Merge pull request #108 from tnevrlka/load-rekor-tuf-secrets

expose REKOR and TUF in GH Actions and Jenkins

Author: lcarva

generated/gitops-template/githubactions/.github/workflows/gitops-promotion.yml

@@ -27,6 +27,10 @@ env:
   IMAGE_REGISTRY_USER: ${{ secrets.IMAGE_REGISTRY_USER }}
   # Set this password for your specific registry
   IMAGE_REGISTRY_PASSWORD: ${{ secrets.IMAGE_REGISTRY_PASSWORD }}
+  # Set this only when using an external Rekor instance
+  # REKOR_HOST: ${{ secrets.REKOR_HOST }}
+  # Set this only when using an external TUF instance
+  # TUF_MIRROR: ${{ secrets.TUF_MIRROR }}
   # QUAY_IO_CREDS_USR: ${{ secrets.QUAY_IO_CREDS_USR }}
   # QUAY_IO_CREDS_PSW: ${{ secrets.QUAY_IO_CREDS_PSW }}
   # ARTIFACTORY_IO_CREDS_USR: ${{ secrets.ARTIFACTORY_IO_CREDS_USR }}
@@ -73,6 +77,10 @@ jobs:
             IMAGE_REGISTRY_USER: `${{ secrets.IMAGE_REGISTRY_USER }}`, 
             /* Set this password for your specific registry */
             IMAGE_REGISTRY_PASSWORD: `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`, 
+            /* Set this only when using an external Rekor instance */
+            /*REKOR_HOST: `${{ secrets.REKOR_HOST }}`, */
+            /* Set this only when using an external TUF instance */
+            /*TUF_MIRROR: `${{ secrets.TUF_MIRROR }}`, */
             /*QUAY_IO_CREDS_USR: `${{ secrets.QUAY_IO_CREDS_USR }}`, */
             /*QUAY_IO_CREDS_PSW: `${{ secrets.QUAY_IO_CREDS_PSW }}`, */
             /*ARTIFACTORY_IO_CREDS_USR: `${{ secrets.ARTIFACTORY_IO_CREDS_USR }}`, */

generated/gitops-template/jenkins/Jenkinsfile

@@ -26,6 +26,10 @@ pipeline {
         QUAY_IO_CREDS = credentials('QUAY_IO_CREDS')
         /* ARTIFACTORY_IO_CREDS = credentials('ARTIFACTORY_IO_CREDS') */
         /* NEXUS_IO_CREDS = credentials('NEXUS_IO_CREDS') */
+        /* Set when using Jenkins on non-local cluster and using an external Rekor instance */
+        /* REKOR_HOST = credentials('REKOR_HOST') */
+        /* Set when using Jenkins on non-local cluster and using an external TUF instance */
+        /* TUF_MIRROR = credentials('TUF_MIRROR') */
     }
     stages {
         stage('Verify EC') {

generated/source-repo/githubactions/.github/workflows/build-and-update-gitops.yml

@@ -23,6 +23,10 @@ env:
   IMAGE_REGISTRY_USER: ${{ secrets.IMAGE_REGISTRY_USER }}
   # Set this password for your specific registry
   IMAGE_REGISTRY_PASSWORD: ${{ secrets.IMAGE_REGISTRY_PASSWORD }}
+  # Set this only when using an external Rekor instance
+  # REKOR_HOST: ${{ secrets.REKOR_HOST }}
+  # Set this only when using an external TUF instance
+  # TUF_MIRROR: ${{ secrets.TUF_MIRROR }}
   # QUAY_IO_CREDS_USR: ${{ secrets.QUAY_IO_CREDS_USR }}
   # QUAY_IO_CREDS_PSW: ${{ secrets.QUAY_IO_CREDS_PSW }}
   # ARTIFACTORY_IO_CREDS_USR: ${{ secrets.ARTIFACTORY_IO_CREDS_USR }}
@@ -74,6 +78,10 @@ jobs:
             IMAGE_REGISTRY_USER: `${{ secrets.IMAGE_REGISTRY_USER }}`, 
             /* Set this password for your specific registry */
             IMAGE_REGISTRY_PASSWORD: `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`, 
+            /* Set this only when using an external Rekor instance */
+            /*REKOR_HOST: `${{ secrets.REKOR_HOST }}`, */
+            /* Set this only when using an external TUF instance */
+            /*TUF_MIRROR: `${{ secrets.TUF_MIRROR }}`, */
             /*QUAY_IO_CREDS_USR: `${{ secrets.QUAY_IO_CREDS_USR }}`, */
             /*QUAY_IO_CREDS_PSW: `${{ secrets.QUAY_IO_CREDS_PSW }}`, */
             /*ARTIFACTORY_IO_CREDS_USR: `${{ secrets.ARTIFACTORY_IO_CREDS_USR }}`, */

generated/source-repo/jenkins/Jenkinsfile

@@ -23,6 +23,10 @@ pipeline {
         COSIGN_SECRET_PASSWORD = credentials('COSIGN_SECRET_PASSWORD')
         COSIGN_SECRET_KEY = credentials('COSIGN_SECRET_KEY')
         COSIGN_PUBLIC_KEY = credentials('COSIGN_PUBLIC_KEY')
+        /* Set when using Jenkins on non-local cluster and using an external Rekor instance */
+        /* REKOR_HOST = credentials('REKOR_HOST') */
+        /* Set when using Jenkins on non-local cluster and using an external TUF instance */
+        /* TUF_MIRROR = credentials('TUF_MIRROR') */
     }
     stages {
         stage('init') {

templates/data.yaml

@@ -27,6 +27,15 @@ build_secrets:
   - name: IMAGE_REGISTRY_PASSWORD 
     if: 'isGitHub'
     comment: "Set this password for your specific registry" 
+  # Expose Rekor and TUF in GitHub Actions so they can be set by user in secrets
+  - name: REKOR_HOST
+    if: 'isGitHub'
+    comment: "Set this only when using an external Rekor instance"
+    commented_out: true
+  - name: TUF_MIRROR
+    if: 'isGitHub'
+    comment: "Set this only when using an external TUF instance"
+    commented_out: true
   - name: IMAGE_REGISTRY_USER
     if: '!isGitHub'
     commented_out: true
@@ -66,6 +75,15 @@ build_secrets:
   - name: COSIGN_SECRET_PASSWORD
   - name: COSIGN_SECRET_KEY
   - name: COSIGN_PUBLIC_KEY
+  # Rekor and TUF again, but there is a difference between GH Actions and Jenkins
+  - name: REKOR_HOST
+    if: 'isJenkins'
+    comment: "Set when using Jenkins on non-local cluster and using an external Rekor instance"
+    commented_out: true
+  - name: TUF_MIRROR
+    if: 'isJenkins'
+    comment: "Set when using Jenkins on non-local cluster and using an external TUF instance"
+    commented_out: true
 
 gitops_steps:
   - name: Verify EC
@@ -91,7 +109,16 @@ gitops_secrets:
     comment: "Set this to the user for your specific registry"
   - name: IMAGE_REGISTRY_PASSWORD 
     if: 'isGitHub'
-    comment: "Set this password for your specific registry" 
+    comment: "Set this password for your specific registry"
+  # Expose Rekor and TUF in GitHub Actions so they can be set by user in secrets
+  - name: REKOR_HOST
+    if: 'isGitHub'
+    comment: "Set this only when using an external Rekor instance"
+    commented_out: true
+  - name: TUF_MIRROR
+    if: 'isGitHub'
+    comment: "Set this only when using an external TUF instance"
+    commented_out: true
   # other CIs in transition so comment out and leave Quay.io
   - name: IMAGE_REGISTRY_USER
     if: '!isGitHub'
@@ -129,4 +156,13 @@ gitops_secrets:
     commented_out: true 
   - name: NEXUS_IO_CREDS_PSW
     if: '!isJenkins'  
-    commented_out: true 
+    commented_out: true
+  # Rekor and TUF again, but there is a difference between GH Actions and Jenkins
+  - name: REKOR_HOST
+    if: 'isJenkins'
+    comment: "Set when using Jenkins on non-local cluster and using an external Rekor instance"
+    commented_out: true
+  - name: TUF_MIRROR
+    if: 'isJenkins'
+    comment: "Set when using Jenkins on non-local cluster and using an external TUF instance"
+    commented_out: true