From 7ee4a32aa7f8d800bb1261e3b62aa61b7ba77faa Mon Sep 17 00:00:00 2001 From: Bhushan Nemade Date: Thu, 29 Aug 2024 18:13:53 +0530 Subject: [PATCH] doc: Cosign plugin doc (#5665) * doc for cosign plugin * edits in task name * updates in intro and other fixes. * Attached link to Cosign GitHub repo * Hyperlink fixes --------- Co-authored-by: ashokdevtron <141001279+ashokdevtron@users.noreply.github.com> --- docs/SUMMARY.md | 1 + docs/user-guide/plugins/cosign.md | 59 +++++++++++++++++++++++++++++++ 2 files changed, 60 insertions(+) create mode 100644 docs/user-guide/plugins/cosign.md diff --git a/docs/SUMMARY.md b/docs/SUMMARY.md index 2a55ffcad3..439c026259 100644 --- a/docs/SUMMARY.md +++ b/docs/SUMMARY.md @@ -136,6 +136,7 @@ * [Code-Scan](user-guide/plugins/code-scan.md) * [Copacetic](user-guide/plugins/copacetic.md) * [Copy Container Image](user-guide/plugins/copy-container-image.md) + * [Cosign](user-guide/plugins/cosign.md) * [Dependency track - Maven & Gradle](user-guide/plugins/dependency-track-maven-gradle.md) * [Dependency track - NodeJS](user-guide/plugins/dependency-track-nodejs.md) * [Dependency track - Python](user-guide/plugins/dependency-track-python.md) diff --git a/docs/user-guide/plugins/cosign.md b/docs/user-guide/plugins/cosign.md new file mode 100644 index 0000000000..d91fbb2d3e --- /dev/null +++ b/docs/user-guide/plugins/cosign.md @@ -0,0 +1,59 @@ +# Cosign + +## Introduction +The **Cosign** plugin by Devtron enables secure signing of your container images, enhancing supply chain security. It authenticates your identity as the creator and ensures image integrity, allowing users to verify the source and detect any tampering. This provides greater assurance to developers incorporating your artifacts into their workflows. + +### Prerequisites +Before integrating the Cosign plugin, ensure that you have configured the [Cosign](https://github.com/sigstore/cosign) and have a set of private and public keys to sign the container images. + +--- + +## Steps +1. Go to **Applications** → **Devtron Apps**. +2. Click your application. +3. Go to **App Configuration** → **Workflow Editor**. +4. Click **New Workflow** and navigate to the **Build and Deploy from Source Code**. +5. Fill the required fields in the **Create build pipeline** window and navigate to the **Post-build stage**. + +{% hint style="warning" %} +If you have already configured workflow, edit the build pipeline, and navigate to **Post-build stage**. +{% endhint %} + +6. Under 'TASKS', click the **+ Add task** button. +7. Click the **Cosign** plugin. +8. Enter the following [user inputs](#user-inputs) with appropriate values. +--- + +## User Inputs + +### Task Name +Enter the name of your task + +e.g., `Signing of container images` + +### Description +Add a brief explanation of the task and the reason for choosing the plugin. Include information for someone else to understand the purpose of the task. + +e.g., `The Cosign plugin is integrated for ensuring the authenticity of container images.` + +### Input Variables + +| Variable | Format | Description | Sample Value | +| ------------------------ | ------------ | ----------- | ------------ | +| PrivateKeyFilePath | STRING | Path of private key file in Git repo | cosign/cosign.key | +| PostCommand | STRING | Command to run after image is signed by Cosign | cosign verify $DOCKER_IMAGE | +| ExtraArguments | STRING | Arguments for Cosign command | --certificate-identity=name@example.com | +| CosignPassword | STRING | Password for Cosign private key | S3cur3P@ssw0rd123! | +| VariableAsPrivateKey | STRING | base64 encoded private-key | @{{COSIGN_PRIVATE_KEY}} | +| PreCommand | STRING | Command to get the required conditions to execute Cosign command | curl -sLJO https://raw.githubusercontent.com/devtron-labs/sampleRepo/branchName/private | + +### Trigger/Skip Condition +Here you can set conditions to execute or skip the task. You can select `Set trigger conditions` for the execution of a task or `Set skip conditions` to skip the task. + +### Output Variables +Cosign will not be generating an output variable. + +Click **Update Pipeline**. + + +