2 changes: 1 addition & 1 deletion .github/workflows/dev_build_precache.yml
Expand Up @@ -66,7 +66,7 @@ jobs:
registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}

- uses: deckhouse/modules-actions/build@v4
- uses: deckhouse/modules-actions/build@v15
env:
WERF_EXPERIMENTAL_IMPORT_BY_SOURCE_IMAGE_TAG: "true"
with:
4 changes: 3 additions & 1 deletion .github/workflows/dev_build_svace.yml
Expand Up @@ -111,11 +111,13 @@ jobs:
registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}

- uses: deckhouse/modules-actions/build@v4
- uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ vars.DEV_MODULE_SOURCE}}
module_name: ${{ vars.MODULE_NAME }}
module_tag: ${{needs.set_vars.outputs.modules_module_tag}}
registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }}
source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
svace_enabled: "true"
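Review bot: `uses: deckhouse/modules-actions/build@v15` on the replaced line pins a mutable tag, so the code that receives `secrets.SOURCE_REPO_SSH_KEY` and the registry password from this `with:` block can change without any edit to this repository; the same bumped `uses:` line appears in dev_build_precache.yml, dev_module_build-and-registration.yml, dev_module_build.yml, e2e-test-releases.yml, release_module_build-and-registration.yml and release_module_release-channels.yml. Pinning to the full commit SHA behind the tag, `uses: deckhouse/modules-actions/build@<full-commit-sha-of-v15> # v15`, keeps the version readable while fixing what runs. Separately, `source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }}` lacks the space after `${{` that every neighbouring expression has; `source_repo: ${{ secrets.DECKHOUSE_PRIVATE_3P_REPO }}` matches the file. The enclosing job starts above the hunk, and which two `with:` entries are the added lines cannot be told from this view.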
2 changes: 1 addition & 1 deletion .github/workflows/dev_module_build-and-registration.yml
Expand Up @@ -112,7 +112,7 @@ jobs:
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}

- if: ${{ github.event.inputs.enableBuild == 'true' }}
uses: deckhouse/modules-actions/build@v4
uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ vars.DEV_MODULE_SOURCE}}
module_name: ${{ vars.MODULE_NAME }}
4 changes: 3 additions & 1 deletion .github/workflows/dev_module_build.yml
Expand Up @@ -418,11 +418,13 @@ jobs:
registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}

- uses: deckhouse/modules-actions/build@v4
- uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ vars.DEV_MODULE_SOURCE}}
module_name: ${{ vars.MODULE_NAME }}
module_tag: ${{needs.set_vars.outputs.modules_module_tag}}
registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }}
source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
svace_enabled: ${{ inputs.svace_enabled || contains(github.event.pull_request.labels.*.name, 'analyze/svace') }}
4 changes: 3 additions & 1 deletion .github/workflows/e2e-test-releases.yml
Expand Up @@ -196,11 +196,13 @@ jobs:
registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}

- uses: deckhouse/modules-actions/build@v4
- uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ vars.DEV_MODULE_SOURCE }}
module_name: ${{ vars.MODULE_NAME }}
module_tag: ${{ matrix.module_tag }}
registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
source_repo: ${{ secrets.SOURCE_REPO_GIT }}
source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}

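Review bot: `source_repo: ${{ secrets.SOURCE_REPO_GIT }}` names a different secret from the `secrets.DECKHOUSE_PRIVATE_3P_REPO` that the same build step receives in every other workflow of this change, while `source_repo_ssh_key` is identical in all of them. If the two secrets are meant to point at different repositories, a one-line comment above the step saying why the e2e release build fetches from `SOURCE_REPO_GIT` would spare the next reader a lookup; if not, this looks like a leftover. Which `with:` entries are the two added lines cannot be told from this view, and the enclosing job starts above the hunk.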
16 changes: 12 additions & 4 deletions .github/workflows/release_module_build-and-registration.yml
Expand Up @@ -81,11 +81,13 @@ jobs:
registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}

- uses: deckhouse/modules-actions/build@v4
- uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
module_name: ${{ vars.MODULE_NAME }}
module_tag: ${{ github.ref_name }}
registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }}
source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }}
source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}"
Expand Down Expand Up @@ -134,11 +136,13 @@ jobs:
registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}

- uses: deckhouse/modules-actions/build@v4
- uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
module_name: ${{ vars.MODULE_NAME }}
module_tag: ${{ github.ref_name }}
registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }}
source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }}
source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}"
Expand Down Expand Up @@ -188,11 +192,13 @@ jobs:
registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}

- uses: deckhouse/modules-actions/build@v4
- uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
module_name: ${{ vars.MODULE_NAME }}
module_tag: ${{ github.ref_name }}
registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }}
source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }}
source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}"
Expand Down Expand Up @@ -242,11 +248,13 @@ jobs:
registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}

- uses: deckhouse/modules-actions/build@v4
- uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
module_name: ${{ vars.MODULE_NAME }}
module_tag: ${{ github.ref_name }}
registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }}
registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }}
source_repo: ${{secrets.DECKHOUSE_PRIVATE_3P_REPO }}
source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}"
8 changes: 4 additions & 4 deletions .github/workflows/release_module_release-channels.yml
Expand Up @@ -205,7 +205,7 @@ jobs:
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}

- if: ${{ inputs.enableBuild }}
uses: deckhouse/modules-actions/build@v4
uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
module_name: ${{ vars.MODULE_NAME }}
Expand Down Expand Up @@ -271,7 +271,7 @@ jobs:
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}

- if: ${{ inputs.enableBuild }}
uses: deckhouse/modules-actions/build@v4
uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
module_name: ${{ vars.MODULE_NAME }}
Expand Down Expand Up @@ -330,7 +330,7 @@ jobs:
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}

- if: ${{ inputs.enableBuild }}
uses: deckhouse/modules-actions/build@v4
uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
module_name: ${{ vars.MODULE_NAME }}
Expand Down Expand Up @@ -393,7 +393,7 @@ jobs:
registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}

- if: ${{ inputs.enableBuild }}
uses: deckhouse/modules-actions/build@v4
uses: deckhouse/modules-actions/build@v15
with:
module_source: ${{ steps.set_vars.outputs.MODULES_MODULE_SOURCE }}
module_name: ${{ vars.MODULE_NAME }}
4 changes: 4 additions & 0 deletions .gitlab-ci.yml
Expand Up @@ -128,6 +128,8 @@ variables:
MODULES_REGISTRY_PASSWORD: ${EXTERNAL_MODULES_DEV_REGISTRY_PASSWORD}
MODULES_REGISTRY: dev-registry.deckhouse.io
MODULES_MODULE_SOURCE: ${MODULES_REGISTRY}/sys/deckhouse-oss/modules
REGISTRY_USER: ${MODULES_REGISTRY_LOGIN}
REGISTRY_PASSWORD: ${MODULES_REGISTRY_PASSWORD}
ENV: DEV

# PROD registry
Expand All @@ -137,6 +139,8 @@ variables:
MODULES_REGISTRY_PASSWORD: ${EXTERNAL_MODULES_PROD_REGISTRY_PASSWORD}
MODULES_REGISTRY: registry-write.deckhouse.io
MODULES_MODULE_SOURCE: ${MODULES_REGISTRY}/deckhouse/${EDITION}/modules
REGISTRY_USER: ${MODULES_REGISTRY_LOGIN}
REGISTRY_PASSWORD: ${MODULES_REGISTRY_PASSWORD}
ENV: PROD

# Templates ============================================================================================================
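Review bot: `REGISTRY_USER: ${MODULES_REGISTRY_LOGIN}` and `REGISTRY_PASSWORD: ${MODULES_REGISTRY_PASSWORD}` are added to both the DEV and PROD variable blocks with nothing saying who reads them; a comment such as `# REGISTRY_USER/REGISTRY_PASSWORD are consumed as werf build secrets by .werf/defines/vex.tmpl (cosign attest)` above each pair would tie them to the consumer this change introduces. Because they are plain CI variables, the password is now present in the environment of every job that inherits the block, not only the job that attests, so it is worth confirming that the underlying `EXTERNAL_MODULES_DEV_REGISTRY_PASSWORD` and `EXTERNAL_MODULES_PROD_REGISTRY_PASSWORD` variables are marked masked in the project settings, otherwise the new alias can surface in job logs. Both enclosing `variables:` blocks start above their hunks.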
143 changes: 143 additions & 0 deletions .werf/defines/vex.tmpl
@@ -0,0 +1,143 @@
# put image with vex mitigations to registry.
# Mitigations can be found in the known_vulnerabilities.vex file in the image directory
# input parameters:
# list of $ and image name.
# list ($ "common/kubernetes")
{{- define "vex mitigation" }}
{{- $context := index . 0 }}
{{- $imageName := index . 1 }}
{{- $knownVulnPath := "" }}
{{- $isVault := false }}
{{- if eq $imageName "dev" }}
{{- $knownVulnPath = "/deckhouse-controller/known_vulnerabilities.vex" }}
{{- else if eq $imageName "dev/install" }}
{{- $knownVulnPath = "/dhctl/known_vulnerabilities.vex" }}
{{- else if eq $imageName "bundle" }}
{{- $knownVulnPath = "/known_vulnerabilities.vex" }}
{{- else if hasKey $context "ModulePriority" }}
{{- $knownVulnPath = (printf "/%smodules/%s-%s/images/%s/known_vulnerabilities.vex" $context.ModulePath $context.ModulePriority $context.ModuleName $context.ImageName) }}
{{- else }}
{{- $knownVulnPath = (printf "/images/%s/known_vulnerabilities.vex" $context.ImageName) }}
{{- end }}
{{- $vexFile := false }}
{{- if eq (len ($context.Files.Glob $knownVulnPath)) 1 }}
{{- $vexFile = true }}
{{- end }}
{{- $werfSignKey := env "WERF_SIGN_KEY" "" }}
{{- $vaultKey := env "VAULT_KEY" "" }}
{{- $actionsIdToken := env "ACTIONS_ID_TOKEN_REQUEST_TOKEN" "" }}
{{- if or (ne $werfSignKey "") (ne $vaultKey "") (ne $actionsIdToken "") }}
{{- $isVault = true }}
{{- end }}
{{- if $vexFile }}
---
image: {{ $imageName }}-vex-artifact
fromImage: base/vex
final: true
secrets:
- id: REGISTRY_USER
env: REGISTRY_USER
- id: REGISTRY_PASSWORD
env: REGISTRY_PASSWORD
{{- if eq $isVault true }}
{{- if ne $werfSignKey "" }}
- id: VAULT_ADDR
env: VAULT_ADDR
- id: VAULT_KEY
env: WERF_SIGN_KEY
- id: VAULT_ROLE
env: WERF_VAULT_AUTH_ROLE
- id: VAULT_JWT
env: WERF_VAULT_AUTH_JWT
- id: TRANSIT_SECRET_ENGINE_PATH
env: TRANSIT_SECRET_ENGINE_PATH
{{- else }}
- id: VAULT_ADDR
env: VAULT_ADDR
- id: VAULT_KEY
env: VAULT_KEY
- id: VAULT_ROLE
env: VAULT_ROLE
- id: TRANSIT_SECRET_ENGINE_PATH
env: TRANSIT_SECRET_ENGINE_PATH
{{- if eq $actionsIdToken "" }}
- id: VAULT_JWT
env: VAULT_ID_TOKEN
{{- end }}
{{- end }}
{{- if ne $actionsIdToken "" }}
- id: ACTIONS_ID_TOKEN_REQUEST_TOKEN
env: ACTIONS_ID_TOKEN_REQUEST_TOKEN
- id: ACTIONS_ID_TOKEN_REQUEST_URL
env: ACTIONS_ID_TOKEN_REQUEST_URL
{{- end }}
{{- end }}
git:
- add: {{ $knownVulnPath }}
to: /known_vulnerabilities.vex
stageDependencies:
install:
- "**/*"
dependencies:
- image: {{ $imageName }}
before: install
imports:
- type: ImageDigest
targetEnv: IMAGE_DIGEST
- type: ImageRepo
targetEnv: IMAGE_REPO
shell:
install:
- export REGISTRY_USER="$(cat /run/secrets/REGISTRY_USER)"
- export REGISTRY_PASSWORD="$(cat /run/secrets/REGISTRY_PASSWORD)"
{{- if $isVault }}
- export VAULT_ADDR="$(cat /run/secrets/VAULT_ADDR)"
- export VAULT_ROLE="$(cat /run/secrets/VAULT_ROLE)"
- export TRANSIT_SECRET_ENGINE_PATH="$(cat /run/secrets/TRANSIT_SECRET_ENGINE_PATH)"
- VAULT_KEY=$(cat /run/secrets/VAULT_KEY)
- export VAULT_KEY="hashivault://${VAULT_KEY#hashivault://}"
{{- if ne $actionsIdToken "" }}
- export ACTIONS_ID_TOKEN_REQUEST_TOKEN="$(cat /run/secrets/ACTIONS_ID_TOKEN_REQUEST_TOKEN)"
- export ACTIONS_ID_TOKEN_REQUEST_URL="$(cat /run/secrets/ACTIONS_ID_TOKEN_REQUEST_URL)"
- export VAULT_AUTH_PATH="github"
- >
export VAULT_JWT=$(jq -r .value <<< $(curl -fsH "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=github-access-aud" ))
- >
if [ -n "${VAULT_JWT}" ]; then
echo "Received Actions token";
else
echo "Actions token empty";
fi
{{- else }}
- export VAULT_AUTH_PATH="fox"
- export VAULT_JWT="$(cat /run/secrets/VAULT_JWT)"
{{- end }}
- >
export VAULT_TOKEN="$(curl -fX POST "${VAULT_ADDR}/v1/auth/${VAULT_AUTH_PATH}/login" -d '{"role":"'${VAULT_ROLE}'","jwt":"'${VAULT_JWT}'"}' | jq -r '.auth.client_token')"
- >
if [ -n "${VAULT_TOKEN}" ]; then
echo "Received Vault token";
else
echo "Vault token empty";
fi
- echo "Using predicate known_vulnerabilities.vex"
{{- else }}
- |
echo -e "\033[33mWARNING!!! Cosign will sign attestation with self-generated key pair!\033[0m"
export COSIGN_PASSWORD=""
cosign generate-key-pair
export VAULT_KEY="cosign.key"
{{- end }}
- |
cosign attest \
--replace \
--registry-username="${REGISTRY_USER}" \
--registry-password="${REGISTRY_PASSWORD}" \
--predicate /known_vulnerabilities.vex \
--type openvex \
--key ${VAULT_KEY} \
--tlog-upload=false \
-y -d \
"${IMAGE_REPO}@${IMAGE_DIGEST}"
{{- end }}
{{- end }}
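Review bot: The `[ -n "${VAULT_TOKEN}" ]` check after the Vault login, and the matching `[ -n "${VAULT_JWT}" ]` check after the Actions token request, never stop the build: `jq -r` prints the literal string `null` when `.auth.client_token` or `.value` is absent, which is non-empty, and even a genuinely empty value only reaches an `echo` before execution falls through to `cosign attest`. The login body is also built by splicing `${VAULT_ROLE}` and `${VAULT_JWT}` unquoted into a JSON literal, which breaks on any character JSON must escape; producing it with `jq -n --arg` keeps it well-formed. The rewrite below maps missing fields to an empty string and exits on an empty token, and, independently, `--key ${VAULT_KEY}` in the `cosign attest` command is the only unquoted expansion in that call and should read `--key "${VAULT_KEY}"`.
```yaml
    {{- if ne $actionsIdToken "" }}
    # … unchanged: exports of ACTIONS_ID_TOKEN_REQUEST_TOKEN, ACTIONS_ID_TOKEN_REQUEST_URL and VAULT_AUTH_PATH …
    - >
      export VAULT_JWT="$(curl -fsH "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=github-access-aud" | jq -r '.value // empty')"
    - >
      if [ -n "${VAULT_JWT}" ]; then
        echo "Received Actions token";
      else
        echo "Actions token empty"; exit 1;
      fi
    {{- else }}
    # … unchanged: fox auth path and VAULT_JWT read from /run/secrets …
    {{- end }}
    - >
      export VAULT_TOKEN="$(curl -fX POST "${VAULT_ADDR}/v1/auth/${VAULT_AUTH_PATH}/login" --data "$(jq -cn --arg role "${VAULT_ROLE}" --arg jwt "${VAULT_JWT}" '{role: $role, jwt: $jwt}')" | jq -r '.auth.client_token // empty')"
    - >
      if [ -n "${VAULT_TOKEN}" ]; then
        echo "Received Vault token";
      else
        echo "Vault token empty"; exit 1;
      fi
    # … unchanged: predicate echo, self-signed fallback branch and the cosign attest command …
```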
15 changes: 14 additions & 1 deletion werf-giterminism.yaml
@@ -1,7 +1,7 @@
giterminismConfigVersion: 1
config:
goTemplateRendering: # The rules for the Go-template functions
allowEnvVariables:
allowEnvVariables:
- /CI_.+/
- GOPROXY
- MODULES_MODULE_TAG
Expand All @@ -13,6 +13,9 @@ config:
- SVACE_ANALYZE_HOST
- SVACE_ANALYZE_SSH_USER
- DEBUG_COMPONENT
- ACTIONS_ID_TOKEN_REQUEST_TOKEN
- VAULT_KEY
- WERF_SIGN_KEY
stapel:
mount:
allowBuildDir: true
Expand All @@ -24,6 +27,16 @@ config:
- DECKHOUSE_PRIVATE_REPO
- GOPROXY
- DISTRO_PACKAGES_PROXY
allowEnvVariables:
- REGISTRY_USER
- REGISTRY_PASSWORD
- VAULT_ADDR
- WERF_SIGN_KEY
- WERF_VAULT_AUTH_ROLE
- WERF_VAULT_AUTH_JWT
- TRANSIT_SECRET_ENGINE_PATH
- ACTIONS_ID_TOKEN_REQUEST_TOKEN
- ACTIONS_ID_TOKEN_REQUEST_URL
helm:
allowUncommittedFiles:
- "Chart.lock"
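Review bot: The `allowEnvVariables:` key added in the third hunk sits at the same level as the list holding `DECKHOUSE_PRIVATE_REPO`, `GOPROXY` and `DISTRO_PACKAGES_PROXY`, whose own key is above the hunk; if that list is already `allowEnvVariables` rather than a sibling such as `allowValueIds`, this is a duplicate key and most YAML loaders keep only the second occurrence, silently dropping the first three entries. Please check the parent key outside the hunk, and whichever it is, a comment such as `# build secrets consumed by .werf/defines/vex.tmpl (registry credentials, Vault auth, Actions OIDC)` above the new list would record why these nine variables are allowed. In the second hunk, `ACTIONS_ID_TOKEN_REQUEST_TOKEN`, `VAULT_KEY` and `WERF_SIGN_KEY` become readable by Go-template `env` calls; vex.tmpl only compares them against `""`, and a comment stating that their values must never be rendered into the config would keep a later template from embedding the token in build metadata.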