Skip to content

Commit

Permalink
feat(slsa/provenance)[SEC-1079]: Add cloudsmith links for mesh slsa a…
Browse files Browse the repository at this point in the history
…ssets
  • Loading branch information
saisatishkarra committed Jun 10, 2024
1 parent ff4f5cc commit 9bb8c9c
Show file tree
Hide file tree
Showing 5 changed files with 59 additions and 36 deletions.
4 changes: 2 additions & 2 deletions app/_src/mesh/features/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -62,14 +62,14 @@ You can [install {{site.mesh_product_name}} on Windows](/mesh/{{page.release}}/i

## Docker container image signing

Starting with {{site.mesh_product_name}} 2.7.0, Docker container images are signed, and can be verified using `cosign` with signatures published to a Docker Hub repository. Read the [Verify signatures for Signed Mesh Images](/mesh/{{ page.release }}/features/signed-images/) documentation to learn more.
Starting with {{site.mesh_product_name}} 2.7.4, Docker container images are signed, and can be verified using `cosign` with signatures published to a Docker Hub repository. Read the [Verify signatures for Signed Mesh Images](/mesh/{{ page.release }}/features/signed-images/) documentation to learn more.
{% endif_version %}

{% if_version gte:2.7.x %}

## Build provenance

Starting with {{site.mesh_product_name}} 2.7.0, {{site.mesh_product_name}} produces build provenance for Docker container images and binaries and can be verified using `cosign` / `slsa-verifier`.
Starting with {{site.mesh_product_name}} 2.7.4, {{site.mesh_product_name}} produces build provenance for Docker container images and binaries and can be verified using `cosign` / `slsa-verifier`.

* Read the [Verify Build Provenance for Signed Mesh Images](/mesh/{{ page.release }}/features/provenance-verification-images/) to learn more.
* Read the [Verify Build Provenance for Signed Mesh Binaries](/mesh/{{ page.release }}/features/provenance-verification-binaries/) to learn more.
Expand Down
43 changes: 26 additions & 17 deletions app/_src/mesh/features/provenance-verification-binaries.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ title: Verify Build Provenance for Kong Mesh Binaries
badge: enterprise
---

Starting with 2.7.0, {{site.mesh_product_name}} produces build provenance for binary artifacts, which can be verified using `cosign` / `slsa-verifier` with attestations published to a Docker Hub repository.
Starting with 2.7.4, {{site.mesh_product_name}} produces build provenance for binary artifacts, which can be verified using `cosign` / `slsa-verifier` with attestations published to a Docker Hub repository.

This guide provides steps to verify build provenance for signed {{site.mesh_product_name}} binary artifacts in two different ways:

Expand All @@ -19,6 +19,9 @@ For the complete example, you need the same details as the minimal example, as w
| `<repo>` | GitHub repository | `kong-mesh` |
| `<workflow name>` | GitHub workflow name | `build-test-distribute` |
| `<workflow trigger>` | Github workflow trigger name | `push` |
| `<version>` | Artifact version to download | `2.7.4` |
| `<binary-files>` | Compressed binary files for the specified version | `kong-mesh-<version>-*-*.tar.gz` |
| `<provenance-file>` | Binary provenance file | `kong-mesh.intoto.jsonl` |

Because Kong uses GitHub Actions to build and release, Kong also uses GitHub's OIDC identity to generate build provenance for binary artifacts, which is why many of these details are GitHub-related.

Expand All @@ -30,9 +33,15 @@ For both examples, you need to:

1. Ensure `slsa-verifier` is installed.

2. [Download binary artifacts]() of {{site.mesh_product_name}}
2. [Download security assets](https://cloudsmith.io/~kong/repos/kong-mesh-binaries-preview/packages/?q=name%3Asecurity-assets*+version%3A%3E%3D2.7.4) for the required version of {{site.mesh_product_name}} binaries

3. [Download provenance file for binary artifacts]() of {{site.mesh_product_name}}
3. Extract the downloaded `security-assets.tar.gz` to access the provenance file `kong-mesh.intoto.jsonl`

```sh
tar -xvzf security-assets.tar.gz
```

4. [Download compressed binaries](https://cloudsmith.io/~kong/repos/kong-mesh-binaries-preview/packages/?q=name%3Akong-mesh-*+version%3A%3E%3D2.7.4) for the required version of {{site.mesh_product_name}}

{:.important .no-icon}
> The GitHub owner is case-sensitive (`Kong/kong-mesh` vs `kong/kong-mesh`).
Expand All @@ -46,19 +55,19 @@ Run the `slsa-verifier verify-artifact...` command:
```sh
slsa-verifier verify-artifact \
--print-provenance \
--provenance-path '<path to binary-provenance-file>' \
--provenance-path '<provenance-file>' \
--source-uri 'github.com/Kong/<repo>' \
'<path to binary-artifact>.tar.gz'
<binary-files>
```

Here's the same example using sample values instead of placeholders where the download path is assumed to `/tmp`:
Here's the same example using sample values instead of placeholders:
```sh
slsa-verifier verify-artifact \
--print-provenance \
--provenance-path '/tmp/<binary-provenance-file>.intoto.jsonl' \
--source-uri 'github.com/Kong/<repo>' \
'/tmp/<binary-artifact>.tar.gz'
--provenance-path 'kong-mesh.intoto.jsonl' \
--source-uri 'github.com/Kong/kong-mesh' \
kong-mesh-2.7.4-*-*.tar.gz
```
The command will print "Verified SLASA provenance" if successful:
Expand All @@ -77,19 +86,19 @@ Run the `slsa-verifier verify-artifact ...` command:
```sh
slsa-verifier verify-artifact \
--print-provenance \
--provenance-path '<path to binary-provenance-file>' \
--provenance-path '<provenance-file>' \
--source-uri 'github.com/Kong/<repo>' \
--source-tag '<release-tag-version>' \
'<path to binary-artifact>.tar.gz'
--source-tag '<version>' \
<binary-files>
```
Here's the same example using sample values instead of placeholders where the download path is assumed to `/tmp`:
Here's the same example using sample values instead of placeholders:

```sh
slsa-verifier verify-artifact \
--print-provenance \
--provenance-path '/tmp/<binary-provenance-file>.intoto.jsonl' \
--source-uri 'github.com/Kong/<repo>' \
--source-tag '2.7.0' \
'/tmp/<binary-artifact>.tar.gz'
--provenance-path 'kong-mesh.intoto.jsonl' \
--source-uri 'github.com/Kong/kong-mesh' \
--source-tag '2.7.4' \
kong-mesh-2.7.4-*-*.tar.gz
```
21 changes: 11 additions & 10 deletions app/_src/mesh/features/provenance-verification-images.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ title: Verify Build Provenance for Signed Kong Mesh Images
badge: enterprise
---

Starting with 2.7.0, {{site.mesh_product_name}} produces build provenance for docker container images, which can be verified using `cosign` / `slsa-verifier` with attestations published to a Docker Hub repository.
Starting with 2.7.4, {{site.mesh_product_name}} produces build provenance for docker container images, which can be verified using `cosign` / `slsa-verifier` with attestations published to a Docker Hub repository.

This guide provides steps to verify build provenance for signed {{site.mesh_product_name}} Docker container images in two different ways:

Expand All @@ -22,6 +22,7 @@ For the complete example, you need the same details as the minimal example, as w
| `<repo>` | GitHub repository | `kong-mesh` |
| `<workflow name>` | GitHub workflow name | `build-test-distribute` |
| `<workflow trigger>` | Github workflow trigger name | `push` |
| `<version>` | Artifact version to download | `2.7.4` |

Because Kong uses GitHub Actions to build and release, Kong also uses GitHub's OIDC identity to generate build provenance for container images, which is why many of these details are GitHub-related.

Expand Down Expand Up @@ -70,7 +71,7 @@ Here's the same example using sample values instead of placeholders:
```sh
cosign verify-attestation \
'kumahq/kuma-cp:2.7.0-testprov@sha256:865d9e92fe793d827f20e3c84ff20630a994ae21701ef8b1342bd5418de946eb' \
'kong/kuma-cp:2.7.4@sha256:<manifest_digest>' \
--type='slsaprovenance' \
--certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
--certificate-identity-regexp='^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$'
Expand Down Expand Up @@ -99,9 +100,9 @@ Here's the same example using sample values instead of placeholders:

```sh
slsa-verifier verify-image \
'kumahq/kuma-cp:2.7.0-testprov@sha256:865d9e92fe793d827f20e3c84ff20630a994ae21701ef8b1342bd5418de946eb' \
'kong/kuma-cp:2.7.4@sha256:<manifest_digest>' \
--print-provenance \
--source-uri 'github.com/kumahq/kuma'
--source-uri 'github.com/Kong/kong-mesh'
```

The command will print "Verified SLASA provenance" if successful:
Expand Down Expand Up @@ -132,11 +133,11 @@ Here's the same example using sample values instead of placeholders:
```sh
cosign verify-attestation \
'kumahq/kuma-cp:2.7.0-testprov@sha256:865d9e92fe793d827f20e3c84ff20630a994ae21701ef8b1342bd5418de946eb' \
'kong/kuma-cp:2.7.4@sha256:<manifest_digest>' \
--type='slsaprovenance' \
--certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
--certificate-identity-regexp='^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$' \
--certificate-github-workflow-repository='kumahq/kuma' \
--certificate-github-workflow-repository='Kong/kong-mesh' \
--certificate-github-workflow-name='build-test-distribute' \
--certificate-github-workflow-trigger='push'
```
Expand All @@ -150,15 +151,15 @@ slsa-verifier verify-image \
<image>:<tag>@sha256:<manifest_digest> \
--print-provenance \
--source-uri 'github.com/Kong/<repo>' \
--source-tag '<release-tag-version>'
--source-tag '<version>'
```
Here's the same example using sample values instead of placeholders:

```sh
slsa-verifier verify-image \
'kumahq/kuma-cp:2.7.0-testprov@sha256:865d9e92fe793d827f20e3c84ff20630a994ae21701ef8b1342bd5418de946eb' \
'kong/kuma-cp:2.7.4@sha256:<manifest_digest>' \
--print-provenance \
--source-uri 'github.com/kumahq/kuma' \
--source-tag '2.7.0-testprov'
--source-uri 'github.com/Kong/kong-mesh' \
--source-tag '2.7.4'
```
6 changes: 3 additions & 3 deletions app/_src/mesh/features/signed-images.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ title: Verify Signatures for Signed Kong Mesh Images
badge: enterprise
---

Starting with {{site.mesh_product_name}} 2.7.0, Docker container images are now signed using `cosign` with signatures published to a Docker Hub repository.
Starting with {{site.mesh_product_name}} 2.7.4, Docker container images are now signed using `cosign` with signatures published to a Docker Hub repository.

This guide provides steps to verify signatures for signed {{site.mesh_product_name}} Docker container images in two different ways:

Expand Down Expand Up @@ -56,7 +56,7 @@ Here's the same example using sample values instead of placeholders:
```sh
cosign verify \
'kong/kuma-cp:2.7.0-preview.v579166351@sha256:4382a3879994a08df804e0007431907d014f9d4899efb4fb5cedf292f14e6a4a' \
'kong/kuma-cp:2.7.4-preview.v6b466331d@sha256:76d59540e50c4bb1d6c5f33bc7aaf03add74f97e7efcb416a04d7fde86e86d0c' \
--certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
--certificate-identity-regexp='https://github.com/Kong/kong-mesh/.github/workflows/kuma-_build_publish.yaml'
```
Expand All @@ -76,7 +76,7 @@ Here's the same example using sample values instead of placeholders:

```sh
cosign verify \
'kong/kuma-cp:2.7.0-preview.v579166351@sha256:4382a3879994a08df804e0007431907d014f9d4899efb4fb5cedf292f14e6a4a' \
'kong/kuma-cp:2.7.4-preview.v6b466331d@sha256:76d59540e50c4bb1d6c5f33bc7aaf03add74f97e7efcb416a04d7fde86e86d0c' \
--certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
--certificate-identity-regexp='https://github.com/Kong/kong-mesh/.github/workflows/kuma-_build_publish.yaml' \
-a repo='Kong/kong-mesh' \
Expand Down
21 changes: 17 additions & 4 deletions app/_src/mesh/sbom.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,21 @@ toc: false

A software bill of materials (SBOM) is an inventory of all software components (proprietary and open source), open source licenses, and dependencies in a given product. A software bill of materials (SBOM) provides visibility into the software supply chain and any license compliance, security, and quality risks that may exist.

Starting in {{site.mesh_product_name}} 2.7.0, we are generating SBOMs for our artifact images and binaries.
You can learn more about this from our software bill of materials knowledge base page:
Starting in {{site.mesh_product_name}} 2.7.4, we are generating SBOMs for {{site.mesh_product_name}} and docker container images.

* [{{site.mesh_product_name}} 2.7.0 SBOM](https://support.konghq.com/support/s/article/SBOM-Artifacts-for-Kong-Mesh-2.7.0).
* [{{site.mesh_product_name}} 2.8.0 SBOM](https://support.konghq.com/support/s/article/SBOM-Artifacts-for-Kong-Mesh-2.8.0).
1. Download the security assets for the required version of {{site.mesh_product_name}}

* [0.0.0-preview.vb402ff182 Security Asssets](https://cloudsmith.io/~kong/repos/kong-mesh-binaries-preview/packages/?q=name%3Asecurity-assets+version%3A0.0.0-preview.vb402ff182)

Check failure on line 12 in app/_src/mesh/sbom.md

View workflow job for this annotation

GitHub Actions / Vale

[vale] reported by reviewdog 🐶 [kong.Spelling] Did you really mean 'Asssets'? Raw Output: {"message": "[kong.Spelling] Did you really mean 'Asssets'?", "location": {"path": "app/_src/mesh/sbom.md", "range": {"start": {"line": 12, "column": 41}}}, "severity": "ERROR"}
* [2.7.4 Security Assets](https://cloudsmith.io/~kong/repos/kong-mesh-binaries-release/packages/?q=name%3Asecurity-assets+version%3A2.7.4)
* [2.8.0 Security Assets](https://cloudsmith.io/~kong/repos/kong-mesh-binaries-release/packages/?q=name%3Asecurity-assets+version%3A2.8.0)

2. Extract the downloaded `security-assets.tar.gz`

```sh
tar -xvzf security-assets.tar.gz
```

3. Access the below SBOMs:

* `sbom.spdx.json` and `sbom.cyclonedx.json` are the SBOM files for {{site.mesh_product_name}}
* `image_<image_name>-*.spdx.json` and `image_<image_name>-*.cyclonedx.json` are the SBOM files for Docker Container Images of {{site.mesh_product_name}}

0 comments on commit 9bb8c9c

Please sign in to comment.