sign kaniko image

This commit is contained in:
Hyatt 2022-01-03 12:57:23 -06:00
parent 778866f39c
commit 112e932c33
Signed by: nhyatt
GPG Key ID: C50D0BBB5BC40BEA


@ -2,6 +2,8 @@ def label = "jenkins-${UUID.randomUUID().toString()}"
def repository = "registry.c.test-chamber-13.lan" def repository = "registry.c.test-chamber-13.lan"
def repositoryCreds = "harbor-repository-creds" def repositoryCreds = "harbor-repository-creds"
def dockerKey = "docker-image-signing-key"
def dockerKeyPass = "docker-image-signing-pass"
podTemplate( podTemplate(
label: label, label: label,
@ -15,15 +17,27 @@ spec:
containers: containers:
- name: kaniko - name: kaniko
imagePullPolicy: Always imagePullPolicy: Always
image: gcr.io/kaniko-project/executor:debug image: ${repository}/google/kaniko-project/executor:debug
tty: true
- name: alpine
imagePullPolicy: Always
image: ${repository}/libary/alpine:latest
tty: true tty: true
command:
- /busybox/cat
""", """,
) { ) {
node (label) { node (label) {
def workspace = pwd() def workspace = pwd()
stage("Get Cosign") {
container("alpine") {
sh """
apk add --no-cache curl jq
curl --silent --location "https://github.com/sigstore/cosign/releases/download/\$(curl --silent "https://api.github.com/repos/sigstore/cosign/releases/latest" | jq -r '.tag_name')/cosign-linux-amd64" --output "${workspace}/cosign"
chmod +x "${workspace}/cosign"
"""
}
}
stage ("Prepare Kaniko") { stage ("Prepare Kaniko") {
container ("kaniko") { container ("kaniko") {
withCredentials([usernameColonPassword( withCredentials([usernameColonPassword(
@ -62,11 +76,25 @@ spec:
stage("Build Alpine with CA") { stage("Build Alpine with CA") {
container("kaniko") { container("kaniko") {
def DF = """FROM ${repository}/google/kaniko-project/executor:debug def DF = """FROM ${repository}/google/kaniko-project/executor:debug
COPY ./cosign /usr/local/bin/cosign
COPY ./kaniko-chain.crt /kaniko/ssl/certs/ca-certificates.crt COPY ./kaniko-chain.crt /kaniko/ssl/certs/ca-certificates.crt
""" """
sh "cp /kaniko/ssl/certs/ca-certificates.crt \"${workspace}/kaniko-chain.crt\"" sh "cp /kaniko/ssl/certs/ca-certificates.crt \"${workspace}/kaniko-chain.crt\""
writeFile(file: workspace + "/Dockerfile", text: DF) writeFile(file: workspace + "/Dockerfile", text: DF)
sh "/kaniko/executor --context \"${workspace}\" -f \"${workspace}/Dockerfile\" --destination \"${repository}/library/kaniko:latest\"" sh "/kaniko/executor --context \"${workspace}\" -f \"${workspace}/Dockerfile\" --destination \"${repository}/library/kaniko:latest\""
withCredentials([
string(
credentialsId: dockerKeyPass,
variable: "signPass"
),
file(
credentialsId: dockerKey,
variable: "signKey"
)
]) {
sh "COSIGN_PASSWORD=\"${signPass}\" \"${workspace}/cosign\" sign --key \"${signKey}\" \"${repository}/library/kaniko:latest\""
}
} }
} }
} }
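Review bot: In the cosign invocation of the last hunk, the `signPass` and `signKey` credentials are interpolated into the `sh` string by Groovy (`\"${signPass}\"`, `\"${signKey}\"`), so their values are substituted into the command text before the shell runs it and can surface in the process command line and build output, where Jenkins credential masking is not guaranteed; referencing them as shell variables keeps the values out of the script text: `sh "COSIGN_PASSWORD=\"\$signPass\" \"${workspace}/cosign\" sign --key \"\$signKey\" \"${repository}/library/kaniko:latest\""`. The `workspace` and `repository` interpolations are not secrets and can stay as they are. Separately, the cosign binary fetched in the "Get Cosign" stage is resolved from the `latest` GitHub release with `--silent` and no `--fail`, so a failed download or a changed release would still be `chmod +x`'d and then baked into the image by the `COPY ./cosign /usr/local/bin/cosign` line without any checksum or signature check; pinning the cosign version and verifying the published checksum before `chmod +x` would make the signer itself trustworthy. The `${repository}/libary/alpine:latest` reference in the pod template looks like a typo for `library`, the project name used for the kaniko image in the later hunk.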