
Commit bf4b065

committed
patching with new keycloak
Signed-off-by: Ryan Cook <[email protected]>
1 parent addb45d commit bf4b065


2 files changed

+7
-7
lines changed


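--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -16,8 +16,8 @@ env:
 FULCIO_URL: https://fulcio.${{ secrets.BASE_DOMAIN }}
 TUF_URL: https://tuf.${{ secrets.BASE_DOMAIN }}
 KEYCLOAK_URL: ${{ secrets.KEYCLOAK_URL }}
-KEYCLOAK_REALM: sigstore
-KEYCLOAK_OIDC_ISSUER: ${{ secrets.KEYCLOAK_URL}}/realms/sigstore
+KEYCLOAK_REALM: trusted-artifact-signer
+KEYCLOAK_OIDC_ISSUER: ${{ secrets.KEYCLOAK_URL}}/realms/trusted-artifact-signer
 REKOR_URL: https://rekor.${{ secrets.BASE_DOMAIN }}
 TF_VAR_base_domain: ${{ secrets.BASE_DOMAIN }}
 TF_VAR_vpc_id: ${{ secrets.VPC_ID }}
@@ -65,8 +65,8 @@ jobs:
 
 - name: sign and verify
 run: |
-TOKEN=$(curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=jdoe" -d "password=secure" -d "grant_type=password" -d "scope=openid" -d "client_id=sigstore" https://keycloak-keycloak-system.apps.platform-sts.pcbk.p1.openshiftapps.com/auth/realms/sigstore/protocol/openid-connect/token | sed -E 's/.*"access_token":"([^"]*).*/\1/')
-cosign sign -y --fulcio-url=${{ env.FULCIO_URL}} --rekor-url=${{ env.REKOR_URL}} --oidc-issuer=${{ env.KEYCLOAK_OIDC_ISSUER}} --identity-token=$TOKEN ${{ env.IMAGE }}
+TOKEN=$(curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=jdoe" -d "password=secure" -d "grant_type=password" -d "scope=openid" -d "client_id=sigstore" ${{ env.KEYCLOAK_OIDC_ISSUER }}/protocol/openid-connect/token | sed -E 's/.*"access_token":"([^"]*).*/\1/')
+cosign sign -y --fulcio-url=${{ env.FULCIO_URL}} --rekor-url=${{ env.REKOR_URL}} --oidc-issuer=${{ env.KEYCLOAK_OIDC_ISSUER}} --identity-token=$TOKEN --oidc-client-id=${{ secrets.KEYCLOAK_REALM }} ${{ env.IMAGE }}
 cosign verify --rekor-url=${{ env.REKOR_URL}} --certificate-identity-regexp ".*@redhat" --certificate-oidc-issuer-regexp ".*keycloak.*" ${{ env.IMAGE }}
 
 - name: Terraform Destroy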
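Review bot: The new `cosign sign` line passes `--oidc-client-id=${{ secrets.KEYCLOAK_REALM }}`, but the realm is defined in this commit as an `env` entry (`env.KEYCLOAK_REALM`), not a repository secret, so the expression most likely expands to an empty value; and a realm name is not an OIDC client id in any case — the token on the line above is requested with `client_id=sigstore`, which is the value the flag should match. Either pass the same value as the token request (`--oidc-client-id=sigstore`) or add one `env` entry for the client id and reference it from both the `curl -d "client_id=..."` argument and the cosign flag, so the two cannot drift apart. The rewritten token request also keeps a literal `username=jdoe` / `password=secure` in the workflow file; those are credentials and belong in repository secrets, e.g. `-d "username=${{ secrets.<KEYCLOAK_USER placeholder> }}"`, even for a throwaway test realm. The enclosing job starts outside the hunk.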

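--- a/roles/sigstore_scaffolding/defaults/main.yml
+++ b/roles/sigstore_scaffolding/defaults/main.yml
@@ -98,9 +98,9 @@ ct_logprefix: sigstoreansible
 
 scaffolding_utils_image: quay.io/ablock/sigstore-scaffolding-helper:latest
 
-oidc_issuers: https://keycloak-keycloak-system.apps.platform-sts.pcbk.p1.openshiftapps.com/auth/realms/sigstore
-sigstore_client_id: sigstore
-issuer_url: https://keycloak-keycloak-system.apps.platform-sts.pcbk.p1.openshiftapps.com/auth/realms/sigstore
+oidc_issuers: https://keycloak-keycloak-system.apps.platform-sts.pcbk.p1.openshiftapps.com/auth/realms/trusted-artifact-signer
+sigstore_client_id: trusted-artifact-signer
+issuer_url: https://keycloak-keycloak-system.apps.platform-sts.pcbk.p1.openshiftapps.com/auth/realms/trusted-artifact-signer
 oidc_issuers_type: email
 
 # Sigstore Images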
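Review bot: The new `oidc_issuers` and `issuer_url` values keep the `/auth/realms/trusted-artifact-signer` path, while the workflow's `KEYCLOAK_OIDC_ISSUER` in this same commit uses `/realms/trusted-artifact-signer` with no `/auth` segment; if both are meant to describe the same Keycloak instance, one of the two is wrong, and an issuer string that does not match the token's `iss` claim byte for byte will be rejected at signing time, so this is worth confirming against the actual token before merging. The two keys also hold the identical literal, so a future realm rename has to be applied twice; deriving one from the other, `issuer_url: "{{ oidc_issuers }}"`, removes that drift risk if the role has no reason for them to differ. Finally, these are role defaults that hard-code one cluster's hostname; a comment stating that the value is expected to be overridden per environment (or a variable for the host, as the workflow already does with its URL secret) would make the intent clear.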
