ci: fix image signing image list

miracum · Nov 27, 2022 · df0d037 · df0d037
1 parent 602b1e5
commit df0d037
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 9 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -228,7 +228,7 @@ jobs:
       - name: Sign images
         env:
           COSIGN_EXPERIMENTAL: "true"
-          IMAGES: ${{ steps.container_meta.outputs.version }}
+          IMAGES: ${{ steps.container_meta.outputs.tags }}
         run: |
           while read -r image; do
             echo "Signing '$image' using keyless approach"

diff --git a/k8s/kustomize/base/kustomization.yaml b/k8s/kustomize/base/kustomization.yaml
@@ -8,11 +8,3 @@ resources:
   - web-service.yaml
   - merger-deployment.yaml
   - merger-service.yaml
-helmCharts:
-  - name: hapi-fhir-jpaserver
-    repo: https://hapifhir.github.io/hapi-fhir-jpaserver-starter
-    version: 0.11.0
-    valuesInline:
-      postgresql:
-        auth:
-          postgresPassword: hapi-fhir-postgres-admin-pass
diff --git a/k8s/kustomize/overlays/staging/bitnami-image-policy.yaml b/k8s/kustomize/overlays/staging/bitnami-image-policy.yaml
@@ -0,0 +1,11 @@
+apiVersion: policy.sigstore.dev/v1beta1
+kind: ClusterImagePolicy
+metadata:
+  name: bitnami-image-policy
+spec:
+  images:
+    - glob: "docker.io/bitnami/**"
+    - glob: "index.docker.io/bitnami/**"
+  authorities:
+    - static:
+        action: pass
diff --git a/k8s/kustomize/overlays/staging/kustomization.yaml b/k8s/kustomize/overlays/staging/kustomization.yaml
@@ -3,6 +3,8 @@ kind: Kustomization
 resources:
   - ../../base
   - ingress.yaml
+  - registry-on-fhir-image-policy.yaml
+  - bitnami-image-policy.yaml
 images:
   - name: ghcr.io/miracum/registry-on-fhir/multi-site-merger
     newTag: master
@@ -31,3 +33,12 @@ patchesStrategicMerge:
           containers:
             - name: web
               imagePullPolicy: Always
+helmCharts:
+  - name: hapi-fhir-jpaserver
+    repo: https://hapifhir.github.io/hapi-fhir-jpaserver-starter
+    version: 0.11.0
+    namespace: registry
+    valuesInline:
+      postgresql:
+        auth:
+          postgresPassword: hapi-fhir-postgres-admin-pass
diff --git a/k8s/kustomize/overlays/staging/registry-on-fhir-image-policy.yaml b/k8s/kustomize/overlays/staging/registry-on-fhir-image-policy.yaml
@@ -0,0 +1,12 @@
+apiVersion: policy.sigstore.dev/v1beta1
+kind: ClusterImagePolicy
+metadata:
+  name: image-policy
+spec:
+  images:
+    - glob: "ghcr.io/miracum/registry-on-fhir/**"
+  authorities:
+    - keyless:
+        identities:
+          - issuer: https://token.actions.githubusercontent.com
+            subjectRegExp: https://github.com/miracum/registry-on-fhir/.github/workflows/*@*