Checking keyless signature for k8s components

nicholasdille · nicholasdille · commit 8af25ea099e1 · 2022-12-06T09:49:59.000+01:00
diff --git a/tools/kube-apiserver/Dockerfile.template b/tools/kube-apiserver/Dockerfile.template
@@ -1,13 +1,31 @@
 #syntax=docker/dockerfile:1.4.3
 
 ARG ref=main
-FROM ghcr.io/nicholasdille/docker-setup/base:${ref} AS prepare
 
+FROM ghcr.io/nicholasdille/docker-setup/cosign:${ref} AS cosign
+
+FROM ghcr.io/nicholasdille/docker-setup/base:${ref} AS prepare
+COPY --from=cosign / /
 ARG name
 ARG version
-
 RUN <<EOF
-curl --silent --location --output "${prefix}${target}/bin/kube-apiserver" \
-    "https://storage.googleapis.com/kubernetes-release/release/v${version}/bin/linux/${alt_arch}/kube-apiserver"
+curl --silent --location --fail --output "${prefix}${target}/bin/kube-apiserver" \
+    "https://dl.k8s.io/release/v${version}/bin/linux/amd64/kube-apiserver"
 chmod +x "${prefix}${target}/bin/kube-apiserver"
+
+if test "$(echo -e "1.26.0-beta.0\n${version}" | sort -V | head -n 1)" == "1.26.0-beta.0"; then
+    echo "Verifying keyless signature for kube-apiserver"
+    curl --silent --location --fail --output "/tmp/kube-apiserver.sig" \
+        "https://dl.k8s.io/release/v${version}/bin/linux/amd64/kube-apiserver.sig"
+    curl --silent --location --fail --output "/tmp/kube-apiserver.cert" \
+        "https://dl.k8s.io/release/v${version}/bin/linux/amd64/kube-apiserver.cert"
+    COSIGN_EXPERIMENTAL=1 cosign verify-blob "${prefix}${target}/bin/kube-apiserver" \
+        --signature "/tmp/kube-apiserver.sig" \
+        --certificate "/tmp/kube-apiserver.cert" \
+        --certificate-oidc-issuer https://accounts.google.com \
+        --certificate-email krel-staging@k8s-releng-prod.iam.gserviceaccount.com
+    rm -f \
+        "/tmp/kube-apiserver.sig" \
+        "/tmp/kube-apiserver.cert"
+fi
 EOF
diff --git a/tools/kube-apiserver/manifest.yaml b/tools/kube-apiserver/manifest.yaml
@@ -1,6 +1,8 @@
 name: kube-apiserver
 version: "1.25.4"
 check: ${binary} --version | cut -d' ' -f2 | tr -d v
+dependencies:
+- cosign
 tags:
 - org/cncf
 - org/kubernetes
diff --git a/tools/kube-controller-manager/Dockerfile.template b/tools/kube-controller-manager/Dockerfile.template
@@ -1,13 +1,31 @@
 #syntax=docker/dockerfile:1.4.3
 
 ARG ref=main
-FROM ghcr.io/nicholasdille/docker-setup/base:${ref} AS prepare
 
+FROM ghcr.io/nicholasdille/docker-setup/cosign:${ref} AS cosign
+
+FROM ghcr.io/nicholasdille/docker-setup/base:${ref} AS prepare
+COPY --from=cosign / /
 ARG name
 ARG version
-
 RUN <<EOF
 curl --silent --location --output "${prefix}${target}/bin/kube-controller-manager" \
     "https://storage.googleapis.com/kubernetes-release/release/v${version}/bin/linux/${alt_arch}/kube-controller-manager"
 chmod +x "${prefix}${target}/bin/kube-controller-manager"
+
+if test "$(echo -e "1.26.0-beta.0\n${version}" | sort -V | head -n 1)" == "1.26.0-beta.0"; then
+    echo "Verifying keyless signature for kube-controller-manager"
+    curl --silent --location --fail --output "/tmp/kube-controller-manager.sig" \
+        "https://dl.k8s.io/release/v${version}/bin/linux/amd64/kube-controller-manager.sig"
+    curl --silent --location --fail --output "/tmp/kube-controller-manager.cert" \
+        "https://dl.k8s.io/release/v${version}/bin/linux/amd64/kube-controller-manager.cert"
+    COSIGN_EXPERIMENTAL=1 cosign verify-blob "${prefix}${target}/bin/kube-controller-manager" \
+        --signature "/tmp/kube-controller-manager.sig" \
+        --certificate "/tmp/kube-controller-manager.cert" \
+        --certificate-oidc-issuer https://accounts.google.com \
+        --certificate-email krel-staging@k8s-releng-prod.iam.gserviceaccount.com
+    rm -f \
+        "/tmp/kube-controller-manager.sig" \
+        "/tmp/kube-controller-manager.cert"
+fi
 EOF
diff --git a/tools/kube-controller-manager/manifest.yaml b/tools/kube-controller-manager/manifest.yaml
@@ -1,6 +1,8 @@
 name: kube-controller-manager
 version: "1.25.4"
 check: ${binary} --version | cut -d' ' -f2 | tr -d v
+dependencies:
+- cosign
 tags:
 - org/cncf
 - org/kubernetes
diff --git a/tools/kube-proxy/Dockerfile.template b/tools/kube-proxy/Dockerfile.template
@@ -1,13 +1,31 @@
 #syntax=docker/dockerfile:1.4.3
 
 ARG ref=main
-FROM ghcr.io/nicholasdille/docker-setup/base:${ref} AS prepare
 
+FROM ghcr.io/nicholasdille/docker-setup/cosign:${ref} AS cosign
+
+FROM ghcr.io/nicholasdille/docker-setup/base:${ref} AS prepare
+COPY --from=cosign / /
 ARG name
 ARG version
-
 RUN <<EOF
 curl --silent --location --output "${prefix}${target}/bin/kube-proxy" \
     "https://storage.googleapis.com/kubernetes-release/release/v${version}/bin/linux/${alt_arch}/kube-proxy"
 chmod +x "${prefix}${target}/bin/kube-proxy"
+
+if test "$(echo -e "1.26.0-beta.0\n${version}" | sort -V | head -n 1)" == "1.26.0-beta.0"; then
+    echo "Verifying keyless signature for kube-proxy"
+    curl --silent --location --fail --output "/tmp/kube-proxy.sig" \
+        "https://dl.k8s.io/release/v${version}/bin/linux/amd64/kube-proxy.sig"
+    curl --silent --location --fail --output "/tmp/kube-proxy.cert" \
+        "https://dl.k8s.io/release/v${version}/bin/linux/amd64/kube-proxy.cert"
+    COSIGN_EXPERIMENTAL=1 cosign verify-blob "${prefix}${target}/bin/kube-proxy" \
+        --signature "/tmp/kube-proxy.sig" \
+        --certificate "/tmp/kube-proxy.cert" \
+        --certificate-oidc-issuer https://accounts.google.com \
+        --certificate-email krel-staging@k8s-releng-prod.iam.gserviceaccount.com
+    rm -f \
+        "/tmp/kube-proxy.sig" \
+        "/tmp/kube-proxy.cert"
+fi
 EOF
diff --git a/tools/kube-proxy/manifest.yaml b/tools/kube-proxy/manifest.yaml
@@ -1,6 +1,8 @@
 name: kube-proxy
 version: "1.25.4"
 check: ${binary} --version | cut -d' ' -f2 | tr -d v
+dependencies:
+- cosign
 tags:
 - org/cncf
 - org/kubernetes
diff --git a/tools/kube-scheduler/Dockerfile.template b/tools/kube-scheduler/Dockerfile.template
@@ -1,13 +1,31 @@
 #syntax=docker/dockerfile:1.4.3
 
 ARG ref=main
-FROM ghcr.io/nicholasdille/docker-setup/base:${ref} AS prepare
 
+FROM ghcr.io/nicholasdille/docker-setup/cosign:${ref} AS cosign
+
+FROM ghcr.io/nicholasdille/docker-setup/base:${ref} AS prepare
+COPY --from=cosign / /
 ARG name
 ARG version
-
 RUN <<EOF
 curl --silent --location --output "${prefix}${target}/bin/kube-scheduler" \
     "https://storage.googleapis.com/kubernetes-release/release/v${version}/bin/linux/${alt_arch}/kube-scheduler"
 chmod +x "${prefix}${target}/bin/kube-scheduler"
+
+if test "$(echo -e "1.26.0-beta.0\n${version}" | sort -V | head -n 1)" == "1.26.0-beta.0"; then
+    echo "Verifying keyless signature for kube-scheduler"
+    curl --silent --location --fail --output "/tmp/kube-scheduler.sig" \
+        "https://dl.k8s.io/release/v${version}/bin/linux/amd64/kube-scheduler.sig"
+    curl --silent --location --fail --output "/tmp/kube-scheduler.cert" \
+        "https://dl.k8s.io/release/v${version}/bin/linux/amd64/kube-scheduler.cert"
+    COSIGN_EXPERIMENTAL=1 cosign verify-blob "${prefix}${target}/bin/kube-scheduler" \
+        --signature "/tmp/kube-scheduler.sig" \
+        --certificate "/tmp/kube-scheduler.cert" \
+        --certificate-oidc-issuer https://accounts.google.com \
+        --certificate-email krel-staging@k8s-releng-prod.iam.gserviceaccount.com
+    rm -f \
+        "/tmp/kube-scheduler.sig" \
+        "/tmp/kube-scheduler.cert"
+fi
 EOF
diff --git a/tools/kube-scheduler/manifest.yaml b/tools/kube-scheduler/manifest.yaml
@@ -1,6 +1,8 @@
 name: kube-scheduler
 version: "1.25.4"
 check: ${binary} --version | cut -d' ' -f2 | tr -d v
+dependencies:
+- cosign
 tags:
 - org/cncf
 - org/kubernetes
diff --git a/tools/kubeadm/Dockerfile.template b/tools/kubeadm/Dockerfile.template
@@ -1,17 +1,35 @@
 #syntax=docker/dockerfile:1.4.3
 
 ARG ref=main
-FROM ghcr.io/nicholasdille/docker-setup/base:${ref} AS prepare
 
+FROM ghcr.io/nicholasdille/docker-setup/cosign:${ref} AS cosign
+
+FROM ghcr.io/nicholasdille/docker-setup/base:${ref} AS prepare
+COPY --from=cosign / /
 ARG name
 ARG version
-
 COPY kubelet.service ${prefix}/etc/systemd/system/
-
 RUN <<EOF
 curl --silent --location --output "${prefix}${target}/bin/kubeadm" \
     "https://storage.googleapis.com/kubernetes-release/release/v${version}/bin/linux/${alt_arch}/kubeadm"
 chmod +x "${prefix}${target}/bin/kubeadm"
+
+if test "$(echo -e "1.26.0-beta.0\n${version}" | sort -V | head -n 1)" == "1.26.0-beta.0"; then
+    echo "Verifying keyless signature for kubeadm"
+    curl --silent --location --fail --output "/tmp/kubeadm.sig" \
+        "https://dl.k8s.io/release/v${version}/bin/linux/amd64/kubeadm.sig"
+    curl --silent --location --fail --output "/tmp/kubeadm.cert" \
+        "https://dl.k8s.io/release/v${version}/bin/linux/amd64/kubeadm.cert"
+    COSIGN_EXPERIMENTAL=1 cosign verify-blob "${prefix}${target}/bin/kubeadm" \
+        --signature "/tmp/kubeadm.sig" \
+        --certificate "/tmp/kubeadm.cert" \
+        --certificate-oidc-issuer https://accounts.google.com \
+        --certificate-email krel-staging@k8s-releng-prod.iam.gserviceaccount.com
+    rm -f \
+        "/tmp/kubeadm.sig" \
+        "/tmp/kubeadm.cert"
+fi
+
 "${prefix}${target}/bin/kubeadm" completion bash >"${prefix}${target}/share/bash-completion/completions/kubeadm"
 "${prefix}${target}/bin/kubeadm" completion zsh >"${prefix}${target}/share/zsh/vendor-completions/_kubeadm"
 EOF
diff --git a/tools/kubeadm/manifest.yaml b/tools/kubeadm/manifest.yaml
@@ -3,6 +3,7 @@ version: "1.25.4"
 check: ${binary} version --output short | tr -d v
 dependencies:
 - kubelet
+- cosign
 tags:
 - org/cncf
 - org/kubernetes
diff --git a/tools/kubectl/manifest.yaml b/tools/kubectl/manifest.yaml
@@ -1,6 +1,8 @@
 name: kubectl
 version: "1.25.4"
 check: ${binary} version --client --short 2>/dev/null | grep ^Client | cut -d' ' -f3 | tr -d v
+dependencies:
+- cosign
 tags:
 - org/cncf
 - org/kubernetes
diff --git a/tools/kubelet/Dockerfile.template b/tools/kubelet/Dockerfile.template
@@ -1,15 +1,32 @@
 #syntax=docker/dockerfile:1.4.3
 
 ARG ref=main
-FROM ghcr.io/nicholasdille/docker-setup/base:${ref} AS prepare
 
+FROM ghcr.io/nicholasdille/docker-setup/cosign:${ref} AS cosign
+
+FROM ghcr.io/nicholasdille/docker-setup/base:${ref} AS prepare
+COPY --from=cosign / /
 ARG name
 ARG version
-
 COPY kubelet.service ${prefix}/etc/systemd/system/
-
 RUN <<EOF
 curl --silent --location --output "${prefix}${target}/bin/kubelet" \
     "https://storage.googleapis.com/kubernetes-release/release/v${version}/bin/linux/${alt_arch}/kubelet"
 chmod +x "${prefix}${target}/bin/kubelet"
+
+if test "$(echo -e "1.26.0-beta.0\n${version}" | sort -V | head -n 1)" == "1.26.0-beta.0"; then
+    echo "Verifying keyless signature for kubelet"
+    curl --silent --location --fail --output "/tmp/kubelet.sig" \
+        "https://dl.k8s.io/release/v${version}/bin/linux/amd64/kubelet.sig"
+    curl --silent --location --fail --output "/tmp/kubelet.cert" \
+        "https://dl.k8s.io/release/v${version}/bin/linux/amd64/kubelet.cert"
+    COSIGN_EXPERIMENTAL=1 cosign verify-blob "${prefix}${target}/bin/kubelet" \
+        --signature "/tmp/kubelet.sig" \
+        --certificate "/tmp/kubelet.cert" \
+        --certificate-oidc-issuer https://accounts.google.com \
+        --certificate-email krel-staging@k8s-releng-prod.iam.gserviceaccount.com
+    rm -f \
+        "/tmp/kubelet.sig" \
+        "/tmp/kubelet.cert"
+fi
 EOF
diff --git a/tools/kubelet/manifest.yaml b/tools/kubelet/manifest.yaml
@@ -1,6 +1,8 @@
 name: kubelet
 version: "1.25.4"
 check: ${binary} --version | cut -d' ' -f2 | tr -d v
+dependencies:
+- cosign
 tags:
 - org/cncf
 - org/kubernetes
