Skip to content

Commit

Permalink
docs(mesh): use official tags and add version checks for mesh slsa
Browse files Browse the repository at this point in the history
Signed-off-by: saisatishkarra <saisatish.karra@konghq.com>
  • Loading branch information
saisatishkarra committed Jun 20, 2024
1 parent e2d9b8a commit 05810ba
Show file tree
Hide file tree
Showing 3 changed files with 27 additions and 13 deletions.
4 changes: 2 additions & 2 deletions app/_src/mesh/features/provenance-verification-binaries.md
Original file line number Diff line number Diff line change
Expand Up @@ -33,15 +33,15 @@ For both examples, you need to:

1. Ensure `slsa-verifier` is installed.

2. [Download security assets](https://cloudsmith.io/~kong/repos/kong-mesh-binaries-release/packages/?q=name%3Asecurity-assets*+version%3A%3E%3D2.7.4) for the required version of {{site.mesh_product_name}} binaries
2. [Download security assets](https://cloudsmith.io/~kong/repos/kong-mesh-binaries-release/packages/?q=name%3Asecurity-assets*+version%3A{{page.kong_latest.version}}) for the required version of {{site.mesh_product_name}} binaries

3. Extract the downloaded `security-assets.tar.gz` to access the provenance file `kong-mesh.intoto.jsonl`

```sh
tar -xvzf security-assets.tar.gz
```

4. [Download compressed binaries](https://cloudsmith.io/~kong/repos/kong-mesh-binaries-release/packages/?q=name%3Akong-mesh-*+version%3A%3E%3D2.7.4) for the required version of {{site.mesh_product_name}}
4. [Download compressed binaries](https://cloudsmith.io/~kong/repos/kong-mesh-binaries-release/packages/?q=name%3Akong-mesh-*+version%3A{{page.kong_latest.version}}) for the required version of {{site.mesh_product_name}}

{:.important .no-icon}
> The GitHub owner is case-sensitive (`Kong/kong-mesh` vs `kong/kong-mesh`).
Expand Down
32 changes: 23 additions & 9 deletions app/_src/mesh/features/provenance-verification-images.md
Original file line number Diff line number Diff line change
Expand Up @@ -44,12 +44,16 @@ For both examples, you need to:
regctl manifest digest <image>:<tag>
```

5. Set the `COSIGN_REPOSITORY` environment variable:
{% if_version gte:2.8.x %}

1. Set the `COSIGN_REPOSITORY` environment variable:

```sh
export COSIGN_REPOSITORY=kong/notary
```

{% endif_version %}

{:.important .no-icon}
> The GitHub owner is case-sensitive (`Kong/kong-mesh` vs `kong/kong-mesh`).

Expand All @@ -71,7 +75,7 @@ Here's the same example using sample values instead of placeholders:
```sh
cosign verify-attestation \
'kong/kuma-cp:2.7.4@sha256:<manifest_digest>' \
'kong/kuma-cp:2.7.4@sha256:87c441496c55569946384642d35fefa7f243809ed67a25cedef7f6ee043f9beb' \
--type='slsaprovenance' \
--certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
--certificate-identity-regexp='^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$'
Expand All @@ -87,23 +91,28 @@ echo $?
#### Using slsa-verifier
{% if_version gte:2.8.x %}
{:.important .no-icon}
> Specify additional `--provenance-repository 'kong/notary'` argument to command below.
{% endif_version %}
Run the `slsa-verifier verify-image ...` command:
```sh
slsa-verifier verify-image \
<image>:<tag>@sha256:<manifest_digest> \
--print-provenance \
--provenance-repository 'kong/notary' \
--source-uri 'github.com/Kong/<repo>'
```
Here's the same example using sample values instead of placeholders:

```sh
slsa-verifier verify-image \
'kong/kuma-cp:2.7.4@sha256:<manifest_digest>' \
'kong/kuma-cp:2.7.4@sha256:87c441496c55569946384642d35fefa7f243809ed67a25cedef7f6ee043f9beb' \
--print-provenance \
--provenance-repository 'kong/notary' \
--source-uri 'github.com/Kong/kong-mesh'
```

Expand Down Expand Up @@ -135,7 +144,7 @@ Here's the same example using sample values instead of placeholders:
```sh
cosign verify-attestation \
'kong/kuma-cp:2.7.4@sha256:<manifest_digest>' \
'kong/kuma-cp:2.7.4@sha256:87c441496c55569946384642d35fefa7f243809ed67a25cedef7f6ee043f9beb' \
--type='slsaprovenance' \
--certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
--certificate-identity-regexp='^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$' \
Expand All @@ -146,24 +155,29 @@ cosign verify-attestation \
#### Using slsa-verifier
{% if_version gte:2.8.x %}
{:.important .no-icon}
> Specify additional `--provenance-repository 'kong/notary'` argument to command below.
{% endif_version %}
Run the `slsa-verifier verify-image ...` command:
```sh
slsa-verifier verify-image \
<image>:<tag>@sha256:<manifest_digest> \
--print-provenance \
--source-uri 'github.com/Kong/<repo>' \
--provenance-repository 'kong/notary' \
--source-tag '<version>'
```
Here's the same example using sample values instead of placeholders:

```sh
slsa-verifier verify-image \
'kong/kuma-cp:2.7.4@sha256:<manifest_digest>' \
'kong/kuma-cp:2.7.4@sha256:87c441496c55569946384642d35fefa7f243809ed67a25cedef7f6ee043f9beb' \
--print-provenance \
--source-uri 'github.com/Kong/kong-mesh' \
--provenance-repository 'kong/notary' \
--source-tag '2.7.4'
```
4 changes: 2 additions & 2 deletions app/_src/mesh/features/signed-images.md
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,7 @@ Here's the same example using sample values instead of placeholders:
```sh
cosign verify \
'kong/kuma-cp:2.7.4-preview.v6b466331d@sha256:76d59540e50c4bb1d6c5f33bc7aaf03add74f97e7efcb416a04d7fde86e86d0c' \
'kong/kuma-cp:2.7.4@sha256:87c441496c55569946384642d35fefa7f243809ed67a25cedef7f6ee043f9beb' \
--certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
--certificate-identity-regexp='https://github.com/Kong/kong-mesh/.github/workflows/kuma-_build_publish.yaml'
```
Expand All @@ -76,7 +76,7 @@ Here's the same example using sample values instead of placeholders:

```sh
cosign verify \
'kong/kuma-cp:2.7.4-preview.v6b466331d@sha256:76d59540e50c4bb1d6c5f33bc7aaf03add74f97e7efcb416a04d7fde86e86d0c' \
'kong/kuma-cp:2.7.4@sha256:87c441496c55569946384642d35fefa7f243809ed67a25cedef7f6ee043f9beb' \
--certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
--certificate-identity-regexp='https://github.com/Kong/kong-mesh/.github/workflows/kuma-_build_publish.yaml' \
-a repo='Kong/kong-mesh' \
Expand Down

0 comments on commit 05810ba

Please sign in to comment.