4 changes: 3 additions & 1 deletion .github/workflows/dev_build_precache.yml
Expand Up @@ -66,7 +66,7 @@ jobs:
registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}

- uses: deckhouse/modules-actions/build@v4
- uses: deckhouse/modules-actions/build@v15
env:
WERF_EXPERIMENTAL_IMPORT_BY_SOURCE_IMAGE_TAG: "true"
with:
Expand All @@ -75,6 +75,8 @@ jobs:
module_tag: ${{ steps.modules_module_tag.outputs.MODULES_MODULE_TAG }}
source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO}}
source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}

- name: Cleanup Docker config
run: |
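Review bot: The build step at `- uses: deckhouse/modules-actions/build@v15` now receives a write-capable registry credential through `registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}`, yet the action is still referenced by a mutable tag, so whoever can move the `v15` tag in that repository runs code with this secret. Pin the action to a full commit SHA and keep the tag as a trailing comment, `uses: deckhouse/modules-actions/build@<full-commit-sha>  # v15`, and let Dependabot or Renovate follow the tag. The same applies to the build steps in dev_build_svace.yml, dev_module_build-and-registration.yml, dev_module_build.yml, e2e-test-releases.yml, release_module_build-and-registration.yml and release_module_release-channels.yml. The job these steps belong to starts above the hunk.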
4 changes: 3 additions & 1 deletion .github/workflows/dev_build_svace.yml
Expand Up @@ -111,11 +111,13 @@ jobs:
registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}

- uses: deckhouse/modules-actions/build@v4
- uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ vars.DEV_MODULE_SOURCE}}
module_name: ${{ vars.MODULE_NAME }}
module_tag: ${{needs.set_vars.outputs.modules_module_tag}}
registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }}
source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
svace_enabled: "true"
4 changes: 3 additions & 1 deletion .github/workflows/dev_module_build-and-registration.yml
Expand Up @@ -112,14 +112,16 @@ jobs:
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}

- if: ${{ github.event.inputs.enableBuild == 'true' }}
uses: deckhouse/modules-actions/build@v4
uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ vars.DEV_MODULE_SOURCE}}
module_name: ${{ vars.MODULE_NAME }}
module_tag: ${{ steps.get-tag.outputs.MODULES_MODULE_TAG }}
source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }}
source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}"
registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}

- name: Cleanup Docker config
run: |
4 changes: 3 additions & 1 deletion .github/workflows/dev_module_build.yml
Expand Up @@ -418,11 +418,13 @@ jobs:
registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}

- uses: deckhouse/modules-actions/build@v4
- uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ vars.DEV_MODULE_SOURCE}}
module_name: ${{ vars.MODULE_NAME }}
module_tag: ${{needs.set_vars.outputs.modules_module_tag}}
registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }}
source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
svace_enabled: ${{ inputs.svace_enabled || contains(github.event.pull_request.labels.*.name, 'analyze/svace') }}
4 changes: 3 additions & 1 deletion .github/workflows/e2e-test-releases.yml
Expand Up @@ -196,11 +196,13 @@ jobs:
registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}

- uses: deckhouse/modules-actions/build@v4
- uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ vars.DEV_MODULE_SOURCE }}
module_name: ${{ vars.MODULE_NAME }}
module_tag: ${{ matrix.module_tag }}
registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
source_repo: ${{ secrets.SOURCE_REPO_GIT }}
source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}

16 changes: 12 additions & 4 deletions .github/workflows/release_module_build-and-registration.yml
Expand Up @@ -81,11 +81,13 @@ jobs:
registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}

- uses: deckhouse/modules-actions/build@v4
- uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
module_name: ${{ vars.MODULE_NAME }}
module_tag: ${{ github.ref_name }}
registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }}
source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }}
source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}"
Expand Down Expand Up @@ -134,11 +136,13 @@ jobs:
registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}

- uses: deckhouse/modules-actions/build@v4
- uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
module_name: ${{ vars.MODULE_NAME }}
module_tag: ${{ github.ref_name }}
registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }}
source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }}
source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}"
Expand Down Expand Up @@ -188,11 +192,13 @@ jobs:
registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}

- uses: deckhouse/modules-actions/build@v4
- uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
module_name: ${{ vars.MODULE_NAME }}
module_tag: ${{ github.ref_name }}
registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }}
source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }}
source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}"
Expand Down Expand Up @@ -242,11 +248,13 @@ jobs:
registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}

- uses: deckhouse/modules-actions/build@v4
- uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
module_name: ${{ vars.MODULE_NAME }}
module_tag: ${{ github.ref_name }}
registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }}
source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }}
source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}"
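Review bot: Every build step in this file now gets `registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }}` / `registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }}`, while the login step a few lines above it in each hunk authenticates with `DEV_MODULES_REGISTRY_LOGIN` / `DEV_MODULES_REGISTRY_PASSWORD`. The split may be intended if the action itself pushes to the release registry with these inputs, but it reads like a copy-paste slip, and a prod login step, if one exists, is outside the hunk. A comment above the two new inputs stating the fact would prevent the next reader from "fixing" it, e.g. `# PROD registry credentials for the build action; the login step above uses the DEV registry`. The same pairing appears in all four build steps of release_module_release-channels.yml. Each job starts above its hunk.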
16 changes: 12 additions & 4 deletions .github/workflows/release_module_release-channels.yml
Expand Up @@ -205,14 +205,16 @@ jobs:
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}

- if: ${{ inputs.enableBuild }}
uses: deckhouse/modules-actions/build@v4
uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
module_name: ${{ vars.MODULE_NAME }}
module_tag: ${{ github.event.inputs.tag }}
source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }}
source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}"
registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }}

- uses: deckhouse/modules-actions/deploy@v2
with:
Expand Down Expand Up @@ -271,14 +273,16 @@ jobs:
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}

- if: ${{ inputs.enableBuild }}
uses: deckhouse/modules-actions/build@v4
uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
module_name: ${{ vars.MODULE_NAME }}
module_tag: ${{ github.event.inputs.tag }}
source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }}
source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}"
registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }}

- uses: deckhouse/modules-actions/deploy@v2
with:
Expand Down Expand Up @@ -330,14 +334,16 @@ jobs:
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}

- if: ${{ inputs.enableBuild }}
uses: deckhouse/modules-actions/build@v4
uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
module_name: ${{ vars.MODULE_NAME }}
module_tag: ${{ github.event.inputs.tag }}
source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }}
source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}"
registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }}

- uses: deckhouse/modules-actions/deploy@v2
with:
Expand Down Expand Up @@ -393,14 +399,16 @@ jobs:
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}

- if: ${{ inputs.enableBuild }}
uses: deckhouse/modules-actions/build@v4
uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
module_name: ${{ vars.MODULE_NAME }}
module_tag: ${{ github.event.inputs.tag }}
source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }}
source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}"
registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }}

- uses: deckhouse/modules-actions/deploy@v2
with:
4 changes: 4 additions & 0 deletions .gitlab-ci.yml
Expand Up @@ -128,6 +128,8 @@ variables:
MODULES_REGISTRY_PASSWORD: ${EXTERNAL_MODULES_DEV_REGISTRY_PASSWORD}
MODULES_REGISTRY: dev-registry.deckhouse.io
MODULES_MODULE_SOURCE: ${MODULES_REGISTRY}/sys/deckhouse-oss/modules
REGISTRY_USER: ${MODULES_REGISTRY_LOGIN}
REGISTRY_PASSWORD: ${MODULES_REGISTRY_PASSWORD}
ENV: DEV

# PROD registry
Expand All @@ -137,6 +139,8 @@ variables:
MODULES_REGISTRY_PASSWORD: ${EXTERNAL_MODULES_PROD_REGISTRY_PASSWORD}
MODULES_REGISTRY: registry-write.deckhouse.io
MODULES_MODULE_SOURCE: ${MODULES_REGISTRY}/deckhouse/${EDITION}/modules
REGISTRY_USER: ${MODULES_REGISTRY_LOGIN}
REGISTRY_PASSWORD: ${MODULES_REGISTRY_PASSWORD}
ENV: PROD

# Templates ============================================================================================================
143 changes: 143 additions & 0 deletions .werf/defines/vex.tmpl
@@ -0,0 +1,143 @@
# put image with vex mitigations to registry.
# Mitigations can be found in the known_vulnerabilities.vex file in the image directory
# input parameters:
# list of $ and image name.
# list ($ "common/kubernetes")
{{- define "vex mitigation" }}
{{- $context := index . 0 }}
{{- $imageName := index . 1 }}
{{- $knownVulnPath := "" }}
{{- $isVault := false }}
{{- if eq $imageName "dev" }}
{{- $knownVulnPath = "/deckhouse-controller/known_vulnerabilities.vex" }}
{{- else if eq $imageName "dev/install" }}
{{- $knownVulnPath = "/dhctl/known_vulnerabilities.vex" }}
{{- else if eq $imageName "bundle" }}
{{- $knownVulnPath = "/known_vulnerabilities.vex" }}
{{- else if hasKey $context "ModulePriority" }}
{{- $knownVulnPath = (printf "/%smodules/%s-%s/images/%s/known_vulnerabilities.vex" $context.ModulePath $context.ModulePriority $context.ModuleName $context.ImageName) }}
{{- else }}
{{- $knownVulnPath = (printf "/images/%s/known_vulnerabilities.vex" $context.ImageName) }}
{{- end }}
{{- $vexFile := false }}
{{- if eq (len ($context.Files.Glob $knownVulnPath)) 1 }}
{{- $vexFile = true }}
{{- end }}
{{- $werfSignKey := env "WERF_SIGN_KEY" "" }}
{{- $vaultKey := env "VAULT_KEY" "" }}
{{- $actionsIdToken := env "ACTIONS_ID_TOKEN_REQUEST_TOKEN" "" }}
{{- if or (ne $werfSignKey "") (ne $vaultKey "") (ne $actionsIdToken "") }}
{{- $isVault = true }}
{{- end }}
{{- if $vexFile }}
---
image: {{ $imageName }}-vex-artifact
fromImage: base/vex
final: true
secrets:
- id: REGISTRY_USER
env: REGISTRY_USER
- id: REGISTRY_PASSWORD
env: REGISTRY_PASSWORD
{{- if eq $isVault true }}
{{- if ne $werfSignKey "" }}
- id: VAULT_ADDR
env: VAULT_ADDR
- id: VAULT_KEY
env: WERF_SIGN_KEY
- id: VAULT_ROLE
env: WERF_VAULT_AUTH_ROLE
- id: VAULT_JWT
env: WERF_VAULT_AUTH_JWT
- id: TRANSIT_SECRET_ENGINE_PATH
env: TRANSIT_SECRET_ENGINE_PATH
{{- else }}
- id: VAULT_ADDR
env: VAULT_ADDR
- id: VAULT_KEY
env: VAULT_KEY
- id: VAULT_ROLE
env: VAULT_ROLE
- id: TRANSIT_SECRET_ENGINE_PATH
env: TRANSIT_SECRET_ENGINE_PATH
{{- if eq $actionsIdToken "" }}
- id: VAULT_JWT
env: VAULT_ID_TOKEN
{{- end }}
{{- end }}
{{- if ne $actionsIdToken "" }}
- id: ACTIONS_ID_TOKEN_REQUEST_TOKEN
env: ACTIONS_ID_TOKEN_REQUEST_TOKEN
- id: ACTIONS_ID_TOKEN_REQUEST_URL
env: ACTIONS_ID_TOKEN_REQUEST_URL
{{- end }}
{{- end }}
git:
- add: {{ $knownVulnPath }}
to: /known_vulnerabilities.vex
stageDependencies:
install:
- "**/*"
dependencies:
- image: {{ $imageName }}
before: install
imports:
- type: ImageDigest
targetEnv: IMAGE_DIGEST
- type: ImageRepo
targetEnv: IMAGE_REPO
shell:
install:
- export REGISTRY_USER="$(cat /run/secrets/REGISTRY_USER)"
- export REGISTRY_PASSWORD="$(cat /run/secrets/REGISTRY_PASSWORD)"
{{- if $isVault }}
- export VAULT_ADDR="$(cat /run/secrets/VAULT_ADDR)"
- export VAULT_ROLE="$(cat /run/secrets/VAULT_ROLE)"
- export TRANSIT_SECRET_ENGINE_PATH="$(cat /run/secrets/TRANSIT_SECRET_ENGINE_PATH)"
- VAULT_KEY=$(cat /run/secrets/VAULT_KEY)
- export VAULT_KEY="hashivault://${VAULT_KEY#hashivault://}"
{{- if ne $actionsIdToken "" }}
- export ACTIONS_ID_TOKEN_REQUEST_TOKEN="$(cat /run/secrets/ACTIONS_ID_TOKEN_REQUEST_TOKEN)"
- export ACTIONS_ID_TOKEN_REQUEST_URL="$(cat /run/secrets/ACTIONS_ID_TOKEN_REQUEST_URL)"
- export VAULT_AUTH_PATH="github"
- >
export VAULT_JWT=$(jq -r .value <<< $(curl -fsH "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=github-access-aud" ))
- >
if [ -n "${VAULT_JWT}" ]; then
echo "Received Actions token";
else
echo "Actions token empty";
fi
{{- else }}
- export VAULT_AUTH_PATH="fox"
- export VAULT_JWT="$(cat /run/secrets/VAULT_JWT)"
{{- end }}
- >
export VAULT_TOKEN="$(curl -fX POST "${VAULT_ADDR}/v1/auth/${VAULT_AUTH_PATH}/login" -d '{"role":"'${VAULT_ROLE}'","jwt":"'${VAULT_JWT}'"}' | jq -r '.auth.client_token')"
- >
if [ -n "${VAULT_TOKEN}" ]; then
echo "Received Vault token";
else
echo "Vault token empty";
fi
- echo "Using predicate known_vulnerabilities.vex"
{{- else }}
- |
echo -e "\033[33mWARNING!!! Cosign will sign attestation with self-generated key pair!\033[0m"
export COSIGN_PASSWORD=""
cosign generate-key-pair
export VAULT_KEY="cosign.key"
{{- end }}
- |
cosign attest \
--replace \
--registry-username="${REGISTRY_USER}" \
--registry-password="${REGISTRY_PASSWORD}" \
--predicate /known_vulnerabilities.vex \
--type openvex \
--key ${VAULT_KEY} \
--tlog-upload=false \
-y -d \
"${IMAGE_REPO}@${IMAGE_DIGEST}"
{{- end }}
{{- end }}
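Review bot: The `if [ -n "${VAULT_TOKEN}" ]` check after the Vault login only catches an empty string, but `jq -r '.auth.client_token'` prints the literal `null` when the response carries no `.auth` object (an error body, for instance), so a failed login logs "Received Vault token" and the step carries on into `cosign attest` with `VAULT_TOKEN=null`; `jq -r .value` on the Actions-token line has the same gap. Use `jq -r '.auth.client_token // empty'` and `jq -r '.value // empty'` so a missing field yields an empty string, and make the `else` branches fail the step, `echo "Vault token empty"; exit 1;`, instead of printing a message the build ignores. On the Actions-token request, `curl -fsS` would also surface the HTTP error text that `-fs` currently hides. The whole `vex mitigation` define is inside the hunk.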