Sign container images using AWS Signer and notation CLI.

release/cli/cmd/release.go

@@ -77,6 +77,7 @@ var releaseCmd = &cobra.Command{
 		weekly := viper.GetBool("weekly")
 		releaseTime := time.Now().UTC()
 		releaseDate := releaseTime.Format(constants.YYYYMMDD)
+		awsSignerProfileArn := viper.GetString("aws-signer-profile-arn")
 
 		var bundleRelease bool
 		var releaseEnvironment string
@@ -112,6 +113,7 @@ var releaseCmd = &cobra.Command{
 			DryRun:                   dryRun,
 			Weekly:                   weekly,
 			ReleaseEnvironment:       releaseEnvironment,
+			AwsSignerProfileArn:      awsSignerProfileArn,
 		}
 
 		err := operations.SetRepoHeads(releaseConfig)
@@ -327,4 +329,5 @@ func init() {
 	releaseCmd.Flags().String("release-environment", "", "Release environment")
 	releaseCmd.Flags().Bool("dry-run", false, "Flag to indicate if the release is a dry run")
 	releaseCmd.Flags().Bool("weekly", false, "Flag to indicate a weekly bundle release")
+	releaseCmd.Flags().String("aws-signer-profile-arn", "", "Arn of AWS Signer profile to sign the container images")
 }

release/cli/pkg/bundles/package-controller.go

@@ -65,7 +65,7 @@ func GetPackagesBundle(r *releasetypes.ReleaseConfig, imageDigests map[string]st
 		}
 		if !PackageImage {
 			fmt.Printf("Did not find the required helm image in Public ECR... copying image: %v\n", fmt.Sprintf("%s/%s:%s", r.ReleaseContainerRegistry, "eks-anywhere-packages", Imagetag))
-			err := images.CopyToDestination(r.SourceClients.ECR.AuthConfig, r.ReleaseClients.ECRPublic.AuthConfig, fmt.Sprintf("%s/%s:%s", r.SourceContainerRegistry, "eks-anywhere-packages", Imagetag), fmt.Sprintf("%s/%s:%s", r.ReleaseContainerRegistry, "eks-anywhere-packages", Imagetag))
+			err := images.CopyToDestination(r.SourceClients.ECR.AuthConfig, r.ReleaseClients.ECRPublic.AuthConfig, fmt.Sprintf("%s/%s:%s", r.SourceContainerRegistry, "eks-anywhere-packages", Imagetag), fmt.Sprintf("%s/%s:%s", r.ReleaseContainerRegistry, "eks-anywhere-packages", Imagetag), r.AwsSignerProfileArn)
 			if err != nil {
 				fmt.Printf("Error copying dev EKS Anywhere package controller image, to ECR Public: %v", err)
 			}
@@ -80,7 +80,7 @@ func GetPackagesBundle(r *releasetypes.ReleaseConfig, imageDigests map[string]st
 		}
 		if !TokenImage {
 			fmt.Printf("Did not find the required helm image in Public ECR... copying image: %v\n", fmt.Sprintf("%s/%s:%s", r.ReleaseContainerRegistry, "ecr-token-refresher", Tokentag))
-			err := images.CopyToDestination(r.SourceClients.ECR.AuthConfig, r.ReleaseClients.ECRPublic.AuthConfig, fmt.Sprintf("%s/%s:%s", r.SourceContainerRegistry, "ecr-token-refresher", Tokentag), fmt.Sprintf("%s/%s:%s", r.ReleaseContainerRegistry, "ecr-token-refresher", Tokentag))
+			err := images.CopyToDestination(r.SourceClients.ECR.AuthConfig, r.ReleaseClients.ECRPublic.AuthConfig, fmt.Sprintf("%s/%s:%s", r.SourceContainerRegistry, "ecr-token-refresher", Tokentag), fmt.Sprintf("%s/%s:%s", r.ReleaseContainerRegistry, "ecr-token-refresher", Tokentag), r.AwsSignerProfileArn)
 			if err != nil {
 				fmt.Printf("Error copying dev EKS Anywhere package token refresher image, to ECR Public: %v", err)
 			}

release/cli/pkg/images/images.go

@@ -94,7 +94,7 @@ func PollForExistence(devRelease bool, authConfig *docker.AuthConfiguration, ima
 	return nil
 }
 
-func CopyToDestination(sourceAuthConfig, releaseAuthConfig *docker.AuthConfiguration, sourceImageUri, releaseImageUri string) error {
+func CopyToDestination(sourceAuthConfig, releaseAuthConfig *docker.AuthConfiguration, sourceImageUri, releaseImageUri, awsSignerProfileArn string) error {
 	retrier := retrier.NewRetrier(60*time.Minute, retrier.WithRetryPolicy(func(totalRetries int, err error) (retry bool, wait time.Duration) {
 		if err != nil && totalRetries < 10 {
 			return true, 30 * time.Second
@@ -119,6 +119,14 @@ func CopyToDestination(sourceAuthConfig, releaseAuthConfig *docker.AuthConfigura
 	if err != nil {
 		return fmt.Errorf("retries exhausted performing image copy from source to destination: %v", err)
 	}
+	// Sign public ECR image using AWS signer and notation CLI
+	// notation sign <registry>/<repository>:<tag> --plugin com.amazonaws.signer.notation.plugin --id <signer_profile_arn>
+	cmd := exec.Command("notation", "sign", releaseImageUri, "--plugin", "com.amazonaws.signer.notation.plugin", "--id", awsSignerProfileArn, "-u", releaseRegistryUsername, "-p", releaseRegistryPassword)
+	out, err := commandutils.ExecCommand(cmd)
+	fmt.Println(out)
+	if err != nil {
+		return fmt.Errorf("executing sigining container image with Notation CLI: %v", err)
+	}
 
 	return nil
 }

release/cli/pkg/operations/upload.go

@@ -111,7 +111,7 @@ func UploadArtifacts(r *releasetypes.ReleaseConfig, eksArtifacts map[string][]re
 				releaseImageUri := artifact.Image.ReleaseImageURI
 				fmt.Printf("Source Image - %s\n", sourceImageUri)
 				fmt.Printf("Destination Image - %s\n", releaseImageUri)
-				err := images.CopyToDestination(sourceEcrAuthConfig, releaseEcrAuthConfig, sourceImageUri, releaseImageUri)
+				err := images.CopyToDestination(sourceEcrAuthConfig, releaseEcrAuthConfig, sourceImageUri, releaseImageUri, r.AwsSignerProfileArn)
 				if err != nil {
 					return fmt.Errorf("copying image from source to destination: %v", err)
 				}

release/cli/pkg/types/types.go

@@ -52,6 +52,7 @@ type ReleaseConfig struct {
 	ReleaseClients           *clients.ReleaseClients
 	BundleArtifactsTable     map[string][]Artifact
 	EksAArtifactsTable       map[string][]Artifact
+	AwsSignerProfileArn      string
 }
 
 type ImageTagOverride struct {

release/scripts/bundle-release.sh

@@ -57,4 +57,5 @@ ${BASE_DIRECTORY}/release/bin/eks-anywhere-release release \
     --dev-release=false \
     --bundle-release=true \
     --build-repo-url "${BUILD_REPO_URL}" \
-    --cli-repo-url "${CLI_REPO_URL}"
+    --cli-repo-url "${CLI_REPO_URL}" \
+    --aws-signer-profile-arn "${AWS_SIGNER_PROFILE_ARN}"

release/scripts/release.sh

@@ -50,4 +50,5 @@ ${BASE_DIRECTORY}/release/bin/eks-anywhere-release release \
     --release-container-registry "${RELEASE_CONTAINER_REGISTRY}" \
     --dev-release=true \
     --dry-run=${DRY_RUN} \
-    --weekly=${WEEKLY}
+    --weekly=${WEEKLY} \
+    --aws-signer-profile-arn "${AWS_SIGNER_PROFILE_ARN}"