chore: Implement signed releases #10925
Signed-off-by: Justin Marquis <34fathombelow@protonmail.com>
Codecov Report
Base: 45.64% // Head: 45.64% // No change to project coverage 👍

@@ Coverage Diff @@
##           master   #10925   +/-   ##
=======================================
  Coverage   45.64%   45.64%
=======================================
  Files         237      237
  Lines       28719    28719
=======================================
  Hits        13108    13108
  Misses      13808    13808
  Partials     1803     1803
=======================================
Signed-off-by: Justin Marquis <34fathombelow@protonmail.com>
Thanks @34fathombelow!
Should complete signed releases #10852
@34fathombelow how much work would it be to also sign the checksums file, in effect signing the binaries?
@crenshaw-dev Not much work at all, it's on my to-do list. I was hoping for a patch release or another RC just to double-check that things are working smoothly. Will there be another RC before 2.5 becomes GA?
Also, could this PR at least be cherry-picked to 2.4? It's neither a feature nor a fix.
At least one! Bug reports have been kinda low, so we're trying to encourage more folks to take the RCs for a spin.
Ah yep, you did mention this
I can't think of a reason why it couldn't... I think before 2.5 GA I wanna do one last 2.2 release. I'll plan to cherry-pick this all the way back to 2.2 after we validate the release workflow on 2.5.0-rc3.
* consolidate checksums into one file
  Signed-off-by: Justin Marquis <34fathombelow@protonmail.com>
* sign container images
  Signed-off-by: Justin Marquis <34fathombelow@protonmail.com>
* sign container images
  Signed-off-by: Justin Marquis <34fathombelow@protonmail.com>
* remove id-token permissions
  Signed-off-by: Justin Marquis <34fathombelow@protonmail.com>

Signed-off-by: Justin Marquis <34fathombelow@protonmail.com>
Signed-off-by: Chris Davis <74455480+chris-codeflow@users.noreply.github.com>
Cherry-picked onto release-2.2 for 2.2.15, release-2.3 for 2.3.10, release-2.4 for 2.4.15, and release-2.5 for 2.5.0-rc3.
This PR implements container images to be signed using sigstore/cosign.

It also consolidates the checksums of the cli-binaries at release time into a single file that can also be signed at a later time.

Three GitHub secrets will need to be created before this PR is merged. The process to do this is listed below.

TLDR: https://docs.sigstore.dev/cosign/git_support

1. After installing cosign, run `cosign --version` to verify it has been installed correctly.
2. Run `cosign generate-key-pair github://argoproj/argocd`. This will start the process of creating the GitHub Secrets automatically for you, and prompt you to enter a password. This password will be stored as the GitHub secret `COSIGN_PASSWORD`. I would recommend using a well-respected password generator such as KeePassXC or Bitwarden and using a paranoid level of at least 32 characters.
3. The three secrets created are `COSIGN_PASSWORD`, `COSIGN_PRIVATE_KEY` & `COSIGN_PUBLIC_KEY`.
Todo at a later time
More about cosign and how it is used
https://docs.sigstore.dev/
https://blog.sigstore.dev/cosign-image-signatures-77bab238a93
https://github.com/GoogleContainerTools/distroless#how-do-i-verify-distroless-images
https://kubernetes.io/docs/tasks/administer-cluster/verify-signed-images/
https://cloud.redhat.com/blog/software-supply-chain-security-on-openshift-with-kyverno-and-cosign
https://docs.sigstore.dev/cosign/overview/#kubernetes-integrations
https://kyverno.io/docs/writing-policies/verify-images/
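The two pieces the PR and the review thread turn on are the consolidated checksums file for the CLI binaries and the signatures over that file and over the container images. The script below is an added example, not code from this PR or from the argo-cd release workflow: it builds a single checksums file the way the release side would, verifies it the way a consumer would (including the tampered and missing-file cases), and wraps the cosign verification calls a consumer runs once the checksums file and image are signed. The file names, the `cosign.pub` key path, the `cli_checksums.txt` name and the image reference are assumptions; the cosign step needs cosign installed and is not executed by the demo.

```shell
#!/usr/bin/env sh
# Added example, not code from the PR or the argo-cd release workflow.
# Release side: collapse the per-binary checksums into one file.
# Consumer side: recompute and compare, then (where cosign is installed)
# check the cosign signature over that file and over the image.
# File names, image reference and key path are assumptions.
set -eu

# Portable SHA-256 of one file (GNU coreutils sha256sum or BSD shasum).
sha256_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# build_checksums <dir> <out-file>
# Writes "<sha256>  <basename>" for every regular file in <dir>, the layout
# that `sha256sum -c` accepts, so one file covers every CLI binary.
build_checksums() {
  dir=$1; out=$2
  : > "$out"
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    printf '%s  %s\n' "$(sha256_file "$f")" "$(basename "$f")" >> "$out"
  done
}

# verify_checksums <dir> <checksums-file>
# Recomputes each listed hash; returns 0 when all match, 1 when any file is
# missing or altered. Names of the offending files go to stderr.
verify_checksums() {
  dir=$1; sums=$2; rc=0
  while read -r expected name; do
    [ -n "$name" ] || continue
    if [ -f "$dir/$name" ]; then
      actual=$(sha256_file "$dir/$name")
    else
      actual=missing
    fi
    if [ "$actual" != "$expected" ]; then
      echo "MISMATCH: $name" >&2
      rc=1
    fi
  done < "$sums"
  return $rc
}

# verify_release_signatures <cosign.pub> <checksums-file> <checksums.sig> <image@sha256:digest>
# Signature checks with the project's public key (assumed paths). The blob
# signature binds the checksums file, so a matching checksum then vouches for
# each binary; the image check should use a digest, not a mutable tag.
# Requires cosign; not run by the demo below.
verify_release_signatures() {
  cosign verify-blob --key "$1" --signature "$3" "$2"
  cosign verify --key "$1" "$4"
}

# Constructed demo: three fake binaries, a clean check, then a tampered file.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/release"
  printf 'linux build\n'   > "$tmp/release/argocd-linux-amd64"
  printf 'darwin build\n'  > "$tmp/release/argocd-darwin-amd64"
  printf 'windows build\n' > "$tmp/release/argocd-windows-amd64.exe"
  build_checksums "$tmp/release" "$tmp/cli_checksums.txt"
  verify_checksums "$tmp/release" "$tmp/cli_checksums.txt" || { echo "clean: FAILED"; return 1; }
  echo "clean: ok"
  printf 'tampered\n' >> "$tmp/release/argocd-linux-amd64"
  if verify_checksums "$tmp/release" "$tmp/cli_checksums.txt" 2>/dev/null; then
    echo "tampered: NOT detected"; rm -rf "$tmp"; return 1
  fi
  echo "tampered: detected"
  rm -rf "$tmp"
}

demo
```

The point of signing the one consolidated file rather than each binary is the chain in `verify_release_signatures`: `cosign verify-blob` establishes that the checksums file is the one the release key signed, and `verify_checksums` then ties every binary to that file, so a swapped binary shows up as a checksum mismatch and a swapped checksums file shows up as a signature failure.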