diff --git a/release/cli/cmd/release.go b/release/cli/cmd/release.go
index 2f74954b7a8ea..0ed5257a15cbc 100644
--- a/release/cli/cmd/release.go
+++ b/release/cli/cmd/release.go
@@ -77,6 +77,7 @@ var releaseCmd = &cobra.Command{
 weekly := viper.GetBool("weekly")
 releaseTime := time.Now().UTC()
 releaseDate := releaseTime.Format(constants.YYYYMMDD)
+ awsSignerProfileArn := viper.GetString("aws-signer-profile-arn")
 
 var bundleRelease bool
 var releaseEnvironment string
@@ -112,6 +113,7 @@ var releaseCmd = &cobra.Command{
 DryRun: dryRun,
 Weekly: weekly,
 ReleaseEnvironment: releaseEnvironment,
+ AwsSignerProfileArn: awsSignerProfileArn,
 }
 
 err := operations.SetRepoHeads(releaseConfig)
@@ -327,4 +329,5 @@ func init() {
 releaseCmd.Flags().String("release-environment", "", "Release environment")
 releaseCmd.Flags().Bool("dry-run", false, "Flag to indicate if the release is a dry run")
 releaseCmd.Flags().Bool("weekly", false, "Flag to indicate a weekly bundle release")
+ releaseCmd.Flags().String("aws-signer-profile-arn", "", "Arn of AWS Signer profile to sign the container images")
 }
diff --git a/release/cli/pkg/bundles/package-controller.go b/release/cli/pkg/bundles/package-controller.go
index 4d3022463e3c3..9df8af5f7fc82 100644
--- a/release/cli/pkg/bundles/package-controller.go
+++ b/release/cli/pkg/bundles/package-controller.go
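Review bot: The new `aws-signer-profile-arn` flag defaults to an empty string and is copied into `ReleaseConfig` without any validation, and nothing in this hunk or the `@@ -112` hunk makes the downstream signing step conditional on it, so an unset flag presumably sends every image through `notation sign` with an empty `--id`. Decide the policy here, before any copy starts: either fail fast, e.g. `if awsSignerProfileArn == "" && !dryRun { return fmt.Errorf("--aws-signer-profile-arn is required") }` (adapted to whether the command uses Run or RunE), or state in the flag help text that an empty value disables signing and make the signing code honour that. The struct literal in the `@@ -112` hunk is not gofmt-aligned (`AwsSignerProfileArn: awsSignerProfileArn,` breaks the key column above it), and Go's initialism convention would spell the field `AWSSignerProfileARN`. The enclosing `releaseCmd` run function and `init` both extend outside these hunks.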
@@ -65,7 +65,7 @@ func GetPackagesBundle(r *releasetypes.ReleaseConfig, imageDigests map[string]st
 }
 if !PackageImage {
 fmt.Printf("Did not find the required helm image in Public ECR... copying image: %v\n", fmt.Sprintf("%s/%s:%s", r.ReleaseContainerRegistry, "eks-anywhere-packages", Imagetag))
- err := images.CopyToDestination(r.SourceClients.ECR.AuthConfig, r.ReleaseClients.ECRPublic.AuthConfig, fmt.Sprintf("%s/%s:%s", r.SourceContainerRegistry, "eks-anywhere-packages", Imagetag), fmt.Sprintf("%s/%s:%s", r.ReleaseContainerRegistry, "eks-anywhere-packages", Imagetag))
+ err := images.CopyToDestination(r.SourceClients.ECR.AuthConfig, r.ReleaseClients.ECRPublic.AuthConfig, fmt.Sprintf("%s/%s:%s", r.SourceContainerRegistry, "eks-anywhere-packages", Imagetag), fmt.Sprintf("%s/%s:%s", r.ReleaseContainerRegistry, "eks-anywhere-packages", Imagetag), r.AwsSignerProfileArn)
 if err != nil {
 fmt.Printf("Error copying dev EKS Anywhere package controller image, to ECR Public: %v", err)
 }
@@ -80,7 +80,7 @@ func GetPackagesBundle(r *releasetypes.ReleaseConfig, imageDigests map[string]st
 }
 if !TokenImage {
 fmt.Printf("Did not find the required helm image in Public ECR... copying image: %v\n", fmt.Sprintf("%s/%s:%s", r.ReleaseContainerRegistry, "ecr-token-refresher", Tokentag))
- err := images.CopyToDestination(r.SourceClients.ECR.AuthConfig, r.ReleaseClients.ECRPublic.AuthConfig, fmt.Sprintf("%s/%s:%s", r.SourceContainerRegistry, "ecr-token-refresher", Tokentag), fmt.Sprintf("%s/%s:%s", r.ReleaseContainerRegistry, "ecr-token-refresher", Tokentag))
+ err := images.CopyToDestination(r.SourceClients.ECR.AuthConfig, r.ReleaseClients.ECRPublic.AuthConfig, fmt.Sprintf("%s/%s:%s", r.SourceContainerRegistry, "ecr-token-refresher", Tokentag), fmt.Sprintf("%s/%s:%s", r.ReleaseContainerRegistry, "ecr-token-refresher", Tokentag), r.AwsSignerProfileArn)
 if err != nil {
 fmt.Printf("Error copying dev EKS Anywhere package token refresher image, to ECR Public: %v", err)
 }
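Review bot: Both hunks only print a failure from `images.CopyToDestination` (`fmt.Printf("Error copying dev EKS Anywhere package controller image, to ECR Public: %v", err)`) and carry on, which now also swallows a failed `notation sign`: the image can be sitting unsigned in the public registry while the bundle build continues as if it were signed. A signing failure should surface as an error from GetPackagesBundle rather than a log line, or at minimum the message should say that copying or signing failed so the log is not misleading; the `@@ -80` hunk for the token-refresher image has the same shape. GetPackagesBundle starts and ends outside both hunks, so its return list is not visible here.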
diff --git a/release/cli/pkg/images/images.go b/release/cli/pkg/images/images.go
index 00bab71ce9100..59fac49bf070d 100644
--- a/release/cli/pkg/images/images.go
+++ b/release/cli/pkg/images/images.go
@@ -94,7 +94,7 @@ func PollForExistence(devRelease bool, authConfig *docker.AuthConfiguration, ima
 return nil
 }
 
-func CopyToDestination(sourceAuthConfig, releaseAuthConfig *docker.AuthConfiguration, sourceImageUri, releaseImageUri string) error {
+func CopyToDestination(sourceAuthConfig, releaseAuthConfig *docker.AuthConfiguration, sourceImageUri, releaseImageUri, awsSignerProfileArn string) error {
 retrier := retrier.NewRetrier(60*time.Minute, retrier.WithRetryPolicy(func(totalRetries int, err error) (retry bool, wait time.Duration) {
 if err != nil && totalRetries < 10 {
 return true, 30 * time.Second
@@ -116,6 +116,19 @@ func CopyToDestination(sourceAuthConfig, releaseAuthConfig *docker.AuthConfigura
 return nil
 })
 
+ // Sign public ECR image using AWS signer and notation CLI
+ // notation sign public.ecr.aws/y8b4r0e8/eksa-controller:latest8 @sha256:ff76a27fb06d711dafd399b97b142a23217ab171eb0468aeaa9374b69849a1e0
+ // --plugin com.amazonaws.signer.notation.plugin --id arn:aws:signer:us-east-1:189183948571:/signing-profiles/notation_test_nov_8
+ err = retrier.Retry(func() error {
+ cmd := exec.Command("notation", "sign", releaseImageUri, "--plugin", "com.amazonaws.signer.notation.plugin", "--id", awsSignerProfileArn)
+ out, err := commandutils.ExecCommand(cmd)
+ fmt.Println(out)
+ if err != nil {
+ return fmt.Errorf("executing skopeo copy command: %v", err)
+ }
+
+ return nil
+ })
 if err != nil {
 return fmt.Errorf("retries exhausted performing image copy from source to destination: %v", err)
 }
diff --git a/release/cli/pkg/operations/upload.go b/release/cli/pkg/operations/upload.go
index 3133a815905d2..abca3a62696c1 100644
--- a/release/cli/pkg/operations/upload.go
+++ b/release/cli/pkg/operations/upload.go
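Review bot: `CopyToDestination` is exported and after this change it both copies the image and signs the destination reference, yet it still has no doc comment, so a caller reading only the name will not expect a signing side effect, a dependency on an external `notation` binary, or the new trailing parameter's meaning. Add a comment along the lines of `// CopyToDestination copies sourceImageUri to releaseImageUri and then signs releaseImageUri with the notation CLI using the AWS Signer profile awsSignerProfileArn; it requires the notation binary and the com.amazonaws.signer.notation.plugin plugin on PATH.` The body of CopyToDestination continues past the end of this hunk.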
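Review bot: The signing closure signs `releaseImageUri`, which at every visible call site is a tag reference (`%s/%s:%s`), so the signature is bound to whatever digest the tag resolves to at signing time rather than to the digest that was just pushed; sign by digest instead, as the comment's own example (`@sha256:...`) does, by having the copy step report the pushed digest and passing that reference to notation. Nothing guards an empty `awsSignerProfileArn`: with the flag defaulting to "" the closure runs `notation sign ... --id ""`, and under the visible retry policy (`totalRetries < 10`, `30 * time.Second`) that presumably burns several minutes per image before failing, so check `if awsSignerProfileArn == "" { return fmt.Errorf("signing %s: empty AWS Signer profile ARN", releaseImageUri) }` ahead of the retry loop. The error text is copy-pasted from the copy step: `return fmt.Errorf("executing skopeo copy command: %v", err)` should read `return fmt.Errorf("executing notation sign command: %w", err)`, and the outer `retries exhausted performing image copy from source to destination` is now also reached for signing failures. The comment block embeds what look like real identifiers from a test run (`189183948571`, `notation_test_nov_8`, repository `y8b4r0e8`); replace them with placeholders such as `<account-id>` and `<profile-name>` so they do not ship in source. The retrier declaration and the function's return are outside this hunk.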
@@ -111,7 +111,7 @@ func UploadArtifacts(r *releasetypes.ReleaseConfig, eksArtifacts map[string][]re
 releaseImageUri := artifact.Image.ReleaseImageURI
 fmt.Printf("Source Image - %s\n", sourceImageUri)
 fmt.Printf("Destination Image - %s\n", releaseImageUri)
- err := images.CopyToDestination(sourceEcrAuthConfig, releaseEcrAuthConfig, sourceImageUri, releaseImageUri)
+ err := images.CopyToDestination(sourceEcrAuthConfig, releaseEcrAuthConfig, sourceImageUri, releaseImageUri, r.AwsSignerProfileArn)
 if err != nil {
 return fmt.Errorf("copying image from source to destination: %v", err)
 }
diff --git a/release/cli/pkg/types/types.go b/release/cli/pkg/types/types.go
index f4fda986a33ce..cf947f6da2ee7 100644
--- a/release/cli/pkg/types/types.go
+++ b/release/cli/pkg/types/types.go
@@ -52,6 +52,7 @@ type ReleaseConfig struct {
 ReleaseClients *clients.ReleaseClients
 BundleArtifactsTable map[string][]Artifact
 EksAArtifactsTable map[string][]Artifact
+ AwsSignerProfileArn string
 }
 
 type ImageTagOverride struct {
diff --git a/release/scripts/bundle-release.sh b/release/scripts/bundle-release.sh
index 09c01328183ab..197c08166a682 100755
--- a/release/scripts/bundle-release.sh
+++ b/release/scripts/bundle-release.sh
@@ -57,4 +57,5 @@ ${BASE_DIRECTORY}/release/bin/eks-anywhere-release release \
 --dev-release=false \
 --bundle-release=true \
 --build-repo-url "${BUILD_REPO_URL}" \
- --cli-repo-url "${CLI_REPO_URL}"
+ --cli-repo-url "${CLI_REPO_URL}"\
+ --aws-signer-profile-arn "${AWS_SIGNER_PROFILE_ARN}"
diff --git a/release/scripts/release.sh b/release/scripts/release.sh
index 89faf5c70c920..8745342431f41 100755
--- a/release/scripts/release.sh
+++ b/release/scripts/release.sh
@@ -50,4 +50,5 @@ ${BASE_DIRECTORY}/release/bin/eks-anywhere-release release \
 --release-container-registry "${RELEASE_CONTAINER_REGISTRY}" \
 --dev-release=true \
 --dry-run=${DRY_RUN} \
- --weekly=${WEEKLY}
+ --weekly=${WEEKLY}\
+ --aws-signer-profile-arn "${AWS_SIGNER_PROFILE_ARN}"
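Review bot: The wrapping message `copying image from source to destination: %v` now also covers a failed `notation sign` inside `CopyToDestination`, so an operator reading the release log is told the copy failed when the image was in fact pushed but left unsigned. Change it to `return fmt.Errorf("copying and signing image %s: %w", releaseImageUri, err)`; `%w` also lets the caller distinguish a signing failure with errors.Is/As if CopyToDestination ever returns a typed error. UploadArtifacts continues outside the hunk.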
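Review bot: `AWS_SIGNER_PROFILE_ARN` is expanded with no check that it is set, so a missing environment variable passes `--aws-signer-profile-arn ""` to the binary and the release proceeds to sign every image with an empty profile; release/scripts/release.sh has the identical gap. Add a guard next to the other variable setup, `: "${AWS_SIGNER_PROFILE_ARN:?AWS_SIGNER_PROFILE_ARN must be set}"`, unless the script already runs under `set -u`, which is outside the hunk. The continuation backslash is also glued to the preceding argument (`"${CLI_REPO_URL}"\` here, `--weekly=${WEEKLY}\` in release.sh); a space before it keeps the argument list consistent with the lines above.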