{"id":26797773,"url":"https://github.com/kameshsampath/go-hello-world","last_synced_at":"2025-04-22T22:09:36.309Z","repository":{"id":65771131,"uuid":"556559531","full_name":"kameshsampath/go-hello-world","owner":"kameshsampath","description":"Demo to showcase how to build a golang application using ko. Sign and push the image to the container registry using https://sigstore.dev. Apply policy controller on Kubernetes to allow only signed images.","archived":false,"fork":false,"pushed_at":"2023-04-17T12:41:12.000Z","size":67,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-12-22T20:02:53.826Z","etag":null,"topics":["cosign","demo-app","docker","drone-ci","harness-ci","k3d","policy-controller","sigstore"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kameshsampath.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-10-24T04:30:57.000Z","updated_at":"2023-09-06T09:42:20.000Z","dependencies_parsed_at":"2024-06-21T00:33:06.083Z","dependency_job_id":null,"html_url":"https://github.com/kameshsampath/go-hello-world","commit_stats":{"total_commits":23,"total_committers":3,"mean_commits":7.666666666666667,"dds":"0.21739130434782605","last_synced_commit":"ca7961a35fa6f6c6d3479773be65f85b09b76ac5"},"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kameshsampath%2Fgo-hello-world","tags_url":"https://
repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kameshsampath%2Fgo-hello-world/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kameshsampath%2Fgo-hello-world/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kameshsampath%2Fgo-hello-world/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kameshsampath","download_url":"https://codeload.github.com/kameshsampath/go-hello-world/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246230519,"owners_count":20744349,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cosign","demo-app","docker","drone-ci","harness-ci","k3d","policy-controller","sigstore"],"created_at":"2025-03-29T19:15:46.091Z","updated_at":"2025-03-29T19:15:46.513Z","avatar_url":"https://github.com/kameshsampath.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Continuous Build, Test and Sign your Containers\n\nA simple REST API built in `golang` using Labstack's [Echo](https://echo.labstack.com/), to demonstrate how to integrate CI using,\n\n- [Harness CI](https://app.harness.io)\n- [Drone CI](https://drone.io)\n\nOptionally, as part of the CI pipeline, we can also sign the container image using [cosign](https://sigstore.dev).\n\n## Pre-requisites\n\n- [Docker Desktop](https://docs.docker.com/desktop/)\n- [k3D](https://k3d.io/)\n- [Drone CI CLI](https://docs.drone.io/cli/install/)\n- [ko](https://ko.build)\n- [helm](https://helm.sh)\n- 
[cosign](https://docs.sigstore.dev/cosign/installation)\n\n## Using Harness Platform\n\nRegister yourself for a Free Tier Harness Account at \u003chttps://app.harness.io\u003e.\n\nTo configure the Harness CI pipeline for this project you need the following,\n\n- Docker Registry Account Credentials, e.g. Docker Hub, Quay.io or Harbor\n- GitHub Account with a Personal Access Token (PAT) with `admin:repo` and `user` permissions\n- Private and Public Key pair to sign the built container image\n- Kubernetes Cluster\n\n## Download Sources\n\nClone the sources and `cd` into it,\n\n```shell\ngit clone https://github.com/kameshsampath/go-hello-world.git \u0026\u0026 cd \"$(basename \"$_\" .git)\"\nexport TUTORIAL_HOME=\"$PWD\"\n```\n\n## Setup Environment\n\nCreate a `dotenv` file that we will be using to set/load our environment variables.\n\n```shell\ncp \"$TUTORIAL_HOME/.env.example\" \"$TUTORIAL_HOME/.env\"\n```\n\nEnsure you update `REPLACE ME` in `$TUTORIAL_HOME/.env` as per your settings.\n\nSpin up a local Kubernetes cluster where we will deploy the demo application.\n\n```shell\n\"$TUTORIAL_HOME/bin/setup.sh\"\n```\n\n## Sign and Verify Image\n\nGenerate a private and public key pair and save them as the Kubernetes secret `my-image-sigs` in namespace `cosign-system`,\n\n```shell\nkubectl create ns cosign-system\ncosign generate-key-pair k8s://cosign-system/my-image-sigs\n```\n\nSign and push the image using Drone CI pipelines,\n\n\u003e **IMPORTANT**: We need to make sure that drone is run on the same network as the k3s cluster `$K3D_CLUSTER_NAME`, allowing it to have access to the cluster kubeconfig.\n\n```shell\ndrone exec --env-file=.env --trusted --network=\"$K3D_CLUSTER_NAME\"\n```\n\nVerify the image signature,\n\n```shell\ndrone exec --env-file=.env --trusted --pipeline=verify --network=\"$K3D_CLUSTER_NAME\"\n```\n\n## Deploy Kubernetes\n\nLet us use the [sigstore](https://github.com/sigstore/policy-controller) Policy Controller to enforce a policy that will allow only signed 
images to be deployed as part of Kubernetes deployments.\n\n```shell\nhelm repo add sigstore https://sigstore.github.io/helm-charts\nhelm repo update\n```\n\nDeploy `policy-controller`,\n\n```shell\nhelm upgrade --install policy-controller \\\n  -n cosign-system \\\n  --wait \\\n  sigstore/policy-controller\n```\n\n```shell\nkubectl create secret generic my-verify-key -n cosign-system \\\n  --from-file=cosign.pub=\"$TUTORIAL_HOME/cosign.pub\"\n```\n\nCreate a `ClusterImagePolicy` that will allow only images signed using keys from `my-verify-key` in `cosign-system`,\n\n```shell\ncat \u003c\u003cEOF | kubectl apply -f -\napiVersion: policy.sigstore.dev/v1alpha1\nkind: ClusterImagePolicy\nmetadata:\n  name: cip-key-secret\n  namespace: cosign-system\nspec:\n  images:\n  - glob: \"**\"\n  authorities:\n  - key:\n      secretRef:\n        name: my-verify-key\nEOF\n```\n\nLet us create a namespace to deploy the application,\n\n```shell\nkubectl create ns demo-apps\n```\n\nTo enforce the policy on all applications in this namespace, label the namespace with `policy.sigstore.dev/include=true`,\n\n```shell\nkubectl label namespace demo-apps policy.sigstore.dev/include=true\n```\n\nTry deploying an image that is not signed using `my-image-sigs`,\n\n```shell\nkubectl run --image library/nginx -n demo-apps nginx\n```\n\nThe deployment should fail with a message like,\n\n```text\nError from server (BadRequest): admission webhook \"policy.sigstore.dev\" denied the request: validation failed: failed policy: cip-key-secret: spec.containers[0].image\nindex.docker.io/library/nginx@sha256:b8f2383a95879e1ae064940d9a200f67a6c79e710ed82ac42263397367e7cc4e signature key validation failed for authority authority-0 for index.docker.io/library/nginx@sha256:b8f2383a95879e1ae064940d9a200f67a6c79e710ed82ac42263397367e7cc4e: no matching signatures:\n```\n\nLet us now deploy `$IMAGE_REGISTRY/$IMAGE_REGISTRY_USERNAME/go-hello-world:$IMAGE_TAG`,\n\n```shell\nkubectl run --image 
\"$IMAGE_REGISTRY/$IMAGE_REGISTRY_USERNAME/go-hello-world:$IMAGE_TAG\" -n demo-apps hello-world\n```\n\nThe application should now be created as the image is signed using the keys from `my-image-sigs`.\n\n## Call API\n\nDo a port-forward to application port `8080`,\n\n```shell\nkubectl port-forward -n demo-apps hello-world 8080:8080\n```\n\nTry calling the API to see a response `Hello World!`.\n\n```shell\ncurl http://localhost:8080/\n```\n\nThe command should return `Hello World!`.\n\n## Cleanup\n\n```shell\n\"$TUTORIAL_HOME/bin/cleanup.sh\"\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkameshsampath%2Fgo-hello-world","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkameshsampath%2Fgo-hello-world","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkameshsampath%2Fgo-hello-world/lists"}