Running pods in OpenShift with AWS IAM Roles for service accounts (IRSA)
Documentation about the components that comprise a keyless Sigstore system is available in the sigstore documentation.
This describes how to launch a Sigstore stack in OpenShift. AWS STS is used to create workload identity tokens for service accounts. Sigstore is configured to use the service account OIDC Identity Token to pass to Fulcio to authenticate requests.
You must have cluster-admin privileges to deploy the Sigstore stack.
The Sigstore helm-charts will be used to deploy Sigstore components in OpenShift.
Open fulcio-create-CA script to check out the commands before running it.
The openssl commands are interactive.
./fulcio-create-root-ca-openssl.sh
oc create ns fulcio-system
oc -n fulcio-system create secret generic fulcio-secret-rh --from-file=private=file_ca_key.pem --from-file=public=file_ca_pub.pem --from-file=cert=fulcio-root.pem --from-literal=password=secure --dry-run=client -o yaml | oc apply -f-Edit the local values.yaml file
Run something like the following to view your cluster's cluster-domain
oc get dnsrecords -o yaml -n openshift-ingress-operator | grep dnsNameEdit the values.yaml file accordingly.
Rather than use custom charts with added necessary SCCs, use this script
helm upgrade -i scaffolding sigstore/scaffold -f values.yaml && ./anyuid-scc.shWatch as the stack rolls out.
You might follow the logs from the fulcio-server deployment in -n fulcio-system.
oc new-project sigstore-test
# If using keyless signing, you do not need to generate a signing key, but the pod.yaml expects this secret so update accordingly
# For the signing key, I use the password 'secure', and COSIGN_PASSWORD is hard-coded in pod.yaml so update accordingly
cosign generate-key-pair k8s://sigstore-test/cosign-keypair
# To push signatures to registries, cosign requires push access
oc create secret generic -n sigstore-test --from-file /path/to/your/registry/auth/config.json cosign-login
# Inspect the pod.yaml and make any necessary changes
oc apply -f ROSA/sts-sa.yaml -n sigstore-test
oc apply -f ROSA/pod.yaml -n sigstore-testFinally, cosign can be used in the pod to sign and verify artifacts.
As a PoC, here we will exec into signer-identity -n sigstore-test pod and running the following:
oc exec -it signer-identity -n sigstore-test -- shEither use a cosign signing key or leverage fulcio's ability to generate ephemeral keys
cosign sign \
--fulcio-url=$FULCIO_URL \
--identity-token=$(cat $AWS_WEB_IDENTITY_TOKEN_FILE) \
--rekor-url=$REKOR_URL quay.io/your/imagecosign sign --rekor-url=$REKOR_URL --key /cosign/key/cosign.key quay.io/your/imagecosign sign \
--fulcio-url=$FULCIO_URL \
--identity-token=$(cat $AWS_WEB_IDENTITY_TOKEN_FILE) \
--rekor-url=$REKOR_URL \
--issue-certificate \
--key /cosign/key/cosign.key quay.io/your/imageNote If a self-managed key was passed to fulcio to issue a digital certificate, either of the following will verify the signing
# To verify against the cosign signing key (if not using keyless signing), extract the public key
oc extract --keys cosign.pub secret/cosign-keypair -n sigstore-test
# Verify with public key
cosign verify quay.io/your/image --key ./cosign.pub
# If a fulcio certificate was issued, either with ephemeral keys or a self-managed cosign-keypair
cosign verify quay.io/your/image \
--certificate-oidc-issuer https://rh-oidc.s3.us-east-1.amazonaws.com/21o4ml1f5kchd6ee9nmh5dhc6efqba38 \
--certificate-identity-regexp sigstore-testTODO:
- Document plugging into a cluster build pipeline
- Integrate with a controller