build-containers/build-cosign.jenkins

def label = "jenkins-${UUID.randomUUID().toString()}"

def localRegistry = "registry.cluster.test-chamber-13.lan"
def gcrRegistry = "gcr.io"

def kanikoRepository = "${localRegistry}/library/kaniko"
def kanikoTag = "latest"

def cosignRepository = "${gcrRegistry}/projectsigstore/cosign"
def cosignTag = "v0.4.0"

def repositoryCreds = "harbor-repository-creds"

podTemplate(
	label: label,
	name: "pipeline-worker",
	yaml: """---
apiVersion: v1
kind: Pod
metadata:
  name: pipeline-worker
spec:
  containers:
  - name: kaniko
    imagePullPolicy: Always
    image: "${kanikoRepository}:${kanikoTag}"
    tty: true
    command:
    - /busybox/cat
""",
) {
	node (label) {
		def workspace = pwd()

		stage ("Prepare Kaniko") {
			container ("kaniko") {
				withCredentials([usernameColonPassword(
					credentialsId: repositoryCreds,
					variable: "dCreds",
				)]) {
					def dockerJSON = """{
						"auths": {
							"${localRegistry}": {
								"auth": "${dcreds.bytes.encodeBase64().toString()}"
							}
						}
					}"""
					sh """
						set +x
						echo '${dockerJSON}' > /kaniko/.docker/config.json
					"""
				}
			}
		}

		stage("Build Latest Alpine with CA") {
			container("kaniko") {
				def DF = """FROM ${localRegistry}/library/alpine:latest as CERT_STORE
FROM ${cosignRepository}:${cosignTag}

COPY --from=CERT_STORE /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
"""
				writeFile(file: workspace + "/Dockerfile", text: DF)
				sh "/kaniko/executor --cleanup --context \"${workspace}\" -f \"${workspace}/Dockerfile\" --destination \"${localRegistry}/library/cosign:latest\""
			}
		}
	}
}