Adding CI/CD security features and version CLI command

[louison77]

I worked on the project on my own fork https://github.com/louison77/k8s-kms-plugin.

Indeed, I did the fork before renaming the original draft project from https://github.com/ThalesGroup/k8s-kms-plugin to https://github.com/ThalesGroup/k8s-kms-plugin-tmp, and before doing a clean move of the original k8s-kms-plugin project from its original repo on https://github.com/orgs/ThalesIgnite to its new repo https://github.com/ThalesGroup.

Therefore, the states of commit hashes was messed up, and the pull request from https://github.com/louison77/k8s-kms-plugin was harder to merged. So we did a clean fork on @Nicolas-Peiffer profile, and incorporated the contributions from @louison77.

Proposed Changes

• Github workflow file using Goreleaser tool for generating a release.
• Publish action file releasing artifacts with Goreleaser.
• Automate the publication of container images with ko-build tool integrated into Goreleaser.
• Signing of binary and container images artifacts.
• Generation of SLSA level 3 attestations for both kind of artifacts.
• Verification of SLSA images attestations.
• Version CLI command for k8s-kms-plugin.
• Gitlab-ci file equivalent for the Github workflow.
• Detailed explanations of the changes in the Readme.

Types of Changes

These changes introduce a new feature with is a Github CI/CD workflow allowing the creation of release including artifacts signatures, provenance attestations.

Verification

These changes can be verified by tagging a commit and push the tag into Github. This tag will trigger the workflow which will creating release. For signing the artifacts, it is important to go on the Github project in the workflow previously triggered to sign manually the artifacts with OIDC authentication.
A verification of the provenance attestation is done in the pipeline but the detailed commands to verify the signatures are explained in the Readme file.

Testing

As it is CI/CD feature, there are no tests that covered it. But different examples are present on the fork project: https://github.com/louison77/k8s-kms-plugin.

Linked Issues

User-Facing Change

New command version:

k8s-kms-plugin version

{
  "major": 0,
  "minor": 6,
  "version": "0.6.0",
  "commitIdLong": "98026fbd433da5a81b5793db9d69f6b6bbddb895",
  "commitIdShort": "98026fbd",
  "goVersion": "go version go1.22.5 linux/amd64",
  "date": "2024-08-09T11:17:14+02:00",
  "plaform": "x86_64"
}

Further Comments

[IceManGreen]

Great contribution ! Thank you.
However, in case of no tag for a given build, a developer can end with this error :

./k8s-kms-plugin version
panic: 67dde6b is not in dotted-tri format
goroutine 1 [running]:
github.com/coreos/go-semver/semver.Must(...)
        /go/pkg/mod/github.com/coreos/[email protected]/semver/semver.go:65
github.com/coreos/go-semver/semver.New({0xbce8b8?, 0x0?})
        /go/pkg/mod/github.com/coreos/[email protected]/semver/semver.go:49 +0x34
github.com/ThalesGroup/k8s-kms-plugin/cmd/k8s-kms-plugin/cmd.CreateJsonVersion()
        /go/k8s-kms-plugin/cmd/k8s-kms-plugin/cmd/version.go:52 +0x25
github.com/ThalesGroup/k8s-kms-plugin/cmd/k8s-kms-plugin/cmd.generateOutput()
        /go/k8s-kms-plugin/cmd/k8s-kms-plugin/cmd/version.go:94 +0xaf
github.com/ThalesGroup/k8s-kms-plugin/cmd/k8s-kms-plugin/cmd.init.func8(0xc0000df300?, {0xad76d4?, 0x4?, 0xad7670?})
        /go/k8s-kms-plugin/cmd/k8s-kms-plugin/cmd/version.go:111 +0x78
github.com/spf13/cobra.(*Command).execute(0xfd7480, {0x1046e80, 0x0, 0x0})
        /go/pkg/mod/github.com/spf13/[email protected]/command.go:987 +0xa91
github.com/spf13/cobra.(*Command).ExecuteC(0xfd6060)
        /go/pkg/mod/github.com/spf13/[email protected]/command.go:1115 +0x3ff
github.com/spf13/cobra.(*Command).Execute(...)
        /go/pkg/mod/github.com/spf13/[email protected]/command.go:1039
github.com/ThalesGroup/k8s-kms-plugin/cmd/k8s-kms-plugin/cmd.Execute()
        /go/k8s-kms-plugin/cmd/k8s-kms-plugin/cmd/root.go:82 +0x10c
main.main()
        /go/k8s-kms-plugin/cmd/k8s-kms-plugin/main.go:29 +0xf

We should always have an output for the command version, even with no version number (or at least a 'snapshot' information in the version name), rather than a stack trace.

[IceManGreen]

Also check goreleaser DEPRECATED recipe :

# goreleaser release --clean --snapshot --skip validate,publish,sign

  • only configurations files on  version: 2  are supported, yours is  version: 0 , please update your configuration
  • skipping announce, publish, sign and validate...
  • cleaning distribution directory
  • loading environment variables
  • getting and validating git state
    • ignoring errors because this is a snapshot     error=git doesn't contain any tags. Either add a tag or use --snapshot
    • git state                                      commit=67dde6bcc03533e9d05f5a15aedcbfe7e1011ed1 branch=master current_tag=v0.0.0 previous_tag=<unknown> dirty=false
    • pipe skipped                                   reason=disabled during snapshot mode
  • parsing tag
  • setting defaults
    • DEPRECATED:  snapshot.name_template  should not be used anymore, check https://goreleaser.com/deprecations#snapshotnametemplate for more info
  ⨯ release failed after 0s                          error=template: failed to apply "{{ .Env.GITHUB_REPOSITORY_OWNER }}": template: failed to apply "{{ .Env.GITHUB_REPOSITORY_OWNER }}": map has no entry for key "GITHUB_REPOSITORY_OWNER"