Merge pull request #1 from controlplaneio-fluxcd/slsa-3

Conform with SLSA build level 3

.github/workflows/release.yml

@@ -99,7 +99,7 @@ jobs:
       - name: Generate SLSA metadata
         id: slsa
         run: |          
-          image_url=fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }}
+          image_url=ghcr.io/controlplaneio-fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }}
           echo "image_url=$image_url" >> $GITHUB_OUTPUT
           
           image_digest=${{ steps.build-push.outputs.digest }}
@@ -114,7 +114,7 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/v')
     uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
     with:
-      image: ghcr.io/${{ needs.release.outputs.image_url }}
+      image: ${{ needs.release.outputs.image_url }}
       digest: ${{ needs.release.outputs.image_digest }}
       registry-username: ${{ github.actor }}
     secrets:

README.md

@@ -3,6 +3,7 @@
 [![release](https://img.shields.io/github/release/controlplaneio-fluxcd/flux-operator/all.svg)](https://github.com/controlplaneio-fluxcd/flux-operator/releases)
 [![e2e](https://github.com/controlplaneio-fluxcd/flux-operator/actions/workflows/e2e.yaml/badge.svg)](https://github.com/controlplaneio-fluxcd/flux-operator/actions/workflows/e2e.yaml)
 [![license](https://img.shields.io/github/license/controlplaneio-fluxcd/flux-operator.svg)](https://github.com/controlplaneio-fluxcd/flux-operator/blob/main/LICENSE)
+[![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](#supply-chain-security)
 
 The Flux Operator is a Kubernetes CRD controller that manages
 the lifecycle of the [Flux CD](https://fluxcd.io) distribution.
@@ -73,3 +74,63 @@ spec:
             path: /spec/template/spec/containers/0/args/-
             value: --requeue-dependency=5s
 ```
+
+## Supply Chain Security
+
+The build, release and provenance portions of the ControlPlane distribution supply chain meet
+[SLSA Build Level 3](https://slsa.dev/spec/v1.0/levels).
+
+### Software Bill of Materials
+
+The ControlPlane images come with SBOMs in SPDX format for each CPU architecture.
+
+Example of extracting the SBOM from the flux-operator image:
+
+```shell
+docker buildx imagetools inspect \
+    ghcr.io/controlplaneio-fluxcd/flux-operator:v0.0.2 \
+    --format "{{ json (index .SBOM \"linux/amd64\").SPDX}}"
+```
+
+### Signature Verification
+
+The ControlPlane images are signed using Sigstore Cosign and GitHub OIDC.
+
+Example of verifying the signature of the flux-operator image:
+
+```shell
+cosign verify ghcr.io/controlplaneio-fluxcd/flux-operator:v0.0.2 \
+  --certificate-identity-regexp=^https://github\\.com/controlplaneio-fluxcd/.*$ \
+  --certificate-oidc-issuer=https://token.actions.githubusercontent.com
+```
+
+### SLSA Provenance Verification
+
+The provenance attestations are generated at build time with Docker Buildkit and
+include facts about the build process such as:
+
+- Build timestamps
+- Build parameters and environment
+- Version control metadata
+- Source code details
+- Materials (files, scripts) consumed during the build
+
+Example of extracting the SLSA provenance JSON for the flux-operator image:
+
+```shell
+docker buildx imagetools inspect \
+  ghcr.io/controlplaneio-fluxcd/flux-operator:v0.0.2 \
+  --format "{{ json (index .Provenance \"linux/amd64\").SLSA}}"
+```
+
+The provenance of the build artifacts is generated with the official
+[SLSA GitHub Generator](https://github.com/slsa-framework/slsa-github-generator).
+
+Example of verifying the provenance of the flux-operator image:
+
+```shell
+cosign verify-attestation --type slsaprovenance \
+  --certificate-identity-regexp=^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml.*$ \
+  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+  ghcr.io/controlplaneio-fluxcd/flux-operator:v0.0.2
+```

config/manager/kustomization.yaml

@@ -7,4 +7,4 @@ resources:
 images:
 - name: flux-operator
   newName: ghcr.io/controlplaneio-fluxcd/flux-operator
-  newTag: v0.0.1
+  newTag: v0.0.2