From 2ccfaff4ad641edfa13a3c80a57fbc5e09509a1d Mon Sep 17 00:00:00 2001
From: Andrew Suderman
Date: Tue, 22 Feb 2022 13:20:49 -0700
Subject: [PATCH] Get signing secret from vault and sign checksums (#222)
---
 .circleci/config.yml | 54 +++++++++++++++++++++++++++++++++++---------
 .goreleaser.yml | 12 ++++++++++
 2 files changed, 55 insertions(+), 11 deletions(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 7a28644..f6a6783 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1,7 +1,7 @@
 version: 2.1
 orbs:
- rok8s-scripts: fairwinds/rok8s-scripts@11
+ rok8s: fairwinds/rok8s-scripts@11
 executors:
 golang-exec:
@@ -22,7 +22,15 @@ references:
 only: /.*/
 tags:
 ignore: /.*/
-
+ install_vault_alpine: &install_vault_alpine
+ run:
+ name: install hashicorp vault
+ command: |
+ apk --update add curl yq
+ cd /tmp
+ curl -LO https://releases.hashicorp.com/vault/1.9.3/vault_1.9.3_linux_amd64.zip
+ unzip vault_1.9.3_linux_amd64.zip
+ mv vault /usr/bin/vault
 jobs:
 test:
 working_directory: /go/src/github.com/fairwindsops/rbac-lookup
@@ -37,19 +45,26 @@ jobs:
 snapshot:
 working_directory: /go/src/github.com/fairwindsops/rbac-lookup
 docker:
- - image: goreleaser/goreleaser:v1.1.0
+ - image: goreleaser/goreleaser:v1.3.0
 steps:
 - checkout
- - run: goreleaser --snapshot
+ - setup_remote_docker
+ - run: goreleaser --snapshot --skip-sign
 - store_artifacts:
 path: dist
 destination: snapshot
 release:
 working_directory: /go/src/github.com/fairwindsops/rbac-lookup
 docker:
- - image: goreleaser/goreleaser:v1.1.0
+ - image: goreleaser/goreleaser:v1.3.0
 steps:
 - checkout
+ - setup_remote_docker
+ - *install_vault_alpine
+ - rok8s/get_vault_env:
+ vault_path: repo/global/env
+ - rok8s/get_vault_env:
+ vault_path: repo/rbac-lookup/env
 - run: go mod download && go mod verify
 - run: goreleaser
 publish_docs:
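Review bot: The `install_vault_alpine` command downloads `vault_1.9.3_linux_amd64.zip` with `curl -LO` and moves it into `/usr/bin` with no integrity check, although this is the binary the release job will trust to hand it the signing secrets; the `Install Tools` step of publish_docs in the next hunk repeats the pattern for both Vault and yq. HashiCorp publishes a checksum file next to the zip, so after the download add `curl -LO https://releases.hashicorp.com/vault/1.9.3/vault_1.9.3_SHA256SUMS` and `grep linux_amd64.zip vault_1.9.3_SHA256SUMS | sha256sum -c -` (the accompanying `.sig` can additionally be checked against HashiCorp's release key), and do the equivalent with the checksums asset that the yq release publishes. The step also calls `unzip` while only adding `curl yq` via apk; if the goreleaser image does not ship unzip the step fails, so it is safer to add it to the `apk` line. The anchor lives under `references:` and the `jobs:` mapping it precedes continues beyond this hunk.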
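Review bot: Both `rok8s/get_vault_env` steps run before `go mod download && go mod verify`, so the secrets pulled from `repo/global/env` and `repo/rbac-lookup/env` are already in the environment of a step that only needs network access to the module proxy; placing them immediately before `- run: goreleaser` limits the secrets to the one step that signs. With the snapshot job now running `goreleaser --snapshot --skip-sign`, the cosign/`hashivault://cosign` signing path configured in .goreleaser.yml is exercised for the first time on a real release tag, where a missing `cosign` binary in the `goreleaser/goreleaser:v1.3.0` image or a wrong transit key name surfaces only after the release has started. A cheap guard is a `- run: cosign version` step in the snapshot job, so the tooling prerequisite is checked on every branch build. The `publish_docs` job that starts at the end of this hunk continues outside it.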
@@ -66,17 +81,34 @@ jobs:
 npm run check-links
 npm run build
 - run:
- name: Install AWS CLI
+ name: Install Tools
 command: |
+ cd /tmp
+ echo "Installing AWS CLI"
 curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
 unzip awscliv2.zip
 sudo ./aws/install
+
+ echo "Installing Hashicorp Vault"
+ curl -LO https://releases.hashicorp.com/vault/1.9.3/vault_1.9.3_linux_amd64.zip
+ unzip vault_1.9.3_linux_amd64.zip
+ sudo mv vault /usr/bin/vault
+ sudo chmod +x /usr/bin/vault
+ vault --version
+
+ echo "Installing yq"
+ curl -LO https://github.com/mikefarah/yq/releases/download/v4.16.2/yq_linux_amd64.tar.gz
+ tar -zxvf yq_linux_amd64.tar.gz
+ sudo mv yq_linux_amd64 /usr/bin/yq
+ sudo chmod +x /usr/bin/yq
+ yq --version
+ - rok8s/get_vault_env:
+ vault_path: repo/rbac-lookup/env
 - run:
 name: Publish Docs Site to S3
 command: |
 cd ./dist
 aws s3 sync ./ s3://rbac-lookup.docs.fairwinds.com --delete
-
 workflows:
 version: 2
 test-and-release:
@@ -93,19 +125,19 @@ workflows:
 only: /.*/
 tags:
 ignore: /.*/
- - rok8s-scripts/kubernetes_e2e_tests:
+ - rok8s/kubernetes_e2e_tests:
 name: "End-To-End Kubernetes 1.19"
 kind_node_image: "kindest/node:v1.19.11@sha256:07db187ae84b4b7de440a73886f008cf903fcf5764ba8106a9fd5243d6f32729"
 <<: *e2e_config
- - rok8s-scripts/kubernetes_e2e_tests:
+ - rok8s/kubernetes_e2e_tests:
 name: "End-To-End Kubernetes 1.20"
 kind_node_image: "kindest/node:v1.20.7@sha256:cbeaf907fc78ac97ce7b625e4bf0de16e3ea725daf6b04f930bd14c67c671ff9"
 <<: *e2e_config
- - rok8s-scripts/kubernetes_e2e_tests:
+ - rok8s/kubernetes_e2e_tests:
 name: "End-To-End Kubernetes 1.21"
 kind_node_image: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"
 <<: *e2e_config
- - rok8s-scripts/kubernetes_e2e_tests:
+ - rok8s/kubernetes_e2e_tests:
 name: "End-To-End Kubernetes 1.22"
 kind_node_image: "kindest/node:v1.22.0@sha256:b8bda84bb3a190e6e028b1760d277454a72267a5454b57db34437c34a588d047"
 <<: *e2e_config
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 42c1579..9b1be3e 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -29,6 +29,18 @@ changelog:
 exclude:
 - '^docs:'
 - '^test:'
+release:
+ prerelease: auto
+ footer: |
+ You can verify the signature of the checksums.txt file using [cosign](https://github.com/sigstore/cosign).
+
+ ```
+ cosign verify-blob checksums.txt --signature=checksums.txt.sig --key https://artifacts.fairwinds.com/cosign.pub
+ ```
+signs:
+- cmd: cosign
+ args: ["sign-blob", "--key=hashivault://cosign", "-output-signature=${signature}", "${artifact}"]
+ artifacts: checksum
 brews:
 - name: rbac-lookup
 tap:
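Review bot: The footer tells users to run `cosign verify-blob checksums.txt --signature=checksums.txt.sig ...`, but goreleaser's default checksum file name is `{{ .ProjectName }}_{{ .Version }}_checksums.txt`; unless the `checksum:` block elsewhere in this file sets `name_template: checksums.txt`, the documented command names a file that is not in the release. Either pin the name in `checksum:` or write the footer with the same template so the instructions match the published artifact (the `.sig` suffix does match goreleaser's default `${artifact}.sig`). In `args`, `-output-signature=${signature}` uses a single dash while `--key=` uses two; whether the single-dash long form is accepted depends on cosign's flag parser, so `--output-signature=${signature}` is the safer and consistent spelling. The footer also points verifiers at a key fetched over HTTPS from `artifacts.fairwinds.com`; publishing the key's fingerprint next to that URL lets users confirm what they downloaded before trusting the signature.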