Batuhan Apaydın developer-guy
🐾
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ gcloud projects add-iam-policy-binding ${PROJECT_ID} \ | |
| --role roles/cloudkms.verifier \ | |
| --member serviceAccount:${GSA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com | |
| $ gcloud projects add-iam-policy-binding ${PROJECT_ID} \ | |
| --role roles/cloudkms.viewer \ | |
| --member serviceAccount:${GSA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ helm repo add kyverno https://kyverno.github.io/kyverno/ | |
| $ helm repo update | |
| $ helm install kyverno kyverno/kyverno --namespace kyverno --create-namespace |
developer-guy
/ gcp-annotate-serviceacc.sh
Created
March 22, 2022 14:12
gcp service account annotate
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ kubectl annotate serviceaccount \ | |
| --namespace kyverno \ | |
| kyverno \ | |
| iam.gke.io/gcp-service-account=${GSA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com |
developer-guy
/ generate-key-pair-kms.sh
Created
March 22, 2022 14:11
Cosign generate key pair GCP KMS
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ gcloud kms keyrings create test - location "global" | |
| $ gcloud kms keys create "cosign" \ | |
| - location "global" \ | |
| - keyring "test" \ | |
| - purpose=asymmetric-signing - default-algorithm=ec-sign-p256-sha256 | |
| $ cosign generate-key-pair - kms gcpkms://projects/$PROJECT_ID/locations/global/keyRings/test/cryptoKeys/cosign/versions/1 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ cosign sign --key gcpkms://projects/$PROJECT_ID/locations/global/keyRings/test/cryptoKeys/cosign/versions/1 gcr.io/$PROJECT_ID/alpine:3.15.0 |
developer-guy
/ kyverno-verify-images.yaml
Created
March 22, 2022 14:10
Kyverno verifyImages GCP KMS
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: kyverno.io/v1 | |
| kind: ClusterPolicy | |
| metadata: | |
| name: check-image | |
| spec: | |
| validationFailureAction: enforce | |
| background: false | |
| webhookTimeoutSeconds: 30 | |
| failurePolicy: Fail | |
| rules: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # signs the checksum file | |
| # all files (including the sboms) are included in the checksum, so we don't need to sign each one if we don't want to | |
| # https://goreleaser.com/customization/sign | |
| signs: | |
| - cmd: cosign | |
| env: | |
| - COSIGN_EXPERIMENTAL=1 | |
| certificate: '${artifact}.pem' | |
| args: | |
| - sign-blob |
developer-guy
/ sign-container-image.yaml
Created
March 21, 2022 14:47
GoReleaser setting to sign container images with cosign
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # signs our docker image | |
| # https://goreleaser.com/customization/docker_sign | |
| docker_signs: | |
| - cmd: cosign | |
| env: | |
| - COSIGN_EXPERIMENTAL=1 | |
| artifacts: images | |
| output: true | |
| args: | |
| - 'sign' |
developer-guy
/ cosign-installer.yaml
Created
March 21, 2022 14:30
install cosign with cosign-install GA
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - uses: sigstore/[email protected] # installs cosign |
developer-guy
/ sbom.yaml
Created
March 21, 2022 12:47
GoReleaser SBOM generation configuration section
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # creates SBOMs of all archives and the source tarball using syft | |
| # https://goreleaser.com/customization/sbom | |
| # Two different sbom configurations need two different IDs | |
| sboms: | |
| - id: archive | |
| artifacts: archive | |
| - id: source | |
| artifacts: source |