First batch of followups to sigstore#1650

Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
vaikas · Mar 25, 2022 · fd9ac38 · fd9ac38
1 parent 340b6c6
commit fd9ac38
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 96 deletions.
diff --git a/.github/workflows/kind-cluster-image-policy.yaml b/.github/workflows/kind-cluster-image-policy.yaml
@@ -44,13 +44,6 @@ jobs:
       COSIGN_EXPERIMENTAL: true
 
     steps:
-    - name: Configure DockerHub mirror
-      run: |
-        tmp=$(mktemp)
-        jq '."registry-mirrors" = ["https://mirror.gcr.io"]' /etc/docker/daemon.json > "$tmp"
-        sudo mv "$tmp" /etc/docker/daemon.json
-        sudo service docker restart
-
     - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v2.4.0
     - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # v2.2.0
       with:
@@ -59,20 +52,44 @@ jobs:
     # will use the latest release available for ko
     - uses: imjasonh/setup-ko@2c3450ca27f6e6f2b02e72a40f2163c281a1f675 # v0.4
 
-    - name: Setup Cluster
+    - name: Install yq
+      uses: mikefarah/yq@03f57b7034d0330d54663881def67523347dfc9c # v4.16.2
+
+    - name: build cosign
       run: |
-        curl -Lo ./setup-kind.sh https://github.com/sigstore/scaffolding/releases/download/${{ env.SCAFFOLDING_RELEASE_VERSION }}/setup-kind.sh
-        chmod u+x ./setup-kind.sh
-        ./setup-kind.sh \
-          --registry-url $(echo ${KO_DOCKER_REPO} | cut -d'/' -f 1) \
-          --cluster-suffix cluster.local \
-          --k8s-version ${{ matrix.k8s-version }} \
-          --knative-version ${KNATIVE_VERSION}
-
-    - name: Install all the everythings
+        make cosign
+
+    - name: Setup kind cluster
+      uses: chainguard-dev/actions/setup-kind@main
+      with:
+        k8s-version: ${{ matrix.kind-version}}
+        cluster-suffix: ${{ matrix.cluster-suffix }}
+        kind-version: ${{ matrix.kind-version }}
+
+    - name: Install knative
+      uses: chainguard-dev/actions/setup-knative@main
+      with:
+        version: 1.2.0
+        serving-features: >
+          {
+            "kubernetes.podspec-fieldref": "enabled",
+            "kubernetes.podspec-securitycontext": "enabled"
+          }
+        serving-autoscaler: >
+          {
+            "min-scale": "1",
+            "max-scale": "1"
+          }
+
+    - name: Setup mirror
+      uses: chainguard-dev/actions/setup-mirror@main
+      with:
+        mirror: mirror.gcr.io
+
+    - name: Install all the everythings, fulcio, rekor, ctlog...
       timeout-minutes: 10
       run: |
-        curl -L https://github.com/sigstore/scaffolding/releases/download/${{ env.SCAFFOLDING_RELEASE_VERSION }}/release.yaml | kubectl apply -f -
+        kubectl create -f https://github.com/sigstore/scaffolding/releases/download/${{ env.SCAFFOLDING_RELEASE_VERSION }}/release.yaml
 
         # Wait for all the ksvc to be up.
         kubectl wait --timeout 10m -A --for=condition=Ready ksvc --all
@@ -89,7 +106,7 @@ jobs:
         # so we can verify against it.
         kubectl -n fulcio-system get secrets fulcio-secret -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl apply -f -
 
-        curl -L https://github.com/sigstore/scaffolding/releases/download/${{ env.SCAFFOLDING_RELEASE_VERSION }}/testrelease.yaml | kubectl create -f -
+        kubectl create -f https://github.com/sigstore/scaffolding/releases/download/${{ env.SCAFFOLDING_RELEASE_VERSION }}/testrelease.yaml
 
         kubectl wait --for=condition=Complete --timeout=180s job/sign-job job/checktree job/verify-job
 
@@ -146,7 +163,8 @@ jobs:
         sleep 2
         kubectl wait --for=condition=Ready --timeout=15s ksvc gettoken
 
-    # These set up the env variables so that
+    # These set up the env variables so that we can invoke cosign against the
+    # cluster sigstore services (fulcio, rekor, etc.)
     - name: Set the endpoints on the cluster and grab secrets
       run: |
         REKOR_URL=`kubectl -n rekor-system get --no-headers ksvc rekor | cut -d ' ' -f 4`
@@ -173,10 +191,6 @@ jobs:
       run: |
         kubectl apply -f ./test/testdata/cosigned/e2e/cip.yaml
 
-    - name: build cosign
-      run: |
-        make cosign
-
     - name: Sign demoimage with cosign
       run: |
         ./cosign sign --rekor-url ${{ env.REKOR_URL }} --fulcio-url ${{ env.FULCIO_URL }} --force --allow-insecure-registry ${{ env.demoimage }} --identity-token ${{ env.OIDC_TOKEN }}

diff --git a/.github/workflows/kind-e2e-cosigned.yaml b/.github/workflows/kind-e2e-cosigned.yaml
@@ -74,76 +74,17 @@ jobs:
       run: |
         go install ./cmd/cosign
 
-    # This KinD setup is based on what we use for knative/serving on GHA, and it includes several "fun"
-    # monkey wrenches (e.g. randomizing cluster suffix: `.svc.cluster.local`) to make sure we don't bake
-    # in any invalid assumptions about a particular Kubernetes configuration.
-    - name: Install KinD
-      run: |
-        set -x
-        # Disable swap otherwise memory enforcement doesn't work
-        # See: https://kubernetes.slack.com/archives/CEKK1KTN2/p1600009955324200
-        sudo swapoff -a
-        sudo rm -f /swapfile
-        # Use in-memory storage to avoid etcd server timeouts.
-        # https://kubernetes.slack.com/archives/CEKK1KTN2/p1615134111016300
-        # https://github.com/kubernetes-sigs/kind/issues/845
-        sudo mkdir -p /tmp/etcd
-        sudo mount -t tmpfs tmpfs /tmp/etcd
-        go install sigs.k8s.io/kind@${{ matrix.kind-version }}
-
-    - name: Configure KinD Cluster
-      run: |
-        set -x
-        # KinD configuration.
-        cat > kind.yaml <<EOF
-        apiVersion: kind.x-k8s.io/v1alpha4
-        kind: Cluster
-        # Configure registry for KinD.
-        containerdConfigPatches:
-        - |-
-          [plugins."io.containerd.grpc.v1.cri".registry.mirrors."$REGISTRY_NAME:$REGISTRY_PORT"]
-            endpoint = ["http://$REGISTRY_NAME:$REGISTRY_PORT"]
-        # This is needed in order to support projected volumes with service account tokens.
-        # See: https://kubernetes.slack.com/archives/CEKK1KTN2/p1600268272383600
-        kubeadmConfigPatches:
-          - |
-            apiVersion: kubeadm.k8s.io/v1beta2
-            kind: ClusterConfiguration
-            metadata:
-              name: config
-            apiServer:
-              extraArgs:
-                "service-account-issuer": "kubernetes.default.svc"
-                "service-account-signing-key-file": "/etc/kubernetes/pki/sa.key"
-            networking:
-              dnsDomain: "${{ matrix.cluster-suffix }}"
-        nodes:
-        - role: control-plane
-          image: kindest/node:${{ matrix.k8s-version }}@${{ matrix.kind-image-sha }}
-          extraMounts:
-          - containerPath: /var/lib/etcd
-            hostPath: /tmp/etcd
-        - role: worker
-          image: kindest/node:${{ matrix.k8s-version }}@${{ matrix.kind-image-sha }}
-        EOF
-
-    - name: Create KinD Cluster
-      run: |
-        set -x
-        kind create cluster --config kind.yaml
-
-    - name: Setup local registry
-      run: |
-        # Run a registry.
-        docker run -d --restart=always \
-          -p $REGISTRY_PORT:$REGISTRY_PORT --name $REGISTRY_NAME registry:2
-
-        # Connect the registry to the KinD network.
-        docker network connect "kind" $REGISTRY_NAME
+    - name: Setup kind cluster
+      uses: chainguard-dev/actions/setup-kind@main
+      with:
+        k8s-version: ${{ matrix.kind-version}}
+        cluster-suffix: ${{ matrix.cluster-suffix }}
+        kind-version: ${{ matrix.kind-version }}
 
-        # Make the $REGISTRY_NAME -> 127.0.0.1, to tell `ko` to publish to
-        # local reigstry, even when pushing $REGISTRY_NAME:$REGISTRY_PORT/some/image
-        sudo echo "127.0.0.1 $REGISTRY_NAME" | sudo tee -a /etc/hosts
+    - name: Setup mirror
+      uses: chainguard-dev/actions/setup-mirror@main
+      with:
+        mirror: mirror.gcr.io
 
     - name: Setup local insecure registry
       run: |

diff --git a/pkg/apis/config/image_policies_test.go b/pkg/apis/config/image_policies_test.go
@@ -117,6 +117,7 @@ func TestGetAuthorities(t *testing.T) {
 }
 
 func checkGetMatches(t *testing.T, c map[string][]v1alpha1.Authority, err error) {
+	t.Helper()
 	if err != nil {
 		t.Error("GetMatches Failed =", err)
 	}

diff --git a/pkg/cosign/kubernetes/webhook/validator.go b/pkg/cosign/kubernetes/webhook/validator.go
@@ -278,7 +278,7 @@ func validatePolicies(ctx context.Context, ref name.Reference, defaultKC authn.K
 				logging.FromContext(ctx).Debugf("Fetching FulcioRoot for %s : From: %s ", ref.Name(), authority.Keyless.URL)
 				fulcioroot, err := getFulcioCert(authority.Keyless.URL)
 				if err != nil {
-					authorityErrors = append(authorityErrors, errors.Wrap(err, "failed to fetch FulcioRoot"))
+					authorityErrors = append(authorityErrors, errors.Wrap(err, "fetching FulcioRoot"))
 					continue
 				}
 				var rekorClient *client.Rekor
@@ -293,8 +293,8 @@ func validatePolicies(ctx context.Context, ref name.Reference, defaultKC authn.K
 				}
 				sps, err := validSignaturesWithFulcio(ctx, ref, fulcioroot, rekorClient, opts)
 				if err != nil {
-					logging.FromContext(ctx).Errorf("failed validSignatures for %s: %v", ref.Name(), err)
-					authorityErrors = append(authorityErrors, errors.Wrap(err, "validate signatures"))
+					logging.FromContext(ctx).Errorf("failed validSignatures with fulcio for %s: %v", ref.Name(), err)
+					authorityErrors = append(authorityErrors, errors.Wrap(err, "validate signatures with fulcio"))
 				} else {
 					if len(sps) > 0 {
 						logging.FromContext(ctx).Debugf("validated signature for %s, got %d signatures", len(sps))