ci: improve handling of public-key-check #2847
Conversation
Currently, in order to publish ig-k8s image / gadget images on a fork users will have to: - Set secrets for cosign (COSIGN_PRIVATE_KEY/COSIGN_PASSWORD) - Update the public key in source (pkg/resources/inspektor-gadget.pub) the idea of this change is to improve this workflow by not signing images by default on forks. We won't depend on public-key-check when publishing images, but add it in the release job to ensure images are published with correct keys. Signed-off-by: Qasim Sarfraz <qasimsarfraz@microsoft.com>
Signed-off-by: Qasim Sarfraz <qasimsarfraz@microsoft.com>
Signed-off-by: Qasim Sarfraz <qasimsarfraz@microsoft.com>
mqasimsarfraz
requested review from
blanquicet,
mauriciovasquezbernal,
eiffel-fl and
alban
as code owners
| if: github.event_name == 'push' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') && needs.check-secrets.outputs.cosign == 'true' | ||
| # we merge something on main. Also, we ensure this job will always run on | ||
| # for 'inspektor-gadget/inspektor-gadget' respository | ||
| if: needs.check-secrets.outputs.cosign == 'true' || (github.event_name == 'push' && github.repository == 'inspektor-gadget/inspektor-gadget') |
There was a problem hiding this comment.
The comment refers to dependabot, but it was removed from the if, I suspect it will fail when run by the bot.
There was a problem hiding this comment.
Moreover, this totally blocks forks from signing their image without tweaking the CI.
So, before they had to tweak the public key, now they have to tweak the CI, in the end they still have something to tweak.
There was a problem hiding this comment.
I should have explained the approach bit better 🙈
The comment refers to dependabot, but it was removed from the if, I suspect it will fail when run by the bot.
Actually the first check needs.check-secrets.outputs.cosign == 'true' ensures that the job will only run if secrets are configured so if no secrets are configured the CI won't run!
Moreover, this totally blocks forks from signing their image without tweaking the CI.
Do you mean they need to modify (github.event_name == 'push' && github.repository == 'inspektor-gadget/inspektor-gadget') ?
I added this explicit check for our main repository so if somehow we delete cosign secrets the job will start to fail but for forks this check is ignored. I just tried it on a fork and configured the secrets and it seem to be working fine.
There was a problem hiding this comment.
I should have explained the approach bit better 🙈
The comment refers to dependabot, but it was removed from the if, I suspect it will fail when run by the bot.
Actually the first check
needs.check-secrets.outputs.cosign == 'true'ensures that the job will only run if secrets are configured so if no secrets are configured the CI won't run!
The secret exists, but dependabot has not access to it and I do not want to give it access.
So, we need this github.actor != 'dependabot[bot]'.
Moreover, this totally blocks forks from signing their image without tweaking the CI.
Do you mean they need to modify
(github.event_name == 'push' && github.repository == 'inspektor-gadget/inspektor-gadget')?
Indeed.
I added this explicit check for our main repository so if somehow we delete cosign secrets the job will start to fail but for forks this check is ignored. I just tried it on a fork and configured the secrets and it seem to be working fine.
Did you try to remove the secret?
Also, please share more information on the fork, because it is not clear why the job is run.
Actually, the goal of this PR is to avoid forks to tweak anything to have the CI running, but in your case the fork CI is failing because the secret does not correspond to the source public key, which is exactly like the current situation.
| @@ -715,7 +715,6 @@ jobs: | |||
| if: github.event_name != 'pull_request' | |||
| needs: | |||
| - build-gadget-container-images | |||
| - public-key-check | |||
There was a problem hiding this comment.
We sign our images on main, so we should not remove this from the needs here.
There was a problem hiding this comment.
See the comment below.
| @@ -1303,7 +1303,6 @@ jobs: | |||
| - build-ig | |||
| - build-helper-images | |||
| - check-secrets | |||
| - public-key-check | |||
There was a problem hiding this comment.
I know it isn't a nice part but the idea was to remove this dependency from here so the entire job won't be skipped and gadget images will be published without signing if secrets aren't configured. The other approach I have in mind is to split this job into two. 1) gadget pushing 2) gadget signing. The only tricky bit is how to share the gadgets digests between the jobs (I know how to do it but would require more changes) but in that case we can move the need of public-key-check to gadget-signing job. What do you say?
There was a problem hiding this comment.
If I understand correctly, if the public key check goes wrong, the gadgets will still be pushed.
On one hand, it seems "OK", on the other, I have the feeling this give a wrong feeling of security as people would just push unsigned gadget, which would end up being refused by the CLI (unless --verify-image=false is set).
I guess we do not have other possibilities than to split these jobs.
| verifyImage := true | ||
| if os.Getenv("GADGET_VERIFY_IMAGE") == "false" { | ||
| verifyImage = false | ||
| } |
There was a problem hiding this comment.
| verifyImage := true | |
| if os.Getenv("GADGET_VERIFY_IMAGE") == "false" { | |
| verifyImage = false | |
| } | |
| verifyImage := os.Getenv("GADGET_VERIFY_IMAGE") == "true" |
Unless you want to ensure the two possible values are "false" and "true".
| @@ -103,7 +103,7 @@ func TestRunTopFile(t *testing.T) { | |||
| RunTestSteps(commands, t, WithCbBeforeCleanup(PrintLogsFn(ns))) | |||
| }) | |||
|
|
|||
| cmd := fmt.Sprintf("$KUBECTL_GADGET run %s/top_file:%s -n %s -o json", *gadgetRepository, *gadgetTag, ns) | |||
| cmd := fmt.Sprintf("$KUBECTL_GADGET run %s/top_file:%s --verify-image=%t -n %s -o json", *gadgetRepository, *gadgetTag, *gadgetVerifyImage, ns) | |||
There was a problem hiding this comment.
OK for now, but we should definitely have a way to define and tweak this globally rather than having to do so in each file.
There was a problem hiding this comment.
Agreed, we can probably use config for this in future.
Currently, in order to publish ig-k8s image / gadget images on a fork users will have to:
COSIGN_PRIVATE_KEY/COSIGN_PASSWORD)Otherwise
public-key-checkjob will fail and ig-k8s image /gadgets images won't be published. The idea of this PR is to improve this workflow by not signing images by default on forks.public-key-checkis removed from theneedsof both the image publishing steps to allow images to still be published but not signed on forks. Having said that,public-key-checkis moved to release to ensure if incorrect keys are configured we won't be able to release. So it isn't a fatal job for CI runs on main but only for releases.Also tests need to be adapted to allow running without verification on a fork!
Testing Done