A sample scenario that demonstrates ArgoCD Interlace's capability

This example scenario will walk you through:

  • Signing source materials used for generating manifest
  • Creating an application resource in ArgoCD
  • Verifying signature and retrieving manifest generated by ArgoCD Interlace
  • Verifying provenance generated by ArgoCD Interlace

Signing source materials used for generating manifest

Let's say we want to create a sample ArgoCD application.

Fork this repo.

Follow the steps described here for signing source material

Creating an application resource in ArgoCD

To create a sample ArgoCD application, modify the sample application.yaml to refer to the forked repository and run:

kubectl apply --filename https://raw.githubusercontent.com/argoproj-labs/argocd-interlace/main/examples/application.yaml

ArgoCD will deploy this application to the helloworld-ns namespace.

Verifying signature and retrieving manifest generated by ArgoCD Interlace

ArgoCD Interlace generates a signature for the manifest as an annotation to a selected resource or a configured Secret resource.

Verifying provenance generated by ArgoCD Interlace

Let's assume we configured ArgoCD Interlace to publish the transparent verifiable records to the Sigstore transparency log: https://rekor.sigstore.dev

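export LOG_INDEX=841672
# Look up the entry UUID (kept JSON-quoted so it can be used as a jq key)
UUID=$(curl -s "https://rekor.sigstore.dev/api/v1/log/entries/?logIndex=${LOG_INDEX}" | jq keys | jq -c '.[]')
export QUERY=".${UUID}.attestation.data"
# Extract the attestation and base64-decode it twice (--decode works with both GNU and BSD/macOS base64)
curl -s "https://rekor.sigstore.dev/api/v1/log/entries/?logIndex=${LOG_INDEX}" | jq -r "$QUERY" | base64 --decode | base64 --decode | jq .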

An example provenance record would look like:

{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "https://in-toto.io/Provenance/v0.1",
  "subject": [
    {
      "name": "/tmp/output/akmebank-app-ma4kmc3-stage-1/roles/stage/manifest.yaml",
      "digest": {
        "sha256": "2edc9e85ea77a842660b7d1606f54cdf55a209e701340e57c9ac602478ddb182"
      }
    }
  ],
  "predicate": {
    "builder": {
      "id": ""
    },
    "recipe": {
      "type": "",
      "entryPoint": "argocd-interlace",
      "arguments": [
        "-n openshift-gitops"
      ]
    },
    "metadata": {
      "buildStartedOn": "2021-11-10T14:43:43.453259376Z",
      "buildFinishedOn": "2021-11-10T14:43:44.777560012Z",
      "completeness": {
        "arguments": false,
        "environment": false,
        "materials": false
      },
      "reproducible": true
    },
    "materials": [
      {
        "uri": "https://github.com/gajananan/akmebank-config.git",
        "digest": {
          "commit": "dcf41c59871c9057da3bf2aef5603efb47e3a4eb",
          "path": "roles/stage",
          "revision": "main"
        }
      },
      {
        "uri": "https://github.com/gajananan/akmebank-app.git",
        "digest": {
          "commit": "29821780a3ca56137e71098d0c772b055e7790fe",
          "path": "deploy/base",
          "revision": "master"
        }
      }
    ]
  }
}
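
Once the record is retrieved, its subject digest and materials can be checked against the manifest you actually hold and the repositories you expect. The following is an added example, not code from the ArgoCD Interlace project: the function names, the trusted-repository set and the sample response are constructed for illustration, with the response shaped the way the jq query above expects (one entry keyed by UUID, `attestation.data` base64-encoded twice).

```python
import base64
import hashlib
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
PREDICATE_TYPE = "https://in-toto.io/Provenance/v0.1"


def decode_attestation(rekor_response: dict) -> dict:
    """Extract the in-toto statement from a Rekor-style response keyed by entry UUID."""
    (entry,) = rekor_response.values()  # exactly one entry per logIndex query
    data = entry["attestation"]["data"]
    # The page's pipeline base64-decodes twice, so do the same here.
    return json.loads(base64.b64decode(base64.b64decode(data)))


def verify_provenance(statement: dict, manifest: bytes, trusted_repos: set) -> list:
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if statement.get("_type") != STATEMENT_TYPE:
        problems.append("unexpected statement type")
    if statement.get("predicateType") != PREDICATE_TYPE:
        problems.append("unexpected predicate type")
    actual = hashlib.sha256(manifest).hexdigest()
    recorded = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if actual not in recorded:
        problems.append("manifest digest not listed in subject")
    materials = statement.get("predicate", {}).get("materials", [])
    if not materials:
        problems.append("no materials recorded")
    for m in materials:
        if m.get("uri") not in trusted_repos:
            problems.append(f"untrusted material: {m.get('uri')}")
        if not m.get("digest", {}).get("commit"):
            problems.append(f"material not pinned to a commit: {m.get('uri')}")
    return problems


def build_sample(manifest: bytes, repo: str) -> dict:
    """Constructed sample response (not real log data) in the shape the jq query expects."""
    statement = {
        "_type": STATEMENT_TYPE,
        "predicateType": PREDICATE_TYPE,
        "subject": [{"name": "manifest.yaml",
                     "digest": {"sha256": hashlib.sha256(manifest).hexdigest()}}],
        "predicate": {"materials": [{"uri": repo, "digest": {"commit": "0" * 40}}]},
    }
    inner = base64.b64encode(json.dumps(statement).encode())
    return {"constructed-uuid": {"attestation": {"data": base64.b64encode(inner).decode()}}}
```

These checks cover only the content of the statement; they do not verify the Rekor inclusion proof or the signature over the attestation.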