Skip to content

Commit 0b9edcd

Browse files
committed
wip
Signed-off-by: Vladimir Portnov <vladimir.portnov@flant.com>
1 parent 833ab8f commit 0b9edcd

7 files changed

Lines changed: 737 additions & 0 deletions

File tree

.github/ci_templates/build.yml

Lines changed: 32 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -131,6 +131,38 @@ steps:
131131
REGISTRY_PASSWORD: ${{ steps.secrets.outputs.DECKHOUSE_REGISTRY_STAGE_PASSWORD }}
132132
{!{- end }!}
133133
run: |
134+
# SIGN
135+
export WERF_SIGN_MANIFEST="1"
136+
# export WERF_SIGN_CERT="/tmp/test-ca.pem"
137+
# export WERF_SIGN_INTERMEDIATES="/tmp/test-cert.pem"
138+
export WERF_SIGN_KEY="hashivault://dh-dev-v01"
139+
export WERF_ANNOTATE_LAYERS_WITH_DM_VERITY_ROOT_HASH="1"
140+
export VAULT_ADDR="https://seguro.flant.com"
141+
export TRANSIT_SECRET_ENGINE_PATH="dev-int-signer"
142+
export WERF_VAULT_AUTH_ROLE="dh-signer-dev_dh-signer-dev"
143+
export WERF_VAULT_AUTH_PATH="github"
144+
export WERF_VAULT_AUTH_JWT=$(jq -r .value <<< $(curl -fsH "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=github-access-aud" ))
145+
if [ -n "${WERF_VAULT_AUTH_JWT}" ]; then
146+
echo "Received Actions token";
147+
else
148+
echo "Actions token empty";
149+
fi
150+
export VAULT_TOKEN="$(curl -fX POST "${VAULT_ADDR}/v1/auth/${WERF_VAULT_AUTH_PATH}/login" -d '{"role":"'${WERF_VAULT_AUTH_ROLE}'","jwt":"'${WERF_VAULT_AUTH_JWT}'"}' | jq -r '.auth.client_token')"
151+
if [ -n "${VAULT_TOKEN}" ]; then
152+
echo "Received Vault token";
153+
else
154+
echo "Vault token empty";
155+
fi
156+
157+
export WERF_SIGN_INTERMEDIATES=$(curl -f "${VAULT_ADDR}/v1/dev-int-pki/issuer/default/pem" | base64 -w0)
158+
export WERF_SIGN_CERT=$(curl -f --header "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/dev-int-pki/cert/56:61:03:74:72:94:e1:e7:7b:d9:ac:44:f1:4c:57:aa:2b:b2:8d:9d" | jq -r '.data.certificate' | base64 -w0)
159+
# export WERF_SIGN_KEY=$(curl -f --header "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/dev-int-signer/keys/dh-dev-v01" | jq -r '.data.keys."1".public_key')
160+
161+
# curl -f -o /tmp/test-key.json
162+
# jq -r '.data.certificate' < /tmp/test-cert.pem.json > /tmp/test-cert.pem
163+
164+
# openssl verify -CAfile /tmp/test-ca.pem /tmp/test-cert.pem
165+
134166
# Extract REPO_SUFFIX from repository name: trim prefix 'deckhouse/deckhouse-'.
135167
REPO_SUFFIX=${GITHUB_REPOSITORY#deckhouse/deckhouse-}
136168
if [[ $REPO_SUFFIX == $GITHUB_REPOSITORY ]] ; then

.github/workflows/build-and-test_dev.yml

Lines changed: 224 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -554,6 +554,38 @@ jobs:
554554
REGISTRY_USER: ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_USER }}
555555
REGISTRY_PASSWORD: ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_PASSWORD }}
556556
run: |
557+
# SIGN
558+
export WERF_SIGN_MANIFEST="1"
559+
# export WERF_SIGN_CERT="/tmp/test-ca.pem"
560+
# export WERF_SIGN_INTERMEDIATES="/tmp/test-cert.pem"
561+
export WERF_SIGN_KEY="hashivault://dh-dev-v01"
562+
export WERF_ANNOTATE_LAYERS_WITH_DM_VERITY_ROOT_HASH="1"
563+
export VAULT_ADDR="https://seguro.flant.com"
564+
export TRANSIT_SECRET_ENGINE_PATH="dev-int-signer"
565+
export WERF_VAULT_AUTH_ROLE="dh-signer-dev_dh-signer-dev"
566+
export WERF_VAULT_AUTH_PATH="github"
567+
export WERF_VAULT_AUTH_JWT=$(jq -r .value <<< $(curl -fsH "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=github-access-aud" ))
568+
if [ -n "${WERF_VAULT_AUTH_JWT}" ]; then
569+
echo "Received Actions token";
570+
else
571+
echo "Actions token empty";
572+
fi
573+
export VAULT_TOKEN="$(curl -fX POST "${VAULT_ADDR}/v1/auth/${WERF_VAULT_AUTH_PATH}/login" -d '{"role":"'${WERF_VAULT_AUTH_ROLE}'","jwt":"'${WERF_VAULT_AUTH_JWT}'"}' | jq -r '.auth.client_token')"
574+
if [ -n "${VAULT_TOKEN}" ]; then
575+
echo "Received Vault token";
576+
else
577+
echo "Vault token empty";
578+
fi
579+
580+
export WERF_SIGN_INTERMEDIATES=$(curl -f "${VAULT_ADDR}/v1/dev-int-pki/issuer/default/pem" | base64 -w0)
581+
export WERF_SIGN_CERT=$(curl -f --header "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/dev-int-pki/cert/56:61:03:74:72:94:e1:e7:7b:d9:ac:44:f1:4c:57:aa:2b:b2:8d:9d" | jq -r '.data.certificate' | base64 -w0)
582+
# export WERF_SIGN_KEY=$(curl -f --header "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/dev-int-signer/keys/dh-dev-v01" | jq -r '.data.keys."1".public_key')
583+
584+
# curl -f -o /tmp/test-key.json
585+
# jq -r '.data.certificate' < /tmp/test-cert.pem.json > /tmp/test-cert.pem
586+
587+
# openssl verify -CAfile /tmp/test-ca.pem /tmp/test-cert.pem
588+
557589
# Extract REPO_SUFFIX from repository name: trim prefix 'deckhouse/deckhouse-'.
558590
REPO_SUFFIX=${GITHUB_REPOSITORY#deckhouse/deckhouse-}
559591
if [[ $REPO_SUFFIX == $GITHUB_REPOSITORY ]] ; then
@@ -852,6 +884,38 @@ jobs:
852884
REGISTRY_USER: ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_USER }}
853885
REGISTRY_PASSWORD: ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_PASSWORD }}
854886
run: |
887+
# SIGN
888+
export WERF_SIGN_MANIFEST="1"
889+
# export WERF_SIGN_CERT="/tmp/test-ca.pem"
890+
# export WERF_SIGN_INTERMEDIATES="/tmp/test-cert.pem"
891+
export WERF_SIGN_KEY="hashivault://dh-dev-v01"
892+
export WERF_ANNOTATE_LAYERS_WITH_DM_VERITY_ROOT_HASH="1"
893+
export VAULT_ADDR="https://seguro.flant.com"
894+
export TRANSIT_SECRET_ENGINE_PATH="dev-int-signer"
895+
export WERF_VAULT_AUTH_ROLE="dh-signer-dev_dh-signer-dev"
896+
export WERF_VAULT_AUTH_PATH="github"
897+
export WERF_VAULT_AUTH_JWT=$(jq -r .value <<< $(curl -fsH "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=github-access-aud" ))
898+
if [ -n "${WERF_VAULT_AUTH_JWT}" ]; then
899+
echo "Received Actions token";
900+
else
901+
echo "Actions token empty";
902+
fi
903+
export VAULT_TOKEN="$(curl -fX POST "${VAULT_ADDR}/v1/auth/${WERF_VAULT_AUTH_PATH}/login" -d '{"role":"'${WERF_VAULT_AUTH_ROLE}'","jwt":"'${WERF_VAULT_AUTH_JWT}'"}' | jq -r '.auth.client_token')"
904+
if [ -n "${VAULT_TOKEN}" ]; then
905+
echo "Received Vault token";
906+
else
907+
echo "Vault token empty";
908+
fi
909+
910+
export WERF_SIGN_INTERMEDIATES=$(curl -f "${VAULT_ADDR}/v1/dev-int-pki/issuer/default/pem" | base64 -w0)
911+
export WERF_SIGN_CERT=$(curl -f --header "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/dev-int-pki/cert/56:61:03:74:72:94:e1:e7:7b:d9:ac:44:f1:4c:57:aa:2b:b2:8d:9d" | jq -r '.data.certificate' | base64 -w0)
912+
# export WERF_SIGN_KEY=$(curl -f --header "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/dev-int-signer/keys/dh-dev-v01" | jq -r '.data.keys."1".public_key')
913+
914+
# curl -f -o /tmp/test-key.json
915+
# jq -r '.data.certificate' < /tmp/test-cert.pem.json > /tmp/test-cert.pem
916+
917+
# openssl verify -CAfile /tmp/test-ca.pem /tmp/test-cert.pem
918+
855919
# Extract REPO_SUFFIX from repository name: trim prefix 'deckhouse/deckhouse-'.
856920
REPO_SUFFIX=${GITHUB_REPOSITORY#deckhouse/deckhouse-}
857921
if [[ $REPO_SUFFIX == $GITHUB_REPOSITORY ]] ; then
@@ -1149,6 +1213,38 @@ jobs:
11491213
REGISTRY_USER: ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_USER }}
11501214
REGISTRY_PASSWORD: ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_PASSWORD }}
11511215
run: |
1216+
# SIGN
1217+
export WERF_SIGN_MANIFEST="1"
1218+
# export WERF_SIGN_CERT="/tmp/test-ca.pem"
1219+
# export WERF_SIGN_INTERMEDIATES="/tmp/test-cert.pem"
1220+
export WERF_SIGN_KEY="hashivault://dh-dev-v01"
1221+
export WERF_ANNOTATE_LAYERS_WITH_DM_VERITY_ROOT_HASH="1"
1222+
export VAULT_ADDR="https://seguro.flant.com"
1223+
export TRANSIT_SECRET_ENGINE_PATH="dev-int-signer"
1224+
export WERF_VAULT_AUTH_ROLE="dh-signer-dev_dh-signer-dev"
1225+
export WERF_VAULT_AUTH_PATH="github"
1226+
export WERF_VAULT_AUTH_JWT=$(jq -r .value <<< $(curl -fsH "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=github-access-aud" ))
1227+
if [ -n "${WERF_VAULT_AUTH_JWT}" ]; then
1228+
echo "Received Actions token";
1229+
else
1230+
echo "Actions token empty";
1231+
fi
1232+
export VAULT_TOKEN="$(curl -fX POST "${VAULT_ADDR}/v1/auth/${WERF_VAULT_AUTH_PATH}/login" -d '{"role":"'${WERF_VAULT_AUTH_ROLE}'","jwt":"'${WERF_VAULT_AUTH_JWT}'"}' | jq -r '.auth.client_token')"
1233+
if [ -n "${VAULT_TOKEN}" ]; then
1234+
echo "Received Vault token";
1235+
else
1236+
echo "Vault token empty";
1237+
fi
1238+
1239+
export WERF_SIGN_INTERMEDIATES=$(curl -f "${VAULT_ADDR}/v1/dev-int-pki/issuer/default/pem" | base64 -w0)
1240+
export WERF_SIGN_CERT=$(curl -f --header "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/dev-int-pki/cert/56:61:03:74:72:94:e1:e7:7b:d9:ac:44:f1:4c:57:aa:2b:b2:8d:9d" | jq -r '.data.certificate' | base64 -w0)
1241+
# export WERF_SIGN_KEY=$(curl -f --header "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/dev-int-signer/keys/dh-dev-v01" | jq -r '.data.keys."1".public_key')
1242+
1243+
# curl -f -o /tmp/test-key.json
1244+
# jq -r '.data.certificate' < /tmp/test-cert.pem.json > /tmp/test-cert.pem
1245+
1246+
# openssl verify -CAfile /tmp/test-ca.pem /tmp/test-cert.pem
1247+
11521248
# Extract REPO_SUFFIX from repository name: trim prefix 'deckhouse/deckhouse-'.
11531249
REPO_SUFFIX=${GITHUB_REPOSITORY#deckhouse/deckhouse-}
11541250
if [[ $REPO_SUFFIX == $GITHUB_REPOSITORY ]] ; then
@@ -1446,6 +1542,38 @@ jobs:
14461542
REGISTRY_USER: ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_USER }}
14471543
REGISTRY_PASSWORD: ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_PASSWORD }}
14481544
run: |
1545+
# SIGN
1546+
export WERF_SIGN_MANIFEST="1"
1547+
# export WERF_SIGN_CERT="/tmp/test-ca.pem"
1548+
# export WERF_SIGN_INTERMEDIATES="/tmp/test-cert.pem"
1549+
export WERF_SIGN_KEY="hashivault://dh-dev-v01"
1550+
export WERF_ANNOTATE_LAYERS_WITH_DM_VERITY_ROOT_HASH="1"
1551+
export VAULT_ADDR="https://seguro.flant.com"
1552+
export TRANSIT_SECRET_ENGINE_PATH="dev-int-signer"
1553+
export WERF_VAULT_AUTH_ROLE="dh-signer-dev_dh-signer-dev"
1554+
export WERF_VAULT_AUTH_PATH="github"
1555+
export WERF_VAULT_AUTH_JWT=$(jq -r .value <<< $(curl -fsH "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=github-access-aud" ))
1556+
if [ -n "${WERF_VAULT_AUTH_JWT}" ]; then
1557+
echo "Received Actions token";
1558+
else
1559+
echo "Actions token empty";
1560+
fi
1561+
export VAULT_TOKEN="$(curl -fX POST "${VAULT_ADDR}/v1/auth/${WERF_VAULT_AUTH_PATH}/login" -d '{"role":"'${WERF_VAULT_AUTH_ROLE}'","jwt":"'${WERF_VAULT_AUTH_JWT}'"}' | jq -r '.auth.client_token')"
1562+
if [ -n "${VAULT_TOKEN}" ]; then
1563+
echo "Received Vault token";
1564+
else
1565+
echo "Vault token empty";
1566+
fi
1567+
1568+
export WERF_SIGN_INTERMEDIATES=$(curl -f "${VAULT_ADDR}/v1/dev-int-pki/issuer/default/pem" | base64 -w0)
1569+
export WERF_SIGN_CERT=$(curl -f --header "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/dev-int-pki/cert/56:61:03:74:72:94:e1:e7:7b:d9:ac:44:f1:4c:57:aa:2b:b2:8d:9d" | jq -r '.data.certificate' | base64 -w0)
1570+
# export WERF_SIGN_KEY=$(curl -f --header "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/dev-int-signer/keys/dh-dev-v01" | jq -r '.data.keys."1".public_key')
1571+
1572+
# curl -f -o /tmp/test-key.json
1573+
# jq -r '.data.certificate' < /tmp/test-cert.pem.json > /tmp/test-cert.pem
1574+
1575+
# openssl verify -CAfile /tmp/test-ca.pem /tmp/test-cert.pem
1576+
14491577
# Extract REPO_SUFFIX from repository name: trim prefix 'deckhouse/deckhouse-'.
14501578
REPO_SUFFIX=${GITHUB_REPOSITORY#deckhouse/deckhouse-}
14511579
if [[ $REPO_SUFFIX == $GITHUB_REPOSITORY ]] ; then
@@ -1743,6 +1871,38 @@ jobs:
17431871
REGISTRY_USER: ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_USER }}
17441872
REGISTRY_PASSWORD: ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_PASSWORD }}
17451873
run: |
1874+
# SIGN
1875+
export WERF_SIGN_MANIFEST="1"
1876+
# export WERF_SIGN_CERT="/tmp/test-ca.pem"
1877+
# export WERF_SIGN_INTERMEDIATES="/tmp/test-cert.pem"
1878+
export WERF_SIGN_KEY="hashivault://dh-dev-v01"
1879+
export WERF_ANNOTATE_LAYERS_WITH_DM_VERITY_ROOT_HASH="1"
1880+
export VAULT_ADDR="https://seguro.flant.com"
1881+
export TRANSIT_SECRET_ENGINE_PATH="dev-int-signer"
1882+
export WERF_VAULT_AUTH_ROLE="dh-signer-dev_dh-signer-dev"
1883+
export WERF_VAULT_AUTH_PATH="github"
1884+
export WERF_VAULT_AUTH_JWT=$(jq -r .value <<< $(curl -fsH "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=github-access-aud" ))
1885+
if [ -n "${WERF_VAULT_AUTH_JWT}" ]; then
1886+
echo "Received Actions token";
1887+
else
1888+
echo "Actions token empty";
1889+
fi
1890+
export VAULT_TOKEN="$(curl -fX POST "${VAULT_ADDR}/v1/auth/${WERF_VAULT_AUTH_PATH}/login" -d '{"role":"'${WERF_VAULT_AUTH_ROLE}'","jwt":"'${WERF_VAULT_AUTH_JWT}'"}' | jq -r '.auth.client_token')"
1891+
if [ -n "${VAULT_TOKEN}" ]; then
1892+
echo "Received Vault token";
1893+
else
1894+
echo "Vault token empty";
1895+
fi
1896+
1897+
export WERF_SIGN_INTERMEDIATES=$(curl -f "${VAULT_ADDR}/v1/dev-int-pki/issuer/default/pem" | base64 -w0)
1898+
export WERF_SIGN_CERT=$(curl -f --header "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/dev-int-pki/cert/56:61:03:74:72:94:e1:e7:7b:d9:ac:44:f1:4c:57:aa:2b:b2:8d:9d" | jq -r '.data.certificate' | base64 -w0)
1899+
# export WERF_SIGN_KEY=$(curl -f --header "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/dev-int-signer/keys/dh-dev-v01" | jq -r '.data.keys."1".public_key')
1900+
1901+
# curl -f -o /tmp/test-key.json
1902+
# jq -r '.data.certificate' < /tmp/test-cert.pem.json > /tmp/test-cert.pem
1903+
1904+
# openssl verify -CAfile /tmp/test-ca.pem /tmp/test-cert.pem
1905+
17461906
# Extract REPO_SUFFIX from repository name: trim prefix 'deckhouse/deckhouse-'.
17471907
REPO_SUFFIX=${GITHUB_REPOSITORY#deckhouse/deckhouse-}
17481908
if [[ $REPO_SUFFIX == $GITHUB_REPOSITORY ]] ; then
@@ -2040,6 +2200,38 @@ jobs:
20402200
REGISTRY_USER: ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_USER }}
20412201
REGISTRY_PASSWORD: ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_PASSWORD }}
20422202
run: |
2203+
# SIGN
2204+
export WERF_SIGN_MANIFEST="1"
2205+
# export WERF_SIGN_CERT="/tmp/test-ca.pem"
2206+
# export WERF_SIGN_INTERMEDIATES="/tmp/test-cert.pem"
2207+
export WERF_SIGN_KEY="hashivault://dh-dev-v01"
2208+
export WERF_ANNOTATE_LAYERS_WITH_DM_VERITY_ROOT_HASH="1"
2209+
export VAULT_ADDR="https://seguro.flant.com"
2210+
export TRANSIT_SECRET_ENGINE_PATH="dev-int-signer"
2211+
export WERF_VAULT_AUTH_ROLE="dh-signer-dev_dh-signer-dev"
2212+
export WERF_VAULT_AUTH_PATH="github"
2213+
export WERF_VAULT_AUTH_JWT=$(jq -r .value <<< $(curl -fsH "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=github-access-aud" ))
2214+
if [ -n "${WERF_VAULT_AUTH_JWT}" ]; then
2215+
echo "Received Actions token";
2216+
else
2217+
echo "Actions token empty";
2218+
fi
2219+
export VAULT_TOKEN="$(curl -fX POST "${VAULT_ADDR}/v1/auth/${WERF_VAULT_AUTH_PATH}/login" -d '{"role":"'${WERF_VAULT_AUTH_ROLE}'","jwt":"'${WERF_VAULT_AUTH_JWT}'"}' | jq -r '.auth.client_token')"
2220+
if [ -n "${VAULT_TOKEN}" ]; then
2221+
echo "Received Vault token";
2222+
else
2223+
echo "Vault token empty";
2224+
fi
2225+
2226+
export WERF_SIGN_INTERMEDIATES=$(curl -f "${VAULT_ADDR}/v1/dev-int-pki/issuer/default/pem" | base64 -w0)
2227+
export WERF_SIGN_CERT=$(curl -f --header "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/dev-int-pki/cert/56:61:03:74:72:94:e1:e7:7b:d9:ac:44:f1:4c:57:aa:2b:b2:8d:9d" | jq -r '.data.certificate' | base64 -w0)
2228+
# export WERF_SIGN_KEY=$(curl -f --header "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/dev-int-signer/keys/dh-dev-v01" | jq -r '.data.keys."1".public_key')
2229+
2230+
# curl -f -o /tmp/test-key.json
2231+
# jq -r '.data.certificate' < /tmp/test-cert.pem.json > /tmp/test-cert.pem
2232+
2233+
# openssl verify -CAfile /tmp/test-ca.pem /tmp/test-cert.pem
2234+
20432235
# Extract REPO_SUFFIX from repository name: trim prefix 'deckhouse/deckhouse-'.
20442236
REPO_SUFFIX=${GITHUB_REPOSITORY#deckhouse/deckhouse-}
20452237
if [[ $REPO_SUFFIX == $GITHUB_REPOSITORY ]] ; then
@@ -2337,6 +2529,38 @@ jobs:
23372529
REGISTRY_USER: ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_USER }}
23382530
REGISTRY_PASSWORD: ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_PASSWORD }}
23392531
run: |
2532+
# SIGN
2533+
export WERF_SIGN_MANIFEST="1"
2534+
# export WERF_SIGN_CERT="/tmp/test-ca.pem"
2535+
# export WERF_SIGN_INTERMEDIATES="/tmp/test-cert.pem"
2536+
export WERF_SIGN_KEY="hashivault://dh-dev-v01"
2537+
export WERF_ANNOTATE_LAYERS_WITH_DM_VERITY_ROOT_HASH="1"
2538+
export VAULT_ADDR="https://seguro.flant.com"
2539+
export TRANSIT_SECRET_ENGINE_PATH="dev-int-signer"
2540+
export WERF_VAULT_AUTH_ROLE="dh-signer-dev_dh-signer-dev"
2541+
export WERF_VAULT_AUTH_PATH="github"
2542+
export WERF_VAULT_AUTH_JWT=$(jq -r .value <<< $(curl -fsH "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=github-access-aud" ))
2543+
if [ -n "${WERF_VAULT_AUTH_JWT}" ]; then
2544+
echo "Received Actions token";
2545+
else
2546+
echo "Actions token empty";
2547+
fi
2548+
export VAULT_TOKEN="$(curl -fX POST "${VAULT_ADDR}/v1/auth/${WERF_VAULT_AUTH_PATH}/login" -d '{"role":"'${WERF_VAULT_AUTH_ROLE}'","jwt":"'${WERF_VAULT_AUTH_JWT}'"}' | jq -r '.auth.client_token')"
2549+
if [ -n "${VAULT_TOKEN}" ]; then
2550+
echo "Received Vault token";
2551+
else
2552+
echo "Vault token empty";
2553+
fi
2554+
2555+
export WERF_SIGN_INTERMEDIATES=$(curl -f "${VAULT_ADDR}/v1/dev-int-pki/issuer/default/pem" | base64 -w0)
2556+
export WERF_SIGN_CERT=$(curl -f --header "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/dev-int-pki/cert/56:61:03:74:72:94:e1:e7:7b:d9:ac:44:f1:4c:57:aa:2b:b2:8d:9d" | jq -r '.data.certificate' | base64 -w0)
2557+
# export WERF_SIGN_KEY=$(curl -f --header "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/dev-int-signer/keys/dh-dev-v01" | jq -r '.data.keys."1".public_key')
2558+
2559+
# curl -f -o /tmp/test-key.json
2560+
# jq -r '.data.certificate' < /tmp/test-cert.pem.json > /tmp/test-cert.pem
2561+
2562+
# openssl verify -CAfile /tmp/test-ca.pem /tmp/test-cert.pem
2563+
23402564
# Extract REPO_SUFFIX from repository name: trim prefix 'deckhouse/deckhouse-'.
23412565
REPO_SUFFIX=${GITHUB_REPOSITORY#deckhouse/deckhouse-}
23422566
if [[ $REPO_SUFFIX == $GITHUB_REPOSITORY ]] ; then

0 commit comments

Comments
 (0)