Fix signing Dockerfile

Fix the path to the sign-file binary. Build the signing image in CI.
kubernetes-sigs · Mar 2, 2023 · 8744ff3 · 8744ff3
1 parent 4343445
commit 8744ff3
Show file tree

Hide file tree

Showing 6 changed files with 47 additions and 18 deletions.
diff --git a/.github/actions/collect-troubleshooting/action.yml b/.github/actions/collect-troubleshooting/action.yml
@@ -26,6 +26,10 @@ runs:
       run: kubectl describe pod -l kmm.node.kubernetes.io/module.name
       shell: bash
 
+    - name: Describe Jobs
+      run: kubectl describe job.batch -l kmm.node.kubernetes.io/module.name
+      shell: bash
+
     - name: Collect dmesg
       run: sudo dmesg
       shell: bash

diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
@@ -30,11 +30,34 @@ jobs:
           path: kmm_local.tar
           retention-days: 1
 
+  build-signing-image:
+    runs-on: ubuntu-latest
+
+    name: Build the signing image
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Build the image
+        run:  make signimage-build SIGNER_IMG=kmm-signimage:latest
+
+      - name: Export the image
+        run: docker save -o kmm-signimage.tar kmm-signimage:latest
+
+      - name: Upload the image
+        uses: actions/upload-artifact@v3
+        with:
+          name: ci-images
+          if-no-files-found: error
+          path: kmm-signimage.tar
+          retention-days: 1
+
   in-cluster-build:
 
     runs-on: ubuntu-latest
     name: in-cluster-build
-    needs: [build-operator-image]
+    needs: [build-operator-image, build-signing-image]
 
     services:
       registry:
@@ -56,9 +79,12 @@ jobs:
         with:
           name: ci-images
 
-      - name: Import the KMMO image into minikube
+      - name: Import the KMM operator image into minikube
         run: minikube image load kmm_local.tar
 
+      - name: Copy the signing image to the registry
+        run: skopeo copy --dest-tls-verify=false tarball:kmm-signimage.tar docker://localhost:5000/kmm/signimage:latest
+
       - name: Cache binaries needed by Makefile
         id: cache-bin
         uses: actions/cache@v3

diff --git a/Makefile b/Makefile
@@ -312,7 +312,7 @@ catalog-push: ## Push a catalog image.
 
 .PHONY: signimage-build 
 signimage-build: ## Build docker image with the signer.
-	docker build -f Dockerfile.signimage -t $(SIGNER_IMG)
+	docker build -f Dockerfile.signimage -t $(SIGNER_IMG) .
 
 include docs.mk
 
diff --git a/ci/install-ci/kustomization.yaml b/ci/install-ci/kustomization.yaml
@@ -22,3 +22,6 @@ patchesStrategicMerge:
           containers:
             - name: manager
               imagePullPolicy: Never
+              env:
+                - name: RELATED_IMAGES_SIGN
+                  value: host.minikube.internal:5000/kmm/signimage:latest
diff --git a/internal/sign/job/signer_test.go b/internal/sign/job/signer_test.go
@@ -158,19 +158,17 @@ var _ = Describe("MakeJobTemplate", func() {
 
 FROM some-sign-image:some-tag AS signimage
 
-USER 0
+RUN mkdir -p /tmp/signroot
 
-RUN ["mkdir", "/signroot"]
-
-COPY --from=source /modules/simple-kmod.ko /signroot/modules/simple-kmod.ko
-RUN /sign-file sha256 /run/secrets/key/key.pem /run/secrets/cert/cert.pem /signroot/modules/simple-kmod.ko
-COPY --from=source /modules/simple-procfs-kmod.ko /signroot/modules/simple-procfs-kmod.ko
-RUN /sign-file sha256 /run/secrets/key/key.pem /run/secrets/cert/cert.pem /signroot/modules/simple-procfs-kmod.ko
+COPY --from=source /modules/simple-kmod.ko /tmp/signroot/modules/simple-kmod.ko
+RUN /usr/local/bin/sign-file sha256 /run/secrets/key/key.pem /run/secrets/cert/cert.pem /tmp/signroot/modules/simple-kmod.ko
+COPY --from=source /modules/simple-procfs-kmod.ko /tmp/signroot/modules/simple-procfs-kmod.ko
+RUN /usr/local/bin/sign-file sha256 /run/secrets/key/key.pem /run/secrets/cert/cert.pem /tmp/signroot/modules/simple-procfs-kmod.ko
 
 FROM source
 
-COPY --from=signimage /signroot/modules/simple-kmod.ko /modules/simple-kmod.ko
-COPY --from=signimage /signroot/modules/simple-procfs-kmod.ko /modules/simple-procfs-kmod.ko
+COPY --from=signimage /tmp/signroot/modules/simple-kmod.ko /modules/simple-kmod.ko
+COPY --from=signimage /tmp/signroot/modules/simple-procfs-kmod.ko /modules/simple-procfs-kmod.ko
 `,
 						},
 					},

diff --git a/internal/sign/job/templates/Dockerfile.gotmpl b/internal/sign/job/templates/Dockerfile.gotmpl
@@ -3,15 +3,13 @@ FROM {{ .UnsignedImage }} as source
 
 FROM {{ .SignImage }} AS signimage
 
-USER 0
-
-RUN ["mkdir", "/signroot"]
+RUN mkdir -p /tmp/signroot
 {{ range .FilesToSign }}
-COPY --from=source {{ . }} /signroot{{ . }}
-RUN /sign-file sha256 /run/secrets/key/key.pem /run/secrets/cert/cert.pem /signroot{{ . }}
+COPY --from=source {{ . }} /tmp/signroot{{ . }}
+RUN /usr/local/bin/sign-file sha256 /run/secrets/key/key.pem /run/secrets/cert/cert.pem /tmp/signroot{{ . }}
 {{- end }}
 
 FROM source
 {{ range .FilesToSign }}
-COPY --from=signimage /signroot{{ . }} {{ . }}
+COPY --from=signimage /tmp/signroot{{ . }} {{ . }}
 {{- end }}