From fd9ac3808a664a20a6d7615873f8fb3fe283c6b5 Mon Sep 17 00:00:00 2001
From: Ville Aikas
Date: Fri, 25 Mar 2022 11:27:54 -0700
Subject: [PATCH] First batch of followups to #1650
Signed-off-by: Ville Aikas
---
 .../workflows/kind-cluster-image-policy.yaml | 62 +++++++++------
 .github/workflows/kind-e2e-cosigned.yaml | 79 +++---------------
 pkg/apis/config/image_policies_test.go | 1 +
 pkg/cosign/kubernetes/webhook/validator.go | 6 +-
 4 files changed, 52 insertions(+), 96 deletions(-)
diff --git a/.github/workflows/kind-cluster-image-policy.yaml b/.github/workflows/kind-cluster-image-policy.yaml
index 463e22764d1..2100a5b918e 100644
--- a/.github/workflows/kind-cluster-image-policy.yaml
+++ b/.github/workflows/kind-cluster-image-policy.yaml
@@ -44,13 +44,6 @@ jobs: COSIGN_EXPERIMENTAL: true steps: - - name: Configure DockerHub mirror - run: | - tmp=$(mktemp) - jq '."registry-mirrors" = ["https://mirror.gcr.io"]' /etc/docker/daemon.json > "$tmp" - sudo mv "$tmp" /etc/docker/daemon.json - sudo service docker restart - - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v2.4.0 - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # v2.2.0 with: 
@@ -59,20 +52,44 @@ jobs: # will use the latest release available for ko - uses: imjasonh/setup-ko@2c3450ca27f6e6f2b02e72a40f2163c281a1f675 # v0.4 - - name: Setup Cluster + - name: Install yq + uses: mikefarah/yq@03f57b7034d0330d54663881def67523347dfc9c # v4.16.2 + + - name: build cosign run: | - curl -Lo ./setup-kind.sh https://github.com/sigstore/scaffolding/releases/download/${{ env.SCAFFOLDING_RELEASE_VERSION }}/setup-kind.sh - chmod u+x ./setup-kind.sh - ./setup-kind.sh \ - --registry-url $(echo ${KO_DOCKER_REPO} | cut -d'/' -f 1) \ - --cluster-suffix cluster.local \ - --k8s-version ${{ matrix.k8s-version }} \ - --knative-version ${KNATIVE_VERSION} - - - name: Install all the everythings + make cosign + + - name: Setup kind cluster + uses: chainguard-dev/actions/setup-kind@main + with: + k8s-version: ${{ matrix.kind-version}} + cluster-suffix: ${{ matrix.cluster-suffix }} + kind-version: ${{ matrix.kind-version }} + + - name: Install knative + uses: chainguard-dev/actions/setup-knative@main + with: + version: 1.2.0 + serving-features: > + { + "kubernetes.podspec-fieldref": "enabled", + "kubernetes.podspec-securitycontext": "enabled" + } + serving-autoscaler: > + { + "min-scale": "1", + "max-scale": "1" + } + + - name: Setup mirror + uses: chainguard-dev/actions/setup-mirror@main + with: + mirror: mirror.gcr.io + + - name: Install all the everythings, fulcio, rekor, ctlog... timeout-minutes: 10 run: | - curl -L https://github.com/sigstore/scaffolding/releases/download/${{ env.SCAFFOLDING_RELEASE_VERSION }}/release.yaml | kubectl apply -f - + kubectl create -f https://github.com/sigstore/scaffolding/releases/download/${{ env.SCAFFOLDING_RELEASE_VERSION }}/release.yaml # Wait for all the ksvc to be up. kubectl wait --timeout 10m -A --for=condition=Ready ksvc --all 
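Review bot: The new `Setup kind cluster` step passes `${{ matrix.kind-version}}` to both its `k8s-version` and `kind-version` inputs, while the setup-kind.sh call it replaces passed `--k8s-version ${{ matrix.k8s-version }}`, so unless the matrix (outside this hunk) was changed as well, the Kubernetes version is now taken from the kind release number and the line should read `k8s-version: ${{ matrix.k8s-version }}`. The three chainguard-dev/actions steps added here (setup-kind, setup-knative, setup-mirror) are referenced by the mutable `@main` ref, whereas every other action in this file is pinned to a commit SHA with a version comment (actions/checkout, actions/setup-go, imjasonh/setup-ko, mikefarah/yq); a change on that branch silently changes what this job runs, so pin each `uses:` to a full commit SHA in the same way, e.g. `uses: chainguard-dev/actions/setup-kind@<commit-sha> # <version>`. The same `@main` references appear in the kind-e2e-cosigned.yaml hunk (setup-kind and setup-mirror) and should be pinned there too. The job's `steps:` list begins and ends outside this hunk.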
@@ -89,7 +106,7 @@ jobs: # so we can verify against it. kubectl -n fulcio-system get secrets fulcio-secret -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl apply -f - - curl -L https://github.com/sigstore/scaffolding/releases/download/${{ env.SCAFFOLDING_RELEASE_VERSION }}/testrelease.yaml | kubectl create -f - + kubectl create -f https://github.com/sigstore/scaffolding/releases/download/${{ env.SCAFFOLDING_RELEASE_VERSION }}/testrelease.yaml kubectl wait --for=condition=Complete --timeout=180s job/sign-job job/checktree job/verify-job
@@ -146,7 +163,8 @@ jobs: sleep 2 kubectl wait --for=condition=Ready --timeout=15s ksvc gettoken - # These set up the env variables so that + # These set up the env variables so that we can invoke cosign against the + # cluster sigstore services (fulcio, rekor, etc.) - name: Set the endpoints on the cluster and grab secrets run: | REKOR_URL=`kubectl -n rekor-system get --no-headers ksvc rekor | cut -d ' ' -f 4`
@@ -173,10 +191,6 @@ jobs: run: | kubectl apply -f ./test/testdata/cosigned/e2e/cip.yaml - - name: build cosign - run: | - make cosign - - name: Sign demoimage with cosign run: | ./cosign sign --rekor-url ${{ env.REKOR_URL }} --fulcio-url ${{ env.FULCIO_URL }} --force --allow-insecure-registry ${{ env.demoimage }} --identity-token ${{ env.OIDC_TOKEN }}
diff --git a/.github/workflows/kind-e2e-cosigned.yaml b/.github/workflows/kind-e2e-cosigned.yaml
index 749eaf46bef..c54fe627f53 100644
--- a/.github/workflows/kind-e2e-cosigned.yaml
+++ b/.github/workflows/kind-e2e-cosigned.yaml
@@ -74,76 +74,17 @@ jobs: run: | go install ./cmd/cosign - # This KinD setup is based on what we use for knative/serving on GHA, and it includes several "fun" - # monkey wrenches (e.g. randomizing cluster suffix: `.svc.cluster.local`) to make sure we don't bake - # in any invalid assumptions about a particular Kubernetes configuration. - - name: Install KinD - run: | - set -x - # Disable swap otherwise memory enforcement doesn't work - # See: https://kubernetes.slack.com/archives/CEKK1KTN2/p1600009955324200 - sudo swapoff -a - sudo rm -f /swapfile - # Use in-memory storage to avoid etcd server timeouts. - # https://kubernetes.slack.com/archives/CEKK1KTN2/p1615134111016300 - # https://github.com/kubernetes-sigs/kind/issues/845 - sudo mkdir -p /tmp/etcd - sudo mount -t tmpfs tmpfs /tmp/etcd - go install sigs.k8s.io/kind@${{ matrix.kind-version }} - - - name: Configure KinD Cluster - run: | - set -x - # KinD configuration. - cat > kind.yaml < 127.0.0.1, to tell `ko` to publish to - # local reigstry, even when pushing $REGISTRY_NAME:$REGISTRY_PORT/some/image - sudo echo "127.0.0.1 $REGISTRY_NAME" | sudo tee -a /etc/hosts + - name: Setup mirror + uses: chainguard-dev/actions/setup-mirror@main + with: + mirror: mirror.gcr.io - name: Setup local insecure registry run: |
diff --git a/pkg/apis/config/image_policies_test.go b/pkg/apis/config/image_policies_test.go
index 490c975f5c4..f4cca6b4cfb 100644
--- a/pkg/apis/config/image_policies_test.go
+++ b/pkg/apis/config/image_policies_test.go
@@ -117,6 +117,7 @@ func TestGetAuthorities(t *testing.T) {
 }
 
 func checkGetMatches(t *testing.T, c map[string][]v1alpha1.Authority, err error) {
+ t.Helper()
 if err != nil {
 t.Error("GetMatches Failed =", err)
 }
diff --git a/pkg/cosign/kubernetes/webhook/validator.go b/pkg/cosign/kubernetes/webhook/validator.go
index 05e72c66eeb..3171ea215aa 100644
--- a/pkg/cosign/kubernetes/webhook/validator.go
+++ b/pkg/cosign/kubernetes/webhook/validator.go
@@ -278,7 +278,7 @@ func validatePolicies(ctx context.Context, ref name.Reference, defaultKC authn.K
 logging.FromContext(ctx).Debugf("Fetching FulcioRoot for %s : From: %s ", ref.Name(), authority.Keyless.URL)
 fulcioroot, err := getFulcioCert(authority.Keyless.URL)
 if err != nil {
- authorityErrors = append(authorityErrors, errors.Wrap(err, "failed to fetch FulcioRoot"))
+ authorityErrors = append(authorityErrors, errors.Wrap(err, "fetching FulcioRoot"))
 continue
 }
 var rekorClient *client.Rekor
@@ -293,8 +293,8 @@ func validatePolicies(ctx context.Context, ref name.Reference, defaultKC authn.K
 }
 sps, err := validSignaturesWithFulcio(ctx, ref, fulcioroot, rekorClient, opts)
 if err != nil {
- logging.FromContext(ctx).Errorf("failed validSignatures for %s: %v", ref.Name(), err)
- authorityErrors = append(authorityErrors, errors.Wrap(err, "validate signatures"))
+ logging.FromContext(ctx).Errorf("failed validSignatures with fulcio for %s: %v", ref.Name(), err)
+ authorityErrors = append(authorityErrors, errors.Wrap(err, "validate signatures with fulcio"))
 } else {
 if len(sps) > 0 {
 logging.FromContext(ctx).Debugf("validated signature for %s, got %d signatures", len(sps))
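Review bot: The Debugf on the last context line of the second hunk, `logging.FromContext(ctx).Debugf("validated signature for %s, got %d signatures", len(sps))`, supplies one argument for two verbs, so the reference is printed as `%!s(int=…)` and the count as `%!d(MISSING)`; since this commit is already reworking the adjacent log and wrap strings, it should also pass the reference: `logging.FromContext(ctx).Debugf("validated signature for %s, got %d signatures", ref.Name(), len(sps))` (go vet's printf check reports this). In the same branch the error is both logged with Errorf and appended to authorityErrors, which the caller presumably reports again, so the Errorf could be dropped once the wrapped error carries the context. The `} else { if len(sps) > 0 {` shape could be flattened to `} else if len(sps) > 0 {`, which is cosmetic. validatePolicies begins and ends outside both hunks.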