fix build

2026-03-26 19:38:05 +07:00
parent aadfe767d3
commit 430d4de3d6
6 changed files with 61 additions and 30 deletions


@@ -0,0 +1,8 @@
{
"permissions": {
"allow": [
"mcp__context7__resolve-library-id",
"mcp__context7__query-docs"
]
}
}
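Review bot: This new permissions allowlist looks unrelated to the build fix named in the commit title; it appears to be a local tool settings file that enables two `mcp__context7__*` tools. The file path is not visible on this page, so confirm it is meant to be tracked rather than ignored. A committed allowlist applies to everyone who uses the repository with that tool, so it is better reviewed in its own commit.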


@@ -1,22 +1,31 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: { { include "nginx.fullname" . } }
name: {{ include "nginx.fullname" . }}
labels:
app: { { include "nginx.name" . } }
app: {{ include "nginx.name" . }}
spec:
replicas: { { .Values.replicaCount } }
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: { { include "nginx.name" . } }
app: {{ include "nginx.name" . }}
template:
metadata:
labels:
app: { { include "nginx.name" . } }
app: {{ include "nginx.name" . }}
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- name: nginx
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: { { .Values.image.pullPolicy } }
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
ports:
- containerPort: 80
- containerPort: 8080
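Review bot: The pod-level `runAsNonRoot: true` is paired with an image whose Dockerfile (also changed in this commit) sets `USER nginx`, a name rather than a numeric UID. The kubelet cannot verify that a non-numeric image user is non-root and refuses to start the container. Add `runAsUser: 101` next to `runAsNonRoot` (101 is the nginx UID in the official image as far as I know; confirm with `id nginx` in the built image), or switch the Dockerfile to a numeric `USER`. Since nginx.conf now writes only under /tmp, `readOnlyRootFilesystem: true` with an `emptyDir` mounted at /tmp would be a natural follow-up in the container `securityContext`.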


@@ -1,11 +1,11 @@
apiVersion: v1
kind: Service
metadata:
name: { { include "nginx.fullname" . } }
name: {{ include "nginx.fullname" . }}
spec:
type: { { .Values.service.type } }
type: {{ .Values.service.type }}
ports:
- port: { { .Values.service.port } }
targetPort: 80
- port: {{ .Values.service.port }}
targetPort: 8080
selector:
app: { { include "nginx.name" . } }
app: {{ include "nginx.name" . }}
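Review bot: `targetPort: 8080` repeats a number that this commit also hard-codes in the Deployment (`containerPort: 8080`), the Dockerfile (`EXPOSE 8080`) and nginx.conf (`listen 8080;`), so the next port change has four places to miss. Naming the container port in the Deployment (`name: http`) and using `targetPort: http` here keeps the Service tied to the pod spec instead of to a literal.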


@@ -1,2 +1,5 @@
FROM nginx:1.25-alpine
COPY nginx.conf /etc/nginx/nginx.conf
RUN chown -R nginx:nginx /var/cache/nginx /var/log/nginx /etc/nginx
USER nginx
EXPOSE 8080
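Review bot: The added `chown -R nginx:nginx ... /etc/nginx` makes the server configuration writable by the account nginx runs as, which it does not need; nginx only has to read `/etc/nginx/nginx.conf`. Leaving `/etc/nginx` owned by root means a compromised worker cannot rewrite its own configuration: `RUN chown -R nginx:nginx /var/cache/nginx /var/log/nginx`. Because nginx.conf in this commit moves the pid file and all temp paths to /tmp, the `/var/cache/nginx` chown may also be unnecessary; worth checking. Consider `USER 101` (numeric; confirm the UID in the image) so Kubernetes `runAsNonRoot` can validate the user.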


@@ -1,7 +1,17 @@
worker_processes auto;
pid /tmp/nginx.pid;
events {}
http {
client_body_temp_path /tmp/client_body;
proxy_temp_path /tmp/proxy;
fastcgi_temp_path /tmp/fastcgi;
uwsgi_temp_path /tmp/uwsgi;
scgi_temp_path /tmp/scgi;
server {
listen 80;
listen 8080;
location / {
return 200 'Hello from custom nginx!';
}
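Review bot: The new `pid /tmp/nginx.pid;` and the five `*_temp_path` directives carry no comment explaining why every writable path now points at /tmp, and a later cleanup could easily revert them. Add a comment above `pid`, for example `# all writable paths live under /tmp so nginx can run as the unprivileged nginx user`. The closing braces of `server` and `http` are not visible in this section, so this note covers only the lines shown.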


@@ -4,21 +4,22 @@ metadata:
name: require-image-signature
spec:
validationFailureAction: Enforce
background: false
rules:
- name: verify-image-signature
match:
resources:
kinds:
- Pod
include:
resources:
namespaces:
- cosign-test
verifyImages:
- image: "git.ntk.novotelecom.ru/adm/docker-trust*"
key: "-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1kmEd1dzkY0MLMhNlkPz8LbX70tdw5acXoKYvOGzcTUK4jppKBCLst121UMC0L5DcgqNE9uly0S78aE8pbIxpBSgVdM8NPRa90vGTi50rauzOGiVRSxOzmkh3BVErqga84U9xb8QmS28rwjdSCbZSx27quzkDrvHwrfid5DroCSkNFQo7Bb84jlgTbrV5KwXkd7G5bMB3qaAzIpBQH+LbKn8/76rlU9/NfUpzftFdOwVVOWQIC7PYU8z2cKI9C+Su+MkrozuGSLrR/Z/urCK9xibrUzRMX7N2v5ORXGhili4pFJG7asxQjPzl2a23iYGkt8c5egxlXWFk4zrVnmawIDAQAB-----END PUBLIC KEY-----"
attestors:
- entries:
- keyless:
subject: "*"
issuer: "*"
- name: check-image-signature
match:
any:
- resources:
kinds: [Pod]
namespaces: ["cosign-test"]
verifyImages:
- imageReferences:
- "git.realmanual.ru/pub/*"
attestors:
- entries:
- keys:
publicKeys: |-
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZZ/9MbR3WZg9K/pk936vukFjeWVt
2oMpW4OmElpIq1aH3jZIA03Hwm7FVdhyumb1vPu5k0DOV8RX4UIs6rkhzA==
-----END PUBLIC KEY-----
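Review bot: The new `check-image-signature` rule verifies only images whose reference matches `git.realmanual.ru/pub/*`. A Pod in `cosign-test` that pulls from any other registry or path is never evaluated by `verifyImages`, so it is admitted unsigned despite the policy name `require-image-signature`. If the intent is that only signed images run in that namespace, pair the rule with a validate rule that rejects images outside the trusted prefix, as sketched below. The ephemeral and init container patterns need checking against the Kyverno version in use. The policy header above line 4 of the file is outside this hunk, so settings such as the webhook failure policy could not be reviewed.

```yaml
    # … unchanged: check-image-signature rule …
    - name: restrict-image-registries
      match:
        any:
          - resources:
              kinds: [Pod]
              namespaces: ["cosign-test"]
      validate:
        message: "Images in cosign-test must come from git.realmanual.ru/pub/."
        pattern:
          spec:
            =(ephemeralContainers):
              - image: "git.realmanual.ru/pub/*"
            =(initContainers):
              - image: "git.realmanual.ru/pub/*"
            containers:
              - image: "git.realmanual.ru/pub/*"
```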