Sample Terraform module to demonstrate using HashiCorp Vault's Transit Engine to sign and verify container images and the Sigstore Kubernetes Policy Controller to enforce a container image signing policy in a Kubernetes cluster.
This module is intended only for demo purposes and should not be used in a production environment without careful consideration of applicable operational and security requirements.
- HashiCorp Vault cluster (e.g., HCP Vault Dedicated)
- Kubernetes Authentication configured in the Vault cluster
- Authentication role pre-provisioned for the Sigstore Policy Controller to authenticate to Vault, e.g. restricting access to the `sigstore` namespace and the `sigstore-policy-controller-webhook` Service Account.
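The Vault-side prerequisites above, written out as an added Terraform example (this is not code from the module itself). It assumes a Transit engine mounted at `transit`, a Kubernetes auth method mounted at `kubernetes`, and a signing key named `cosign-demo`; these names are illustrative. The Vault policy grants only what signature verification needs: reading the key's public material and calling the key's `verify` endpoint, with no `sign` capability, so a compromised webhook token cannot produce new signatures.

```hcl
# Added example, not the module's own code. Assumed mount paths and key name
# are illustrative; adjust to your Vault cluster.

# Transit engine holding the image signing key.
resource "vault_mount" "transit" {
  path = "transit" # assumption: default cosign TRANSIT_SECRET_ENGINE_PATH
  type = "transit"
}

# Asymmetric key used by cosign via hashivault://cosign-demo.
resource "vault_transit_secret_backend_key" "cosign" {
  backend          = vault_mount.transit.path
  name             = "cosign-demo" # assumption: illustrative key name
  type             = "ecdsa-p256"
  deletion_allowed = false
}

# Verification-only policy for the Policy Controller: it may read the public
# key and ask Vault to verify signatures, but never sign.
resource "vault_policy" "policy_controller_verify" {
  name = "sigstore-policy-controller-verify"

  policy = <<-EOT
    path "${vault_mount.transit.path}/keys/${vault_transit_secret_backend_key.cosign.name}" {
      capabilities = ["read"]
    }
    path "${vault_mount.transit.path}/verify/${vault_transit_secret_backend_key.cosign.name}/*" {
      capabilities = ["update"]
    }
  EOT
}

# Kubernetes auth role bound to the webhook's namespace and Service Account,
# so only that workload can obtain a token carrying the verify policy.
resource "vault_kubernetes_auth_backend_role" "policy_controller" {
  backend                          = "kubernetes" # assumption: auth method already configured here
  role_name                        = "sigstore-policy-controller"
  bound_service_account_names      = ["sigstore-policy-controller-webhook"]
  bound_service_account_namespaces = ["sigstore"]
  token_policies                   = [vault_policy.policy_controller_verify.name]
  token_ttl                        = 3600
}
```

Binding both the Service Account name and the namespace matters: binding only the name would let an identically named Service Account in another namespace assume the role.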
Once you have signed a test container image, redeploy the Terraform root module with the `image_name` and `image_digest` variables set. The Terraform root module will then attempt to create a Kubernetes deployment to run the specified container image and validate that Sigstore Policy Controller is enforcing the container image signing policy.
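What the redeploy step exercises, as an added Terraform example rather than the module's own `image-policies` or `test-deployment` code: a `ClusterImagePolicy` whose authority is the Vault Transit key (assumed to be named `cosign-demo`, referenced with cosign's `hashivault://` scheme), an opted-in test namespace, and a Deployment pinned to the image digest. The namespace label `policy.sigstore.dev/include: "true"` is what makes the Policy Controller admission webhook evaluate pods there; an unlabeled namespace is skipped entirely, which is the most common reason a "failed" test silently passes.

```hcl
# Added example, not the module's own code. Key name and namespace are assumptions.

variable "image_name" {
  type    = string
  default = "library/busybox"
}

variable "image_digest" {
  type        = string
  default     = null
  description = "sha256:<hex> digest of the signed test image"

  validation {
    condition     = var.image_digest == null || can(regex("^sha256:[0-9a-f]{64}$", var.image_digest))
    error_message = "image_digest must be null or of the form sha256:<64 hex chars>."
  }
}

# Enforce: every image in opted-in namespaces must carry a signature that
# Vault verifies against the cosign-demo Transit key.
resource "kubernetes_manifest" "image_policy" {
  manifest = {
    apiVersion = "policy.sigstore.dev/v1beta1"
    kind       = "ClusterImagePolicy"
    metadata   = { name = "vault-transit-signed-only" }
    spec = {
      mode   = "enforce"
      images = [{ glob = "**" }]
      authorities = [{
        key = { kms = "hashivault://cosign-demo" } # assumption: illustrative key name
      }]
    }
  }
}

# The Policy Controller only admits pods in namespaces carrying this label.
resource "kubernetes_namespace" "test" {
  metadata {
    name   = "signing-test" # assumption: illustrative namespace
    labels = { "policy.sigstore.dev/include" = "true" }
  }
}

# Pin by digest so the admitted artifact is exactly the one that was signed;
# a mutable tag could be re-pointed at an unsigned image after verification.
resource "kubernetes_deployment" "test" {
  count = var.image_digest == null ? 0 : 1

  metadata {
    name      = "signing-test"
    namespace = kubernetes_namespace.test.metadata[0].name
  }

  spec {
    selector {
      match_labels = { app = "signing-test" }
    }
    template {
      metadata {
        labels = { app = "signing-test" }
      }
      spec {
        container {
          name    = "test"
          image   = "${var.image_name}@${var.image_digest}"
          command = ["sleep", "3600"]
        }
      }
    }
  }

  depends_on = [kubernetes_manifest.image_policy]
}
```

A useful negative check is to apply the same configuration with the digest of an image you have not signed: the Deployment is created but its ReplicaSet cannot create pods, and `kubectl describe replicaset` shows the webhook's rejection, which confirms the policy is actually enforced rather than merely installed.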
Name | Source | Version |
---|---|---|
harbor | ./modules/harbor | n/a |
image_policies | ./modules/image-policies | n/a |
policy_controller | ./modules/policy-controller | n/a |
test_deployment | ./modules/test-deployment | n/a |
vault_transit | ./modules/vault-transit | n/a |
Name | Description | Type | Default | Required |
---|---|---|---|---|
deploy_harbor | Toggle to deploy an instance of the Harbor registry in the cluster | `bool` | `false` | no |
image_digest | SHA256 digest of the test container image (prefixed with `sha256:`) | `string` | `null` | no |
image_name | Name of the container image to use for testing policy enforcement | `string` | `"library/busybox"` | no |