Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump cosign to 0.0.20 for google cloud / workstation signing #2587

Merged
merged 1 commit into from
Apr 29, 2024
Merged

Bump cosign to 0.0.20 for google cloud / workstation signing #2587

merged 1 commit into from
Apr 29, 2024

Conversation

smoser
Copy link
Contributor

@smoser smoser commented Apr 27, 2024

This makes signing and publishing of sboms "just work" on a google cloud / workstation instance.

So on a workstation, you can just 'make image/busybox' and sboms will be populated.

See chainguard-dev/terraform-provider-cosign#158 for more information.

New Image Pull Request Template

Image Size

  • The Image is smaller in size than its common public counterpart.
  • The Image is larger in size than its common public counterpart (please explain in the notes).

Notes:

Image Vulnerabilities

  • The Grype vulnerability scan returned 0 CVE(s).
  • The Grype vulnerability scan returned > 0 CVE(s) (please explain in the notes).

Notes:

Image Tagging

  • The image is not tagged with version tags.
  • The image is tagged with :latest
  • The image is not tagged with :latest (please explain in the notes).

Notes:

Basic Testing - K8s cluster

  • The container image was successfully loaded into a kind cluster.
  • The container image could not be loaded into a kind cluster (please explain in the notes).

Notes:

Basic Testing - Package/Application

  • The application is accessible to the user/cluster/etc. after start-up.
  • The application is not accessible to the user/cluster/etc. after start-up. (please explain in the notes).

Notes:

Helm

  • A Helm chart has been provided and the container image can be used with the chart. If needed, please add a -compat package to close any gaps with the public helm chart.
  • A Helm chart has been provided and the container image is not working with the chart (please explain in the notes).
  • A Helm chart was not provided.

Notes:

Processor Architectures

  • The image was built and tested for x86_64.
  • The image could not be built for x86_64 (please explain in the notes).
  • The image was built and tested for aarch64.
  • The image could not be built for aarch64. (please explain in the notes).

Notes:

Functional Testing + Documentation

  • Functional tests have been included and the tests are passing. All tests have been documnted in the notes section.

Notes:

Environment Testing + Documentation

  • There has not been a request and/or there is no indication that this image needs tested on a public cloud provider.
  • The container image has been tested successfully on a public cloud provider (AWS, GCP, Azure).
  • The container image has not been tested successfully on a public cloud provider (AWS, GCP, Azure) (please explain in the notes).

Notes:

Version

  • The package version is the latest version of the package. The latest tag points to this version.
  • The package version is the not the latest version of the package (please explain in the notes).

Notes:

Dev Tag Availability

  • There is a dev tag available that includes a shell and apk tools (by depending on 'wolfi-base')
  • There is not a dev tag available that includes a shell and apk tools (by depending on 'wolfi-base') (please explain in the notes).

Notes:

Access Control + Authentication

  • The image runs as nonroot and GID/UID are set to 65532 or upstream default
  • Alternatively the username and GID/UID may be a commonly used one from the ecosystem e.g: postgres
  • The image requires a non-standard username or non-standard GID/UID (please explain in the notes).

ENTRYPOINT

  • applications/servers/utilities set to call main program with no arguments e.g. [redis-server]
  • applications/servers/utilities not set to call main program with no arguments e.g. [redis-server] (please explain in the notes)
  • base images leave empty.
  • base image and not empty (please explain in the notes).
  • dev variants is set to entrypoint script that falls back to system.
  • dev variants is not set to entrypoint script that falls back to system (please explain in the notes).

CMD

  • For server applications give arguments to start in daemon mode (may be empty)
  • For utilities/tooling bring up help e.g. –help
  • For base images with a shell, call it e.g. [/bin/sh]

Environment Variables

  • Environment variables added.
  • Environment variables not added and not required.

SIGTERM

  • The image responds to SIGTERM (e.g., docker kill $(docker run -d --rm cgr.dev/chainguard/nginx))

Logs

  • Error logs write to stderr and normal logs to stdout. Logs DO NOT write to file.

Documentation - README

  • A README file has been provided and it follows the README template.

@smoser smoser mentioned this pull request Apr 27, 2024
Merged
@smoser smoser force-pushed the feature/gce-sboms branch from 8f65871 to 555084f Compare April 27, 2024 15:04
Bump cosign to 0.0.20 for google cloud / workstation signing
edfe561 
This makes signing and publishing of sboms "just work" on a google
cloud / workstation instance.

So on a workstation, you can just 'make image/busybox' and sboms
will be populated.

See chainguard-dev/terraform-provider-cosign#158
for more information

Signed-off-by: Scott Moser <scott.moser@chainguard.com>
@smoser smoser force-pushed the feature/gce-sboms branch from 555084f to edfe561 Compare April 29, 2024 12:58
@smoser smoser marked this pull request as ready for review April 29, 2024 14:27
@imjasonh imjasonh merged commit 6e731e7 into chainguard-images:main Apr 29, 2024
40 of 54 checks passed
@imjasonh
Copy link
Member

Test failures are unrelated, merging.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@imjasonh imjasonh imjasonh approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@smoser @imjasonh