First batch of followups to sigstore#1650 (sigstore#1664)

* First batch of followups to sigstore#1650 Signed-off-by: Ville Aikas <[email protected]> * Fix few typos. Signed-off-by: Ville Aikas <[email protected]> * remove some unnecessary cruft since the actions handle them. Signed-off-by: Ville Aikas <[email protected]> * kubectl apply vs. create Signed-off-by: Ville Aikas <[email protected]> * try harder Signed-off-by: Ville Aikas <[email protected]> * registry before installations. Signed-off-by: Ville Aikas <[email protected]> * Remove trying with 1.23 which might have different job retry behaviour. Signed-off-by: Ville Aikas <[email protected]>
mlieberman85 · May 6, 2022 · 4c80af5 · 4c80af5
1 parent a886b99
commit 4c80af5
Show file tree

Hide file tree

Showing 5 changed files with 50 additions and 118 deletions.
diff --git a/.github/workflows/kind-cluster-image-policy.yaml b/.github/workflows/kind-cluster-image-policy.yaml
@@ -33,24 +33,21 @@ jobs:
       matrix:
         k8s-version:
         - v1.21.x
+        - v1.22.x
+        # Try without this one now, might have problems with job restartings
+        # may require upstream changes.
+        #- v1.23.x
 
     env:
       KNATIVE_VERSION: "1.1.0"
-      KO_DOCKER_REPO: "registry.local:5000/knative"
+      KO_DOCKER_REPO: "registry.local:5000/cosigned"
       SCAFFOLDING_RELEASE_VERSION: "v0.2.2"
       GO111MODULE: on
       GOFLAGS: -ldflags=-s -ldflags=-w
       KOCACHE: ~/ko
       COSIGN_EXPERIMENTAL: true
 
     steps:
-    - name: Configure DockerHub mirror
-      run: |
-        tmp=$(mktemp)
-        jq '."registry-mirrors" = ["https://mirror.gcr.io"]' /etc/docker/daemon.json > "$tmp"
-        sudo mv "$tmp" /etc/docker/daemon.json
-        sudo service docker restart
-
     - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v2.4.0
     - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # v2.2.0
       with:
@@ -59,20 +56,34 @@ jobs:
     # will use the latest release available for ko
     - uses: imjasonh/setup-ko@2c3450ca27f6e6f2b02e72a40f2163c281a1f675 # v0.4
 
-    - name: Setup Cluster
+    - name: Install yq
+      uses: mikefarah/yq@03f57b7034d0330d54663881def67523347dfc9c # v4.16.2
+
+    - name: Setup mirror
+      uses: chainguard-dev/actions/setup-mirror@main
+      with:
+        mirror: mirror.gcr.io
+
+    - name: build cosign
       run: |
-        curl -Lo ./setup-kind.sh https://github.com/sigstore/scaffolding/releases/download/${{ env.SCAFFOLDING_RELEASE_VERSION }}/setup-kind.sh
-        chmod u+x ./setup-kind.sh
-        ./setup-kind.sh \
-          --registry-url $(echo ${KO_DOCKER_REPO} | cut -d'/' -f 1) \
-          --cluster-suffix cluster.local \
-          --k8s-version ${{ matrix.k8s-version }} \
-          --knative-version ${KNATIVE_VERSION}
-
-    - name: Install all the everythings
+        make cosign
+
+    - name: Setup kind cluster
+      uses: chainguard-dev/actions/setup-kind@main
+      with:
+        k8s-version: "${{ matrix.k8s-version }}"
+        cluster-suffix: "${{ matrix.cluster-suffix }}"
+
+    - name: Install knative
+      uses: chainguard-dev/actions/setup-knative@main
+      with:
+        serving-features: '{"kubernetes.podspec-fieldref":"enabled", "kubernetes.podspec-volumes-emptydir":"enabled", "kubernetes.podspec-init-containers": "enabled", "kubernetes.podspec-securitycontext":"enabled"}'
+        serving-autoscaler: '{"min-scale":"1","max-scale":"1"}'
+
+    - name: Install all the everythings, fulcio, rekor, ctlog...
       timeout-minutes: 10
       run: |
-        curl -L https://github.com/sigstore/scaffolding/releases/download/${{ env.SCAFFOLDING_RELEASE_VERSION }}/release.yaml | kubectl apply -f -
+        kubectl apply -f https://github.com/sigstore/scaffolding/releases/download/${{ env.SCAFFOLDING_RELEASE_VERSION }}/release.yaml
 
         # Wait for all the ksvc to be up.
         kubectl wait --timeout 10m -A --for=condition=Ready ksvc --all
@@ -89,7 +100,7 @@ jobs:
         # so we can verify against it.
         kubectl -n fulcio-system get secrets fulcio-secret -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl apply -f -
 
-        curl -L https://github.com/sigstore/scaffolding/releases/download/${{ env.SCAFFOLDING_RELEASE_VERSION }}/testrelease.yaml | kubectl create -f -
+        kubectl apply -f https://github.com/sigstore/scaffolding/releases/download/${{ env.SCAFFOLDING_RELEASE_VERSION }}/testrelease.yaml
 
         kubectl wait --for=condition=Complete --timeout=180s job/sign-job job/checktree job/verify-job
 
@@ -146,7 +157,8 @@ jobs:
         sleep 2
         kubectl wait --for=condition=Ready --timeout=15s ksvc gettoken
 
-    # These set up the env variables so that
+    # These set up the env variables so that we can invoke cosign against the
+    # cluster sigstore services (fulcio, rekor, etc.)
     - name: Set the endpoints on the cluster and grab secrets
       run: |
         REKOR_URL=`kubectl -n rekor-system get --no-headers ksvc rekor | cut -d ' ' -f 4`
@@ -173,10 +185,6 @@ jobs:
       run: |
         kubectl apply -f ./test/testdata/cosigned/e2e/cip.yaml
 
-    - name: build cosign
-      run: |
-        make cosign
-
     - name: Sign demoimage with cosign
       run: |
         ./cosign sign --rekor-url ${{ env.REKOR_URL }} --fulcio-url ${{ env.FULCIO_URL }} --force --allow-insecure-registry ${{ env.demoimage }} --identity-token ${{ env.OIDC_TOKEN }}

diff --git a/.github/workflows/kind-e2e-cosigned.yaml b/.github/workflows/kind-e2e-cosigned.yaml
@@ -29,26 +29,9 @@ jobs:
       fail-fast: false # Keep running if one leg fails.
       matrix:
         k8s-version:
-        - v1.21.2
-        - v1.22.4
-        - v1.23.0
-
-        include:
-          # Map between K8s and KinD versions.
-          # This is attempting to make it a bit clearer what's being tested.
-          # See: https://github.com/kubernetes-sigs/kind/releases
-        - k8s-version: v1.21.2
-          kind-version: v0.11.1
-          kind-image-sha: sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6
-          cluster-suffix: c${{ github.run_id }}.local
-        - k8s-version: v1.22.4
-          kind-version: v0.11.1
-          kind-image-sha: sha256:ca3587e6e545a96c07bf82e2c46503d9ef86fc704f44c17577fca7bcabf5f978
-          cluster-suffix: c${{ github.run_id }}.local
-        - k8s-version: v1.23.0
-          kind-version: v0.11.1
-          kind-image-sha: sha256:2f93d3c7b12a3e93e6c1f34f331415e105979961fcddbe69a4e3ab5a93ccbb35
-          cluster-suffix: c${{ github.run_id }}.local
+        - v1.21.x
+        - v1.22.x
+        - v1.23.x
 
     env:
       # https://github.com/google/go-containerregistry/pull/125 allows insecure registry for
@@ -74,76 +57,16 @@ jobs:
       run: |
         go install ./cmd/cosign
 
-    # This KinD setup is based on what we use for knative/serving on GHA, and it includes several "fun"
-    # monkey wrenches (e.g. randomizing cluster suffix: `.svc.cluster.local`) to make sure we don't bake
-    # in any invalid assumptions about a particular Kubernetes configuration.
-    - name: Install KinD
-      run: |
-        set -x
-        # Disable swap otherwise memory enforcement doesn't work
-        # See: https://kubernetes.slack.com/archives/CEKK1KTN2/p1600009955324200
-        sudo swapoff -a
-        sudo rm -f /swapfile
-        # Use in-memory storage to avoid etcd server timeouts.
-        # https://kubernetes.slack.com/archives/CEKK1KTN2/p1615134111016300
-        # https://github.com/kubernetes-sigs/kind/issues/845
-        sudo mkdir -p /tmp/etcd
-        sudo mount -t tmpfs tmpfs /tmp/etcd
-        go install sigs.k8s.io/kind@${{ matrix.kind-version }}
-
-    - name: Configure KinD Cluster
-      run: |
-        set -x
-        # KinD configuration.
-        cat > kind.yaml <<EOF
-        apiVersion: kind.x-k8s.io/v1alpha4
-        kind: Cluster
-        # Configure registry for KinD.
-        containerdConfigPatches:
-        - |-
-          [plugins."io.containerd.grpc.v1.cri".registry.mirrors."$REGISTRY_NAME:$REGISTRY_PORT"]
-            endpoint = ["http://$REGISTRY_NAME:$REGISTRY_PORT"]
-        # This is needed in order to support projected volumes with service account tokens.
-        # See: https://kubernetes.slack.com/archives/CEKK1KTN2/p1600268272383600
-        kubeadmConfigPatches:
-          - |
-            apiVersion: kubeadm.k8s.io/v1beta2
-            kind: ClusterConfiguration
-            metadata:
-              name: config
-            apiServer:
-              extraArgs:
-                "service-account-issuer": "kubernetes.default.svc"
-                "service-account-signing-key-file": "/etc/kubernetes/pki/sa.key"
-            networking:
-              dnsDomain: "${{ matrix.cluster-suffix }}"
-        nodes:
-        - role: control-plane
-          image: kindest/node:${{ matrix.k8s-version }}@${{ matrix.kind-image-sha }}
-          extraMounts:
-          - containerPath: /var/lib/etcd
-            hostPath: /tmp/etcd
-        - role: worker
-          image: kindest/node:${{ matrix.k8s-version }}@${{ matrix.kind-image-sha }}
-        EOF
-
-    - name: Create KinD Cluster
-      run: |
-        set -x
-        kind create cluster --config kind.yaml
-
-    - name: Setup local registry
-      run: |
-        # Run a registry.
-        docker run -d --restart=always \
-          -p $REGISTRY_PORT:$REGISTRY_PORT --name $REGISTRY_NAME registry:2
-
-        # Connect the registry to the KinD network.
-        docker network connect "kind" $REGISTRY_NAME
+    - name: Setup mirror
+      uses: chainguard-dev/actions/setup-mirror@main
+      with:
+        mirror: mirror.gcr.io
 
-        # Make the $REGISTRY_NAME -> 127.0.0.1, to tell `ko` to publish to
-        # local reigstry, even when pushing $REGISTRY_NAME:$REGISTRY_PORT/some/image
-        sudo echo "127.0.0.1 $REGISTRY_NAME" | sudo tee -a /etc/hosts
+    - name: Setup kind cluster
+      uses: chainguard-dev/actions/setup-kind@main
+      with:
+        k8s-version: ${{ matrix.k8s-version }}
+        cluster-suffix: c${{ github.run_id }}.local
 
     - name: Setup local insecure registry
       run: |

diff --git a/pkg/apis/config/image_policies_test.go b/pkg/apis/config/image_policies_test.go
@@ -117,6 +117,7 @@ func TestGetAuthorities(t *testing.T) {
 }
 
 func checkGetMatches(t *testing.T, c map[string][]v1alpha1.Authority, err error) {
+	t.Helper()
 	if err != nil {
 		t.Error("GetMatches Failed =", err)
 	}

diff --git a/pkg/cosign/kubernetes/webhook/validator.go b/pkg/cosign/kubernetes/webhook/validator.go
@@ -278,7 +278,7 @@ func validatePolicies(ctx context.Context, ref name.Reference, defaultKC authn.K
 				logging.FromContext(ctx).Debugf("Fetching FulcioRoot for %s : From: %s ", ref.Name(), authority.Keyless.URL)
 				fulcioroot, err := getFulcioCert(authority.Keyless.URL)
 				if err != nil {
-					authorityErrors = append(authorityErrors, errors.Wrap(err, "failed to fetch FulcioRoot"))
+					authorityErrors = append(authorityErrors, errors.Wrap(err, "fetching FulcioRoot"))
 					continue
 				}
 				var rekorClient *client.Rekor
@@ -293,8 +293,8 @@ func validatePolicies(ctx context.Context, ref name.Reference, defaultKC authn.K
 				}
 				sps, err := validSignaturesWithFulcio(ctx, ref, fulcioroot, rekorClient, opts)
 				if err != nil {
-					logging.FromContext(ctx).Errorf("failed validSignatures for %s: %v", ref.Name(), err)
-					authorityErrors = append(authorityErrors, errors.Wrap(err, "validate signatures"))
+					logging.FromContext(ctx).Errorf("failed validSignatures with fulcio for %s: %v", ref.Name(), err)
+					authorityErrors = append(authorityErrors, errors.Wrap(err, "validate signatures with fulcio"))
 				} else {
 					if len(sps) > 0 {
 						logging.FromContext(ctx).Debugf("validated signature for %s, got %d signatures", len(sps))

diff --git a/test/testdata/cosigned/e2e/cip.yaml b/test/testdata/cosigned/e2e/cip.yaml
@@ -18,7 +18,7 @@ metadata:
   name: image-policy
 spec:
   images:
-  - glob: registry.local:5000/knative/demo*
+  - glob: registry.local:5000/cosigned/demo*
   authorities:
   - keyless:
       url: http://fulcio.fulcio-system.svc