@@ -554,6 +554,38 @@ jobs:
554554 REGISTRY_USER : ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_USER }}
555555 REGISTRY_PASSWORD : ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_PASSWORD }}
556556 run : |
557+ # SIGN
558+ export WERF_SIGN_MANIFEST="1"
559+ # export WERF_SIGN_CERT="/tmp/test-ca.pem"
560+ # export WERF_SIGN_INTERMEDIATES="/tmp/test-cert.pem"
561+ export WERF_SIGN_KEY="hashivault://dh-dev-v01"
562+ export WERF_ANNOTATE_LAYERS_WITH_DM_VERITY_ROOT_HASH="1"
563+ export VAULT_ADDR="https://seguro.flant.com"
564+ export TRANSIT_SECRET_ENGINE_PATH="dev-int-signer"
565+ export WERF_VAULT_AUTH_ROLE="dh-signer-dev_dh-signer-dev"
566+ export WERF_VAULT_AUTH_PATH="github"
567+ export WERF_VAULT_AUTH_JWT=$(jq -r .value <<< $(curl -fsH "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=github-access-aud" ))
568+ if [ -n "${WERF_VAULT_AUTH_JWT}" ]; then
569+ echo "Received Actions token";
570+ else
571+ echo "Actions token empty";
572+ fi
573+ export VAULT_TOKEN="$(curl -fX POST "${VAULT_ADDR}/v1/auth/${WERF_VAULT_AUTH_PATH}/login" -d '{"role":"'${WERF_VAULT_AUTH_ROLE}'","jwt":"'${WERF_VAULT_AUTH_JWT}'"}' | jq -r '.auth.client_token')"
574+ if [ -n "${VAULT_TOKEN}" ]; then
575+ echo "Received Vault token";
576+ else
577+ echo "Vault token empty";
578+ fi
579+
580+ export WERF_SIGN_INTERMEDIATES=$(curl -f "${VAULT_ADDR}/v1/dev-int-pki/issuer/default/pem" | base64 -w0)
581+ export WERF_SIGN_CERT=$(curl -f --header "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/dev-int-pki/cert/56:61:03:74:72:94:e1:e7:7b:d9:ac:44:f1:4c:57:aa:2b:b2:8d:9d" | jq -r '.data.certificate' | base64 -w0)
582+ # export WERF_SIGN_KEY=$(curl -f --header "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/dev-int-signer/keys/dh-dev-v01" | jq -r '.data.keys."1".public_key')
583+
584+ # curl -f -o /tmp/test-key.json
585+ # jq -r '.data.certificate' < /tmp/test-cert.pem.json > /tmp/test-cert.pem
586+
587+ # openssl verify -CAfile /tmp/test-ca.pem /tmp/test-cert.pem
588+
557589 # Extract REPO_SUFFIX from repository name: trim prefix 'deckhouse/deckhouse-'.
558590 REPO_SUFFIX=${GITHUB_REPOSITORY#deckhouse/deckhouse-}
559591 if [[ $REPO_SUFFIX == $GITHUB_REPOSITORY ]] ; then
@@ -852,6 +884,38 @@ jobs:
852884 REGISTRY_USER : ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_USER }}
853885 REGISTRY_PASSWORD : ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_PASSWORD }}
854886 run : |
887+ # SIGN
888+ export WERF_SIGN_MANIFEST="1"
889+ # export WERF_SIGN_CERT="/tmp/test-ca.pem"
890+ # export WERF_SIGN_INTERMEDIATES="/tmp/test-cert.pem"
891+ export WERF_SIGN_KEY="hashivault://dh-dev-v01"
892+ export WERF_ANNOTATE_LAYERS_WITH_DM_VERITY_ROOT_HASH="1"
893+ export VAULT_ADDR="https://seguro.flant.com"
894+ export TRANSIT_SECRET_ENGINE_PATH="dev-int-signer"
895+ export WERF_VAULT_AUTH_ROLE="dh-signer-dev_dh-signer-dev"
896+ export WERF_VAULT_AUTH_PATH="github"
897+ export WERF_VAULT_AUTH_JWT=$(jq -r .value <<< $(curl -fsH "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=github-access-aud" ))
898+ if [ -n "${WERF_VAULT_AUTH_JWT}" ]; then
899+ echo "Received Actions token";
900+ else
901+ echo "Actions token empty";
902+ fi
903+ export VAULT_TOKEN="$(curl -fX POST "${VAULT_ADDR}/v1/auth/${WERF_VAULT_AUTH_PATH}/login" -d '{"role":"'${WERF_VAULT_AUTH_ROLE}'","jwt":"'${WERF_VAULT_AUTH_JWT}'"}' | jq -r '.auth.client_token')"
904+ if [ -n "${VAULT_TOKEN}" ]; then
905+ echo "Received Vault token";
906+ else
907+ echo "Vault token empty";
908+ fi
909+
910+ export WERF_SIGN_INTERMEDIATES=$(curl -f "${VAULT_ADDR}/v1/dev-int-pki/issuer/default/pem" | base64 -w0)
911+ export WERF_SIGN_CERT=$(curl -f --header "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/dev-int-pki/cert/56:61:03:74:72:94:e1:e7:7b:d9:ac:44:f1:4c:57:aa:2b:b2:8d:9d" | jq -r '.data.certificate' | base64 -w0)
912+ # export WERF_SIGN_KEY=$(curl -f --header "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/dev-int-signer/keys/dh-dev-v01" | jq -r '.data.keys."1".public_key')
913+
914+ # curl -f -o /tmp/test-key.json
915+ # jq -r '.data.certificate' < /tmp/test-cert.pem.json > /tmp/test-cert.pem
916+
917+ # openssl verify -CAfile /tmp/test-ca.pem /tmp/test-cert.pem
918+
855919 # Extract REPO_SUFFIX from repository name: trim prefix 'deckhouse/deckhouse-'.
856920 REPO_SUFFIX=${GITHUB_REPOSITORY#deckhouse/deckhouse-}
857921 if [[ $REPO_SUFFIX == $GITHUB_REPOSITORY ]] ; then
@@ -1149,6 +1213,38 @@ jobs:
11491213 REGISTRY_USER : ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_USER }}
11501214 REGISTRY_PASSWORD : ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_PASSWORD }}
11511215 run : |
1216+ # SIGN
1217+ export WERF_SIGN_MANIFEST="1"
1218+ # export WERF_SIGN_CERT="/tmp/test-ca.pem"
1219+ # export WERF_SIGN_INTERMEDIATES="/tmp/test-cert.pem"
1220+ export WERF_SIGN_KEY="hashivault://dh-dev-v01"
1221+ export WERF_ANNOTATE_LAYERS_WITH_DM_VERITY_ROOT_HASH="1"
1222+ export VAULT_ADDR="https://seguro.flant.com"
1223+ export TRANSIT_SECRET_ENGINE_PATH="dev-int-signer"
1224+ export WERF_VAULT_AUTH_ROLE="dh-signer-dev_dh-signer-dev"
1225+ export WERF_VAULT_AUTH_PATH="github"
1226+ export WERF_VAULT_AUTH_JWT=$(jq -r .value <<< $(curl -fsH "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=github-access-aud" ))
1227+ if [ -n "${WERF_VAULT_AUTH_JWT}" ]; then
1228+ echo "Received Actions token";
1229+ else
1230+ echo "Actions token empty";
1231+ fi
1232+ export VAULT_TOKEN="$(curl -fX POST "${VAULT_ADDR}/v1/auth/${WERF_VAULT_AUTH_PATH}/login" -d '{"role":"'${WERF_VAULT_AUTH_ROLE}'","jwt":"'${WERF_VAULT_AUTH_JWT}'"}' | jq -r '.auth.client_token')"
1233+ if [ -n "${VAULT_TOKEN}" ]; then
1234+ echo "Received Vault token";
1235+ else
1236+ echo "Vault token empty";
1237+ fi
1238+
1239+ export WERF_SIGN_INTERMEDIATES=$(curl -f "${VAULT_ADDR}/v1/dev-int-pki/issuer/default/pem" | base64 -w0)
1240+ export WERF_SIGN_CERT=$(curl -f --header "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/dev-int-pki/cert/56:61:03:74:72:94:e1:e7:7b:d9:ac:44:f1:4c:57:aa:2b:b2:8d:9d" | jq -r '.data.certificate' | base64 -w0)
1241+ # export WERF_SIGN_KEY=$(curl -f --header "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/dev-int-signer/keys/dh-dev-v01" | jq -r '.data.keys."1".public_key')
1242+
1243+ # curl -f -o /tmp/test-key.json
1244+ # jq -r '.data.certificate' < /tmp/test-cert.pem.json > /tmp/test-cert.pem
1245+
1246+ # openssl verify -CAfile /tmp/test-ca.pem /tmp/test-cert.pem
1247+
11521248 # Extract REPO_SUFFIX from repository name: trim prefix 'deckhouse/deckhouse-'.
11531249 REPO_SUFFIX=${GITHUB_REPOSITORY#deckhouse/deckhouse-}
11541250 if [[ $REPO_SUFFIX == $GITHUB_REPOSITORY ]] ; then
@@ -1446,6 +1542,38 @@ jobs:
14461542 REGISTRY_USER : ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_USER }}
14471543 REGISTRY_PASSWORD : ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_PASSWORD }}
14481544 run : |
1545+ # SIGN
1546+ export WERF_SIGN_MANIFEST="1"
1547+ # export WERF_SIGN_CERT="/tmp/test-ca.pem"
1548+ # export WERF_SIGN_INTERMEDIATES="/tmp/test-cert.pem"
1549+ export WERF_SIGN_KEY="hashivault://dh-dev-v01"
1550+ export WERF_ANNOTATE_LAYERS_WITH_DM_VERITY_ROOT_HASH="1"
1551+ export VAULT_ADDR="https://seguro.flant.com"
1552+ export TRANSIT_SECRET_ENGINE_PATH="dev-int-signer"
1553+ export WERF_VAULT_AUTH_ROLE="dh-signer-dev_dh-signer-dev"
1554+ export WERF_VAULT_AUTH_PATH="github"
1555+ export WERF_VAULT_AUTH_JWT=$(jq -r .value <<< $(curl -fsH "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=github-access-aud" ))
1556+ if [ -n "${WERF_VAULT_AUTH_JWT}" ]; then
1557+ echo "Received Actions token";
1558+ else
1559+ echo "Actions token empty";
1560+ fi
1561+ export VAULT_TOKEN="$(curl -fX POST "${VAULT_ADDR}/v1/auth/${WERF_VAULT_AUTH_PATH}/login" -d '{"role":"'${WERF_VAULT_AUTH_ROLE}'","jwt":"'${WERF_VAULT_AUTH_JWT}'"}' | jq -r '.auth.client_token')"
1562+ if [ -n "${VAULT_TOKEN}" ]; then
1563+ echo "Received Vault token";
1564+ else
1565+ echo "Vault token empty";
1566+ fi
1567+
1568+ export WERF_SIGN_INTERMEDIATES=$(curl -f "${VAULT_ADDR}/v1/dev-int-pki/issuer/default/pem" | base64 -w0)
1569+ export WERF_SIGN_CERT=$(curl -f --header "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/dev-int-pki/cert/56:61:03:74:72:94:e1:e7:7b:d9:ac:44:f1:4c:57:aa:2b:b2:8d:9d" | jq -r '.data.certificate' | base64 -w0)
1570+ # export WERF_SIGN_KEY=$(curl -f --header "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/dev-int-signer/keys/dh-dev-v01" | jq -r '.data.keys."1".public_key')
1571+
1572+ # curl -f -o /tmp/test-key.json
1573+ # jq -r '.data.certificate' < /tmp/test-cert.pem.json > /tmp/test-cert.pem
1574+
1575+ # openssl verify -CAfile /tmp/test-ca.pem /tmp/test-cert.pem
1576+
14491577 # Extract REPO_SUFFIX from repository name: trim prefix 'deckhouse/deckhouse-'.
14501578 REPO_SUFFIX=${GITHUB_REPOSITORY#deckhouse/deckhouse-}
14511579 if [[ $REPO_SUFFIX == $GITHUB_REPOSITORY ]] ; then
@@ -1743,6 +1871,38 @@ jobs:
17431871 REGISTRY_USER : ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_USER }}
17441872 REGISTRY_PASSWORD : ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_PASSWORD }}
17451873 run : |
1874+ # SIGN
1875+ export WERF_SIGN_MANIFEST="1"
1876+ # export WERF_SIGN_CERT="/tmp/test-ca.pem"
1877+ # export WERF_SIGN_INTERMEDIATES="/tmp/test-cert.pem"
1878+ export WERF_SIGN_KEY="hashivault://dh-dev-v01"
1879+ export WERF_ANNOTATE_LAYERS_WITH_DM_VERITY_ROOT_HASH="1"
1880+ export VAULT_ADDR="https://seguro.flant.com"
1881+ export TRANSIT_SECRET_ENGINE_PATH="dev-int-signer"
1882+ export WERF_VAULT_AUTH_ROLE="dh-signer-dev_dh-signer-dev"
1883+ export WERF_VAULT_AUTH_PATH="github"
1884+ export WERF_VAULT_AUTH_JWT=$(jq -r .value <<< $(curl -fsH "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=github-access-aud" ))
1885+ if [ -n "${WERF_VAULT_AUTH_JWT}" ]; then
1886+ echo "Received Actions token";
1887+ else
1888+ echo "Actions token empty";
1889+ fi
1890+ export VAULT_TOKEN="$(curl -fX POST "${VAULT_ADDR}/v1/auth/${WERF_VAULT_AUTH_PATH}/login" -d '{"role":"'${WERF_VAULT_AUTH_ROLE}'","jwt":"'${WERF_VAULT_AUTH_JWT}'"}' | jq -r '.auth.client_token')"
1891+ if [ -n "${VAULT_TOKEN}" ]; then
1892+ echo "Received Vault token";
1893+ else
1894+ echo "Vault token empty";
1895+ fi
1896+
1897+ export WERF_SIGN_INTERMEDIATES=$(curl -f "${VAULT_ADDR}/v1/dev-int-pki/issuer/default/pem" | base64 -w0)
1898+ export WERF_SIGN_CERT=$(curl -f --header "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/dev-int-pki/cert/56:61:03:74:72:94:e1:e7:7b:d9:ac:44:f1:4c:57:aa:2b:b2:8d:9d" | jq -r '.data.certificate' | base64 -w0)
1899+ # export WERF_SIGN_KEY=$(curl -f --header "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/dev-int-signer/keys/dh-dev-v01" | jq -r '.data.keys."1".public_key')
1900+
1901+ # curl -f -o /tmp/test-key.json
1902+ # jq -r '.data.certificate' < /tmp/test-cert.pem.json > /tmp/test-cert.pem
1903+
1904+ # openssl verify -CAfile /tmp/test-ca.pem /tmp/test-cert.pem
1905+
17461906 # Extract REPO_SUFFIX from repository name: trim prefix 'deckhouse/deckhouse-'.
17471907 REPO_SUFFIX=${GITHUB_REPOSITORY#deckhouse/deckhouse-}
17481908 if [[ $REPO_SUFFIX == $GITHUB_REPOSITORY ]] ; then
@@ -2040,6 +2200,38 @@ jobs:
20402200 REGISTRY_USER : ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_USER }}
20412201 REGISTRY_PASSWORD : ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_PASSWORD }}
20422202 run : |
2203+ # SIGN
2204+ export WERF_SIGN_MANIFEST="1"
2205+ # export WERF_SIGN_CERT="/tmp/test-ca.pem"
2206+ # export WERF_SIGN_INTERMEDIATES="/tmp/test-cert.pem"
2207+ export WERF_SIGN_KEY="hashivault://dh-dev-v01"
2208+ export WERF_ANNOTATE_LAYERS_WITH_DM_VERITY_ROOT_HASH="1"
2209+ export VAULT_ADDR="https://seguro.flant.com"
2210+ export TRANSIT_SECRET_ENGINE_PATH="dev-int-signer"
2211+ export WERF_VAULT_AUTH_ROLE="dh-signer-dev_dh-signer-dev"
2212+ export WERF_VAULT_AUTH_PATH="github"
2213+ export WERF_VAULT_AUTH_JWT=$(jq -r .value <<< $(curl -fsH "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=github-access-aud" ))
2214+ if [ -n "${WERF_VAULT_AUTH_JWT}" ]; then
2215+ echo "Received Actions token";
2216+ else
2217+ echo "Actions token empty";
2218+ fi
2219+ export VAULT_TOKEN="$(curl -fX POST "${VAULT_ADDR}/v1/auth/${WERF_VAULT_AUTH_PATH}/login" -d '{"role":"'${WERF_VAULT_AUTH_ROLE}'","jwt":"'${WERF_VAULT_AUTH_JWT}'"}' | jq -r '.auth.client_token')"
2220+ if [ -n "${VAULT_TOKEN}" ]; then
2221+ echo "Received Vault token";
2222+ else
2223+ echo "Vault token empty";
2224+ fi
2225+
2226+ export WERF_SIGN_INTERMEDIATES=$(curl -f "${VAULT_ADDR}/v1/dev-int-pki/issuer/default/pem" | base64 -w0)
2227+ export WERF_SIGN_CERT=$(curl -f --header "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/dev-int-pki/cert/56:61:03:74:72:94:e1:e7:7b:d9:ac:44:f1:4c:57:aa:2b:b2:8d:9d" | jq -r '.data.certificate' | base64 -w0)
2228+ # export WERF_SIGN_KEY=$(curl -f --header "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/dev-int-signer/keys/dh-dev-v01" | jq -r '.data.keys."1".public_key')
2229+
2230+ # curl -f -o /tmp/test-key.json
2231+ # jq -r '.data.certificate' < /tmp/test-cert.pem.json > /tmp/test-cert.pem
2232+
2233+ # openssl verify -CAfile /tmp/test-ca.pem /tmp/test-cert.pem
2234+
20432235 # Extract REPO_SUFFIX from repository name: trim prefix 'deckhouse/deckhouse-'.
20442236 REPO_SUFFIX=${GITHUB_REPOSITORY#deckhouse/deckhouse-}
20452237 if [[ $REPO_SUFFIX == $GITHUB_REPOSITORY ]] ; then
@@ -2337,6 +2529,38 @@ jobs:
23372529 REGISTRY_USER : ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_USER }}
23382530 REGISTRY_PASSWORD : ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_PASSWORD }}
23392531 run : |
2532+ # SIGN
2533+ export WERF_SIGN_MANIFEST="1"
2534+ # export WERF_SIGN_CERT="/tmp/test-ca.pem"
2535+ # export WERF_SIGN_INTERMEDIATES="/tmp/test-cert.pem"
2536+ export WERF_SIGN_KEY="hashivault://dh-dev-v01"
2537+ export WERF_ANNOTATE_LAYERS_WITH_DM_VERITY_ROOT_HASH="1"
2538+ export VAULT_ADDR="https://seguro.flant.com"
2539+ export TRANSIT_SECRET_ENGINE_PATH="dev-int-signer"
2540+ export WERF_VAULT_AUTH_ROLE="dh-signer-dev_dh-signer-dev"
2541+ export WERF_VAULT_AUTH_PATH="github"
2542+ export WERF_VAULT_AUTH_JWT=$(jq -r .value <<< $(curl -fsH "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=github-access-aud" ))
2543+ if [ -n "${WERF_VAULT_AUTH_JWT}" ]; then
2544+ echo "Received Actions token";
2545+ else
2546+ echo "Actions token empty";
2547+ fi
2548+ export VAULT_TOKEN="$(curl -fX POST "${VAULT_ADDR}/v1/auth/${WERF_VAULT_AUTH_PATH}/login" -d '{"role":"'${WERF_VAULT_AUTH_ROLE}'","jwt":"'${WERF_VAULT_AUTH_JWT}'"}' | jq -r '.auth.client_token')"
2549+ if [ -n "${VAULT_TOKEN}" ]; then
2550+ echo "Received Vault token";
2551+ else
2552+ echo "Vault token empty";
2553+ fi
2554+
2555+ export WERF_SIGN_INTERMEDIATES=$(curl -f "${VAULT_ADDR}/v1/dev-int-pki/issuer/default/pem" | base64 -w0)
2556+ export WERF_SIGN_CERT=$(curl -f --header "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/dev-int-pki/cert/56:61:03:74:72:94:e1:e7:7b:d9:ac:44:f1:4c:57:aa:2b:b2:8d:9d" | jq -r '.data.certificate' | base64 -w0)
2557+ # export WERF_SIGN_KEY=$(curl -f --header "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/dev-int-signer/keys/dh-dev-v01" | jq -r '.data.keys."1".public_key')
2558+
2559+ # curl -f -o /tmp/test-key.json
2560+ # jq -r '.data.certificate' < /tmp/test-cert.pem.json > /tmp/test-cert.pem
2561+
2562+ # openssl verify -CAfile /tmp/test-ca.pem /tmp/test-cert.pem
2563+
23402564 # Extract REPO_SUFFIX from repository name: trim prefix 'deckhouse/deckhouse-'.
23412565 REPO_SUFFIX=${GITHUB_REPOSITORY#deckhouse/deckhouse-}
23422566 if [[ $REPO_SUFFIX == $GITHUB_REPOSITORY ]] ; then
0 commit comments