Skip to content

Commit

Permalink
Add valid signaturePullSecrets test
Browse files Browse the repository at this point in the history
Signed-off-by: Denny Hoang <[email protected]>
  • Loading branch information
DennyHoang committed Apr 27, 2022
1 parent f4063d6 commit 65bd3fd
Showing 1 changed file with 59 additions and 8 deletions.
67 changes: 59 additions & 8 deletions pkg/cosign/kubernetes/webhook/validator_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,6 @@ import (
"github.com/sigstore/cosign/pkg/oci/static"
batchv1 "k8s.io/api/batch/v1"
corev1 "k8s.io/api/core/v1"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"knative.dev/pkg/apis"
Expand Down Expand Up @@ -123,11 +122,23 @@ UoJou2P8sbDxpLiE/v3yLw1/jyOrCPWYHWFXnyyeGlkgSVefG54tNoK7Uw==
})

kc := fakekube.Get(ctx)
kc.CoreV1().ServiceAccounts("default").Create(ctx, &corev1.ServiceAccount{
ObjectMeta: metav1.ObjectMeta{
Name: "default",
},
}, metav1.CreateOptions{})
// Setup service acc and fakeSignaturePullSecrets for "default" and "cosign-system" namespace
for _, ns := range []string{"default", system.Namespace()} {
kc.CoreV1().ServiceAccounts(ns).Create(ctx, &corev1.ServiceAccount{
ObjectMeta: metav1.ObjectMeta{
Name: "default",
},
}, metav1.CreateOptions{})

kc.CoreV1().Secrets(ns).Create(ctx, &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: "fakeSignaturePullSecrets",
},
Data: map[string][]byte{
"dockerconfigjson": []byte(`{"auths":{"https://index.docker.io/v1/":{"username":"username","password":"password","auth":"dXNlcm5hbWU6cGFzc3dvcmQ="}}`),
},
}, metav1.CreateOptions{})
}

v := NewValidator(ctx, secretName)

Expand Down Expand Up @@ -470,7 +481,7 @@ UoJou2P8sbDxpLiE/v3yLw1/jyOrCPWYHWFXnyyeGlkgSVefG54tNoK7Uw==
}(),
cvs: fail,
}, {
name: "simple, error, authority source signaturePullSecrets, invalid secret",
name: "simple, error, authority source signaturePullSecrets, non exisiting secret",
ps: &corev1.PodSpec{
InitContainers: []corev1.Container{{
Name: "setup-stuff",
Expand All @@ -497,7 +508,7 @@ UoJou2P8sbDxpLiE/v3yLw1/jyOrCPWYHWFXnyyeGlkgSVefG54tNoK7Uw==
},
Sources: []v1alpha1.Source{{
OCI: "example.com/alternative/signature",
SignaturePullSecrets: []v1.LocalObjectReference{{
SignaturePullSecrets: []corev1.LocalObjectReference{{
Name: "non-existing-secret",
}},
}},
Expand All @@ -521,6 +532,46 @@ UoJou2P8sbDxpLiE/v3yLw1/jyOrCPWYHWFXnyyeGlkgSVefG54tNoK7Uw==
return errs
}(),
cvs: authorityPublicKeyCVS,
}, {
name: "simple, no error, authority source signaturePullSecrets, valid secret",
ps: &corev1.PodSpec{
InitContainers: []corev1.Container{{
Name: "setup-stuff",
Image: digest.String(),
}},
Containers: []corev1.Container{{
Name: "user-container",
Image: digest.String(),
}},
},
customContext: config.ToContext(ctx,
&config.Config{
ImagePolicyConfig: &config.ImagePolicyConfig{
Policies: map[string]webhookcip.ClusterImagePolicy{
"cluster-image-policy": {
Images: []v1alpha1.ImagePattern{{
Regex: ".*",
}},
Authorities: []webhookcip.Authority{
{
Key: &webhookcip.KeyRef{
Data: authorityKeyCosignPubString,
PublicKeys: []crypto.PublicKey{authorityKeyCosignPub},
},
Sources: []v1alpha1.Source{{
OCI: "example.com/alternative/signature",
SignaturePullSecrets: []corev1.LocalObjectReference{{
Name: "fakeSignaturePullSecrets",
}},
}},
},
},
},
},
},
},
),
cvs: authorityPublicKeyCVS,
}}

for _, test := range tests {
Expand Down

0 comments on commit 65bd3fd

Please sign in to comment.