From 1cb20432b2178d2656f9a4e8547dfb82545a093a Mon Sep 17 00:00:00 2001 From: Maksim Khimchenko Date: Fri, 26 Jun 2026 13:38:19 +0300 Subject: [PATCH 01/10] Add VEX attestation infrastructure for module builds. Enable cosign OpenVEX signing via base/vex image, giterminism secrets for registry and Vault, and CI build credentials. Signed-off-by: Maksim Khimchenko --- .github/workflows/dev_build_precache.yml | 2 +- .github/workflows/dev_build_svace.yml | 4 +- .../dev_module_build-and-registration.yml | 2 +- .github/workflows/dev_module_build.yml | 4 +- .github/workflows/e2e-test-releases.yml | 4 +- .../release_module_build-and-registration.yml | 16 +- .../release_module_release-channels.yml | 8 +- .gitlab-ci.yml | 2 + .werf/defines/vex.tmpl | 143 ++++++++++++++++++ werf-giterminism.yaml | 14 ++ 10 files changed, 186 insertions(+), 13 deletions(-) create mode 100644 .werf/defines/vex.tmpl diff --git a/.github/workflows/dev_build_precache.yml b/.github/workflows/dev_build_precache.yml index 6406ddbd5e..3049ebee5e 100644 --- a/.github/workflows/dev_build_precache.yml +++ b/.github/workflows/dev_build_precache.yml @@ -66,7 +66,7 @@ jobs: registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} - - uses: deckhouse/modules-actions/build@v4 + - uses: deckhouse/modules-actions/build@v15 env: WERF_EXPERIMENTAL_IMPORT_BY_SOURCE_IMAGE_TAG: "true" with: diff --git a/.github/workflows/dev_build_svace.yml b/.github/workflows/dev_build_svace.yml index c31fef6c1a..5e0a4da61a 100644 --- a/.github/workflows/dev_build_svace.yml +++ b/.github/workflows/dev_build_svace.yml 
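Review bot: The build action moves from `@v4` to `@v15` by mutable tag, and with this series that step now receives registry (and, via the module build, Vault) credentials, so the supply-chain exposure of the action is higher than before. Eleven major versions at once is a large jump whose changes are not visible here; pin the action to a full commit SHA and keep the tag as a comment, e.g. `uses: deckhouse/modules-actions/build@<40-hex-commit-sha> # v15`, so a moved tag cannot silently swap the code that handles `registry_password`. The same applies to every other `build@v15` reference in this series. The enclosing job starts outside the hunk.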
@@ -111,11 +111,13 @@ jobs: registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} - - uses: deckhouse/modules-actions/build@v4 + - uses: deckhouse/modules-actions/build@v15 with: module_source: ${{ vars.DEV_MODULE_SOURCE}} module_name: ${{ vars.MODULE_NAME }} module_tag: ${{needs.set_vars.outputs.modules_module_tag}} + registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} + registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }} source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }} svace_enabled: "true" diff --git a/.github/workflows/dev_module_build-and-registration.yml b/.github/workflows/dev_module_build-and-registration.yml index b251cedb82..bd78e812a2 100644 --- a/.github/workflows/dev_module_build-and-registration.yml +++ b/.github/workflows/dev_module_build-and-registration.yml @@ -112,7 +112,7 @@ jobs: registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} - if: ${{ github.event.inputs.enableBuild == 'true' }} - uses: deckhouse/modules-actions/build@v4 + uses: deckhouse/modules-actions/build@v15 with: module_source: ${{ vars.DEV_MODULE_SOURCE}} module_name: ${{ vars.MODULE_NAME }} diff --git a/.github/workflows/dev_module_build.yml b/.github/workflows/dev_module_build.yml index 93088ddcc7..f3ee59e7c9 100644 --- a/.github/workflows/dev_module_build.yml +++ b/.github/workflows/dev_module_build.yml 
@@ -418,11 +418,13 @@ jobs: registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} - - uses: deckhouse/modules-actions/build@v4 + - uses: deckhouse/modules-actions/build@v15 with: module_source: ${{ vars.DEV_MODULE_SOURCE}} module_name: ${{ vars.MODULE_NAME }} module_tag: ${{needs.set_vars.outputs.modules_module_tag}} + registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} + registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }} source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }} svace_enabled: ${{ inputs.svace_enabled || contains(github.event.pull_request.labels.*.name, 'analyze/svace') }} diff --git a/.github/workflows/e2e-test-releases.yml b/.github/workflows/e2e-test-releases.yml index 8404c029a7..e4ec3ff351 100644 --- a/.github/workflows/e2e-test-releases.yml +++ b/.github/workflows/e2e-test-releases.yml @@ -196,11 +196,13 @@ jobs: registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} - - uses: deckhouse/modules-actions/build@v4 + - uses: deckhouse/modules-actions/build@v15 with: module_source: ${{ vars.DEV_MODULE_SOURCE }} module_name: ${{ vars.MODULE_NAME }} module_tag: ${{ matrix.module_tag }} + registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} + registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} source_repo: ${{ secrets.SOURCE_REPO_GIT }} source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }} diff --git a/.github/workflows/release_module_build-and-registration.yml b/.github/workflows/release_module_build-and-registration.yml index 8a2937c51f..dfeb005353 100644 --- a/.github/workflows/release_module_build-and-registration.yml +++ b/.github/workflows/release_module_build-and-registration.yml 
@@ -81,11 +81,13 @@ jobs: registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} - - uses: deckhouse/modules-actions/build@v4 + - uses: deckhouse/modules-actions/build@v15 with: module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }} module_name: ${{ vars.MODULE_NAME }} module_tag: ${{ github.ref_name }} + registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} + registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }} source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }} secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}" @@ -134,11 +136,13 @@ jobs: registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} - - uses: deckhouse/modules-actions/build@v4 + - uses: deckhouse/modules-actions/build@v15 with: module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }} module_name: ${{ vars.MODULE_NAME }} module_tag: ${{ github.ref_name }} + registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} + registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }} source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }} secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}" 
@@ -188,11 +192,13 @@ jobs: registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} - - uses: deckhouse/modules-actions/build@v4 + - uses: deckhouse/modules-actions/build@v15 with: module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }} module_name: ${{ vars.MODULE_NAME }} module_tag: ${{ github.ref_name }} + registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} + registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }} source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }} secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}" @@ -242,11 +248,13 @@ jobs: registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} - - uses: deckhouse/modules-actions/build@v4 + - uses: deckhouse/modules-actions/build@v15 with: module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }} module_name: ${{ vars.MODULE_NAME }} module_tag: ${{ github.ref_name }} + registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} + registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }} source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }} secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}" diff --git a/.github/workflows/release_module_release-channels.yml b/.github/workflows/release_module_release-channels.yml index f91ee80dea..fcbbd15080 100644 --- a/.github/workflows/release_module_release-channels.yml +++ b/.github/workflows/release_module_release-channels.yml @@ -205,7 +205,7 @@ jobs: registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} - if: ${{ inputs.enableBuild }} - uses: deckhouse/modules-actions/build@v4 + uses: deckhouse/modules-actions/build@v15 with: module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }} module_name: ${{ vars.MODULE_NAME }} 
@@ -271,7 +271,7 @@ jobs: registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} - if: ${{ inputs.enableBuild }} - uses: deckhouse/modules-actions/build@v4 + uses: deckhouse/modules-actions/build@v15 with: module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }} module_name: ${{ vars.MODULE_NAME }} @@ -330,7 +330,7 @@ jobs: registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} - if: ${{ inputs.enableBuild }} - uses: deckhouse/modules-actions/build@v4 + uses: deckhouse/modules-actions/build@v15 with: module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }} module_name: ${{ vars.MODULE_NAME }} @@ -393,7 +393,7 @@ jobs: registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} - if: ${{ inputs.enableBuild }} - uses: deckhouse/modules-actions/build@v4 + uses: deckhouse/modules-actions/build@v15 with: module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }} module_name: ${{ vars.MODULE_NAME }} diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 2ad3e5a2df..56b28affbb 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -119,6 +119,8 @@ before_script: # Vars ================================================================================================================= variables: + REGISTRY_USER: ${MODULES_DEV_REGISTRY_LOGIN} + REGISTRY_PASSWORD: ${MODULES_DEV_REGISTRY_PASSWORD} MODULES_MODULE_NAME: virtualization # DEV registry diff --git a/.werf/defines/vex.tmpl b/.werf/defines/vex.tmpl new file mode 100644 index 0000000000..f1571f99eb --- /dev/null +++ b/.werf/defines/vex.tmpl 
@@ -0,0 +1,143 @@
+# put image with vex mitigations to registry.
+# Mitigations can be found in the known_vulnerabilities.vex file in the image directory
+# input parameters:
+# list of $ and image name.
+# list ($ "common/kubernetes")
+{{- define "vex mitigation" }}
+ {{- $context := index . 0 }}
+ {{- $imageName := index . 1 }}
+ {{- $knownVulnPath := "" }}
+ {{- $isVault := false }}
+ {{- if eq $imageName "dev" }}
+ {{- $knownVulnPath = "/deckhouse-controller/known_vulnerabilities.vex" }}
+ {{- else if eq $imageName "dev/install" }}
+ {{- $knownVulnPath = "/dhctl/known_vulnerabilities.vex" }}
+ {{- else if eq $imageName "bundle" }}
+ {{- $knownVulnPath = "/known_vulnerabilities.vex" }}
+ {{- else if hasKey $context "ModulePriority" }}
+ {{- $knownVulnPath = (printf "/%smodules/%s-%s/images/%s/known_vulnerabilities.vex" $context.ModulePath $context.ModulePriority $context.ModuleName $context.ImageName) }}
+ {{- else }}
+ {{- $knownVulnPath = (printf "/images/%s/known_vulnerabilities.vex" $context.ImageName) }}
+ {{- end }}
+ {{- $vexFile := false }}
+ {{- if eq (len ($context.Files.Glob $knownVulnPath)) 1 }}
+ {{- $vexFile = true }}
+ {{- end }}
+ {{- $werfSignKey := env "WERF_SIGN_KEY" "" }}
+ {{- $vaultKey := env "VAULT_KEY" "" }}
+ {{- $actionsIdToken := env "ACTIONS_ID_TOKEN_REQUEST_TOKEN" "" }}
+ {{- if or (ne $werfSignKey "") (ne $vaultKey "") (ne $actionsIdToken "") }}
+ {{- $isVault = true }}
+ {{- end }}
+ {{- if $vexFile }}
+---
+image: {{ $imageName }}-vex-artifact
+fromImage: base/vex
+final: true
+secrets:
+- id: REGISTRY_USER
+ env: REGISTRY_USER
+- id: REGISTRY_PASSWORD
+ env: REGISTRY_PASSWORD
+{{- if eq $isVault true }}
+{{- if ne $werfSignKey "" }}
+- id: VAULT_ADDR
+ env: VAULT_ADDR
+- id: VAULT_KEY
+ env: WERF_SIGN_KEY
+- id: VAULT_ROLE
+ env: WERF_VAULT_AUTH_ROLE
+- id: VAULT_JWT
+ env: WERF_VAULT_AUTH_JWT
+- id: TRANSIT_SECRET_ENGINE_PATH
+ env: TRANSIT_SECRET_ENGINE_PATH
+{{- else }}
+- id: VAULT_ADDR
+ env: VAULT_ADDR
+- id: VAULT_KEY
+ env: VAULT_KEY
+- id: VAULT_ROLE
+ env: VAULT_ROLE
+- id: TRANSIT_SECRET_ENGINE_PATH
+ env: TRANSIT_SECRET_ENGINE_PATH
+{{- if eq $actionsIdToken "" }}
+- id: VAULT_JWT
+ env: VAULT_ID_TOKEN
+{{- end }}
+{{- end }}
+{{- if ne $actionsIdToken "" }}
+- id: ACTIONS_ID_TOKEN_REQUEST_TOKEN
+ env: ACTIONS_ID_TOKEN_REQUEST_TOKEN
+- id: ACTIONS_ID_TOKEN_REQUEST_URL
+ env: ACTIONS_ID_TOKEN_REQUEST_URL
+{{- end }}
+{{- end }}
+git:
+- add: {{ $knownVulnPath }}
+ to: /known_vulnerabilities.vex
+ stageDependencies:
+ install:
+ - "**/*"
+dependencies:
+- image: {{ $imageName }}
+ before: install
+ imports:
+ - type: ImageDigest
+ targetEnv: IMAGE_DIGEST
+ - type: ImageRepo
+ targetEnv: IMAGE_REPO
+shell:
+ install:
+ - export REGISTRY_USER="$(cat /run/secrets/REGISTRY_USER)"
+ - export REGISTRY_PASSWORD="$(cat /run/secrets/REGISTRY_PASSWORD)"
+{{- if $isVault }}
+ - export VAULT_ADDR="$(cat /run/secrets/VAULT_ADDR)"
+ - export VAULT_ROLE="$(cat /run/secrets/VAULT_ROLE)"
+ - export TRANSIT_SECRET_ENGINE_PATH="$(cat /run/secrets/TRANSIT_SECRET_ENGINE_PATH)"
+ - VAULT_KEY=$(cat /run/secrets/VAULT_KEY)
+ - export VAULT_KEY="hashivault://${VAULT_KEY#hashivault://}"
+{{- if ne $actionsIdToken "" }}
+ - export ACTIONS_ID_TOKEN_REQUEST_TOKEN="$(cat /run/secrets/ACTIONS_ID_TOKEN_REQUEST_TOKEN)"
+ - export ACTIONS_ID_TOKEN_REQUEST_URL="$(cat /run/secrets/ACTIONS_ID_TOKEN_REQUEST_URL)"
+ - export VAULT_AUTH_PATH="github"
+ - >
+ export VAULT_JWT=$(jq -r .value <<< $(curl -fsH "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=github-access-aud" ))
+ - >
+ if [ -n "${VAULT_JWT}" ]; then
+ echo "Received Actions token";
+ else
+ echo "Actions token empty";
+ fi
+{{- else }}
+ - export VAULT_AUTH_PATH="fox"
+ - export VAULT_JWT="$(cat /run/secrets/VAULT_JWT)"
+{{- end }}
+ - >
+ export VAULT_TOKEN="$(curl -fX POST "${VAULT_ADDR}/v1/auth/${VAULT_AUTH_PATH}/login" -d '{"role":"'${VAULT_ROLE}'","jwt":"'${VAULT_JWT}'"}' | jq -r '.auth.client_token')"
+ - >
+ if [ -n "${VAULT_TOKEN}" ]; then
+ echo "Received Vault token";
+ else
+ echo "Vault token empty";
+ fi
+ - echo "Using predicate known_vulnerabilities.vex"
+{{- else }}
+ - |
+ echo -e "\033[33mWARNING!!! Cosign will sign attestation with self-generated key pair!\033[0m"
+ export COSIGN_PASSWORD=""
+ cosign generate-key-pair
+ export VAULT_KEY="cosign.key"
+{{- end }}
+ - |
+ cosign attest \
+ --replace \
+ --registry-username="${REGISTRY_USER}" \
+ --registry-password="${REGISTRY_PASSWORD}" \
+ --predicate /known_vulnerabilities.vex \
+ --type openvex \
+ --key ${VAULT_KEY} \
+ --tlog-upload=false \
+ -y -d \
+ "${IMAGE_REPO}@${IMAGE_DIGEST}"
+ {{- end }}
+{{- end }}
diff --git a/werf-giterminism.yaml b/werf-giterminism.yaml
index ee82bc554f..7be1aea499 100644
--- a/werf-giterminism.yaml
+++ b/werf-giterminism.yaml
@@ -13,6 +13,9 @@ config:
 - SVACE_ANALYZE_HOST
 - SVACE_ANALYZE_SSH_USER
 - DEBUG_COMPONENT
+ - ACTIONS_ID_TOKEN_REQUEST_TOKEN
+ - VAULT_KEY
+ - WERF_SIGN_KEY
 stapel:
 mount:
 allowBuildDir: true
@@ -25,6 +28,17 @@ config:
 - GOPROXY
 - DISTRO_PACKAGES_PROXY
 helm:
+ allowEnvVariables:
+ - REGISTRY_USER
+ - REGISTRY_PASSWORD
+ - VAULT_ADDR
+ - WERF_SIGN_KEY
+ - WERF_VAULT_AUTH_ROLE
+ - WERF_VAULT_AUTH_JWT
+ - TRANSIT_SECRET_ENGINE_PATH
+ - ACTIONS_ID_TOKEN_REQUEST_TOKEN
+ - ACTIONS_ID_TOKEN_REQUEST_URL
+
 allowUncommittedFiles:
 - "Chart.lock"
 - "charts/*.tgz"
From 950c98f770f7416b2f2f4470a0cfa01eea4ccf5e Mon Sep 17 00:00:00 2001
From: Maksim Khimchenko
Date: Fri, 26 Jun 2026 15:40:55 +0300
Subject: [PATCH 02/10] Fix VEX build: correct vex include and/or REGISTRY credentials in CI.
Signed-off-by: Maksim Khimchenko
---
 .gitlab-ci.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 56b28affbb..6c8a81575a 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
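Review bot: The `{{- else }}` branch ahead of `cosign attest` runs whenever none of `WERF_SIGN_KEY`, `VAULT_KEY` or `ACTIONS_ID_TOKEN_REQUEST_TOKEN` is set, generates a throwaway key pair with an empty `COSIGN_PASSWORD`, and still publishes the attestation with `--replace`, so an attestation nobody can verify is pushed to the registry and can overwrite a previously Vault-signed one for the same digest. The generated `cosign.key` is also left in the build container's working directory of an image declared `final: true`, so it presumably ends up in the published `-vex-artifact` layer (the install stage's cwd is not visible here — confirm). In the same way the `VAULT_JWT` and `VAULT_TOKEN` checks only `echo` on an empty value and let the build proceed to `cosign attest` with an unusable signer. Fail closed: `exit 1` when a token is empty, and refuse to attest without a configured signer (if unsigned local builds are wanted, gate the fallback behind an explicit opt-in variable rather than the mere absence of CI secrets); dropping `-d` from the production invocation would also keep cosign's verbose debug output out of CI logs. The `define` block is complete within this hunk.
```yaml
  - >
    if [ -n "${VAULT_TOKEN}" ]; then
      echo "Received Vault token";
    else
      echo "Vault token empty" >&2; exit 1;
    fi
  - echo "Using predicate known_vulnerabilities.vex"
{{- else }}
  - |
    echo "ERROR: no signing key configured (WERF_SIGN_KEY / VAULT_KEY / ACTIONS_ID_TOKEN_REQUEST_TOKEN); refusing to publish an attestation signed by an ephemeral key" >&2
    exit 1
{{- end }}
# … unchanged: cosign attest invocation (without -d) …
```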
@@ -139,6 +139,8 @@ variables: MODULES_REGISTRY_PASSWORD: ${EXTERNAL_MODULES_PROD_REGISTRY_PASSWORD} MODULES_REGISTRY: registry-write.deckhouse.io MODULES_MODULE_SOURCE: ${MODULES_REGISTRY}/deckhouse/${EDITION}/modules + REGISTRY_USER: ${MODULES_REGISTRY_LOGIN} + REGISTRY_PASSWORD: ${MODULES_REGISTRY_PASSWORD} ENV: PROD # Templates ============================================================================================================ From 68a982085f7e4949afdc889767d21f9f764ca2b5 Mon Sep 17 00:00:00 2001 From: Maksim Khimchenko Date: Fri, 26 Jun 2026 15:44:18 +0300 Subject: [PATCH 03/10] Fix VEX build: add REGISTRY_USER/PASSWORD to CI build jobs. Signed-off-by: Maksim Khimchenko --- .../release_module_build-and-registration.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/release_module_build-and-registration.yml b/.github/workflows/release_module_build-and-registration.yml index dfeb005353..4478ebdcdc 100644 --- a/.github/workflows/release_module_build-and-registration.yml +++ b/.github/workflows/release_module_build-and-registration.yml @@ -86,8 +86,8 @@ jobs: module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }} module_name: ${{ vars.MODULE_NAME }} module_tag: ${{ github.ref_name }} - registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} - registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} + registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }} + registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }} source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }} source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }} secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}" 
@@ -141,8 +141,8 @@ jobs: module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }} module_name: ${{ vars.MODULE_NAME }} module_tag: ${{ github.ref_name }} - registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} - registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} + registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }} + registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }} source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }} source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }} secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}" @@ -197,8 +197,8 @@ jobs: module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }} module_name: ${{ vars.MODULE_NAME }} module_tag: ${{ github.ref_name }} - registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} - registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} + registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }} + registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }} source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }} source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }} secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}" @@ -253,8 +253,8 @@ jobs: module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }} module_name: ${{ vars.MODULE_NAME }} module_tag: ${{ github.ref_name }} - registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} - registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} + registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }} + registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }} source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }} source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }} secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}" From ec8c6cb20864d35c54dbec1e1737bd3bc098ef0d Mon Sep 17 00:00:00 2001 
From: Maksim Khimchenko Date: Fri, 26 Jun 2026 16:11:51 +0300 Subject: [PATCH 04/10] Fix VEX build: set REGISTRY_USER/PASSWORD per dev and prod CI extends. Signed-off-by: Maksim Khimchenko --- .gitlab-ci.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 6c8a81575a..53aa2c439f 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -119,8 +119,6 @@ before_script: # Vars ================================================================================================================= variables: - REGISTRY_USER: ${MODULES_DEV_REGISTRY_LOGIN} - REGISTRY_PASSWORD: ${MODULES_DEV_REGISTRY_PASSWORD} MODULES_MODULE_NAME: virtualization # DEV registry From d1dea0d2cdec23dcec295ebd00dfdd88c4737d46 Mon Sep 17 00:00:00 2001 From: Maksim Khimchenko Date: Fri, 26 Jun 2026 16:14:53 +0300 Subject: [PATCH 05/10] Fix VEX build: set REGISTRY_USER/PASSWORD per dev and prod CI extends. Signed-off-by: Maksim Khimchenko --- .gitlab-ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 53aa2c439f..1662e35a1f 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -128,6 +128,8 @@ variables: MODULES_REGISTRY_PASSWORD: ${EXTERNAL_MODULES_DEV_REGISTRY_PASSWORD} MODULES_REGISTRY: dev-registry.deckhouse.io MODULES_MODULE_SOURCE: ${MODULES_REGISTRY}/sys/deckhouse-oss/modules + REGISTRY_USER: ${MODULES_REGISTRY_LOGIN} + REGISTRY_PASSWORD: ${MODULES_REGISTRY_PASSWORD} ENV: DEV # PROD registry From d65e7a858c6f1fadf43930df0241b1d0e6de696c Mon Sep 17 00:00:00 2001 From: Maksim Khimchenko <39365040+himax1991@users.noreply.github.com> Date: Fri, 26 Jun 2026 17:13:08 +0300 Subject: [PATCH 06/10] fix werf-giterminism Signed-off-by: Maksim Khimchenko <39365040+himax1991@users.noreply.github.com> --- werf-giterminism.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/werf-giterminism.yaml b/werf-giterminism.yaml index 7be1aea499..6c71495f7a 100644 --- a/werf-giterminism.yaml +++ b/werf-giterminism.yaml 
@@ -13,9 +13,9 @@ config: - SVACE_ANALYZE_HOST - SVACE_ANALYZE_SSH_USER - DEBUG_COMPONENT - - ACTIONS_ID_TOKEN_REQUEST_TOKEN - - VAULT_KEY - - WERF_SIGN_KEY + - ACTIONS_ID_TOKEN_REQUEST_TOKEN + - VAULT_KEY + - WERF_SIGN_KEY stapel: mount: allowBuildDir: true From b86047187c9d71725099c6ce64f81b5fd5b3392c Mon Sep 17 00:00:00 2001 From: Maksim Khimchenko Date: Fri, 26 Jun 2026 17:15:28 +0300 Subject: [PATCH 07/10] fix wef-giterminism section Signed-off-by: Maksim Khimchenko --- werf-giterminism.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/werf-giterminism.yaml b/werf-giterminism.yaml index 6c71495f7a..8f9e954dd2 100644 --- a/werf-giterminism.yaml +++ b/werf-giterminism.yaml @@ -1,7 +1,7 @@ giterminismConfigVersion: 1 config: goTemplateRendering: # The rules for the Go-template functions - allowEnvVariables: + allowEnvVariables: - /CI_.+/ - GOPROXY - MODULES_MODULE_TAG @@ -27,7 +27,6 @@ config: - DECKHOUSE_PRIVATE_REPO - GOPROXY - DISTRO_PACKAGES_PROXY -helm: allowEnvVariables: - REGISTRY_USER - REGISTRY_PASSWORD @@ -38,7 +37,7 @@ helm: - TRANSIT_SECRET_ENGINE_PATH - ACTIONS_ID_TOKEN_REQUEST_TOKEN - ACTIONS_ID_TOKEN_REQUEST_URL - +helm: allowUncommittedFiles: - "Chart.lock" - "charts/*.tgz" From 18a88d781ab1b558b67be76e7182b8d0ae88a2bb Mon Sep 17 00:00:00 2001 From: Nikita Korolev Date: Wed, 1 Jul 2026 16:32:28 +0300 Subject: [PATCH 08/10] build(werf): add base/vex image for VEX attestation infrastructure Define the base/vex image consumed by the "vex mitigation" template (.werf/defines/vex.tmpl). Placed in werf.yaml rather than a separate .werf/*.yaml file so its tools/* imports (cosign, jq, curl, bash) are discovered by parse_base_images_map, which scans only werf.yaml and images/*/werf.inc.yaml. Validated with 'werf config render --dev'. Signed-off-by: Nikita Korolev --- werf.yaml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/werf.yaml b/werf.yaml index 69521a1dc4..d11c7f47a6 100644 --- a/werf.yaml 
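Review bot: After the second hunk of this patch the moved `allowEnvVariables:` list (`REGISTRY_USER` … `ACTIONS_ID_TOKEN_REQUEST_URL`) sits directly after the list that ends with `- DISTRO_PACKAGES_PROXY`, i.e. inside the mapping that already carries an `allowEnvVariables` key; indentation is lost in this rendering, but if both keys are at the same level the mapping has a duplicate key, which YAML parsers either reject or resolve last-wins, silently dropping `DECKHOUSE_PRIVATE_REPO`, `GOPROXY` and `DISTRO_PACKAGES_PROXY` from the allow-list. Merge the new entries into the existing list instead of introducing a second key: append `- REGISTRY_USER`, `- REGISTRY_PASSWORD`, … directly after `- DISTRO_PACKAGES_PROXY`. It is also worth confirming which giterminism section that list belongs to, since the `secrets:` directive in `.werf/defines/vex.tmpl` is what consumes these names and they were never needed under `helm:`.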
+++ b/werf.yaml @@ -12,6 +12,35 @@ build: # Base Images {{- include "parse_base_images_map" . }} --- +# Base image for VEX attestations (cosign attest --type openvex). +# Consumed by the "vex mitigation" template in .werf/defines/vex.tmpl. +# Defined here (not in .werf/*.yaml) so its tools/* imports are discovered +# by parse_base_images_map, which scans only werf.yaml and images/*/werf.inc.yaml. +image: base/vex +fromImage: tools/coreutils +final: false +import: +- image: builder/alpine + add: /etc/ssl/certs/ca-certificates.crt + to: /etc/ssl/certs/ca-certificates.crt + before: install +- image: tools/cosign + add: /usr/bin/cosign + to: /usr/bin/cosign + before: install +- image: tools/jq + add: /usr/bin/jq + to: /usr/bin/jq + before: install +- image: tools/curl + add: /usr/bin/curl-static + to: /usr/bin/curl + before: install +- image: tools/bash + add: /usr/bin/bash + to: /bin/bash + before: install +--- # Source repo settings {{- $_ := set . "SOURCE_REPO" (env "SOURCE_REPO" "https://github.com") }} From a6a7951ea43fb95a51b9418348503198efe8699e Mon Sep 17 00:00:00 2001 From: Maksim Khimchenko Date: Thu, 2 Jul 2026 10:54:58 +0300 Subject: [PATCH 09/10] exclude vex artifact image from images-digests Signed-off-by: Maksim Khimchenko --- werf.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/werf.yaml b/werf.yaml index d11c7f47a6..02174aa99b 100644 --- a/werf.yaml +++ b/werf.yaml @@ -60,6 +60,7 @@ import: {{- $_ := set . "ImagesIDList" list }} + {{- range $path, $content := .Files.Glob ".werf/*.yaml" }} {{- tpl $content $ }} {{- end }} 
@@ -69,13 +70,16 @@ image: images-digests fromImage: builder/alpine dependencies: {{- range $ImageID := $.ImagesIDList }} + {{- $ImageName := $ImageID | splitList "/" | last }} {{- $ImageNameCamel := $ImageID | splitList "/" | last | camelcase | untitle }} + {{- if eq $ImageName (trimSuffix "-vex-artifact" $ImageName) }} - image: {{ $ImageID }} before: setup imports: - type: ImageDigest targetEnv: MODULE_IMAGE_DIGEST_{{ $ImageNameCamel }} {{- end }} + {{- end }} import: - from: tools/jq add: /usr/bin/jq From 40727ccd026192df6aa8e13eb6754bb6614ddd6c Mon Sep 17 00:00:00 2001 From: Maksim Khimchenko Date: Thu, 2 Jul 2026 11:00:15 +0300 Subject: [PATCH 10/10] add action inputs Signed-off-by: Maksim Khimchenko --- .github/workflows/dev_build_precache.yml | 2 ++ .github/workflows/dev_module_build-and-registration.yml | 2 ++ .github/workflows/release_module_release-channels.yml | 8 ++++++++ 3 files changed, 12 insertions(+) diff --git a/.github/workflows/dev_build_precache.yml b/.github/workflows/dev_build_precache.yml index 3049ebee5e..ee6f3df83a 100644 --- a/.github/workflows/dev_build_precache.yml +++ b/.github/workflows/dev_build_precache.yml @@ -75,6 +75,8 @@ jobs: module_tag: ${{ steps.modules_module_tag.outputs.MODULES_MODULE_TAG }} source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO}} source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }} + registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} + registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} - name: Cleanup Docker config run: | diff --git a/.github/workflows/dev_module_build-and-registration.yml b/.github/workflows/dev_module_build-and-registration.yml index bd78e812a2..28844b02b3 100644 --- a/.github/workflows/dev_module_build-and-registration.yml +++ b/.github/workflows/dev_module_build-and-registration.yml 
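Review bot: `{{- if eq $ImageName (trimSuffix "-vex-artifact" $ImageName) }}` expresses "does not end with" through a round-trip comparison, which a reader has to unpick; `{{- if not (hasSuffix "-vex-artifact" $ImageName) }}` states the intent directly, and `$ImageNameCamel` can then be derived from `$ImageName` instead of splitting `$ImageID` a second time. A one-line template comment would also explain why the exclusion exists, e.g. `{{- /* *-vex-artifact images only carry the OpenVEX attestation for their parent image; they are not module images and must not be listed in images-digests */ }}`. The `images-digests` image definition continues outside the hunk.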
@@ -120,6 +120,8 @@ jobs: source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }} source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }} secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}" + registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }} + registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }} - name: Cleanup Docker config run: | diff --git a/.github/workflows/release_module_release-channels.yml b/.github/workflows/release_module_release-channels.yml index fcbbd15080..02c9528a1d 100644 --- a/.github/workflows/release_module_release-channels.yml +++ b/.github/workflows/release_module_release-channels.yml @@ -213,6 +213,8 @@ jobs: source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }} source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }} secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}" + registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }} + registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }} - uses: deckhouse/modules-actions/deploy@v2 with: @@ -279,6 +281,8 @@ jobs: source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }} source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }} secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}" + registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }} + registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }} - uses: deckhouse/modules-actions/deploy@v2 with: @@ -338,6 +342,8 @@ jobs: source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }} source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }} secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}" + registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }} + registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }} - uses: deckhouse/modules-actions/deploy@v2 with: 
@@ -401,6 +407,8 @@ jobs: source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }} source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }} secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}" + registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }} + registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }} - uses: deckhouse/modules-actions/deploy@v2 with: