Use local rekor and fulcio instances in e2e tests

test/e2e_test.go

@@ -77,8 +77,8 @@ import (
 
 const (
 	serverEnv = "REKOR_SERVER"
-	rekorURL  = "https://rekor.sigstore.dev"
-	fulcioURL = "https://fulcio.sigstore.dev"
+	rekorURL  = "http://127.0.0.1:3000"
+	fulcioURL = "http://127.0.0.1:5555"
 )
 
 var keyPass = []byte("hello")
@@ -1324,6 +1324,11 @@ func TestGenerateKeyPairK8s(t *testing.T) {
 	if v, ok := s.Data["cosign.password"]; !ok || string(v) != password {
 		t.Fatalf("password is incorrect, got %v expected %v", v, "foo")
 	}
+	// Clean up the secret (so tests can be re-run locally)
+	err = client.CoreV1().Secrets(namespace).Delete(ctx, name, metav1.DeleteOptions{})
+	if err != nil {
+		t.Fatal(err)
+	}
 }
 
 func TestMultipleSignatures(t *testing.T) {

test/e2e_test.sh

@@ -16,41 +16,58 @@
 
 set -ex
 
-echo "copying rekor repo"
 pushd $HOME
-if [[ ! -d rekor ]]; then
-   git clone https://github.com/sigstore/rekor.git
-else
-   pushd rekor
-   git pull
-   popd
-fi
-cd rekor
 
-echo "starting services"
-docker-compose up -d
-
-count=0
-
-echo -n "waiting up to 60 sec for system to start"
-until [ $(docker-compose ps | grep -c "(healthy)") == 3 ];
-do
-    if [ $count -eq 6 ]; then
-       echo "! timeout reached"
-       exit 1
+echo "downloading service repos"
+for repo in rekor fulcio; do
+    if [[ ! -d $repo ]]; then
+        git clone https://github.com/sigstore/${repo}.git
     else
-       echo -n "."
-       sleep 10
-       let 'count+=1'
+        pushd $repo
+        git pull
+        popd
     fi
 done
 
+echo "starting services"
+export FULCIO_METRICS_PORT=2113
+for repo in rekor fulcio; do
+    pushd $repo
+    docker-compose up -d
+    echo -n "waiting up to 60 sec for system to start"
+    count=0
+    until [ $(docker-compose ps | grep -c "(healthy)") == 3 ];
+    do
+        if [ $count -eq 6 ]; then
+           echo "! timeout reached"
+           exit 1
+        else
+           echo -n "."
+           sleep 10
+           let 'count+=1'
+        fi
+    done
+    popd
+done
+cleanup_services() {
+    echo "cleaning up"
+    for repo in rekor fulcio; do
+        pushd $HOME/$repo
+        docker-compose down
+        popd
+    done
+}
+trap cleanup_services EXIT
+
+curl http://127.0.0.1:3000/api/v1/log/publicKey > rekor.pub
+export SIGSTORE_REKOR_PUBLIC_KEY=$(pwd)/rekor.pub
+
 echo
 echo "running tests"
 
 popd
 go build -o cosign ./cmd/cosign
-go test -tags=e2e -race $(go list ./... | grep -v third_party/)
+go test -tags=e2e -v -race ./test/...
 
 # Test on a private registry
 echo "testing sign/verify/clean on private registry"
@@ -62,6 +79,8 @@ docker run -d -p 5000:5000 --restart always -e REGISTRY_STORAGE_DELETE_ENABLED=t
 export COSIGN_TEST_REPO=localhost:5000
 go test -tags=e2e -v ./test/... -run TestSignVerifyClean
 
+# Use the public instance to verify existing images and manifests
+unset SIGSTORE_REKOR_PUBLIC_KEY
 # Test `cosign dockerfile verify`
 ./cosign dockerfile verify ./test/testdata/single_stage.Dockerfile --certificate-identity https://github.com/distroless/alpine-base/.github/workflows/release.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com
 if (./cosign dockerfile verify ./test/testdata/unsigned_build_stage.Dockerfile --certificate-identity https://github.com/distroless/alpine-base/.github/workflows/release.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com); then false; fi
@@ -80,7 +99,3 @@ if (./cosign manifest verify ./test/testdata/unsigned_manifest.yaml --certificat
 make ko-local
 img="ko.local/cosign:$(git rev-parse HEAD)"
 docker run $img version
-
-echo "cleanup"
-cd $HOME/rekor
-docker-compose down