
Commit 0425a07

authored
Merge pull request #108 from tnevrlka/load-rekor-tuf-secrets
expose REKOR and TUF in GH Actions and Jenkins
2 parents 7b1b8bf + 541656b commit 0425a07


5 files changed

+62
-2
lines changed


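--- a/generated/gitops-template/githubactions/.github/workflows/gitops-promotion.yml
+++ b/generated/gitops-template/githubactions/.github/workflows/gitops-promotion.yml
@@ -27,6 +27,10 @@ env:
 IMAGE_REGISTRY_USER: ${{ secrets.IMAGE_REGISTRY_USER }}
 # Set this password for your specific registry
 IMAGE_REGISTRY_PASSWORD: ${{ secrets.IMAGE_REGISTRY_PASSWORD }}
+# Set this only when using an external Rekor instance
+# REKOR_HOST: ${{ secrets.REKOR_HOST }}
+# Set this only when using an external TUF instance
+# TUF_MIRROR: ${{ secrets.TUF_MIRROR }}
 # QUAY_IO_CREDS_USR: ${{ secrets.QUAY_IO_CREDS_USR }}
 # QUAY_IO_CREDS_PSW: ${{ secrets.QUAY_IO_CREDS_PSW }}
 # ARTIFACTORY_IO_CREDS_USR: ${{ secrets.ARTIFACTORY_IO_CREDS_USR }}
@@ -73,6 +77,10 @@ jobs:
 IMAGE_REGISTRY_USER: `${{ secrets.IMAGE_REGISTRY_USER }}`,
 /* Set this password for your specific registry */
 IMAGE_REGISTRY_PASSWORD: `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`,
+/* Set this only when using an external Rekor instance */
+/*REKOR_HOST: `${{ secrets.REKOR_HOST }}`, */
+/* Set this only when using an external TUF instance */
+/*TUF_MIRROR: `${{ secrets.TUF_MIRROR }}`, */
 /*QUAY_IO_CREDS_USR: `${{ secrets.QUAY_IO_CREDS_USR }}`, */
 /*QUAY_IO_CREDS_PSW: `${{ secrets.QUAY_IO_CREDS_PSW }}`, */
 /*ARTIFACTORY_IO_CREDS_USR: `${{ secrets.ARTIFACTORY_IO_CREDS_USR }}`, */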

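--- a/generated/gitops-template/jenkins/Jenkinsfile
+++ b/generated/gitops-template/jenkins/Jenkinsfile
@@ -26,6 +26,10 @@ pipeline {
 QUAY_IO_CREDS = credentials('QUAY_IO_CREDS')
 /* ARTIFACTORY_IO_CREDS = credentials('ARTIFACTORY_IO_CREDS') */
 /* NEXUS_IO_CREDS = credentials('NEXUS_IO_CREDS') */
+/* Set when using Jenkins on non-local cluster and using an external Rekor instance */
+/* REKOR_HOST = credentials('REKOR_HOST') */
+/* Set when using Jenkins on non-local cluster and using an external TUF instance */
+/* TUF_MIRROR = credentials('TUF_MIRROR') */
 }
 stages {
 stage('Verify EC') {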

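--- a/generated/source-repo/githubactions/.github/workflows/build-and-update-gitops.yml
+++ b/generated/source-repo/githubactions/.github/workflows/build-and-update-gitops.yml
@@ -23,6 +23,10 @@ env:
 IMAGE_REGISTRY_USER: ${{ secrets.IMAGE_REGISTRY_USER }}
 # Set this password for your specific registry
 IMAGE_REGISTRY_PASSWORD: ${{ secrets.IMAGE_REGISTRY_PASSWORD }}
+# Set this only when using an external Rekor instance
+# REKOR_HOST: ${{ secrets.REKOR_HOST }}
+# Set this only when using an external TUF instance
+# TUF_MIRROR: ${{ secrets.TUF_MIRROR }}
 # QUAY_IO_CREDS_USR: ${{ secrets.QUAY_IO_CREDS_USR }}
 # QUAY_IO_CREDS_PSW: ${{ secrets.QUAY_IO_CREDS_PSW }}
 # ARTIFACTORY_IO_CREDS_USR: ${{ secrets.ARTIFACTORY_IO_CREDS_USR }}
@@ -74,6 +78,10 @@ jobs:
 IMAGE_REGISTRY_USER: `${{ secrets.IMAGE_REGISTRY_USER }}`,
 /* Set this password for your specific registry */
 IMAGE_REGISTRY_PASSWORD: `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`,
+/* Set this only when using an external Rekor instance */
+/*REKOR_HOST: `${{ secrets.REKOR_HOST }}`, */
+/* Set this only when using an external TUF instance */
+/*TUF_MIRROR: `${{ secrets.TUF_MIRROR }}`, */
 /*QUAY_IO_CREDS_USR: `${{ secrets.QUAY_IO_CREDS_USR }}`, */
 /*QUAY_IO_CREDS_PSW: `${{ secrets.QUAY_IO_CREDS_PSW }}`, */
 /*ARTIFACTORY_IO_CREDS_USR: `${{ secrets.ARTIFACTORY_IO_CREDS_USR }}`, */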

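--- a/generated/source-repo/jenkins/Jenkinsfile
+++ b/generated/source-repo/jenkins/Jenkinsfile
@@ -23,6 +23,10 @@ pipeline {
 COSIGN_SECRET_PASSWORD = credentials('COSIGN_SECRET_PASSWORD')
 COSIGN_SECRET_KEY = credentials('COSIGN_SECRET_KEY')
 COSIGN_PUBLIC_KEY = credentials('COSIGN_PUBLIC_KEY')
+/* Set when using Jenkins on non-local cluster and using an external Rekor instance */
+/* REKOR_HOST = credentials('REKOR_HOST') */
+/* Set when using Jenkins on non-local cluster and using an external TUF instance */
+/* TUF_MIRROR = credentials('TUF_MIRROR') */
 }
 stages {
 stage('init') {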

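--- a/templates/data.yaml
+++ b/templates/data.yaml
@@ -27,6 +27,15 @@ build_secrets:
 - name: IMAGE_REGISTRY_PASSWORD
 if: 'isGitHub'
 comment: "Set this password for your specific registry"
+# Expose Rekor and TUF in GitHub Actions so they can be set by user in secrets
+- name: REKOR_HOST
+if: 'isGitHub'
+comment: "Set this only when using an external Rekor instance"
+commented_out: true
+- name: TUF_MIRROR
+if: 'isGitHub'
+comment: "Set this only when using an external TUF instance"
+commented_out: true
 - name: IMAGE_REGISTRY_USER
 if: '!isGitHub'
 commented_out: true
@@ -66,6 +75,15 @@ build_secrets:
 - name: COSIGN_SECRET_PASSWORD
 - name: COSIGN_SECRET_KEY
 - name: COSIGN_PUBLIC_KEY
+# Rekor and TUF again, but there is a difference between GH Actions and Jenkins
+- name: REKOR_HOST
+if: 'isJenkins'
+comment: "Set when using Jenkins on non-local cluster and using an external Rekor instance"
+commented_out: true
+- name: TUF_MIRROR
+if: 'isJenkins'
+comment: "Set when using Jenkins on non-local cluster and using an external TUF instance"
+commented_out: true
 
 gitops_steps:
 - name: Verify EC
@@ -91,7 +109,16 @@ gitops_secrets:
 comment: "Set this to the user for your specific registry"
 - name: IMAGE_REGISTRY_PASSWORD
 if: 'isGitHub'
-comment: "Set this password for your specific registry"
+comment: "Set this password for your specific registry"
+# Expose Rekor and TUF in GitHub Actions so they can be set by user in secrets
+- name: REKOR_HOST
+if: 'isGitHub'
+comment: "Set this only when using an external Rekor instance"
+commented_out: true
+- name: TUF_MIRROR
+if: 'isGitHub'
+comment: "Set this only when using an external TUF instance"
+commented_out: true
 # other CIs in transition so comment out and leave Quay.io
 - name: IMAGE_REGISTRY_USER
 if: '!isGitHub'
@@ -129,4 +156,13 @@ gitops_secrets:
 commented_out: true
 - name: NEXUS_IO_CREDS_PSW
 if: '!isJenkins'
-commented_out: true
+commented_out: true
+# Rekor and TUF again, but there is a difference between GH Actions and Jenkins
+- name: REKOR_HOST
+if: 'isJenkins'
+comment: "Set when using Jenkins on non-local cluster and using an external Rekor instance"
+commented_out: true
+- name: TUF_MIRROR
+if: 'isJenkins'
+comment: "Set when using Jenkins on non-local cluster and using an external TUF instance"
+commented_out: true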
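Review bot: The new REKOR_HOST and TUF_MIRROR entries (new-side lines 31-38, 79-86, 114-121 and 161-168) describe the values only as something to "set", yet these are endpoint / trust-root settings rather than credentials, and routing them through `secrets` / `credentials()` in the generated output typically masks the URL in CI logs without any confidentiality benefit, so a mistyped or substituted mirror becomes harder to spot. If the template offers no non-secret source for such values, the entry comment should at least say what the value governs, e.g. `comment: "Set this only when using an external TUF instance; this URL selects the trust root used for signature verification, so set it from a trusted source"` (the consumer of TUF_MIRROR is not visible in this diff, so the wording is inferred from the variable name). The header comment `# Rekor and TUF again, but there is a difference between GH Actions and Jenkins` does not say what the difference is; the only one visible here is the comment text, so either name it (`# Same variables for Jenkins; only the user-facing comment differs`) or drop the remark. The four copies of this block differ only in `if:` and comment wording, which is worth a note for whoever edits them next so all four stay in step.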
