Skip to content

Add gRPC calls for Fulcio on prober #1800

Add gRPC calls for Fulcio on prober

Add gRPC calls for Fulcio on prober #1800

name: Fulcio&Rekor E2E Tests
on:
pull_request:
branches: [ main ]
paths-ignore:
- 'terraform/**'
permissions: read-all
defaults:
run:
shell: bash
working-directory: ./src/github.com/sigstore/scaffolding
concurrency:
group: fulcio-rekor-kind-${{ github.head_ref }}
cancel-in-progress: true
jobs:
fulcio-rekor-ctlog-tests:
name: e2e tests
runs-on: ubuntu-latest
strategy:
fail-fast: false # Keep running if one leg fails.
matrix:
k8s-version:
- v1.25.x
- v1.26.x
- v1.27.x
- v1.28.x
- v1.29.x
leg:
- fulcio rekor ctlog e2e
go-version:
- 1.21.x
env:
GOPATH: ${{ github.workspace }}
GO111MODULE: on
GOFLAGS: -ldflags=-s -ldflags=-w
KO_DOCKER_REPO: registry.local:5000/knative
KOCACHE: ~/ko
COSIGN_EXPERIMENTAL: true
steps:
- uses: chainguard-dev/actions/setup-mirror@main
# https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
- name: Set up Go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ matrix.go-version }}
check-latest: true
- name: Check out our repo
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
with:
path: ./src/github.com/sigstore/scaffolding
- uses: actions/cache@v4
with:
# In order:
# * Module download cache
# * Build cache (Linux)
path: |
~/go/pkg/mod
~/.cache/go-build
${{ env.KOCACHE }}
key: ${{ runner.os }}-go-${{ matrix.go-version }}-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-${{ matrix.go-version }}-
- uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
- uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
- name: Setup Cluster
uses: chainguard-dev/actions/setup-kind@main
id: kind
with:
k8s-version: ${{ matrix.k8s-version }}
registry-authority: registry.local:5000
cluster-suffix: cluster.local
service-account-issuer: https://kubernetes.default.svc.cluster.local
- name: Setup Knative
uses: chainguard-dev/actions/setup-knative@main
with:
version: "1.8.x"
serving-features: >
{
"kubernetes.podspec-fieldref": "enabled"
}
- name: Create sample image
run: |
pushd $(mktemp -d)
go mod init example.com/demo
cat <<EOF > main.go
package main
import "fmt"
func main() {
fmt.Println("hello world")
}
EOF
demoimage=`ko publish -B example.com/demo`
echo "demoimage=$demoimage" >> $GITHUB_ENV
echo Created image $demoimage
popd
- name: Install scaffolding
run: |
./hack/setup-scaffolding.sh
- name: Initialize cosign with our custom tuf root and make root copy
run: |
kubectl -n tuf-system get secrets tuf-root -ojsonpath='{.data.root}' | base64 -d > ./root.json
# Also grab the compressed repository for airgap testing.
kubectl -n tuf-system get secrets tuf-root -ojsonpath='{.data.repository}' | base64 -d > ./repository.tar.gz
TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}')
echo "TUF_MIRROR=$TUF_MIRROR" >> $GITHUB_ENV
# Then initialize cosign
cosign initialize --mirror $TUF_MIRROR --root ./root.json
# Make copy of the tuf root in the default namespace for tests
kubectl -n tuf-system get secrets tuf-root -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl create -f -
- name: Run signing job in k8s using kubernetes tokens in the cluster
run: |
make ko-apply-sign-job
kubectl wait --for=condition=Complete --timeout=90s job/sign-job
- name: Verify the image with cosign using kubernetes tokens in the cluster
run: |
make ko-apply-verify-job
kubectl wait --for=condition=Complete --timeout=180s job/verify-job
- name: Install a Knative service for fetch tokens off the cluster
run: |
make ko-apply-gettoken
sleep 2
kubectl wait --for=condition=Ready --timeout=15s ksvc gettoken
- name: Get the endpoints on the cluster
run: |
REKOR_URL=$(kubectl -n rekor-system get ksvc rekor -ojsonpath='{.status.url}')
echo "REKOR_URL=$REKOR_URL" >> $GITHUB_ENV
FULCIO_URL=$(kubectl -n fulcio-system get ksvc fulcio -ojsonpath='{.status.url}')
echo "FULCIO_URL=$FULCIO_URL" >> $GITHUB_ENV
#FULCIO_GRPC_URL=$(kubectl -n fulcio-system get ksvc fulcio-grpc -ojsonpath='{.status.url}')
#echo "FULCIO_GRPC_URL=$FULCIO_GRPC_URL" >> $GITHUB_ENV
CTLOG_URL=$(kubectl -n ctlog-system get ksvc ctlog -ojsonpath='{.status.url}')
echo "CTLOG_URL=$CTLOG_URL" >> $GITHUB_ENV
ISSUER_URL=$(kubectl get ksvc gettoken -ojsonpath='{.status.url}')
echo "ISSUER_URL=$ISSUER_URL" >> $GITHUB_ENV
OIDC_TOKEN=`curl -s $ISSUER_URL`
echo "OIDC_TOKEN=$OIDC_TOKEN" >> $GITHUB_ENV
TSA_URL=$(kubectl -n tsa-system get ksvc tsa -ojsonpath='{.status.url}')
echo "TSA_URL=$TSA_URL" >> $GITHUB_ENV
- name: Sign with cosign from the action using k8s token
run: |
cosign sign --yes --rekor-url ${{ env.REKOR_URL }} --fulcio-url ${{ env.FULCIO_URL }} --allow-insecure-registry ${{ env.demoimage }} --identity-token ${{ env.OIDC_TOKEN }}
- name: Verify with cosign from the action using k8s token
run: |
cosign verify --rekor-url "${{ env.REKOR_URL }}" \
--allow-insecure-registry "${{ env.demoimage }}" \
--certificate-identity "https://kubernetes.io/namespaces/default/serviceaccounts/default" \
--certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local"
# Test with cosign in 'airgapped mode'
# Uncomment these once modified cosign goes in.
#- name: Checkout modified cosign for testing.
# uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
# with:
# repository: vaikas/cosign
# ref: air-gap
# path: ./src/github.com/sigstore/cosign
#- name: Build cosign
# working-directory: ./src/github.com/sigstore/cosign
# run: |
# go build -o ./cosign ./cmd/cosign/main.go
#- name: Untar the repository from the fetched secret, initialize and verify with it
# working-directory: ./src/github.com/sigstore/cosign
# run: |
# # Also grab the compressed repository for airgap testing.
# kubectl -n tuf-system get secrets tuf-root -ojsonpath='{.data.repository}' | base64 -d > ./repository.tar.gz
# tar -zxvf ./repository.tar.gz
# PWD=$(pwd)
# ROOT=${PWD}/repository/1.root.json
# REPOSITORY=${PWD}/repository
# ./cosign initialize --root ${ROOT} --mirror file://${REPOSITORY}
# ./cosign verify --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }}
- name: Checkout TSA for testing.
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
with:
repository: sigstore/timestamp-authority
path: ./src/github.com/sigstore/timestamp-authority
- name: Build timestamp-cli
working-directory: ./src/github.com/sigstore/timestamp-authority
run: |
go build -o ./timestamp-cli ./cmd/timestamp-cli
- name: Exercise TSA
working-directory: ./src/github.com/sigstore/timestamp-authority
run: |
curl ${{ env.TSA_URL }}/api/v1/timestamp/certchain > ts_chain.pem
echo "myblob" > myblob
if ! ./timestamp-cli --timestamp_server ${{ env.TSA_URL }} timestamp --hash sha256 --artifact myblob --out response.tsr ; then
echo "failed to timestamp artifact"
exit -1
fi
if ! ./timestamp-cli verify --timestamp response.tsr --artifact "myblob" --certificate-chain ts_chain.pem ; then
echo "failed to verify timestamp"
exit -1
fi
if ! ./timestamp-cli inspect --timestamp response.tsr --format json ; then
echo "failed to inspect the timestamp"
exit -1
fi
- name: Collect diagnostics
if: ${{ failure() }}
uses: chainguard-dev/actions/kind-diag@main
with:
artifact-name: logs.${{ matrix.k8s-version }}