Day 5 of Week 3 of #CloudNativeNewYear!
The theme for this week is Bringing Your Application to Kubernetes. Yesterday we talked about debugging and instrumenting our application. Today we'll explore the topic of container image signing and secure supply chain.
Watch the recorded demo and conversation about this week's topics.
We were live on YouTube walking through today's (and the rest of this week's) demos. Join us Friday, February 10th and bring your questions!
What We'll Cover
- Create a digital signing certificate
- Generate an Azure Container Registry Token
- Set up Notation
- Install the Notation Azure Key Vault Plugin
- Add the signing Certificate to Notation
- Sign Container Images
The secure supply chain is a crucial aspect of software development, delivery, and deployment, and digital signing plays a critical role in this process.
By using digital signatures to verify the authenticity and integrity of container images, organizations can improve the security of your software supply chain and reduce the risk of security breaches and data compromise.
In this article, you'll learn how to use Notary, an open-source project hosted by the Cloud Native Computing Foundation (CNCF) to digitally sign container images stored on Azure Container Registry.
To follow along, you'll need an instance of:
Create a digital signing certificate
A digital signing certificate is a certificate that is used to digitally sign and verify the authenticity and integrity of digital artifacts. Such documents, software, and of course container images.
Before you can implement digital signatures, you must first create a digital signing certificate.
Run the following command to generate the certificate:
Create the policy file
cat <<EOF > ./my_policy.json
The ekus and key usage of this certificate policy dictate that the certificate can only be used for digital signatures.
Create the certificate in Azure Key Vault
az keyvault certificate create --name $keyName --vault-name $keyVaultName --policy @my_policy.json
$keyVaultNamewith your desired certificate name and Azure Key Vault instance name.
Generate a Azure Container Registry token
Azure Container Registry tokens are used to grant access to the contents of the registry. Tokens can be used for a variety of things such as pulling images, pushing images, or managing the registry.
As part of the container image signing workflow, you'll need a token to authenticate the Notation CLI with your Azure Container Registry.
Run the following command to generate an ACR token:
az acr token create \
--name $tokenName \
--registry $registry \
--scope-map _repositories_admin \
--query 'credentials.passwords.value' \
$tokenName with your name for the ACR token and
$registry with the name of your ACR instance.
Notation is the command-line interface for the CNCF Notary project. You'll use it to digitally sign the api and web container images for the eShopOnWeb application.
Run the following commands to download and install the NotationCli:
Open a terminal or command prompt window
Download the Notary notation release
curl -Lo notation.tar.gz https://github.com/notaryproject/notation/releases/download/v1.0.0-rc.1/notation_1.0.0-rc.1_linux_amd64.tar.gz > /dev/null 2>&1
If you're not using Linux, you can find the releases here.
Extract the contents of the
tar xvzf notation.tar.gz > /dev/null 2>&1
Copy the notation binary to the $HOME/bin directory
cp ./notation $HOME/bin
Add the $HOME/bin directory to the PATH environment variable
Remove the downloaded files
rm notation.tar.gz LICENSE
Check the notation version
Install the Notation Azure Key Vault plugin
By design the NotationCli supports plugins that extend its digital signing capabilities to remote registries. And in order to sign your container images stored in Azure Container Registry, you'll need to install the Azure Key Vault plugin for Notation.
Run the following commands to install the
Download the plugin
curl -Lo notation-azure-kv.tar.gz \
https://github.com/Azure/notation-azure-kv/releases/download/v0.5.0-rc.1/notation-azure-kv_0.5.0-rc.1_linux_amd64.tar.gz > /dev/null 2>&1
Non-Linux releases can be found here.
Extract to the plugin directory & delete download files
tar xvzf notation-azure-kv.tar.gz -C ~/.config/notation/plugins/azure-kv notation-azure-kv > /dev/null 2>&
rm -rf notation-azure-kv.tar.gz
Verify the plugin was installed
notation plugin ls
Add the signing certificate to Notation
Now that you have Notation and the Azure Key Vault plugin installed, add the certificate's keyId created above to Notation.
Get the Certificate Key ID from Azure Key Vault
az keyvault certificate show \
--vault-name $keyVaultName \
--name $keyName \
--query "kid" --only-show-errors --output tsv
$keyNamewith the appropriate information.
Add the Key ID to KMS using Notation
notation key add --plugin azure-kv --id $keyID $keyName
Check the key list
notation key ls
Sign Container Images
At this point, all that's left is to sign the container images.
notation sign command to sign the api and web container images:
notation sign $registry.azurecr.io/web:$tag \
--username $tokenName \
notation sign $registry.azurecr.io/api:$tag \
--username $tokenName \
$tokenPassword with the appropriate values. To improve security, use a SHA hash for the tag.
NOTE: If you didn't take note of the token password, you can rerun the
az acr token createcommand to generate a new password.
Digital signing plays a critical role in ensuring the security of software supply chains.
By signing software components, organizations can verify the authenticity and integrity of software, helping to prevent unauthorized modifications, tampering, and malware.
And if you want to take digital signing to a whole new level by using them to prevent the deployment of unsigned container images, check out the Ratify project on GitHub!
Enroll in the Cloud Skills Challenge!
Don't miss out on this opportunity to level up your skills and stay ahead of the curve in the world of cloud native.