Skip to content
This repository has been archived by the owner on Jul 3, 2024. It is now read-only.

Commit

Permalink
patching with new keycloak
Browse files Browse the repository at this point in the history 
Signed-off-by: Ryan Cook <[email protected]>
  • Loading branch information
@cooktheryan
cooktheryan committed Apr 23, 2024
1 parent addb45d commit bf4b065
Show file tree
Hide file tree
Showing 2 changed files with 7 additions and 7 deletions.
8 changes: 4 additions & 4 deletions .github/workflows/main.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,8 +16,8 @@ env:
FULCIO_URL: https://fulcio.${{ secrets.BASE_DOMAIN }}
TUF_URL: https://tuf.${{ secrets.BASE_DOMAIN }}
KEYCLOAK_URL: ${{ secrets.KEYCLOAK_URL }}
KEYCLOAK_REALM: sigstore
KEYCLOAK_OIDC_ISSUER: ${{ secrets.KEYCLOAK_URL}}/realms/sigstore
KEYCLOAK_REALM: trusted-artifact-signer
KEYCLOAK_OIDC_ISSUER: ${{ secrets.KEYCLOAK_URL}}/realms/trusted-artifact-signer
REKOR_URL: https://rekor.${{ secrets.BASE_DOMAIN }}
TF_VAR_base_domain: ${{ secrets.BASE_DOMAIN }}
TF_VAR_vpc_id: ${{ secrets.VPC_ID }}
Expand Down Expand Up @@ -65,8 +65,8 @@ jobs:

- name: sign and verify
run: |
TOKEN=$(curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=jdoe" -d "password=secure" -d "grant_type=password" -d "scope=openid" -d "client_id=sigstore" https://keycloak-keycloak-system.apps.platform-sts.pcbk.p1.openshiftapps.com/auth/realms/sigstore/protocol/openid-connect/token | sed -E 's/.*"access_token":"([^"]*).*/\1/')
cosign sign -y --fulcio-url=${{ env.FULCIO_URL}} --rekor-url=${{ env.REKOR_URL}} --oidc-issuer=${{ env.KEYCLOAK_OIDC_ISSUER}} --identity-token=$TOKEN ${{ env.IMAGE }}
TOKEN=$(curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=jdoe" -d "password=secure" -d "grant_type=password" -d "scope=openid" -d "client_id=sigstore" ${{ env.KEYCLOAK_OIDC_ISSUER }}/protocol/openid-connect/token | sed -E 's/.*"access_token":"([^"]*).*/\1/')
cosign sign -y --fulcio-url=${{ env.FULCIO_URL}} --rekor-url=${{ env.REKOR_URL}} --oidc-issuer=${{ env.KEYCLOAK_OIDC_ISSUER}} --identity-token=$TOKEN --oidc-client-id=${{ secrets.KEYCLOAK_REALM }} ${{ env.IMAGE }}
cosign verify --rekor-url=${{ env.REKOR_URL}} --certificate-identity-regexp ".*@redhat" --certificate-oidc-issuer-regexp ".*keycloak.*" ${{ env.IMAGE }}
- name: Terraform Destroy
Expand Down
6 changes: 3 additions & 3 deletions roles/sigstore_scaffolding/defaults/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -98,9 +98,9 @@ ct_logprefix: sigstoreansible

scaffolding_utils_image: quay.io/ablock/sigstore-scaffolding-helper:latest

oidc_issuers: https://keycloak-keycloak-system.apps.platform-sts.pcbk.p1.openshiftapps.com/auth/realms/sigstore
sigstore_client_id: sigstore
issuer_url: https://keycloak-keycloak-system.apps.platform-sts.pcbk.p1.openshiftapps.com/auth/realms/sigstore
oidc_issuers: https://keycloak-keycloak-system.apps.platform-sts.pcbk.p1.openshiftapps.com/auth/realms/trusted-artifact-signer
sigstore_client_id: trusted-artifact-signer
issuer_url: https://keycloak-keycloak-system.apps.platform-sts.pcbk.p1.openshiftapps.com/auth/realms/trusted-artifact-signer
oidc_issuers_type: email

# Sigstore Images
Expand Down

0 comments on commit bf4b065

Please sign in to comment.