[Video Course][Siddharth Barahalikar] FluxCD 101 with Hands-On Labs [ENG, 2023][~5h 45m]


10. DEMO - Install Cosign


$ cd ~/tmp
$ wget "https://github.com/sigstore/cosign/releases/download/v2.0.0/cosign-linux-amd64"
$ sudo mv cosign-linux-amd64 /usr/local/bin/cosign
$ chmod +x /usr/local/bin/cosign

$ cosign version

$ cosign generate-key-pair

$ kubectl -n flux-system create secret generic cosign-pub --from-file=cosign.pub=cosign.pub

11. DEMO - Cosign + OCI Artifacts

$ cd ~/projects/dev/fluxcd/bb-app-source/
$ git switch 10-demo

$ docker logout

$ docker login ghcr.io --username webmakaka

$ flux push artifact oci://ghcr.io/wildmakaka/bb-app:7.10.0-$(git rev-parse --short HEAD) \
  --path="./manifests" \
  --source="$(git config --get remote.origin.url)" \
  --revision="7.10.0/$(git rev-parse --short HEAD)"

$ cd ~/tmp
$ cosign sign --key cosign.key ghcr.io/wildmakaka/bb-app@sha256:5e0b86ed6c4cd61e7beebab4b6ea98b21ae1fc9e100fcbb0c229992d308c6bcc

Появилась подпись в package на github.

$ cosign verify --key cosign.pub ghcr.io/wildmakaka/bb-app@sha256:5e0b86ed6c4cd61e7beebab4b6ea98b21ae1fc9e100fcbb0c229992d308c6bcc

$ cd ~/projects/dev/fluxcd/block-buster/flux-clusters/dev-cluster/
$ rm 8-demo-*.yaml

$ flux create source oci 10-demo-source-oci-bb-app \
  --url oci://ghcr.io/wildmakaka/bb-app \
  --tag 7.10.0-f0f5090 \
  --secret-ref ghcr-auth \
  --provider generic \
  --export > 10-demo-source-oci-bb-app.yaml

$ flux create secret oci ghcr-auth \
  --url ghcr.io \
  --username wildmakaka \
  --password <GITHUB_TOKEN>

$ kubectl -n flux-system get secrets ghcr-auth
NAME        TYPE                             DATA   AGE
ghcr-auth   kubernetes.io/dockerconfigjson   1      6s

$ kubectl -n flux-system get secrets cosign-pub
NAME         TYPE     DATA   AGE
cosign-pub   Opaque   1      26m

$ vi 10-demo-source-oci-bb-app.yaml


  provider: cosign
    name: cosign-pub

$ flux create kustomization 10-demo-kustomize-oci-bb-app \
  --source OCIRepository/10-demo-source-oci-bb-app \
  --target-namespace 10-demo \
  --interval 10s \
  --prune false \
  --export > 10-demo-kustomize-oci-bb-app.yaml

$ flux reconcile source git flux-system

$ flux get source oci 10-demo-source-oci-bb-app
NAME                     	REVISION                      	SUSPENDED	READY	MESSAGE
10-demo-source-oci-bb-app	7.10.0-f0f5090@sha256:5e0b86ed	False    	True 	stored artifact for digest '7.10.0-f0f5090@sha256:5e0b86ed'

$ flux get kustomizations 10-demo-kustomize-oci-bb-app
NAME                        	REVISION                      	SUSPENDED	READY	MESSAGE
10-demo-kustomize-oci-bb-app	7.10.0-f0f5090@sha256:5e0b86ed	False    	True 	Applied revision: 7.10.0-f0f5090@sha256:5e0b86ed

$ kubectl -n flux-system get ocirepositories.source.toolkit.fluxcd.io NAME                        URL                               READY   STATUS                                                                                                                AGE
10-demo-source-oci-bb-app   oci://ghcr.io/wildmakaka/bb-app   True    stored artifact for digest '7.10.0-f0f5090@sha256:5e0b86ed6c4cd61e7beebab4b6ea98b21ae1fc9e100fcbb0c229992d308c6bcc'   3m16s

$ kubectl -n flux-system get ocirepositories.source.toolkit.fluxcd.io  -o yaml
- lastTransitionTime: "2023-05-01T15:42:23Z"
      message: verified signature of revision 7.10.0-f0f5090@sha256:5e0b86ed6c4cd61e7beebab4b6ea98b21ae1fc9e100fcbb0c229992d308c6bcc
      observedGeneration: 1
      reason: Succeeded
      status: "True"
      type: SourceVerified

// OK!