kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

cloudbuild: capture some hashes 

Aiming to create a "chain of trust"; from code to promotion PR.
Ideally we would get the promotion PRs output here, but we can start
by outputing the hashes needed.
This commit is contained in:
Justin SB 2021-03-29 10:00:10 -04:00
parent 50b89a0c25
commit 2b2fe2c584
2 changed files with 32 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
Makefile
View File

@ -927,3 +927,16 @@ kube-apiserver-healthcheck-manifest:
docker manifest create --amend ${DOCKER_REGISTRY}/${DOCKER_IMAGE_PREFIX}kube-apiserver-healthcheck:${KUBE_APISERVER_HEALTHCHECK_PUSH_TAG} ${DOCKER_REGISTRY}/${DOCKER_IMAGE_PREFIX}kube-apiserver-healthcheck:${KUBE_APISERVER_HEALTHCHECK_PUSH_TAG}-amd64 docker manifest create --amend ${DOCKER_REGISTRY}/${DOCKER_IMAGE_PREFIX}kube-apiserver-healthcheck:${KUBE_APISERVER_HEALTHCHECK_PUSH_TAG} ${DOCKER_REGISTRY}/${DOCKER_IMAGE_PREFIX}kube-apiserver-healthcheck:${KUBE_APISERVER_HEALTHCHECK_PUSH_TAG}-amd64
docker manifest create --amend ${DOCKER_REGISTRY}/${DOCKER_IMAGE_PREFIX}kube-apiserver-healthcheck:${KUBE_APISERVER_HEALTHCHECK_PUSH_TAG} ${DOCKER_REGISTRY}/${DOCKER_IMAGE_PREFIX}kube-apiserver-healthcheck:${KUBE_APISERVER_HEALTHCHECK_PUSH_TAG}-arm64 docker manifest create --amend ${DOCKER_REGISTRY}/${DOCKER_IMAGE_PREFIX}kube-apiserver-healthcheck:${KUBE_APISERVER_HEALTHCHECK_PUSH_TAG} ${DOCKER_REGISTRY}/${DOCKER_IMAGE_PREFIX}kube-apiserver-healthcheck:${KUBE_APISERVER_HEALTHCHECK_PUSH_TAG}-arm64
docker manifest push --purge ${DOCKER_REGISTRY}/${DOCKER_IMAGE_PREFIX}kube-apiserver-healthcheck:${KUBE_APISERVER_HEALTHCHECK_PUSH_TAG} docker manifest push --purge ${DOCKER_REGISTRY}/${DOCKER_IMAGE_PREFIX}kube-apiserver-healthcheck:${KUBE_APISERVER_HEALTHCHECK_PUSH_TAG}
#------------------------------------------------------
# CloudBuild artifacts
#
# We hash some artifacts, so that we have can know that they were not modified after being built.
.PHONY: cloudbuild-artifacts
cloudbuild-artifacts:
mkdir -p ${KOPS_ROOT}/cloudbuild/
cd ${BAZELUPLOAD}/kops/; find . -type f | sort | xargs sha256sum > ${KOPS_ROOT}/cloudbuild/files.sha256
cd ${KOPS_ROOT}/bazel-bin/; find . -name '*.digest' -type f | sort | xargs grep . > ${KOPS_ROOT}/cloudbuild/image-digests
# ${BUILDER_OUTPUT}/output is a special cloudbuild target; the first 4KB is captured securely
cd ${KOPS_ROOT}/cloudbuild/; find -type f | sort | xargs sha256sum > ${BUILDER_OUTPUT}/output

19
cloudbuild.yaml
View File

@ -49,6 +49,21 @@ steps:
- kops-controller-manifest - kops-controller-manifest
- dns-controller-manifest - dns-controller-manifest
- kube-apiserver-healthcheck-manifest - kube-apiserver-healthcheck-manifest
# Build cloudbuild artifacts (for attestation)
- name: 'gcr.io/k8s-testimages/kubekins-e2e:v20210113-cc576af-experimental'
id: cloudbuild-artifacts
entrypoint: make
env:
# _GIT_TAG is not a valid semver, we use CI=1 instead
# - VERSION=$_GIT_TAG
- CI=$_CI
- PULL_BASE_REF=$_PULL_BASE_REF
- DOCKER_REGISTRY=$_DOCKER_REGISTRY
- DOCKER_IMAGE_PREFIX=$_DOCKER_IMAGE_PREFIX
- GCS_LOCATION=$_GCS_LOCATION
- LATEST_FILE=markers/${_PULL_BASE_REF}/latest-ci.txt
args:
- cloudbuild-artifacts
substitutions: substitutions:
# _GIT_TAG will be filled with a git-based tag for the image, of the form vYYYYMMDD-hash, and # _GIT_TAG will be filled with a git-based tag for the image, of the form vYYYYMMDD-hash, and
# can be used as a substitution # can be used as a substitution
@ -58,3 +73,7 @@ substitutions:
_DOCKER_REGISTRY: 'gcr.io' _DOCKER_REGISTRY: 'gcr.io'
_DOCKER_IMAGE_PREFIX: 'k8s-staging-kops/' _DOCKER_IMAGE_PREFIX: 'k8s-staging-kops/'
_GCS_LOCATION: 'gs://k8s-staging-kops/kops/releases/' _GCS_LOCATION: 'gs://k8s-staging-kops/kops/releases/'
artifacts:
objects:
location: '$_GCS_LOCATION/$_GIT_TAG/cloudbuild/'
paths: ["cloudbuild/*"]