Stuff to make standing up sigstore (esp. for testing) easier for e2e/integration testing.

Overview

sigstore-scaffolding

This repository contains scaffolding to make standing up a full sigstore stack easier and automatable. Our focus is on running on Kubernetes, and we rely on several primitives and semantics provided by k8s. As a starting point, below is a markdown version of a Google document that @nsmith5 and @vaikas wrote based on a discussion in a sigstore community meeting on 2022-01-10.

Sigstore automation for tests

Ville Aikas <[email protected]>

Nathan Smith <[email protected]>

2022-01-11

Quickstart

If you do not care about the nitty gritty details and just want to stand up a stack, check out the Getting Started Guide.

Background

Currently, in various e2e tests we (the community) do not exercise all the components of Sigstore when running tests. This results in us skipping some validation tests (for example, but not limited to, the --insecure-skip-verify flag), or using public instances for some of the tests. Part of the reason is that there are currently some manual steps or assumptions baked in some places that make this trickier than is strictly necessary. At Chainguard we use all the sigstore components heavily and use GitHub Actions for our e2e/integration tests, and we have put together some components that might make it easier for other folks as well as upstream to do more thorough testing, and hopefully catch breaking changes, by ensuring that the full stack can be tested by various clients (Tekton Chains is one example; I’m sure there are others).

A wonderful, very detailed document for standing up all the pieces from scratch is Luke Hinds’ “Sigstore the hard way”.

Overview

This document is meant to describe what pieces have been built and why. The goals are to be able to stand up a fully functional setup suitable for k8s clusters, including KinD, which is what we use in our GitHub actions for our integration testing.

Because we assume k8s is the environment that we run in, we make use of a couple of concepts provided by it that make automation easier.

  • Jobs - Run-to-completion abstraction. Creates Pods; if they fail, it recreates them until one succeeds or it finally gives up.
  • ConfigMaps - Hold arbitrary configuration information.
  • Secrets - Hold secret information, but care must be taken for these to actually be secret.

By utilizing the Jobs “run to completion” property, we can construct “gates” in our automation, which allow us to not proceed until a Job completes successfully (“full speed ahead”) or fails (fail the test setup and bail). These take the form of a kubectl wait command, for example, waiting for jobs in ‘mynamespace’ to complete within 5 minutes or fail:

kubectl wait --timeout 5m -n mynamespace --for=condition=Complete jobs --all

Another k8s concept we utilize is the ability to mount both ConfigMaps and Secrets into Pods. Furthermore, if a ConfigMap or Secret (or, more granularly, a ‘key’ in either, but that is not important here) is not available, the Pod will block starting. This naturally gives us another “gate”, which allows us to deploy components and rely on k8s to reconcile to a known good state (or fail if that cannot be accomplished).
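
As an added illustration of the gate idea (example code written for this page, not part of the scaffolding repository): one thing to be aware of is that kubectl wait --for=condition=Complete only returns when that condition becomes true, so a Job that has already exhausted its backoffLimit and carries Failed=True is only reported when the timeout expires. The Go snippet below classifies the JSON that kubectl get jobs -o json produces into proceed / bail / wait, so a harness can bail as soon as any Job fails and also learn which Job to pull logs from. The JobList JSON is constructed for the example, and names such as EvaluateGate and WaitForJobs are this example's own.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Minimal view of `kubectl get jobs -o json`: only the fields the gate needs.
type jobCondition struct {
	Type   string `json:"type"`   // "Complete" or "Failed"
	Status string `json:"status"` // "True", "False" or "Unknown"
	Reason string `json:"reason"` // e.g. "BackoffLimitExceeded" on a failed Job
}

type jobItem struct {
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Status struct {
		Conditions []jobCondition `json:"conditions"`
	} `json:"status"`
}

type jobList struct {
	Items []jobItem `json:"items"`
}

// Gate outcomes: Proceed once every Job is Complete, Bail as soon as any Job is
// Failed (its backoffLimit is exhausted), otherwise keep waiting.
const (
	Proceed = "proceed"
	Bail    = "bail"
	Wait    = "wait"
)

// EvaluateGate classifies one JobList snapshot and also returns the names of the
// failed Jobs, so the harness can dump exactly those Jobs' logs before bailing.
func EvaluateGate(jobListJSON []byte) (decision string, failed []string, err error) {
	var list jobList
	if err := json.Unmarshal(jobListJSON, &list); err != nil {
		return "", nil, fmt.Errorf("parse job list: %w", err)
	}
	if len(list.Items) == 0 {
		return Wait, nil, nil // nothing to gate on yet, e.g. manifests not applied
	}
	complete := 0
	for _, j := range list.Items {
		for _, c := range j.Status.Conditions {
			switch {
			case c.Type == "Failed" && c.Status == "True":
				failed = append(failed, j.Metadata.Name)
			case c.Type == "Complete" && c.Status == "True":
				complete++
			}
		}
	}
	switch {
	case len(failed) > 0:
		return Bail, failed, nil
	case complete == len(list.Items):
		return Proceed, nil, nil
	default:
		return Wait, nil, nil
	}
}

// WaitForJobs polls fetch (in practice a wrapper around kubectl) until the gate
// resolves or the timeout passes. Unlike `kubectl wait --for=condition=Complete`
// it returns as soon as a Job has failed instead of running out the clock.
func WaitForJobs(fetch func() ([]byte, error), timeout, interval time.Duration) (string, []string, error) {
	deadline := time.Now().Add(timeout)
	for {
		out, err := fetch()
		if err != nil {
			return "", nil, err
		}
		decision, failed, err := EvaluateGate(out)
		if err != nil || decision != Wait {
			return decision, failed, err
		}
		if time.Now().After(deadline) {
			return "", nil, errors.New("timed out waiting for jobs")
		}
		time.Sleep(interval)
	}
}

// Constructed sample in the shape of `kubectl get jobs -n <ns> -o json`; not real output.
const sampleJobs = `{"items":[
 {"metadata":{"name":"createdb"},"status":{"conditions":[{"type":"Complete","status":"True"}]}},
 {"metadata":{"name":"createtree"},"status":{"conditions":[{"type":"Failed","status":"True","reason":"BackoffLimitExceeded"}]}},
 {"metadata":{"name":"createcerts"},"status":{}}
]}`

func main() {
	decision, failed, err := EvaluateGate([]byte(sampleJobs))
	if err != nil {
		panic(err)
	}
	fmt.Printf("decision=%s failed=%v\n", decision, failed) // decision=bail failed=[createtree]
}
```

In a real harness the fetch callback would run kubectl get jobs -n <namespace> -o json and hand back its stdout; everything else stays the same, and a Bail result is the moment to collect the named Jobs' logs before tearing the cluster down.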

Components

Here’s a high level overview of the components in play that we would like to be able to spin up with the lines depicting dependencies. Later on in the document we will cover each of these components in detail, starting from the “bottom up”.


Trillian

For Trillian, there needs to be a database and a schema before the Trillian services are able to function. Our assumption is that there is a provisioned mysql database; for our GitHub Actions we spin up a container running mysql, and then we need to create the schema in it.

For this we create a Kubernetes Job which runs against a given mysql database and verifies that all the tables and indices exist. It does not currently handle schema upgrades. That feature could be added, but looking at the change history of the schema, the schema seems to be stable, so adding it did not seem worth doing at this point.

So, we have a k8s Job called ‘CreateDB’ which is responsible for creating the schema for a given database. As a reminder, because this is a Job, automation can gate any further action on this Job completing successfully. We could also (but do not currently) make the Trillian services depend on the output of ‘CreateDB’ before proceeding (using the mounting technique described above), but we have not had need for that yet because they recover if the schema does not exist.

Rekor

Rekor requires a Merkle tree that has been created in Trillian in order to function. This can be achieved by using the admin gRPC client CreateTree call. This is again a Job, ‘CreateTree’, and this Job will also create a ConfigMap containing the newly minted TreeID. This allows us (recall mounting ConfigMaps into Pods from above) to block the Rekor server from starting before the TreeID has been provisioned. So, assuming that Rekor runs in the namespace rekor-system and that the ConfigMap created by the ‘CreateTree’ Job is called rekor-config, we can have the following (some stuff omitted for readability) in our Rekor Deployment to ensure that Rekor will not start before the TreeID has been properly provisioned.

spec:
  template:
    spec:
      containers:
      - name: rekor-server
        image: ko://github.com/sigstore/rekor/cmd/rekor-server
        args: [
          "serve",
          "--trillian_log_server.address=log-server.trillian-system.svc",
          "--trillian_log_server.port=80",
          "--trillian_log_server.tlog_id=$(TREE_ID)",
        ]
        env:
        - name: TREE_ID
          valueFrom:
            configMapKeyRef:
              name: rekor-config
              key: treeID

CTLog

CTLog is the first piece in the puzzle that requires a bit more wrangling because it actually has a dependency on Trillian as well as Fulcio (more about Fulcio details later).

For Trillian, we just need to create another TreeID, but we’re reusing the same ‘CreateTree’ Job from above.

In addition to Trillian, the dependency on Fulcio is that we need to establish trust in the Root Certificate that Fulcio is using, so that when Fulcio sends requests for inclusion in our CTLog, we trust them. For this, we use the RootCert API call to fetch the certificate.

Lastly we need to create a Certificate for CTLog itself.

So in addition to the ‘CreateTree’ Job, we also have a ‘CreateCerts’ Job that will fail to make progress until the TreeID has been populated in the ConfigMap by the ‘CreateTree’ Job above. Once the TreeID has been created, it will try to fetch the Fulcio Root Certificate (again, failing until it becomes available). Once the Fulcio Root Certificate is retrieved, the Job will create a public/private key pair to be used by the CTLog service and will write the following two Secrets (names can be changed, of course):

  • ctlog-secrets - Holds the public/private keys for CTLog as well as Root Certificate for Fulcio in the following keys:
    • private - CTLog private key
    • public - CTLog public key
    • rootca - Fulcio Root Certificate
  • ctlog-public-key - Holds the public key for CTLog so that clients calling Fulcio will be able to verify the SCT that they receive from Fulcio.

In addition to the Secrets above, the Job will also add a new entry to the ConfigMap created by ‘CreateTree’ above (now that I write this, it could just as well go in the Secrets above, I think…). This entry is called ‘config’ and it is a serialized ProtoBuf required by CTLog to start up.

Again, by using the fact that the Pod will not start until all the required ConfigMaps / Secrets are available, we can configure the CTLog Deployment to block until everything is available. Again, for brevity some things have been left out, but the CTLog configuration would look like so:

spec:
  template:
    spec:
      containers:
        - name: ctfe
          image: ko://github.com/google/certificate-transparency-go/trillian/ctfe/ct_server
          args: [
            "--http_endpoint=0.0.0.0:6962",
            "--log_config=/ctfe-config/ct_server.cfg",
            "--alsologtostderr"
          ]
          volumeMounts:
          - name: keys
            mountPath: "/ctfe-keys"
            readOnly: true
          - name: config
            mountPath: "/ctfe-config"
            readOnly: true
      volumes:
        - name: keys
          secret:
            secretName: ctlog-secret
            items:
            - key: private
              path: privkey.pem
            - key: public
              path: pubkey.pem
            - key: rootca
              path: roots.pem
        - name: config
          configMap:
            name: ctlog-config
            items:
            - key: config
              path: ct_server.cfg

Here, instead of mounting into environment variables, we must mount to the filesystem, given how CTLog expects these things to be materialized.

OK, so with the ‘CreateTree’ and ‘CreateCerts’ Jobs having successfully completed, CTLog will happily start up and be ready to serve requests. Again, if it fails, tests will fail and the logs will contain information about the particular failure.

Also, the reason the public key was put in a separate Secret is that clients need access to it: they need that public key to verify the SCT returned by Fulcio, to ensure it actually was properly signed.

Fulcio

Make it stop!!! Is there more??? Last one, I promise… For Fulcio we just need to create a Root Certificate that it will use to sign incoming Signing Certificate requests. For this we again have a Job ‘CreateCerts’ (different from the one above; TODO(vaikas): rename) that will create a self-signed certificate, private/public keys, as well as the password used to encrypt the private key. Basically we need to ensure we have all the necessary pieces to start up Fulcio.

This ‘CreateCerts’ Job just creates the pieces mentioned above and creates a Secret containing the following keys:

  • cert - Root Certificate
  • private - Private key
  • password - Password to use for decrypting the private key
  • public - Public key

And, as seen already above, we modify the Deployment to not start the Pod until all the pieces are available, making our Deployment of Fulcio look (simplified again) like this:

spec:
  template:
    spec:
      containers:
      - image: ko://github.com/sigstore/fulcio/cmd/fulcio
        name: fulcio
        args:
          - "serve"
          - "--port=5555"
          - "--ca=fileca"
          - "--fileca-key"
          - "/var/run/fulcio-secrets/key.pem"
          - "--fileca-cert"
          - "/var/run/fulcio-secrets/cert.pem"
          - "--fileca-key-passwd"
          - "$(PASSWORD)"
          - "--ct-log-url=http://ctlog.ctlog-system.svc/e2e-test-tree"
        env:
        - name: PASSWORD
          valueFrom:
            secretKeyRef:
              name: fulcio-secret
              key: password
        volumeMounts:
        - name: fulcio-cert
          mountPath: "/var/run/fulcio-secrets"
          readOnly: true
      volumes:
      - name: fulcio-cert
        secret:
          secretName: fulcio-secret
          items:
          - key: private
            path: key.pem
          - key: cert
            path: cert.pem
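
To make the two ‘CreateCerts’ Jobs concrete, here is an added Go example (written for this page; it is not the scaffolding repository's own Job code) that produces the same Secret data the text describes for both Fulcio and CTLog: a self-signed root certificate with a password-encrypted private key for fulcio-secret (cert, private, password, public), and a fresh key pair plus the Fulcio root for ctlog-secrets (private, public, rootca) and ctlog-public-key (public). It also checks the Fulcio material the way Fulcio's startup effectively does, by decrypting the key with the stored password and confirming it matches the certificate. Assumptions not stated on the page: P-256 ECDSA keys, PKCS#8 encoding, and legacy PEM encryption via x509.EncryptPEMBlock for the password-protected key; the certificate subject and the password are constructed test values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// newKeyPair returns a fresh P-256 key with its PKCS#8 DER and PEM-encoded public key
// (key type and encodings are this example's assumptions, not something the page states).
func newKeyPair() (*ecdsa.PrivateKey, []byte, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	privDER, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, nil, nil, err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return nil, nil, nil, err
	}
	return key, privDER, pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: pubDER}), nil
}

// FulcioSecret builds the 'fulcio-secret' data (cert, private, password, public).
// Legacy PEM encryption (x509.EncryptPEMBlock) is an assumed format for the encrypted key.
func FulcioSecret(password string) (map[string][]byte, error) {
	key, privDER, pubPEM, err := newKeyPair()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed fulcio test root"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	enc, err := x509.EncryptPEMBlock(rand.Reader, "PRIVATE KEY", privDER, []byte(password), x509.PEMCipherAES256)
	if err != nil {
		return nil, err
	}
	return map[string][]byte{
		"cert":     pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}),
		"private":  pem.EncodeToMemory(enc),
		"password": []byte(password),
		"public":   pubPEM,
	}, nil
}

// VerifyFulcioSecret mirrors Fulcio's startup with --fileca-key-passwd: decrypt the
// key with the stored password and check that it belongs to the stored certificate.
func VerifyFulcioSecret(data map[string][]byte) error {
	cb, _ := pem.Decode(data["cert"])
	kb, _ := pem.Decode(data["private"])
	if cb == nil || kb == nil {
		return errors.New("cert or private key is not PEM")
	}
	cert, err := x509.ParseCertificate(cb.Bytes)
	if err != nil {
		return err
	}
	der, err := x509.DecryptPEMBlock(kb, data["password"]) // a wrong password is an error
	if err != nil {
		return err
	}
	key, err := x509.ParsePKCS8PrivateKey(der)
	if err != nil {
		return err
	}
	priv, ok := key.(*ecdsa.PrivateKey)
	if !ok || !priv.PublicKey.Equal(cert.PublicKey) {
		return errors.New("private key does not match certificate")
	}
	return nil
}

// CTLogSecrets builds 'ctlog-secrets' (private, public, rootca) and 'ctlog-public-key'
// (public); like the Job, it fails rather than proceed with an unusable Fulcio root.
func CTLogSecrets(fulcioRootPEM []byte) (map[string][]byte, map[string][]byte, error) {
	if b, _ := pem.Decode(fulcioRootPEM); b == nil || b.Type != "CERTIFICATE" {
		return nil, nil, errors.New("fulcio root is not a PEM certificate")
	}
	_, privDER, pubPEM, err := newKeyPair()
	if err != nil {
		return nil, nil, err
	}
	privPEM := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privDER})
	secrets := map[string][]byte{"private": privPEM, "public": pubPEM, "rootca": fulcioRootPEM}
	return secrets, map[string][]byte{"public": pubPEM}, nil
}
```

Writing the maps into Kubernetes Secrets (for example with client-go, or by dumping each key to a file and using kubectl create secret generic --from-file) is left out; the point is which keys each Secret carries, that rootca in ctlog-secrets is the very same bytes as cert in fulcio-secret, and that the material is consistent before the Deployments that mount it are allowed to start.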

Other rando stuff

This document focused on automagically handling Tree management and Certificate and Key creation, coordinating the interactions, relying on k8s primitives and semantics, and ensuring that no manual intervention is required at any point during the deployment. What has been left out, only because there are already existing solutions, is configuring each of the services to actually connect at the dataplane level. For example, in the Fulcio case the ‘--ct-log-url’ argument needs to point to where the CTLog above was installed, or hilarity will of course follow.

I’m curious if there would be appetite for upstreaming these.

Comments
  • Quick Start

    Quick Start "FUN" Part 1

    Env Details
    KIND = kind v0.11.1 go1.16.4 linux/amd64
    KO = v0.9.3
    Knative Serving = latest
    K8s = 1.21.1
    GO = go version go1.17.3 linux/amd64
    Hardware OS = Ubuntu 20.04.2 LTS

    STEPS TO RECREATE:

    1. create a default cluster in kind and install knative serving
    2. run ko apply -BRf ./config

    Output of kubectl get pods --all-namespaces

    Output of k get jobs --all-namespaces

    Issue(s): ctlog-system

    looks like ctlog-public-key not found?

    Trillian-System Log Signer (Pod ImagePullBackoff issue)

    opened by danpopnyc 11
  • Use SIGSTORE_REKOR_PUBLIC_KEY, remove SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY

    Use SIGSTORE_REKOR_PUBLIC_KEY, remove SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY

    Description

    Users should be using verification material out of band, and we should deprecate SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY.

    Instead, the scaffolding setup should export SIGSTORE_REKOR_PUBLIC_KEY with the location of the public key file, similar to the CT log public key.

    enhancement 
    opened by asraa 10
  • Figure out what is causing grief on k8s 1.23

    Figure out what is causing grief on k8s 1.23

    This passed with 1.21 and 1.22 but 1.23 seemed to be timing out jobs since looked like they were only retried 6 times. Is this a new behaviour or did something else change? https://github.com/sigstore/cosign/runs/5697562612?check_suite_focus=true

    bug 
    opened by vaikas 9
  • sigstore/scaffolding/actions/setup@main currently broken

    sigstore/scaffolding/actions/setup@main currently broken

    Description

    Currently working on an enhancement proposal for the Tekton Chains project. When running e2e tests for this project sigstore/scaffolding/actions/setup@main is called. This currently fails with the following output:

    + kubectl apply -f https://github.com/sigstore/scaffolding/releases/download/v0.4.0/release.yaml
    error: unable to read URL "https://github.com/sigstore/scaffolding/releases/download/v0.4.0/release.yaml", server reported 404 Not Found, status code=404
    

    This action is called here.

    bug 
    opened by bcaton85 7
  • Remove latency alerts on uptime checks

    Remove latency alerts on uptime checks

    Context and discussion at https://github.com/sigstore/public-good-instance/issues/513

    Signed-off-by: Priya Wadhwa [email protected]

    Summary

    Release Note

    Documentation

    opened by priyawadhwa 7
  • fix: actions/cache

    fix: actions/cache

    Summary

    Fixes actions/cache in the E2E tests by properly constructing a cache key and reordering certain steps to populate/reuse the cache, e.g. when installing dependencies.

    Ticket Link

    Fixes: #140 Signed-off-by: Michael Gasch [email protected]

    Release Note

    NONE
    
    opened by embano1 7
  • Bump google.golang.org/grpc from 1.45.0 to 1.46.0

    Bump google.golang.org/grpc from 1.45.0 to 1.46.0

    Bumps google.golang.org/grpc from 1.45.0 to 1.46.0.

    Release notes

    Sourced from google.golang.org/grpc's releases.

    Release 1.46.0

    New Features

    • server: Support setting TCP_USER_TIMEOUT on grpc.Server connections using keepalive.ServerParameters.Time (#5219)
    • client: perform graceful switching of LB policies in the ClientConn by default (#5285)
    • all: improve logging by including channelz identifier in log messages (#5192)

    API Changes

    • grpc: delete WithBalancerName() API, deprecated over 4 years ago in #1697 (#5232)
    • balancer: change BuildOptions.ChannelzParentID to an opaque identifier instead of int (#5192)
      • Note: the balancer package is labeled as EXPERIMENTAL, and we don't believe users were using this field.

    Behavior Changes

    • client: change connectivity state to TransientFailure in pick_first LB policy when all addresses are removed (#5274)
      • This is a minor change that brings grpc-go's behavior in line with the intended behavior and how C and Java behave.
    • metadata: add client-side validation of HTTP-invalid metadata before attempting to send (#4886)

    Bug Fixes

    • metadata: make a copy of the value slices in FromContext() functions so that modifications won't be made to the original copy (#5267)
    • client: handle invalid service configs by applying the default, if applicable (#5238)
    • xds: the xds client will now apply a 1 second backoff before recreating ADS or LRS streams (#5280)

    Dependencies

    Commits
    • e8d06c5 Change version to 1.46.0 (#5296)
    • efbd542 gcp/observability: correctly test this module in presubmit tests (#5300) (#5307)
    • 4467a29 gcp/observability: implement logging via binarylog (#5196)
    • 18fdf54 cmd/protoc-gen-go-grpc: allow hooks to modify client structs and service hand...
    • 337b815 interop: build client without timeout; add logs to help debug failures (#5294)
    • e583b19 xds: Add RLS in xDS e2e test (#5281)
    • 0066bf6 grpc: perform graceful switching of LB policies in the ClientConn by defaul...
    • 3cccf6a xdsclient: always backoff between new streams even after successful stream (#...
    • 4e78093 xds: ignore routes with unsupported cluster specifiers (#5269)
    • 99aae34 cluster manager: Add Graceful Switch functionality to Cluster Manager (#5265)
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies go 
    opened by dependabot[bot] 7
  • Add Terraform resource for TUF preprod bucket

    Add Terraform resource for TUF preprod bucket

    This will be used to store the staged TUF prod root before it's synced to the production bucket, letting us catch issues early.

    This is already created in production.

    Signed-off-by: Hayden Blauzvern [email protected]

    Summary

    Ticket Link

    Fixes

    Release Note

    
    
    opened by haydentherapper 5
  • Update go.mod to fix v0.4.7 release

    Update go.mod to fix v0.4.7 release

    Pretty sure goreleaser is failing because go.mod isn't up to date

    failure: https://github.com/sigstore/scaffolding/actions/runs/3018886856

    Signed-off-by: Priya Wadhwa [email protected]

    Summary

    Release Note

    Documentation

    opened by priyawadhwa 4
  • Make the release artifacts more granular.

    Make the release artifacts more granular.

    Description

    While it's convenient to do a one fell swoop and launch all the jobs at the same time, it does make things slower because of the exponential back-off that jobs use. Since there are several jobs that get launched simultaneously and because previous jobs need to finish before the final ones do, by the time we get to later stage jobs, they are backing off into the minutes.

    So, if we create the release artifacts along the lines of the steps in the README.md and then launch those and wait for them to finish before starting the next step, we could shave (guesstimate, minutes?) off the startup time.

    I think the natural break from README (trillian, rekor, ctlog, fulcio) might make sense and make things more granular. But I think even just pulling the trillian into its own would be good. There's this PR that might help with that: https://github.com/google/trillian/pull/2754

    So, if we get that merged in, then we can remove some bits from here. But, this is just keeping track of this thought, as well as depending on how long it takes me to get that in, might start some work here ahead 🤷

    enhancement 
    opened by vaikas 4
  • Security Policy violation Branch Protection

    Security Policy violation Branch Protection

    This issue was automatically created by Allstar.

    Security Policy Violation Dismiss stale reviews not configured for branch main


    This issue will auto resolve when the policy is in compliance.

    Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.

    allstar 
    opened by allstar-app[bot] 4
  • Fix typo in config var name

    Fix typo in config var name

    Noticed this config var frequency was misspelled as frequecy. The helm chart also contains this misspelling, so I will follow-up with a PR there to fix.

    Signed-off-by: Cody Soyland [email protected]

    Summary

    Release Note

    Documentation

    opened by codysoyland 0
  • Create K8s pod metric based logs and alerts

    Create K8s pod metric based logs and alerts

    Closes https://github.com/sigstore/public-good-instance/issues/703

    Summary

    This PR adds two log based metrics for K8s pod errors for Rekor and Fulcio (so four new logs are added in total). It also adds alerts around each of these metrics.

    https://github.com/sigstore/public-good-instance/issues/703 mentioned investigating whether we could use the GCP Error Reporting service, since it is automatically capturing the K8s pod errors. After some digging, that service does not seem to be supported in the Google Terraform provider and I was unable to configure PagerDuty notifications for it. So I opted to create these logs and alerts manually. These metrics and alerts are almost identical to each other, so it would be good to investigate whether we can reuse some of these metric and alert definitions but for the first pass, I opted to just create separate resource definitions for each metric and alert.

    Questions for the reviewer:

    • Do we want to create these metrics and alerts for the other K8s deployments in the project, like the prober? I just added metrics and alerts to Rekor and Fulcio to start but can add more in this PR.
    • It seems like others have tested Terraform changes by deploying the infrastructure to GCP. Have people been generally deploying this infrastructure to their own personal GCP projects?

    Release Note

    None.

    Documentation

    None.

    opened by malancas 0
  • WIP: Write the repository into secret, test air-gap mode.

    WIP: Write the repository into secret, test air-gap mode.

    Signed-off-by: Ville Aikas [email protected]

    Summary

    This builds on a few PRs, so WIP. TUF server now writes the compressed repo to a secret along with 1.root.json. This way we can test things like air-gap modes, especially in policy-controller without env variables. Add a test simulating air-gap mode where we bring in a filesystem based TUF repository. https://github.com/theupdateframework/go-tuf/pull/397 https://github.com/sigstore/sigstore/pull/715

    And: https://github.com/sigstore/cosign/compare/main...vaikas:cosign:air-gap?expand=1

    Release Note

    Documentation

    opened by vaikas 0
  • [WIP] Add ctlog shards that create their own Cloud SQL instances.

    [WIP] Add ctlog shards that create their own Cloud SQL instances.

    Signed-off-by: Ville Aikas [email protected]

    Summary

    WIP: Need to do some testing, but wanted to share the approach early :)

    Starts putting the pieces at the infra level necessary for:

    • https://github.com/sigstore/public-good-instance/issues/343
    • https://github.com/sigstore/public-good-instance/issues/418
    • https://github.com/sigstore/public-good-instance/issues/524

    In particular:

    • Add mysql creation (optionally) into the CTLog module. It's made optional since we already use that module, and we don't want to create a new Cloud SQL instance for the already existing one.
    • Add ctlog_shards variable to Sigstore ctlog_shards which is a list of shards. So we'd add, say 2021 into this list first to create a new separate Cloud SQL instance for the new CTLog
    • Add ctlog_mysql_instances which outputs the list of CTLog DB instances

    Release Note

    • Add ability to create new CTLog shards with their own Cloud SQL instance.

    Documentation

    opened by vaikas 4
  • Terraform: OpenStack Support

    Terraform: OpenStack Support

    Description

    Scaffolding project currently only supports GCP Terraform provider. We want (@developer-guy) to provision a full sigstore stack on OpenStack. Does it make sense to create a new folder called openstack in the terraform folder to drop all related modules in there?

    Of course, we can extend the supporting list in the future:

    • AWS
    • VMware Cloud Director
    • Azure
    • Alibaba
    • Azure
    • etc.
    enhancement 
    opened by Dentrax 1
Releases(v0.4.8)
  • v0.4.8(Sep 23, 2022)

    What's Changed

    • Add back support for RSA for legacy deployed CTLogs. by @vaikas in https://github.com/sigstore/scaffolding/pull/341
    • Remove /api/v1/index/retrieve endpoint from prober checks since it's experimental by @priyawadhwa in https://github.com/sigstore/scaffolding/pull/340
    • do not use setup-kind action from the head. by @vaikas in https://github.com/sigstore/scaffolding/pull/345
    • Wire missing oslogin parameter to oslogin module. by @var-sdk in https://github.com/sigstore/scaffolding/pull/346
    • Add kind support for v1.25.x by @vaikas in https://github.com/sigstore/scaffolding/pull/343
    • Update prober alerts to accept 201s on write APIs. by @var-sdk in https://github.com/sigstore/scaffolding/pull/350
    • Fix prober alerts. by @var-sdk in https://github.com/sigstore/scaffolding/pull/353
    • Correct a link in README.md. by @var-sdk in https://github.com/sigstore/scaffolding/pull/355
    • Use file based signer now that Rekor supports it. by @vaikas in https://github.com/sigstore/scaffolding/pull/358
    • Close the httpresponse.Body by @vaikas in https://github.com/sigstore/scaffolding/pull/357
    • Make tuf generic in prep for more fulcio / ctlog certs/keys. by @vaikas in https://github.com/sigstore/scaffolding/pull/356
    • Stop testing way older versions. build/test with go1.19 by @vaikas in https://github.com/sigstore/scaffolding/pull/366
    • add dns resources to service-level terraform by @bobcallaway in https://github.com/sigstore/scaffolding/pull/336
    • Use ctlog.config for creating certs, add managecaroots job, tests. by @vaikas in https://github.com/sigstore/scaffolding/pull/352
    • Trillian v0.12.1, Rekor v0.12.1, update go deps. by @vaikas in https://github.com/sigstore/scaffolding/pull/367
    • refactor signing release images by @cpanato in https://github.com/sigstore/scaffolding/pull/368
    • fix shellcheck by @cpanato in https://github.com/sigstore/scaffolding/pull/376

    Full Changelog: https://github.com/sigstore/scaffolding/compare/v0.4.7...v0.4.8

    Source code(tar.gz)
    Source code(zip)
    release-ctlog.yaml(5.43 KB)
    release-fulcio.yaml(4.91 KB)
    release-prober.yaml(729 bytes)
    release-rekor.yaml(5.66 KB)
    release-trillian.yaml(7.73 KB)
    release-tuf.yaml(3.03 KB)
    setup-kind.sh(11.12 KB)
    setup-scaffolding-from-release.sh(4.88 KB)
    setup-scaffolding.sh(4.44 KB)
    testrelease.yaml(10.55 KB)
  • v0.4.6(Aug 24, 2022)

    What's Changed

    • Disable noisy rekor alert by @priyawadhwa in https://github.com/sigstore/scaffolding/pull/303
    • Bump github.com/go-openapi/swag from 0.22.0 to 0.22.3 by @dependabot in https://github.com/sigstore/scaffolding/pull/310
    • Bump github.com/sigstore/cosign from 1.10.1 to 1.11.0 by @dependabot in https://github.com/sigstore/scaffolding/pull/306
    • Bump github/codeql-action from 2.1.18 to 2.1.19 by @dependabot in https://github.com/sigstore/scaffolding/pull/305
    • Bump sigstore/cosign-installer from 2.5.0 to 2.5.1 by @dependabot in https://github.com/sigstore/scaffolding/pull/304
    • Bump github.com/google/trillian from 1.4.2 to 1.5.0 by @dependabot in https://github.com/sigstore/scaffolding/pull/309
    • Bump github.com/sigstore/rekor from 0.10.0 to 0.11.0 by @dependabot in https://github.com/sigstore/scaffolding/pull/311
    • Bump all sigstore components. Use GODEBUG=netdns=go for fulcio. by @vaikas in https://github.com/sigstore/scaffolding/pull/316

    Full Changelog: https://github.com/sigstore/scaffolding/compare/v0.4.5...v0.4.6

    Source code(tar.gz)
    Source code(zip)
    release-ctlog.yaml(5.76 KB)
    release-fulcio.yaml(4.91 KB)
    release-prober.yaml(729 bytes)
    release-rekor.yaml(5.07 KB)
    release-trillian.yaml(7.73 KB)
    release-tuf.yaml(3.20 KB)
    setup-kind.sh(9.97 KB)
    setup-scaffolding-from-release.sh(4.88 KB)
    setup-scaffolding.sh(4.44 KB)
    testrelease.yaml(5.50 KB)
  • v0.4.5(Aug 19, 2022)

    What's Changed

    • Updates to reflect v0.4.4 by @vaikas in https://github.com/sigstore/scaffolding/pull/300
    • remove deprecated github.com/pkg/errors and use native go error by @cpanato in https://github.com/sigstore/scaffolding/pull/301
    • New kind images + more retries to work around 1.23 by @vaikas in https://github.com/sigstore/scaffolding/pull/302

    Full Changelog: https://github.com/sigstore/scaffolding/compare/v0.4.4...v0.4.5

    Source code(tar.gz)
    Source code(zip)
    release-ctlog.yaml(5.76 KB)
    release-fulcio.yaml(4.75 KB)
    release-prober.yaml(729 bytes)
    release-rekor.yaml(5.07 KB)
    release-trillian.yaml(7.71 KB)
    release-tuf.yaml(3.20 KB)
    setup-kind.sh(9.97 KB)
    setup-scaffolding-from-release.sh(4.96 KB)
    setup-scaffolding.sh(4.52 KB)
    testrelease.yaml(5.50 KB)
  • v0.4.4(Aug 16, 2022)

    What's Changed

    • bump rekor to v0.10.0 and fulcio to v0.5.2 by @vaikas in https://github.com/sigstore/scaffolding/pull/295
    • actually parse the release-version, update curl to fail properly by @vaikas in https://github.com/sigstore/scaffolding/pull/290
    • Bump github.com/go-openapi/swag from 0.21.1 to 0.22.0 by @dependabot in https://github.com/sigstore/scaffolding/pull/293
    • add working-directory input so that you can control where files go. by @vaikas in https://github.com/sigstore/scaffolding/pull/294
    • Fix issue #129 by @vaikas in https://github.com/sigstore/scaffolding/pull/296
    • Increase ksvc wait times 45s->2m. by @vaikas in https://github.com/sigstore/scaffolding/pull/299

    Full Changelog: https://github.com/sigstore/scaffolding/compare/v0.4.3...v0.4.4

    Source code(tar.gz)
    Source code(zip)
    release-ctlog.yaml(5.21 KB)
    release-fulcio.yaml(4.47 KB)
    release-prober.yaml(729 bytes)
    release-rekor.yaml(4.59 KB)
    release-trillian.yaml(7.44 KB)
    release-tuf.yaml(2.93 KB)
    setup-kind.sh(9.94 KB)
    setup-scaffolding-from-release.sh(4.96 KB)
    setup-scaffolding.sh(4.52 KB)
    testrelease.yaml(5.50 KB)
  • v0.4.3(Aug 12, 2022)

    What's Changed

    • New Release artifact: add prober to build and release the image/manifests by @cpanato in https://github.com/sigstore/scaffolding/pull/288

    • Reenable noisy latency alert by @priyawadhwa in https://github.com/sigstore/scaffolding/pull/280

    • use release 0.4.2. Bump knative to 1.6.0. by @vaikas in https://github.com/sigstore/scaffolding/pull/279

    • chore: use verification out of band by @hectorj2f in https://github.com/sigstore/scaffolding/pull/276

    • Fix prober metric alerts type by @priyawadhwa in https://github.com/sigstore/scaffolding/pull/281

    • Remove latency alerts on uptime checks by @priyawadhwa in https://github.com/sigstore/scaffolding/pull/273

    • Add clearer logging to prober by @priyawadhwa in https://github.com/sigstore/scaffolding/pull/282

    • Fix #286: Make waits for jobs uniform, 30 retries, ttl of 600. by @vaikas in https://github.com/sigstore/scaffolding/pull/287

    • Add flag sigstore-only for installing into existing clusters by @vaikas in https://github.com/sigstore/scaffolding/pull/285

    • Document action better. by @vaikas in https://github.com/sigstore/scaffolding/pull/284

    New Contributors

    • @hectorj2f made their first contribution in https://github.com/sigstore/scaffolding/pull/276

    Full Changelog: https://github.com/sigstore/scaffolding/compare/v0.4.2...v0.4.3

    Source code(tar.gz)
    Source code(zip)
    release-ctlog.yaml(5.21 KB)
    release-fulcio.yaml(4.54 KB)
    release-prober.yaml(729 bytes)
    release-rekor.yaml(4.58 KB)
    release-trillian.yaml(7.44 KB)
    release-tuf.yaml(2.93 KB)
    setup-kind.sh(9.94 KB)
    setup-scaffolding-from-release.sh(4.72 KB)
    setup-scaffolding.sh(4.53 KB)
    testrelease.yaml(5.50 KB)
  • v0.4.2(Aug 9, 2022)

    What's Changed

    • Breaking change: setup-scaffolding.sh assumed you had ko installed locally, so a proper replacement for the previous release.yaml was added: use setup-scaffolding-from-release.sh instead.

    • Give mysql SA permissions to export Monitoring/Trace data by @priyawadhwa in https://github.com/sigstore/scaffolding/pull/272

    • Roles should be applied directly to the mysql service account by @priyawadhwa in https://github.com/sigstore/scaffolding/pull/278

    • Fix broken main action. Test with 0.4.1 release by @vaikas in https://github.com/sigstore/scaffolding/pull/277

    Full Changelog: https://github.com/sigstore/scaffolding/compare/v0.4.1...v0.4.2

    Source code(tar.gz)
    Source code(zip)
    release-ctlog.yaml(5.21 KB)
    release-fulcio.yaml(4.54 KB)
    release-rekor.yaml(4.58 KB)
    release-trillian.yaml(7.44 KB)
    release-tuf.yaml(2.93 KB)
    setup-kind.sh(9.94 KB)
    setup-scaffolding-from-release.sh(4.72 KB)
    setup-scaffolding.sh(4.53 KB)
    testrelease.yaml(5.50 KB)
  • v0.4.1(Aug 9, 2022)

    What's Changed

    • Modify test to use release v0.4.0, update getting-started. by @vaikas in https://github.com/sigstore/scaffolding/pull/274

    Full Changelog: https://github.com/sigstore/scaffolding/compare/v0.4.0...v0.4.1

    Source code(tar.gz)
    Source code(zip)
    release-ctlog.yaml(5.21 KB)
    release-fulcio.yaml(4.54 KB)
    release-rekor.yaml(4.58 KB)
    release-trillian.yaml(7.44 KB)
    release-tuf.yaml(2.93 KB)
    setup-kind.sh(9.94 KB)
    setup-scaffolding-from-release.sh(4.28 KB)
    setup-scaffolding.sh(4.08 KB)
    testrelease.yaml(5.50 KB)
  • v0.4.0(Aug 8, 2022)

    What's Changed

    • Breaking change: remove release.yaml because for TUF you cannot just do a simple kubectl apply. Replaced with setup-scaffolding.sh.

    • Increase Cloud SQL disk utilization threshold to 95% by @priyawadhwa in https://github.com/sigstore/scaffolding/pull/193

    • Add prober check for Fulcio write endpoint by @priyawadhwa in https://github.com/sigstore/scaffolding/pull/194

    • Add github action to run prober once when it's updated by @priyawadhwa in https://github.com/sigstore/scaffolding/pull/195

    • actually pass through the mysql version to the module. by @k4leung4 in https://github.com/sigstore/scaffolding/pull/197

    • test go mod tidy by @k4leung4 in https://github.com/sigstore/scaffolding/pull/198

    • bump tuf version by @k4leung4 in https://github.com/sigstore/scaffolding/pull/200

    • Bump github/codeql-action from 2.1.11 to 2.1.12 by @dependabot in https://github.com/sigstore/scaffolding/pull/201

    • Bump google.golang.org/grpc from 1.46.2 to 1.47.0 by @dependabot in https://github.com/sigstore/scaffolding/pull/203

    • Refactor alerts and fix prober error code alert by @priyawadhwa in https://github.com/sigstore/scaffolding/pull/199

    • Bump tfsec/tfsec-sarif-action from 0.1.0 to 0.1.3 by @dependabot in https://github.com/sigstore/scaffolding/pull/202

    • Bump github.com/sigstore/rekor from 0.7.0 to 0.8.0 by @dependabot in https://github.com/sigstore/scaffolding/pull/207

    • Bump sigstore/cosign-installer from 2.3.0 to 2.4.0 by @dependabot in https://github.com/sigstore/scaffolding/pull/205

    • Bump github.com/sigstore/fulcio from 0.4.1 to 0.5.0 by @dependabot in https://github.com/sigstore/scaffolding/pull/208

    • Allow custom URLs for Rekor/Fulcio for prober by @priyawadhwa in https://github.com/sigstore/scaffolding/pull/209

    • add data audit module. by @k4leung4 in https://github.com/sigstore/scaffolding/pull/210

    • add slack token secret by @cpanato in https://github.com/sigstore/scaffolding/pull/212

    • raise version upper limit to allow terraform 1.2.0+ by @k4leung4 in https://github.com/sigstore/scaffolding/pull/213

    • Add Rekor write endpoint to prober by @priyawadhwa in https://github.com/sigstore/scaffolding/pull/214

    • add maintenance policy, avoid work hours for google maintenance by @k4leung4 in https://github.com/sigstore/scaffolding/pull/215

    • Bump github.com/sigstore/rekor from 0.8.0 to 0.8.1 by @dependabot in https://github.com/sigstore/scaffolding/pull/219

    • Bump sigs.k8s.io/release-utils from 0.6.0 to 0.7.1 by @dependabot in https://github.com/sigstore/scaffolding/pull/216

    • raise allowed google provider version to 4.25 by @k4leung4 in https://github.com/sigstore/scaffolding/pull/224

    • Updates by @cpanato in https://github.com/sigstore/scaffolding/pull/222

    • enable managed prometheus by default. by @k4leung4 in https://github.com/sigstore/scaffolding/pull/223

    • Bump github.com/sigstore/rekor from 0.8.1 to 0.8.2 by @dependabot in https://github.com/sigstore/scaffolding/pull/226

    • Bump github/codeql-action from 2.1.12 to 2.1.14 by @dependabot in https://github.com/sigstore/scaffolding/pull/225

    • increase timeout from 5 to 15min for argocd helm release. by @k4leung4 in https://github.com/sigstore/scaffolding/pull/227

    • upgrade kubectl / helm terraform providers by @cpanato in https://github.com/sigstore/scaffolding/pull/228

    • Add Terraform resource for TUF preprod bucket by @haydentherapper in https://github.com/sigstore/scaffolding/pull/229

    • Bump github/codeql-action from 2.1.14 to 2.1.15 by @dependabot in https://github.com/sigstore/scaffolding/pull/230

    • Bump sigstore/cosign-installer from 2.4.0 to 2.4.1 by @dependabot in https://github.com/sigstore/scaffolding/pull/231

    • Bump github.com/sigstore/rekor from 0.8.2 to 0.9.0 by @dependabot in https://github.com/sigstore/scaffolding/pull/232

    • Temporarily disable Rekor alert until we get around to fixing it by @priyawadhwa in https://github.com/sigstore/scaffolding/pull/234

    • Bump docs/test to using release v0.3.0. by @vaikas in https://github.com/sigstore/scaffolding/pull/235

    • Bump github.com/sigstore/rekor from 0.9.0 to 0.9.1 by @dependabot in https://github.com/sigstore/scaffolding/pull/237

    • Bump github.com/sigstore/fulcio from 0.5.0 to 0.5.1 by @dependabot in https://github.com/sigstore/scaffolding/pull/236

    • Update prober alert metric names to Prometheus targets by @priyawadhwa in https://github.com/sigstore/scaffolding/pull/238

    • Bump github/codeql-action from 2.1.15 to 2.1.16 by @dependabot in https://github.com/sigstore/scaffolding/pull/240

    • Bump github.com/go-openapi/strfmt from 0.21.2 to 0.21.3 by @dependabot in https://github.com/sigstore/scaffolding/pull/241

    • Bump google.golang.org/grpc from 1.47.0 to 1.48.0 by @dependabot in https://github.com/sigstore/scaffolding/pull/243

    • Bump actions/setup-go from 3.2.0 to 3.2.1 by @dependabot in https://github.com/sigstore/scaffolding/pull/239

    • Allow creating alerts with multiple notification channels by @priyawadhwa in https://github.com/sigstore/scaffolding/pull/249

    • Bump github.com/sigstore/cosign from 1.9.0 to 1.10.0 by @dependabot in https://github.com/sigstore/scaffolding/pull/250

    • Bump github.com/google/trillian from 1.4.1 to 1.4.2 by @dependabot in https://github.com/sigstore/scaffolding/pull/257

    • Bump sigstore/cosign-installer from 2.4.1 to 2.5.0 by @dependabot in https://github.com/sigstore/scaffolding/pull/254

    • Bump sigs.k8s.io/release-utils from 0.7.1 to 0.7.3 by @dependabot in https://github.com/sigstore/scaffolding/pull/258

    • Bump github.com/sigstore/fulcio from 0.5.1 to 0.5.2 by @dependabot in https://github.com/sigstore/scaffolding/pull/259

    • Bump google.golang.org/protobuf from 1.28.0 to 1.28.1 by @dependabot in https://github.com/sigstore/scaffolding/pull/256

    • Bump github/codeql-action from 2.1.16 to 2.1.17 by @dependabot in https://github.com/sigstore/scaffolding/pull/253

    • Bump github.com/sigstore/rekor from 0.9.1 to 0.10.0 by @dependabot in https://github.com/sigstore/scaffolding/pull/255

    • add support for adding read replicas. can be used for failover by @k4leung4 in https://github.com/sigstore/scaffolding/pull/251

    • use workload identity for external secret instead of service key. by @k4leung4 in https://github.com/sigstore/scaffolding/pull/233

    • bump external-secrets api to v1beta1 now we are on v0.5.x by @k4leung4 in https://github.com/sigstore/scaffolding/pull/260

    • plumb mysql replica configuration into sigstore module. by @k4leung4 in https://github.com/sigstore/scaffolding/pull/261

    • Add a tuf server as well as repo management for tuf. by @vaikas in https://github.com/sigstore/scaffolding/pull/262

    • remove token creator role for external secrets. by @k4leung4 in https://github.com/sigstore/scaffolding/pull/264

    • clean up unused module variables by @k4leung4 in https://github.com/sigstore/scaffolding/pull/266

    • Refactor the github action, test with tuf root. by @vaikas in https://github.com/sigstore/scaffolding/pull/263

    • Bump github.com/sigstore/cosign from 1.10.0 to 1.10.1 by @dependabot in https://github.com/sigstore/scaffolding/pull/270

    • Bump github/codeql-action from 2.1.17 to 2.1.18 by @dependabot in https://github.com/sigstore/scaffolding/pull/269

    • Bump github.com/prometheus/client_golang from 1.12.2 to 1.13.0 by @dependabot in https://github.com/sigstore/scaffolding/pull/271

    • Add job ttls, use setup-scaffolding for e2e tests, update getting-started.md by @vaikas in https://github.com/sigstore/scaffolding/pull/267

    • Break release into smaller chunks. by @vaikas in https://github.com/sigstore/scaffolding/pull/268

    Full Changelog: https://github.com/sigstore/scaffolding/compare/v0.3.0...v0.4.0

    Source code(tar.gz)
    Source code(zip)
    release-ctlog.yaml(5.21 KB)
    release-fulcio.yaml(4.54 KB)
    release-rekor.yaml(4.58 KB)
    release-trillian.yaml(7.44 KB)
    release-tuf.yaml(2.93 KB)
    setup-kind.sh(9.78 KB)
    setup-scaffolding.sh(4.08 KB)
    testrelease.yaml(5.50 KB)
  • v0.3.0(May 30, 2022)

    What's Changed

    • Bump k8s.io/apimachinery from 0.23.5 to 0.23.6 by @dependabot in https://github.com/sigstore/scaffolding/pull/137
    • Bump k8s.io/api from 0.23.5 to 0.23.6 by @dependabot in https://github.com/sigstore/scaffolding/pull/139
    • Bump actions/checkout from 3.0.1 to 3.0.2 by @dependabot in https://github.com/sigstore/scaffolding/pull/135
    • Bump hashicorp/setup-terraform from 1.4.0 to 2 by @dependabot in https://github.com/sigstore/scaffolding/pull/134
    • Bump k8s.io/client-go from 0.23.5 to 0.23.6 by @dependabot in https://github.com/sigstore/scaffolding/pull/132
    • Bump k8s.io/code-generator from 0.23.5 to 0.23.6 by @dependabot in https://github.com/sigstore/scaffolding/pull/133
    • Update setup-kind.sh by @loosebazooka in https://github.com/sigstore/scaffolding/pull/142
    • always have 1 pod running to avoid scale to 0 in ci by @cpanato in https://github.com/sigstore/scaffolding/pull/143
    • Bump github.com/sigstore/sigstore from 1.1.0 to 1.2.0 by @dependabot in https://github.com/sigstore/scaffolding/pull/136
    • fix: actions/cache by @embano1 in https://github.com/sigstore/scaffolding/pull/141
    • Bump github.com/go-openapi/runtime from 0.23.3 to 0.24.0 by @dependabot in https://github.com/sigstore/scaffolding/pull/146
    • Bump sigstore/cosign-installer from 2.2.1 to 2.3.0 by @dependabot in https://github.com/sigstore/scaffolding/pull/144
    • Bump github/codeql-action from 2.1.8 to 2.1.9 by @dependabot in https://github.com/sigstore/scaffolding/pull/145
    • Add Job for updating tree for sharding by @priyawadhwa in https://github.com/sigstore/scaffolding/pull/147
    • Bump docker/login-action from 1.14.1 to 2 by @dependabot in https://github.com/sigstore/scaffolding/pull/148
    • Make mysql instance name, and keys configurable in Terraform by @k4leung4 in https://github.com/sigstore/scaffolding/pull/156
    • allow configuring of mysql db name. by @k4leung4 in https://github.com/sigstore/scaffolding/pull/157
    • Add in a read-only prober across Rekor and Fulcio API endpoints by @priyawadhwa in https://github.com/sigstore/scaffolding/pull/158
    • Add alerts for sigstore prober to monitoring tf module by @priyawadhwa in https://github.com/sigstore/scaffolding/pull/160
    • make storage class and location configurable. by @k4leung4 in https://github.com/sigstore/scaffolding/pull/159
    • Bump github/codeql-action from 2.1.9 to 2.1.10 by @dependabot in https://github.com/sigstore/scaffolding/pull/161
    • Bump github.com/google/certificate-transparency-go from 1.1.2 to 1.1.3 by @dependabot in https://github.com/sigstore/scaffolding/pull/165
    • Bump actions/setup-go from 3.0.0 to 3.1.0 by @dependabot in https://github.com/sigstore/scaffolding/pull/162
    • pass correct var for tuf region. by @k4leung4 in https://github.com/sigstore/scaffolding/pull/166
    • Bind sigstore-prober KSA to GCP prometheus service account by @priyawadhwa in https://github.com/sigstore/scaffolding/pull/167
    • Set keyring iam to depend on service account to avoid error. by @k4leung4 in https://github.com/sigstore/scaffolding/pull/168
    • Add vars for mysql to allow matching prod migration instance. by @k4leung4 in https://github.com/sigstore/scaffolding/pull/170
    • More uptime alerts for rekor endpoints by @priyawadhwa in https://github.com/sigstore/scaffolding/pull/155
    • Fix alert documentation and set alignment period to 5m by @priyawadhwa in https://github.com/sigstore/scaffolding/pull/172
    • set service account to correct prometheus namespace by @k4leung4 in https://github.com/sigstore/scaffolding/pull/173
    • Add necessary permissions to prometheus SA to export to GCP monitoring by @priyawadhwa in https://github.com/sigstore/scaffolding/pull/174
    • allow specifying mysql dbname. by @k4leung4 in https://github.com/sigstore/scaffolding/pull/175
    • Alignment period for latency alerts should be 60 seconds by @priyawadhwa in https://github.com/sigstore/scaffolding/pull/176
    • Bump github.com/prometheus/client_golang from 1.12.1 to 1.12.2 by @dependabot in https://github.com/sigstore/scaffolding/pull/179
    • Bump goreleaser/goreleaser-action from 2.9.1 to 3 by @dependabot in https://github.com/sigstore/scaffolding/pull/178
    • Bump github/codeql-action from 2.1.10 to 2.1.11 by @dependabot in https://github.com/sigstore/scaffolding/pull/177
    • Bump google.golang.org/grpc from 1.45.0 to 1.46.2 by @dependabot in https://github.com/sigstore/scaffolding/pull/164
    • sync go mod by @cpanato in https://github.com/sigstore/scaffolding/pull/184
    • add flag to run one time and exit. by @k4leung4 in https://github.com/sigstore/scaffolding/pull/181
    • change default mysql version from 8.0 to 5.7 by @k4leung4 in https://github.com/sigstore/scaffolding/pull/180
    • update to go1.18 by @cpanato in https://github.com/sigstore/scaffolding/pull/185
    • Bump github.com/sigstore/rekor from 0.6.0 to 0.7.0 by @dependabot in https://github.com/sigstore/scaffolding/pull/189
    • Bump actions/setup-go from 3.1.0 to 3.2.0 by @dependabot in https://github.com/sigstore/scaffolding/pull/186
    • add pathremove cache, not needed by @cpanato in https://github.com/sigstore/scaffolding/pull/192

    New Contributors

    • @embano1 made their first contribution in https://github.com/sigstore/scaffolding/pull/141

    Full Changelog: https://github.com/sigstore/scaffolding/compare/v0.2.9...v0.3.0

    Thanks to all contributors!

    Source code(tar.gz)
    Source code(zip)
    release.yaml(20.94 KB)
    setup-kind.sh(9.78 KB)
    testrelease.yaml(4.23 KB)
  • v0.2.9(Apr 25, 2022)

    What's Changed

    • bump kind node versions. by @k4leung4 in https://github.com/sigstore/scaffolding/pull/126
    • Add firewall to allow ingress webhook by @k4leung4 in https://github.com/sigstore/scaffolding/pull/123
    • Updated ctlog config to include CodeSigning usage. by @k4leung4 in https://github.com/sigstore/scaffolding/pull/125
    • Add checks in setup-kind for existing steps by @eddiezane in https://github.com/sigstore/scaffolding/pull/122
    • Bump instructions to use latest release (v0.2.8) and test with it. by @vaikas in https://github.com/sigstore/scaffolding/pull/130
    • Do not scale fulcio/rekor down to zero to prevent flakes when waiting for things to come up.

    New Contributors

    • @eddiezane made their first contribution in https://github.com/sigstore/scaffolding/pull/122

    Full Changelog: https://github.com/sigstore/scaffolding/compare/v0.2.8...v0.2.9

    Source code(tar.gz)
    Source code(zip)
    release.yaml(19.82 KB)
    setup-kind.sh(9.63 KB)
    testrelease.yaml(4.11 KB)
  • v0.2.8(Apr 19, 2022)

    What's Changed

    • sync go module by @cpanato in https://github.com/sigstore/scaffolding/pull/124
    • Fetch only root certificate from cert chain by @haydentherapper in https://github.com/sigstore/scaffolding/pull/111
    • Add KMS key for Fulcio by @haydentherapper in https://github.com/sigstore/scaffolding/pull/112
    • fix missing variables for kms rekor/fulcio by @cpanato in https://github.com/sigstore/scaffolding/pull/114
    • Add presubmit test for "terraform validate" to the sigstore module by @priyawadhwa in https://github.com/sigstore/scaffolding/pull/116
    • use chainguard set of actions to avoid duplication by @cpanato in https://github.com/sigstore/scaffolding/pull/113
    • Split up KMS module keys into rekor and fulcio modules by @priyawadhwa in https://github.com/sigstore/scaffolding/pull/117
    • Bump actions/checkout from 3.0.0 to 3.0.1 by @dependabot in https://github.com/sigstore/scaffolding/pull/118
    • Bump github.com/sigstore/rekor from 0.5.0 to 0.6.0 by @dependabot in https://github.com/sigstore/scaffolding/pull/121
    • Bump github/codeql-action from 1 to 2.1.8 by @dependabot in https://github.com/sigstore/scaffolding/pull/120
    • Bump sigstore/cosign-installer from 2.2.0 to 2.2.1 by @dependabot in https://github.com/sigstore/scaffolding/pull/119

    New Contributors

    • @haydentherapper made their first contribution in https://github.com/sigstore/scaffolding/pull/111

    Full Changelog: https://github.com/sigstore/scaffolding/compare/v0.2.6...v0.2.8

    Source code(tar.gz)
    Source code(zip)
    release.yaml(19.66 KB)
    setup-kind.sh(9.47 KB)
    testrelease.yaml(4.11 KB)
  • v0.2.6(Apr 11, 2022)

    What's Changed

    • Test with v0.2.5, update docs. by @vaikas in https://github.com/sigstore/scaffolding/pull/89
    • Add sigstore terraform for GCP by @priyawadhwa in https://github.com/sigstore/scaffolding/pull/93
    • Add in github action for terraform fmt and tfsec by @priyawadhwa in https://github.com/sigstore/scaffolding/pull/98
    • sigstore module depends on bastion module by @priyawadhwa in https://github.com/sigstore/scaffolding/pull/97
    • Add examples for signing and verifying an image, as well as by @vaikas in https://github.com/sigstore/scaffolding/pull/94
    • Mention there are TF templates, add pointer. by @vaikas in https://github.com/sigstore/scaffolding/pull/96
    • Resurrect trillian createdb by @k4leung4 in https://github.com/sigstore/scaffolding/pull/92
    • fix secret keys to match helm chart expectation. by @k4leung4 in https://github.com/sigstore/scaffolding/pull/99
    • Allow specifying the password to use for creating and encrypting keys and pems by @k4leung4 in https://github.com/sigstore/scaffolding/pull/103
    • change default cert registration info. by @k4leung4 in https://github.com/sigstore/scaffolding/pull/104
    • Make enabling CA service with Fulcio optional by @priyawadhwa in https://github.com/sigstore/scaffolding/pull/101
    • Bump actions/upload-artifact from 2 to 3 by @dependabot in https://github.com/sigstore/scaffolding/pull/109
    • Bump hashicorp/setup-terraform from 1.3.2 to 1.4.0 by @dependabot in https://github.com/sigstore/scaffolding/pull/108
    • pin versions using git commit instead of tags by @cpanato in https://github.com/sigstore/scaffolding/pull/110

    New Contributors

    • @priyawadhwa made their first contribution in https://github.com/sigstore/scaffolding/pull/93
    • @k4leung4 made their first contribution in https://github.com/sigstore/scaffolding/pull/92

    Full Changelog: https://github.com/sigstore/scaffolding/compare/v0.2.5...v0.2.6

    Thanks to all contributors!

    Source code(tar.gz)
    Source code(zip)
    release.yaml(19.66 KB)
    setup-kind.sh(9.47 KB)
    testrelease.yaml(4.11 KB)
  • v0.2.5(Apr 5, 2022)

  • v0.2.4(Apr 4, 2022)

    What's Changed

    ******* @vaikas screwed up this release :) Do not use, there are no artifacts *******

    • more detailed log for fulcio root cert fetch error by @tsl0922 in https://github.com/sigstore/scaffolding/pull/84
    • Start of an action to install kind,knative and sigstore pieces + tests. by @vaikas in https://github.com/sigstore/scaffolding/pull/85
    • rename inputs to be more consistent with others. by @vaikas in https://github.com/sigstore/scaffolding/pull/86
    • Test release with v0.2.3. by @vaikas in https://github.com/sigstore/scaffolding/pull/87
    • Use apko as base image and add version information by @cpanato in https://github.com/sigstore/scaffolding/pull/88

    New Contributors

    • @tsl0922 made their first contribution in https://github.com/sigstore/scaffolding/pull/84

    Full Changelog: https://github.com/sigstore/scaffolding/compare/v0.2.3...v0.2.4

    Source code(tar.gz)
    Source code(zip)
  • v0.2.3(Mar 28, 2022)

    What's Changed

    • Bump docs release version to v0.2.2 and test with it. by @vaikas in https://github.com/sigstore/scaffolding/pull/74
    • Bump k8s.io/client-go from 0.23.4 to 0.23.5 by @dependabot in https://github.com/sigstore/scaffolding/pull/76
    • Bump k8s.io/code-generator from 0.23.4 to 0.23.5 by @dependabot in https://github.com/sigstore/scaffolding/pull/79
    • Bump github.com/go-openapi/runtime from 0.23.2 to 0.23.3 by @dependabot in https://github.com/sigstore/scaffolding/pull/77
    • Bump google.golang.org/protobuf from 1.27.1 to 1.28.0 by @dependabot in https://github.com/sigstore/scaffolding/pull/83
    • Bump actions/cache from 2 to 3 by @dependabot in https://github.com/sigstore/scaffolding/pull/82
    • Starting to play with URLs in e2e tests. by @vaikas in https://github.com/sigstore/scaffolding/pull/75

    Full Changelog: https://github.com/sigstore/scaffolding/compare/v0.2.2...v0.2.3

    Thanks to all contributors!

    Source code(tar.gz)
    Source code(zip)
    release.yaml(18.16 KB)
    setup-kind.sh(9.47 KB)
    testrelease.yaml(4.11 KB)
  • v0.2.2(Mar 16, 2022)

    What's Changed

    • update license headers and add job to check the boilerplate by @cpanato in https://github.com/sigstore/scaffolding/pull/69
    • Bump google.golang.org/grpc from 1.44.0 to 1.45.0 by @dependabot in https://github.com/sigstore/scaffolding/pull/71
    • add shellcheck action job by @cpanato in https://github.com/sigstore/scaffolding/pull/72
    • Change job check-oidc name to sign-job. by @vaikas in https://github.com/sigstore/scaffolding/pull/73

    Full Changelog: https://github.com/sigstore/scaffolding/compare/v0.2.1...v0.2.2

    Thanks to all contributors!

    Source code(tar.gz)
    Source code(zip)
    release.yaml(17.94 KB)
    setup-kind.sh(9.47 KB)
    testrelease.yaml(3.40 KB)
  • v0.2.1(Mar 8, 2022)

    What's Changed

    • Bump sigstore/cosign-installer from 2.0.1 to 2.1.0 by @dependabot in https://github.com/sigstore/scaffolding/pull/55
    • Bump google.golang.org/grpc from 1.43.0 to 1.44.0 by @dependabot in https://github.com/sigstore/scaffolding/pull/59
    • Bump github.com/go-openapi/strfmt from 0.21.1 to 0.21.2 by @dependabot in https://github.com/sigstore/scaffolding/pull/63
    • Bump github.com/go-openapi/runtime from 0.21.0 to 0.23.2 by @dependabot in https://github.com/sigstore/scaffolding/pull/62
    • Bump github.com/sigstore/rekor from 0.4.0 to 0.5.0 by @dependabot in https://github.com/sigstore/scaffolding/pull/61
    • Bump k8s.io/apimachinery from 0.23.1 to 0.23.4 by @dependabot in https://github.com/sigstore/scaffolding/pull/56
    • Bump k8s.io/api from 0.23.1 to 0.23.4 by @dependabot in https://github.com/sigstore/scaffolding/pull/60
    • Bump k8s.io/client-go from 0.23.1 to 0.23.4 by @dependabot in https://github.com/sigstore/scaffolding/pull/58
    • Bump k8s.io/code-generator from 0.22.5 to 0.23.4 by @dependabot in https://github.com/sigstore/scaffolding/pull/57
    • Fix issue #65 by renaming ctlog/createcerts to createctconfig by @vaikas in https://github.com/sigstore/scaffolding/pull/67
    • fix ko config by @cpanato in https://github.com/sigstore/scaffolding/pull/68

    Full Changelog: https://github.com/sigstore/scaffolding/compare/v0.2.0...v0.2.1

    Thanks to all contributors!

    Source code(tar.gz)
    Source code(zip)
    release.yaml(20.56 KB)
    setup-kind.sh(9.02 KB)
    testrelease.yaml(1.89 KB)
  • v0.2.0(Mar 7, 2022)

    What's Changed

    • Test with 0.1.19 release. by @vaikas in https://github.com/sigstore/scaffolding/pull/49
    • Create codeql-analysis.yml by @vaikas in https://github.com/sigstore/scaffolding/pull/50
    • Clean up README, update links from vaikas/sigstore-scaffolding to sigstore/scaffolding. by @vaikas in https://github.com/sigstore/scaffolding/pull/51
    • Release job update by @cpanato in https://github.com/sigstore/scaffolding/pull/52
    • add dependabot by @cpanato in https://github.com/sigstore/scaffolding/pull/53
    • Bump actions/checkout from 2 to 3 by @dependabot in https://github.com/sigstore/scaffolding/pull/54

    New Contributors

    • @cpanato made their first contribution in https://github.com/sigstore/scaffolding/pull/52

    Full Changelog: https://github.com/sigstore/scaffolding/compare/v0.1.19...v0.2.0

    Thanks to all contributors!

    Source code(tar.gz)
    Source code(zip)
    release.yaml(20.55 KB)
    setup-kind.sh(9.02 KB)
    testrelease.yaml(1.89 KB)
  • v0.1.19(Feb 26, 2022)

  • v0.1.18(Feb 26, 2022)

  • v0.1.16(Feb 10, 2022)

  • v0.1.15(Feb 7, 2022)

  • v0.1.14(Feb 4, 2022)

  • v0.1.11-alpha(Jan 25, 2022)

  • v0.1.10-alpha(Jan 24, 2022)

  • v0.1.9-alpha(Jan 18, 2022)
