chore(ci): kaniko Phase B -- swap bespoke verify-posture to catalog component

Summary

Phase B of the kaniko -> catalog-v2.x migration. Replaces the bespoke verify-posture job (90 lines) and its companion script scripts/verify-posture.sh (235 lines) with the catalog's posture-verify@v2.1.1 component. Net: ~280 lines deleted.

What changed

  • .gitlab-ci.yml: add posture-verify@v2.1.1 component include (with kaniko's .gitlab/posture-claims.yaml as input). Collapse the 90-line bespoke verify-posture: job to a ~40-line overlay carrying the kaniko-specific bits the component doesn't:
    • variables: (REGISTRY, KANIKO_VERSION, REGISTRY_AUTH_FILE, SKIP_BINARY_CHECKS, EXPECTED_ARCHES)
    • before_script: writing the docker-config-format auth file (skopeo + cosign both consume it)
    • artifacts: for the posture-claims.yaml provenance artifact
    • rules: toggling SKIP_BINARY_CHECKS on tag pipelines for audit-grade FIPS marker extraction
  • .gitlab/posture-claims.yaml: fips-cryptography evidence (build-tag, default-godebug) rewritten from podman create | podman cp to skopeo copy + tar -tzf | tar -xzf. The catalog image bundles cosign + glab + skopeo + jq + go + python3 + PyYAML -- no container build engine (podman/buildah are out-of-scope for a posture verifier). Both binary-marker evidences guard with SKIP_BINARY_CHECKS=1 so default-branch pipelines skip the fragile-in-CI extraction; tag pipelines re-enable it for audit evidence. Runtime FIPS remains proven by fips-smoke.
  • scripts/verify-posture.sh deleted (235 lines).

Why skopeo + tar over keeping the bespoke job

The bespoke job imaged on quay.io/buildah/stable:v1.43.0 because it needed podman/buildah for binary extraction. The catalog's posture-verify image is intentionally smaller (no build engine) since the verifier's job is to read artifacts, not build them. skopeo copy docker://X dir:Y + tar over the layer blobs is the daemon-free extraction path; it works without privileged/DinD setup.
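
The skopeo `dir:` + tar extraction path described above, as an added example that is not kaniko's pipeline or the catalog component's code. It assumes `skopeo copy docker://IMG dir:$LAYOUT` has produced a manifest.json plus gzip layer blobs named by their sha256 hex; the layout here is constructed inline with placeholder digests and a planted marker string so it runs offline.

```shell
#!/bin/sh
# Added example (not kaniko's CI or the catalog component): daemon-free
# extraction from a skopeo `dir:` layout, then a grep standing in for the
# build-tag / default-godebug marker check. Assumes gzip layer blobs named
# by sha256 hex next to manifest.json. The layout below is CONSTRUCTED so
# this runs offline; the digests are placeholders, not real checksums.
set -eu

# Blob path of every layer in apply order, parsed from manifest.json
# (plain sed so only tar + coreutils are needed; the catalog image has jq).
layer_blobs() {
  sed -n '/"layers"/,$s/.*"digest": *"sha256:\([0-9a-f]*\)".*/\1/p' \
    "$1/manifest.json" | while read -r hex; do printf '%s/%s\n' "$1" "$hex"; done
}

# Extract $2 from the LAST layer carrying it (overlay semantics: later layers
# win) into $3 and print the extracted path. Returns 1 if no layer has it.
extract_from_layout() {
  layout=$1; member=$2; outdir=$3; found=""
  for blob in $(layer_blobs "$layout"); do
    tar -tzf "$blob" 2>/dev/null | grep -qx "$member" && found=$blob
  done
  [ -n "$found" ] || return 1
  tar -xzf "$found" -C "$outdir" "$member"
  printf '%s\n' "$outdir/$member"
}

# The real job reads `go version -m`; here a CONSTRUCTED marker is grepped.
has_marker() { grep -q "$2" "$1"; }

# --- constructed dir: layout: layer bbbb overrides usr/bin/app from aaaa ---
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
LAYOUT=$WORK/layout; mkdir -p "$LAYOUT" "$WORK/l1/usr/bin" "$WORK/l2/usr/bin" "$WORK/out"
printf 'stale: no fips marker\n' > "$WORK/l1/usr/bin/app"
printf 'build DefaultGODEBUG=fips140=on\n' > "$WORK/l2/usr/bin/app"
tar -czf "$LAYOUT/aaaa" -C "$WORK/l1" usr/bin/app
tar -czf "$LAYOUT/bbbb" -C "$WORK/l2" usr/bin/app
cat > "$LAYOUT/manifest.json" <<'EOF'
{ "schemaVersion": 2,
  "config": { "digest": "sha256:cccc" },
  "layers": [
    { "digest": "sha256:aaaa" },
    { "digest": "sha256:bbbb" } ] }
EOF

# Exit 0 when the binary pulled from the image carries the FIPS marker.
verify_fips_marker() {
  bin=$(extract_from_layout "$LAYOUT" usr/bin/app "$WORK/out") || return 1
  has_marker "$bin" 'DefaultGODEBUG=fips140=on'
}
verify_fips_marker && echo "fips marker present in extracted usr/bin/app"
```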

Posture evidence delta

  • On tag pipelines (audit grade): full evidence preserved end-to-end. cosign + SBOM + SLSA + arch + release + scanning + renovate + binary FIPS markers all run.
  • On default-branch pipelines: binary FIPS marker extraction skips (was fragile under podman-in-container anyway; SKIP_BINARY_CHECKS=1 was already the default in the bespoke job). All other evidence (cosign verify, attestation verify, arch check, release lookup, scanning grep, renovate config check) runs as before. Runtime FIPS remains proven by the fips-smoke job's actual GODEBUG=fips140=on execution.

Test plan

  • MR pipeline green (posture-verify won't run on MR; rules: gate it to default-branch + tag)
  • Post-merge main pipeline: posture-verify runs and all 8 claims pass (with binary-marker evidence SKIPped per rule)
  • Future tag pipeline (smoke RC after merge): binary-marker evidence runs via skopeo + tar and passes for all 3 FIPS variants
