Created
September 15, 2021 17:46
-
-
Save mattmoor/aeb256d70a8443cd5b049c1d498c39d4 to your computer and use it in GitHub Desktop.
Tekton task to sign with gcloud credentials
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
apiVersion: tekton.dev/v1beta1 | |
kind: Task | |
metadata: | |
name: sign-with-gcloud | |
spec: | |
params: | |
- name: digest | |
description: The digest to sign | |
steps: | |
- name: sign-result | |
image: ko://github.com/sigstore/cosign/cmd/cosign | |
env: | |
# Enable keyless signing using the identity token for OIDC | |
- name: COSIGN_EXPERIMENTAL | |
value: "1" | |
command: ["/bin/sh"] | |
args: | |
- "-c" | |
- | | |
# Use gcloud as the credential helper, since it is here. | |
gcloud auth configure-docker --quiet | |
# Generate an identity token. | |
IDENTITY_TOKEN=$(gcloud auth print-identity-token --audiences=sigstore) | |
# Use the identity token to sign the image. | |
/ko-app/cosign sign -f -upload \ | |
-identity-token $IDENTITY_TOKEN \ | |
$(params.digest) | |
--- | |
apiVersion: v1 | |
kind: ServiceAccount | |
metadata: | |
name: kaniko | |
annotations: | |
# Allow the workloads run as kaniko to impersonate this robot, created with: | |
# gcloud iam service-accounts create kaniko-workload | |
# gcloud iam service-accounts add-iam-policy-binding --role roles/iam.workloadIdentityUser --member "serviceAccount:mattmoor-credit.svc.id.goog[default/kaniko]" kaniko-workload@mattmoor-credit.iam.gserviceaccount.com | |
# gcloud projects add-iam-policy-binding mattmoor-credit --member=serviceAccount:kaniko-workload@mattmoor-credit.iam.gserviceaccount.com --role=roles/storage.admin | |
iam.gke.io/gcp-service-account: kaniko-workload@mattmoor-credit.iam.gserviceaccount.com |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment