Release process: stage SLSA provenance metadata #2273
@puerco -- This is a nice treat to see over the weekend!
When you're happy with testing, we'll want to move the provenance package to sigs.k8s.io/release-sdk. Most, if not all of it, looks fit to be generally useful (as opposed to krel-specific).
Definitely, once it has the base features we need, I'll ship it over there. There is only one big one left to write and off it goes.
@puerco -- Also, just to make sure we're not reinventing the wheel, can you look into https://github.com/in-toto/in-toto-golang and see if there's functionality overlap?
Yep, see similar usage in sigstore/cosign#582.
@justaugustus originally that's where I lifted the types from, I was expecting to replicate just one or two but in the end there were more than a few. I reverted to the original code that embeds them.
The anago state now registers the beginning of stage/release as it is needed to generate the provenance metadata. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Add a constant for the provenance filename `provenance.json` Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
We now make the GCB BUILD_ID identifier available to krel as an envvar to include it in the provenance metadata. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
This commit adds a new go package: provenance. This code contains the types and functions to generate provenance metadata. It currently includes code to generate SLSA compliant predicates and automatically scan directories to add files as subjects in a provenance attestation. Signing is currently not supported but the envelope type is already in the package for the next iteration, the push towards SLSA2 in the Kubernetes release process. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
This commit adds testing for the provenance package. It depends on the next commit which generates the fakes. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
To be able to work with the source tarball, anago/stage now deletes the source tarball after staging the rest of the artifacts. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
When running a multi-tag release (eg official + rc), krel would compress and upload the whole kubernetes source for each version. Now, we only do it once as the tarball is exactly the same for all releases in a single run. This should speed up the release process. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
anago/stage will now generate the provenance metadata of the artifacts produced after building. While staging the files, an in-toto attestation is built and uploaded with the release. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Regenerate the stage implementation fakes with the new provenance functions Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
This commit adds the new provenance functions in anago/stage to the integration tests in TestStageArtifacts() Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
This commit modifies the function Instance.PushReleaseArtifacts() in the build package to support pushing single files to the release buckets. Before, PushReleaseArtifacts() would fail if applied to a single file. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
OK, this is ready to go! PTAL @justaugustus 🚀
That run was hacked to run faster, I'll kick off a full stage to test but it should not have any difference. The generated metadata is in the test bucket, here: The next step will be to read that file during release and, after validation, propagate the provenance metadata in subsequent attestation files for each tag we release 🥳
/priority important-soon
@puerco -- Phenomenal work!
I've left a set of non-blocking comments that we should address in a follow-up.
In addition, to capture the "in-person" review we did earlier...
- Let's emit a SHA512 for all artifacts, not just `src.tar.gz`:
"subject": [
{
"name": "gs://kubernetes-release-gcb/stage/v1.23.0-alpha.3.105+0ac956ff2bef9c/src.tar.gz",
"digest": {
"sha256": "a9ac55b2fe04c940d1755bd63e0be95565930046a9f79207ac2a6b7a375788a5",
"sha512": "d99203a4480697e5e6f5624d77a296ca8686065b6669dd25d05a6e6e389ad49b2a374fbed0697e267bf81b5fe1a3d318460186e5818ab3707204d5e86445aaa5"
}
},
{
"name": "gs://kubernetes-release-gcb/stage/v1.23.0-alpha.3.105+0ac956ff2bef9c/v1.23.0-alpha.4/gcs-stage/v1.23.0-alpha.4/SHA256SUMS",
"digest": {
"sha256": "71d47a3948d18f3fdee6c88ee3b254663f40be9f5598aa8841b9ab0fb78d7c60"
}
},
- In:
"materials": [
{
"uri": "git+https://github.com/kubernetes/kubernetes",
"digest": {
"sha1": "commit 94db9bed6b7c56420e722d1b15db4610c9cacd3f"
}
}
]
Should `sha1` be `commit 94db9bed6b7c56420e722d1b15db4610c9cacd3f` or `94db9bed6b7c56420e722d1b15db4610c9cacd3f`?
"github.com/blang/semver" | ||
"github.com/pkg/errors" | ||
"github.com/sirupsen/logrus" | ||
|
||
intoto "github.com/in-toto/in-toto-golang/in_toto" |
Non-blocking: This should be in the previous import group
@@ -740,40 +753,53 @@ func (d *DefaultStage) GenerateBillOfMaterials() error { | |||
} | |||
|
|||
func (d *DefaultStage) StageArtifacts() error { | |||
// Generat the intoto attestation, reloaded with the current run data |
Non-blocking:
// Generat the intoto attestation, reloaded with the current run data | |
// Generate the in-toto attestation, reloaded with the current run data |
if err != nil { | ||
return errors.Wrap(err, "generating the provenance attestation") | ||
} | ||
// Init a the push options we will use |
Non-blocking:
// Init a the push options we will use | |
// Init push options for provenance document |
"--type=": options.ReleaseType, | ||
"--branch=": options.ReleaseBranch, | ||
"--build-version=": options.BuildVersion, |
Non-blocking:
"--type=": options.ReleaseType, | |
"--branch=": options.ReleaseBranch, | |
"--build-version=": options.BuildVersion, | |
"release-type": options.ReleaseType, | |
"branch": options.ReleaseBranch, | |
"build-version": options.BuildVersion, |
Otherwise, we get:
"recipe": {
"type": "https://cloudbuild.googleapis.com/CloudBuildYaml@v1",
"definedInMaterial": 0,
"entryPoint": "https://github.com/kubernetes/release/blob/master/gcb/stage/cloudbuild.yaml",
"arguments": {
"--branch=": "master",
"--build-version=": "v1.23.0-alpha.3.105+0ac956ff2bef9c",
"--type=": "alpha"
}
},
(Note the extraneous `--` and `=` in the arguments.)
if options.NoMock { | ||
arguments["--nomock"] = "true" | ||
} |
Non-blocking:
(Similar to previous review comment)
if options.NoMock { | |
arguments["--nomock"] = "true" | |
} | |
if options.NoMock { | |
arguments["nomock"] = "true" | |
} |
Hmmmm... do we want `"true"` (string) or `true` (bool) / does it matter?
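As an added example (not code from this PR, from krel/anago, or from sigs.k8s.io/release-sdk), the following Go program assembles a minimal in-toto statement with a SLSA v0.1 provenance predicate the way the review comments above ask for: every regular file under a staged directory becomes a subject carrying both sha256 and sha512, the git material's sha1 digest is the bare commit id (a `commit <sha>` value is rejected instead of written out), and recipe arguments are keyed by parameter name with `nomock` as a JSON bool. The `Subject`, `Material`, `Recipe` and `Statement` types, the `gs://example-bucket/stage/` prefix and the constructed `src.tar.gz` sample file are assumptions for illustration; the commit id, recipe type and argument names are copied from the sample output in the review.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// Assumed minimal types using the field names seen in the review's sample output.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}
type Material struct {
	URI    string            `json:"uri"`
	Digest map[string]string `json:"digest"`
}
type Recipe struct {
	Type      string                 `json:"type"`
	Arguments map[string]interface{} `json:"arguments"`
}
type Statement struct {
	Type          string    `json:"_type"`
	PredicateType string    `json:"predicateType"`
	Subject       []Subject `json:"subject"`
	Predicate     struct {
		Recipe    Recipe     `json:"recipe"`
		Materials []Material `json:"materials"`
	} `json:"predicate"`
}

// DigestFile streams the file once through both hashes (no whole-tarball read into memory).
func DigestFile(path string) (map[string]string, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	h256, h512 := sha256.New(), sha512.New()
	if _, err := io.Copy(io.MultiWriter(h256, h512), f); err != nil {
		return nil, err
	}
	return map[string]string{"sha256": hex.EncodeToString(h256.Sum(nil)), "sha512": hex.EncodeToString(h512.Sum(nil))}, nil
}

// AddDirectorySubjects adds every regular file under dir as a subject named
// prefix + relative path, so every artifact (not only src.tar.gz) gets both digests.
func AddDirectorySubjects(st *Statement, dir, prefix string) error {
	return filepath.Walk(dir, func(path string, info os.FileInfo, err error) error {
		if err != nil || !info.Mode().IsRegular() {
			return err // skip directories, symlinks and other non-regular entries
		}
		rel, _ := filepath.Rel(dir, path)
		digest, err := DigestFile(path)
		if err != nil {
			return err
		}
		st.Subject = append(st.Subject, Subject{Name: prefix + filepath.ToSlash(rel), Digest: digest})
		return nil
	})
}

// AddGitMaterial records the source checkout keyed by the bare commit sha1;
// a value like "commit 94db9be..." is rejected instead of being written out.
func AddGitMaterial(st *Statement, uri, commit string) error {
	if len(commit) != 40 || strings.Trim(commit, "0123456789abcdef") != "" {
		return fmt.Errorf("material digest %q is not a bare 40-hex commit id", commit)
	}
	st.Predicate.Materials = append(st.Predicate.Materials, Material{URI: uri, Digest: map[string]string{"sha1": commit}})
	return nil
}

// RecipeArguments turns flag spellings ("--build-version=") into parameter names
// ("build-version") and always records nomock as a JSON bool, never the string "true".
func RecipeArguments(flags map[string]string, noMock bool) map[string]interface{} {
	args := map[string]interface{}{"nomock": noMock}
	for k, v := range flags {
		args[strings.TrimSuffix(strings.TrimLeft(k, "-"), "=")] = v
	}
	return args
}

func main() {
	dir, _ := os.MkdirTemp("", "stage") // constructed sample staging directory
	defer os.RemoveAll(dir)
	_ = os.WriteFile(filepath.Join(dir, "src.tar.gz"), []byte("constructed sample"), 0o600)
	st := &Statement{Type: "https://in-toto.io/Statement/v0.1", PredicateType: "https://slsa.dev/provenance/v0.1"}
	st.Predicate.Recipe = Recipe{Type: "https://cloudbuild.googleapis.com/CloudBuildYaml@v1", Arguments: RecipeArguments(map[string]string{"--type=": "alpha", "--branch=": "master"}, true)}
	if err := AddDirectorySubjects(st, dir, "gs://example-bucket/stage/"); err != nil {
		panic(err)
	}
	if err := AddGitMaterial(st, "git+https://github.com/kubernetes/kubernetes", "94db9bed6b7c56420e722d1b15db4610c9cacd3f"); err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(st, "", "  ")
	fmt.Println(string(out))
}
```

Emitting `nomock` as a bool on every run (false when mocked) is one answer to the string-vs-bool question above and is a design choice of this example, not what the PR does; a verifier that compares predicates across the tags of one release run benefits from stable, typed keys. The same applies to the parameter-name keys: a policy engine matching `arguments.build-version` should not have to know how krel spells its flags.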
finfo, err := os.Stat(srcPath) | ||
if err != nil { | ||
return errors.Wrap(err, "checking if source path is a directory") | ||
} | ||
|
||
// If we are handling a single file copy instead of rsync | ||
if !finfo.IsDir() { | ||
return errors.Wrap( | ||
bi.objStore.CopyToRemote(srcPath, dstPath), "copying file to GCS", | ||
) | ||
} | ||
|
||
return errors.Wrap( | ||
bi.objStore.RsyncRecursive(srcPath, dstPath), "rsync artifacts to GCS", | ||
) |
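Review bot: the single-file branch guarded by `if !finfo.IsDir()` treats everything that is not a directory as a regular file, so a socket, device node or named pipe at srcPath would be handed to `bi.objStore.CopyToRemote`; the tighter check is `finfo.Mode().IsRegular()`, with an explicit error for anything else. Also, `os.Stat` follows symlinks, so a dangling symlink fails here with the message "checking if source path is a directory", which describes the intent rather than the failure; "stat source path" would read better in the wrapped error.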
Non-blocking: Let's handle "this" (dir vs file logic) in the sigs.k8s.io/release-sdk/object package instead.
) | ||
} | ||
|
||
// AddMaterial adds a material to the entry |
// AddMaterial adds a material to the entry | |
// AddMaterial adds material to the entry |
|
||
type defaultPredicateImplementation struct{} | ||
|
||
// Write dumps the predicate data into a JSON file |
// Write dumps the predicate data into a JSON file | |
// Write dumps the predicate data as a JSON file |
"errors" | ||
"testing" | ||
|
||
"github.com/stretchr/testify/require" |
Non-blocking:
"github.com/stretchr/testify/require" | |
"github.com/stretchr/testify/require" | |
"github.com/pkg/errors" | ||
"sigs.k8s.io/release-utils/hash" | ||
|
||
intoto "github.com/in-toto/in-toto-golang/in_toto" |
Non-blocking: Separate import groups
"github.com/pkg/errors" | |
"sigs.k8s.io/release-utils/hash" | |
intoto "github.com/in-toto/in-toto-golang/in_toto" | |
intoto "github.com/in-toto/in-toto-golang/in_toto" | |
"github.com/pkg/errors" | |
"sigs.k8s.io/release-utils/hash" |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: justaugustus, puerco The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
This commit addresses nits noted in kubernetes#2273. Signed-off-by: Adolfo García Veytia <[email protected]>
What type of PR is this?
/kind feature
What this PR does / why we need it:
This PR adds the first stage of provenance metadata generation during the staging phase of the Kubernetes release process. To push towards SLSA1 compliance, our release process needs to generate provenance metadata. This PR adds the necessary packages and functionality to make the `stage` phase SLSA1 compliant. It adds a new Go package `provenance` which creates in-toto attestations with SLSA compliant predicates. Using the package, krel/anago now writes an attestation file with the build environment information and all artifacts from `stage` as subjects of the attestation. We need to complete the chain, consuming this file and verifying in the `release` phase, and afterwards, produce the provenance metadata for each version we release. This PR represents roughly 2/3 of the work to make the Kubernetes release process SLSA1 compliant.
Which issue(s) this PR fixes:
Part of: #2267
Special notes for your reviewer:
This first push is the first rough iteration of the code. I will run a few tests until the provenance file is correctly staged and then remove the WIP label. I'm opening the PR now to provide an early look and visibility on the effort.
/cc @justaugustus @cpanato @Verolop @palnabarun
/cc @kubernetes/release-engineering
Does this PR introduce a user-facing change?