Repository files (last commit message, date):

  • .gitignore (Initial, 2024-06-03)
  • brz-artifact-signer.json (Initial, 2024-06-03)
  • cm-manual-ca-bundle.yaml (Bring the system to the actual config, 2025-02-03)
  • cosign-login.sh (update for toolset, 2024-10-08)
  • get-config-rhtas-edition.sh (handle exports, 2024-10-09)
  • LICENSE (Add LICENSE, 2024-06-03)
  • networkpolicy.yaml (get changes from brz branch, 2025-02-10)
  • operator.yaml (update for toolset, 2024-10-08)
  • Readme.en.md (small doc corrections, 2025-02-04)
  • Readme.md (get changes back, 2025-02-10)
  • resourcequotas.yaml (Add Resourcequotas in Namespace, 2024-06-04)
  • securesign.yaml (Bring the system to the actual config, 2025-02-03)
  • sign-image.sh (handle exports, 2024-10-09)
  • verify-image.sh (handle exports, 2024-10-09)

Rollout of Red Hat Trusted Artifact Signer

Rollout

  • As cluster-admin:

    • Deploy the operator: oc apply -f operator.yaml
    • Create the namespace (project)
    • Set quotas: oc apply -f resourcequotas.yaml
    • Set permissions for the namespace (grant the namespace admins their role)
  • All other tasks are performed as a normal admin of the namespace (not of the cluster).

  • Adjust the following in securesign.yaml:

    • metadata.name
    • spec.fulcio.config.OIDCIssuers (issuer URL and client ID of your KeyCloak realm; the issuer must equal the iss claim of the tokens KeyCloak issues, and it is what later appears as "Issuer" in verified signatures)
    • spec.fulcio.certificate
  • If your own PKI/CAs are in use, create a ConfigMap with the correct root CAs from cm-manual-ca-bundle.yaml and import it first (oc apply -f cm-manual-ca-bundle.yaml).
    In addition, uncomment the corresponding sections in securesign.yaml so that the CA bundle is referenced.

  • Then deploy with: oc apply -f securesign.yaml

  • Create the client in KeyCloak that you referenced in OIDCIssuers.
    An import JSON is provided in brz-artifact-signer.json (optionally adjust the name there; it must match the ClientID in securesign.yaml, because Fulcio checks the token audience against it).
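Added example, not part of this repo: a small shell function that renders the fields of securesign.yaml the steps above say to adjust (metadata.name, spec.fulcio.config.OIDCIssuers, spec.fulcio.certificate) from arguments, so the per-namespace values are generated instead of hand-edited. The apiVersion/kind and the fulcio field names are those of the RHTAS Securesign CRD; the trustedCA block is an assumption about how the ConfigMap from cm-manual-ca-bundle.yaml is referenced and must be checked against the commented section in the repo's securesign.yaml. All sample values (names, URLs, e-mail) are constructed. The remaining components (rekor, ctlog, trillian, tuf) are not rendered here; merge this output into the repo's securesign.yaml.

```shell
#!/bin/sh
# Added example, not part of this repo. Renders the fields of securesign.yaml that
# the rollout steps say to adjust (metadata.name, spec.fulcio.config.OIDCIssuers,
# spec.fulcio.certificate) from arguments. Fulcio field names follow the RHTAS
# Securesign CRD; the trustedCA block (assumption) is how the cm-manual-ca-bundle
# ConfigMap would be referenced and must be checked against the commented section
# in the repo's securesign.yaml. Other components (rekor, ctlog, trillian, tuf)
# are not rendered; merge this output into the repo's securesign.yaml.
set -eu

# Usage: render_securesign NAME ISSUER_URL CLIENT_ID ORG_NAME ORG_EMAIL [CA_CONFIGMAP]
render_securesign() {
  name=$1; issuer=$2; client=$3; org=$4; email=$5; cabundle=${6:-}
  cat <<EOF
apiVersion: rhtas.redhat.com/v1alpha1
kind: Securesign
metadata:
  name: ${name}
spec:
  fulcio:
    certificate:
      organizationName: ${org}
      organizationEmail: ${email}
      commonName: fulcio
    config:
      OIDCIssuers:
        # Issuer/IssuerURL must equal the "iss" claim KeyCloak puts into its tokens;
        # ClientID must equal the KeyCloak client id (see brz-artifact-signer.json),
        # because Fulcio checks the token audience against it.
        - Issuer: ${issuer}
          IssuerURL: ${issuer}
          ClientID: ${client}
          Type: email
EOF
  if [ -n "$cabundle" ]; then
    # assumption: reference to the ConfigMap created from cm-manual-ca-bundle.yaml
    printf '  trustedCA:\n    name: %s\n' "$cabundle"
  fi
}

# Stand-alone use with constructed sample values:
#   sh render-securesign.sh --demo > securesign-brz-test.yaml
if [ "${1:-}" = "--demo" ]; then
  render_securesign securesign-brz-test \
    https://idp.example.test/auth/realms/brz \
    trusted-artifact-signer "Example Org" admin@example.test manual-ca-bundle
fi
```

The function deliberately writes Issuer and IssuerURL from the same argument: a mismatch between the two, or between them and what KeyCloak actually puts into the iss claim, is the usual reason Fulcio rejects otherwise valid tokens.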

There are 4 ingresses (and thus 4 routes). For end users the route to the rekor-search-ui is the interesting one: it lets you query the Rekor log directly from the browser (for example by the signer's e-mail or by log index).

Usage

The script get-config-rhtas-edition.sh serves as an example for setting all variables needed to sign with and verify against a deployed Rekor/Fulcio instance. It generates a directory named after the namespace and the securesign name, containing the required assets and an env.sh shell script.

So:

  • Execute get-config-rhtas-edition.sh: ./get-config-rhtas-edition.sh igbvc-rhtas-dev securesign-brz-test
    This creates a directory [namespace].[rolloutname].configs (excluded from the repo via .gitignore)
  • Signing an image:
    • with a local installation of cosign

      • Signing:

        # you need to be logged in to the registry (with a GitLab PAT from gitlab.opencode.de)
        cd igbvc-rhtas-dev.securesign-brz-test.configs
        ./sign-image.sh registry.opencode.de/ig-bvc/ag-sig/cosign-tools/signed-test:first
        
      • Signature verification:

        cd igbvc-rhtas-dev.securesign-brz-test.configs
        ./verify-image.sh peter@pflaeging.net registry.opencode.de/ig-bvc/ag-sig/cosign-tools/signed-test:first
        
        Verification for registry.opencode.de/ig-bvc/ag-sig/cosign-tools/signed-test:first --
        The following checks were performed on each of these signatures:
          - The cosign claims were validated
          - Existence of the claims in the transparency log was verified offline
          - The code-signing certificate was verified using trusted certificate authority certificates
        [
          {
            "critical": {
              "identity": {
                "docker-reference": "registry.opencode.de/ig-bvc/ag-sig/cosign-tools/signed-test"
              },
              "image": {
                "docker-manifest-digest": "sha256:a7e9f2cf7cb056e18c445c3607814ab3e49c2bb8243e6587fd0ca51d2fb95115"
              },
              "type": "cosign container image signature"
            },
            "optional": {
              "1.3.6.1.4.1.57264.1.1": "https://idp.pflaeging.net/auth/realms/pflaeging.net",
              "Bundle": {
                "SignedEntryTimestamp": "MGQCMB66Ri5AS+pBThP7rkz3yfsFCkUdchUNj/HoZ53dmY/GxYVxqynepGcr8EEum3tipAIwa5Qc95Pwqb5968nanoUmGhNvViWbd2TyBaihdgCa8kJlcbjCU/hQzUQeY0lkkpRo",
                "Payload": {
                  "body": "eyJhcGlWZXJzaW9uIjoiMC..........",
                  "integratedTime": 1738657701,
                  "logIndex": 9,
                  "logID": "97e3ded2d25727075358f0da0a3ba1615399bd4bb5adaf241ebcb73e00e10585"
                }
              },
              "Issuer": "https://idp.pflaeging.net/auth/realms/pflaeging.net",
              "Subject": "peter@pflaeging.net"
            }
          }
        ]
        
    • Signing from a pod or container (see also the repo https://gitlab.opencode.de/ig-bvc/ag-sig/cosign-tools)

      • We only need the cosign.env file from the generated config directory:

        cd igbvc-rhtas-dev.securesign-brz-test.configs
        
      • Starting it as a container locally (you need Docker or Podman):

        docker run -ti --env-file cosign.env registry.opencode.de/ig-bvc/ag-sig/cosign-tools/ubi-cosign:latest sh
        
      • Starting the container as a pod in any cluster you have access to:

        kubectl run -it ubi-cosign-$USER \
          --image=registry.opencode.de/ig-bvc/ag-sig/cosign-tools/ubi-cosign:latest \
          $(awk '{print "--env=" $1}' < cosign.env) \
          --restart=Never --rm -- sh
        
      • In the container, we can now sign and verify the image:

        # login to your registry (with your gitlab PAT)
        ./cosign-login.sh registry.opencode.de
        # sign image
        # cosign prints a URL: copy & paste it into your browser,
        # log in, then paste the verification code back into the shell when asked
        ./sign-image.sh registry.opencode.de/ig-bvc/ag-sig/cosign-tools/signed-test:first
        # verify image
        ./verify-image.sh peter@pflaeging.net registry.opencode.de/ig-bvc/ag-sig/cosign-tools/signed-test:first
        

        (The container used for signing is a minimal UBI container with cosign added. Info in the repo https://gitlab.opencode.de/ig-bvc/ag-sig/cosign-tools)
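Added example, not the repo's sign-image.sh / verify-image.sh (those scripts are not shown on this page): the same keyless flow written out with documented cosign flags, so the steps behind the two scripts are visible: trust root from the RHTAS TUF server, signing via Fulcio and Rekor, and verification with both the certificate identity and the OIDC issuer pinned, as in the verify output above (Subject and Issuer). The variable names TUF_URL, FULCIO_URL, REKOR_URL, OIDC_ISSUER_URL and OIDC_CLIENT_ID are assumptions about what cosign.env contains; adjust them to the repo's names.

```shell
#!/bin/sh
# Added example, not the repo's sign-image.sh / verify-image.sh. Keyless sign and
# verify against an RHTAS-deployed Sigstore stack using documented cosign flags.
# Assumed variable names (check cosign.env for the real ones):
#   TUF_URL, FULCIO_URL, REKOR_URL, OIDC_ISSUER_URL, OIDC_CLIENT_ID
set -eu

# Fail with a list of missing variables instead of sending cosign to an empty URL.
require_env() {
  missing=0
  for v in "$@"; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "missing variable: $v" >&2
      missing=1
    fi
  done
  return $missing
}

# 0 if the reference is digest-pinned (name@sha256:...), 1 for a mutable tag.
image_is_digest_pinned() {
  case $1 in
    *@sha256:[0-9a-f]*) return 0 ;;
    *) return 1 ;;
  esac
}

# One-time: fetch the trust root (Fulcio, Rekor and CT log keys) from the RHTAS
# TUF server; cosign caches it under ~/.sigstore for later sign/verify calls.
init_trust_root() {
  require_env TUF_URL
  cosign initialize --mirror "$TUF_URL" --root "$TUF_URL/root.json"
}

# Keyless signing: cosign prints the KeyCloak login URL and, when no browser is
# available, asks for the verification code; after login it obtains a short-lived
# Fulcio certificate, pushes the signature to the registry and the entry to Rekor.
sign_image() {
  require_env FULCIO_URL REKOR_URL OIDC_ISSUER_URL
  cosign sign -y \
    --fulcio-url "$FULCIO_URL" \
    --rekor-url "$REKOR_URL" \
    --oidc-issuer "$OIDC_ISSUER_URL" \
    --oidc-client-id "${OIDC_CLIENT_ID:-trusted-artifact-signer}" \
    "$1"
}

# Verification pins who signed (certificate identity) and which IdP vouched for
# that identity (OIDC issuer); either one alone accepts signatures from the
# wrong source.
verify_image() {
  identity=$1; image=$2
  require_env REKOR_URL OIDC_ISSUER_URL
  if ! image_is_digest_pinned "$image"; then
    echo "warning: $image is a tag; prefer name@sha256:... so the verified digest is the one you deploy" >&2
  fi
  cosign verify \
    --rekor-url "$REKOR_URL" \
    --certificate-identity "$identity" \
    --certificate-oidc-issuer "$OIDC_ISSUER_URL" \
    "$image"
}

# Stand-alone: ./rhtas-cosign.sh init | sign IMAGE | verify IDENTITY IMAGE
case "${1:-}" in
  init)   init_trust_root ;;
  sign)   sign_image "$2" ;;
  verify) verify_image "$2" "$3" ;;
esac
```

The verify step takes the same two arguments as the repo's verify-image.sh (identity e-mail, image). The tag warning exists because the JSON above pins docker-manifest-digest, not the tag: a verify by tag proves a signature exists for whatever digest the tag resolves to right now, which may differ from what a later pull gets.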

ToDo

  • Better rollout (more GitOps)
  • Generate configs with YAMLs according to IG-BvC standardization proposal
  • Test real rollouts
  • Improve documentation
  • Test rollout in plain Kubernetes