From f7f1b0165d6d1223735e904b18ebae8a097495ee Mon Sep 17 00:00:00 2001
From: hectorj2f
Date: Wed, 18 May 2022 14:53:13 +0200
Subject: [PATCH] chore: rename script references to cosigned
Signed-off-by: hectorj2f
---
.github/workflows/build.yaml | 4 +-
...luster-image-policy-with-attestations.yaml | 14 +-
.../workflows/kind-cluster-image-policy.yaml | 14 +-
.github/workflows/kind-e2e-cosigned.yaml | 14 +-
.../workflows/kind-verify-attestation.yaml | 2 +-
.gitignore | 2 +-
.ko.yaml | 2 +-
Makefile | 24 +-
hack/update-codegen.sh | 4 +-
release/ko-sign-release-images.sh | 8 +-
release/release.mk | 8 +-
test/e2e_test_cosigned.sh | 260 ------------------
12 files changed, 48 insertions(+), 308 deletions(-)
delete mode 100755 test/e2e_test_cosigned.sh
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 5b1ae9c7dabe..2aa07f1edd6f 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -58,7 +58,7 @@ jobs:
run: gcloud auth configure-docker --quiet
- name: container
run: echo -n "${{secrets.COSIGN_PASSWORD}}" | KO_PREFIX=gcr.io/projectsigstore/cosign/ci make sign-container
- - name: cosigned
- run: echo -n "${{secrets.COSIGN_PASSWORD}}" | KO_PREFIX=gcr.io/projectsigstore/cosign/ci make sign-cosigned
+ - name: policy-controller
+ run: echo -n "${{secrets.COSIGN_PASSWORD}}" | KO_PREFIX=gcr.io/projectsigstore/cosign/ci make sign-policy-controller
- name: sget
run: echo -n "${{secrets.COSIGN_PASSWORD}}" | KO_PREFIX=gcr.io/projectsigstore/cosign/ci make sign-sget
diff --git a/.github/workflows/kind-cluster-image-policy-with-attestations.yaml b/.github/workflows/kind-cluster-image-policy-with-attestations.yaml
index 33500bbc17f0..4f29a2e39313 100644
--- a/.github/workflows/kind-cluster-image-policy-with-attestations.yaml
+++ b/.github/workflows/kind-cluster-image-policy-with-attestations.yaml
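Review bot: The renamed step in build.yaml calls `make sign-policy-controller`, but no hunk in this patch renames a `sign-cosigned` target: the Makefile hunks only touch `policy-controller`, `ko-policy-controller` and `kustomize-policy-controller`, and release.mk only the `copy-*` targets. Unless `sign-policy-controller` is defined somewhere outside this diff, the CI signing job will stop at this step with "No rule to make target" and the webhook image is not signed by CI. Either keep `run: ... make sign-cosigned` until the target exists, or include the matching rename of the `sign-*` target in this commit.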
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-name: Test cosigned with ClusterImagePolicy with attestations
+name: Test policy-controller with ClusterImagePolicy with attestations
on:
pull_request:
@@ -40,7 +40,7 @@ jobs:
env:
KNATIVE_VERSION: "1.1.0"
- KO_DOCKER_REPO: "registry.local:5000/cosigned"
+ KO_DOCKER_REPO: "registry.local:5000/policy-controller"
SCAFFOLDING_RELEASE_VERSION: "v0.2.8"
GO111MODULE: on
GOFLAGS: -ldflags=-s -ldflags=-w
@@ -74,17 +74,17 @@ jobs:
- name: Install cluster + cosign
uses: sigstore/scaffolding/actions/setup@main
- - name: Install cosigned
+ - name: Install policy-controller
env:
GIT_HASH: ${{ github.sha }}
GIT_VERSION: ci
LDFLAGS: ""
- COSIGNED_YAML: cosigned-e2e.yaml
- KO_PREFIX: registry.local:5000/cosigned
+ COSIGNED_YAML: policy-controller-e2e.yaml
+ KO_PREFIX: registry.local:5000/cospolicy-controllerigned
COSIGNED_ARCHS: linux/amd64
run: |
- make ko-cosigned
- kubectl apply -f cosigned-e2e.yaml
+ make ko-policy-controller
+ kubectl apply -f policy-controller-e2e.yaml
# Wait for the webhook to come up and become Ready
kubectl rollout status --timeout 5m --namespace cosign-system deployments/webhook
diff --git a/.github/workflows/kind-cluster-image-policy.yaml b/.github/workflows/kind-cluster-image-policy.yaml
index 497a45dd8e20..5722c114f928 100644
--- a/.github/workflows/kind-cluster-image-policy.yaml
+++ b/.github/workflows/kind-cluster-image-policy.yaml
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-name: Test cosigned with ClusterImagePolicy
+name: Test policy-controller with ClusterImagePolicy
on:
pull_request:
@@ -40,7 +40,7 @@ jobs:
env:
KNATIVE_VERSION: "1.1.0"
- KO_DOCKER_REPO: "registry.local:5000/cosigned"
+ KO_DOCKER_REPO: "registry.local:5000/policy-controller"
SCAFFOLDING_RELEASE_VERSION: "v0.2.2"
GO111MODULE: on
GOFLAGS: -ldflags=-s -ldflags=-w
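Review bot: In the attestations workflow's "Install policy-controller" step the search-and-replace mangled the prefix: `KO_PREFIX: registry.local:5000/cospolicy-controllerigned`. The Makefile's `ko-policy-controller` target builds its push repo as `$(KO_PREFIX)/policy-controller`, so this job pushes the webhook image under `registry.local:5000/cospolicy-controllerigned/policy-controller`, which no longer agrees with the job-level `KO_DOCKER_REPO` nor with the value the sibling workflows in this patch use. It should read `KO_PREFIX: registry.local:5000/policy-controller`.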
@@ -74,17 +74,17 @@ jobs:
- name: Install cluster + cosign
uses: sigstore/scaffolding/actions/setup@main
- - name: Install cosigned
+ - name: Install policy-controller
env:
GIT_HASH: ${{ github.sha }}
GIT_VERSION: ci
LDFLAGS: ""
- COSIGNED_YAML: cosigned-e2e.yaml
- KO_PREFIX: registry.local:5000/cosigned
+ COSIGNED_YAML: policy-controller-e2e.yaml
+ KO_PREFIX: registry.local:5000/policy-controller
COSIGNED_ARCHS: linux/amd64
run: |
- make ko-cosigned
- kubectl apply -f cosigned-e2e.yaml
+ make ko-policy-controller
+ kubectl apply -f policy-controller-e2e.yaml
# Wait for the webhook to come up and become Ready
kubectl rollout status --timeout 5m --namespace cosign-system deployments/webhook
diff --git a/.github/workflows/kind-e2e-cosigned.yaml b/.github/workflows/kind-e2e-cosigned.yaml
index 8ad355056b2b..110946c50ad8 100644
--- a/.github/workflows/kind-e2e-cosigned.yaml
+++ b/.github/workflows/kind-e2e-cosigned.yaml
@@ -40,7 +40,7 @@ jobs:
REGISTRY_PORT: 5000
INSECURE_REGISTRY_NAME: insecure-registry.notlocal
INSECURE_REGISTRY_PORT: 5001
- KO_DOCKER_REPO: registry.local:5000/cosigned
+ KO_DOCKER_REPO: registry.local:5000/policy-controller
steps:
- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.4.0
@@ -97,17 +97,17 @@ jobs:
# local registry, even when pushing $INSECURE_REGISTRY_NAME:$INSECURE_REGISTRY_NAME/some/image
sudo echo "127.0.0.1 $INSECURE_REGISTRY_NAME" | sudo tee -a /etc/hosts
- - name: Install cosigned
+ - name: Install policy-controller
env:
GIT_HASH: ${{ github.sha }}
GIT_VERSION: ci
LDFLAGS: ""
- COSIGNED_YAML: cosigned-e2e.yaml
- KO_PREFIX: registry.local:5000/cosigned
+ COSIGNED_YAML: policy-controller-e2e.yaml
+ KO_PREFIX: registry.local:5000/policy-controller
COSIGNED_ARCHS: linux/amd64
run: |
- make ko-cosigned
- kubectl apply -f cosigned-e2e.yaml
+ make ko-policy-controller
+ kubectl apply -f policy-controller-e2e.yaml
# Wait for the webhook to come up and become Ready
kubectl rollout status --timeout 5m --namespace cosign-system deployments/webhook
@@ -123,7 +123,7 @@ jobs:
- name: Run Cosigned Tests
run: |
- ./test/e2e_test_cosigned.sh
+ ./test/e2e_test_policy_controller.sh
- name: Collect diagnostics
if: ${{ failure() }}
diff --git a/.github/workflows/kind-verify-attestation.yaml b/.github/workflows/kind-verify-attestation.yaml
index d291c1b57632..cf0727bb656f 100644
--- a/.github/workflows/kind-verify-attestation.yaml
+++ b/.github/workflows/kind-verify-attestation.yaml
@@ -40,7 +40,7 @@ jobs:
env:
KNATIVE_VERSION: "1.1.0"
- KO_DOCKER_REPO: "registry.local:5000/cosigned"
+ KO_DOCKER_REPO: "registry.local:5000/policy-controller"
SCAFFOLDING_RELEASE_VERSION: "v0.2.2"
GO111MODULE: on
GOFLAGS: -ldflags=-s -ldflags=-w
diff --git a/.gitignore b/.gitignore
index 2c833c92ae7d..5ef31f9f5d59 100644
--- a/.gitignore
+++ b/.gitignore
@@ -28,7 +28,7 @@ bin*
dist/
cosignImagerefs
-cosignedImagerefs
+policyControllerImagerefs
sgetImagerefs
policyImagerefs
diff --git a/.ko.yaml b/.ko.yaml
index 6fe5f6c178dd..7834fb846d66 100644
--- a/.ko.yaml
+++ b/.ko.yaml
@@ -32,7 +32,7 @@ builds:
- -extldflags "-static"
- "{{ .Env.LDFLAGS }}"
-- id: cosigned
+- id: policy-controller
dir: .
main: ./cmd/cosign/webhook
env:
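Review bot: The "Run Cosigned Tests" step now executes `./test/e2e_test_policy_controller.sh`, but this patch deletes `test/e2e_test_cosigned.sh` without adding a replacement: the diffstat lists only the deletion, no rename and no new file. Unless the new script lands in a separate commit, the step fails on a missing file, and the e2e checks that the webhook rejects unsigned Pods, Jobs and CronJobs and resolves tags to digests are silently dropped from CI. Either rename the script in this commit (`git mv` keeps its history) or leave `./test/e2e_test_cosigned.sh` in place until the new path exists; the step name `Run Cosigned Tests` should follow the rename too.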
diff --git a/Makefile b/Makefile
index 4844bc3e9cd7..e7e4fc91e74d 100644
--- a/Makefile
+++ b/Makefile
@@ -91,9 +91,9 @@ cosign: $(SRCS)
cosign-pivkey-pkcs11key: $(SRCS)
CGO_ENABLED=1 go build -trimpath -tags=pivkey,pkcs11key -ldflags "$(LDFLAGS)" -o cosign ./cmd/cosign
-## Build cosigned binary
-.PHONY: cosigned
-cosigned: policy-webhook
+## Build policy-controller binary
+.PHONY: policy-controller
+policy-controller: policy-webhook
CGO_ENABLED=0 go build -trimpath -ldflags "$(LDFLAGS)" -o $@ ./cmd/cosign/webhook
.PHONY: policy-webhook
@@ -128,7 +128,7 @@ test:
clean:
rm -rf cosign
- rm -rf cosigned
+ rm -rf policy-controller
rm -rf sget
rm -rf dist/
@@ -151,7 +151,7 @@ endef
# ko build
##########
.PHONY: ko
-ko: ko-cosign ko-sget ko-cosigned
+ko: ko-cosign ko-sget ko-policy-controller
.PHONY: ko-cosign
ko-cosign:
@@ -171,13 +171,13 @@ ko-sget:
--image-refs sgetImagerefs \
github.com/sigstore/cosign/cmd/sget
-.PHONY: ko-cosigned
-ko-cosigned: kustomize-cosigned ko-policy-webhook
- # cosigned
+.PHONY: ko-policy-controller
+ko-policy-controller: kustomize-policy-controller ko-policy-webhook
+ # policy-controller
LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
- KOCACHE=$(KOCACHE_PATH) KO_DOCKER_REPO=$(KO_PREFIX)/cosigned ko resolve --bare \
+ KOCACHE=$(KOCACHE_PATH) KO_DOCKER_REPO=$(KO_PREFIX)/policy-controller ko resolve --bare \
--platform=$(COSIGNED_ARCHS) --tags $(GIT_VERSION) --tags $(GIT_HASH)$(LATEST_TAG) \
- --image-refs cosignedImagerefs --filename config/webhook.yaml >> $(COSIGNED_YAML)
+ --image-refs policyControllerImagerefs --filename config/webhook.yaml >> $(COSIGNED_YAML)
ko-policy-webhook:
# policy_webhook
@@ -212,8 +212,8 @@ ko-apply:
LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) ko apply -Bf config/
-.PHONY: kustomize-cosigned
-kustomize-cosigned:
+.PHONY: kustomize-policy-controller
+kustomize-policy-controller:
kustomize build config/ > $(COSIGNED_YAML)
##################
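Review bot: The `ko-policy-controller` target still reads its inputs from `COSIGNED_YAML` and `COSIGNED_ARCHS`, so the rename stops at the target names while the variables every caller must set keep the legacy name; the workflows in this patch set them under the old names. That is acceptable for a staged rename, but without a note the next reader will assume the rename is complete and "fix" one side only. A comment on the target, `# NOTE: COSIGNED_YAML / COSIGNED_ARCHS keep their legacy names; callers in .github/workflows set them`, would make the intent explicit.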
diff --git a/hack/update-codegen.sh b/hack/update-codegen.sh
index 323c687c204d..c1f7018bfd37 100755
--- a/hack/update-codegen.sh
+++ b/hack/update-codegen.sh
@@ -45,7 +45,7 @@ group "Kubernetes Codegen"
# instead of the $GOPATH directly. For normal projects this can be dropped.
${CODEGEN_PKG}/generate-groups.sh "deepcopy,client,informer,lister" \
github.com/sigstore/cosign/pkg/client github.com/sigstore/cosign/pkg/apis \
- "cosigned:v1alpha1 cosigned:v1beta1" \
+ "policycontroller:v1alpha1 policycontroller:v1beta1" \
--go-header-file ${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.go.txt
group "Knative Codegen"
@@ -53,7 +53,7 @@ group "Knative Codegen"
# Knative Injection
${KNATIVE_CODEGEN_PKG}/hack/generate-knative.sh "injection" \
github.com/sigstore/cosign/pkg/client github.com/sigstore/cosign/pkg/apis \
- "cosigned:v1alpha1 cosigned:v1beta1" \
+ "policycontroller:v1alpha1 policycontroller:v1beta1" \
--go-header-file ${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.go.txt
group "Update CRD Schema"
diff --git a/release/ko-sign-release-images.sh b/release/ko-sign-release-images.sh
index 47a1cea973c2..a0fbc0d6b3d8 100755
--- a/release/ko-sign-release-images.sh
+++ b/release/ko-sign-release-images.sh
@@ -37,8 +37,8 @@ if [[ ! -f sgetImagerefs ]]; then
exit 1
fi
-if [[ ! -f cosignedImagerefs ]]; then
- echo "cosignedImagerefs not found"
+if [[ ! -f policyControllerImagerefs ]]; then
+ echo "policyControllerImagerefs not found"
exit 1
fi
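Review bot: Switching the codegen groups to `"policycontroller:v1alpha1 policycontroller:v1beta1"` makes generate-groups.sh and generate-knative.sh look for `pkg/apis/policycontroller/v1alpha1` and `v1beta1` under the `github.com/sigstore/cosign/pkg/apis` base and emit clients, informers and listers under that group name, but nothing in this patch moves or renames the existing `cosigned` API packages. Unless that move is part of a separate commit, running `hack/update-codegen.sh` will fail on the missing directories or generate code that no longer matches the types the webhook serves. Either land the package rename together with this change, or keep `"cosigned:v1alpha1 cosigned:v1beta1"` here until it has landed.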
@@ -51,11 +51,11 @@ echo "Signing cosign images with GCP KMS Key..."
cosign sign --force --key "gcpkms://projects/$PROJECT_ID/locations/$KEY_LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME/versions/$KEY_VERSION" -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" "$(cat cosignImagerefs)"
cosign sign --force --key "gcpkms://projects/$PROJECT_ID/locations/$KEY_LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME/versions/$KEY_VERSION" -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" "$(cat sgetImagerefs)"
-cosign sign --force --key "gcpkms://projects/$PROJECT_ID/locations/$KEY_LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME/versions/$KEY_VERSION" -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" "$(cat cosignedImagerefs)"
+cosign sign --force --key "gcpkms://projects/$PROJECT_ID/locations/$KEY_LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME/versions/$KEY_VERSION" -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" "$(cat policyControllerImagerefs)"
cosign sign --force --key "gcpkms://projects/$PROJECT_ID/locations/$KEY_LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME/versions/$KEY_VERSION" -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" "$(cat policyImagerefs)"
echo "Signing images with Keyless..."
cosign sign --force -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" "$(cat cosignImagerefs)"
cosign sign --force -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" "$(cat sgetImagerefs)"
-cosign sign --force -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" "$(cat cosignedImagerefs)"
+cosign sign --force -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" "$(cat policyControllerImagerefs)"
cosign sign --force -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" "$(cat policyImagerefs)"
diff --git a/release/release.mk b/release/release.mk
index 05f69a043d53..427447c07127 100644
--- a/release/release.mk
+++ b/release/release.mk
@@ -28,9 +28,9 @@ snapshot:
copy-cosign-signed-release-to-ghcr:
cosign copy $(KO_PREFIX)/cosign:$(GIT_VERSION) $(GHCR_PREFIX)/cosign:$(GIT_VERSION)
-.PHONY: copy-cosigned-signed-release-to-ghcr
-copy-cosigned-signed-release-to-ghcr:
- cosign copy $(KO_PREFIX)/cosigned:$(GIT_VERSION) $(GHCR_PREFIX)/cosigned:$(GIT_VERSION)
+.PHONY: copy-policy-controller-signed-release-to-ghcr
+copy-policy-controller-signed-release-to-ghcr:
+ cosign copy $(KO_PREFIX)/policy-controller:$(GIT_VERSION) $(GHCR_PREFIX)/policy-controller:$(GIT_VERSION)
.PHONY: copy-policy-webhook-signed-release-to-ghcr
copy-policy-webhook-signed-release-to-ghcr:
@@ -41,4 +41,4 @@ copy-sget-signed-release-to-ghcr:
cosign copy $(KO_PREFIX)/sget:$(GIT_VERSION) $(GHCR_PREFIX)/sget:$(GIT_VERSION)
.PHONY: copy-signed-release-to-ghcr
-copy-signed-release-to-ghcr: copy-cosign-signed-release-to-ghcr copy-cosigned-signed-release-to-ghcr copy-sget-signed-release-to-ghcr copy-policy-webhook-signed-release-to-ghcr
+copy-signed-release-to-ghcr: copy-cosign-signed-release-to-ghcr copy-policy-controller-signed-release-to-ghcr copy-sget-signed-release-to-ghcr copy-policy-webhook-signed-release-to-ghcr
diff --git a/test/e2e_test_cosigned.sh b/test/e2e_test_cosigned.sh
deleted file mode 100755
index 7a0b5b5799f7..000000000000
--- a/test/e2e_test_cosigned.sh
+++ /dev/null
@@ -1,260 +0,0 @@ -#!/usr/bin/env bash -# -# Copyright 2021 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -ex - - -echo '::group:: publish test image' -DIGEST=$(ko publish -B ./cmd/sample) -cat > pod.yaml < distroless-pod.yaml < job.yaml < cronjob.yaml < manykeys.pem <> manykeys.pem - -# Save the old key -kubectl get secret -n cosign-system verification-key -o=json | jq -r '.data["cosign.key"]' | base64 --decode > cosign.key -kubectl delete secret -n cosign-system verification-key -kubectl create secret generic -n cosign-system verification-key --from-file=cosign.pub=manykeys.pem --from-literal=cosign.password=${COSIGN_PASSWORD} --from-file=cosign.key - -echo '::group:: disable verification' -kubectl label namespace default --overwrite cosigned.sigstore.dev/include=false -echo '::endgroup::' - - -echo '::group:: test pod success (before labeling)' -# This time it should succeed! -if ! kubectl create -f pod.yaml ; then - echo Failed to create Pod in namespace without label! - exit 1 -else - echo Successfully created Pod in namespace without label. -fi -echo '::endgroup::' - - -echo '::group:: test job success' -# This time it should succeed! -if ! kubectl create -f job.yaml ; then - echo Failed to create Job in namespace without label! - exit 1 -else - echo Successfully created Job in namespace without label. -fi -echo '::endgroup::' - -echo '::group:: test cronjob success' -# This time it should succeed! -if ! 
kubectl create -f cronjob.yaml ; then - echo Failed to create CronJob in namespace without label! - exit 1 -else - echo Successfully created CronJob in namespace without label. -fi -echo '::endgroup::' - -echo '::group:: enable verification' -kubectl label namespace default --overwrite cosigned.sigstore.dev/include=true -echo '::endgroup::' - - -echo '::group:: test pod rejection' -if kubectl create -f pod.yaml ; then - echo Failed to block Pod creation! - exit 1 -else - echo Successfully blocked Pod creation. -fi -echo '::endgroup::' - - -echo '::group:: test job rejection' -if kubectl create -f job.yaml ; then - echo Failed to block Job creation! - exit 1 -else - echo Successfully blocked Job creation. -fi -echo '::endgroup::' - -echo '::group:: test cronjob rejection' -if kubectl create -f cronjob.yaml ; then - echo Failed to block CronJob creation! - exit 1 -else - echo Successfully blocked CronJob creation. -fi -echo '::endgroup::' - -echo '::group:: sign test image' -cosign sign --key k8s://cosign-system/verification-key $DIGEST -echo '::endgroup::' - - - -echo '::group:: test pod digest resolution' -IMAGE=$(kubectl create --dry-run=server -f pod.yaml -oyaml | yq e '.spec.containers[0].image' -) - -if [ "$IMAGE" != "$DIGEST" ] ; then - echo Failed to resolve tag to digest! - exit 1 -else - echo Successfully resolved tag to digest. -fi -echo '::endgroup::' - -echo '::group:: test job digest resolution' -IMAGE=$(kubectl create --dry-run=server -f job.yaml -oyaml | yq e '.spec.template.spec.containers[0].image' -) - -if [ "$IMAGE" != "$DIGEST" ] ; then - echo Failed to resolve tag to digest! - exit 1 -else - echo Successfully resolved tag to digest. -fi -echo '::endgroup::' - -echo '::group:: test cronjob digest resolution' -IMAGE=$(kubectl create --dry-run=server -f cronjob.yaml -oyaml | yq e '.spec.jobTemplate.spec.template.spec.containers[0].image' -) - -if [ "$IMAGE" != "$DIGEST" ] ; then - echo Failed to resolve tag to digest! 
- exit 1 -else - echo Successfully resolved tag to digest. -fi -echo '::endgroup::' - -echo '::group:: test pod success' -# This time it should succeed! -if ! kubectl create -f pod.yaml ; then - echo Failed to create Pod with properly signed image! - exit 1 -else - echo Successfully created Pod from signed image. -fi -echo '::endgroup::' - - -echo '::group:: test job success' -# This time it should succeed! -if ! kubectl create -f job.yaml ; then - echo Failed to create Job with properly signed image! - exit 1 -else - echo Successfully created Job from signed image. -fi -echo '::endgroup::' - -echo '::group:: test cronjob success' -# This time it should succeed! -if ! kubectl create -f cronjob.yaml ; then - echo Failed to create CronJob with properly signed image! - exit 1 -else - echo Successfully created CronJob from signed image. -fi -echo '::endgroup::'