Sign container images with notation CLI with shasum instead of tag (#…
panktishah26 authored Dec 15, 2023
1 parent 3805885 commit 2a15b1b
Showing 5 changed files with 32 additions and 12 deletions.
6 changes: 6 additions & 0 deletions release/cli/cmd/release.go
Expand Up @@ -194,6 +194,12 @@ var releaseCmd = &cobra.Command{
os.Exit(1)
}

err = operations.SignImagesNotation(releaseConfig, imageDigests)
if err != nil {
fmt.Printf("Error signing container images using notation CLI and AWS Signer: %v\n", err)
os.Exit(1)
}

err = operations.GenerateBundleSpec(releaseConfig, bundle, imageDigests)
if err != nil {
fmt.Printf("Error generating bundles manifest: %+v\n", err)
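Review bot: The new failure branch prints the signing error with `%v` while the GenerateBundleSpec branch directly below it uses `%+v`; since the operations package builds errors with github.com/pkg/errors, `%+v` is also what surfaces the attached stack trace. For consistency within releaseCmd I would change the print to `fmt.Printf("Error signing container images using notation CLI and AWS Signer: %+v\n", err)`. releaseCmd's Run body begins and ends outside this hunk.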
4 changes: 2 additions & 2 deletions release/cli/pkg/bundles/package-controller.go
Expand Up @@ -65,7 +65,7 @@ func GetPackagesBundle(r *releasetypes.ReleaseConfig, imageDigests map[string]st
}
if !PackageImage {
fmt.Printf("Did not find the required helm image in Public ECR... copying image: %v\n", fmt.Sprintf("%s/%s:%s", r.ReleaseContainerRegistry, "eks-anywhere-packages", Imagetag))
err := images.CopyToDestination(r.SourceClients.ECR.AuthConfig, r.ReleaseClients.ECRPublic.AuthConfig, fmt.Sprintf("%s/%s:%s", r.SourceContainerRegistry, "eks-anywhere-packages", Imagetag), fmt.Sprintf("%s/%s:%s", r.ReleaseContainerRegistry, "eks-anywhere-packages", Imagetag), r.AwsSignerProfileArn)
err := images.CopyToDestination(r.SourceClients.ECR.AuthConfig, r.ReleaseClients.ECRPublic.AuthConfig, fmt.Sprintf("%s/%s:%s", r.SourceContainerRegistry, "eks-anywhere-packages", Imagetag), fmt.Sprintf("%s/%s:%s", r.ReleaseContainerRegistry, "eks-anywhere-packages", Imagetag))
if err != nil {
fmt.Printf("Error copying dev EKS Anywhere package controller image, to ECR Public: %v", err)
}
Expand All @@ -80,7 +80,7 @@ func GetPackagesBundle(r *releasetypes.ReleaseConfig, imageDigests map[string]st
}
if !TokenImage {
fmt.Printf("Did not find the required helm image in Public ECR... copying image: %v\n", fmt.Sprintf("%s/%s:%s", r.ReleaseContainerRegistry, "ecr-token-refresher", Tokentag))
err := images.CopyToDestination(r.SourceClients.ECR.AuthConfig, r.ReleaseClients.ECRPublic.AuthConfig, fmt.Sprintf("%s/%s:%s", r.SourceContainerRegistry, "ecr-token-refresher", Tokentag), fmt.Sprintf("%s/%s:%s", r.ReleaseContainerRegistry, "ecr-token-refresher", Tokentag), r.AwsSignerProfileArn)
err := images.CopyToDestination(r.SourceClients.ECR.AuthConfig, r.ReleaseClients.ECRPublic.AuthConfig, fmt.Sprintf("%s/%s:%s", r.SourceContainerRegistry, "ecr-token-refresher", Tokentag), fmt.Sprintf("%s/%s:%s", r.ReleaseContainerRegistry, "ecr-token-refresher", Tokentag))
if err != nil {
fmt.Printf("Error copying dev EKS Anywhere package token refresher image, to ECR Public: %v", err)
}
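Review bot: Dropping `r.AwsSignerProfileArn` from both `images.CopyToDestination` calls means the `eks-anywhere-packages` and `ecr-token-refresher` images copied here are no longer signed at copy time; they are only signed if their public ECR references end up in the `imageDigests` map that `operations.SignImagesNotation` iterates, which this hunk does not show. Worth confirming that `GenerateImageDigestsTable` includes these two package images, otherwise the change silently leaves them unsigned. The same question applies to the `CopyToDestination` call updated in `release/cli/pkg/operations/upload.go`. GetPackagesBundle's body continues outside the hunk.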
10 changes: 1 addition & 9 deletions release/cli/pkg/images/images.go
Expand Up @@ -94,7 +94,7 @@ func PollForExistence(devRelease bool, authConfig *docker.AuthConfiguration, ima
return nil
}

func CopyToDestination(sourceAuthConfig, releaseAuthConfig *docker.AuthConfiguration, sourceImageUri, releaseImageUri, awsSignerProfileArn string) error {
func CopyToDestination(sourceAuthConfig, releaseAuthConfig *docker.AuthConfiguration, sourceImageUri, releaseImageUri string) error {
retrier := retrier.NewRetrier(60*time.Minute, retrier.WithRetryPolicy(func(totalRetries int, err error) (retry bool, wait time.Duration) {
if err != nil && totalRetries < 10 {
return true, 30 * time.Second
Expand All @@ -119,14 +119,6 @@ func CopyToDestination(sourceAuthConfig, releaseAuthConfig *docker.AuthConfigura
if err != nil {
return fmt.Errorf("retries exhausted performing image copy from source to destination: %v", err)
}
// Sign public ECR image using AWS signer and notation CLI
// notation sign <registry>/<repository>:<tag> --plugin com.amazonaws.signer.notation.plugin --id <signer_profile_arn>
cmd := exec.Command("notation", "sign", releaseImageUri, "--plugin", "com.amazonaws.signer.notation.plugin", "--id", awsSignerProfileArn, "-u", releaseRegistryUsername, "-p", releaseRegistryPassword)
out, err := commandutils.ExecCommand(cmd)
fmt.Println(out)
if err != nil {
return fmt.Errorf("executing sigining container image with Notation CLI: %v", err)
}

return nil
}
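Review bot: CopyToDestination no longer signs the image it copies, but the hunk leaves no doc comment saying so, and a caller reading only this function could still assume the old copy-and-sign behavior. I would add above the signature: `// CopyToDestination copies sourceImageUri to releaseImageUri with retries. It does not sign the destination image; signing is done separately by operations.SignImagesNotation.` The retry policy and the copy call between the two hunks are outside this view.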
22 changes: 22 additions & 0 deletions release/cli/pkg/operations/bundle_release.go
Expand Up @@ -16,6 +16,7 @@ package operations

import (
"fmt"
"os/exec"

"github.com/pkg/errors"

Expand All @@ -27,6 +28,7 @@ import (
"github.com/aws/eks-anywhere/release/cli/pkg/filereader"
releasetypes "github.com/aws/eks-anywhere/release/cli/pkg/types"
artifactutils "github.com/aws/eks-anywhere/release/cli/pkg/util/artifacts"
commandutils "github.com/aws/eks-anywhere/release/cli/pkg/util/command"
)

func GenerateBundleArtifactsTable(r *releasetypes.ReleaseConfig) (map[string][]releasetypes.Artifact, error) {
Expand Down Expand Up @@ -110,6 +112,26 @@ func GenerateImageDigestsTable(r *releasetypes.ReleaseConfig) (map[string]string
return imageDigests, nil
}

func SignImagesNotation(r *releasetypes.ReleaseConfig, imageDigests map[string]string) error {
if r.DryRun {
fmt.Println("Skipping image signing in dry-run mode")
return nil
}
releaseRegistryUsername := r.ReleaseClients.ECRPublic.AuthConfig.Username
releaseRegistryPassword := r.ReleaseClients.ECRPublic.AuthConfig.Password
for image, digest := range imageDigests {
// Sign public ECR image using AWS signer and notation CLI
// notation sign <registry>/<repository>@<sha256:shasum> --plugin com.amazonaws.signer.notation.plugin --id <signer_profile_arn>
cmd := exec.Command("notation", "sign", fmt.Sprintf("%s@%s", image, digest), "--plugin", "com.amazonaws.signer.notation.plugin", "--id", r.AwsSignerProfileArn, "-u", releaseRegistryUsername, "-p", releaseRegistryPassword)
out, err := commandutils.ExecCommand(cmd)
fmt.Println(out)
if err != nil {
return fmt.Errorf("executing sigining container image with Notation CLI: %v", err)
}
}
return nil
}

func GenerateBundleSpec(r *releasetypes.ReleaseConfig, bundle *anywherev1alpha1.Bundles, imageDigests map[string]string) error {
fmt.Println("\n==========================================================")
fmt.Println(" Bundles Manifest Spec Generation")
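Review bot: The registry password is handed to notation as a command-line argument (`-p`) on the `exec.Command` line in SignImagesNotation, which makes it readable by any local process through the process table for the lifetime of each sign call; notation reads `NOTATION_USERNAME`/`NOTATION_PASSWORD` from the environment, so passing the credentials through `cmd.Env` keeps them out of argv (this assumes `commandutils.ExecCommand` does not replace `cmd.Env`, and would need `os` imported). The error on the `return fmt.Errorf` line also carries over the old typo (`sigining`), does not say which image failed, and uses `%v` where `%w` keeps the cause inspectable with errors.Is/As. Sketched below; the dry-run guard and credential lookup above the loop are unchanged.
```go
for image, digest := range imageDigests {
	ref := fmt.Sprintf("%s@%s", image, digest)
	// Sign public ECR image using AWS signer and notation CLI; credentials go via the
	// environment rather than argv so they do not show up in process listings.
	cmd := exec.Command("notation", "sign", ref, "--plugin", "com.amazonaws.signer.notation.plugin", "--id", r.AwsSignerProfileArn)
	cmd.Env = append(os.Environ(), "NOTATION_USERNAME="+releaseRegistryUsername, "NOTATION_PASSWORD="+releaseRegistryPassword)
	out, err := commandutils.ExecCommand(cmd)
	fmt.Println(out)
	if err != nil {
		return fmt.Errorf("signing container image %s with Notation CLI: %w", ref, err)
	}
}
```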
2 changes: 1 addition & 1 deletion release/cli/pkg/operations/upload.go
Expand Up @@ -111,7 +111,7 @@ func UploadArtifacts(r *releasetypes.ReleaseConfig, eksArtifacts map[string][]re
releaseImageUri := artifact.Image.ReleaseImageURI
fmt.Printf("Source Image - %s\n", sourceImageUri)
fmt.Printf("Destination Image - %s\n", releaseImageUri)
err := images.CopyToDestination(sourceEcrAuthConfig, releaseEcrAuthConfig, sourceImageUri, releaseImageUri, r.AwsSignerProfileArn)
err := images.CopyToDestination(sourceEcrAuthConfig, releaseEcrAuthConfig, sourceImageUri, releaseImageUri)
if err != nil {
return fmt.Errorf("copying image from source to destination: %v", err)
}
