Distribute cosign binary in CNG (Debian & Universal)

Problem to solve

Why are we doing this work

As part of the SLSA L3 epic, the Pipeline Security team has discussed several options for signing SLSA Provenance statements in the control plane. In the course of these discussions, we determined that the best course of action was to ship the cosign binary in our distributions.

This issue in particular discusses shipping the binary in Cloud Native GitLab container images.

Relevant links

Non-functional requirements

  • Documentation: See discussion below regarding this. We will produce a README.md file in the cosign folder within the CNG repository.
  • Feature flag: N/A
  • Performance: N/A
  • Testing: See verification steps below.

Implementation plan

We need to modify the CNG image associated with Sidekiq workers, specifically gitlab-sidekiq, because the call to cosign will be made from the PublishProvenanceWorker worker.

A couple of key requirements:

  • Following CNG common practice, new software artifacts should be built from source. See gomplate, postgresql, and exiftool for examples.
  • The preferred pattern is to build this software "asset" (in this case cosign) once and add it only to the final images where it is needed.

Steps:

  • Request the creation of a repository under omnibus-mirror, as was done for gitlab-exiftool. Instructions on how to do this are available on the omnibus-mirror documentation page.
  • Create a Dockerfile that downloads and compiles the appropriate version of cosign, again following the gitlab-exiftool pattern. It should fetch the source code from the GitLab mirror created above, not from upstream. The image that consumes the resulting binary will be the one associated with Sidekiq workers, as we have decided to call the binary from that location.
  • Modify the gitlab-sidekiq Debian image to pull in the newly built cosign image with a FROM statement. In the case of gitlab-exiftool this is done by adding a FROM statement and then copying the required files from that build stage.
  • Repeat the modification for the UBI image.
  • Investigate how GitLab is upgraded to a new version of the CNG images.

Verification steps

This issue can be verified locally by:

  1. Clone the CNG repository and build the sidekiq-worker image.
  2. Get a shell by running docker run -it IMAGE_NAME bash
  3. Ensure the cosign binary is present within the image by running cosign --version
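The following Dockerfile is an added illustration of the implementation plan and verification steps above; it is not code from the CNG repository. It builds cosign from a pinned tag on a mirror repository in one stage and copies only the resulting binary into a final image, the same build-from-source-then-copy pattern used for gitlab-exiftool. The mirror URL, the version tag, the Go and Debian base images and the install path are all placeholders, and the final stage stands in for the gitlab-sidekiq image, which in CNG would instead reference the separately built cosign image with its own FROM statement.

```dockerfile
# Added example, not part of the CNG repository. All URLs, tags and base
# images below are placeholders and must be replaced with the real values.

# Build arguments declared before the first FROM are global; each stage that
# uses them must redeclare them.
ARG COSIGN_VERSION=v0.0.0-PLACEHOLDER
ARG COSIGN_MIRROR=https://gitlab.example/omnibus-mirror/cosign.git

# --- Stage 1: build cosign from source (would be its own gitlab-cosign image in CNG) ---
FROM golang:1.22-bullseye AS cosign-builder
ARG COSIGN_VERSION
ARG COSIGN_MIRROR
WORKDIR /src

# Clone only the pinned tag, and only from the GitLab mirror, so the build
# depends solely on sources that GitLab controls rather than on upstream.
RUN git clone --depth 1 --branch "${COSIGN_VERSION}" "${COSIGN_MIRROR}" cosign

WORKDIR /src/cosign
# Static binary (no cgo) with build paths trimmed and symbols stripped, so the
# artifact does not depend on the builder image's C libraries.
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/cosign ./cmd/cosign

# --- Stage 2: final image (stands in for gitlab-sidekiq Debian / UBI) ---
# In CNG this stage would be the existing gitlab-sidekiq Dockerfile, which would
# add "FROM <registry>/gitlab-cosign:<tag> AS cosign" and "COPY --from=cosign",
# mirroring how gitlab-exiftool is consumed.
FROM debian:bullseye-slim
COPY --from=cosign-builder /out/cosign /usr/local/bin/cosign

# Build-time equivalent of verification step 3: fail the build if the binary
# is missing, not executable, or does not run on this base image.
RUN cosign version
```

Building this file with docker build and then running docker run -it IMAGE_NAME bash followed by cosign --version reproduces the verification steps; the RUN cosign version line additionally makes the CI build itself fail if the binary was not copied correctly, which is the check a reviewer would want before the UBI variant is repeated.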

Edited by Sam Roque-Worcel