feat(ostree-images): import river template files from wayblue

2024-11-06 11:23:10 -03:00 · 2024-11-06 11:23:10 -03:00 · 576311545e
commit 576311545e
parent 3f8e44008c
60 changed files with 2169 additions and 0 deletions
--- a/ostree-images/river/modules/wayblue-signing/module.yml
+++ b/ostree-images/river/modules/wayblue-signing/module.yml
@ -0,0 +1,4 @@
+name: wayblue-signing
+shortdesc: The signing module is used to install the required signing policies for cosign image verification with rpm-ostree and bootc.
+example: |
+  type: wayblue-signing # this sets up the proper policy & signing files for signed images to work fully
--- a/ostree-images/river/modules/wayblue-signing/policy.json
+++ b/ostree-images/river/modules/wayblue-signing/policy.json
@ -0,0 +1,25 @@
+{
+  "default": [
+      {
+          "type": "reject"
+      }
+  ],
+  "transports": {
+      "docker": {
+          "registry.access.redhat.com": [
+              {
+                  "type": "signedBy",
+                  "keyType": "GPGKeys",
+                  "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+              }
+          ],
+          "registry.redhat.io": [
+              {
+                  "type": "signedBy",
+                  "keyType": "GPGKeys",
+                  "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+              }
+          ]
+      }
+  }
+}
--- a/ostree-images/river/modules/wayblue-signing/registry-config.yml
+++ b/ostree-images/river/modules/wayblue-signing/registry-config.yml
@ -0,0 +1,3 @@
+docker:
+  ghcr.io/IMAGENAME:
+    use-sigstore-attachments: true
--- a/ostree-images/river/modules/wayblue-signing/wayblue-signing.sh
+++ b/ostree-images/river/modules/wayblue-signing/wayblue-signing.sh
@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+
+# Tell build process to exit if there are any errors.
+set -euo pipefail
+
+CONTAINER_DIR="/usr/etc/containers"
+MODULE_DIRECTORY="${MODULE_DIRECTORY:-"/tmp/modules"}"
+IMAGE_NAME_FILE="${IMAGE_NAME//\//_}"
+IMAGE_REGISTRY_TITLE=$(echo "$IMAGE_REGISTRY" | cut -d'/' -f2-)
+
+echo "Setting up container signing in policy.json and cosign.yaml for $IMAGE_NAME"
+echo "Registry to write: $IMAGE_REGISTRY"
+
+if ! [ -d "$CONTAINER_DIR" ]; then
+    mkdir -p "$CONTAINER_DIR"
+fi
+
+if ! [ -d $CONTAINER_DIR/registries.d ]; then
+   mkdir -p "$CONTAINER_DIR/registries.d"
+fi
+
+if ! [ -d "/usr/etc/pki/containers" ]; then
+    mkdir -p "/usr/etc/pki/containers"
+fi
+
+if ! [ -f "$CONTAINER_DIR/policy.json" ]; then
+    cp "$MODULE_DIRECTORY/signing/policy.json" "$CONTAINER_DIR/policy.json"
+fi
+
+mv "/usr/etc/pki/containers/$IMAGE_NAME.pub" "/usr/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub"
+
+POLICY_FILE="$CONTAINER_DIR/policy.json"
+
+yq -i -o=j '.transports.docker |=
+    {"'"$IMAGE_REGISTRY"'": [
+            {
+                "type": "sigstoreSigned",
+                "keyPath": "/usr/etc/pki/containers/'"$IMAGE_REGISTRY_TITLE"'.pub",
+                "signedIdentity": {
+                    "type": "matchRepository"
+                }
+            }
+        ]
+    }
+ .' "$POLICY_FILE"
+
+mv "$MODULE_DIRECTORY/signing/registry-config.yaml" "$CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml"
+sed -i "s ghcr.io/IMAGENAME $IMAGE_REGISTRY g" "$CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml"