From a1e9eb775545318e3ae69a008dbea5ee23e9cd8c Mon Sep 17 00:00:00 2001
From: Zbynek Roubalik <726523+zroubalik@users.noreply.github.com>
Date: Fri, 21 Jan 2022 16:00:39 +0100
Subject: [PATCH] Sign KEDA images published on GitHub Container Registry (#2501)

Signed-off-by: Zbynek Roubalik
---
 .github/workflows/release-build.yml | 13 +++++++++++++
 CHANGELOG.md | 1 +
 Makefile | 6 ++++++
 3 files changed, 20 insertions(+)

diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
index 046917eb25e..8f54c3fe6a4 100644
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -65,6 +65,19 @@ jobs:
 env:
 VERSION: ${{ steps.get_version.outputs.VERSION }}
 
+ # https://github.com/sigstore/cosign-installer
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@main
+ with:
+ cosign-release: 'v1.4.1'
+ - name: Check Cosign install!
+ run: cosign version
+
+ - name: Sign KEDA images published on GitHub Container Registry
+ # This step uses the identity token to provision an ephemeral certificate
+ # against the sigstore community Fulcio instance.
+ run: make sign-images
+
 - name: Publish KEDA images on Docker Hub
 run: make publish-dockerhub
 env:
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c57edd55f3a..73fa202bdf2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
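Review bot: `uses: sigstore/cosign-installer@main` in the new Install Cosign step pulls the installer from a moving branch, so the tool that signs the release images can change under the workflow without any review; pin it to a release tag or, better, a full commit SHA, e.g. `uses: sigstore/cosign-installer@<pinned-tag-or-commit-sha>`. The `cosign-release: 'v1.4.1'` input pins the cosign binary but not the action code that downloads and verifies it, so both need pinning. The step comment says the identity token is used to obtain an ephemeral certificate; that keyless flow needs `id-token: write` in the job's `permissions`, which lies outside this hunk, so confirm it is granted there. The step name `Check Cosign install!` would read more consistently with the other steps as `Check Cosign install`.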
@@ -31,6 +31,7 @@
 
 - **General:** `keda-operator` Cluster Role: add `list` and `watch` access to service accounts ([#2406](https://github.com/kedacore/keda/pull/2406))|([#2410](https://github.com/kedacore/keda/pull/2410))
 - **General:** Delete the cache entry when a ScaledObject is deleted ([#2408](https://github.com/kedacore/keda/pull/2408))
+- **General:** Sign KEDA images published on GitHub Container Registry ([#2501](https://github.com/kedacore/keda/pull/2501))
 - **Azure Pipelines Scaler:** support `poolName` or `poolID` validation ([#2370](https://github.com/kedacore/keda/pull/2370))
 - **Graphite Scaler:** use the latest datapoint returned, not the earliest ([#2365](https://github.com/kedacore/keda/pull/2365))
 - **Kubernetes Workload Scaler:** ignore terminated pods ([#2384](https://github.com/kedacore/keda/pull/2384))
diff --git a/Makefile b/Makefile
index 4700f180e82..51289e99cd0 100644
--- a/Makefile
+++ b/Makefile
@@ -43,6 +43,8 @@ endif
 GO_BUILD_VARS= GO111MODULE=on CGO_ENABLED=$(CGO) GOOS=$(TARGET_OS) GOARCH=$(ARCH)
 GO_LDFLAGS="-X=github.com/kedacore/keda/v2/version.GitCommit=$(GIT_COMMIT) -X=github.com/kedacore/keda/v2/version.Version=$(VERSION)"
 
+COSIGN_FLAGS ?= -a GIT_HASH=${GIT_COMMIT} -a GIT_VERSION=${VERSION} -a BUILD_DATE=${DATE}
+
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
 ENVTEST_K8S_VERSION = 1.22
 
@@ -191,6 +193,10 @@ release: manifests kustomize set-version ## Produce new KEDA release in keda-$(V
 rm -rf config/default/kustomize-config/metadataLabelTransformer.yaml.out
 $(KUSTOMIZE) build config/default > keda-$(VERSION).yaml
 
+sign-images: ## Sign KEDA images published on GitHub Container Registry
+ COSIGN_EXPERIMENTAL=1 cosign sign ${COSIGN_FLAGS} $(IMAGE_CONTROLLER)
+ COSIGN_EXPERIMENTAL=1 cosign sign ${COSIGN_FLAGS} $(IMAGE_ADAPTER)
+
 .PHONY: set-version
 set-version:
 @sed -i".out" -e 's@Version[ ]*=.*@Version = "$(VERSION)"@g' ./version/version.go;
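Review bot: `COSIGN_FLAGS ?= -a GIT_HASH=${GIT_COMMIT} -a GIT_VERSION=${VERSION} -a BUILD_DATE=${DATE}` switches to `${VAR}` references while the neighbouring `GO_BUILD_VARS` and `GO_LDFLAGS` lines use `$(VAR)`; prefer `$(GIT_COMMIT)`, `$(VERSION)` and `$(DATE)` so the file stays in one style. `DATE` is not defined in this hunk; if it is not set elsewhere in the Makefile, the annotation silently becomes `BUILD_DATE=` because an undefined variable expands to empty, and a `$(if $(strip $(DATE)),,$(error DATE is empty))` guard next to the definition would catch that. A one-line comment such as `# Annotations recorded in each image signature; override with make COSIGN_FLAGS=...` would document why `?=` is used here.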
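Review bot: `sign-images` is not declared phony although the file declares `.PHONY: set-version` directly below it, so a stray file named `sign-images` in the working tree would make the target look up to date and skip signing entirely; add `.PHONY: sign-images` above the rule. Both recipe lines sign `$(IMAGE_CONTROLLER)` and `$(IMAGE_ADAPTER)`, which are defined outside the hunk and appear to be tag references; cosign resolves a tag at signing time, so the signature is bound to whatever digest the tag points at then, and a later push to the same tag is not covered by it. Signing the immutable digest reference instead (`<image>@sha256:<digest captured from the publish step>`, a placeholder) ties each signature to the exact artifact that was pushed; the digest would have to be exported by the publish step outside this hunk. A short recipe comment like `# Keyless signing: COSIGN_EXPERIMENTAL=1 makes cosign use the CI OIDC identity instead of a stored key` would explain the environment variable to the next maintainer.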