Install cosign.

Gerrit91 · Gerrit91 · commit 32f635740ee0 · 2025-07-22T15:28:28.000+02:00
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,7 @@
 FROM python:3.11-slim AS minimal
 
-ENV VERSION_CT=0.9.0 \
+ENV VERSION_COSIGN=2.5.3 \
+    VERSION_CT=0.9.0 \
     VERSION_HELM=3.16.4 \
     METAL_ROLES_VERSION=metal-stack-release-vector-module
 
@@ -31,7 +32,10 @@ RUN set -x \
         pyjwt==2.8.0 \
  && curl -Lo ct https://github.com/coreos/container-linux-config-transpiler/releases/download/v${VERSION_CT}/ct-v${VERSION_CT}-x86_64-unknown-linux-gnu \
  && chmod +x ct \
- && mv ct /usr/local/bin/
+ && mv ct /usr/local/bin/ \
+ && curl -Lo cosign https://github.com/sigstore/cosign/releases/download/v${VERSION_COSIGN}/cosign-linux-amd64 \
+ && chmod +x cosign \
+ && mv cosign /usr/local/bin/
 
 RUN mkdir -p /usr/share/ansible/collections/ansible_collections/metalstack/base/plugins \
  && cd /usr/share/ansible/collections/ansible_collections/metalstack/base/plugins \
diff --git a/README.md b/README.md
@@ -8,7 +8,7 @@ In case your deployment depends on Ansible roles that are referenced in a metal-
 
 ```bash
 # requires the metal_stack_release_vector variable to be defined in your ansible variables
-$ ansible -m metalstack.base.metal_stack_release_vector localhost
+$ ansible localhost -m metalstack.base.metal_stack_release_vector
 - Installing ansible-common (v0.6.13) to /root/.ansible/roles/ansible-common
 - Installing metal-ansible-modules (v0.2.10) to /root/.ansible/roles/metal-ansible-modules
 - Installing metal-roles (v0.15.17) to /root/.ansible/roles/metal-roles
diff --git a/test/group_vars/all/release_vector.yaml b/test/group_vars/all/release_vector.yaml
@@ -1,25 +1,14 @@
 metal_stack_release_version: develop
-cloud_release_version: develop
 
 metal_stack_release_vectors:
-  # - url: https://raw.githubusercontent.com/fi-ts/releases/{{ cloud_release_version }}/release.yaml
-  #   variable_mapping_path: cloud_release.mapping
-  #   include_role_defaults: metal-extensions-roles/defaults
-  #   nested:
-  #     - url_path: vectors.metal-stack.url
-  #       variable_mapping_path: metal_stack_release.mapping
-  #       include_role_defaults: metal-roles/common/roles/defaults
-
   - url: oci://ghcr.io/metal-stack/releases:{{ metal_stack_release_version }}
     variable_mapping_path: metal_stack_release.mapping
     include_role_defaults: metal-roles/common/roles/defaults
-
-  # - url: https://raw.githubusercontent.com/metal-stack-cloud/releases/develop/release.yaml
-  #   variable_mapping_path: metal_stack_cloud_release.mapping
-  #   include_role_defaults: metal-stack-cloud-ansible-roles/roles/defaults
-  #   role_aliases:
-  #     - repository: https://github.com/metal-stack-cloud/ansible-roles
-  #       alias: metal-stack-cloud-ansible-roles
+    oci_cosign_verify_key: |
+      -----BEGIN PUBLIC KEY-----
+      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdeAXd2namgVNDT0APmogKGwaV+Q4
+      rfe4uVgmsyBbb6TrhX5Py6x1PsonDahTvdVpbSGC7QGEjxIHdi8HnJ4Okg==
+      -----END PUBLIC KEY-----
 
 metal_stack_release_vector_replacements:
     - key: name
