Sign images (#1533)

* Bump Sonar * Refactor inventories * Refactor agent inventory * Use logger * Sign released images * Add --sign flag to CLI * Update release notes * Use Actions env. variables * Remove the if for testing * Change AWS default region * Artifactory login * Debug env variable access * Fix logging * Try echo variable * Update release-single-image.yml * Replace env with var * Putting back the conditional release * Remove dot after ubi * Fix pipeline arguments * Refactor e2e inventory
mongodb · May 6, 2024 · 7cfc2f7 · 7cfc2f7
1 parent ea008d7
commit 7cfc2f7
Show file tree

Hide file tree

Showing 12 changed files with 367 additions and 534 deletions.
diff --git a/.action_templates/jobs/setup.yaml b/.action_templates/jobs/setup.yaml
@@ -4,7 +4,7 @@ setup:
     fail-fast: false
     matrix:
       include:
-        - pipeline-argument: mongodb-kubernetes-operator
+        - pipeline-argument: operator
         - pipeline-argument: version-upgrade-hook
         - pipeline-argument: readiness-probe
         - pipeline-argument: agent

diff --git a/.action_templates/jobs/tests.yaml b/.action_templates/jobs/tests.yaml
@@ -10,7 +10,7 @@ tests:
         - test-name: replica_set_enterprise_upgrade_4_5
           distro: ubi
         - test-name: replica_set_enterprise_upgrade_5_6
-          distro: ubi.
+          distro: ubi
         - test-name: replica_set_enterprise_upgrade_6_7
           distro: ubi
         - test-name: replica_set_recovery

diff --git a/.github/workflows/release-images.yml b/.github/workflows/release-images.yml
@@ -56,11 +56,17 @@ jobs:
 
       - name: Publish Image To Quay
         if: steps.release_status.outputs.OUTPUT == 'unreleased'
-        run: python pipeline.py --image-name ${{ matrix.pipeline-argument }} --release
+        run: python pipeline.py --image-name ${{ matrix.pipeline-argument }} --release --sign
         env:
           MONGODB_COMMUNITY_CONFIG: "${{ github.workspace }}/scripts/ci/config.json"
           AWS_ACCESS_KEY_ID: "${{ secrets.AWS_ACCESS_KEY_ID }}"
           AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
+          GRS_USERNAME: "${{ vars.GRS_USERNAME }}"
+          GRS_PASSWORD: "${{ secrets.GRS_PASSWORD }}"
+          PKCS11_URI: "${{ vars.PKCS11_URI }}"
+          ARTIFACTORY_USERNAME: "${{ vars.ARTIFACTORY_USERNAME }}"
+          ARTIFACTORY_PASSWORD: "${{ secrets.ARTIFACTORY_PASSWORD }}"
+          AWS_DEFAULT_REGION: "${{ vars.AWS_DEFAULT_REGION }}"
 
   create-draft-release:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/release-single-image.yml b/.github/workflows/release-single-image.yml
@@ -46,8 +46,13 @@ jobs:
 
       - name: Publish Image To Quay
         if: steps.release_status.outputs.OUTPUT == 'unreleased'
-        run: python pipeline.py --image-name ${{ github.event.inputs.pipeline-argument }} --release
+        run: python pipeline.py --image-name ${{ github.event.inputs.pipeline-argument }} --release --sign
         env:
           MONGODB_COMMUNITY_CONFIG: "${{ github.workspace }}/scripts/ci/config.json"
           AWS_ACCESS_KEY_ID: "${{ secrets.AWS_ACCESS_KEY_ID }}"
           AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
+          GRS_USERNAME: "${{ vars.GRS_USERNAME }}"
+          GRS_PASSWORD: "${{ secrets.GRS_PASSWORD }}"
+          PKCS11_URI: "${{ vars.PKCS11_URI }}"
+          ARTIFACTORY_USERNAME: "${{ vars.ARTIFACTORY_USERNAME }}"
+          ARTIFACTORY_PASSWORD: "${{ secrets.ARTIFACTORY_PASSWORD }}"
diff --git a/docs/RELEASE_NOTES.md b/docs/RELEASE_NOTES.md
@@ -1,7 +1,5 @@
-# MongoDB Kubernetes Operator 0.9.0
+# MongoDB Kubernetes Operator 0.10.0
 
-## MongoDBCommunity Resource
+## Released images signed
 
-- Changes
-  - Introduced support for [Mongodb7](https://www.mongodb.com/docs/manual/release-notes/7.0/)
-  - Upgrading Kubernetes client APIs to 1.26
+All container images published for the community operator are signed with our private key. This is visible on our Quay registry. Signature can be verified using our public key, which is available at [this address](https://cosign.mongodb.com/mongodb-enterprise-kubernetes-operator.pem).
diff --git a/inventories/e2e-inventory.yaml b/inventories/e2e-inventory.yaml
@@ -1,14 +1,15 @@
 vars:
   registry: <registry>
+  architecture: amd64
 
 images:
-  - name: e2e-arm64
+  - name: e2e
     vars:
       context: .
       template_context: scripts/dev/templates
     inputs:
       - image
-    platform: linux/arm64
+    platform: linux/$(inputs.params.architecture)
     stages:
       - name: e2e-template
         task_type: dockerfile_template
@@ -31,40 +32,6 @@ images:
 
         output:
           - registry: $(inputs.params.registry)/$(inputs.params.image)
-            tag: $(inputs.params.version_id)-arm64
+            tag: $(inputs.params.version_id)-$(inputs.params.architecture)
           - registry: $(inputs.params.registry)/$(inputs.params.image)
-            tag: latest-arm64
-
-  - name: e2e-amd64
-    vars:
-      context: .
-      template_context: scripts/dev/templates
-    inputs:
-      - image
-    platform: linux/amd64
-    stages:
-      - name: e2e-template
-        task_type: dockerfile_template
-        distro: e2e
-
-        inputs:
-          - builder
-          - base_image
-
-        output:
-          - dockerfile: scripts/dev/templates/Dockerfile.ubi-$(inputs.params.version_id)
-
-      - name: e2e-build
-        task_type: docker_build
-
-        dockerfile: scripts/dev/templates/Dockerfile.ubi-$(inputs.params.version_id)
-
-        labels:
-          quay.expires-after: 48h
-
-        output:
-          - registry: $(inputs.params.registry)/$(inputs.params.image)
-            tag: $(inputs.params.version_id)-amd64
-          - registry: $(inputs.params.registry)/$(inputs.params.image)
-            tag: latest-amd64
-
+            tag: latest-$(inputs.params.architecture)
diff --git a/inventories/operator-inventory.yaml b/inventories/operator-inventory.yaml
@@ -1,8 +1,9 @@
 vars:
   registry: <registry>
+  architecture: amd64
 
 images:
-  - name: operator-amd64
+  - name: operator
     vars:
       context: .
       template_context: scripts/dev/templates/operator
@@ -11,7 +12,7 @@ images:
       - image
       - image_dev
 
-    platform: linux/amd64
+    platform: linux/$(inputs.params.architecture)
 
     stages:
 #
@@ -30,7 +31,7 @@ images:
 
         output:
         - registry: $(inputs.params.registry)/$(inputs.params.image_dev)
-          tag: $(inputs.params.version_id)-context-amd64
+          tag: $(inputs.params.version_id)-context-$(inputs.params.architecture)
 
       - name: operator-template-dev
         task_type: dockerfile_template
@@ -51,16 +52,16 @@ images:
           - version_id
 
         buildargs:
-          imagebase: $(inputs.params.registry)/$(inputs.params.image_dev):$(inputs.params.version_id)-context-amd64
+          imagebase: $(inputs.params.registry)/$(inputs.params.image_dev):$(inputs.params.version_id)-context-$(inputs.params.architecture)
 
         labels:
           quay.expires-after: 48h
 
         output:
           - registry: $(inputs.params.registry)/$(inputs.params.image_dev)
-            tag: $(inputs.params.version_id)-amd64
+            tag: $(inputs.params.version_id)-$(inputs.params.architecture)
           - registry: $(inputs.params.registry)/$(inputs.params.image_dev)
-            tag: latest-amd64
+            tag: latest-$(inputs.params.architecture)
 
 #
 # Release build stages
@@ -83,7 +84,7 @@ images:
 
         output:
           - registry: $(inputs.params.registry)/$(inputs.params.image)
-            tag: $(inputs.params.release_version)-context-amd64
+            tag: $(inputs.params.release_version)-context-$(inputs.params.architecture)
 
       - name: operator-template-release
         task_type: dockerfile_template
@@ -107,125 +108,11 @@ images:
         dockerfile: scripts/dev/templates/operator/Dockerfile.operator-$(inputs.params.release_version)
 
         buildargs:
-          imagebase: $(inputs.params.registry)/$(inputs.params.image):$(inputs.params.release_version)-context-amd64
+          imagebase: $(inputs.params.registry)/$(inputs.params.image):$(inputs.params.release_version)-context-$(inputs.params.architecture)
 
         labels:
           quay.expires-after: Never
 
         output:
           - registry: $(inputs.params.registry)/$(inputs.params.image)
-            tag: $(inputs.params.release_version)-amd64
-
-  - name: operator-arm64
-    vars:
-      context: .
-      template_context: scripts/dev/templates/operator
-
-    inputs:
-      - image
-      - image_dev
-
-    platform: linux/arm64
-
-    stages:
-      #
-      # Dev build stages
-      #
-      - name: operator-builder-dev
-        task_type: docker_build
-        tags: [ "ubi" ]
-        dockerfile: scripts/dev/templates/operator/Dockerfile.builder
-
-        buildargs:
-          builder_image: $(inputs.params.builder_image)
-
-        labels:
-          quay.expires-after: 48h
-
-        output:
-          - registry: $(inputs.params.registry)/$(inputs.params.image_dev)
-            tag: $(inputs.params.version_id)-context-arm64
-
-      - name: operator-template-dev
-        task_type: dockerfile_template
-        tags: [ "ubi" ]
-        template_file_extension: operator
-        inputs:
-          - base_image
-
-        output:
-          - dockerfile: scripts/dev/templates/operator/Dockerfile.operator-$(inputs.params.version_id)
-
-      - name: operator-build-dev
-        task_type: docker_build
-        tags: [ "ubi" ]
-        dockerfile: scripts/dev/templates/operator/Dockerfile.operator-$(inputs.params.version_id)
-
-        inputs:
-          - version_id
-
-        buildargs:
-          imagebase: $(inputs.params.registry)/$(inputs.params.image_dev):$(inputs.params.version_id)-context-arm64
-
-        labels:
-          quay.expires-after: 48h
-
-        output:
-          - registry: $(inputs.params.registry)/$(inputs.params.image_dev)
-            tag: $(inputs.params.version_id)-arm64
-          - registry: $(inputs.params.registry)/$(inputs.params.image_dev)
-            tag: latest-arm64
-
-      #
-      # Release build stages
-      #
-      - name: operator-builder-release
-        task_type: docker_build
-        tags: [ "ubi", "release" ]
-
-        inputs:
-          - builder_image
-          - release_version
-
-        dockerfile: scripts/dev/templates/operator/Dockerfile.builder
-
-        labels:
-          quay.expires-after: Never
-
-        buildargs:
-          builder_image: $(inputs.params.builder_image)
-
-        output:
-          - registry: $(inputs.params.registry)/$(inputs.params.image)
-            tag: $(inputs.params.release_version)-context-arm64
-
-      - name: operator-template-release
-        task_type: dockerfile_template
-        tags: [ "ubi", "release" ]
-        template_file_extension: operator
-        inputs:
-          - base_image
-          - release_version
-
-        output:
-          - dockerfile: scripts/dev/templates/operator/Dockerfile.operator-$(inputs.params.release_version)
-          - dockerfile: $(inputs.params.s3_bucket)/mongodb-kubernetes-operator/$(inputs.params.release_version)/ubi/Dockerfile
-
-      - name: operator-build-release
-        task_type: docker_build
-        tags: [ "ubi", "release" ]
-
-        inputs:
-          - release_version
-
-        dockerfile: scripts/dev/templates/operator/Dockerfile.operator-$(inputs.params.release_version)
-
-        buildargs:
-          imagebase: $(inputs.params.registry)/$(inputs.params.image):$(inputs.params.release_version)-context-arm64
-
-        labels:
-          quay.expires-after: Never
-
-        output:
-          - registry: $(inputs.params.registry)/$(inputs.params.image)
-            tag: $(inputs.params.release_version)-arm64
+            tag: $(inputs.params.release_version)-$(inputs.params.architecture)