From 83480731fe58dbad1b2d88c04c73152d41db5b41 Mon Sep 17 00:00:00 2001
From: Colleen Murphy
Date: Fri, 12 Jan 2024 14:42:26 -0800
Subject: [PATCH 1/3] Clean up e2e test script
- Use -v for clearer output
- All the tests tagged 'e2e' are in ./test, no need to search the whole tree
- There's no third_party directory, no need to grep it out
- Clean up services no matter when the script exits
Signed-off-by: Colleen Murphy
---
 test/e2e_test.sh | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/test/e2e_test.sh b/test/e2e_test.sh
index b1aabd164e9..df585c8766e 100755
--- a/test/e2e_test.sh
+++ b/test/e2e_test.sh
@@ -29,6 +29,13 @@ cd rekor
 echo "starting services"
 docker-compose up -d
+cleanup_services() {
+ echo "cleaning up"
+ pushd $HOME/rekor
+ docker-compose down
+ popd
+}
+trap cleanup_services EXIT
 count=0
@@ -50,7 +57,7 @@ echo "running tests"
 popd
 go build -o cosign ./cmd/cosign
-go test -tags=e2e -race $(go list ./... | grep -v third_party/)
+go test -tags=e2e -v -race ./test/...
 # Test on a private registry
 echo "testing sign/verify/clean on private registry"
@@ -80,7 +87,3 @@ if (./cosign manifest verify ./test/testdata/unsigned_manifest.yaml --certificat
 make ko-local
 img="ko.local/cosign:$(git rev-parse HEAD)"
 docker run $img version
-
-echo "cleanup"
-cd $HOME/rekor
-docker-compose down
From 2cc3a10794f2bdd41b7fd81d0825dee2497516af Mon Sep 17 00:00:00 2001
From: Colleen Murphy
Date: Fri, 12 Jan 2024 14:43:51 -0800
Subject: [PATCH 2/3] test: Clean up cosign-secret
Clean up the key pair secret after the test so that the test suite can be re-run locally if desired. Without this, the secret is set to 'immutable' and can't be overwritten by the next test run.
Signed-off-by: Colleen Murphy
---
 test/e2e_test.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/test/e2e_test.go b/test/e2e_test.go
index 9dcf277eea8..f91e0fddb96 100644
--- a/test/e2e_test.go
+++ b/test/e2e_test.go
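Review bot: `cleanup_services` runs while the script's `set -e` (visible in the header of the patch-3 hunk further down) is still in effect, so if `pushd $HOME/rekor` fails the handler stops before `docker-compose down` and the services it exists to tear down stay up; the path is also unquoted. If I read bash correctly errexit stays active inside an EXIT trap, so I would write the first line as `pushd "$HOME/rekor" || return`, and the trailing `popd` can go since the shell is exiting anyway. The handler is also what cleans up after the `exit 1` in the health-wait loop, which sits outside this hunk; a one-line comment, `# runs on every exit path, including the timeout exit in the wait loop`, would make that intent visible to the next editor.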
@@ -1324,6 +1324,11 @@ func TestGenerateKeyPairK8s(t *testing.T) {
 if v, ok := s.Data["cosign.password"]; !ok || string(v) != password {
 t.Fatalf("password is incorrect, got %v expected %v", v, "foo")
 }
+ // Clean up the secret (so tests can be re-run locally)
+ err = client.CoreV1().Secrets(namespace).Delete(ctx, name, metav1.DeleteOptions{})
+ if err != nil {
+ t.Fatal(err)
+ }
 }
 func TestMultipleSignatures(t *testing.T) {
From 2fa0a82d0f999e4d964f6c8b47273e22aa3087d0 Mon Sep 17 00:00:00 2001
From: Colleen Murphy
Date: Fri, 12 Jan 2024 16:07:21 -0800
Subject: [PATCH 3/3] Use local rekor and fulcio instances in e2e tests
In 70683571 the e2e tests moved from running on the locally-spun-up rekor instance to the public instance. This means test signatures are piling up in the public instance, and the tests may be taking longer than they need to since they are using an external service. This change moves back to using the local rekor instance, which the e2e has still been spinning up even though it has been going unused. Also now do the same for fulcio.
Signed-off-by: Colleen Murphy
---
 test/e2e_test.go | 4 +--
 test/e2e_test.sh | 66 ++++++++++++++++++++++++++++--------------------
 2 files changed, 41 insertions(+), 29 deletions(-)
diff --git a/test/e2e_test.go b/test/e2e_test.go
index f91e0fddb96..09c397eb176 100644
--- a/test/e2e_test.go
+++ b/test/e2e_test.go
@@ -77,8 +77,8 @@ import (
 const (
 serverEnv = "REKOR_SERVER"
- rekorURL = "https://rekor.sigstore.dev"
- fulcioURL = "https://fulcio.sigstore.dev"
+ rekorURL = "http://127.0.0.1:3000"
+ fulcioURL = "http://127.0.0.1:5555"
 )
 var keyPass = []byte("hello")
diff --git a/test/e2e_test.sh b/test/e2e_test.sh
index df585c8766e..7fb9a1310df 100755
--- a/test/e2e_test.sh
+++ b/test/e2e_test.sh
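Review bot: The added Delete only executes when every assertion before it passed, so a failing run still leaves the immutable secret behind and the next local run hits exactly the problem the commit message describes. Registering the deletion with `t.Cleanup` right after the secret is created (the creation site is outside this hunk) makes it run on both the pass and fail paths; at that point a delete failure is better logged than fatal, because the test's verdict is already decided. If `ctx` is cancelled when the test function returns, the cleanup will need its own context — how `ctx` is derived is not visible from this hunk.
```go
// Clean up the secret (so tests can be re-run locally), even when an assertion above fails
t.Cleanup(func() {
	if err := client.CoreV1().Secrets(namespace).Delete(ctx, name, metav1.DeleteOptions{}); err != nil {
		t.Logf("deleting secret %s/%s: %v", namespace, name, err)
	}
})
```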
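Review bot: `rekorURL` and `fulcioURL` are now bare loopback addresses whose ports have to agree with what `test/e2e_test.sh` brings up through docker-compose, but nothing in the constant block records that coupling, so someone changing one side will not know to change the other. A comment on the block, `// Local rekor/fulcio instances started by test/e2e_test.sh; the ports must match the compose stacks it launches`, would fix that. Plain `http` to 127.0.0.1 is acceptable for a throwaway local stack, but `serverEnv = "REKOR_SERVER"` one line above suggests the rekor address can also come from the environment, and which of the two wins when they disagree is not visible from this hunk.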
@@ -16,41 +16,51 @@ set -ex
-echo "copying rekor repo"
 pushd $HOME
-if [[ ! -d rekor ]]; then
- git clone https://github.com/sigstore/rekor.git
-else
- pushd rekor
- git pull
- popd
-fi
-cd rekor
+
+echo "downloading service repos"
+for repo in rekor fulcio; do
+ if [[ ! -d $repo ]]; then
+ git clone https://github.com/sigstore/${repo}.git
+ else
+ pushd $repo
+ git pull
+ popd
+ fi
+done
 echo "starting services"
-docker-compose up -d
+export FULCIO_METRICS_PORT=2113
+for repo in rekor fulcio; do
+ pushd $repo
+ docker-compose up -d
+ echo -n "waiting up to 60 sec for system to start"
+ count=0
+ until [ $(docker-compose ps | grep -c "(healthy)") == 3 ];
+ do
+ if [ $count -eq 6 ]; then
+ echo "! timeout reached"
+ exit 1
+ else
+ echo -n "."
+ sleep 10
+ let 'count+=1'
+ fi
+ done
+ popd
+done
 cleanup_services() {
 echo "cleaning up"
- pushd $HOME/rekor
- docker-compose down
- popd
+ for repo in rekor fulcio; do
+ pushd $HOME/$repo
+ docker-compose down
+ popd
+ done
 }
 trap cleanup_services EXIT
-count=0
-
-echo -n "waiting up to 60 sec for system to start"
-until [ $(docker-compose ps | grep -c "(healthy)") == 3 ];
-do
- if [ $count -eq 6 ]; then
- echo "! timeout reached"
- exit 1
- else
- echo -n "."
- sleep 10
- let 'count+=1'
- fi
-done
+curl http://127.0.0.1:3000/api/v1/log/publicKey > rekor.pub
+export SIGSTORE_REKOR_PUBLIC_KEY=$(pwd)/rekor.pub
 echo
 echo "running tests"
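Review bot: `curl http://127.0.0.1:3000/api/v1/log/publicKey > rekor.pub` writes whatever the server answers into the key file and exits 0 on an HTTP error, so `set -e` will not stop the script; a 4xx/5xx body would then be handed to the tests as the verification key through `SIGSTORE_REKOR_PUBLIC_KEY` and surface later as a confusing key-parse failure. `curl -fsS http://127.0.0.1:3000/api/v1/log/publicKey -o rekor.pub` makes a non-2xx response abort right here. The file also lands in `$HOME` (the working directory after the loop's `popd`) and `cleanup_services` never removes it, so `rm -f "$HOME/rekor.pub"` in the handler would keep re-runs clean. The `== 3` healthy-container count is now applied to both compose stacks; whether fulcio's stack also reports exactly three healthy services I cannot confirm from this hunk, so a per-repo expected count, or a check that no container is reported unhealthy, may be safer.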
@@ -69,6 +79,8 @@ docker run -d -p 5000:5000 --restart always -e REGISTRY_STORAGE_DELETE_ENABLED=t
 export COSIGN_TEST_REPO=localhost:5000
 go test -tags=e2e -v ./test/... -run TestSignVerifyClean
+# Use the public instance to verify existing images and manifests
+unset SIGSTORE_REKOR_PUBLIC_KEY
 # Test `cosign dockerfile verify`
 ./cosign dockerfile verify ./test/testdata/single_stage.Dockerfile --certificate-identity https://github.com/distroless/alpine-base/.github/workflows/release.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com
 if (./cosign dockerfile verify ./test/testdata/unsigned_build_stage.Dockerfile --certificate-identity https://github.com/distroless/alpine-base/.github/workflows/release.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com); then false; fi
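Review bot: The new comment reads as if everything from here on uses the public instance, but with this patch's change to `test/e2e_test.go` the Go tests' `rekorURL`/`fulcioURL` constants point at 127.0.0.1, so unsetting `SIGSTORE_REKOR_PUBLIC_KEY` only changes the trust root for the `./cosign` CLI invocations that follow; any later `go test` run would still target the local stack. Worth stating that explicitly: `# Use the public instance for the cosign CLI verifications below (the Go e2e tests keep using the local rekor/fulcio)`. Whether any `go test` invocation does follow this point is not visible from this hunk.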