docker: use SLSA Provenance

Signed-off-by: Victor Login <batazor@evrone.com>

ops/Makefile/docker.mk

@@ -26,6 +26,7 @@ docker-login: ## Docker login
 docker_build:
 	@echo "Building ${CI_REGISTRY_IMAGE}-$(SERVICE):${CI_COMMIT_TAG}"
 	@docker buildx build --platform=linux/amd64 \
+		--provenance=true \
 		--force-rm \
 		--push \
 		-t ${CI_REGISTRY_IMAGE}-$(SERVICE):${CI_COMMIT_TAG} \

ops/Makefile/k8s/csi.mk

@@ -6,8 +6,14 @@ SNAPSHOTTER_VERSION=v3.0.1
 csi-build: ## Build the CSI container
 		@echo docker buildx build \
 			--platform=linux/amd64 \
+			--provenance=true \
 			image ${CI_REGISTRY_IMAGE}-csi:${CI_COMMIT_TAG}
-		@docker buildx build --platform=linux/amd64 --no-cache -t ${CI_REGISTRY_IMAGE}-csi -f ops/dockerfile/csi.Dockerfile .
+		@docker buildx build \
+			--platform=linux/amd64 \
+			--provenance=true \
+			--no-cache \
+			-t ${CI_REGISTRY_IMAGE}-csi \
+			-f ops/dockerfile/csi.Dockerfile .
 
 csi-up: ## Deploy CSI plugin
 		# Apply VolumeSnapshot CRDs

ops/dockerfile/bot.Dockerfile

@@ -1,4 +1,4 @@
-# syntax=docker/dockerfile:1.4
+# syntax=docker/dockerfile:1.5
 
 # Link: https://github.com/moby/buildkit/blob/master/docs/attestations/sbom.md
 # enable scanning for the intermediate build stage

ops/dockerfile/csi.Dockerfile

@@ -1,4 +1,4 @@
-# syntax=docker/dockerfile:1.4
+# syntax=docker/dockerfile:1.5
 
 # Link: https://github.com/moby/buildkit/blob/master/docs/attestations/sbom.md
 # enable scanning for the intermediate build stage

ops/dockerfile/go.Dockerfile

@@ -1,4 +1,4 @@
-# syntax=docker/dockerfile:1.4
+# syntax=docker/dockerfile:1.5
 
 # Link: https://github.com/moby/buildkit/blob/master/docs/attestations/sbom.md
 # enable scanning for the intermediate build stage

ops/dockerfile/landing.Dockerfile

@@ -1,4 +1,4 @@
-# syntax=docker/dockerfile:1.4
+# syntax=docker/dockerfile:1.5
 
 # Link: https://github.com/moby/buildkit/blob/master/docs/attestations/sbom.md
 # enable scanning for the intermediate build stage

ops/dockerfile/proxy.Dockerfile

@@ -1,4 +1,4 @@
-# syntax=docker/dockerfile:1.4
+# syntax=docker/dockerfile:1.5
 
 # Link: https://github.com/moby/buildkit/blob/master/docs/attestations/sbom.md
 # enable scanning for the intermediate build stage

ops/dockerfile/referral.Dockerfile

@@ -1,4 +1,4 @@
-# syntax=docker/dockerfile:1.4
+# syntax=docker/dockerfile:1.5
 
 # Link: https://github.com/moby/buildkit/blob/master/docs/attestations/sbom.md
 # enable scanning for the intermediate build stage

ops/dockerfile/shortdb.Dockerfile

@@ -1,4 +1,4 @@
-# syntax=docker/dockerfile:1.4
+# syntax=docker/dockerfile:1.5
 
 # Link: https://github.com/moby/buildkit/blob/master/docs/attestations/sbom.md
 # enable scanning for the intermediate build stage

ops/dockerfile/ui-kit.Dockerfile

@@ -1,4 +1,4 @@
-# syntax=docker/dockerfile:1.4
+# syntax=docker/dockerfile:1.5
 
 # Link: https://github.com/moby/buildkit/blob/master/docs/attestations/sbom.md
 # enable scanning for the intermediate build stage

ops/dockerfile/ui-next.Dockerfile

@@ -1,4 +1,4 @@
-# syntax=docker/dockerfile:1.4
+# syntax=docker/dockerfile:1.5
 
 # Link: https://github.com/moby/buildkit/blob/master/docs/attestations/sbom.md
 # enable scanning for the intermediate build stage

ops/gitlab/templates/build.yml

@@ -1,9 +1,9 @@
 .template_build:
   stage: build
   services:
-    - name: docker:23.0.0-rc.1-dind
+    - name: docker:23.0.0-rc.3-dind
       command: [ "--experimental" ]
-  image: docker:23.0.0-rc.1-cli
+  image: docker:23.0.0-rc.3-cli
   variables:
     DOCKER_BUILDKIT: 1
     DOCKER_CONTENT_TRUST: 1
@@ -21,6 +21,7 @@
   script:
     - docker buildx build 
       --platform=linux/amd64
+      --provenance=true
       --push $CMD_PATH $DOCKERFILE_ARGS
       -t ${REGISTRY_IMAGE}:latest
       -t ${REGISTRY_IMAGE}:${CI_COMMIT_TAG}