metal-stack · Gerrit91 · Nov 21, 2025 · May 27, 2025 · May 28, 2025 · May 28, 2025
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
@@ -20,8 +20,9 @@ jobs:
     name: Build
     runs-on: ubuntu-latest
     permissions:
-      packages: write
-      contents: read
+      contents: 'read'
+      id-token: 'write'
+      packages: 'write'
 
     steps:
     - name: Check out code into the Go module directory
@@ -40,11 +41,29 @@ jobs:
         [ "${GITHUB_EVENT_NAME}" == 'release' ] && echo "tag=${GITHUB_REF##*/}" >> $GITHUB_ENV || true
         [ "${GITHUB_EVENT_NAME}" == 'push' ] && echo "tag=latest" >> $GITHUB_ENV || true
 
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@v3
+
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v3
 
+    - name: Build and export minimal image to Docker
+      uses: docker/build-push-action@v6
+      with:
+        context: .
+        load: true
+        tags: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:${{ env.tag }}-minimal
+        target: minimal
+
+    - name: Test
+      run: |
+        make test
+      env:
+        TAG: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:${{ env.tag }}-minimal
+
     - name: Build and push minimal image
       uses: docker/build-push-action@v6
+      id: build_minimal
       with:
         context: .
         push: true
@@ -54,9 +73,35 @@ jobs:
 
     - name: Build and push image
       uses: docker/build-push-action@v6
+      id: build
       with:
         context: .
         push: true
         sbom: true
         tags: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:${{ env.tag }}
         target: withcloudproviders
+
+    - uses: google-github-actions/auth@v2
+      id: auth
+      with:
+        workload_identity_provider: projects/723287855471/locations/global/workloadIdentityPools/github/providers/github-actions
+        service_account: keyless@metal-stack.iam.gserviceaccount.com
+        token_format: id_token
+        id_token_audience: sigstore
+        id_token_include_email: true
+
+    - name: Sign image
+      run: |
+        cosign sign --yes --key env://COSIGN_PRIVATE_KEY \
+          ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:${{ env.tag }} \
+          ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:${{ env.tag }}-minimal \
+          ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}@${{ steps.build_minimal.outputs.digest }} \
+          ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
+        cosign sign --yes --identity-token=${{ steps.auth.outputs.id_token }} \
+          ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:${{ env.tag }} \
+          ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:${{ env.tag }}-minimal \
+          ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}@${{ steps.build_minimal.outputs.digest }} \
+          ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
+      env:
+        COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+        COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
diff --git a/Dockerfile b/Dockerfile
@@ -1,7 +1,9 @@
 FROM python:3.13-slim AS minimal
 
-ENV VERSION_CT=0.9.0 \
-    VERSION_HELM=3.18.4
+ENV VERSION_COSIGN=2.5.3 \
+    VERSION_CT=0.9.0 \
+    VERSION_HELM=3.18.4 \
+    ANSIBLE_COMMON_VERSION=metal-stack-release-vector-module
 
 RUN set -x \
  && apt-get update \
@@ -32,7 +34,13 @@ RUN set -x \
         pyjwt==2.10.1 \
  && curl -Lo ct https://github.com/coreos/container-linux-config-transpiler/releases/download/v${VERSION_CT}/ct-v${VERSION_CT}-x86_64-unknown-linux-gnu \
  && chmod +x ct \
- && mv ct /usr/local/bin/
+ && mv ct /usr/local/bin/ \
+ && curl -Lo cosign https://github.com/sigstore/cosign/releases/download/v${VERSION_COSIGN}/cosign-linux-amd64 \
+ && chmod +x cosign \
+ && mv cosign /bin/ \
+ && bash -c 'mkdir -p /usr/share/ansible/collections/ansible_collections/metalstack/base/plugins/{action,modules}' \
+ && curl -Lo /usr/share/ansible/collections/ansible_collections/metalstack/base/plugins/action/metal_stack_release_vector.py https://raw.githubusercontent.com/metal-stack/ansible-common/${ANSIBLE_COMMON_VERSION}/action_plugins/metal_stack_release_vector.py \
+ && curl -Lo /usr/share/ansible/collections/ansible_collections/metalstack/base/plugins/modules/metal_stack_release_vector.py https://raw.githubusercontent.com/metal-stack/ansible-common/${ANSIBLE_COMMON_VERSION}/library/metal_stack_release_vector.py
 
 COPY ansible.cfg /etc/ansible/ansible.cfg
 COPY gai.conf /etc/gai.conf

diff --git a/Dockerfile.test b/Dockerfile.test
@@ -0,0 +1,3 @@
+ARG TAG=metal-deployment-base
+FROM ${TAG}
+COPY test .
diff --git a/Makefile b/Makefile
@@ -0,0 +1,17 @@
+TAG := $(or $(TAG),metal-deployment-base)
+
+ifeq ($(CI),true)
+  DOCKER_RUN_ARG=
+else
+  DOCKER_RUN_ARG=t
+endif
+
+.PHONY: build
+build:
+	docker build -t $(TAG) .
+
+.PHONY: test
+test:
+	docker build -t $(TAG)-test -f Dockerfile.test --build-arg=TAG=$(TAG) .
+	docker run --rm -i$(DOCKER_RUN_ARG) $(TAG)-test bash -c \
+		'ansible -m metalstack.base.metal_stack_release_vector localhost && find ~/.ansible/roles -maxdepth 1 -type d -ls'
diff --git a/README.md b/README.md
@@ -1,3 +1,30 @@
 # metal-stack deployment
 
 This repository builds the deployment base image that can be used for deploying metal-stack with Ansible.
+
+## Using metal-stack Ansible Roles
+
+In case your deployment depends on Ansible roles that are referenced in a metal-stack release vector (e.g. [releases](https://github.com/metal-stack/releases)), these role dependencies can be dynamically installed through the release vector OCI artifacts by running the following command before playbook execution:
+
+```bash
+# requires the metal_stack_release_vectors variable to be defined in your ansible variables
+$ ansible localhost -m metalstack.base.metal_stack_release_vector
+- Installing ansible-common (v0.6.13) to /root/.ansible/roles/ansible-common
+- Installing metal-ansible-modules (v0.2.10) to /root/.ansible/roles/metal-ansible-modules
+- Installing metal-roles (v0.15.17) to /root/.ansible/roles/metal-roles
+```
+
+Alternatively, you can also create a small playbook and execute this instead:
+
+```yaml
+---
+# requires the metal_stack_release_vectors variable to be defined in your ansible variables
+- name: Resolve metal-stack release vector
+  gather_facts: no
+  hosts: localhost
+  connection: local
+  tasks:
+    - metalstack.base.metal_stack_release_vector:
+```
+
+After that, just as if `ansible-galaxy` was used, the roles referenced in the release vector are installed in `~/.ansible/roles`.
diff --git a/test/group_vars/all/release_vector.yaml b/test/group_vars/all/release_vector.yaml
@@ -0,0 +1,10 @@
+---
+metal_stack_release_vectors:
+  - url: oci://ghcr.io/metal-stack/releases:develop
+    variable_mapping_path: metal_stack_release.mapping
+    include_role_defaults: metal-roles/common/roles/defaults
+    oci_cosign_verify_key: |
+      -----BEGIN PUBLIC KEY-----
+      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdeAXd2namgVNDT0APmogKGwaV+Q4
+      rfe4uVgmsyBbb6TrhX5Py6x1PsonDahTvdVpbSGC7QGEjxIHdi8HnJ4Okg==
+      -----END PUBLIC KEY-----