feat: add goreleaser and cloudbuild for releases

[cpanato]

Summary

Add goreleaser and cloudbuild definition to cut a rekor release, similar we do in the cosign project

Some questions to be answered:

• We will use the same KMS key that is used in cosign to sing the blob/images here?
• How can we send the to the Rekor server the logs using the keyless approach?

Ticket Link

Related: #419

Release Note

feat: add goreleaser and cloudbuild for releases

[cpanato]

@dlorenc @lukehinds need your thoughts here :)

should we discard the cloudbuild and make a github actions with manual dispatch to trigger the release? then we can use the GH support for the OIDC and use keyless

[cpanato]

gently ping @dlorenc @lukehinds would like to hear the thoughts, I will apply the same behaviour for fulcio as well

[dlorenc]

cc @asraa for comments on which keys to use here, she's working on setting up proper delegations in the sigstore root.

WDYT about skipping the signing for now to get something in?

[cpanato]

cc @asraa for comments on which keys to use here, she's working on setting up proper delegations in the sigstore root.

WDYT about skipping the signing for now to get something in?

Ok, will remove the signing part and finish it, by tomorrow we will be good to go

[cpanato]

I need to run se dry run before

[cpanato]

did a rehearsal release in my fork repo using cloubuild

https://github.com/cpanato/rekor/releases/tag/v99.99.99

and images

gcr.io/cpanato-general/rekor-server:99.99.99 and gcr.io/cpanato-general/rekor-cli:99.99.99

for now, we are not signing to wait for some discussion in which key we will use and this uses the same github token that cosign uses

[asraa]

Using the same keys as the cosign release key would be fine since it's already inside the TUF root -- https://github.com/sigstore/root-signing/blob/main/repository/staged/targets/artifact.pub

that's the public key just for double-checking ^

It's possible we re-sign targets to make the root compatible with rust TUF, in case we do this, do you want to sign with a different key that I can add?

[cpanato]

Using the same keys as the cosign release key would be fine since it's already inside the TUF root -- https://github.com/sigstore/root-signing/blob/main/repository/staged/targets/artifact.pub

that's the public key just for double-checking ^

It's possible we re-sign targets to make the root compatible with rust TUF, in case we do this, do you want to sign with a different key that I can add?

this is a decision we need to make:

• have a different key for each project
• or use the same for all projects

good things:

• one key is already there we can just reuse
• don't need to manage several keys

not so good:

• if we need to change the key we need to update all projects that use that

[cpanato]

tested the images generated by the release job in the rekor helm chart and seems to work fine

$ k get po
NAME                                         READY   STATUS    RESTARTS   AGE
rekor-mysql-756d7b8b4f-gcn82                 1/1     Running   0          3m44s
rekor-redis-6d5c5c99d8-5t8bn                 1/1     Running   0          3m44s
rekor-server-579c97969-s9dvs                 1/1     Running   0          23s
rekor-trillian-log-server-7b659656bb-s67cb   1/1     Running   0          33s
rekor-trillian-log-signer-c8ccc8cfc-8hsrk    1/1     Running   4          3m44s

$ k logs rekor-server-579c97969-s9dvs
2021-10-28T15:10:17.844Z        INFO    app/serve.go:68 starting rekor-server @ {
  "GitVersion": "v99.99.99",
  "GitCommit": "6972492120aa20fbde2f8f46b05c16e774c73c14",
ERROR 2021/10/28 15:10:17 Couldn't discover absolute path
ERROR 2021/10/28 15:10:17 stat .: permission denied
  "GitTreeState": "clean",
  "BuildDate": "'2021-10-28T13:13:44Z'",
  "GoVersion": "go1.17.2",
  "Compiler": "gc",
  "Platform": "linux/amd64"
}
2021-10-28T15:10:17.909Z        INFO    app/serve.go:94 Loading support for pluggable type 'rpm'
2021-10-28T15:10:17.909Z        INFO    app/serve.go:95 Loading version '0.0.1' for pluggable type 'rpm'
2021-10-28T15:10:17.909Z        INFO    app/serve.go:94 Loading support for pluggable type 'jar'
2021-10-28T15:10:17.909Z        INFO    app/serve.go:95 Loading version '0.0.1' for pluggable type 'jar'
2021-10-28T15:10:17.909Z        INFO    app/serve.go:94 Loading support for pluggable type 'intoto'
2021-10-28T15:10:17.909Z        INFO    app/serve.go:95 Loading version '0.0.1' for pluggable type 'intoto'
2021-10-28T15:10:17.909Z        INFO    app/serve.go:94 Loading support for pluggable type 'rfc3161'
2021-10-28T15:10:17.909Z        INFO    app/serve.go:95 Loading version '0.0.1' for pluggable type 'rfc3161'
2021-10-28T15:10:17.909Z        INFO    app/serve.go:94 Loading support for pluggable type 'alpine'
2021-10-28T15:10:17.909Z        INFO    app/serve.go:95 Loading version '0.0.1' for pluggable type 'alpine'
2021-10-28T15:10:17.909Z        INFO    app/serve.go:94 Loading support for pluggable type 'helm'
2021-10-28T15:10:17.909Z        INFO    app/serve.go:95 Loading version '0.0.1' for pluggable type 'helm'
2021-10-28T15:10:17.909Z        INFO    app/serve.go:94 Loading support for pluggable type 'tuf'
2021-10-28T15:10:17.909Z        INFO    app/serve.go:95 Loading version '0.0.1' for pluggable type 'tuf'
2021-10-28T15:10:17.909Z        INFO    app/serve.go:94 Loading support for pluggable type 'rekord'
2021-10-28T15:10:17.910Z        INFO    app/serve.go:95 Loading version '0.0.1' for pluggable type 'rekord'
2021-10-28T15:10:17.926Z        INFO    storage/storage.go:40   Configuring attestation storage at file:///var/run/attestations
spec:2021/10/28 15:10:17 warning: could not resolve current working directory: stat .: permission denied
spec:2021/10/28 15:10:17 warning: could not resolve current working directory: stat .: permission denied
spec:2021/10/28 15:10:17 warning: could not resolve current working directory: stat .: permission denied
spec:2021/10/28 15:10:17 warning: could not resolve current working directory: stat .: permission denied
spec:2021/10/28 15:10:17 warning: could not resolve current working directory: stat .: permission denied
spec:2021/10/28 15:10:17 warning: could not resolve current working directory: stat .: permission denied
spec:2021/10/28 15:10:17 warning: could not resolve current working directory: stat .: permission denied
spec:2021/10/28 15:10:17 warning: could not resolve current working directory: stat .: permission denied
spec:2021/10/28 15:10:17 warning: could not resolve current working directory: stat .: permission denied
spec:2021/10/28 15:10:17 warning: could not resolve current working directory: stat .: permission denied
spec:2021/10/28 15:10:17 warning: could not resolve current working directory: stat .: permission denied
spec:2021/10/28 15:10:17 warning: could not resolve current working directory: stat .: permission denied
spec:2021/10/28 15:10:17 warning: could not resolve current working directory: stat .: permission denied
2021-10-28T15:10:17.968Z        INFO    restapi/server.go:230   Serving rekor server at http://[::]:3000

need to check why it is try to get the current directory

UPDATE: figured out, fixing the dockerfile

UPDATE 2: fixed

$ k logs rekor-server-848d79466f-wsc6x
2021-10-28T15:23:48.012Z        INFO    app/serve.go:68 starting rekor-server @ {
  "GitVersion": "v99.99.99-1-gb665bfa-dirty",
  "GitCommit": "b665bfa6ea241b73f2c0b10c545d82b031828aab",
  "GitTreeState": "dirty",
  "BuildDate": "'2021-10-28T14:45:55Z'",
  "GoVersion": "go1.17.2",
  "Compiler": "gc",
  "Platform": "linux/amd64"
}
2021-10-28T15:23:48.062Z        INFO    app/serve.go:94 Loading support for pluggable type 'intoto'
2021-10-28T15:23:48.062Z        INFO    app/serve.go:95 Loading version '0.0.1' for pluggable type 'intoto'
2021-10-28T15:23:48.062Z        INFO    app/serve.go:94 Loading support for pluggable type 'rfc3161'
2021-10-28T15:23:48.062Z        INFO    app/serve.go:95 Loading version '0.0.1' for pluggable type 'rfc3161'
2021-10-28T15:23:48.063Z        INFO    app/serve.go:94 Loading support for pluggable type 'alpine'
2021-10-28T15:23:48.063Z        INFO    app/serve.go:95 Loading version '0.0.1' for pluggable type 'alpine'
2021-10-28T15:23:48.063Z        INFO    app/serve.go:94 Loading support for pluggable type 'helm'
2021-10-28T15:23:48.063Z        INFO    app/serve.go:95 Loading version '0.0.1' for pluggable type 'helm'
2021-10-28T15:23:48.063Z        INFO    app/serve.go:94 Loading support for pluggable type 'tuf'
2021-10-28T15:23:48.063Z        INFO    app/serve.go:95 Loading version '0.0.1' for pluggable type 'tuf'
2021-10-28T15:23:48.063Z        INFO    app/serve.go:94 Loading support for pluggable type 'rekord'
2021-10-28T15:23:48.063Z        INFO    app/serve.go:95 Loading version '0.0.1' for pluggable type 'rekord'
2021-10-28T15:23:48.063Z        INFO    app/serve.go:94 Loading support for pluggable type 'rpm'
2021-10-28T15:23:48.063Z        INFO    app/serve.go:95 Loading version '0.0.1' for pluggable type 'rpm'
2021-10-28T15:23:48.063Z        INFO    app/serve.go:94 Loading support for pluggable type 'jar'
2021-10-28T15:23:48.063Z        INFO    app/serve.go:95 Loading version '0.0.1' for pluggable type 'jar'
2021-10-28T15:23:48.202Z        INFO    storage/storage.go:40   Configuring attestation storage at file:///var/run/attestations
2021-10-28T15:23:48.248Z        INFO    restapi/server.go:230   Serving rekor server at http://[::]:3000

[asraa]

this is a decision we need to make:

I would probably say sticking to one key for the sigstore org is ok for the next quarter? but ultimately up to you -- as the number of projects grow it's probably easier to have separate keys

[dlorenc]

I think one key is fine for now.

[cpanato]

I think one key is fine for now.

great, will add the signing part back, maybe later we can discuss sending the data to rekor using keyless or another approach

[dlorenc]

I'm happy with this if you all are!

[cpanato]

I'm happy with this if you all are!

i will add the signing during the weekend and let's aim to a release early next week using this, wdyt?

[dlorenc]

SGTM!

[cpanato]

oh you merged, ok i open a new pr