diff --git a/.github/workflows/dev_build_precache.yml b/.github/workflows/dev_build_precache.yml
index 6406ddbd5e..3049ebee5e 100644
--- a/.github/workflows/dev_build_precache.yml
+++ b/.github/workflows/dev_build_precache.yml
@@ -66,7 +66,7 @@ jobs:
registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
- - uses: deckhouse/modules-actions/build@v4
+ - uses: deckhouse/modules-actions/build@v15
env:
WERF_EXPERIMENTAL_IMPORT_BY_SOURCE_IMAGE_TAG: "true"
with:
diff --git a/.github/workflows/dev_build_svace.yml b/.github/workflows/dev_build_svace.yml
index c31fef6c1a..5e0a4da61a 100644
--- a/.github/workflows/dev_build_svace.yml
+++ b/.github/workflows/dev_build_svace.yml
@@ -111,11 +111,13 @@ jobs:
registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
- - uses: deckhouse/modules-actions/build@v4
+ - uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ vars.DEV_MODULE_SOURCE}}
module_name: ${{ vars.MODULE_NAME }}
module_tag: ${{needs.set_vars.outputs.modules_module_tag}}
+ registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
+ registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }}
source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
svace_enabled: "true"
diff --git a/.github/workflows/dev_module_build-and-registration.yml b/.github/workflows/dev_module_build-and-registration.yml
index b251cedb82..bd78e812a2 100644
--- a/.github/workflows/dev_module_build-and-registration.yml
+++ b/.github/workflows/dev_module_build-and-registration.yml
@@ -112,7 +112,7 @@ jobs:
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
- if: ${{ github.event.inputs.enableBuild == 'true' }}
- uses: deckhouse/modules-actions/build@v4
+ uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ vars.DEV_MODULE_SOURCE}}
module_name: ${{ vars.MODULE_NAME }}
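Review bot: In the dev_build_svace.yml hunk the build step that now receives `registry_password` (and already receives `source_repo_ssh_key`) is still referenced through the mutable tag `deckhouse/modules-actions/build@v15`, so anyone able to move that tag in the actions repository gets the DEV registry password and `SOURCE_REPO_SSH_KEY` on the next run. Pin the action to a full-length commit SHA and keep the tag as a trailing comment, e.g. `- uses: deckhouse/modules-actions/build@<full-commit-sha> # v15`, and do the same for the login step above it, which shares the same secrets. The same floating reference is repeated in every workflow touched by this diff; the steps list continues outside the hunk.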
diff --git a/.github/workflows/dev_module_build.yml b/.github/workflows/dev_module_build.yml
index 93088ddcc7..f3ee59e7c9 100644
--- a/.github/workflows/dev_module_build.yml
+++ b/.github/workflows/dev_module_build.yml
@@ -418,11 +418,13 @@ jobs:
registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
- - uses: deckhouse/modules-actions/build@v4
+ - uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ vars.DEV_MODULE_SOURCE}}
module_name: ${{ vars.MODULE_NAME }}
module_tag: ${{needs.set_vars.outputs.modules_module_tag}}
+ registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
+ registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }}
source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
svace_enabled: ${{ inputs.svace_enabled || contains(github.event.pull_request.labels.*.name, 'analyze/svace') }}
diff --git a/.github/workflows/e2e-test-releases.yml b/.github/workflows/e2e-test-releases.yml
index 8404c029a7..e4ec3ff351 100644
--- a/.github/workflows/e2e-test-releases.yml
+++ b/.github/workflows/e2e-test-releases.yml
@@ -196,11 +196,13 @@ jobs:
registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
- - uses: deckhouse/modules-actions/build@v4
+ - uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ vars.DEV_MODULE_SOURCE }}
module_name: ${{ vars.MODULE_NAME }}
module_tag: ${{ matrix.module_tag }}
+ registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
+ registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
source_repo: ${{ secrets.SOURCE_REPO_GIT }}
source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
diff --git a/.github/workflows/release_module_build-and-registration.yml b/.github/workflows/release_module_build-and-registration.yml
index 8a2937c51f..4478ebdcdc 100644
--- a/.github/workflows/release_module_build-and-registration.yml
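Review bot: In the dev_module_build.yml hunk the DEV registry password is now passed a second time, as the `registry_password` input of the build action, so it lands in that step's environment next to `SOURCE_REPO_SSH_KEY`, and the `svace_enabled` line shows this job evaluates `github.event.pull_request.labels`, i.e. it runs for pull requests. That combination is only safe if the workflow trigger is `pull_request` (or fork PRs are excluded) and not `pull_request_target`; the `on:` block is outside this hunk, so please confirm. If the extra input exists only so the `vex.tmpl` attestation stage added in this diff can read `REGISTRY_USER`/`REGISTRY_PASSWORD`, a one-line comment above the two new lines saying so (`# consumed by the cosign attest stage in .werf/defines/vex.tmpl`) would stop the next reader from "deduplicating" it against the login step.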
+++ b/.github/workflows/release_module_build-and-registration.yml
@@ -81,11 +81,13 @@ jobs:
registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
- - uses: deckhouse/modules-actions/build@v4
+ - uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
module_name: ${{ vars.MODULE_NAME }}
module_tag: ${{ github.ref_name }}
+ registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }}
+ registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }}
source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }}
source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}"
@@ -134,11 +136,13 @@ jobs:
registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
- - uses: deckhouse/modules-actions/build@v4
+ - uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
module_name: ${{ vars.MODULE_NAME }}
module_tag: ${{ github.ref_name }}
+ registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }}
+ registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }}
source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }}
source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}"
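Review bot: The new `registry_user`/`registry_password` lines in the `@@ -81` hunk hand the PROD write credentials (`PROD_MODULES_REGISTRY_LOGIN`/`PROD_MODULES_REGISTRY_PASSWORD`) to the build step while the login step directly above still authenticates with the DEV pair, so this job now holds both credential sets at once and nothing in the hunk says why the prod password is needed here. Per the `.werf/defines/vex.tmpl` added in this same diff, those values are turned into `--registry-username=`/`--registry-password=` arguments on the `cosign attest` command line, where they are readable by anything that can list processes in the build container and possibly echoed by cosign's `-d` debug output. Prefer authenticating inside the stage with `cosign login "${IMAGE_REPO%%/*}" -u "${REGISTRY_USER}" --password-stdin <<< "${REGISTRY_PASSWORD}"` and dropping the two `--registry-*` flags, and if the prod registry supports it use a token scoped to pushing attestations rather than the full write password. The same two lines recur in the `@@ -134`, `@@ -188` and `@@ -242` hunks of this file; the steps list continues outside the hunk.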
@@ -188,11 +192,13 @@ jobs:
registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
- - uses: deckhouse/modules-actions/build@v4
+ - uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
module_name: ${{ vars.MODULE_NAME }}
module_tag: ${{ github.ref_name }}
+ registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }}
+ registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }}
source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }}
source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}"
@@ -242,11 +248,13 @@ jobs:
registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
- - uses: deckhouse/modules-actions/build@v4
+ - uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
module_name: ${{ vars.MODULE_NAME }}
module_tag: ${{ github.ref_name }}
+ registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }}
+ registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }}
source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }}
source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}"
diff --git a/.github/workflows/release_module_release-channels.yml b/.github/workflows/release_module_release-channels.yml
index f91ee80dea..fcbbd15080 100644
--- a/.github/workflows/release_module_release-channels.yml
+++ b/.github/workflows/release_module_release-channels.yml
@@ -205,7 +205,7 @@ jobs:
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
- if: ${{ inputs.enableBuild }}
- uses: deckhouse/modules-actions/build@v4
+ uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
module_name: ${{ vars.MODULE_NAME }}
@@ -271,7 +271,7 @@ jobs:
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
- if: ${{ inputs.enableBuild }}
- uses: deckhouse/modules-actions/build@v4
+ uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
module_name: ${{ vars.MODULE_NAME }}
@@ -330,7 +330,7 @@ jobs:
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
- if: ${{ inputs.enableBuild }}
- uses: deckhouse/modules-actions/build@v4
+ uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
module_name: ${{ vars.MODULE_NAME }}
@@ -393,7 +393,7 @@ jobs:
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
- if: ${{ inputs.enableBuild }}
- uses: deckhouse/modules-actions/build@v4
+ uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
module_name: ${{ vars.MODULE_NAME }}
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 2ad3e5a2df..1662e35a1f 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -128,6 +128,8 @@ variables:
MODULES_REGISTRY_PASSWORD: ${EXTERNAL_MODULES_DEV_REGISTRY_PASSWORD}
MODULES_REGISTRY: dev-registry.deckhouse.io
MODULES_MODULE_SOURCE: ${MODULES_REGISTRY}/sys/deckhouse-oss/modules
+ REGISTRY_USER: ${MODULES_REGISTRY_LOGIN}
+ REGISTRY_PASSWORD: ${MODULES_REGISTRY_PASSWORD}
ENV: DEV
# PROD registry
@@ -137,6 +139,8 @@ variables:
MODULES_REGISTRY_PASSWORD: ${EXTERNAL_MODULES_PROD_REGISTRY_PASSWORD}
MODULES_REGISTRY: registry-write.deckhouse.io
MODULES_MODULE_SOURCE: ${MODULES_REGISTRY}/deckhouse/${EDITION}/modules
+ REGISTRY_USER: ${MODULES_REGISTRY_LOGIN}
+ REGISTRY_PASSWORD: ${MODULES_REGISTRY_PASSWORD}
ENV: PROD
# Templates ============================================================================================================
diff --git a/.werf/defines/vex.tmpl b/.werf/defines/vex.tmpl
new file mode 100644
index 0000000000..f1571f99eb
--- /dev/null
+++ b/.werf/defines/vex.tmpl 
@@ -0,0 +1,143 @@
+# put image with vex mitigations to registry.
+# Mitigations can be found in the known_vulnerabilities.vex file in the image directory
+# input parameters:
+# list of $ and image name.
+# list ($ "common/kubernetes")
+{{- define "vex mitigation" }}
+ {{- $context := index . 0 }}
+ {{- $imageName := index . 1 }}
+ {{- $knownVulnPath := "" }}
+ {{- $isVault := false }}
+ {{- if eq $imageName "dev" }}
+ {{- $knownVulnPath = "/deckhouse-controller/known_vulnerabilities.vex" }}
+ {{- else if eq $imageName "dev/install" }}
+ {{- $knownVulnPath = "/dhctl/known_vulnerabilities.vex" }}
+ {{- else if eq $imageName "bundle" }}
+ {{- $knownVulnPath = "/known_vulnerabilities.vex" }}
+ {{- else if hasKey $context "ModulePriority" }}
+ {{- $knownVulnPath = (printf "/%smodules/%s-%s/images/%s/known_vulnerabilities.vex" $context.ModulePath $context.ModulePriority $context.ModuleName $context.ImageName) }}
+ {{- else }}
+ {{- $knownVulnPath = (printf "/images/%s/known_vulnerabilities.vex" $context.ImageName) }}
+ {{- end }}
+ {{- $vexFile := false }}
+ {{- if eq (len ($context.Files.Glob $knownVulnPath)) 1 }}
+ {{- $vexFile = true }}
+ {{- end }}
+ {{- $werfSignKey := env "WERF_SIGN_KEY" "" }}
+ {{- $vaultKey := env "VAULT_KEY" "" }}
+ {{- $actionsIdToken := env "ACTIONS_ID_TOKEN_REQUEST_TOKEN" "" }}
+ {{- if or (ne $werfSignKey "") (ne $vaultKey "") (ne $actionsIdToken "") }}
+ {{- $isVault = true }}
+ {{- end }}
+ {{- if $vexFile }}
+---
+image: {{ $imageName }}-vex-artifact
+fromImage: base/vex
+final: true
+secrets:
+- id: REGISTRY_USER
+ env: REGISTRY_USER
+- id: REGISTRY_PASSWORD
+ env: REGISTRY_PASSWORD
+{{- if eq $isVault true }}
+{{- if ne $werfSignKey "" }}
+- id: VAULT_ADDR
+ env: VAULT_ADDR
+- id: VAULT_KEY
+ env: WERF_SIGN_KEY
+- id: VAULT_ROLE
+ env: WERF_VAULT_AUTH_ROLE
+- id: VAULT_JWT
+ env: WERF_VAULT_AUTH_JWT
+- id: TRANSIT_SECRET_ENGINE_PATH
+ env: TRANSIT_SECRET_ENGINE_PATH
+{{- else }}
+- id: VAULT_ADDR
+ env: VAULT_ADDR
+- id: VAULT_KEY
+ env: VAULT_KEY
+- id: VAULT_ROLE
+ env: VAULT_ROLE
+- id: TRANSIT_SECRET_ENGINE_PATH
+ env: TRANSIT_SECRET_ENGINE_PATH
+{{- if eq $actionsIdToken "" }}
+- id: VAULT_JWT
+ env: VAULT_ID_TOKEN
+{{- end }}
+{{- end }}
+{{- if ne $actionsIdToken "" }}
+- id: ACTIONS_ID_TOKEN_REQUEST_TOKEN
+ env: ACTIONS_ID_TOKEN_REQUEST_TOKEN
+- id: ACTIONS_ID_TOKEN_REQUEST_URL
+ env: ACTIONS_ID_TOKEN_REQUEST_URL
+{{- end }}
+{{- end }}
+git:
+- add: {{ $knownVulnPath }}
+ to: /known_vulnerabilities.vex
+ stageDependencies:
+ install:
+ - "**/*"
+dependencies:
+- image: {{ $imageName }}
+ before: install
+ imports:
+ - type: ImageDigest
+ targetEnv: IMAGE_DIGEST
+ - type: ImageRepo
+ targetEnv: IMAGE_REPO
+shell:
+ install:
+ - export REGISTRY_USER="$(cat /run/secrets/REGISTRY_USER)"
+ - export REGISTRY_PASSWORD="$(cat /run/secrets/REGISTRY_PASSWORD)"
+{{- if $isVault }}
+ - export VAULT_ADDR="$(cat /run/secrets/VAULT_ADDR)"
+ - export VAULT_ROLE="$(cat /run/secrets/VAULT_ROLE)"
+ - export TRANSIT_SECRET_ENGINE_PATH="$(cat /run/secrets/TRANSIT_SECRET_ENGINE_PATH)"
+ - VAULT_KEY=$(cat /run/secrets/VAULT_KEY)
+ - export VAULT_KEY="hashivault://${VAULT_KEY#hashivault://}"
+{{- if ne $actionsIdToken "" }}
+ - export ACTIONS_ID_TOKEN_REQUEST_TOKEN="$(cat /run/secrets/ACTIONS_ID_TOKEN_REQUEST_TOKEN)"
+ - export ACTIONS_ID_TOKEN_REQUEST_URL="$(cat /run/secrets/ACTIONS_ID_TOKEN_REQUEST_URL)"
+ - export VAULT_AUTH_PATH="github"
+ - >
+ export VAULT_JWT=$(jq -r .value <<< $(curl -fsH "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=github-access-aud" ))
+ - >
+ if [ -n "${VAULT_JWT}" ]; then
+ echo "Received Actions token";
+ else
+ echo "Actions token empty";
+ fi
+{{- else }}
+ - export VAULT_AUTH_PATH="fox"
+ - export VAULT_JWT="$(cat /run/secrets/VAULT_JWT)"
+{{- end }}
+ - >
+ export VAULT_TOKEN="$(curl -fX POST "${VAULT_ADDR}/v1/auth/${VAULT_AUTH_PATH}/login" -d '{"role":"'${VAULT_ROLE}'","jwt":"'${VAULT_JWT}'"}' | jq -r '.auth.client_token')"
+ - >
+ if [ -n "${VAULT_TOKEN}" ]; then
+ echo "Received Vault token";
+ else
+ echo "Vault token empty";
+ fi
+ - echo "Using predicate known_vulnerabilities.vex"
+{{- else }}
+ - |
+ echo -e "\033[33mWARNING!!! Cosign will sign attestation with self-generated key pair!\033[0m"
+ export COSIGN_PASSWORD=""
+ cosign generate-key-pair
+ export VAULT_KEY="cosign.key"
+{{- end }}
+ - |
+ cosign attest \
+ --replace \
+ --registry-username="${REGISTRY_USER}" \
+ --registry-password="${REGISTRY_PASSWORD}" \
+ --predicate /known_vulnerabilities.vex \
+ --type openvex \
+ --key ${VAULT_KEY} \
+ --tlog-upload=false \
+ -y -d \
+ "${IMAGE_REPO}@${IMAGE_DIGEST}"
+ {{- end }}
+{{- end }}
diff --git a/werf-giterminism.yaml b/werf-giterminism.yaml
index ee82bc554f..8f9e954dd2 100644
--- a/werf-giterminism.yaml
+++ b/werf-giterminism.yaml
@@ -1,7 +1,7 @@
giterminismConfigVersion: 1
config:
goTemplateRendering: # The rules for the Go-template functions
- allowEnvVariables:
+ allowEnvVariables:
- /CI_.+/
- GOPROXY
- MODULES_MODULE_TAG
@@ -13,6 +13,9 @@ config:
- SVACE_ANALYZE_HOST
- SVACE_ANALYZE_SSH_USER
- DEBUG_COMPONENT
+ - ACTIONS_ID_TOKEN_REQUEST_TOKEN
+ - VAULT_KEY
+ - WERF_SIGN_KEY
stapel:
mount:
allowBuildDir: true
@@ -24,6 +27,16 @@ config:
- DECKHOUSE_PRIVATE_REPO
- GOPROXY
- DISTRO_PACKAGES_PROXY
+ allowEnvVariables:
+ - REGISTRY_USER
+ - REGISTRY_PASSWORD
+ - VAULT_ADDR
+ - WERF_SIGN_KEY
+ - WERF_VAULT_AUTH_ROLE
+ - WERF_VAULT_AUTH_JWT
+ - TRANSIT_SECRET_ENGINE_PATH
+ - ACTIONS_ID_TOKEN_REQUEST_TOKEN
+ - ACTIONS_ID_TOKEN_REQUEST_URL
helm:
allowUncommittedFiles:
- "Chart.lock"
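Review bot: The Vault login in the `shell.install` section of vex.tmpl is not fail-closed: `jq -r '.auth.client_token'` prints the literal string `null` when the response carries no token, so `[ -n "${VAULT_TOKEN}" ]` reports "Received Vault token" on an auth failure, and even the genuinely empty case only echoes "Vault token empty" and carries on until `cosign attest` fails later with a less useful error; the `jq -r .value` probe that fills `VAULT_JWT` has the same `null` problem. The request body is also assembled by splicing `${VAULT_ROLE}` and `${VAULT_JWT}` into the `curl -d` argument, which breaks on any quote in the role name and puts the OIDC token on the command line where `ps` can read it. The rewrite below builds the body with `jq --arg`, sends it on stdin, uses `// empty` so a missing token really is empty, and exits non-zero; the `VAULT_JWT` block deserves the same `// empty` plus `exit 1` treatment. Separately, the `{{- else }}` fallback signs with a key pair generated and discarded inside the build, so a release run that merely lacks the Vault variables still publishes an attestation nobody can verify — consider failing that branch when `ENV` is `PROD` instead of only printing the warning (it is not visible here whether prod always sets `WERF_SIGN_KEY`).
```yaml
      - >
        export VAULT_TOKEN="$(jq -n --arg role "${VAULT_ROLE}" --arg jwt "${VAULT_JWT}" '{role: $role, jwt: $jwt}'
        | curl -fsS -X POST --data @- "${VAULT_ADDR}/v1/auth/${VAULT_AUTH_PATH}/login"
        | jq -r '.auth.client_token // empty')"
      - >
        if [ -z "${VAULT_TOKEN}" ]; then
        echo "Vault login failed: no client_token in response" >&2;
        exit 1;
        fi
      # … unchanged: "Using predicate" echo, self-signed fallback, cosign attest …
```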
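Review bot: The `@@ -24` hunk of werf-giterminism.yaml allow-lists the env variables behind the new `secrets:` entries in vex.tmpl, but not all of them: the branch taken when `WERF_SIGN_KEY` is unset maps its secrets to `VAULT_KEY`, `VAULT_ROLE` and `VAULT_ID_TOKEN`, none of which appear in the added `allowEnvVariables` list, while the other branch's `WERF_VAULT_AUTH_ROLE`/`WERF_VAULT_AUTH_JWT` do. If this list is werf's `secrets.allowEnvVariables` gate (the parent key is outside the hunk), that branch will be rejected by giterminism at build time; add `- VAULT_KEY`, `- VAULT_ROLE` and `- VAULT_ID_TOKEN`, or remove the branch if it is dead. If, on the other hand, the list ending in `DISTRO_PACKAGES_PROXY` just above is itself already `allowEnvVariables`, this hunk introduces a duplicate key that most YAML loaders resolve silently by last-wins — worth checking the rendered config either way. A short comment above the new list would also help, e.g. `# secret-bearing env vars mounted by .werf/defines/vex.tmpl for cosign attestation; do not reuse in other stages`.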