Fix signing Dockerfile

Fix the path to the sign-file binary. Build the signing image in CI.
kubernetes-sigs · Mar 2, 2023 · 503fa11 · 503fa11
1 parent 4343445
commit 503fa11
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 6 deletions.
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
@@ -30,6 +30,29 @@ jobs:
           path: kmm_local.tar
           retention-days: 1
 
+  build-signing-image:
+    runs-on: ubuntu-latest
+
+    name: Build the signing image
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Build the image
+        run:  make signimage-build SIGNER_IMG=kmm-signimage:local
+
+      - name: Export the image
+        run: docker save -o kmm-signimage_local.tar kmm-signimage:local
+
+      - name: Upload the image
+        uses: actions/upload-artifact@v3
+        with:
+          name: ci-images
+          if-no-files-found: error
+          path: kmm-signimage_local.tar
+          retention-days: 1
+
   in-cluster-build:
 
     runs-on: ubuntu-latest
@@ -56,8 +79,10 @@ jobs:
         with:
           name: ci-images
 
-      - name: Import the KMMO image into minikube
-        run: minikube image load kmm_local.tar
+      - name: Import the KMM images into minikube
+        run: |
+          minikube image load kmm_local.tar
+          minikube image load kmm-signimage_local.tar
 
       - name: Cache binaries needed by Makefile
         id: cache-bin

diff --git a/Makefile b/Makefile
@@ -312,7 +312,7 @@ catalog-push: ## Push a catalog image.
 
 .PHONY: signimage-build 
 signimage-build: ## Build docker image with the signer.
-	docker build -f Dockerfile.signimage -t $(SIGNER_IMG)
+	docker build -f Dockerfile.signimage -t $(SIGNER_IMG) .
 
 include docs.mk
 
diff --git a/ci/install-ci/kustomization.yaml b/ci/install-ci/kustomization.yaml
@@ -22,3 +22,6 @@ patchesStrategicMerge:
           containers:
             - name: manager
               imagePullPolicy: Never
+              env:
+                - name: RELATED_IMAGES_SIGN
+                  value: kmm-signimage:local
diff --git a/internal/sign/job/signer_test.go b/internal/sign/job/signer_test.go
@@ -163,9 +163,9 @@ USER 0
 RUN ["mkdir", "/signroot"]
 
 COPY --from=source /modules/simple-kmod.ko /signroot/modules/simple-kmod.ko
-RUN /sign-file sha256 /run/secrets/key/key.pem /run/secrets/cert/cert.pem /signroot/modules/simple-kmod.ko
+RUN /usr/local/bin/sign-file sha256 /run/secrets/key/key.pem /run/secrets/cert/cert.pem /signroot/modules/simple-kmod.ko
 COPY --from=source /modules/simple-procfs-kmod.ko /signroot/modules/simple-procfs-kmod.ko
-RUN /sign-file sha256 /run/secrets/key/key.pem /run/secrets/cert/cert.pem /signroot/modules/simple-procfs-kmod.ko
+RUN /usr/local/bin/sign-file sha256 /run/secrets/key/key.pem /run/secrets/cert/cert.pem /signroot/modules/simple-procfs-kmod.ko
 
 FROM source
 

diff --git a/internal/sign/job/templates/Dockerfile.gotmpl b/internal/sign/job/templates/Dockerfile.gotmpl
@@ -8,7 +8,7 @@ USER 0
 RUN ["mkdir", "/signroot"]
 {{ range .FilesToSign }}
 COPY --from=source {{ . }} /signroot{{ . }}
-RUN /sign-file sha256 /run/secrets/key/key.pem /run/secrets/cert/cert.pem /signroot{{ . }}
+RUN /usr/local/bin/sign-file sha256 /run/secrets/key/key.pem /run/secrets/cert/cert.pem /signroot{{ . }}
 {{- end }}
 
 FROM source