initial commit

dev/tekton/tasks/cosign/cosign-pipeline-run.yaml

@@ -0,0 +1,73 @@
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+  generateName: cosign-pipeline-run-
+spec:
+  pipelineRef:
+    name: cosign-pipeline
+#gitea:
+  params:
+  - name: repo-url
+    value: http://gitea.gitea.svc.cluster.local:3000/allard/olproperties.git
+  - name: git-revision
+    value: 1.3
+
+#maven:
+  - name: maven-mirror-url
+    value: 'http://nexus.nexus.svc.cluster.local:8081/repository/maven-public/'
+
+#sonarqube:
+  - name: sonar-organization
+    value: "allarddcs"
+  - name: sonar-project-key
+    value: olproperties
+  - name: sonar-token
+    value: sqp_214ee7c92e1b82b0d43dd9b1d9462eac8f50434c
+  - name: sonar-host-url
+    value: "https://sonarqube-dev.allarddcs.nl"
+  - name: source-to-scan
+    value: ./src
+
+#push-to-harbor:
+  - name: registry
+    value: harbor-dev.allarddcs.nl
+  - name: project
+    value: allard
+  - name: image-name
+    value: olproperties
+
+#cosign
+  - name: cosign-image-url
+    value: harbor-dev.allarddcs.nl/allard/olproperties
+
+#dependency-track
+  - name: deptrack-apiKey
+    value: odt_BRpq4el8T0XqdeunYMnefniaS0n8Yxd8
+  - name: deptrack-projectName
+    value: olproperties
+  - name: deptrack-projectVersion
+    value: 1.1
+  - name: deptrack-url
+    value: https://deptracka-dev.allarddcs.nl
+
+  workspaces:
+  - name: shared-data
+    volumeClaimTemplate:
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: 1Gi
+  - name: maven-settings
+    persistentVolumeClaim:
+    emptyDir: {}
+  - name: sonar-settings
+    configmap:
+      name: sonar-properties
+  - name: registry-credentials
+    secret:
+      secretName: registry-credentials
+      items:
+        - key: .dockerconfigjson
+          path: config.json

dev/tekton/tasks/cosign/cosign-pipeline.yaml

@@ -0,0 +1,64 @@
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+  name: cosign-pipeline
+spec:
+  description: |
+    This pipeline clones a git repo, builds a Docker image with Kaniko and
+    pushes it to a registry
+  params:
+  - name: repo-url
+    type: string
+  - name: git-revision
+    type: string
+
+  - name: maven-mirror-url
+    type: string
+
+  - name: sonar-organization
+    type: string
+  - name: sonar-project-key
+    type: string
+  - name: sonar-token
+    type: string
+  - name: sonar-host-url
+    type: string
+  - name: source-to-scan
+    type: string
+
+  - name: registry
+    type: string
+  - name: project
+    type: string
+  - name: image-name
+    type: string
+
+  - name: cosign-image-url
+    type: string
+
+  - name: deptrack-projectName
+    type: string
+  - name: deptrack-projectVersion
+    type: string
+  - name: deptrack-apiKey
+    type: string
+  - name: deptrack-url
+    type: string
+
+  workspaces:
+  - name: shared-data
+  - name: registry-credentials
+  - name: maven-settings
+  - name: sonar-settings
+
+  tasks:
+
+  - name: cosign-sign
+    taskRef:
+      name: cosign-sign
+    params:
+    - name: cosign-image-url
+      value: $(params.registry)/$(params.project)/$(params.image-name):$(params.git-revision)
+    - name: cosign-image-digest
+      value: sha256:bfb0a7c2b8960ec9a1f61df004bfea8826ab9bf95454368aead0acce929654a4
+

dev/tekton/tasks/cosign/cosign-sign-pipeline-run.yaml

@@ -0,0 +1,18 @@
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+  generateName: cosign-pipeline-run-
+spec:
+  pipelineRef:
+    name: cosign-sign-pipeline  # This refers to your pipeline defined earlier
+  params:
+    - name: image
+      value: "harbor-dev.allarddcs.nl/allard/olproperties:1.3"
+    - name: cosign-password
+      valueFrom:
+        secretKeyRef:
+          name: cosign-password-secret
+          key: password
+
+
+

dev/tekton/tasks/cosign/cosign-sign-pipeline.yaml

@@ -0,0 +1,15 @@
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+  name: cosign-sign-pipeline
+spec:
+  params:
+    - name: image
+      type: string
+  tasks:
+    - name: sign-image
+      taskRef:
+        name: cosign-sign
+      params:
+        - name: image
+          value: $(params.image)

dev/tekton/tasks/cosign/cosign-sign.yaml

@@ -0,0 +1,69 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: cosign-sign
+spec:
+  params:
+    - name: cosign-image-url
+      description: The image to sign (e.g., harbor.example.com/repo/image:tag)
+      type: string
+    - name: cosign-image-digest
+      type: string
+  steps:
+    - name: debug
+      image: busybox
+      command: [ "sh", "-c" ]
+      args:
+        - "cat /root/.docker/config.json"
+      volumeMounts:
+        - name: registry-credentials
+          mountPath: /root/.docker/config.json
+          subPath: .dockerconfigjson
+
+    - name: cosign-sign
+     #      image: ghcr.io/sigstore/cosign:v2.4.1
+      image: bitnamilegacy/cosign
+      securityContext:
+        runAsUser: 0  # Run as root
+        runAsGroup: 0 # Group ID for root
+        privileged: true # Allow privileged operations (if needed)
+      env:
+        - name: COSIGN_ACCEPT
+          value: "Y"               # Automatically agree to the terms & conditions
+        - name: COSIGN_PASSWORD
+          value: "Harbor01@"
+      script: |
+        #!/bin/bash
+        cosign login  harbor-dev.allarddcs.nl -u admin -p Harbor01@
+        set -e
+
+        echo "Signing image: $(params.cosign-image-url)"
+
+        # Sign the image with Cosign
+        echo "y" | cosign sign --key /cosign-keys/key $(params.cosign-image-url)@$(params.cosign-image-digest)
+
+      volumeMounts:
+        - name: cosign-key
+          mountPath: /cosign-keys  # Mount the secret at /cosign-keys
+        - name: registry-credentials
+          mountPath: /root/.docker/config.json
+          subPath: .dockerconfigjson
+        - name: docker-socket
+          mountPath: /var/run/docker.sock  # Mount the Docker socket inside the container
+  volumes:
+    - name: cosign-key
+      secret:
+        secretName: cosign-key-secret     # Secret name for the Cosign key
+        items:
+          - key: cosign.key               # Key in the secret that holds the Cosign private key
+            path: key                      # Path inside the container where the key will be available (i.e., /cosign-keys/key)
+    - name: registry-credentials
+      secret:
+        secretName: registry-credentials  # Secret containing Harbor credentials (from the previous step)
+        items:
+          - key: .dockerconfigjson       # Mount the Docker config to the right place
+            path: .dockerconfigjson
+    - name: docker-socket
+      hostPath:
+        path: /var/run/docker.sock  # Mount the Docker socket
+        type: Socket

dev/tekton/tasks/cosign/cosign.key

@@ -0,0 +1,11 @@
+-----BEGIN ENCRYPTED SIGSTORE PRIVATE KEY-----
+eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjo2NTUzNiwiciI6
+OCwicCI6MX0sInNhbHQiOiJ5c2d3bWNPQUpIKzVyR1h1OFRyZDY4UnpsVkkrZGRM
+MnA4cDBpdytaTEY4PSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94
+Iiwibm9uY2UiOiJjNUtMSyt2YmphbWtWQWs5SFJJcHZpL1BmNlBENW5uZSJ9LCJj
+aXBoZXJ0ZXh0IjoiVTVub2ZDLzd1MUtza1dqNWl2TGp4bW1GZ2pseVY1VnZkeGVr
+SmE5Ukkvbm1CWk53aHJsWWNUQjBRUGlTMUNlaVh5RGlqZnNNT1d4Tnh0Y3U5akxI
+a1BsMnNkNW0wVy91dlJrRmRWRVlFcXFCQWlrbzg3aW9oVkVxWC9CQitvaEd2Rkt0
+bWZBTU8yaUtwTm8wRmxieldHaW9sOFlKNHRCZlNZWlFrY055WGF1ait5Z3ovaTJK
+NG5tajBRWDM1QlhpQjQwa1ladXhhaDRsRkE9PSJ9
+-----END ENCRYPTED SIGSTORE PRIVATE KEY-----

dev/tekton/tasks/cosign/cosign.pub

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7PCFjmQqVhO6j6uPMcLrFhEgFSeG
+vlpDy1WNaOUie/f40NIfRrA8nusDm5Kj7PF2X+zgGlQbgpjHpJd7iOMG2g==
+-----END PUBLIC KEY-----

dev/tekton/tasks/cosign/cosign.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: cosign-debug
+spec:
+  containers:
+    - name: cosign
+      image: bitnami/cosign
+      command: ["sleep", "3600"]
+      volumeMounts:
+        - name: cosign-key
+          mountPath: /cosign
+  volumes:
+    - name: cosign-key
+      secret:
+        secretName: cosign-key-secret
+        items:
+          - key: cosign.key
+            path: key

dev/tekton/tasks/cosign/create-cosign-key-secret.sh

@@ -0,0 +1 @@
+microk8s kubectl create secret generic cosign-key-secret --from-file=cosign.key=/home/ubuntu/containers/kubernetes/tekton/tasks/cosign/cosign.key

dev/tekton/tasks/cosign/create-cosign-password-secret.sh

@@ -0,0 +1 @@
+microk8s kubectl create secret generic cosign-password-secret --from-literal=password=Harbor01@