{ secrets.BASE_DOMAIN }}
 TF_VAR_base_domain: ${{ secrets.BASE_DOMAIN }}
 TF_VAR_vpc_id: ${{ secrets.VPC_ID }}
 TF_VAR_rh_username: ${{ secrets.RH_USERNAME }}
 TF_VAR_rh_password: ${{ secrets.RH_PASSWORD }}
+ TF_VAR_aws_access_key: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ TF_VAR_aws_secret_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 IMAGE: ttl.sh/sigstore-test:15m
 jobs:
@@ -31,6 +34,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: hashicorp/setup-terraform@v3
+ with:
+ terraform_version: 1.8.1
 - name: Checkout code
 uses: actions/checkout@v2
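Review bot: The added `AWS_ACCESS_KEY`, `TF_VAR_aws_access_key` and `TF_VAR_aws_secret_key` entries put the same long-lived AWS key pair into the job-wide `env:` block under three names, so every step of the job — including the third-party actions `hashicorp/setup-terraform@v3`, `actions/checkout@v2` and the cosign installer — inherits the secret access key in its process environment. `AWS_ACCESS_KEY` is not the name the AWS CLI / Terraform AWS provider credential chain reads (that is the existing `AWS_ACCESS_KEY_ID`), and no step in this diff consumes it, so it only widens exposure; the `TF_VAR_aws_*` pair is likewise only useful if `main.tf` declares matching `aws_access_key` / `aws_secret_key` variables, which this diff does not show (as far as I recall Terraform silently ignores `TF_VAR_` values for undeclared variables). I would drop `AWS_ACCESS_KEY`, and either remove the `TF_VAR_aws_*` pair or move secret-valued entries to a step-level `env:` on the one step that needs them. The longer-term fix is `aws-actions/configure-aws-credentials` with an OIDC-federated role, so no static key has to live in repository secrets at all.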
@@ -38,23 +43,27 @@ jobs: - name: sshkeygen for ansible run: ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa -N "" - - - name: docker login registry.redhat.io - run: echo ${{ secrets.RH_PASSWORD }} | docker login -u ${{ secrets.RH_USERNAME }} --password-stdin registry.redhat.io - - name: build push sign and tag run: | buildah pull alpine:latest buildah tag alpine:latest ${{ env.IMAGE }} buildah push ${{ env.IMAGE }} + - name: configure AWS credential files + run: | + mkdir -p ~/.aws + echo "[default]" > ~/.aws/credentials + echo "aws_access_key_id = ${{ secrets.AWS_ACCESS_KEY_ID }}" >> ~/.aws/credentials + echo "aws_secret_access_key = ${{ secrets.AWS_SECRET_ACCESS_KEY }}" >> ~/.aws/credentials + echo "[default]" > ~/.aws/config + echo "region = ${{ env.AWS_REGION }}" >> ~/.aws/config + - name: Terraform Init run: terraform init - name: Terraform Apply run: terraform apply -auto-approve - - name: install cosign uses: sigstore/cosign-installer@v3.3.0 with: 
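Review bot: The new `configure AWS credential files` step expands `${{ secrets.AWS_ACCESS_KEY_ID }}` and `${{ secrets.AWS_SECRET_ACCESS_KEY }}` into the script text and writes them to `~/.aws/credentials` with the runner's default umask, so the key pair lands in a plaintext file whose permissions are never tightened. The same values are already exported job-wide as `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` in the `env:` block (outside this hunk), which the Terraform AWS provider reads directly; the file appears to exist only because the new `provider.tf` sets `profile = "default"`, and removing that line would make this step unnecessary. If the file is kept, read the values from the already-exported variables instead of re-templating the secrets into the script, and create both files under `umask 077`; the `region` line duplicates `AWS_REGION`, which the provider also takes from the environment. The rewritten step below keeps the same file contents.

```yaml
      - name: configure AWS credential files
        run: |
          mkdir -p ~/.aws
          (umask 077 && printf '[default]\naws_access_key_id = %s\naws_secret_access_key = %s\n' \
            "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY" > ~/.aws/credentials)
          (umask 077 && printf '[default]\nregion = %s\n' "$AWS_REGION" > ~/.aws/config)
```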
@@ -65,8 +74,8 @@ jobs: - name: sign and verify run: | - TOKEN=$(curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=jdoe" -d "password=secure" -d "grant_type=password" -d "scope=openid" -d "client_id=sigstore" https://keycloak-keycloak-system.apps.platform-sts.pcbk.p1.openshiftapps.com/auth/realms/sigstore/protocol/openid-connect/token | sed -E 's/.*"access_token":"([^"]*).*/\1/') - cosign sign -y --fulcio-url=${{ env.FULCIO_URL}} --rekor-url=${{ env.REKOR_URL}} --oidc-issuer=${{ env.KEYCLOAK_OIDC_ISSUER}} --identity-token=$TOKEN ${{ env.IMAGE }} + TOKEN=$(curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=jdoe" -d "password=secure" -d "grant_type=password" -d "scope=openid" -d "client_id=sigstore" ${{ env.KEYCLOAK_OIDC_ISSUER }}/protocol/openid-connect/token | sed -E 's/.*"access_token":"([^"]*).*/\1/') + cosign sign -y --fulcio-url=${{ env.FULCIO_URL}} --rekor-url=${{ env.REKOR_URL}} --oidc-issuer=${{ env.KEYCLOAK_OIDC_ISSUER}} --identity-token=$TOKEN --oidc-client-id=${{ secrets.KEYCLOAK_REALM }} ${{ env.IMAGE }} cosign verify --rekor-url=${{ env.REKOR_URL}} --certificate-identity-regexp ".*@redhat" --certificate-oidc-issuer-regexp ".*keycloak.*" ${{ env.IMAGE }} - name: Terraform Destroy diff --git a/main.tf b/main.tf index 9d1f5b5..6cc7bb0 100644 --- a/main.tf +++ b/main.tf @@ -36,7 +36,6 @@ variable "rh_password" { type = string } - // generate a new security group to allow ssh and https traffic resource "aws_security_group" "sigstore-access" { name = "sigstore-access" diff --git a/provider.tf b/provider.tf new file mode 100644 index 0000000..d564e99 --- /dev/null +++ b/provider.tf @@ -0,0 +1,4 @@ +provider "aws" { + region = "us-east-2" + profile = "default" +} \ No newline at end of file diff --git a/roles/sigstore_scaffolding/defaults/main.yml b/roles/sigstore_scaffolding/defaults/main.yml index e4de627..5214df8 100644 --- a/roles/sigstore_scaffolding/defaults/main.yml 
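Review bot: `--oidc-client-id=${{ secrets.KEYCLOAK_REALM }}` on the new `cosign sign` line references a secret, but `KEYCLOAK_REALM` is defined in the workflow `env:` block (earlier hunk), not in repository secrets; unless a secret of that name also exists the expression expands to an empty string and cosign receives `--oidc-client-id=`. It should read `--oidc-client-id=${{ env.KEYCLOAK_REALM }}`, and the token request on the line above still sends `client_id=sigstore`, which I would expect to match the client id handed to cosign (the Ansible defaults in this same commit rename `sigstore_client_id` to `trusted-artifact-signer`) — please confirm which client the realm actually defines. The request also embeds a committed test credential (`username=jdoe`, `password=secure`) for a resource-owner-password grant; even for a throwaway realm I would source both from secrets so a reader of the repository does not hold a working login to the signing identity provider. The `sed` extraction of `access_token` silently yields an empty `TOKEN` on an error response, so checking the HTTP status (`curl --fail`) or using `jq -r .access_token` would surface auth failures before `cosign sign` runs with no identity token.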
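Review bot: The new `provider.tf` hard-codes `region = "us-east-2"` and `profile = "default"` although the workflow already exports `AWS_REGION`, `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`; the explicit `profile` appears to be the reason the workflow now writes the key pair to `~/.aws/credentials`. Dropping `profile = "default"` (and sourcing `region` from a variable or the environment) lets the provider use its normal credential chain and removes the on-disk copy of the secret. A header comment such as `// credentials come from the CI environment (AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY); no shared profile is required` would document the intent. The file also lacks a trailing newline (`\ No newline at end of file`).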
+++ b/roles/sigstore_scaffolding/defaults/main.yml @@ -98,9 +98,9 @@ ct_logprefix: sigstoreansible scaffolding_utils_image: quay.io/ablock/sigstore-scaffolding-helper:latest -oidc_issuers: https://keycloak-keycloak-system.apps.platform-sts.pcbk.p1.openshiftapps.com/auth/realms/sigstore -sigstore_client_id: sigstore -issuer_url: https://keycloak-keycloak-system.apps.platform-sts.pcbk.p1.openshiftapps.com/auth/realms/sigstore +oidc_issuers: https://keycloak-keycloak-system.apps.platform-sts.pcbk.p1.openshiftapps.com/auth/realms/trusted-artifact-signer +sigstore_client_id: trusted-artifact-signer +issuer_url: https://keycloak-keycloak-system.apps.platform-sts.pcbk.p1.openshiftapps.com/auth/realms/trusted-artifact-signer oidc_issuers_type: email # Sigstore Images diff --git a/terraform.tf b/terraform.tf new file mode 100644 index 0000000..07b0879 --- /dev/null +++ b/terraform.tf @@ -0,0 +1,13 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 4.0" + } + null = { + source = "hashicorp/null" + version = "~> 3.2.1" + } + } + required_version = ">= 0.14.9" +} \ No newline at end of file
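Review bot: `oidc_issuers` and `issuer_url` carry the same literal Keycloak URL, and the new values hard-code the `keycloak-keycloak-system.apps.platform-sts.pcbk.p1.openshiftapps.com` host while the workflow in this same commit moved to deriving its issuer from `secrets.KEYCLOAK_URL`; the two also differ in path (`/auth/realms/...` here versus `/realms/...` in `KEYCLOAK_OIDC_ISSUER`), so I cannot tell from the diff whether the issuer the cluster trusts and the issuer cosign is pointed at are the same string — the `cosign verify` step only matches it against `.*keycloak.*`, which would not catch a mismatch. Deriving `issuer_url` from `oidc_issuers` (or both from one `keycloak_url` variable) and adding a comment such as `# must match KEYCLOAK_OIDC_ISSUER in .github/workflows/main.yaml` would keep the two sources in sync. Using the realm name as the client id (`sigstore_client_id: trusted-artifact-signer`) is unusual enough to deserve a one-line comment stating that the Keycloak client is deliberately named after the realm.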
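Review bot: `terraform.tf` constrains the AWS provider to `~> 4.0` (any 4.x release) and `required_version = ">= 0.14.9"`, while the workflow pins Terraform itself to 1.8.1; no `.terraform.lock.hcl` is added in this diff, so each `terraform init` in CI may resolve a different provider build, and the 4.x line has, as far as I know, been superseded by a 5.x major. Committing the lock file produced by `terraform init` and tightening the constraint to the tested minor (e.g. `version = "~> 4.<tested minor>"`, placeholder) gives reproducible, checksum-verified provider downloads. The file is also missing its trailing newline.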