From c608d2dd8278854dd0c91e098d35963b60b4e14b Mon Sep 17 00:00:00 2001 From: Pankti Shah Date: Tue, 28 Nov 2023 15:29:10 -0800 Subject: [PATCH] Sign container images using AWS Signer and notation CLI during the release process --- release/cli/cmd/release.go | 3 +++ release/cli/pkg/bundles/package-controller.go | 4 ++-- release/cli/pkg/images/images.go | 10 +++++++++- release/cli/pkg/operations/upload.go | 2 +- release/cli/pkg/types/types.go | 1 + release/scripts/bundle-release.sh | 3 ++- release/scripts/release.sh | 3 ++- 7 files changed, 20 insertions(+), 6 deletions(-) diff --git a/release/cli/cmd/release.go b/release/cli/cmd/release.go index 2f74954b7a8e..0ed5257a15cb 100644 --- a/release/cli/cmd/release.go +++ b/release/cli/cmd/release.go @@ -77,6 +77,7 @@ var releaseCmd = &cobra.Command{ weekly := viper.GetBool("weekly") releaseTime := time.Now().UTC() releaseDate := releaseTime.Format(constants.YYYYMMDD) + awsSignerProfileArn := viper.GetString("aws-signer-profile-arn") var bundleRelease bool var releaseEnvironment string @@ -112,6 +113,7 @@ var releaseCmd = &cobra.Command{ DryRun: dryRun, Weekly: weekly, ReleaseEnvironment: releaseEnvironment, + AwsSignerProfileArn: awsSignerProfileArn, } err := operations.SetRepoHeads(releaseConfig) @@ -327,4 +329,5 @@ func init() { releaseCmd.Flags().String("release-environment", "", "Release environment") releaseCmd.Flags().Bool("dry-run", false, "Flag to indicate if the release is a dry run") releaseCmd.Flags().Bool("weekly", false, "Flag to indicate a weekly bundle release") + releaseCmd.Flags().String("aws-signer-profile-arn", "", "Arn of AWS Signer profile to sign the container images") } diff --git a/release/cli/pkg/bundles/package-controller.go b/release/cli/pkg/bundles/package-controller.go index 4d3022463e3c..9df8af5f7fc8 100644 --- a/release/cli/pkg/bundles/package-controller.go +++ b/release/cli/pkg/bundles/package-controller.go 
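Review bot: The new `aws-signer-profile-arn` flag defaults to `""` and nothing in this hunk validates it, so a run that omits the flag still copies every image and only fails later when notation is invoked with `--id ""` — by then the images are already in the public registry, unsigned. Signing should fail closed before anything is published: either `releaseCmd.MarkFlagRequired("aws-signer-profile-arn")` in `init()`, or an explicit check next to the viper read, `if awsSignerProfileArn == "" { /* abort the same way a SetRepoHeads failure is reported */ }`, reported the way the command already reports `operations.SetRepoHeads` errors (that handling is outside the hunk). If dry-run or dev releases are meant to skip signing, that exemption needs to be stated here too; the command's Run body continues past the hunk.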
@@ -65,7 +65,7 @@ func GetPackagesBundle(r *releasetypes.ReleaseConfig, imageDigests map[string]st } if !PackageImage { fmt.Printf("Did not find the required helm image in Public ECR... copying image: %v\n", fmt.Sprintf("%s/%s:%s", r.ReleaseContainerRegistry, "eks-anywhere-packages", Imagetag)) - err := images.CopyToDestination(r.SourceClients.ECR.AuthConfig, r.ReleaseClients.ECRPublic.AuthConfig, fmt.Sprintf("%s/%s:%s", r.SourceContainerRegistry, "eks-anywhere-packages", Imagetag), fmt.Sprintf("%s/%s:%s", r.ReleaseContainerRegistry, "eks-anywhere-packages", Imagetag)) + err := images.CopyToDestination(r.SourceClients.ECR.AuthConfig, r.ReleaseClients.ECRPublic.AuthConfig, fmt.Sprintf("%s/%s:%s", r.SourceContainerRegistry, "eks-anywhere-packages", Imagetag), fmt.Sprintf("%s/%s:%s", r.ReleaseContainerRegistry, "eks-anywhere-packages", Imagetag), r.AwsSignerProfileArn) if err != nil { fmt.Printf("Error copying dev EKS Anywhere package controller image, to ECR Public: %v", err) } @@ -80,7 +80,7 @@ func GetPackagesBundle(r *releasetypes.ReleaseConfig, imageDigests map[string]st } if !TokenImage { fmt.Printf("Did not find the required helm image in Public ECR... copying image: %v\n", fmt.Sprintf("%s/%s:%s", r.ReleaseContainerRegistry, "ecr-token-refresher", Tokentag)) - err := images.CopyToDestination(r.SourceClients.ECR.AuthConfig, r.ReleaseClients.ECRPublic.AuthConfig, fmt.Sprintf("%s/%s:%s", r.SourceContainerRegistry, "ecr-token-refresher", Tokentag), fmt.Sprintf("%s/%s:%s", r.ReleaseContainerRegistry, "ecr-token-refresher", Tokentag)) + err := images.CopyToDestination(r.SourceClients.ECR.AuthConfig, r.ReleaseClients.ECRPublic.AuthConfig, fmt.Sprintf("%s/%s:%s", r.SourceContainerRegistry, "ecr-token-refresher", Tokentag), fmt.Sprintf("%s/%s:%s", r.ReleaseContainerRegistry, "ecr-token-refresher", Tokentag), r.AwsSignerProfileArn) if err != nil { fmt.Printf("Error copying dev EKS Anywhere package token refresher image, to ECR Public: %v", err) } 
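Review bot: A signing failure is now swallowed by the same best-effort path that already swallowed copy errors: `CopyToDestination` returns an error when `notation sign` fails, but both call sites here only `fmt.Printf` it and carry on, so the image has already landed in ECR Public without a signature and the bundle release still succeeds. If the signature is a release guarantee, propagate the error out of `GetPackagesBundle` instead of printing it; at minimum the message should stop calling it a copy error, e.g. `fmt.Printf("Error copying or signing dev EKS Anywhere package controller image (it may now be published unsigned): %v\n", err)`, and likewise for the token refresher. The function's return shape is outside the hunk, so I cannot quote the exact `return` form.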
diff --git a/release/cli/pkg/images/images.go b/release/cli/pkg/images/images.go index 00bab71ce910..8052571fb29b 100644 --- a/release/cli/pkg/images/images.go +++ b/release/cli/pkg/images/images.go @@ -94,7 +94,7 @@ func PollForExistence(devRelease bool, authConfig *docker.AuthConfiguration, ima return nil } -func CopyToDestination(sourceAuthConfig, releaseAuthConfig *docker.AuthConfiguration, sourceImageUri, releaseImageUri string) error { +func CopyToDestination(sourceAuthConfig, releaseAuthConfig *docker.AuthConfiguration, sourceImageUri, releaseImageUri, awsSignerProfileArn string) error { retrier := retrier.NewRetrier(60*time.Minute, retrier.WithRetryPolicy(func(totalRetries int, err error) (retry bool, wait time.Duration) { if err != nil && totalRetries < 10 { return true, 30 * time.Second @@ -119,6 +119,14 @@ func CopyToDestination(sourceAuthConfig, releaseAuthConfig *docker.AuthConfigura if err != nil { return fmt.Errorf("retries exhausted performing image copy from source to destination: %v", err) } + // Sign public ECR image using AWS signer and notation CLI + // notation sign /: --plugin com.amazonaws.signer.notation.plugin --id + cmd := exec.Command("notation", "sign", releaseImageUri, "--plugin", "com.amazonaws.signer.notation.plugin", "--id", awsSignerProfileArn, "-u", releaseRegistryUsername, "-p", releaseRegistryPassword) + out, err := commandutils.ExecCommand(cmd) + fmt.Println(out) + if err != nil { + return fmt.Errorf("executing sigining container image with Notation CLI: %v", err) + } return nil } diff --git a/release/cli/pkg/operations/upload.go b/release/cli/pkg/operations/upload.go index 3133a815905d..abca3a62696c 100644 --- a/release/cli/pkg/operations/upload.go +++ b/release/cli/pkg/operations/upload.go 
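Review bot: The registry password is placed on the notation command line (`"-p", releaseRegistryPassword`), which makes it readable by anything on the build host that can list process arguments (`ps`, `/proc/<pid>/cmdline`) and by any harness that logs the command; pass it through notation's `NOTATION_USERNAME`/`NOTATION_PASSWORD` environment instead. The call also signs the mutable tag `releaseImageUri` rather than the digest of the manifest that was just copied, so the signature can be re-pointed by a later tag push and notation itself warns about tag signing; whether the copy step yields the pushed digest is not visible in this hunk, so resolve it if it does not. Two smaller points: the error text misspells `sigining`, and `notation` is resolved from `PATH`, so the build image should pin or checksum that binary. `releaseRegistryUsername`/`releaseRegistryPassword` are defined earlier in `CopyToDestination`, outside the hunk.
```go
	// … unchanged: retried copy from source to release registry …
	// Sign the image just published to the release registry. Credentials go
	// through notation's environment rather than argv so they do not appear
	// in process listings. releaseImageRef should be the digest-pinned form
	// (<repo>@sha256:...) of releaseImageUri once the copy reports it, so the
	// signature binds to the exact manifest that was pushed, not to the tag.
	cmd := exec.Command("notation", "sign", releaseImageRef,
		"--plugin", "com.amazonaws.signer.notation.plugin",
		"--id", awsSignerProfileArn)
	cmd.Env = append(os.Environ(),
		"NOTATION_USERNAME="+releaseRegistryUsername,
		"NOTATION_PASSWORD="+releaseRegistryPassword,
	)
	out, err := commandutils.ExecCommand(cmd)
	fmt.Println(out)
	if err != nil {
		return fmt.Errorf("signing %s with notation: %w", releaseImageRef, err)
	}
```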
@@ -111,7 +111,7 @@ func UploadArtifacts(r *releasetypes.ReleaseConfig, eksArtifacts map[string][]re releaseImageUri := artifact.Image.ReleaseImageURI fmt.Printf("Source Image - %s\n", sourceImageUri) fmt.Printf("Destination Image - %s\n", releaseImageUri) - err := images.CopyToDestination(sourceEcrAuthConfig, releaseEcrAuthConfig, sourceImageUri, releaseImageUri) + err := images.CopyToDestination(sourceEcrAuthConfig, releaseEcrAuthConfig, sourceImageUri, releaseImageUri, r.AwsSignerProfileArn) if err != nil { return fmt.Errorf("copying image from source to destination: %v", err) } diff --git a/release/cli/pkg/types/types.go b/release/cli/pkg/types/types.go index f4fda986a33c..cf947f6da2ee 100644 --- a/release/cli/pkg/types/types.go +++ b/release/cli/pkg/types/types.go @@ -52,6 +52,7 @@ type ReleaseConfig struct { ReleaseClients *clients.ReleaseClients BundleArtifactsTable map[string][]Artifact EksAArtifactsTable map[string][]Artifact + AwsSignerProfileArn string } type ImageTagOverride struct { diff --git a/release/scripts/bundle-release.sh b/release/scripts/bundle-release.sh index 09c01328183a..04205a18974e 100755 --- a/release/scripts/bundle-release.sh +++ b/release/scripts/bundle-release.sh @@ -57,4 +57,5 @@ ${BASE_DIRECTORY}/release/bin/eks-anywhere-release release \ --dev-release=false \ --bundle-release=true \ --build-repo-url "${BUILD_REPO_URL}" \ - --cli-repo-url "${CLI_REPO_URL}" + --cli-repo-url "${CLI_REPO_URL}" \ + --aws-signer-profile-arn "${AWS_SIGNER_PROFILE_ARN}" diff --git a/release/scripts/release.sh b/release/scripts/release.sh index 89faf5c70c92..9aed7ab03c3b 100755 --- a/release/scripts/release.sh +++ b/release/scripts/release.sh @@ -50,4 +50,5 @@ ${BASE_DIRECTORY}/release/bin/eks-anywhere-release release \ --release-container-registry "${RELEASE_CONTAINER_REGISTRY}" \ --dev-release=true \ --dry-run=${DRY_RUN} \ - --weekly=${WEEKLY} + --weekly=${WEEKLY} \ + --aws-signer-profile-arn "${AWS_SIGNER_PROFILE_ARN}"
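Review bot: Both `bundle-release.sh` and `release.sh` forward `"${AWS_SIGNER_PROFILE_ARN}"` with no check that it is set, so an unset variable in the CI environment silently becomes `--aws-signer-profile-arn ""` — which cobra treats as a provided flag, so even marking the flag required on the Go side would not catch it. Add a fail-fast guard above the invocation in each script, e.g. `: "${AWS_SIGNER_PROFILE_ARN:?AWS_SIGNER_PROFILE_ARN must be set to sign release images}"`, so the misconfiguration stops the run before any image is pushed. Whether `set -u` is already in force earlier in these scripts is not visible here.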