bank-vaults · csatib02 · Dec 16, 2024 · Dec 15, 2024 · Dec 15, 2024 · Dec 15, 2024
@@ -124,11 +124,24 @@ jobs:
           TAGS: ${{ steps.meta.outputs.tags }}
         run: |
           images=""
-          for tag in ${TAGS}; do
+          for tag in ${TAGS[@]}; do
             images+="${tag}@${DIGEST} "
           done
-
-          cosign sign --yes ${images}
+
+          cosign sign --yes --rekor-url "https://rekor.sigstore.dev/" ${images}
+
+      - name: Verify signed image with cosign
+        if: ${{ inputs.publish && github.repository_owner == 'bank-vaults' }} # Check if the workflow is called by the same GitHub organization
+        env:
+          DIGEST: ${{ steps.build.outputs.digest }}
+          TAGS: ${{ steps.meta.outputs.tags }}
+        run: |
+          for tag in ${TAGS[@]}; do
+            cosign verify "${tag}@${DIGEST}" \
+              --rekor-url "https://rekor.sigstore.dev/" \
+              --certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/artifacts.yaml@${{ github.ref }}" \
+              --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq
+          done
 
       - name: Set image ref
         id: image-ref
@@ -240,13 +253,6 @@ jobs:
           helm package deploy/charts/${{ steps.chart-name.outputs.value }} --version ${{ steps.version.outputs.value }} --app-version ${{ steps.raw-version.outputs.value }}
           echo "package=${{ steps.chart-name.outputs.value }}-${{ steps.version.outputs.value }}.tgz" >> "$GITHUB_OUTPUT"
 
-      - name: Sign chart with GitHub OIDC Token
-        if: ${{ inputs.publish && github.repository_owner == 'bank-vaults' }} # Check if the workflow is called by the same GitHub organization
-        env:
-          PACKAGE: ${{ steps.build.outputs.package }}
-        run: |
-          cosign sign-blob --yes $PACKAGE
-
       - name: Upload chart as artifact
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
@@ -262,11 +268,30 @@ jobs:
         if: inputs.publish && inputs.release
 
       - name: Helm push
-        run: helm push ${{ steps.build.outputs.package }} oci://${{ steps.oci-registry-name.outputs.value }}
+        id: push
+        run: |
+          helm push ${{ steps.build.outputs.package }} oci://${{ steps.oci-registry-name.outputs.value }} &> push-metadata.txt
+          echo "digest=$(awk '/Digest: /{print $2}' push-metadata.txt)" >> "$GITHUB_OUTPUT"
         env:
           HELM_REGISTRY_CONFIG: ~/.docker/config.json
         if: inputs.publish && inputs.release
 
+      - name: Sign chart with GitHub OIDC Token
+        if: ${{ inputs.publish && inputs.release && github.repository_owner == 'bank-vaults' }} # Check if the workflow is called by the same GitHub organization
+        env:
+          DIGEST: ${{ steps.push.outputs.digest }}
+        run: cosign sign --yes --rekor-url "https://rekor.sigstore.dev/" "${{ steps.oci-chart-name.outputs.value }}@${DIGEST}"
+
+      - name: Verify signed chart with cosign
+        if: ${{ inputs.publish && inputs.release && github.repository_owner == 'bank-vaults' }} # Check if the workflow is called by the same GitHub organization
+        env:
+          DIGEST: ${{ steps.push.outputs.digest }}
+        run: |
+          cosign verify "${{ steps.oci-chart-name.outputs.value }}@${DIGEST}" \
+            --rekor-url "https://rekor.sigstore.dev/" \
+            --certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/artifacts.yaml@${{ github.ref }}" \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq
+
       - name: Upload package as artifact
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:

@@ -122,7 +122,7 @@ The following table lists the configurable parameters of the Helm chart.
 | `webhookClientConfig.useUrl` | bool | `false` | Use url if webhook should be contacted over loadbalancer or ingress instead of service object. By default, the mutating webhook uses the service of the webhook directly to contact webhook. |
 | `webhookClientConfig.url` | string | `"https://example.com"` | Set the url how the webhook should be contacted, including the protocol |
 | `vaultEnv.repository` | string | `"ghcr.io/bank-vaults/vault-env"` | Container image repo that contains the vault-env container |
-| `vaultEnv.tag` | string | `"v1.21.6"` | Container image tag for the vault-env container |
+| `vaultEnv.tag` | string | `"v1.21.7"` | Container image tag for the vault-env container |
 | `env` | object | `{}` | Custom environment variables available to webhook |
 | `initContainers` | list | `[]` | Containers to run before the webhook containers are started |
 | `metrics.enabled` | bool | `false` | Enable metrics service for the webhook |

@@ -73,7 +73,7 @@ vaultEnv:
   # -- Container image repo that contains the vault-env container
   repository: ghcr.io/bank-vaults/vault-env
   # -- Container image tag for the vault-env container
-  tag: "v1.21.6"
+  tag: "v1.21.7"
 
 # -- Custom environment variables available to webhook
 env: {}

@@ -43,7 +43,10 @@ import (
 )
 
 // Upgrade this when a new version is released
-const vaultOperatorVersion = "1.22.3"
+const (
+	defaultTimeout       = 2 * time.Minute
+	vaultOperatorVersion = "1.22.4"
+)
 
 var testenv env.Environment
 
@@ -132,7 +135,7 @@ func installVaultOperator(ctx context.Context, cfg *envconf.Config) (context.Con
 		helm.WithArgs("--create-namespace"),
 		helm.WithVersion(vaultOperatorVersion),
 		helm.WithWait(),
-		helm.WithTimeout("2m"),
+		helm.WithTimeout(defaultTimeout.String()),
 	)
 	if err != nil {
 		return ctx, fmt.Errorf("installing vault-operator: %w", err)
@@ -148,7 +151,7 @@ func uninstallVaultOperator(ctx context.Context, cfg *envconf.Config) (context.C
 		helm.WithName("vault-operator"),
 		helm.WithNamespace("vault-operator"),
 		helm.WithWait(),
-		helm.WithTimeout("2m"),
+		helm.WithTimeout(defaultTimeout.String()),
 	)
 	if err != nil {
 		return ctx, fmt.Errorf("uninstalling vault-operator: %w", err)
@@ -176,7 +179,7 @@ func installVaultSecretsWebhook(ctx context.Context, cfg *envconf.Config) (conte
 		helm.WithNamespace("vault-secrets-webhook"),
 		helm.WithArgs("-f", "deploy/vault-secrets-webhook/values.yaml", "--set", "image.tag="+version),
 		helm.WithWait(),
-		helm.WithTimeout("2m"),
+		helm.WithTimeout(defaultTimeout.String()),
 	)
 	if err != nil {
 		return ctx, fmt.Errorf("installing vault-secrets-webhook: %w", err)
@@ -192,7 +195,7 @@ func uninstallVaultSecretsWebhook(ctx context.Context, cfg *envconf.Config) (con
 		helm.WithName("vault-secrets-webhook"),
 		helm.WithNamespace("vault-secrets-webhook"),
 		helm.WithWait(),
-		helm.WithTimeout("2m"),
+		helm.WithTimeout(defaultTimeout.String()),
 	)
 	if err != nil {
 		return ctx, fmt.Errorf("uninstalling vault-secrets-webhook: %w", err)
@@ -233,7 +236,7 @@ func installVault(ctx context.Context, cfg *envconf.Config) (context.Context, er
 	}
 
 	// wait for the statefulSet to become available
-	err = wait.For(conditions.New(r).ResourcesFound(statefulSets), wait.WithTimeout(1*time.Minute))
+	err = wait.For(conditions.New(r).ResourcesFound(statefulSets), wait.WithTimeout(defaultTimeout))
 	if err != nil {
 		return ctx, err
 	}
@@ -245,7 +248,7 @@ func installVault(ctx context.Context, cfg *envconf.Config) (context.Context, er
 	}
 
 	// wait for the pod to become available
-	err = wait.For(conditions.New(r).PodReady(&pod), wait.WithTimeout(1*time.Minute))
+	err = wait.For(conditions.New(r).PodReady(&pod), wait.WithTimeout(defaultTimeout))
 	if err != nil {
 		return ctx, err
 	}
@@ -263,7 +266,7 @@ func waitForVaultTLS(ctx context.Context, cfg *envconf.Config) (context.Context,
 	}
 
 	// wait for the vault-tls secret to become available
-	err := wait.For(conditions.New(cfg.Client().Resources()).ResourcesFound(vaultTLSSecrets), wait.WithTimeout(1*time.Minute))
+	err := wait.For(conditions.New(cfg.Client().Resources()).ResourcesFound(vaultTLSSecrets), wait.WithTimeout(defaultTimeout))
 	if err != nil {
 		return ctx, err
 	}

@@ -5,7 +5,7 @@ spec:
   namespace: vault-operator
   chart:
     name: oci://ghcr.io/bank-vaults/helm-charts/vault-operator
-    version: "1.22.3"
+    version: "1.22.4"
 
 ---
 kind: Deploy