Adding functionality for signing external modules

Author: Maxim Konovalenko

.examples/build.yml

@@ -29,4 +29,11 @@ jobs:
           svace_enabled: ${{ github.event.inputs.svace_enabled || contains(github.event.pull_request.labels.*.name, 'analyze/svace') }}
           svace_analyze_host: "${{ secrets.SVACE_ANALYZE_HOST }}"
           svace_analyze_ssh_user: "${{ secrets.SVACE_ANALYZE_SSH_USER }}"
-          svace_analyze_ssh_key: "${{ secrets.SVACE_ANALYZE_SSH_PRIVATE_KEY }}"
+          svace_analyze_ssh_key: "${{ secrets.SVACE_ANALYZE_SSH_PRIVATE_KEY }}"
+          werf_sign_cert: "${{ secrets.WERF_SIGN_CERT }}"
+          werf_sign_intermediates: "${{ secrets.WERF_SIGN_INTERMEDIATES }}"
+          werf_sign_key: "${{ secrets.WERF_SIGN_KEY }}"
+          vault_addr: "${{ secrets.VAULT_ADDR }}"
+          vault_role_id: "${{ secrets.VAULT_ROLE_ID }}"
+          vault_secret_id: "${{ secrets.VAULT_SECRET_ID }}"
+          transit_secret_engine_path: "${{ secrets.TRANSIT_SECRET_ENGINE_PATH }}"

README.md

@@ -7,13 +7,13 @@
 This repository contains GitHub Actions workflows for building and deploying modules for the Deckhouse Kubernetes Platform.
 
 ## Workflows
-| Workflow                              | Description                                                                                                           |
-|---------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
-| [**setup**](./setup/action.yml)       | Sets up the environment for building and deploying modules. This workflow **must** be run before any other workflows. |
-| [**build**](./build/action.yml)       | Builds the Deckhouse modules using the [werf](https://werf.io/) tool.                                                 |
-| [**deploy**](./deploy/action.yml)     | Deploys the Deckhouse modules to the one of selected release channels.                                                |
-| [**cve_scan**](./cve_scan/action.yml) | Trivy CVE Scan of module images. Documentation can be found [here](./.docs/cve_scan.md)                               |
-| [**svace_analyze**](./svace_analyze/action.yml) | Include svace analyze action to analyze and import builds made with svace tool  |
+| Workflow                                        | Description                                                                                                            |
+|-------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|
+| [**setup**](./setup/action.yml)                 | Sets up the environment for building and deploying modules. This workflow **must** be run before any other workflows.  |
+| [**build**](./build/action.yml)                 | Builds the Deckhouse modules using the [werf](https://werf.io/) tool.                                                  |
+| [**deploy**](./deploy/action.yml)               | Deploys the Deckhouse modules to the one of selected release channels.                                                 |
+| [**cve_scan**](./cve_scan/action.yml)           | Trivy CVE Scan of module images. Documentation can be found [here](./.docs/cve_scan.md)                                |
+| [**svace_analyze**](./svace_analyze/action.yml) | Include svace analyze action to analyze and import builds made with svace tool                                         |
 
 ## Examples
 

build/action.yml

@@ -1,3 +1,4 @@
+# Добавляем подписывание модулей
 name: 'Build Deckhouse Module'
 description: 'Build Deckhouse module'
 inputs:
@@ -10,6 +11,27 @@ inputs:
   module_tag:
     description: 'The version of the module to deploy to release channel, e.g., v1.21.1'
     required: true
+  werf_sign_cert:
+    description: "Image signing certificate (file path or Base64)"
+    requierd: true
+  werf_sign_intermediates:
+    description: "Intermediate certificates (file path or Base64)"
+    requierd: true
+  werf_sign_key:
+    description: "Private key for signing (file path or Base64)"
+    requierd: true
+  vault_addr:
+    description: "Vault URL, e.g., http://localhost:8200"
+    requierd: true
+  vault_role_id:
+    description: "Vault role ID"
+    requierd: true
+  vault_secret_id:
+    description: "Vault secret ID"
+    requierd: true
+  transit_secret_engine_path:
+    description: "Vault namespace, e.g., dh-signer-dev"
+    requierd: true
   secondary_repo:
     description: 'Secondary repository address for module, e.g., registry.example.com/module-source/module_name'
     required: false
@@ -124,6 +146,17 @@ runs:
         SVACE_ANALYZE_HOST: "${{ inputs.svace_analyze_host }}"
         SVACE_ANALYZE_SSH_USER: "${{ inputs.svace_analyze_ssh_user }}"
         SVACE_ENABLED: "${{ inputs.svace_enabled }}"
+        WERF_SIGN_CERT: "${{ inputs.werf_sign_cert }}"
+        WERF_SIGN_INTERMEDIATES: "${{ inputs.werf_sign_intermediates }}"
+        WERF_SIGN_KEY: "${{ inputs.werf_sign_key }}"
+        VAULT_ADDR: "${{ inputs.vault_addr }}"
+        VAULT_ROLE_ID: "${{ inputs.vault_role_id }}"
+        VAULT_SECRET_ID: "${{ inputs.vault_secret_id }}"
+        TRANSIT_SECRET_ENGINE_PATH: "${{ inputs.transit_secret_engine_path }}"
+        WERF_SIGN_MANIFEST: "1"
+        WERF_ANNOTATE_LAYERS_WITH_DM_VERITY_ROOT_HASH: "1"
+        WERF_SIGN_ELF_FILES: "1"
+        WERF_BSIGN_ELF_FILES: "1"
 
     - name: Cleanup ssh-agent
       if: ${{ steps.ssh_agent.outcome != 'skipped' && always() }}

cve_scan/action.yml

@@ -278,5 +278,4 @@ runs:
             send_report "License" "${module_reports}/ext_${MODULE_NAME}_${IMAGE_NAME}_report_license.json"
           done < <(jq -rc 'to_entries[]' <<< "${digests}")
         done
-        rm -r ${workdir}
-
+        rm -r ${workdir}

setup/action.yml

@@ -10,13 +10,24 @@ inputs:
   registry_password:
     description: 'Registry password'
     required: true
+  werf_version:
+    description: 'Werf version'
+    required: true
 
 runs:
   using: "composite"
   steps:
-    - uses: werf/actions/install@v2
     - uses: imjasonh/[email protected]
 
+    - name: Install werf
+      shell: bash
+      run: |
+        curl --fail -sSL -o ~/bin/werf \
+        -H "PRIVATE-TOKEN: ${{ secrets.FOX_ACCESS_TOKEN }}" \
+        "https://${{ secrets.DECKHOUSE_PRIVATE_REPO }}/api/v4/projects/4052/packages/generic/werf/${{ inputs.werf_version }}/werf"
+        chmod +x ~/bin/werf
+        export PATH=~/bin:$PATH
+
     - name: Print werf version
       shell: bash
       run: werf version