From 27cedaa566f141a6027a2fbf124f9a0c07222f1b Mon Sep 17 00:00:00 2001 From: The_Spider Date: Mon, 3 Jan 2022 10:43:34 -0600 Subject: [PATCH] adds cosign to kaniko --- build-kaniko.jenkins | 112 ++++++++++++++++++++++++------------------- 1 file changed, 64 insertions(+), 48 deletions(-) diff --git a/build-kaniko.jenkins b/build-kaniko.jenkins index 4418477..3467812 100644 --- a/build-kaniko.jenkins +++ b/build-kaniko.jenkins @@ -4,9 +4,9 @@ def repository = "registry.c.test-chamber-13.lan" def repositoryCreds = "harbor-repository-creds" podTemplate( - label: label, - name: "pipeline-worker", - yaml: """--- + label: label, + name: "pipeline-worker", + yaml: """--- apiVersion: v1 kind: Pod metadata: @@ -19,56 +19,72 @@ spec: tty: true command: - /busybox/cat + - name: alpine + imagePullPolicy: Always + image: ${repository}/library/alpine:latest + tty: true + command: + - /bin/sh """, ) { - node (label) { - def workspace = pwd() + node (label) { + def workspace = pwd() - stage ("Prepare Kaniko") { - container ("kaniko") { - withCredentials([usernameColonPassword( - credentialsId: repositoryCreds, - variable: "dCreds", - )]) { - def dockerJSON = """{ - "auths": { - "${repository}": { - "auth": "${dcreds.bytes.encodeBase64().toString()}" - } - } - }""" - sh """ - set +x - echo '${dockerJSON}' > /kaniko/.docker/config.json - printf '%s\\n' "-----BEGIN CERTIFICATE-----" \\ - "MIICLTCCAbOgAwIBAgIDAYagMAoGCCqGSM49BAMEME0xCzAJBgNVBAYTAlVTMScw" \\ - "JQYDVQQKDB5UZXN0IENoYW1iZXIgMTMgVHJ1c3QgU2VydmljZXMxFTATBgNVBAMM" \\ - "DFRDMTMgUm9vdCBSMTAgFw0xOTAxMDEwMDAwMDBaGA8yMDUwMDEwMTAwMDAwMFow" \\ - "TTELMAkGA1UEBhMCVVMxJzAlBgNVBAoMHlRlc3QgQ2hhbWJlciAxMyBUcnVzdCBT" \\ - "ZXJ2aWNlczEVMBMGA1UEAwwMVEMxMyBSb290IFIxMHYwEAYHKoZIzj0CAQYFK4EE" \\ - "ACIDYgAE8+/J1ECc0VHxTtGXFLnHJ3NGZ2SW38pp9wI58L5EQbHRLiezYuvkUbI/" \\ - "XGJjLnFdpgjo7W1FFlyhx5ITlCstUX5Sn9bLZiA0+mE0n6b8VwhXwkHlnIeRo7od" \\ - "Zu/OfSFjo2MwYTAdBgNVHQ4EFgQUrGqUJhyRp93wXF645VNtYatRk/AwHwYDVR0j" \\ - "BBgwFoAUrGqUJhyRp93wXF645VNtYatRk/AwDwYDVR0TAQH/BAUwAwEB/zAOBgNV" \\ - "HQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwQDaAAwZQIxAJdgskimDJkf/MGVRrKotmNC" \\ - "xdH/UVQfQppjIR9FAiGeFDr47thclYrzIL6yCkV7nwIwYjf3MbOm/yWblzqe3Uyw" \\ - "UOemMEg3PjcKNsN65W2WVon5HIZx2XVfGRPjf5ZTVWzZ" \\ - "-----END CERTIFICATE-----" >> /kaniko/ssl/certs/ca-certificates.crt - """ - } - } - } + stage ("Get CoSign") { + container ("alpine") { + sh """ + apk add --no-cache curl jq + curl --silent --location "\$(curl --silent "https://api.github.com/repos/sigstore/cosign/releases/latest" | jq -r '.assets[0].browser_download_url')" -output "${workspace}/cosign" + chmod +x "${workspace}/cosign" + """ + } + } - stage("Build Alpine with CA") { - container("kaniko") { - def DF = """FROM gcr.io/kaniko-project/executor:debug + stage ("Prepare Kaniko") { + container ("kaniko") { + withCredentials([usernameColonPassword( + credentialsId: repositoryCreds, + variable: "dCreds", + )]) { + def dockerJSON = """{ + "auths": { + "${repository}": { + "auth": "${dcreds.bytes.encodeBase64().toString()}" + } + } + }""" + sh """ + set +x + echo '${dockerJSON}' > /kaniko/.docker/config.json + printf '%s\\n' "-----BEGIN CERTIFICATE-----" \\ + "MIICLTCCAbOgAwIBAgIDAYagMAoGCCqGSM49BAMEME0xCzAJBgNVBAYTAlVTMScw" \\ + "JQYDVQQKDB5UZXN0IENoYW1iZXIgMTMgVHJ1c3QgU2VydmljZXMxFTATBgNVBAMM" \\ + "DFRDMTMgUm9vdCBSMTAgFw0xOTAxMDEwMDAwMDBaGA8yMDUwMDEwMTAwMDAwMFow" \\ + "TTELMAkGA1UEBhMCVVMxJzAlBgNVBAoMHlRlc3QgQ2hhbWJlciAxMyBUcnVzdCBT" \\ + "ZXJ2aWNlczEVMBMGA1UEAwwMVEMxMyBSb290IFIxMHYwEAYHKoZIzj0CAQYFK4EE" \\ + "ACIDYgAE8+/J1ECc0VHxTtGXFLnHJ3NGZ2SW38pp9wI58L5EQbHRLiezYuvkUbI/" \\ + "XGJjLnFdpgjo7W1FFlyhx5ITlCstUX5Sn9bLZiA0+mE0n6b8VwhXwkHlnIeRo7od" \\ + "Zu/OfSFjo2MwYTAdBgNVHQ4EFgQUrGqUJhyRp93wXF645VNtYatRk/AwHwYDVR0j" \\ + "BBgwFoAUrGqUJhyRp93wXF645VNtYatRk/AwDwYDVR0TAQH/BAUwAwEB/zAOBgNV" \\ + "HQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwQDaAAwZQIxAJdgskimDJkf/MGVRrKotmNC" \\ + "xdH/UVQfQppjIR9FAiGeFDr47thclYrzIL6yCkV7nwIwYjf3MbOm/yWblzqe3Uyw" \\ + "UOemMEg3PjcKNsN65W2WVon5HIZx2XVfGRPjf5ZTVWzZ" \\ + "-----END CERTIFICATE-----" >> /kaniko/ssl/certs/ca-certificates.crt + """ + } + } + } + stage("Build Alpine with CA") { + container("kaniko") { + def DF = """FROM gcr.io/kaniko-project/executor:debug +COPY ./cosign /busybox/cosign COPY kaniko-chain.crt /kaniko/ssl/certs/ca-certificates.crt """ - sh "cp /kaniko/ssl/certs/ca-certificates.crt \"${workspace}/kaniko-chain.crt\"" - writeFile(file: workspace + "/Dockerfile", text: DF) - sh "/kaniko/executor --cleanup --context \"${workspace}\" -f \"${workspace}/Dockerfile\" --destination \"${repository}/library/kaniko:latest\"" - } - } - } + sh "cp /kaniko/ssl/certs/ca-certificates.crt \"${workspace}/kaniko-chain.crt\"" + writeFile(file: workspace + "/Dockerfile", text: DF) + sh "/kaniko/executor --cleanup --context \"${workspace}\" -f \"${workspace}/Dockerfile\" --destination \"${repository}/library/kaniko:latest\" --single-snapshot" + } + } + } } \ No newline at end of file