Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Environments Team / 26 Sep 2023
GitLab / Environments Team / 26 Sep 2023
Previous Meeting
Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Demo - Image signing and verification with GitLab+Flux

Description

https://gitlab.com/gitlab-org/ci-cd/deploy-stage/demos/

A

Hello Victor tonight the product manager of gitlab speaking here. This is one more very short video of the demo projects how I expanded a little bit. These are demo projects that are public. Now you can check out the code yourself, but now, let's focus on what we have today: um I added, actually image signing and attestation uh checking site signature checking into the delivery project. Let me quickly walk through how that happens, but before that, let's take a look at what it means.

A

Basically, gitlab has this amazing Direction page and software Supply check, grid supplied security, and we have quite a few things ready already supported, and this part is actually to check the box here- that we can actually verify the validity of your image within your kubernetes cluster.

A

So, let's see how we do that um some things happen in GitHub CI, where we are building the oci artifacts and the ham charts to be deployed to the cluster and the other things happens in the cluster. First of all, we have um a dedicated image to.

A

That includes the necessary tools, and these necessary tools are.

A

Basically, cosine crane for moving the packages around Flag, City, JQ, Han and Cube CTL. This will be used throughout this pipeline. Basically, all the all the jobs here use the the image generated in this tools section. As you can see, this is one of them and this is the other job.

A

And what we do is that in the flux oci job, we create the image with flux, push artifact, and then we extract the digest URL of the that image in a single code actually, and we log into cosine and sign the image now login happens with the ID token the oidc support in gitlab CI. So you don't have to store any Longleaf tokens, Within gitlab and once the image is signed, we can actually.

A

Go and tell flux: this is a flux, ham release, as you can see, and you can say it to check the provider of this hem chart using cosine with a specified secret key, and similarly we can tell to the related oci Repository to check the image with cosine in the cluster. We have everything running as you can see. First of all, I'm using let's go back one more minute here um here you can see that I'm using a cosine key prefix with kubernetes.

A

This means that this key exists in the cluster. There is a dedicated cosine command, generate secret key if I remember well to generate the secret private public key pair and the password, and you can store it immediately in your cluster as well, and that's why we actually need to run Cube CT out here as well, in order to select the right cluster, after which cosine will be able to access that cluster using the selected context and everything uh nicely fits together. So first, let's see the secret it's there. This is cosine key.

A

um It has three keys, doesn't really matter. We only need the pub key for checking the signature and, of course, the password and the private key for signing itself, um and then, let's see how it looks like that, it's really there. uh We have this OCR repositories that I showed you before that are meant to be signed.

A

This is the detailed spec. This is what we provided to the flux, manifest that we want signature and in this status you can see this section here saying that the signature was verified. It was successful and everything runs as expected, as you have seen actually under the pods View.

A

This closes this short demo. uh I. Hope you like it. We can sign both the ham charts used here, as shown and the the oci repository the oci images. Actually so and afterwards, flux will check those signatures in the cluster.