ci: add sigstore e2e test suite#2062
Conversation
stealthybox
force-pushed
the
sigstore-testing
branch
from
4abda3f to
5e8d2e6
Compare
stealthybox
force-pushed
the
sigstore-transport
branch
2 times, most recently
from
211fb0a to
ffa18cc
Compare
stealthybox
force-pushed
the
sigstore-testing
branch
from
5e8d2e6 to
106bf50
Compare
stealthybox
force-pushed
the
sigstore-transport
branch
from
ffa18cc to
b00f7ba
Compare
stealthybox
force-pushed
the
sigstore-testing
branch
3 times, most recently
from
9599840 to
c030efd
Compare
stealthybox
force-pushed
the
sigstore-transport
branch
from
b00f7ba to
34c7c9c
Compare
stealthybox
force-pushed
the
sigstore-testing
branch
from
c030efd to
f40dbee
Compare
stefanprodan
added
area/ci
Scripts and testdata for running cosign verification tests against a local sigstore stack on kind. Uses zot (referrers API) and registry:2 (tag fallback) with the scaffold Helm chart. Covers v2/v3 key-pair, v2/v3 keyless with trustedRootSecretRef, tlog, combined refs, wrong key/identity/rekor material, and registry auth. Signed-off-by: leigh capili <leigh@null.net>
New sigstore-linux-amd64 job deploys a local sigstore stack and runs the verification test suite concurrently with kind-linux-amd64. Signed-off-by: leigh capili <leigh@null.net>
stealthybox
force-pushed
the
sigstore-testing
branch
from
f40dbee to
0a2b4cf
Compare
|
rebased, if this is green, I don't see a problem merging it I am extending this significantly to test some auto policy features based off of what's in the the trustbundle. The idea is to bridge the gap between our existing heuristic/implicit behaviors for Fulcio/Rekor to also support TSA (which GitHub uses for immutable releases) Once we uniformly implement our existing auto behaviors, Flux users with private/hybrid/third-party sigstore stacks will be able to combine whichever key and trust materials they desire. Realistically, people will be dynamically loading trustBundles/TUF-roots into these SecretRefs which could change how the verify policy evaluates. Flux already supports overriding the global TUF root, so that is a considerable part of this as well. Also, whether we choose to support or not-support per-resource TUF roots. Lastly, there's the topic of TLS/mTLS connections to verification endpoints that are not the OCI registry. We may need to plumb some additional cert fields in. Alternatively, we could load them from a separate, optional data field in the TrustBundle Secret? Not sure if that would violate the spirit of the verification material or not. |
| - name: Setup cosign | ||
| env: | ||
| COSIGN_VERSION: v3.0.6 | ||
| COSIGN_SHA256: c956e5dfcac53d52bcf058360d579472f0c1d2d9b69f55209e256fe7783f4c74 | ||
| run: | | ||
| curl -fsSL "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-amd64" -o /usr/local/bin/cosign | ||
| echo "${COSIGN_SHA256} /usr/local/bin/cosign" | sha256sum -c - | ||
| chmod +x /usr/local/bin/cosign | ||
| - name: Setup Flux CLI | ||
| run: curl -fsSL https://fluxcd.io/install.sh | bash |
There was a problem hiding this comment.
These should be GH Actions so that dependabot can update them.
| kubectl -n fulcio-system get cm fulcio-server-config -o json | \ | ||
| python3 -c " | ||
| import json, sys | ||
| cm = json.load(sys.stdin) | ||
| config = json.loads(cm['data']['config.json']) | ||
| config['OIDCIssuers']['https://kubernetes.default.svc.cluster.local'] = { | ||
| 'IssuerURL': 'https://kubernetes.default.svc.cluster.local', | ||
| 'ClientID': 'sigstore', | ||
| 'Type': 'kubernetes' | ||
| } | ||
| cm['data']['config.json'] = json.dumps(config, indent=2) | ||
| json.dump(cm, sys.stdout) | ||
| " | kubectl apply -f - |
There was a problem hiding this comment.
Let's rewrite this with yq, no need to introduce python3 in our test suite.
3 participants
Add a parallel CI job that deploys a local sigstore stack and runs
verification tests against it.
hack infra:
tests:
Runs concurrently with the existing kind-linux-amd64 job -- hopefully i've set this up right