sign kaniko image

2022-01-03 12:57:23 -06:00 · 2022-01-03 12:57:23 -06:00 · 112e932c33
commit 112e932c33
parent 778866f39c
1 changed files with 31 additions and 3 deletions
--- a/build-kaniko.jenkins
+++ b/build-kaniko.jenkins
@ -2,6 +2,8 @@ def label = "jenkins-${UUID.randomUUID().toString()}"

 def repository = "registry.c.test-chamber-13.lan"
 def repositoryCreds = "harbor-repository-creds"
+def dockerKey = "docker-image-signing-key"
+def dockerKeyPass = "docker-image-signing-pass"

 podTemplate(
    label: label,
@ -15,15 +17,27 @@ spec:
  containers:
  - name: kaniko
    imagePullPolicy: Always
-    image: gcr.io/kaniko-project/executor:debug
+    image: ${repository}/google/kaniko-project/executor:debug
+    tty: true
+  - name: alpine
+    imagePullPolicy: Always
+    image: ${repository}/libary/alpine:latest
    tty: true
-    command:
-    - /busybox/cat
 """,
 ) {
    node (label) {
        def workspace = pwd()

+        stage("Get Cosign") {
+            container("alpine") {
+                sh """
+                    apk add --no-cache curl jq
+                    curl --silent --location "https://github.com/sigstore/cosign/releases/download/\$(curl --silent "https://api.github.com/repos/sigstore/cosign/releases/latest" | jq -r '.tag_name')/cosign-linux-amd64" --output "${workspace}/cosign"
+                    chmod +x "${workspace}/cosign"
+                """
+            }
+        }
+
        stage ("Prepare Kaniko") {
            container ("kaniko") {
                withCredentials([usernameColonPassword(
@ -62,11 +76,25 @@ spec:
        stage("Build Alpine with CA") {
            container("kaniko") {
                def DF = """FROM ${repository}/google/kaniko-project/executor:debug
+COPY ./cosign /usr/local/bin/cosign
 COPY ./kaniko-chain.crt /kaniko/ssl/certs/ca-certificates.crt
 """
                sh "cp /kaniko/ssl/certs/ca-certificates.crt \"${workspace}/kaniko-chain.crt\""
                writeFile(file: workspace + "/Dockerfile", text: DF)
                sh "/kaniko/executor --context \"${workspace}\" -f \"${workspace}/Dockerfile\" --destination \"${repository}/library/kaniko:latest\""
+
+                withCredentials([
+                    string(
+                        credentialsId: dockerKeyPass,
+                        variable: "signPass"
+                    ),
+                    file(
+                        credentialsId: dockerKey,
+                        variable: "signKey"
+                    )
+                ]) {
+                    sh "COSIGN_PASSWORD=\"${signPass}\" \"${workspace}/cosign\" sign --key \"${signKey}\" \"${repository}/library/kaniko:latest\""
+                }
            }
        }
    }