使用 GitHub actions 和 keyvault 使用 cosign 签名 OCI 和 Docker 镜像

huangapple go评论73阅读模式
英文:

Signing OCI and Docker Images with cosign in GitHub actions using keyvault

问题

我想要使用 [cosign](https://github.com/sigstore/cosign) 来签名我的 Docker 镜像,但不想手动管理每个仓库的私钥,而是想使用 Azure 密钥保管库 (Key Vault)。

在我的本地计算机上,这个操作完全正常:

```bash
cosign sign --key azurekms://<myvault>.vault.azure.net/<key-name> <my-image>

现在我想在 GitHub Actions 中自动化这个过程。我构建了镜像,登录到了注册表,登录到了 Azure(使用 Azure 服务主体以及联合身份验证凭据 OIDC),然后运行 cosign。但是出现了以下错误:

cosign sign --key azurekms://MyKeyVault.vault.azure.net/MyKeyName myimage@digest
Error: public key: public key: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://***.vault.azure.net/keys/MyKeyName/?api-version=7.1: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_request","error_description":"Identity not found"} Endpoint http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&amp;resource=https%3A%2F%2Fvault.azure.net
main.go:74: error during command execution: public key: public key: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://***.vault.azure.net/keys/MyKeyName/?api-version=7.1: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_request","error_description":"Identity not found"} Endpoint http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&amp;resource=https%3A%2F%2Fvault.azure.net

登录到 Azure 可以正常工作,我可以无问题地运行 az keyvault key list。但 cosign 却不起作用。有人可以帮忙吗?

这是我的 GitHub Actions 工作流程:

name: Docker-Build
on:
  push:

permissions:
  id-token: write
  contents: read
  packages: write

jobs:
  build:

    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Install cosign
        uses: sigstore/cosign-installer@v3

      - name: Setup Docker buildx
        uses: docker/setup-buildx-action@v2

      - name: Log into registry DockerHub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.MY_DOCKERHUB_USER }}
          password: ${{ secrets.MY_DOCKERHUB_TOKEN }}

      - name: Log in with Azure
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Build and push Docker image
        id: build-and-push
        uses: docker/build-push-action@v4
        with:
          tags: ${{ github.actor }}/myimage:${{ github.ref_name }}

      - name: Sign the published Docker image
        run: |
          # Works
          az keyvault key list --id {{ secrets.COSIGN_KEY_STORE }}
          # Does not work
          cosign sign --key ${{ secrets.COSIGN_KEY_STORE }} ${{ github.actor }}/myimage@${{ github.ref_name }}          

我尝试使用具有机密和 OpenID Connect (OIDC) 的服务主体,以及使用联合身份验证凭据的 Azure 服务主体 - 没有任何区别。
我还更改了范围并使用了 az cli(这可以正常工作)。

我现在没有更多的想法了。


<details>
<summary>英文:</summary>

I want to sign my Docker images with [cosign ](https://github.com/sigstore/cosign) but instead of manually managing my private key for each repo I want to use a keyvault (azure). 

This works perfectly on my local pc:

```bash
cosign sign --key azurekms://&lt;myvault&gt;.vault.azure.net/&lt;key-name&gt; &lt;my-image&gt;

Now I want to automate it in GitHub Actions. I build the image, log into the registries, log into azure (using (OIDC) with a Azure service principal using a Federated Identity Credential), and run cosign. And it fails with:

cosign sign --key  azurekms://MyKeyVault.vault.azure.net/MyKeyName myimage@digest
Error: public key: public key: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://***.vault.azure.net/keys/MyKeyName/?api-version=7.1: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = &#39;400&#39;. Response body: {&quot;error&quot;:&quot;invalid_request&quot;,&quot;error_description&quot;:&quot;Identity not found&quot;} Endpoint http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&amp;resource=https%3A%2F%2Fvault.azure.net
main.go:74: error during command execution: public key: public key: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://***.vault.azure.net/keys/MyKeyName/?api-version=7.1: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = &#39;400&#39;. Response body: {&quot;error&quot;:&quot;invalid_request&quot;,&quot;error_description&quot;:&quot;Identity not found&quot;} Endpoint http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&amp;resource=https%3A%2F%2Fvault.azure.net

The login into azure works and I can run az keyvault key list without a problem. But cosign does not work. Can someone help?

This is my GH Action workflow:

name: Docker-Build
on:
  push:

permissions:
  id-token: write
  contents: read
  packages: write

jobs:
  build:

    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Install cosign
        uses: sigstore/cosign-installer@v3

      - name: Setup Docker buildx
        uses: docker/setup-buildx-action@v2

      - name: Log into registry DockerHub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.MY_DOCKERHUB_USER }}
          password: ${{ secrets.MY_DOCKERHUB_TOKEN }}

      - name: Log in with Azure
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Build and push Docker image
        id: build-and-push
        uses: docker/build-push-action@v4
        with:
          tags: ${{ github.actor }}/myimage:${{ github.ref_name }}

      - name: Sign the published Docker image
        run: |
          # Works
          az keyvault key list --id {{ secrets.COSIGN_KEY_STORE }}
          # Does not work
          cosign sign --key ${{ secrets.COSIGN_KEY_STORE }} ${{ github.actor }}/myimage@${{ github.ref_name }}          

I tried using a service principal with secrets and OpenID Connect (OIDC) with a Azure service principal using a Federated Identity Credential - no differance.
I also changed the scopes and use the az cli (which works)

I'm beyond ideas right now

答案1

得分: 0

从你找到的代码中,有一个未记录的变量AZURE_AUTH_METHOD=cli,可以设置它来改变身份验证方式,从使用环境变量改为使用CLI:

      - name: 对发布的Docker镜像进行签名
        env:
          AZURE_AUTH_METHOD: cli
        run: |
                    cosign sign --key ${{ secrets.COSIGN_KEY_STORE }} ${{ github.actor }}/myimage@${{ github.ref_name }}
英文:

From the code you found, there's an undocumented variable, AZURE_AUTH_METHOD=cli, to set that will change the authentication from using environment variables to using the CLI:

      - name: Sign the published Docker image
        env:
          AZURE_AUTH_METHOD: cli
        run: |
                    cosign sign --key ${{ secrets.COSIGN_KEY_STORE }} ${{ github.actor }}/myimage@${{ github.ref_name }}

Original answer:

Cosign needs the following environment variables defined:

  • AZURE_TENANT_ID
  • AZURE_CLIENT_ID
  • AZURE_CLIENT_SECRET

Reference: https://docs.sigstore.dev/cosign/kms_support/#azure-key-vault

I believe that would look something like:

      - name: Sign the published Docker image
        env:
          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
        run: |
                    cosign sign --key ${{ secrets.COSIGN_KEY_STORE }} ${{ github.actor }}/myimage@${{ github.ref_name }}

huangapple
  • 本文由 发表于 2023年5月28日 02:48:20
  • 转载请务必保留本文链接:https://go.coder-hub.com/76348498.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定