feat: binary auth enabled

.github/workflows/attest-images.yml

@@ -0,0 +1,47 @@
+name: Attest Images
+on: [workflow_call]
+jobs:
+  binary-auth:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: .
+    steps:
+    - uses: actions/checkout@v2
+    - id: gcloud-auth
+      name: Authenticate with gcloud
+      uses: 'google-github-actions/auth@v1'
+      with:
+        credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
+    - name: Set up Cloud SDK
+      id: setup-gcloud-sdk
+      uses: 'google-github-actions/setup-gcloud@v1'
+    - name: Install gcloud beta
+      id: install-gcloud-beta
+      run: gcloud components install beta
+    - name: Attest Images
+      run: |
+        grep -ir "image:" ./manifests/blog-app/ | awk {'print $3'} | sort -t: -u -k1,1 > ./images
+        for image in $(cat ./images); do
+          no_of_slash=$(echo $image | tr -cd '/' | wc -c)
+          prefix=""
+          if [ $no_of_slash -eq 1 ]; then
+            prefix="docker.io/"
+          fi
+          if [ $no_of_slash -eq 0 ]; then
+            prefix="docker.io/library/"
+          fi
+          image_to_attest=$image
+          if [[ $image =~ "@" ]]; then
+            echo "Image $image has DIGEST"
+            image_to_attest="${prefix}${image}"
+          else
+            echo "All images should be in the SHA256 digest format"
+            exit 1
+          fi
+          echo "Processing $image"
+          attestation_present=$(gcloud beta container binauthz attestations list --attestor-project="${{ secrets.PROJECT_ID }}" --attestor="${{ secrets.ATTESTOR_NAME }}" --artifact-url="${image_to_attest}")
+          if [ -z "${attestation_present// }" ]; then
+            gcloud beta container binauthz attestations sign-and-create --artifact-url="${image_to_attest}" --attestor="${{ secrets.ATTESTOR_NAME }}" --attestor-project="${{ secrets.PROJECT_ID }}" --keyversion-project="${{ secrets.PROJECT_ID }}" --keyversion-location="${{ secrets.KMS_KEY_LOCATION }}" --keyversion-keyring="${{ secrets.KMS_KEYRING_NAME }}" --keyversion-key="${{ secrets.KMS_KEY_NAME }}" --keyversion="${{ secrets.KMS_KEY_VERSION }}"
+          fi
+        done

.github/workflows/dev-cd-workflow.yml

@@ -11,10 +11,10 @@ jobs:
     name: Run Integration Tests
     uses: ./.github/workflows/run-tests.yml
     secrets: inherit
-  # binary-auth:
-  #   name: Attest Images
-  #   uses: ./.github/workflows/attest-images.yml
-  #   secrets: inherit
+  binary-auth:
+    name: Attest Images
+    uses: ./.github/workflows/attest-images.yml
+    secrets: inherit
   # raise-pull-request:
   #   name: Raise PR to prod branch
   #   uses: ./.github/workflows/raise-pr.yml

manifests/blog-app/blog-app.yaml

@@ -22,7 +22,7 @@ spec:
     spec:
       containers:
         - name: mongodb
-          image: mongo:7.0
+          image: docker.io/library/mongo@sha256:e64f27edef80b41715e5830312da25ea5e6874a2b62ed1adb3e8f74bde7475a6
           imagePullPolicy: Always
           ports:
             - containerPort: 27017
@@ -78,7 +78,7 @@ spec:
     spec:
       containers:
         - name: posts
-          image: tunacinsoy/sba-posts:83047ac
+          image: docker.io/tunacinsoy/sba-posts@sha256:54245463f0b41501c871c0cba14029583d6c5fd0bc8e202fa5201db6ab52d46d
           imagePullPolicy: Always
           ports:
             - containerPort: 5000
@@ -124,7 +124,7 @@ spec:
     spec:
       containers:
         - name: reviews
-          image: tunacinsoy/sba-reviews:74bcc5c
+          image: docker.io/tunacinsoy/sba-reviews@sha256:66d7f398d5b2f5a28e68776adb26fe6931eb9099ab8195e2cb36e9e0ae8620b5
           imagePullPolicy: Always
           ports:
             - containerPort: 5000
@@ -170,7 +170,7 @@ spec:
     spec:
       containers:
         - name: ratings
-          image: tunacinsoy/sba-ratings:a32b00a
+          image: docker.io/tunacinsoy/sba-ratings@sha256:c20883b45f92194a14ab093ca1c10d019b93a8458cead1a0645a2b762885627e
           imagePullPolicy: Always
           ports:
             - containerPort: 5000
@@ -216,7 +216,7 @@ spec:
     spec:
       containers:
         - name: users
-          image: tunacinsoy/sba-users:ddf2a8e
+          image: docker.io/tunacinsoy/sba-users@sha256:106c04abd8bfe3ff1f5c57031b67f4beee8d159ae4d51a0ccca1470f383e064a
           imagePullPolicy: Always
           ports:
             - containerPort: 5000
@@ -262,7 +262,7 @@ spec:
     spec:
       containers:
         - name: frontend
-          image: tunacinsoy/sba-frontend:2aea612
+          image: docker.io/tunacinsoy/sba-frontend@sha256:466ef8f59a7ef5081334c0e4082a2c16f01e251eaa08c94d803aeb0ed9684fd6
           imagePullPolicy: Always
           ports:
             - containerPort: 5000

scripts/convert-images-into-sha256-format.sh

@@ -0,0 +1,25 @@
+for image in $(cat ./images); do
+  no_of_slash=$(echo $image | tr -cd '/' | wc -c)
+  prefix=""
+  if [ $no_of_slash -eq 1 ]; then
+    prefix="docker.io/"
+  fi
+  if [ $no_of_slash -eq 0 ]; then
+    prefix="docker.io/library/"
+  fi
+  image_to_attest=$image
+  if [[ $image =~ "@" ]]; then
+    echo "Image $image has DIGEST"
+    image_to_attest="${prefix}${image}"
+  else
+    DIGEST=$(docker pull $image | grep Digest | awk {'print $2'})
+    image_name=$(echo $image | awk -F ':' {'print $1'})
+    image_to_attest="${prefix}${image_name}@${DIGEST}"
+  fi
+  escaped_image=$(printf '%s\n' "${image}" | sed -e 's/[]\/$*.^[]/\\&/g')
+  escaped_image_to_attest=$(printf '%s\n' "${image_to_attest}" |
+    sed -e 's/[]\/$*.^[]/\\&/g')
+  echo "Processing $image"
+  grep -rl $image ./manifests |
+    xargs sed -i "s/${escaped_image}/${escaped_image_to_attest}/g"
+done

terraform/binaryauth.tf

@@ -0,0 +1,55 @@
+resource "google_kms_key_ring" "qa-attestor-keyring" {
+  count = var.branch == "dev" ? 1 : 0
+  name     = "qa-attestor-keyring"
+  location = var.region
+  lifecycle {
+    prevent_destroy = false
+  }
+}
+
+module "qa-attestor" {
+  count = var.branch == "dev" ? 1 : 0
+  source = "terraform-google-modules/kubernetes-engine/google//modules/binary-authorization"
+  attestor-name = "quality-assurance"
+  project_id    = var.project_id
+  keyring-id    = google_kms_key_ring.qa-attestor-keyring[0].id
+}
+
+resource "google_binary_authorization_policy" "policy" {
+  count = var.branch == "dev" ? 1 : 0
+  admission_whitelist_patterns {
+    name_pattern = "gcr.io/google_containers/*"
+  }
+  admission_whitelist_patterns {
+    name_pattern = "gcr.io/google-containers/*"
+  }
+  admission_whitelist_patterns {
+    name_pattern = "k8s.gcr.io/**"
+  }
+  admission_whitelist_patterns {
+    name_pattern = "gke.gcr.io/**"
+  }
+  admission_whitelist_patterns {
+    name_pattern = "gcr.io/stackdriver-agents/*"
+  }
+  admission_whitelist_patterns {
+    name_pattern = "quay.io/argoproj/*"
+  }
+  admission_whitelist_patterns {
+    name_pattern = "ghcr.io/dexidp/*"
+  }
+  admission_whitelist_patterns {
+    name_pattern = "docker.io/redis[@:]*"
+  }
+  admission_whitelist_patterns {
+    name_pattern = "ghcr.io/external-secrets/*"
+  }
+  global_policy_evaluation_mode = "ENABLE"
+  default_admission_rule {
+    evaluation_mode  = "REQUIRE_ATTESTATION"
+    enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
+    require_attestations_by = [
+      module.qa-attestor[0].attestor
+    ]
+  }
+}

terraform/cluster.tf

@@ -18,6 +18,14 @@ resource "google_container_cluster" "main" {
   location           = var.location
   initial_node_count = 3
 
+  # Only for prod env it will be deployed, since prod won't accept not attested images
+  dynamic "binary_authorization" {
+    for_each = var.branch == "prod" ? [1] : []
+    content {
+      evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+    }
+  }
+
   node_config {
     service_account = local.service_account_email # Retrieving the email of the service account from locals
     disk_size_gb    = 10                          # Setting disk size to 10 GB because of the free account quota limits