Created
September 15, 2021 17:45
-
-
Save mattmoor/6d0345d99575b23271b6cdb55f9458a5 to your computer and use it in GitHub Desktop.
Tekton task to sign with ambient creds
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: tekton.dev/v1beta1 | |
| kind: Task | |
| metadata: | |
| name: sign-with-ambient | |
| spec: | |
| params: | |
| - name: digest | |
| description: The digest to sign | |
| steps: | |
| # The Goal: | |
| # - name: sign-result | |
| # image: gcr.io/projectsigstore/cosign | |
| # args: [sign, -f, -upload, $(params.digest)] | |
| - name: sign-result | |
| # Produced with: | |
| # docker-credential-magician mutate \ | |
| # gcr.io/projectsigstore/cosign/ci/cosign:3f83940d3f3d97075d606af1e0793051cc6fc19b \ | |
| # -t ghcr.io/mattmoor/cosign:magic | |
| image: ghcr.io/mattmoor/cosign:magic | |
| env: | |
| # Enable keyless signing using the identity token for OIDC | |
| - name: COSIGN_EXPERIMENTAL | |
| value: "1" | |
| args: [sign, -f, -upload, $(params.digest)] | |
| --- | |
| apiVersion: v1 | |
| kind: ServiceAccount | |
| metadata: | |
| name: kaniko | |
| annotations: | |
| # Allow the workloads run as kaniko to impersonate this robot, created with: | |
| # gcloud iam service-accounts create kaniko-workload | |
| # gcloud iam service-accounts add-iam-policy-binding --role roles/iam.workloadIdentityUser --member "serviceAccount:mattmoor-credit.svc.id.goog[default/kaniko]" kaniko-workload@mattmoor-credit.iam.gserviceaccount.com | |
| # gcloud projects add-iam-policy-binding mattmoor-credit --member=serviceAccount:kaniko-workload@mattmoor-credit.iam.gserviceaccount.com --role=roles/storage.admin | |
| iam.gke.io/gcp-service-account: kaniko-workload@mattmoor-credit.iam.gserviceaccount.com |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment