
Commit 0880709

YrrepNoj and jeff-mccoy authored
Rust Binary Checks SHA256 (zarf-dev#449)
* add shasum check of init payload * fix path to rust injector in workflow * update zarf-injector to version that checks sha * switch to govcloud KMS * update rust injector cargo version * add cosign annotations * include github url in release-engineer annotation Co-authored-by: Jeff McCoy <code@jeffm.us>
1 parent 1ea806b commit 0880709


7 files changed

+56
-22
lines changed


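--- a/.github/workflows/build-rust-injector.yml
+++ b/.github/workflows/build-rust-injector.yml
@@ -1,4 +1,8 @@
 name: Build Rust Binary
+
+env:
+zarfInjectorPath: 'src/injector/stage1/target/x86_64-unknown-linux-musl/release/zarf-injector'
+
 on:
 workflow_dispatch:
 inputs:
@@ -29,13 +33,13 @@ jobs:
 args: cargo build --target x86_64-unknown-linux-musl --release --manifest-path src/injector/stage1/Cargo.toml
 
 - name: "Strip The Binary Down"
-run: sudo strip src/injector/stage1/target/x86_64-unknown-linux-musl/release/zarf-injector
+run: sudo strip ${{ env.zarfInjectorPath }}
 
 - name: "Upload Rust Binary"
 uses: actions/upload-artifact@v2
 with:
 name: zarf-injector
-path: src/injector/stage1/target/x86_64-unknown-linux-musl/release/zarf-injector
+path: ${{ env.zarfInjectorPath }}
 
 - name: Login to Docker Hub
 uses: docker/login-action@v1
@@ -44,9 +48,13 @@ jobs:
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 
 - name: "Upload Binary To DockerHub"
-run: cosign upload blob -f zarf-injector defenseunicorns/zarf-injector:${{ github.event.inputs.versionTag }}
+run: cosign upload blob -f ${{ env.zarfInjectorPath }} defenseunicorns/zarf-injector:${{ github.event.inputs.versionTag }}
 
 - name: "Sign the binary"
-run: cosign sign --key ${{ secrets.COSIGN_SIGNING_KEY }} defenseunicorns/zarf-injector:${{ github.event.inputs.versionTag }}
+run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=${{ github.event.inputs.versionTag }} defenseunicorns/zarf-injector:${{ github.event.inputs.versionTag }}
 env:
-COSIGN_EXPERIMENTAL: 1
+COSIGN_EXPERIMENTAL: 1
+AWS_REGION: ${{ secrets.COSIGN_AWS_REGION }}
+AWS_ACCESS_KEY_ID: ${{ secrets.COSIGN_AWS_KEY_ID }}
+AWS_SECRET_ACCESS_KEY: ${{ secrets.COSIGN_AWS_ACCESS_KEY }}
+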
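Review bot: The `run:` lines added at new lines 51 and 54 splice `${{ github.event.inputs.versionTag }}` and `${{ github.actor }}` directly into the shell command text, so shell metacharacters in the dispatch input become part of the command rather than an argument; the conventional hardening is to route them through the step's `env:` (e.g. `VERSION_TAG: ${{ github.event.inputs.versionTag }}`) and reference `"$VERSION_TAG"` in the script. The input is only reachable by someone who can trigger `workflow_dispatch`, so this is a hardening point, not an open hole. It would also help to comment next to the signing step that `cosign.pub` at the repo root must be kept in sync with the KMS key named by `COSIGN_AWS_KMS_KEY`, since the `zarf.yaml` in this commit appears to verify the `sget://` download against that committed file.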
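--- a/cosign.pub
+++ b/cosign.pub
@@ -1,4 +1,14 @@
 -----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkK3glLLNDKX7ny8wRzrh/G04huzV
-QaiLEEMlVHpdzfwqkspAWxzbcUaTj5SPyaLT5TLDEXiOt4AS4D/Q3twxfw==
------END PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA9u472y/wY0tjIiR2T6rY
+zOG1q4qwx5ZdmnoGsiG0Zc3rYo2DMiuKciG0MI4opCf4IID7kfYOD4aWILymwFID
+xW0L6pEbxknHRQacWZSf/qfA+aAcjbKOY3ZWU8/uLJJeq37Y4OLc17ThJ7ZOj1Yf
+Uvj81Uz9ZWVW7kYY31vWCruJh4VxZLsUAmFc6CsQUtzSGordLhh1b1rDP6ZRAaIP
+mQnniULogwIBqnUTkIVwxiRYG+V2a3IC5vqlBLQRQ3UOWQ9mgZcfcXuTA6Fh8bwO
+2lG768UfI1RBYioXAgXbPwXK+kM3Idvjcr+X2F3VpYWhHTscMIQF0ERzK7BkRqRI
+x9l/RRm5lP+9a1kt6giYtvX2OqEsWaG3lTen3ocwblaHRlmqnaiVBtAnVny6QDHX
+9p1HPMD/NjWjZucxWMjtdL5FZxBywbJVlxhe7sFByMoBZYhea9vGGSn2M2Q9kPiq
+Bgl6bKZdeYIhaKQ7wrNkS6YVHMIqqpCIUI6/YGYwnu0hodbjR0yA2LFx4TgFZAuY
+uGEiRP4Oi7WEOPkjRjP7kPXGpEBB7ulZ/Wohq1B6pB1Odo8WlfJRAek319F2aqqh
+J1c3YdZ/w3EvCLKd+Inp1UNbamb79UN6jtwhqwKw72YbZh/yP0rim49lQ++umwPX
+JWqG8iY/UzGB/3ch4/Wb09UCAwEAAQ==
+-----END PUBLIC KEY-----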
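Review bot: Replacing the key outright rather than keeping the previous one alongside means anything signed with the old key — the 0.1.0 injector tag this commit moves away from, if it stays published — can no longer be verified against this file; if that is intended, a line in the commit message saying older tags are no longer verifiable would save the next reader a surprise. The new blob appears to be an RSA public key where the old one appears to be an EC key, which is consistent with the KMS switch in the description, but nothing in the repo records which KMS key this corresponds to, so a reader cannot confirm it matches the key the workflow signs with. A short header comment is not possible in PEM, so consider recording the key fingerprint or KMS alias in the README or next to the `cosignKeyPath` reference.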

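--- a/packages/zarf-injector/zarf.yaml
+++ b/packages/zarf-injector/zarf.yaml
@@ -9,7 +9,7 @@ components:
 cosignKeyPath: ../../cosign.pub
 files:
 # Rust Injector Binary
-- source: sget://defenseunicorns/zarf-injector:0.1.0
+- source: sget://defenseunicorns/zarf-injector:0.4.3
 target: "###ZARF_TEMP###/zarf-injector"
 executable: true
 # Go Registry Binary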

src/injector/stage1/Cargo.lock

+7

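--- a/src/injector/stage1/Cargo.toml
+++ b/src/injector/stage1/Cargo.toml
@@ -6,7 +6,7 @@ panic = "abort"
 
 [package]
 name = "zarf-injector"
-version = "0.1.0"
+version = "0.4.3"
 edition = "2021"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
@@ -16,3 +16,4 @@ glob = "0.3.0"
 flate2 = "1.0.22"
 tar = "0.4.38"
 sha2 = "0.10.2"
+hex = "0.4.3"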

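--- a/src/injector/stage1/src/main.rs
+++ b/src/injector/stage1/src/main.rs
@@ -7,6 +7,7 @@ use std::io::Read;
 use std::io::Write;
 use std::path::PathBuf;
 use tar::Archive;
+use hex::ToHex;
 
 // Inspired by https://medium.com/@nlauchande/rust-coding-up-a-simple-concatenate-files-tool-and-first-impressions-a8cbe680e887
 
@@ -69,8 +70,8 @@ fn main() {
 
 // read hash digest and consume hasher
 let result = hasher.finalize();
-
-assert_eq!(result[..], sha_sum.as_bytes()[..]);
+let result_string = result.encode_hex::<String>();
+assert_eq!(*sha_sum, result_string);
 }
 
 let tar = GzDecoder::new(&contents[..]);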
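Review bot: `assert_eq!(*sha_sum, result_string)` at new line 74 treats a digest mismatch as a programming error, and with `panic = "abort"` set in this crate's Cargo.toml the only diagnostic is the debug dump of two 64-character strings before the process aborts; a mismatch here is an expected runtime outcome (truncated or mis-assembled payload), so an explicit check with a readable message and a nonzero exit is clearer, e.g. `if *sha_sum != result_string { eprintln!("payload sha256 mismatch: expected {sha_sum}, got {result_string}"); std::process::exit(1); }`. `main` starts before this hunk, so I cannot see where `sha_sum` comes from or whether it is already validated as 64 lowercase hex characters; if it arrives as an untrimmed argument, comparing against `sha_sum.trim()` avoids a spurious failure from a trailing newline. Minor style: `hex::encode(result)` does the same as `result.encode_hex::<String>()` without the `ToHex` trait import.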

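--- a/src/internal/packager/injector.go
+++ b/src/internal/packager/injector.go
@@ -1,6 +1,7 @@
 package packager
 
 import (
+"crypto/sha256"
 "fmt"
 "io/ioutil"
 "os"
@@ -31,6 +32,7 @@ func runInjectionMadness(tempPath tempPaths) {
 var images []string
 var envVars []corev1.EnvVar
 var payloadConfigmaps []string
+var sha256sum string
 
 // Try to create the zarf namespace
 spinner.Updatef("Creating the Zarf namespace")
@@ -62,7 +64,7 @@ func runInjectionMadness(tempPath tempPaths) {
 }
 
 spinner.Updatef("Loading the seed registry configmaps")
-if payloadConfigmaps, err = createPayloadConfigmaps(tempPath, spinner); err != nil {
+if payloadConfigmaps, sha256sum, err = createPayloadConfigmaps(tempPath, spinner); err != nil {
 message.Fatal(err, "Unable to generate the injector payload configmaps")
 }
 
@@ -82,7 +84,7 @@ func runInjectionMadness(tempPath tempPaths) {
 _ = k8s.DeletePod(k8s.ZarfNamespace, "injector")
 
 // Update the podspec image path
-pod := buildInjectionPod(image, envVars, payloadConfigmaps)
+pod := buildInjectionPod(image, envVars, payloadConfigmaps, sha256sum)
 
 // Create the pod in the cluster
 pod, err = k8s.CreatePod(pod)
@@ -103,13 +105,14 @@ func runInjectionMadness(tempPath tempPaths) {
 spinner.Fatalf(nil, "Unable to perform the injection")
 }
 
-func createPayloadConfigmaps(tempPath tempPaths, spinner *message.Spinner) ([]string, error) {
+func createPayloadConfigmaps(tempPath tempPaths, spinner *message.Spinner) ([]string, string, error) {
 message.Debugf("packager.tryInjectorPayloadDeploy(%v)", tempPath)
 var (
 err error
 tarFile []byte
 chunks [][]byte
 configMaps []string
+sha256sum string
 )
 
 // Chunk size has to accomdate base64 encoding & etcd 1MB limit
@@ -125,14 +128,19 @@ func createPayloadConfigmaps(tempPath tempPaths, spinner *message.Spinner) ([]st
 spinner.Updatef("Creating the seed registry archive to send to the cluster")
 // Create a tar archive of the injector payload
 if err = archiver.Archive(tarFileList, tarPath); err != nil {
-return configMaps, err
+return configMaps, "", err
 }
 
+archiver.Archive(tarFileList, "/home/user/payload.tgz")
+
 // Open the created archive for io.Copy
 if tarFile, err = ioutil.ReadFile(tarPath); err != nil {
-return configMaps, err
+return configMaps, "", err
 }
 
+//Calculate the sha256sum of the tarFile before we split it up
+sha256sum = fmt.Sprintf("%x", sha256.Sum256(tarFile))
+
 spinner.Updatef("Splitting the archive into binary configmaps")
 // Loop over the tarball breaking it into chunks based on the payloadChunkSize
 for {
@@ -165,7 +173,7 @@ func createPayloadConfigmaps(tempPath tempPaths, spinner *message.Spinner) ([]st
 
 // Attempt to create the configmap in the cluster
 if _, err = k8s.ReplaceConfigmap(k8s.ZarfNamespace, fileName, labels, configData); err != nil {
-return configMaps, err
+return configMaps, "", err
 }
 
 // Add the configmap to the configmaps slice for later usage in the pod
@@ -175,7 +183,7 @@ func createPayloadConfigmaps(tempPath tempPaths, spinner *message.Spinner) ([]st
 time.Sleep(100 * time.Millisecond)
 }
 
-return configMaps, nil
+return configMaps, sha256sum, nil
 }
 
 func hasSeedImages(spinner *message.Spinner) bool {
@@ -295,21 +303,20 @@ func buildEnvVars(tempPath tempPaths) ([]corev1.EnvVar, error) {
 }
 
 // buildInjectionPod return a pod for injection with the appropriate containers to perform the injection
-func buildInjectionPod(image string, envVars []corev1.EnvVar, payloadConfigmaps []string) *corev1.Pod {
+func buildInjectionPod(image string, envVars []corev1.EnvVar, payloadConfigmaps []string, payloadShasum string) *corev1.Pod {
 pod := k8s.GeneratePod("injector", k8s.ZarfNamespace)
 executeMode := int32(0777)
 seedImage := config.GetSeedImage()
 
 pod.Labels["app"] = "zarf-injector"
 
 pod.Spec.RestartPolicy = corev1.RestartPolicyNever
-
 pod.Spec.InitContainers = []corev1.Container{
 {
 Name: "init-injector",
 Image: image,
 WorkingDir: "/zarf-stage1",
-Command: []string{"/zarf-stage1/zarf-injector"},
+Command: []string{"/zarf-stage1/zarf-injector", payloadShasum},
 
 VolumeMounts: []corev1.VolumeMount{
 {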
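Review bot: `archiver.Archive(tarFileList, "/home/user/payload.tgz")` at new line 134 writes a second copy of the payload to a hard-coded absolute path on the operator's machine and discards the returned error; nothing else in the diff reads that file, so it looks like leftover debugging and should be deleted — on hosts without `/home/user` it fails silently, and on hosts that have it it overwrites whatever is there. The digest itself is computed on the right object, the bytes read back from `tarPath` that are subsequently chunked, so the injector can detect a truncated or mis-ordered reassembly. The comment at new line 141 would be more useful if it stated what the check defends against: the digest reaches the pod through the same API server as the configmap chunks, so it catches transport and reassembly errors rather than tampering by a principal who can already edit the pod spec, e.g. `// Digest of the assembled archive; the injector recomputes it over the reassembled chunks to catch truncation or ordering errors (it does not defend against an actor who can edit the pod spec).` Minor: gofmt style is `// Calculate` with a space after the slashes.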
