
https://github.com/kameshsampath/go-hello-world

Demo to showcase how to build a golang application using ko. Sign and push the image to the container registry using https://sigstore.dev. Apply policy controller on Kubernetes to allow only signed images.

cosign demo-app docker drone-ci harness-ci k3d policy-controller sigstore




README


# Continuous Build, Test and Sign your Containers

A simple REST API built in `golang` using Labstack's [Echo](https://echo.labstack.com/), to demonstrate how to integrate CI using,

- [Harness CI](https://app.harness.io)
- [Drone CI](https://drone.io)

Optionally, as part of the CI pipeline, we can also sign the container image using [cosign](https://sigstore.dev).

## Pre-requisites

- [Docker Desktop](https://docs.docker.com/desktop/)
- [k3D](https://k3d.io/)
- [Drone CI CLI](https://docs.drone.io/cli/install/)
- [ko](https://ko.build)
- [helm](https://helm.sh)
- [cosign](https://docs.sigstore.dev/cosign/installation)

## Using Harness Platform

Register yourself for a Free Tier Harness Account at .

To configure the Harness CI pipeline for this project you need the following,

- Docker Registry Account Credentials, e.g. Docker Hub, Quay.io or Harbor
- GitHub Account with a Personal Access Token (PAT) with `admin:repo` and `user` permissions
- Private and Public Key pair to sign the built container image
- Kubernetes Cluster

## Download Sources

Clone the sources and `cd` into it,

```shell
git clone https://github.com/kameshsampath/go-hello-world.git && cd "$(basename "$_" .git)"
export TUTORIAL_HOME="$PWD"
```

## Setup Environment

Create a `dotenv` file (`.env`) that we will be using to set/load our environment variables.

```shell
cp "$TUTORIAL_HOME/.env.example" "$TUTORIAL_HOME/.env"
```

Ensure you replace every `REPLACE ME` placeholder in `$TUTORIAL_HOME/.env` with values matching your settings.

Spin up a local Kubernetes cluster where we will deploy the demo application.

```shell
"$TUTORIAL_HOME/bin/setup.sh"
```

## Signing and Verifying the Image

Generate a private/public key pair and store it as the Kubernetes secret `my-image-sigs` in the namespace `cosign-system`,

```shell
kubectl create ns cosign-system
cosign generate-key-pair k8s://cosign-system/my-image-sigs
```

Sign and push the image using Drone CI pipelines,

> **IMPORTANT**: We need to make sure that drone runs on the same network as the k3d cluster `$K3D_CLUSTER_NAME`, so that it can reach the cluster and use its kubeconfig.

```shell
drone exec --env-file=.env --trusted --network="$K3D_CLUSTER_NAME"
```

Verify image signature,

```shell
drone exec --env-file=.env --trusted --pipeline=verify --network="$K3D_CLUSTER_NAME"
```

## Deploy Kubernetes

Let us use the [sigstore](https://github.com/sigstore/policy-controller) Policy Controller to enforce a policy that allows only signed images to be deployed as part of Kubernetes deployments.

```shell
helm repo add sigstore https://sigstore.github.io/helm-charts
helm repo update
```

Deploy `policy-controller`,

```shell
helm upgrade --install policy-controller \
-n cosign-system \
--wait \
sigstore/policy-controller
```

Store the public key (`cosign.pub`) as the secret `my-verify-key` in `cosign-system`; the policy controller will use it to verify image signatures,

```shell
kubectl create secret generic my-verify-key -n cosign-system \
--from-file=cosign.pub="$TUTORIAL_HOME/cosign.pub"
```

Create a `ClusterImagePolicy` that will allow only images signed using keys from `my-verify-key` in `cosign-system`,
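The following is an added example, not code from the go-hello-world repository, showing how such a `ClusterImagePolicy` can be rendered, applied and checked from a shell. It assumes the policy name `my-image-policy`, that `policy-controller` is installed in `cosign-system` with the `my-verify-key` secret created as above, and that `kubectl` is on `PATH`. Two points the README does not spell out: a `key.secretRef` is resolved in the policy controller's own namespace (hence the secret lives in `cosign-system`), and the controller only admits or denies pods in namespaces carrying the label `policy.sigstore.dev/include=true`; an unlabelled namespace is simply ignored, which is an easy way to believe enforcement is on when it is not.

```shell
#!/bin/sh
# Added example (not part of the go-hello-world project).
# Renders a ClusterImagePolicy that admits only images signed with the public
# key stored in secret my-verify-key (cosign-system), applies it, opts a
# namespace into enforcement and probes that an unsigned image is rejected.
# Assumptions: policy-controller runs in cosign-system, the secret holds
# cosign.pub, and kubectl is installed. Policy name my-image-policy is hypothetical.
set -eu

# render_policy NAME SECRET [GLOB]
# Prints the manifest to stdout so it can be reviewed or piped to kubectl.
render_policy() {
  name="$1"
  secret="$2"
  glob="${3:-**}"
  cat <<EOF
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: ${name}
spec:
  # Image references this policy applies to; "**" matches every image.
  images:
    - glob: "${glob}"
  # Each authority is one acceptable signer. A key authority with secretRef
  # reads the public key from a secret in the policy-controller namespace.
  authorities:
    - key:
        secretRef:
          name: ${secret}
EOF
}

# count_authorities NAME SECRET [GLOB]
# Sanity check before applying: how many signers the rendered policy accepts.
count_authorities() {
  render_policy "$@" | grep -c 'secretRef:'
}

# apply_policy NAME SECRET [GLOB]: apply the rendered policy to the cluster.
apply_policy() {
  render_policy "$@" | kubectl apply -f -
}

# enforce_in_namespace NS: policy-controller only evaluates pods in namespaces
# carrying this label; unlabelled namespaces bypass the policy entirely.
enforce_in_namespace() {
  kubectl label namespace "$1" policy.sigstore.dev/include=true --overwrite
}

# expect_unsigned_rejected NS IMAGE
# Negative test to run after installation: an image that was not signed with
# the key must be refused by the admission webhook. Returns 1 if it is admitted.
expect_unsigned_rejected() {
  ns="$1"
  image="$2"
  if kubectl -n "$ns" run unsigned-probe --image="$image" --restart=Never >/dev/null 2>&1; then
    kubectl -n "$ns" delete pod unsigned-probe --ignore-not-found >/dev/null
    echo "FAIL: unsigned image $image was admitted in namespace $ns" >&2
    return 1
  fi
  echo "OK: unsigned image $image was rejected in namespace $ns"
}

# demo: the full sequence against a live cluster (not run automatically, so the
# functions above can be sourced and inspected without cluster access).
demo() {
  apply_policy my-image-policy my-verify-key '**'
  enforce_in_namespace default
  # busybox here is an arbitrary public image that was never signed with our key.
  expect_unsigned_rejected default docker.io/library/busybox:latest
}
```

Source the file and call `demo` against the k3d cluster from the setup step; `render_policy my-image-policy my-verify-key` alone prints the manifest for review before anything is applied.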

```shell
cat <