Skip to content
This repository has been archived by the owner on Jul 3, 2024. It is now read-only.

switching to new keycloak #37

switching to new keycloak

switching to new keycloak #37

Workflow file for this run

name: Validate SecureSign Ansible
on:
workflow_dispatch:
push:
branches: ["main", "release*"]
tags: ["*"]
pull_request:
branches: ["main", "release*"]
env:
GO_VERSION: 1.21
AWS_REGION: us-east-2
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
BASE_HOSTNAME: ${{ secrets.BASE_DOMAIN }}
FULCIO_URL: https://fulcio.${{ secrets.BASE_DOMAIN }}
TUF_URL: https://tuf.${{ secrets.BASE_DOMAIN }}
KEYCLOAK_URL: ${{ secrets.KEYCLOAK_URL }}
KEYCLOAK_REALM: trusted-artifact-signer
KEYCLOAK_OIDC_ISSUER: ${{ secrets.KEYCLOAK_URL}}/realms/trusted-artifact-signer
REKOR_URL: https://rekor.${{ secrets.BASE_DOMAIN }}
TF_VAR_base_domain: ${{ secrets.BASE_DOMAIN }}
TF_VAR_vpc_id: ${{ secrets.VPC_ID }}
TF_VAR_rh_username: ${{ secrets.RH_USERNAME }}
TF_VAR_rh_password: ${{ secrets.RH_PASSWORD }}
TF_VAR_aws_access_key: ${{ secrets.AWS_ACCESS_KEY_ID }}
TF_VAR_aws_secret_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
IMAGE: ttl.sh/sigstore-test:15m
jobs:
deploy-and-test:
name: Deploy using terraform then tag, push, sign and verify
runs-on: ubuntu-latest
steps:
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: 1.8.1
- name: update packages and the system
run: sudo apt-get update && sudo apt-get upgrade -y
- name: Checkout code
uses: actions/checkout@v2
- name: sshkeygen for ansible
run: ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa -N ""
- name: build push sign and tag
run: |
buildah pull alpine:latest
buildah tag alpine:latest ${{ env.IMAGE }}
buildah push ${{ env.IMAGE }}
- name: generate an AWS credentials file
run: |
mkdir -p ~/.aws
echo "[default]" > ~/.aws/credentials
echo "aws_access_key_id = ${{ secrets.AWS_ACCESS_KEY_ID }}" >> ~/.aws/credentials
echo "aws_secret_access_key = ${{ secrets.AWS_SECRET_ACCESS_KEY }}" >> ~/.aws/credentials
- name: Terraform Init
run: terraform init
- name: Terraform Apply
run: terraform apply -auto-approve
- name: install cosign
uses: sigstore/[email protected]
with:
cosign-release: 'v2.2.2' # optional
- name: Grab the certificate and trust it
run: export ESCAPED_URL=sigstore_octo-emerging_redhataicoe_com && rm -rf ./*.pem && openssl s_client -showcerts -verify 5 -connect rekor.$BASE_HOSTNAME:443 < /dev/null | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{ if(/BEGIN CERTIFICATE/){a++}; out="cert"a".pem"; print >out}' && for cert in *.pem; do newname=$(openssl x509 -noout -subject -in $cert | sed -nE 's/.*CN ?= ?(.*)/\1/; s/[ ,.*]/_/g; s/__/_/g; s/_-_/-/; s/^_//g;p' | tr '[:upper:]' '[:lower:]').pem; echo "${newname}"; mv "${cert}" "${newname}" ; done && sudo mv $ESCAPED_URL.pem /etc/ssl/certs/ && sudo update-ca-certificates && cosign initialize --mirror=$TUF_URL --root=$TUF_URL/root.json
- name: sign and verify
run: |
TOKEN=$(curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=jdoe" -d "password=secure" -d "grant_type=password" -d "scope=openid" -d "client_id=sigstore" ${{ env.KEYCLOAK_OIDC_ISSUER }}/protocol/openid-connect/token | sed -E 's/.*"access_token":"([^"]*).*/\1/')
cosign sign -y --fulcio-url=${{ env.FULCIO_URL}} --rekor-url=${{ env.REKOR_URL}} --oidc-issuer=${{ env.KEYCLOAK_OIDC_ISSUER}} --identity-token=$TOKEN --oidc-client-id=${{ secrets.KEYCLOAK_REALM }} ${{ env.IMAGE }}
cosign verify --rekor-url=${{ env.REKOR_URL}} --certificate-identity-regexp ".*@redhat" --certificate-oidc-issuer-regexp ".*keycloak.*" ${{ env.IMAGE }}
- name: Terraform Destroy
if: always()
run: terraform destroy -auto-approve