Use ClusterImagePolicy with Keyless + e2e tests for CIP with kind #1650
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Ville Aikas <[email protected]>
Signed-off-by: Ville Aikas <[email protected]>
Signed-off-by: Ville Aikas <[email protected]>
vaikas
force-pushed
the
scaffolding
branch
5 times, most recently
from
8cbd24c
to
3c3903f
Compare
Signed-off-by: Ville Aikas <[email protected]>
Signed-off-by: Ville Aikas <[email protected]>
we need to make sure that all policies have at least one validating authority. Signed-off-by: Ville Aikas <[email protected]>
understand how to test fully with both rekor/fulcio the good case. Signed-off-by: Ville Aikas <[email protected]>
Codecov Report
@@ Coverage Diff @@
## main #1650 +/- ##
==========================================
+ Coverage 27.89% 28.77% +0.87%
==========================================
Files 139 139
Lines 7972 8139 +167
==========================================
+ Hits 2224 2342 +118
- Misses 5512 5544 +32
- Partials 236 253 +17
Continue to review full report at Codecov.
|
Signed-off-by: Ville Aikas <[email protected]>
mattmoor
reviewed
Mar 24, 2022
Comment on lines
+149
to
+211
| # These set up the env variables so that | ||
| - name: Set the endpoints on the cluster and grab secrets | ||
| run: | | ||
| REKOR_URL=`kubectl -n rekor-system get --no-headers ksvc rekor | cut -d ' ' -f 4` | ||
| echo "REKOR_URL=$REKOR_URL" >> $GITHUB_ENV | ||
| curl -s $REKOR_URL/api/v1/log/publicKey > ./rekor-public.pem | ||
|
|
||
| FULCIO_URL=`kubectl -n fulcio-system get --no-headers ksvc fulcio | cut -d ' ' -f 4` | ||
| echo "FULCIO_URL=$FULCIO_URL" >> $GITHUB_ENV | ||
| CTLOG_URL=`kubectl -n ctlog-system get --no-headers ksvc ctlog | cut -d ' ' -f 4` | ||
| echo "CTLOG_URL=$CTLOG_URL" >> $GITHUB_ENV | ||
|
|
||
| ISSUER_URL=`kubectl get --no-headers ksvc gettoken | cut -d ' ' -f 4` | ||
| echo "ISSUER_URL=$ISSUER_URL" >> $GITHUB_ENV | ||
| OIDC_TOKEN=`curl -s $ISSUER_URL` | ||
| echo "OIDC_TOKEN=$OIDC_TOKEN" >> $GITHUB_ENV | ||
|
|
||
| kubectl -n ctlog-system get secrets ctlog-public-key -o=jsonpath='{.data.public}' | base64 -d > ./ctlog-public.pem | ||
| echo "SIGSTORE_CT_LOG_PUBLIC_KEY_FILE=./ctlog-public.pem" >> $GITHUB_ENV | ||
|
|
||
| kubectl -n fulcio-system get secrets fulcio-secret -ojsonpath='{.data.cert}' | base64 -d > ./fulcio-root.pem | ||
| echo "SIGSTORE_ROOT_FILE=./fulcio-root.pem" >> $GITHUB_ENV | ||
|
|
||
| - name: Deploy ClusterImagePolicy | ||
| run: | | ||
| kubectl apply -f ./test/testdata/cosigned/e2e/cip.yaml | ||
|
|
||
| - name: build cosign | ||
| run: | | ||
| make cosign | ||
|
|
||
| - name: Sign demoimage with cosign | ||
| run: | | ||
| ./cosign sign --rekor-url ${{ env.REKOR_URL }} --fulcio-url ${{ env.FULCIO_URL }} --force --allow-insecure-registry ${{ env.demoimage }} --identity-token ${{ env.OIDC_TOKEN }} | ||
|
|
||
| - name: Verify with cosign | ||
| run: | | ||
| SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY=1 COSIGN_EXPERIMENTAL=1 ./cosign verify --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }} | ||
|
|
||
| - name: Deploy jobs and verify signed works, unsigned fails | ||
| run: | | ||
| kubectl create namespace demo | ||
| kubectl label namespace demo cosigned.sigstore.dev/include=true | ||
|
|
||
| echo '::group:: test job success' | ||
| # We signed this above, this should work | ||
| if ! kubectl create -n demo job demo --image=${{ env.demoimage }} ; then | ||
| echo Failed to create Job in namespace without label! | ||
| exit 1 | ||
| else | ||
| echo Succcessfully created Job with signed image | ||
| fi | ||
| echo '::endgroup:: test job success' | ||
|
|
||
| echo '::group:: test job rejection' | ||
| # We did not sign this, should fail | ||
| if kubectl create -n demo job demo2 --image=${{ env.demoimage2 }} ; then | ||
| echo Failed to block unsigned Job creation! | ||
| exit 1 | ||
| else | ||
| echo Successfully blocked Job creation with unsigned image | ||
| fi | ||
| echo '::endgroup::' |
There was a problem hiding this comment.
Move this into scripts like these?
cosign/.github/workflows/kind-e2e-cosigned.yaml
Lines 185 to 196 in bdef009
There was a problem hiding this comment.
Then you can avoid some of the GITHUB_ENV bits for passing env vars across steps, and folks can more easily run this locally.
There was a problem hiding this comment.
Yeah! I was planning on doing that as a follow on. Part of the original reasoning for the test/testadata/cosigned was to dump things into there so that we can then easier pick and choose what we run and automate that. I wasn't quite sure how to structure that :)
There's some stuff that I'd like to pass from the cluster (like the oidc_token, or a way to fetch it, or fulcio URL), etc. but I reckon when I call from actions to shell, env persists?
| - glob: registry.local:5000/knative/demo* | ||
| authorities: | ||
| - keyless: | ||
| url: http://fulcio.fulcio-system.svc/api/v1/rootCert |
There was a problem hiding this comment.
Can we drop /api/v1/rootCert everywhere now?
There was a problem hiding this comment.
Yes, it actually doesn't work with this anymore, I had fixed it already 👍
mattmoor
approved these changes
Mar 24, 2022
hectorj2f
approved these changes
Mar 24, 2022
hectorj2f
reviewed
Mar 24, 2022
hectorj2f
reviewed
Mar 24, 2022
hectorj2f
reviewed
Mar 24, 2022
|
Thanks for the reviews / feedbacks. Since you were both in the approval mood, I'll merge this now and then I'll address / refactor in a follow up PRs. I think it's good to get started testing the pieces and now we also have e2e tests to start building more complex policy validations. |
vaikas
added a commit
to vaikas/cosign
that referenced
this pull request
Mar 25, 2022
Signed-off-by: Ville Aikas <[email protected]>
vaikas
added a commit
that referenced
this pull request
Mar 25, 2022
* First batch of followups to #1650 Signed-off-by: Ville Aikas <[email protected]> * Fix few typos. Signed-off-by: Ville Aikas <[email protected]> * remove some unnecessary cruft since the actions handle them. Signed-off-by: Ville Aikas <[email protected]> * kubectl apply vs. create Signed-off-by: Ville Aikas <[email protected]> * try harder Signed-off-by: Ville Aikas <[email protected]> * registry before installations. Signed-off-by: Ville Aikas <[email protected]> * Remove trying with 1.23 which might have different job retry behaviour. Signed-off-by: Ville Aikas <[email protected]>
vaikas
added a commit
to vaikas/cosign
that referenced
this pull request
Mar 28, 2022
Signed-off-by: Ville Aikas <[email protected]>
dlorenc
pushed a commit
that referenced
this pull request
Mar 28, 2022
* Refactor based on discussions in #1650 Signed-off-by: Ville Aikas <[email protected]> * Simplify return signature. Signed-off-by: Ville Aikas <[email protected]> * pr feedback. Signed-off-by: Ville Aikas <[email protected]> * remove now unnecessary var. Signed-off-by: Ville Aikas <[email protected]>
mlieberman85
pushed a commit
to mlieberman85/cosign
that referenced
this pull request
May 6, 2022
…gstore#1650) * Just setting up the cluster tests. Signed-off-by: Ville Aikas <[email protected]> * Sign/verify a simple container. Signed-off-by: Ville Aikas <[email protected]> * Plumb Keyless with Fulcio / Rekor through. Signed-off-by: Ville Aikas <[email protected]> * Start wiring tests together. Not complete. Signed-off-by: Ville Aikas <[email protected]> * Ok, now the test should work, last run should've failed, it did. woot! Signed-off-by: Ville Aikas <[email protected]> * Return policies instead of all the authorities in one fell swoop since we need to make sure that all policies have at least one validating authority. Signed-off-by: Ville Aikas <[email protected]> * Cleanup, add keyless unit tests. For now just failure cases, need to understand how to test fully with both rekor/fulcio the good case. Signed-off-by: Ville Aikas <[email protected]> * Removed the API path portion of the test CIP as no longer necessary. Signed-off-by: Ville Aikas <[email protected]>
mlieberman85
pushed a commit
to mlieberman85/cosign
that referenced
this pull request
May 6, 2022
* First batch of followups to sigstore#1650 Signed-off-by: Ville Aikas <[email protected]> * Fix few typos. Signed-off-by: Ville Aikas <[email protected]> * remove some unnecessary cruft since the actions handle them. Signed-off-by: Ville Aikas <[email protected]> * kubectl apply vs. create Signed-off-by: Ville Aikas <[email protected]> * try harder Signed-off-by: Ville Aikas <[email protected]> * registry before installations. Signed-off-by: Ville Aikas <[email protected]> * Remove trying with 1.23 which might have different job retry behaviour. Signed-off-by: Ville Aikas <[email protected]>
mlieberman85
pushed a commit
to mlieberman85/cosign
that referenced
this pull request
May 6, 2022
* Refactor based on discussions in sigstore#1650 Signed-off-by: Ville Aikas <[email protected]> * Simplify return signature. Signed-off-by: Ville Aikas <[email protected]> * pr feedback. Signed-off-by: Ville Aikas <[email protected]> * remove now unnecessary var. Signed-off-by: Ville Aikas <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Ticket Link
Fixes
Release Note