From f9f548fad95af6674820845f28456e0b829f9ae8 Mon Sep 17 00:00:00 2001
From: Bruno Bressi
Date: Sun, 8 Sep 2024 18:33:32 +0200
Subject: [PATCH 01/17] test: added rsa generation

This allows the test framework to generate RSA keys

Signed-off-by: Bruno Bressi
---
 test/framework/client.go | 3 +-
 test/framework/cosign.go | 63 +++++++++++++++++++++++++++++++++++
 test/framework/cosign_test.go | 40 ++++++++++++++++++++++
 3 files changed, 104 insertions(+), 2 deletions(-)
 create mode 100644 test/framework/cosign_test.go

diff --git a/test/framework/client.go b/test/framework/client.go
index ae6edae..eb2973e 100644
--- a/test/framework/client.go
+++ b/test/framework/client.go
@@ -51,8 +51,7 @@ func createClientSet() (k8sClient *kubernetes.Clientset, err error) {
 }
 
 // Cleanup removes all resources created by the framework
-// and cleans up the testing directory. If an error is passed,
-// the test will fail but the cleanup will still be executed.
+// and cleans up the testing directory.
 func (f *Framework) Cleanup(t testing.TB) {
 cleanupKeys(t)
 f.cleanupDeployments(t)
diff --git a/test/framework/cosign.go b/test/framework/cosign.go
index 53c9198..d0fa2d8 100644
--- a/test/framework/cosign.go
+++ b/test/framework/cosign.go
@@ -1,6 +1,10 @@
 package framework
 
 import (
+ "crypto/rand"
+ "crypto/rsa"
+ "crypto/x509"
+ "encoding/pem"
 "fmt"
 "os"
 "regexp"
@@ -59,6 +63,65 @@ func (f *Framework) CreateKeys(t testing.TB, name string) (private string, publi
 return string(privateKey), string(pubKey)
 }
 
+// CreateRSAKeyPair creates an RSA keypair for signing with the provided name
+// The keypair is generated using openssl, as cosign doesn't support RSA keypairs
+func (f *Framework) CreateRSAKeyPair(t *testing.T, name string) (private string, public string) {
+
+ priv, err := rsa.GenerateKey(rand.Reader, 2048)
+ if err != nil {
+ f.Cleanup(t)
+ t.Fatal(err)
+ }
+
+ privFile, err := os.Create(fmt.Sprintf("%s.key", name))
+ if err != nil {
+ f.Cleanup(t)
+ t.Fatal(err)
+ }
+ defer func(privFile *os.File) {
+ _ = privFile.Close()
+ }(privFile)
+
+ privPEM := &pem.Block{
+ Type: "RSA PRIVATE KEY",
+ Bytes: x509.MarshalPKCS1PrivateKey(priv),
+ }
+
+ if err = pem.Encode(privFile, privPEM); err != nil {
+ f.Cleanup(t)
+ t.Fatal(err)
+ }
+
+ // Generate and save the public key to a PEM file
+ pub := &priv.PublicKey
+ pubFile, err := os.Create(fmt.Sprintf("%s.pub", name))
+ if err != nil {
+ f.Cleanup(t)
+ t.Fatal(err)
+ }
+ defer func(pubFile *os.File) {
+ _ = pubFile.Close()
+ }(pubFile)
+
+ pubASN1, err := x509.MarshalPKIXPublicKey(pub)
+ if err != nil {
+ f.Cleanup(t)
+ t.Fatal(err)
+ }
+
+ publicKeyPEM := &pem.Block{
+ Type: "PUBLIC KEY",
+ Bytes: pubASN1,
+ }
+
+ if err = pem.Encode(pubFile, publicKeyPEM); err != nil {
+ f.Cleanup(t)
+ t.Fatal(err)
+ }
+
+ return string(privPEM.Bytes), string(publicKeyPEM.Bytes)
+}
+
 // SignOptions is a struct to hold the options for signing a container
 type SignOptions struct {
 KeyName string
diff --git a/test/framework/cosign_test.go b/test/framework/cosign_test.go
new file mode 100644
index 0000000..5a45310
--- /dev/null
+++ b/test/framework/cosign_test.go
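Review bot: The two strings returned at the end of `CreateRSAKeyPair` are `privPEM.Bytes` and `publicKeyPEM.Bytes`, i.e. the raw DER payloads converted to `string`, not the PEM text written to the `.key` and `.pub` files; a caller that passes them on as key material will presumably expect PEM, so return the encoded form, `return string(pem.EncodeToMemory(privPEM)), string(pem.EncodeToMemory(publicKeyPEM))`. The private key file is created with `os.Create`, which requests mode 0666 before umask; `os.OpenFile(fmt.Sprintf("%s.key", name), os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)` keeps it readable by the owner only. The doc comment says the pair is generated with openssl while the body uses `crypto/rsa`, and the method takes `*testing.T` where `CreateKeys` in the hunk header takes `testing.TB`.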
@@ -0,0 +1,40 @@
+package framework
+
+import (
+ "os"
+ "testing"
+)
+
+func TestFramework_CreateRSAKeyPair(t *testing.T) {
+
+ tests := []struct {
+ name string
+ }{
+ {
+ name: "success",
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+
+ f := &Framework{}
+ priv, pub := f.CreateRSAKeyPair(t, tt.name)
+
+ if priv == "" || pub == "" {
+ t.Fatal("failed to create RSA key pair")
+ }
+
+ privStat, err := os.Stat(tt.name + ".key")
+ if err != nil || privStat.Size() == 0 {
+ t.Fatal("failed to create private key")
+ }
+ pubStat, err := os.Stat(tt.name + ".pub")
+ if err != nil || pubStat.Size() == 0 {
+ t.Fatal("failed to create public key")
+ }
+
+ _ = os.Remove(tt.name + ".key")
+ _ = os.Remove(tt.name + ".pub")
+ })
+ }
+}

From c9421a25d5e06811e4efd22a00b2bb5ce10bdd90 Mon Sep 17 00:00:00 2001
From: Bruno Bressi
Date: Mon, 9 Sep 2024 23:02:05 +0200
Subject: [PATCH 02/17] chore: use another port for k3d registry

The port 5000 is used in mac for some other server.
---
 Makefile | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/Makefile b/Makefile
index 1621b2e..6f7ae93 100644
--- a/Makefile
+++ b/Makefile
@@ -17,9 +17,9 @@ test-unit:
 
 e2e-cluster:
 @echo "Creating registry..."
- @k3d registry create registry.localhost --port 5000
+ @k3d registry create registry.localhost --port 13942
 @echo "Adding registry to cluster..."
- @k3d cluster create cosign-tests --registry-use k3d-registry.localhost:5000
+ @K3D_FIX_DNS=0 k3d cluster create cosign-tests --registry-use k3d-registry.localhost:13942
 @echo "Create test namespace..."
 @kubectl create namespace test-cases
 
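Review bot: The key files are removed only by the two `os.Remove` calls at the end of the subtest, so any earlier `t.Fatal` leaves `success.key` (an unencrypted private key) and `success.pub` behind in the package directory. Register the removal right after `CreateRSAKeyPair` returns, e.g. `t.Cleanup(func() { _ = os.Remove(tt.name + ".key"); _ = os.Remove(tt.name + ".pub") })`. The assertions only check that the strings and files are non-empty; decoding the written file with `pem.Decode` and `x509.ParsePKCS1PrivateKey` would confirm the output is a usable key. The test also runs on a zero-value `&Framework{}`, so the `f.Cleanup(t)` calls on the error paths of `CreateRSAKeyPair` would presumably run without a client set, which is worth confirming cannot panic.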
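Review bot: `K3D_FIX_DNS=0` is added to the `k3d cluster create` line in `e2e-cluster`, but the commit message only mentions the port change; add a comment above that recipe line saying why the DNS fix is disabled. The registry address `k3d-registry.localhost:13942` is repeated in this hunk and on every changed line of the `@@ -33,29` hunk, so the next port change will again touch each of them; a variable such as `REGISTRY ?= k3d-registry.localhost:13942`, used as `$(REGISTRY)/cosignwebhook:dev`, would keep it in one place.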
@@ -33,29 +33,29 @@ e2e-images:
 @echo "Checking for cosign.key..."
 @test -f cosign.key || (echo "cosign.key not found. Run 'make e2e-keys' to generate the pairs needed for the tests." && exit 1)
 @echo "Building test image..."
- @docker build -t k3d-registry.localhost:5000/cosignwebhook:dev .
+ @docker build -t k3d-registry.localhost:13942/cosignwebhook:dev .
 @echo "Pushing test image..."
- @docker push k3d-registry.localhost:5000/cosignwebhook:dev
+ @docker push k3d-registry.localhost:13942/cosignwebhook:dev
 @echo "Signing test image..."
 @export COSIGN_PASSWORD="" && \
- cosign sign --tlog-upload=false --key cosign.key k3d-registry.localhost:5000/cosignwebhook:dev
+ cosign sign --tlog-upload=false --key cosign.key k3d-registry.localhost:13942/cosignwebhook:dev
 @echo "Importing test image to cluster..."
- @k3d image import k3d-registry.localhost:5000/cosignwebhook:dev --cluster cosign-tests
+ @k3d image import k3d-registry.localhost:13942/cosignwebhook:dev --cluster cosign-tests
 @echo "Building busybox image..."
 @docker pull busybox:latest
 @echo "Tagging & pushing busybox images..."
- @docker tag busybox:latest k3d-registry.localhost:5000/busybox:first
- @docker tag busybox:latest k3d-registry.localhost:5000/busybox:second
- @docker push k3d-registry.localhost:5000/busybox --all-tags
+ @docker tag busybox:latest k3d-registry.localhost:13942/busybox:first
+ @docker tag busybox:latest k3d-registry.localhost:13942/busybox:second
+ @docker push k3d-registry.localhost:13942/busybox --all-tags
 @echo "Signing busybox images..."
 @export COSIGN_PASSWORD="" && \
- cosign sign --tlog-upload=false --key cosign.key k3d-registry.localhost:5000/busybox:first && \
- cosign sign --tlog-upload=false --key second.key k3d-registry.localhost:5000/busybox:second
+ cosign sign --tlog-upload=false --key cosign.key k3d-registry.localhost:13942/busybox:first && \
+ cosign sign --tlog-upload=false --key second.key k3d-registry.localhost:13942/busybox:second
 
 e2e-deploy:
 @echo "Deploying test image..."
 @helm upgrade -i cosignwebhook chart -n cosignwebhook --create-namespace \
- --set image.repository=k3d-registry.localhost:5000/cosignwebhook \
+ --set image.repository=k3d-registry.localhost:13942/cosignwebhook \
 --set image.tag=dev \
 --set-file cosign.scwebhook.key=cosign.pub \
 --set logLevel=debug \
@@ -65,7 +65,7 @@ e2e-prep: e2e-cluster e2e-keys e2e-images e2e-deploy
 
 e2e-cleanup:
 @echo "Cleaning up..."
- @helm uninstall cosignwebhook -n cosignwebhook
 @k3d registry delete k3d-registry.localhost
 @k3d cluster delete cosign-tests
+ @helm uninstall cosignwebhook -n cosignwebhook
 @rm -f cosign.pub cosign.key second.pub second.key

From 1af3d067c1dfa2adba4bab2735cefee23906d376 Mon Sep 17 00:00:00 2001
From: Bruno Bressi
Date: Thu, 12 Sep 2024 14:55:24 +0200
Subject: [PATCH 03/17] feat: new rsa E2E test

Additionally bumped dependencies & code to go 1.23
---
 .dockerignore | 8 +
 .github/workflows/build.yaml | 6 +-
 .golangci.yaml | 24 +-
 Dockerfile | 2 +-
 Makefile | 15 +-
 chart/values.yaml | 22 +-
 go.mod | 188 ++++++------
 go.sum | 528 ++++++++++++++++++----------
 main.go | 5 +-
 test/framework/cosign.go | 2 -
 test/framework/cosign_test.go | 2 -
 test/main_test.go | 1 +
 test/webhook_test.go | 57 ++++
 webhook/cosignwebhook.go | 1 -
 14 files changed, 475 insertions(+), 386 deletions(-)
 create mode 100644 .dockerignore

diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..ef6c7ab
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,8 @@ +Makefile +*.key +*.pub +*.png +hack/ +manifests/ +chart/ +README.md diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index c89ac0a..ac7df1b 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -4,8 +4,8 @@ on: push: branches: - main - tags: - - '*' + tags: + - "*" jobs: build: @@ -28,7 +28,7 @@ jobs: - name: Install Cosign uses: sigstore/cosign-installer@main with: - cosign-release: 'v2.2.0' + cosign-release: "v2.4.0" - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx diff --git a/.golangci.yaml b/.golangci.yaml index cc547b3..bc4fed8 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -23,8 +23,8 @@ linters-settings: min-complexity: 15 gofmt: rewrite-rules: - - pattern: 'interface{}' - replacement: 'any' + - pattern: "interface{}" + replacement: "any" goimports: local-prefixes: github.com/golangci/golangci-lint gomnd: @@ -35,15 +35,14 @@ linters-settings: - condition - return ignored-numbers: - - '0' - - '1' - - '2' - - '3' + - "0" + - "1" + - "2" + - "3" ignored-functions: - strings.SplitN govet: - check-shadowing: true settings: printf: funcs: @@ -72,7 +71,7 @@ linters: - dogsled - dupl - errcheck - - exportloopref + - copyloopvar - funlen - gocheckcompilerdirectives - gochecknoinits @@ -81,7 +80,7 @@ linters: - gocyclo - gofmt - goimports - - gomnd + - mnd - goprintffuncname - gosec - gosimple @@ -99,9 +98,8 @@ linters: - unused - whitespace -run: - timeout: 5m - skip-files: +issues: + exclude-files: - .*_test\.go - skip-dirs: + exclude-dirs: - test/ diff --git a/Dockerfile b/Dockerfile index e12cfbe..139073f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ # build stage -FROM golang:1.21 AS build-env +FROM golang:1.23 AS build-env WORKDIR /app COPY . /app RUN useradd -u 10001 webhook && \ diff --git a/Makefile b/Makefile index 6f7ae93..b335428 100644 --- a/Makefile +++ b/Makefile 
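Review bot: In `.github/workflows/build.yaml` the `Install Cosign` step still references `sigstore/cosign-installer@main`, so this commit pins the cosign binary to v2.4.0 while the action that downloads and installs it tracks a mutable branch. The job presumably uses that tool to sign the published image, so the installer should be pinned to a reviewed commit as well, e.g. `uses: sigstore/cosign-installer@<full-commit-sha> # <release-tag>` (placeholder values), with a dependency bot keeping it current. The `uses:` line is unchanged context in this hunk.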
@@ -19,7 +19,7 @@ e2e-cluster: @echo "Creating registry..." @k3d registry create registry.localhost --port 13942 @echo "Adding registry to cluster..." - @K3D_FIX_DNS=0 k3d cluster create cosign-tests --registry-use k3d-registry.localhost:13942 + @k3d cluster create cosign-tests --registry-use k3d-registry.localhost:13942 @echo "Create test namespace..." @kubectl create namespace test-cases @@ -59,13 +59,14 @@ e2e-deploy: --set image.tag=dev \ --set-file cosign.scwebhook.key=cosign.pub \ --set logLevel=debug \ - --wait --debug + --wait --debug --atomic e2e-prep: e2e-cluster e2e-keys e2e-images e2e-deploy e2e-cleanup: - @echo "Cleaning up..." - @k3d registry delete k3d-registry.localhost - @k3d cluster delete cosign-tests - @helm uninstall cosignwebhook -n cosignwebhook - @rm -f cosign.pub cosign.key second.pub second.key + @echo "Cleaning up test env..." + @k3d registry delete k3d-registry || echo "Deleting k3d registry failed. Continuing..." + @helm uninstall cosignwebhook -n cosignwebhook || echo "Uninstalling cosignwebhook helm release failed. Continuing..." + @k3d cluster delete cosign-tests || echo "Deleting cosign tests k3d cluster failed. Continuing..." + @rm -f cosign.pub cosign.key second.pub second.key || echo "Removing files failed. Continuing..." + @echo "Done." diff --git a/chart/values.yaml b/chart/values.yaml index 7d2e8ff..2430212 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -32,7 +32,7 @@ podAnnotations: {} podSecurityContext: fsGroup: 1000 supplementalGroups: - - 1000 + - 1000 # minimal permissions for container securityContext: @@ -40,7 +40,7 @@ securityContext: allowPrivilegeEscalation: false capabilities: drop: - - ALL + - ALL privileged: false runAsUser: 1000 runAsGroup: 1000 
@@ -103,17 +103,17 @@ affinity: {} cosign: image: repository: ghcr.io/sigstore/cosign/cosign - tag: v2.0.0 + tag: v2.4.0 pullPolicy: IfNotPresent sccosign: key: | - -----BEGIN PUBLIC KEY----- - MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhyQCx0E9wQWSFI9ULGwy3BuRklnt - IqozONbbdbqz11hlRJy9c7SG+hdcFl9jE9uE/dwtuwU2MqU9T/cN0YkWww== - -----END PUBLIC KEY----- + -----BEGIN PUBLIC KEY----- + MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhyQCx0E9wQWSFI9ULGwy3BuRklnt + IqozONbbdbqz11hlRJy9c7SG+hdcFl9jE9uE/dwtuwU2MqU9T/cN0YkWww== + -----END PUBLIC KEY----- scwebhook: key: | - -----BEGIN PUBLIC KEY----- - MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENDN3HpXY2weMYRuuJbZnNczrOyns - ZvVnR15G9EILCH8+elXkYy+4U70mR++XIL0iD8NhZ3kxfpFjxyHlnG5Snw== - -----END PUBLIC KEY----- + -----BEGIN PUBLIC KEY----- + MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENDN3HpXY2weMYRuuJbZnNczrOyns + ZvVnR15G9EILCH8+elXkYy+4U70mR++XIL0iD8NhZ3kxfpFjxyHlnG5Snw== + -----END PUBLIC KEY----- diff --git a/go.mod b/go.mod index f6f671d..3eff4d4 100644 --- a/go.mod +++ b/go.mod 
@@ -1,24 +1,27 @@ module github.com/eumel8/cosignwebhook -go 1.21 +go 1.23 + +toolchain go1.23.1 require ( - github.com/google/go-containerregistry v0.19.1 - github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20240129192428-8dadbe76ff8c - github.com/gookit/slog v0.5.4 - github.com/prometheus/client_golang v1.19.0 - github.com/sigstore/cosign/v2 v2.2.4 - github.com/sigstore/sigstore v1.8.3 - k8s.io/api v0.29.1 - k8s.io/apimachinery v0.29.1 - k8s.io/client-go v0.29.1 + github.com/google/go-containerregistry v0.20.2 + github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20240826191751-a07d1cab8700 + github.com/gookit/slog v0.5.6 + github.com/prometheus/client_golang v1.20.3 + github.com/sigstore/cosign/v2 v2.4.0 + github.com/sigstore/sigstore v1.8.9 + k8s.io/api v0.31.1 + k8s.io/apimachinery v0.31.1 + k8s.io/client-go v0.31.1 ) require ( - cloud.google.com/go/compute v1.25.0 // indirect - cloud.google.com/go/compute/metadata v0.2.3 // indirect - cuelabs.dev/go/oci/ociregistry v0.0.0-20240314152124-224736b49f2e // indirect - cuelang.org/go v0.8.1 // indirect + cloud.google.com/go/auth v0.7.3 // indirect + cloud.google.com/go/auth/oauth2adapt v0.2.3 // indirect + cloud.google.com/go/compute/metadata v0.5.0 // indirect + cuelabs.dev/go/oci/ociregistry v0.0.0-20240404174027-a39bec0462d2 // indirect + cuelang.org/go v0.9.2 // indirect filippo.io/edwards25519 v1.1.0 // indirect github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 // indirect github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect 
@@ -31,9 +34,9 @@ require ( github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect github.com/Azure/go-autorest/logger v0.2.1 // indirect github.com/Azure/go-autorest/tracing v0.6.0 // indirect - github.com/Microsoft/go-winio v0.6.1 // indirect + github.com/Microsoft/go-winio v0.6.2 // indirect github.com/OneOfOne/xxhash v1.2.8 // indirect - github.com/ProtonMail/go-crypto v1.0.0 // indirect + github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c // indirect github.com/ThalesIgnite/crypto11 v1.2.5 // indirect github.com/agnivade/levenshtein v1.1.1 // indirect github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 // indirect 
@@ -43,61 +46,61 @@ require ( github.com/alibabacloud-go/debug v1.0.0 // indirect github.com/alibabacloud-go/endpoint-util v1.1.1 // indirect github.com/alibabacloud-go/openapi-util v0.1.0 // indirect - github.com/alibabacloud-go/tea v1.2.2 // indirect + github.com/alibabacloud-go/tea v1.2.1 // indirect github.com/alibabacloud-go/tea-utils v1.4.5 // indirect github.com/alibabacloud-go/tea-xml v1.1.3 // indirect - github.com/aliyun/credentials-go v1.3.2 // indirect + github.com/aliyun/credentials-go v1.3.1 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect - github.com/aws/aws-sdk-go-v2 v1.26.0 // indirect - github.com/aws/aws-sdk-go-v2/config v1.27.9 // indirect - github.com/aws/aws-sdk-go-v2/credentials v1.17.9 // indirect - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.4 // indirect + github.com/aws/aws-sdk-go-v2 v1.30.3 // indirect + github.com/aws/aws-sdk-go-v2/config v1.27.27 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.17.27 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect - github.com/aws/aws-sdk-go-v2/service/ecr v1.24.7 // indirect - github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.21.6 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.6 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.20.3 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.3 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.28.5 // indirect - github.com/aws/smithy-go v1.20.1 // indirect - 
github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20240116161626-88cfadc80e8f // indirect + github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2 // indirect + github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.17 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.22.4 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.4 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.30.3 // indirect + github.com/aws/smithy-go v1.20.3 // indirect + github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver v3.5.1+incompatible // indirect - github.com/buildkite/agent/v3 v3.62.0 // indirect - github.com/buildkite/go-pipeline v0.3.2 // indirect - github.com/buildkite/interpolate v0.0.0-20200526001904-07f35b4ae251 // indirect - github.com/cespare/xxhash/v2 v2.2.0 // indirect + github.com/buildkite/agent/v3 v3.76.2 // indirect + github.com/buildkite/go-pipeline v0.10.0 // indirect + github.com/buildkite/interpolate v0.1.3 // indirect + github.com/buildkite/roko v1.2.0 // indirect + github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 // indirect github.com/chzyer/readline v1.5.1 // indirect github.com/clbanning/mxj/v2 v2.7.0 // indirect github.com/cloudflare/circl v1.3.7 // indirect github.com/cockroachdb/apd/v3 v3.2.1 // indirect github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect - github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect - github.com/coreos/go-oidc/v3 v3.10.0 // indirect - github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f // indirect + github.com/containerd/stargz-snapshotter/estargz v0.14.3 // 
indirect + github.com/coreos/go-oidc/v3 v3.11.0 // indirect + github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect github.com/dimchansky/utfbom v1.1.1 // indirect - github.com/docker/cli v25.0.1+incompatible // indirect + github.com/docker/cli v27.1.1+incompatible // indirect github.com/docker/distribution v2.8.3+incompatible // indirect - github.com/docker/docker v26.1.5+incompatible // indirect - github.com/docker/docker-credential-helpers v0.8.1 // indirect + github.com/docker/docker-credential-helpers v0.8.0 // indirect github.com/dustin/go-humanize v1.0.1 // indirect - github.com/emicklei/go-restful/v3 v3.11.2 // indirect - github.com/emicklei/proto v1.13.2 // indirect - github.com/evanphx/json-patch v5.6.0+incompatible // indirect + github.com/emicklei/go-restful/v3 v3.11.0 // indirect + github.com/emicklei/proto v1.12.1 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect + github.com/fxamacker/cbor/v2 v2.7.0 // indirect github.com/go-chi/chi v4.1.2+incompatible // indirect github.com/go-ini/ini v1.67.0 // indirect github.com/go-jose/go-jose/v3 v3.0.3 // indirect - github.com/go-jose/go-jose/v4 v4.0.1 // indirect - github.com/go-logr/logr v1.4.1 // indirect + github.com/go-jose/go-jose/v4 v4.0.2 // indirect + github.com/go-logr/logr v1.4.2 // indirect github.com/go-logr/stdr v1.2.2 // indirect github.com/go-openapi/analysis v0.23.0 // indirect github.com/go-openapi/errors v0.22.0 // indirect 
@@ -116,14 +119,14 @@ require ( github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.4 // indirect github.com/golang/snappy v0.0.4 // indirect - github.com/google/certificate-transparency-go v1.1.8 // indirect + github.com/google/certificate-transparency-go v1.2.1 // indirect github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect github.com/google/go-cmp v0.6.0 // indirect - github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20240129192428-8dadbe76ff8c // indirect + github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20230516205744-dbecb1de8cfa // indirect github.com/google/go-github/v55 v55.0.0 // indirect github.com/google/go-querystring v1.1.0 // indirect github.com/google/gofuzz v1.2.0 // indirect - github.com/google/s2a-go v0.1.7 // indirect + github.com/google/s2a-go v0.1.8 // indirect github.com/google/uuid v1.6.0 // indirect github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect github.com/gookit/color v1.5.4 // indirect @@ -140,8 +143,8 @@ require ( github.com/jmespath/go-jmespath v0.4.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect - github.com/klauspost/compress v1.17.5 // indirect - github.com/letsencrypt/boulder v0.0.0-20240130193413-14a8378dd0dc // indirect + github.com/klauspost/compress v1.17.9 // indirect + github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect github.com/magiconair/properties v1.8.7 // indirect github.com/mailru/easyjson v0.7.7 // indirect github.com/manifoldco/promptui v0.9.0 // indirect 
@@ -157,17 +160,17 @@ require ( github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect github.com/oklog/ulid v1.3.1 // indirect github.com/oleiade/reflections v1.0.1 // indirect - github.com/open-policy-agent/opa v0.63.0 // indirect + github.com/open-policy-agent/opa v0.67.0 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect github.com/opencontainers/image-spec v1.1.0 // indirect github.com/opentracing/opentracing-go v1.2.0 // indirect github.com/pborman/uuid v1.2.1 // indirect - github.com/pelletier/go-toml/v2 v2.1.1 // indirect + github.com/pelletier/go-toml/v2 v2.2.2 // indirect github.com/pkg/errors v0.9.1 // indirect - github.com/prometheus/client_model v0.6.0 // indirect - github.com/prometheus/common v0.51.1 // indirect - github.com/prometheus/procfs v0.12.0 // indirect - github.com/protocolbuffers/txtpbfmt v0.0.0-20240116145035-ef3ab179eed6 // indirect + github.com/prometheus/client_model v0.6.1 // indirect + github.com/prometheus/common v0.55.0 // indirect + github.com/prometheus/procfs v0.15.1 // indirect + github.com/protocolbuffers/txtpbfmt v0.0.0-20231025115547-084445ff1adf // indirect github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect github.com/rogpeppe/go-internal v1.12.0 // indirect github.com/sagikazarmark/locafero v0.4.0 // indirect 
@@ -176,30 +179,34 @@ require ( github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect github.com/segmentio/ksuid v1.0.4 // indirect github.com/shibumi/go-pathspec v1.3.0 // indirect - github.com/sigstore/fulcio v1.4.5 // indirect + github.com/sigstore/fulcio v1.5.1 // indirect + github.com/sigstore/protobuf-specs v0.3.2 // indirect github.com/sigstore/rekor v1.3.6 // indirect + github.com/sigstore/sigstore-go v0.5.1 // indirect github.com/sigstore/timestamp-authority v1.2.2 // indirect github.com/sirupsen/logrus v1.9.3 // indirect github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect github.com/sourcegraph/conc v0.3.0 // indirect github.com/spf13/afero v1.11.0 // indirect github.com/spf13/cast v1.6.0 // indirect - github.com/spf13/cobra v1.8.0 // indirect + github.com/spf13/cobra v1.8.1 // indirect github.com/spf13/pflag v1.0.5 // indirect - github.com/spf13/viper v1.18.2 // indirect - github.com/spiffe/go-spiffe/v2 v2.2.0 // indirect + github.com/spf13/viper v1.19.0 // indirect + github.com/spiffe/go-spiffe/v2 v2.3.0 // indirect github.com/subosito/gotenv v1.6.0 // indirect github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect github.com/tchap/go-patricia/v2 v2.3.1 // indirect github.com/thales-e-security/pool v0.0.2 // indirect github.com/theupdateframework/go-tuf v0.7.0 // indirect + github.com/theupdateframework/go-tuf/v2 v2.0.0 // indirect github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect github.com/tjfoc/gmsm v1.4.1 // indirect github.com/transparency-dev/merkle v0.0.2 // indirect github.com/valyala/bytebufferpool v1.0.0 // indirect github.com/vbatts/tar-split v0.11.5 // indirect github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1 // indirect - github.com/xanzy/go-gitlab v0.102.0 // indirect + github.com/x448/float16 v0.8.4 // indirect + github.com/xanzy/go-gitlab v0.107.0 // indirect github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // 
indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect 
@@ -207,42 +214,39 @@ require ( github.com/zeebo/errs v1.3.0 // indirect go.mongodb.org/mongo-driver v1.14.0 // indirect go.opencensus.io v0.24.0 // indirect - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect - go.opentelemetry.io/otel v1.24.0 // indirect - go.opentelemetry.io/otel/metric v1.24.0 // indirect - go.opentelemetry.io/otel/sdk v1.24.0 // indirect - go.opentelemetry.io/otel/trace v1.24.0 // indirect - go.step.sm/crypto v0.44.2 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect + go.opentelemetry.io/otel v1.28.0 // indirect + go.opentelemetry.io/otel/metric v1.28.0 // indirect + go.opentelemetry.io/otel/sdk v1.28.0 // indirect + go.opentelemetry.io/otel/trace v1.28.0 // indirect + go.step.sm/crypto v0.51.1 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect - golang.org/x/crypto v0.22.0 // indirect - golang.org/x/exp v0.0.0-20240119083558-1b970713d09a // indirect - golang.org/x/mod v0.16.0 // indirect - golang.org/x/net v0.23.0 // indirect - golang.org/x/oauth2 v0.19.0 // indirect - golang.org/x/sync v0.7.0 // indirect - golang.org/x/sys v0.20.0 // indirect - golang.org/x/term v0.19.0 // indirect - golang.org/x/text v0.14.0 // indirect + golang.org/x/crypto v0.25.0 // indirect + golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 // indirect + golang.org/x/mod v0.19.0 // indirect + golang.org/x/net v0.27.0 // indirect + golang.org/x/oauth2 v0.22.0 // indirect + golang.org/x/sync v0.8.0 // indirect + golang.org/x/sys v0.22.0 // indirect + golang.org/x/term v0.22.0 // indirect + golang.org/x/text v0.16.0 // indirect golang.org/x/time v0.5.0 // indirect - golang.org/x/tools v0.19.0 // indirect - google.golang.org/api v0.172.0 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 // indirect - google.golang.org/grpc v1.62.1 // indirect - google.golang.org/protobuf v1.33.0 // indirect - 
gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect + google.golang.org/api v0.190.0 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240725223205-93522f1f2a9f // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240730163845-b1a4ccb954bf // indirect + google.golang.org/grpc v1.65.0 // indirect + google.golang.org/protobuf v1.34.2 // indirect + gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/klog/v2 v2.120.1 // indirect - k8s.io/kube-openapi v0.0.0-20240126223410-2919ad4fcfec // indirect - k8s.io/utils v0.0.0-20240102154912-e7106e64919e // indirect + k8s.io/klog/v2 v2.130.1 // indirect + k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect + k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect - sigs.k8s.io/release-utils v0.7.7 // indirect + sigs.k8s.io/release-utils v0.8.4 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect sigs.k8s.io/yaml v1.4.0 // indirect ) - -// replace github.com/sigstore/cosign => ./cosign -//replace github.com/sigstore/cosign/v2 v2.0.0-rc.0 => github.com/sigstore/cosign v1.12.1 diff --git a/go.sum b/go.sum index 56e034d..174d396 100644 --- a/go.sum +++ b/go.sum 
@@ -1,17 +1,22 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go v0.112.1 h1:uJSeirPke5UNZHIb4SxfZklVSiWWVqW4oXlETwZziwM= -cloud.google.com/go/compute v1.25.0 h1:H1/4SqSUhjPFE7L5ddzHOfY2bCAvjwNRZPNl6Ni5oYU= -cloud.google.com/go/compute v1.25.0/go.mod h1:GR7F0ZPZH8EhChlMo9FkLd7eUTwEymjqQagxzilIxIE= -cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY= -cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= -cloud.google.com/go/iam v1.1.6 h1:bEa06k05IO4f4uJonbB5iAgKTPpABy1ayxaIZV/GHVc= -cloud.google.com/go/iam v1.1.6/go.mod h1:O0zxdPeGBoFdWW3HWmBxJsk0pfvNM/p/qa82rWOGTwI= -cloud.google.com/go/kms v1.15.8 h1:szIeDCowID8th2i8XE4uRev5PMxQFqW+JjwYxL9h6xs= -cloud.google.com/go/kms v1.15.8/go.mod h1:WoUHcDjD9pluCg7pNds131awnH429QGvRM3N/4MyoVs= -cuelabs.dev/go/oci/ociregistry v0.0.0-20240314152124-224736b49f2e h1:GwCVItFUPxwdsEYnlUcJ6PJxOjTeFFCKOh6QWg4oAzQ= -cuelabs.dev/go/oci/ociregistry v0.0.0-20240314152124-224736b49f2e/go.mod h1:ApHceQLLwcOkCEXM1+DyCXTHEJhNGDpJ2kmV6axsx24= -cuelang.org/go v0.8.1 h1:VFYsxIFSPY5KgSaH1jQ2GxHOrbu6Ga3kEI70yCZwnOg= -cuelang.org/go v0.8.1/go.mod h1:CoDbYolfMms4BhWUlhD+t5ORnihR7wvjcfgyO9lL5FI= +cloud.google.com/go v0.115.0 h1:CnFSK6Xo3lDYRoBKEcAtia6VSC837/ZkJuRduSFnr14= +cloud.google.com/go v0.115.0/go.mod h1:8jIM5vVgoAEoiVxQ/O4BFTfHqulPZgs/ufEzMcFMdWU= +cloud.google.com/go/auth v0.7.3 h1:98Vr+5jMaCZ5NZk6e/uBgf60phTk/XN84r8QEWB9yjY= +cloud.google.com/go/auth v0.7.3/go.mod h1:HJtWUx1P5eqjy/f6Iq5KeytNpbAcGolPhOgyop2LlzA= +cloud.google.com/go/auth/oauth2adapt v0.2.3 h1:MlxF+Pd3OmSudg/b1yZ5lJwoXCEaeedAguodky1PcKI= +cloud.google.com/go/auth/oauth2adapt v0.2.3/go.mod h1:tMQXOfZzFuNuUxOypHlQEXgdfX5cuhwU+ffUuXRJE8I= +cloud.google.com/go/compute/metadata v0.5.0 h1:Zr0eK8JbFv6+Wi4ilXAR8FJ3wyNdpxHKJNPos6LTZOY= +cloud.google.com/go/compute/metadata v0.5.0/go.mod h1:aHnloV2TPI38yx4s9+wAZhHykWvVCfu7hQbF+9CWoiY= 
+cloud.google.com/go/iam v1.1.12 h1:JixGLimRrNGcxvJEQ8+clfLxPlbeZA6MuRJ+qJNQ5Xw= +cloud.google.com/go/iam v1.1.12/go.mod h1:9LDX8J7dN5YRyzVHxwQzrQs9opFFqn0Mxs9nAeB+Hhg= +cloud.google.com/go/kms v1.18.4 h1:dYN3OCsQ6wJLLtOnI8DGUwQ5shMusXsWCCC+s09ATsk= +cloud.google.com/go/kms v1.18.4/go.mod h1:SG1bgQ3UWW6/KdPo9uuJnzELXY5YTTMJtDYvajiQ22g= +cloud.google.com/go/longrunning v0.5.11 h1:Havn1kGjz3whCfoD8dxMLP73Ph5w+ODyZB9RUsDxtGk= +cloud.google.com/go/longrunning v0.5.11/go.mod h1:rDn7//lmlfWV1Dx6IB4RatCPenTwwmqXuiP0/RgoEO4= +cuelabs.dev/go/oci/ociregistry v0.0.0-20240404174027-a39bec0462d2 h1:BnG6pr9TTr6CYlrJznYUDj6V7xldD1W+1iXPum0wT/w= +cuelabs.dev/go/oci/ociregistry v0.0.0-20240404174027-a39bec0462d2/go.mod h1:pK23AUVXuNzzTpfMCA06sxZGeVQ/75FdVtW249de9Uo= +cuelang.org/go v0.9.2 h1:pfNiry2PdRBr02G/aKm5k2vhzmqbAOoaB4WurmEbWvs= +cuelang.org/go v0.9.2/go.mod h1:qpAYsLOf7gTM1YdEg6cxh553uZ4q9ZDWlPbtZr9q1Wk= filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230919221257-8b5d3ce2d11d h1:zjqpY4C7H15HjRPEenkS4SAn3Jy2eRRjkjZbGR30TOg= 
@@ -20,12 +25,12 @@ github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0/go.mod h1:GgeIE+1be8Ivm7Sh4RgwI42aTtC9qrcj+Y9Y6CjJhJs= github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU= github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.10.0 h1:n1DH8TPV4qqPTje2RcUBYwtrTWlabVp4n46+74X2pn4= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.10.0/go.mod h1:HDcZnuGbiyppErN6lB+idp4CKhjbc8gwjto6OPpyggM= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 h1:sO0/P7g68FrryJzljemN+6GTssUXdANk6aJ7T1ZxnsQ= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1/go.mod h1:h8hyGFDsU5HMivxiS2iYFZsgDbU9OnnJ163x5UGVKYo= -github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 h1:LqbJ/WzJUwBf8UiaSzgX7aMclParm9/5Vgp+TY51uBQ= -github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2/go.mod h1:yInRyqWXAuaPrgI7p70+lDDgh3mlBohis29jGMISnmc= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.13.0 h1:GJHeeA2N7xrG3q30L2UXDyuWRzDM900/65j70wcM4Ww= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.13.0/go.mod h1:l38EPgmsp71HHLq9j7De57JcKOWPyhrsW1Awm1JS6K0= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 h1:tfLQ34V6F7tVSwoTf/4lH5sE0o6eCJuNDTmH09nDpbc= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 h1:ywEEhmNahHBihViHepv3xPBn1663uRv2t2q/ESv9seY= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0/go.mod h1:iZDifYGJTIgIIkYRNWPENUnqx6bJ2xnSDFI2tjwZNuY= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.1.0 h1:DRiANoJTiW6obBQe3SqZizkuV1PEgfiiGivmVocDy64= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.1.0/go.mod h1:qLIye2hwb/ZouqhpSD9Zn3SJipvpEnz1Ywl3VUk9Y0s= 
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 h1:D3occbWoio4EBLkbkevetNMAVX197GkzbUMtqjGWn80= @@ -58,12 +63,12 @@ github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBp github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 h1:XHOnouVk1mxXfQidrMEnLlPk9UMeRtyBTnEFtxkV0kU= github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow= -github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM= +github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= +github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8= github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q= -github.com/ProtonMail/go-crypto v1.0.0 h1:LRuvITjQWX+WIfr930YHG2HNfjR1uOfyf5vE0kC2U78= -github.com/ProtonMail/go-crypto v1.0.0/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0= +github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c h1:kMFnB0vCcX7IL/m9Y5LO+KQYv+t1CQOiFe6+SV2J7bE= +github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0= github.com/ThalesIgnite/crypto11 v1.2.5 h1:1IiIIEqYmBvUYFeMnHqRft4bwf/O36jryEUpY+9ef8E= github.com/ThalesIgnite/crypto11 v1.2.5/go.mod h1:ILDKtnCKiQ7zRoNxcp36Y1ZR8LBPmR2E23+wTQe/MlE= github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8= 
@@ -99,8 +104,8 @@ github.com/alibabacloud-go/tea v1.1.8/go.mod h1:/tmnEaQMyb4Ky1/5D+SE1BAsa5zj/KeG github.com/alibabacloud-go/tea v1.1.11/go.mod h1:/tmnEaQMyb4Ky1/5D+SE1BAsa5zj/KeGOFfwYm3N/p4= github.com/alibabacloud-go/tea v1.1.17/go.mod h1:nXxjm6CIFkBhwW4FQkNrolwbfon8Svy6cujmKFUq98A= github.com/alibabacloud-go/tea v1.1.19/go.mod h1:nXxjm6CIFkBhwW4FQkNrolwbfon8Svy6cujmKFUq98A= -github.com/alibabacloud-go/tea v1.2.2 h1:aTsR6Rl3ANWPfqeQugPglfurloyBJY85eFy7Gc1+8oU= -github.com/alibabacloud-go/tea v1.2.2/go.mod h1:CF3vOzEMAG+bR4WOql8gc2G9H3EkH3ZLAQdpmpXMgwk= +github.com/alibabacloud-go/tea v1.2.1 h1:rFF1LnrAdhaiPmKwH5xwYOKlMh66CqRwPUTzIK74ask= +github.com/alibabacloud-go/tea v1.2.1/go.mod h1:qbzof29bM/IFhLMtJPrgTGK3eauV5J2wSyEUo4OEmnA= github.com/alibabacloud-go/tea-utils v1.3.1/go.mod h1:EI/o33aBfj3hETm4RLiAxF/ThQdSngxrpF8rKUDJjPE= github.com/alibabacloud-go/tea-utils v1.3.9/go.mod h1:EI/o33aBfj3hETm4RLiAxF/ThQdSngxrpF8rKUDJjPE= github.com/alibabacloud-go/tea-utils v1.4.3/go.mod h1:KNcT0oXlZZxOXINnZBs6YvgOd5aYp9U67G+E3R8fcQw= 
@@ -110,70 +115,76 @@ github.com/alibabacloud-go/tea-xml v1.1.2/go.mod h1:Rq08vgCcCAjHyRi/M7xlHKUykZCE github.com/alibabacloud-go/tea-xml v1.1.3 h1:7LYnm+JbOq2B+T/B0fHC4Ies4/FofC4zHzYtqw7dgt0= github.com/alibabacloud-go/tea-xml v1.1.3/go.mod h1:Rq08vgCcCAjHyRi/M7xlHKUykZCEtyBy9+DPF6GgEu8= github.com/aliyun/credentials-go v1.1.2/go.mod h1:ozcZaMR5kLM7pwtCMEpVmQ242suV6qTJya2bDq4X1Tw= -github.com/aliyun/credentials-go v1.3.2 h1:L4WppI9rctC8PdlMgyTkF8bBsy9pyKQEzBD1bHMRl+g= -github.com/aliyun/credentials-go v1.3.2/go.mod h1:tlpz4uys4Rn7Ik4/piGRrTbXy2uLKvePgQJJduE+Y5c= +github.com/aliyun/credentials-go v1.3.1 h1:uq/0v7kWrxmoLGpqjx7vtQ/s03f0zR//0br/xWDTE28= +github.com/aliyun/credentials-go v1.3.1/go.mod h1:8jKYhQuDawt8x2+fusqa1Y6mPxemTsBEN04dgcAcYz0= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= -github.com/aws/aws-sdk-go v1.51.6 h1:Ld36dn9r7P9IjU8WZSaswQ8Y/XUCRpewim5980DwYiU= -github.com/aws/aws-sdk-go v1.51.6/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= -github.com/aws/aws-sdk-go-v2 v1.26.0 h1:/Ce4OCiM3EkpW7Y+xUnfAFpchU78K7/Ug01sZni9PgA= -github.com/aws/aws-sdk-go-v2 v1.26.0/go.mod h1:35hUlJVYd+M++iLI3ALmVwMOyRYMmRqUXpTtRGW+K9I= -github.com/aws/aws-sdk-go-v2/config v1.27.9 h1:gRx/NwpNEFSk+yQlgmk1bmxxvQ5TyJ76CWXs9XScTqg= -github.com/aws/aws-sdk-go-v2/config v1.27.9/go.mod h1:dK1FQfpwpql83kbD873E9vz4FyAxuJtR22wzoXn3qq0= -github.com/aws/aws-sdk-go-v2/credentials v1.17.9 h1:N8s0/7yW+h8qR8WaRlPQeJ6czVMNQVNtNdUqf6cItao= -github.com/aws/aws-sdk-go-v2/credentials v1.17.9/go.mod h1:446YhIdmSV0Jf/SLafGZalQo+xr2iw7/fzXGDPTU1yQ= 
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0 h1:af5YzcLf80tv4Em4jWVD75lpnOHSBkPUZxZfGkrI3HI= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0/go.mod h1:nQ3how7DMnFMWiU1SpECohgC82fpn4cKZ875NDMmwtA= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4 h1:0ScVK/4qZ8CIW0k8jOeFVsyS/sAiXpYxRBLolMkuLQM= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4/go.mod h1:84KyjNZdHC6QZW08nfHI6yZgPd+qRgaWcYsyLUo3QY8= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.4 h1:sHmMWWX5E7guWEFQ9SVo6A3S4xpPrWnd77a6y4WM6PU= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.4/go.mod h1:WjpDrhWisWOIoS9n3nk67A3Ll1vfULJ9Kq6h29HTD48= +github.com/aws/aws-sdk-go v1.55.5 h1:KKUZBfBoyqy5d3swXyiC7Q76ic40rYcbqH7qjh59kzU= +github.com/aws/aws-sdk-go v1.55.5/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU= +github.com/aws/aws-sdk-go-v2 v1.21.2/go.mod h1:ErQhvNuEMhJjweavOYhxVkn2RUx7kQXVATHrjKtxIpM= +github.com/aws/aws-sdk-go-v2 v1.30.3 h1:jUeBtG0Ih+ZIFH0F4UkmL9w3cSpaMv9tYYDbzILP8dY= +github.com/aws/aws-sdk-go-v2 v1.30.3/go.mod h1:nIQjQVp5sfpQcTc9mPSr1B0PaWK5ByX9MOoDadSN4lc= +github.com/aws/aws-sdk-go-v2/config v1.27.27 h1:HdqgGt1OAP0HkEDDShEl0oSYa9ZZBSOmKpdpsDMdO90= +github.com/aws/aws-sdk-go-v2/config v1.27.27/go.mod h1:MVYamCg76dFNINkZFu4n4RjDixhVr51HLj4ErWzrVwg= +github.com/aws/aws-sdk-go-v2/credentials v1.17.27 h1:2raNba6gr2IfA0eqqiP2XiQ0UVOpGPgDSi0I9iAP+UI= +github.com/aws/aws-sdk-go-v2/credentials v1.17.27/go.mod h1:gniiwbGahQByxan6YjQUMcW4Aov6bLC3m+evgcoN4r4= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11 h1:KreluoV8FZDEtI6Co2xuNk/UqI9iwMrOx/87PBNIKqw= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11/go.mod h1:SeSUYBLsMYFoRvHE0Tjvn7kbxaUhl75CJi1sbfhMxkU= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43/go.mod h1:auo+PiyLl0n1l8A0e8RIeR8tOzYPfZZH/JNlrJ8igTQ= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15 h1:SoNJ4RlFEQEbtDcCEt+QG56MY4fm4W8rYirAmq+/DdU= +github.com/aws/aws-sdk-go-v2/internal/configsources 
v1.3.15/go.mod h1:U9ke74k1n2bf+RIgoX1SXFed1HLs51OgUSs+Ph0KJP8= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37/go.mod h1:Qe+2KtKml+FEsQF/DHmDV+xjtche/hwoF75EG4UlHW8= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 h1:C6WHdGnTDIYETAm5iErQUiVNsclNx9qbJVPIt03B6bI= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15/go.mod h1:ZQLZqhcu+JhSrA9/NXRm8SkDvsycE+JkV3WGY41e+IM= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY= -github.com/aws/aws-sdk-go-v2/service/ecr v1.24.7 h1:3iaT/LnGV6jNtbBkvHZDlzz7Ky3wMHDJAyFtGd5GUJI= -github.com/aws/aws-sdk-go-v2/service/ecr v1.24.7/go.mod h1:mtzCLxk6M+KZbkJdq3cUH9GCrudw8qCy5C3EHO+5vLc= -github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.21.6 h1:h+r5/diSwztgKgxUrntt6AOI5lBYY0ZJv+yzeulGZSU= -github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.21.6/go.mod h1:7+5MHFC52LC85xKCjCuWDHmIncOOvWnll10OT9EAN/g= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 h1:EyBZibRTVAs6ECHZOw5/wlylS9OcTzwyjeQMudmREjE= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1/go.mod h1:JKpmtYhhPs7D97NL/ltqz7yCkERFW5dOlHyVl66ZYF8= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.6 h1:b+E7zIUHMmcB4Dckjpkapoy47W6C9QBv/zoUP+Hn8Kc= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.6/go.mod h1:S2fNV0rxrP78NhPbCZeQgY8H9jdDMeGtwcfZIRxzBqU= -github.com/aws/aws-sdk-go-v2/service/kms v1.30.0 h1:yS0JkEdV6h9JOo8sy2JSpjX+i7vsKifU8SIeHrqiDhU= -github.com/aws/aws-sdk-go-v2/service/kms v1.30.0/go.mod h1:+I8VUUSVD4p5ISQtzpgSva4I8cJ4SQ4b1dcBcof7O+g= -github.com/aws/aws-sdk-go-v2/service/sso v1.20.3 h1:mnbuWHOcM70/OFUlZZ5rcdfA8PflGXXiefU/O+1S3+8= -github.com/aws/aws-sdk-go-v2/service/sso v1.20.3/go.mod h1:5HFu51Elk+4oRBZVxmHrSds5jFXmFj8C3w7DVF2gnrs= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.3 
h1:uLq0BKatTmDzWa/Nu4WO0M1AaQDaPpwTKAeByEc6WFM= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.3/go.mod h1:b+qdhjnxj8GSR6t5YfphOffeoQSQ1KmpoVVuBn+PWxs= -github.com/aws/aws-sdk-go-v2/service/sts v1.28.5 h1:J/PpTf/hllOjx8Xu9DMflff3FajfLxqM5+tepvVXmxg= -github.com/aws/aws-sdk-go-v2/service/sts v1.28.5/go.mod h1:0ih0Z83YDH/QeQ6Ori2yGE2XvWYv/Xm+cZc01LC6oK0= -github.com/aws/smithy-go v1.20.1 h1:4SZlSlMr36UEqC7XOyRVb27XMeZubNcBNN+9IgEPIQw= -github.com/aws/smithy-go v1.20.1/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E= -github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20240116161626-88cfadc80e8f h1:mM9Ic3+hujxWGfpEf3E0fp12Lu7Xg2u2YsNb9WeliZQ= -github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20240116161626-88cfadc80e8f/go.mod h1:IPG+64HFPgPEx/vXYjqVpZ4lUgmzt1afdmi7ykS2Qjg= +github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2 h1:y6LX9GUoEA3mO0qpFl1ZQHj1rFyPWVphlzebiSt2tKE= +github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2/go.mod h1:Q0LcmaN/Qr8+4aSBrdrXXePqoX0eOuYpJLbYpilmWnA= +github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2 h1:PpbXaecV3sLAS6rjQiaKw4/jyq3Z8gNzmoJupHAoBp0= +github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2/go.mod h1:fUHpGXr4DrXkEDpGAjClPsviWf+Bszeb0daKE0blxv8= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3 h1:dT3MqvGhSoaIhRseqw2I0yH81l7wiR2vjs57O51EAm8= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3/go.mod h1:GlAeCkHwugxdHaueRr4nhPuY+WW+gR8UjlcqzPr1SPI= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.17 h1:HGErhhrxZlQ044RiM+WdoZxp0p+EGM62y3L6pwA4olE= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.17/go.mod h1:RkZEx4l0EHYDJpWppMJ3nD9wZJAa8/0lq9aVC+r2UII= +github.com/aws/aws-sdk-go-v2/service/kms v1.35.3 h1:UPTdlTOwWUX49fVi7cymEN6hDqCwe3LNv1vi7TXUutk= +github.com/aws/aws-sdk-go-v2/service/kms v1.35.3/go.mod h1:gjDP16zn+WWalyaUqwCCioQ8gU8lzttCCc9jYsiQI/8= +github.com/aws/aws-sdk-go-v2/service/sso v1.22.4 
h1:BXx0ZIxvrJdSgSvKTZ+yRBeSqqgPM89VPlulEcl37tM= +github.com/aws/aws-sdk-go-v2/service/sso v1.22.4/go.mod h1:ooyCOXjvJEsUw7x+ZDHeISPMhtwI3ZCB7ggFMcFfWLU= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.4 h1:yiwVzJW2ZxZTurVbYWA7QOrAaCYQR72t0wrSBfoesUE= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.4/go.mod h1:0oxfLkpz3rQ/CHlx5hB7H69YUpFiI1tql6Q6Ne+1bCw= +github.com/aws/aws-sdk-go-v2/service/sts v1.30.3 h1:ZsDKRLXGWHk8WdtyYMoGNO7bTudrvuKpDKgMVRlepGE= +github.com/aws/aws-sdk-go-v2/service/sts v1.30.3/go.mod h1:zwySh8fpFyXp9yOr/KVzxOl8SRqgf/IDw5aUt9UKFcQ= +github.com/aws/smithy-go v1.15.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= +github.com/aws/smithy-go v1.20.3 h1:ryHwveWzPV5BIof6fyDvor6V3iUL7nTfiTKXHiW05nE= +github.com/aws/smithy-go v1.20.3/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E= +github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 h1:SoFYaT9UyGkR0+nogNyD/Lj+bsixB+SNuAS4ABlEs6M= +github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8/go.mod h1:2JF49jcDOrLStIXN/j/K1EKRq8a8R2qRnlZA6/o/c7c= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ= github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= -github.com/buildkite/agent/v3 v3.62.0 h1:yvzSjI8Lgifw883I8m9u8/L/Thxt4cLFd5aWPn3gg70= -github.com/buildkite/agent/v3 v3.62.0/go.mod h1:jN6SokGXrVNNIpI0BGQ+j5aWeI3gin8F+3zwA5Q6gqM= -github.com/buildkite/go-pipeline v0.3.2 h1:SW4EaXNwfjow7xDRPGgX0Rcx+dPj5C1kV9LKCLjWGtM= -github.com/buildkite/go-pipeline v0.3.2/go.mod h1:iY5jzs3Afc8yHg6KDUcu3EJVkfaUkd9x/v/OH98qyUA= -github.com/buildkite/interpolate v0.0.0-20200526001904-07f35b4ae251 h1:k6UDF1uPYOs0iy1HPeotNa155qXRWrzKnqAaGXHLZCE= -github.com/buildkite/interpolate 
v0.0.0-20200526001904-07f35b4ae251/go.mod h1:gbPR1gPu9dB96mucYIR7T3B7p/78hRVSOuzIWLHK2Y4= +github.com/buildkite/agent/v3 v3.76.2 h1:SweFq3e0N20RikWsVeOXzTjfr0AoOskxm9c0bcNyI0E= +github.com/buildkite/agent/v3 v3.76.2/go.mod h1:9ffbmJD7d7C/nOcElj6Qm+uIj1QoYh3NNvka4rkKkss= +github.com/buildkite/go-pipeline v0.10.0 h1:EDffu+LfMY2k5u+iEdo6Jn3obGKsrL5wicc1O/yFeRs= +github.com/buildkite/go-pipeline v0.10.0/go.mod h1:eMH1kiav5VeiTiu0Mk2/M7nZhKyFeL4iGj7Y7rj4f3w= +github.com/buildkite/interpolate v0.1.3 h1:OFEhqji1rNTRg0u9DsSodg63sjJQEb1uWbENq9fUOBM= +github.com/buildkite/interpolate v0.1.3/go.mod h1:UNVe6A+UfiBNKbhAySrBbZFZFxQ+DXr9nWen6WVt/A8= +github.com/buildkite/roko v1.2.0 h1:hbNURz//dQqNl6Eo9awjQOVOZwSDJ8VEbBDxSfT9rGQ= +github.com/buildkite/roko v1.2.0/go.mod h1:23R9e6nHxgedznkwwfmqZ6+0VJZJZ2Sg/uVcp2cP46I= github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0= github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 h1:3uZCA/BLTIu+DqCfguByNMJa2HVHpXvjfy0Dy7g6fuA= github.com/bytecodealliance/wasmtime-go/v3 v3.0.2/go.mod h1:RnUjnIXxEJcL6BgCvNyzCCRzZcxCgsZCi+RNlvYor5Q= github.com/cenkalti/backoff/v3 v3.2.2 h1:cfUAAO3yvKMYKPrvhDuHSwQnhZNk/RMHKdZqKTxfm6M= github.com/cenkalti/backoff/v3 v3.2.2/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs= -github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM= -github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= +github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= +github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= -github.com/cespare/xxhash/v2 v2.2.0 
h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= -github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= +github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 h1:krfRl01rzPzxSxyLyrChD+U+MzsBXbm0OwYYB67uF+4= github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589/go.mod h1:OuDyvmLnMCwa2ep4Jkm6nyA0ocJuZlGyk2gGseVzERM= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= 
@@ -199,17 +210,17 @@ github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUo github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb/go.mod h1:ZjrT6AXHbDs86ZSdt/osfBi5qfexBrKUdONk989Wnk4= github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be h1:J5BL2kskAlV9ckgEsNQXscjIaLiOYiZ75d4e94E6dcQ= github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be/go.mod h1:mk5IQ+Y0ZeO87b858TlA645sVcEcbiX6YqP98kt+7+w= -github.com/containerd/stargz-snapshotter/estargz v0.15.1 h1:eXJjw9RbkLFgioVaTG+G/ZW/0kEe2oEKCdS/ZxIyoCU= -github.com/containerd/stargz-snapshotter/estargz v0.15.1/go.mod h1:gr2RNwukQ/S9Nv33Lt6UC7xEx58C+LHRdoqbEKjz1Kk= -github.com/coreos/go-oidc/v3 v3.10.0 h1:tDnXHnLyiTVyT/2zLDGj09pFPkhND8Gl8lnTRhoEaJU= -github.com/coreos/go-oidc/v3 v3.10.0/go.mod h1:5j11xcw0D3+SGxn6Z/WFADsgcWVMyNAlSQupk0KK3ac= -github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= -github.com/creack/pty v1.1.21 h1:1/QdRyBaHHJP61QkWMXlOIBfsgdDeeKfK8SYVUWJKf0= -github.com/creack/pty v1.1.21/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= -github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f h1:eHnXnuK47UlSTOQexbzxAZfekVz6i+LKRdj1CU5DPaM= -github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw= -github.com/danieljoos/wincred v1.2.1 h1:dl9cBrupW8+r5250DYkYxocLeZ1Y4vB1kxgtjxw8GQs= -github.com/danieljoos/wincred v1.2.1/go.mod h1:uGaFL9fDn3OLTvzCGulzE+SzjEe5NGlh5FdCcyfPwps= +github.com/containerd/stargz-snapshotter/estargz v0.14.3 h1:OqlDCK3ZVUO6C3B/5FSkDwbkEETK84kQgEeFwDC+62k= +github.com/containerd/stargz-snapshotter/estargz v0.14.3/go.mod h1:KY//uOCIkSuNAHhJogcZtrNHdKrA99/FCCRjE3HD36o= +github.com/coreos/go-oidc/v3 v3.11.0 h1:Ia3MxdwpSw702YW0xgfmP1GVCMA9aEFWu12XUZ3/OtI= +github.com/coreos/go-oidc/v3 v3.11.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0= 
+github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/creack/pty v1.1.19 h1:tUN6H7LWqNx4hQVxomd0CVsDwaDr9gaRQaI4GpSmrsA= +github.com/creack/pty v1.1.19/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= +github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 h1:2Dx4IHfC1yHWI12AxQDJM1QbRCDfk6M+blLzlZCXdrc= +github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw= +github.com/danieljoos/wincred v1.2.0 h1:ozqKHaLK0W/ii4KVbbvluM91W2H3Sh0BncbUNPS7jLE= +github.com/danieljoos/wincred v1.2.0/go.mod h1:FzQLLMKBFdvu+osBrnFODiv32YGwCfx0SkRa/eYHgec= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= 
@@ -229,26 +240,22 @@ github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 h1:lxmTCgmHE1G github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7/go.mod h1:GvWntX9qiTlOud0WkQ6ewFm0LPy5JUR1Xo0Ngbd1w6Y= github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi/U= github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE= -github.com/docker/cli v25.0.1+incompatible h1:mFpqnrS6Hsm3v1k7Wa/BO23oz0k121MTbTO1lpcGSkU= -github.com/docker/cli v25.0.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v27.1.1+incompatible h1:goaZxOqs4QKxznZjjBWKONQci/MywhtRv2oNn0GkeZE= +github.com/docker/cli v27.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v26.1.5+incompatible h1:NEAxTwEjxV6VbBMBoGG3zPqbiJosIApZjxlbrG9q3/g= -github.com/docker/docker v26.1.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker-credential-helpers v0.8.1 h1:j/eKUktUltBtMzKqmfLB0PAgqYyMHOp5vfsD1807oKo= -github.com/docker/docker-credential-helpers v0.8.1/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= +github.com/docker/docker-credential-helpers v0.8.0 h1:YQFtbBQb4VrpoPxhFuzEBPQ9E16qz5SpHLS+uswaCp8= +github.com/docker/docker-credential-helpers v0.8.0/go.mod h1:UGFXcuoQ5TxPiB54nHOZ32AWRqQdECoh/Mg0AlEYb40= github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= -github.com/emicklei/go-restful/v3 v3.11.2 h1:1onLa9DcsMYO9P+CXaL0dStDqQ2EHHXLiz+BtnqkLAU= -github.com/emicklei/go-restful/v3 v3.11.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= -github.com/emicklei/proto v1.13.2 
h1:z/etSFO3uyXeuEsVPzfl56WNgzcvIr42aQazXaQmFZY= -github.com/emicklei/proto v1.13.2/go.mod h1:rn1FgRS/FANiZdD2djyH7TMA9jdRDcYQ9IEN9yvjX0A= +github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= +github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/proto v1.12.1 h1:6n/Z2pZAnBwuhU66Gs8160B8rrrYKo7h2F2sCOnNceE= +github.com/emicklei/proto v1.12.1/go.mod h1:rn1FgRS/FANiZdD2djyH7TMA9jdRDcYQ9IEN9yvjX0A= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= -github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U= -github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM= github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE= github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= 
@@ -264,17 +271,19 @@ github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4 github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU= github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= +github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= +github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/go-chi/chi v4.1.2+incompatible h1:fGFk2Gmi/YKXk0OmGfBh0WgmN3XB8lVnEyNz34tQRec= github.com/go-chi/chi v4.1.2+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ= github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A= github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8= github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7G7k= github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ= -github.com/go-jose/go-jose/v4 v4.0.1 h1:QVEPDE3OluqXBQZDcnNvQrInro2h0e4eqNbnZSWqS6U= -github.com/go-jose/go-jose/v4 v4.0.1/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY= +github.com/go-jose/go-jose/v4 v4.0.2 h1:R3l3kkBds16bO7ZFAEEcofK0MkrAJt3jlJznWZG0nvk= +github.com/go-jose/go-jose/v4 v4.0.2/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= -github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= +github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod 
h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-openapi/analysis v0.23.0 h1:aGday7OWupfMs+LbmLZG4k0MYXIANxcuBTYUC03zFCU= 
@@ -301,13 +310,16 @@ github.com/go-piv/piv-go v1.11.0 h1:5vAaCdRTFSIW4PeqMbnsDlUZ7odMYWnHBDGdmtU/Zhg= github.com/go-piv/piv-go v1.11.0/go.mod h1:NZ2zmjVkfFaL/CF8cVQ/pXdXtuj110zEKGdJM6fJZZM= github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI= github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow= -github.com/go-rod/rod v0.114.7 h1:h4pimzSOUnw7Eo41zdJA788XsawzHjJMyzCE3BrBww0= -github.com/go-rod/rod v0.114.7/go.mod h1:aiedSEFg5DwG/fnNbUOTPMTTWX3MRj6vIs/a684Mthw= +github.com/go-rod/rod v0.116.2 h1:A5t2Ky2A+5eD/ZJQr1EfsQSe5rms5Xof/qj296e+ZqA= +github.com/go-rod/rod v0.116.2/go.mod h1:H+CMO9SCNc2TJ2WfrG+pKhITz57uGNYU43qYHh438Mg= +github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y= +github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg= +github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= -github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= -github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= -github.com/go-test/deep v1.1.0 h1:WOcxcdHcvdgThNXjw0t76K42FXTU7HpNQWHpA2HHNlg= -github.com/go-test/deep v1.1.0/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE= +github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= +github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= +github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U= +github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod 
h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk= @@ -321,8 +333,8 @@ github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk= github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= -github.com/golang/glog v1.2.0 h1:uCdmnmatrKCgMBlM4rMuJZWOkPDqdbZPnrMXDY4gI68= -github.com/golang/glog v1.2.0/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w= +github.com/golang/glog v1.2.1 h1:OptwRhECazUx5ix5TTWC3EZhsZEHWcYWY4FQHTIubm4= +github.com/golang/glog v1.2.1/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w= github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 
@@ -344,8 +356,8 @@ github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= -github.com/google/certificate-transparency-go v1.1.8 h1:LGYKkgZF7satzgTak9R4yzfJXEeYVAjV6/EAEJOf1to= -github.com/google/certificate-transparency-go v1.1.8/go.mod h1:bV/o8r0TBKRf1X//iiiSgWrvII4d7/8OiA+3vG26gI8= +github.com/google/certificate-transparency-go v1.2.1 h1:4iW/NwzqOqYEEoCBEFP+jPbBXbLqMpq3CifMyOnDUME= +github.com/google/certificate-transparency-go v1.2.1/go.mod h1:bvn/ytAccv+I6+DGkqpvSsEdiVGramgaSC6RD3tEmeE= github.com/google/flatbuffers v2.0.8+incompatible h1:ivUb1cGomAB101ZM1T0nOiWz9pSrTMoa9+EiY7igmkM= github.com/google/flatbuffers v2.0.8+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 h1:0VpGH+cDhbDtdcweoyCVsF3fhN8kejK6rFe/2FFX2nU= 
@@ -358,15 +370,16 @@ github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-containerregistry v0.19.1 h1:yMQ62Al6/V0Z7CqIrrS1iYoA5/oQCm88DeNujc7C1KY= -github.com/google/go-containerregistry v0.19.1/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI= -github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20240129192428-8dadbe76ff8c h1:TC9wSvps7asCE7GefVZfdbDoJv6cZ+wAEEJ81k4XRjQ= -github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20240129192428-8dadbe76ff8c/go.mod h1:Ek+8PQrShkA7aHEj3/zSW33wU0V/Bx3zW/gFh7l21xY= -github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20240129192428-8dadbe76ff8c h1:kTvQam8K98GB13IABdbPUt9QCUq55OPlpmyPeKUi2/g= -github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20240129192428-8dadbe76ff8c/go.mod h1:5sSbf/SbGGvjWIlMlt2bkEqOq+ufOIBYrBevLuxbfSs= +github.com/google/go-containerregistry v0.20.2 h1:B1wPJ1SN/S7pB+ZAimcciVD+r+yV/l/DSArMxlbwseo= +github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8= +github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20240826191751-a07d1cab8700 h1:5Fj+qP/sqw8OLuSy7qkyrYqhFtqv1Iodx8o8ddrXbuI= +github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20240826191751-a07d1cab8700/go.mod h1:RB6ySfigDZP2t4gpmGD16CCTRxZRnB3MzoVQC1NxG18= 
+github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20230516205744-dbecb1de8cfa h1:+MG+Q2Q7mtW6kCIbUPZ9ZMrj7xOWDKI1hhy1qp0ygI0= +github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20230516205744-dbecb1de8cfa/go.mod h1:KdL98/Va8Dy1irB6lTxIRIQ7bQj4lbrlvqUzKEQ+ZBU= github.com/google/go-github/v55 v55.0.0 h1:4pp/1tNMB9X/LuAhs5i0KQAE40NmiR/y6prLNb9x9cg= github.com/google/go-github/v55 v55.0.0/go.mod h1:JLahOTA1DnXzhxEymmFF5PP2tSS9JVNj68mSZNDwskA= github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8= @@ -375,10 +388,10 @@ github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/ github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20231023181126-ff6d637d2a7b h1:RMpPgZTSApbPf7xaVel+QkoGPRLFLrwFO89uDUHEGf0= -github.com/google/pprof v0.0.0-20231023181126-ff6d637d2a7b/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik= -github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o= -github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw= +github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af h1:kmjWCqn2qkEml422C2Rrd27c3VGxi6a/6HNq8QmHRKM= +github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo= +github.com/google/s2a-go v0.1.8 h1:zZDs9gcbt9ZPLV0ndSyQk6Kacx2g/X+SKYovpnz3SMM= +github.com/google/s2a-go v0.1.8/go.mod h1:6iNWHTpQ+nfNRN5E00MSdfDwVesa8hhS32PhPO8deJA= github.com/google/tink/go v1.7.0 h1:6Eox8zONGebBFcCBqkVmt60LaWZa6xg1cl/DwAh/J1w= github.com/google/tink/go v1.7.0/go.mod h1:GAUOd+QE3pgj9q8VKIGTCP33c/B7eb4NhxLcgTJZStM= github.com/google/trillian v1.6.0 h1:jMBeDBIkINFvS2n6oV5maDqfRlxREAc6CW9QYWQ0qT4= 
@@ -389,23 +402,23 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfFxPRy3Bf7vr3h0cechB90XaQs= github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0= -github.com/googleapis/gax-go/v2 v2.12.3 h1:5/zPPDvw8Q1SuXjrqrZslrqT7dL/uJT2CQii/cLCKqA= -github.com/googleapis/gax-go/v2 v2.12.3/go.mod h1:AKloxT6GtNbaLm8QTNSidHUVsHYcBHwWRvkNFJUQcS4= +github.com/googleapis/gax-go/v2 v2.13.0 h1:yitjD5f7jQHhyDsnhKEBU52NdvvdSeGzlAnDPT0hH1s= +github.com/googleapis/gax-go/v2 v2.13.0/go.mod h1:Z/fvTZXF8/uw7Xu5GuslPw+bplx6SS338j1Is2S+B7A= github.com/gookit/color v1.5.4 h1:FZmqs7XOyGgCAxmWyPslpiok1k05wmY3SJTytgvYFs0= github.com/gookit/color v1.5.4/go.mod h1:pZJOeOS8DM43rXbp4AZo1n9zCU2qjpcRko0b6/QJi9w= github.com/gookit/goutil v0.6.15 h1:mMQ0ElojNZoyPD0eVROk5QXJPh2uKR4g06slgPDF5Jo= github.com/gookit/goutil v0.6.15/go.mod h1:qdKdYEHQdEtyH+4fNdQNZfJHhI0jUZzHxQVAV3DaMDY= github.com/gookit/gsr v0.1.0 h1:0gadWaYGU4phMs0bma38t+Do5OZowRMEVlHv31p0Zig= github.com/gookit/gsr v0.1.0/go.mod h1:7wv4Y4WCnil8+DlDYHBjidzrEzfHhXEoFjEA0pPPWpI= -github.com/gookit/slog v0.5.4 h1:EMctf/kap/SR8cnhkUucL0D3YZwUAJJ+WKQ/DN6kS5s= -github.com/gookit/slog v0.5.4/go.mod h1:awroa12zroMvjFpS7tdpTX12AqIzVewUlC10tsj4TYY= +github.com/gookit/slog v0.5.6 h1:fmh+7bfOK8CjidMCwE+M3S8G766oHJpT/1qdmXGALCI= +github.com/gookit/slog v0.5.6/go.mod h1:RfIwzoaQ8wZbKdcqG7+3EzbkMqcp2TUn3mcaSZAw2EQ= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= 
github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 h1:/c3QmbOGMGTOumP2iT/rCwB7b0QDGLKzqOmktBjT+Is= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1/go.mod h1:5SN9VR2LTsRFsrEC6FHgRbTWrTHu6tqPeKxEQv15giM= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= 
@@ -424,10 +437,13 @@ github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9 github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4= github.com/hashicorp/go-sockaddr v1.0.5 h1:dvk7TIXCZpmfOlM+9mlcrWmWjw/wlKT+VDq2wMvfPJU= github.com/hashicorp/go-sockaddr v1.0.5/go.mod h1:uoUUmtwU7n9Dv3O4SNLeFvg0SxQ3lyjsj6+CCykpaxI= +github.com/hashicorp/golang-lru v1.0.2 h1:dV3g9Z/unq5DpblPpw+Oqcv4dU/1omnb4Ok8iPY6p1c= +github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k= +github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM= github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM= github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM= -github.com/hashicorp/vault/api v1.12.2 h1:7YkCTE5Ni90TcmYHDBExdt4WGJxhpzaHqR6uGbQb/rE= -github.com/hashicorp/vault/api v1.12.2/go.mod h1:LSGf1NGT1BnvFFnKVtnvcaLBM2Lz+gJdpL6HUYed8KE= +github.com/hashicorp/vault/api v1.14.0 h1:Ah3CFLixD5jmjusOgm8grfN9M0d+Y8fVR2SW0K6pJLU= +github.com/hashicorp/vault/api v1.14.0/go.mod h1:pV9YLxBGSz+cItFDd8Ii4G17waWOQ32zVjMWHe/cOqk= github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef h1:A9HsByNhogrvm9cWb28sjiS3i7tcKCkflWFEkHfuAgM= github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef/go.mod h1:lADxMC39cJJqL93Duh1xhAs4I2Zs8mKS89XWXFGp9cs= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= 
@@ -456,8 +472,8 @@ github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHm github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.17.5 h1:d4vBd+7CHydUqpFBgUEKkSdtSugf9YFmSkvUYPquI5E= -github.com/klauspost/compress v1.17.5/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM= +github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA= +github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= 
@@ -466,8 +482,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= -github.com/letsencrypt/boulder v0.0.0-20240130193413-14a8378dd0dc h1:vKsREdHBrP6a3apVkacBYK97DmLyGLnEz9zC8OYBHpM= -github.com/letsencrypt/boulder v0.0.0-20240130193413-14a8378dd0dc/go.mod h1:9SC12sRytSBV00C26tvlj7GY131IVUQI0qo4v3U/3Mo= +github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec h1:2tTW6cDth2TSgRbAhD7yjZzTQmcN25sDRPEeinR51yQ= +github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec/go.mod h1:TmwEoGCwIti7BCeJ9hescZgRtatxRE+A72pCoPfmcfk= github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw= github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY= 
@@ -480,8 +496,8 @@ github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxec github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= -github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM= -github.com/miekg/dns v1.1.57/go.mod h1:uqRjCRUuEAA6qsOiJvDd+CFo/vW+y5WR6SNmHE55hZk= +github.com/miekg/dns v1.1.58 h1:ca2Hdkz+cDg/7eNF6V56jjzuZ4aCAE+DbVkILdQWG/4= +github.com/miekg/dns v1.1.58/go.mod h1:Ypv+3b/KadlvW9vJfXOTf300O4UqaHFzFCuHz+rPkBY= github.com/miekg/pkcs11 v1.0.3-0.20190429190417-a667d056470f/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= github.com/miekg/pkcs11 v1.1.1 h1:Ugu9pdy6vAYku5DEpVWVFPYnzV+bxB+iRdbuFSu7TvU= github.com/miekg/pkcs11 v1.1.1/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= 
@@ -521,16 +537,15 @@ github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vv github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= github.com/onsi/ginkgo/v2 v2.1.3/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c= -github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4= -github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o= +github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA= +github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= +github.com/onsi/gomega v1.19.0 h1:4ieX6qQjPP/BfC3mpsAtIGGlxTWPeA3Inl/7DtXw1tw= github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro= -github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg= -github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= -github.com/open-policy-agent/opa v0.63.0 h1:ztNNste1v8kH0/vJMJNquE45lRvqwrM5mY9Ctr9xIXw= -github.com/open-policy-agent/opa v0.63.0/go.mod h1:9VQPqEfoB2N//AToTxzZ1pVTVPUoF2Mhd64szzjWPpU= +github.com/open-policy-agent/opa v0.67.0 h1:FOdsO9yNhfmrh+72oVK7ImWmzruG+VSpfbr5IBqEWVs= +github.com/open-policy-agent/opa v0.67.0/go.mod h1:aqKlHc8E2VAAylYE9x09zJYr/fYzGX+JKne89UGqFzk= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= 
@@ -539,8 +554,8 @@ github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+ github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc= github.com/pborman/uuid v1.2.1 h1:+ZZIw58t/ozdjRaXh/3awHfmWRbzYxJoAdNJxe/3pvw= github.com/pborman/uuid v1.2.1/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= -github.com/pelletier/go-toml/v2 v2.1.1 h1:LWAJwfNvjQZCFIDKWYQaM62NcYeYViCmWIwmOStowAI= -github.com/pelletier/go-toml/v2 v2.1.1/go.mod h1:tJU2Z3ZkXwnxa4DPO899bsyIoywizdUvyaeZurnPPDc= +github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM= +github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 
@@ -549,17 +564,17 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prometheus/client_golang v1.19.0 h1:ygXvpU1AoN1MhdzckN+PyD9QJOSD4x7kmXYlnfbA6JU= -github.com/prometheus/client_golang v1.19.0/go.mod h1:ZRM9uEAypZakd+q/x7+gmsvXdURP+DABIEIjnmDdp+k= +github.com/prometheus/client_golang v1.20.3 h1:oPksm4K8B+Vt35tUhw6GbSNSgVlVSBH0qELP/7u83l4= +github.com/prometheus/client_golang v1.20.3/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.6.0 h1:k1v3CzpSRUTrKMppY35TLwPvxHqBu0bYgxZzqGIgaos= -github.com/prometheus/client_model v0.6.0/go.mod h1:NTQHnmxFpouOD0DpvP4XujX3CdOAGQPoaGhyTchlyt8= -github.com/prometheus/common v0.51.1 h1:eIjN50Bwglz6a/c3hAgSMcofL3nD+nFQkV6Dd4DsQCw= -github.com/prometheus/common v0.51.1/go.mod h1:lrWtQx+iDfn2mbH5GUzlH9TSHyfZpHkSiG1W7y3sF2Q= -github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= -github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= -github.com/protocolbuffers/txtpbfmt v0.0.0-20240116145035-ef3ab179eed6 h1:MAzmm+JtFxQwTPb1cVMLkemw2OxLy5AB/d/rxtAwGQQ= -github.com/protocolbuffers/txtpbfmt v0.0.0-20240116145035-ef3ab179eed6/go.mod h1:jgxiZysxFPM+iWKwQwPR+y+Jvo54ARd4EisXxKYpB5c= +github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= +github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= +github.com/prometheus/common v0.55.0 
h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc= +github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8= +github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= +github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= +github.com/protocolbuffers/txtpbfmt v0.0.0-20231025115547-084445ff1adf h1:014O62zIzQwvoD7Ekj3ePDF5bv9Xxy0w6AZk0qYbjUk= +github.com/protocolbuffers/txtpbfmt v0.0.0-20231025115547-084445ff1adf/go.mod h1:jgxiZysxFPM+iWKwQwPR+y+Jvo54ARd4EisXxKYpB5c= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= 
@@ -579,24 +594,30 @@ github.com/secure-systems-lab/go-securesystemslib v0.8.0 h1:mr5An6X45Kb2nddcFlbm github.com/secure-systems-lab/go-securesystemslib v0.8.0/go.mod h1:UH2VZVuJfCYR8WgMlCU1uFsOUU+KeyrTWcSS73NBOzU= github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c= github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE= +github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8= +github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I= github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh5dkI= github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE= -github.com/sigstore/cosign/v2 v2.2.4 h1:iY4vtEacmu2hkNj1Fh+8EBqBwKs2DHM27/lbNWDFJro= -github.com/sigstore/cosign/v2 v2.2.4/go.mod h1:JZlRD2uaEjVAvZ1XJ3QkkZJhTqSDVtLaet+C/TMR81Y= -github.com/sigstore/fulcio v1.4.5 h1:WWNnrOknD0DbruuZWCbN+86WRROpEl3Xts+WT2Ek1yc= -github.com/sigstore/fulcio v1.4.5/go.mod h1:oz3Qwlma8dWcSS/IENR/6SjbW4ipN0cxpRVfgdsjMU8= +github.com/sigstore/cosign/v2 v2.4.0 h1:2NdidNgClg+oXr/fDIr37E/BE6j00gqgUhSiBK2kjSQ= +github.com/sigstore/cosign/v2 v2.4.0/go.mod h1:j+fH1DCUkcn92qp6ezDj4JbGMri6eG1nLJC+hs64rvc= +github.com/sigstore/fulcio v1.5.1 h1:Iasy1zfNjaq8BV4S8o6pXspLDU28PQC2z07GmOu9zpM= +github.com/sigstore/fulcio v1.5.1/go.mod h1:W1A/UHrTopy1IBZPMtHmxg7GPYAu+vt5dRXM3W6yjPo= +github.com/sigstore/protobuf-specs v0.3.2 h1:nCVARCN+fHjlNCk3ThNXwrZRqIommIeNKWwQvORuRQo= +github.com/sigstore/protobuf-specs v0.3.2/go.mod h1:RZ0uOdJR4OB3tLQeAyWoJFbNCBFrPQdcokntde4zRBA= github.com/sigstore/rekor v1.3.6 h1:QvpMMJVWAp69a3CHzdrLelqEqpTM3ByQRt5B5Kspbi8= github.com/sigstore/rekor v1.3.6/go.mod h1:JDTSNNMdQ/PxdsS49DJkJ+pRJCO/83nbR5p3aZQteXc= -github.com/sigstore/sigstore v1.8.3 h1:G7LVXqL+ekgYtYdksBks9B38dPoIsbscjQJX/MGWkA4= -github.com/sigstore/sigstore v1.8.3/go.mod h1:mqbTEariiGA94cn6G3xnDiV6BD8eSLdL/eA7bvJ0fVs= 
-github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3 h1:LTfPadUAo+PDRUbbdqbeSl2OuoFQwUFTnJ4stu+nwWw= -github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3/go.mod h1:QV/Lxlxm0POyhfyBtIbTWxNeF18clMlkkyL9mu45y18= -github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.3 h1:xgbPRCr2npmmsuVVteJqi/ERw9+I13Wou7kq0Yk4D8g= -github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.3/go.mod h1:G4+I83FILPX6MtnoaUdmv/bRGEVtR3JdLeJa/kXdk/0= -github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.3 h1:vDl2fqPT0h3D/k6NZPlqnKFd1tz3335wm39qjvpZNJc= -github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.3/go.mod h1:9uOJXbXEXj+M6QjMKH5PaL5WDMu43rHfbIMgXzA8eKI= -github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.3 h1:h9G8j+Ds21zqqulDbA/R/ft64oQQIyp8S7wJYABYSlg= -github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.3/go.mod h1:zgCeHOuqF6k7A7TTEvftcA9V3FRzB7mrPtHOhXAQBnc= +github.com/sigstore/sigstore v1.8.9 h1:NiUZIVWywgYuVTxXmRoTT4O4QAGiTEKup4N1wdxFadk= +github.com/sigstore/sigstore v1.8.9/go.mod h1:d9ZAbNDs8JJfxJrYmulaTazU3Pwr8uLL9+mii4BNR3w= +github.com/sigstore/sigstore-go v0.5.1 h1:5IhKvtjlQBeLnjKkzMELNG4tIBf+xXQkDzhLV77+/8Y= +github.com/sigstore/sigstore-go v0.5.1/go.mod h1:TuOfV7THHqiDaUHuJ5+QN23RP/YoKmsbwJpY+aaYPN0= +github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.8 h1:2zHmUvaYCwV6LVeTo+OAkTm8ykOGzA9uFlAjwDPAUWM= +github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.8/go.mod h1:OEhheBplZinUsm7W9BupafztVZV3ldkAxEHbpAeC0Pk= +github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.8 h1:RKk4Z+qMaLORUdT7zntwMqKiYAej1VQlCswg0S7xNSY= +github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.8/go.mod h1:dMJdlBWKHMu2xf0wIKpbo7+QfG+RzVkBB3nHP8EMM5o= +github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.8 h1:89Xtxj8oqZt3UlSpCP4wApFvnQ2Z/dgowW5QOVhQigI= +github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.8/go.mod h1:Wa4xn/H3pU/yW/6tHiMXTpObBtBSGC5q29KYFEPKN6o= +github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.8 
h1:Zte3Oogkd8m+nu2oK3yHtGmN++TZWh2Lm6q2iSprT1M= +github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.8/go.mod h1:j00crVw6ki4/WViXflw0zWgNALrAzZT+GbIK8v7Xlz4= github.com/sigstore/timestamp-authority v1.2.2 h1:X4qyutnCQqJ0apMewFyx+3t7Tws00JQ/JonBiu3QvLE= github.com/sigstore/timestamp-authority v1.2.2/go.mod h1:nEah4Eq4wpliDjlY342rXclGSO7Kb9hoRrl9tqLW13A= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= 
@@ -614,18 +635,19 @@ github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8= github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY= github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0= github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= -github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0= -github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho= +github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= +github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/spf13/viper v1.18.2 h1:LUXCnvUvSM6FXAsj6nnfc8Q2tp1dIgUfY9Kc8GsSOiQ= -github.com/spf13/viper v1.18.2/go.mod h1:EKmWIqdnk5lOcmR72yw6hS+8OPYcwD0jteitLMVB+yk= -github.com/spiffe/go-spiffe/v2 v2.2.0 h1:9Vf06UsvsDbLYK/zJ4sYsIsHmMFknUD+feA7IYoWMQY= -github.com/spiffe/go-spiffe/v2 v2.2.0/go.mod h1:Urzb779b3+IwDJD2ZbN8fVl3Aa8G4N/PiUe6iXC0XxU= +github.com/spf13/viper v1.19.0 h1:RWq5SEjt8o25SROyN3z2OrDB9l7RPd3lwTWU8EcEdcI= +github.com/spf13/viper v1.19.0/go.mod h1:GQUN9bilAbhU/jgc1bKs99f/suXKeUMct8Adx5+Ntkg= +github.com/spiffe/go-spiffe/v2 v2.3.0 h1:g2jYNb/PDMB8I7mBGL2Zuq/Ur6hUhoroxGQFyD6tTj8= +github.com/spiffe/go-spiffe/v2 v2.3.0/go.mod h1:Oxsaio7DBgSNqhAO9i/9tLClaVlfRok7zvJnTV8ZyIY= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= 
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= @@ -648,6 +670,8 @@ github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gt github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU= github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI= github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug= +github.com/theupdateframework/go-tuf/v2 v2.0.0 h1:rD8d9RotYBprZVgC+9oyTZ5MmawepnTSTqoDuxjWgbs= +github.com/theupdateframework/go-tuf/v2 v2.0.0/go.mod h1:baB22nBHeHBCeuGZcIlctNq4P61PcOdyARlplg5xmLA= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs= github.com/tjfoc/gmsm v1.3.2/go.mod h1:HaUcFuY0auTiaHB9MHFGCPx5IaLhTUd2atbCFBQXn9w= 
@@ -661,8 +685,10 @@ github.com/vbatts/tar-split v0.11.5 h1:3bHCTIheBm1qFTcgh9oPu+nNBtX+XJIupG/vacinC github.com/vbatts/tar-split v0.11.5/go.mod h1:yZbwRsSeGjusneWgA781EKej9HF8vme8okylkAeNKLk= github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1 h1:+dBg5k7nuTE38VVdoroRsT0Z88fmvdYrI2EjzJst35I= github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1/go.mod h1:nmuySobZb4kFgFy6BptpXp/BBw+xFSyvVPP6auoJB4k= -github.com/xanzy/go-gitlab v0.102.0 h1:ExHuJ1OTQ2yt25zBMMj0G96ChBirGYv8U7HyUiYkZ+4= -github.com/xanzy/go-gitlab v0.102.0/go.mod h1:ETg8tcj4OhrB84UEgeE8dSuV/0h4BBL1uOV/qK0vlyI= +github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= +github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= +github.com/xanzy/go-gitlab v0.107.0 h1:P2CT9Uy9yN9lJo3FLxpMZ4xj6uWcpnigXsjvqJ6nd2Y= +github.com/xanzy/go-gitlab v0.107.0/go.mod h1:wKNKh3GkYDMOsGmnfuX+ITCmDuSDWFO0G+C4AygL9RY= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0= 
@@ -675,12 +701,12 @@ github.com/ysmood/fetchup v0.2.3 h1:ulX+SonA0Vma5zUFXtv52Kzip/xe7aj4vqT5AJwQ+ZQ= github.com/ysmood/fetchup v0.2.3/go.mod h1:xhibcRKziSvol0H1/pj33dnKrYyI2ebIvz5cOOkYGns= github.com/ysmood/goob v0.4.0 h1:HsxXhyLBeGzWXnqVKtmT9qM7EuVs/XOgkX7T6r1o1AQ= github.com/ysmood/goob v0.4.0/go.mod h1:u6yx7ZhS4Exf2MwciFr6nIM8knHQIE22lFpWHnfql18= -github.com/ysmood/got v0.34.1 h1:IrV2uWLs45VXNvZqhJ6g2nIhY+pgIG1CUoOcqfXFl1s= -github.com/ysmood/got v0.34.1/go.mod h1:yddyjq/PmAf08RMLSwDjPyCvHvYed+WjHnQxpH851LM= +github.com/ysmood/got v0.40.0 h1:ZQk1B55zIvS7zflRrkGfPDrPG3d7+JOza1ZkNxcc74Q= +github.com/ysmood/got v0.40.0/go.mod h1:W7DdpuX6skL3NszLmAsC5hT7JAhuLZhByVzHTq874Qg= github.com/ysmood/gson v0.7.3 h1:QFkWbTH8MxyUTKPkVWAENJhxqdBa4lYTQWqZCiLG6kE= github.com/ysmood/gson v0.7.3/go.mod h1:3Kzs5zDl21g5F/BlLTNcuAGAYLKt2lV5G8D1zF3RNmg= -github.com/ysmood/leakless v0.8.0 h1:BzLrVoiwxikpgEQR0Lk8NyBN5Cit2b1z+u0mgL4ZJak= -github.com/ysmood/leakless v0.8.0/go.mod h1:R8iAXPRaG97QJwqxs74RdwzcRHT1SWCGTNqY8q0JvMQ= +github.com/ysmood/leakless v0.9.0 h1:qxCG5VirSBvmi3uynXFkcnLMzkphdh3xx5FtrORwDCU= +github.com/ysmood/leakless v0.9.0/go.mod h1:R8iAXPRaG97QJwqxs74RdwzcRHT1SWCGTNqY8q0JvMQ= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.30/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 
@@ -693,26 +719,26 @@ go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 h1:4Pp6oUg3+e/6M4C0A/3kJ2VYa++dsWVTtGgLVj5xtHg= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0/go.mod h1:Mjt1i1INqiaoZOMGR1RIUJN+i3ChKoFRqzrRQhlkbs0= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 h1:jq9TW8u3so/bN+JPT166wjOI6/vQPF6Xe7nMNIltagk= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0/go.mod h1:p8pYQP+m5XfbZm9fxtSKAbM6oIllS7s2AfxrChvc7iw= -go.opentelemetry.io/otel v1.24.0 h1:0LAOdjNmQeSTzGBzduGe/rU4tZhMwL5rWgtp9Ku5Jfo= -go.opentelemetry.io/otel v1.24.0/go.mod h1:W7b9Ozg4nkF5tWI5zsXkaKKDjdVjpD4oAt9Qi/MArHo= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0 h1:9M3+rhx7kZCIQQhQRYaZCdNu1V73tm4TvXs2ntl98C4= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0/go.mod h1:noq80iT8rrHP1SfybmPiRGc9dc5M8RPmGvtwo7Oo7tc= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.22.0 h1:H2JFgRcGiyHg7H7bwcwaQJYrNFqCqrbTQ8K4p1OvDu8= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.22.0/go.mod h1:WfCWp1bGoYK8MeULtI15MmQVczfR+bFkk0DF3h06QmQ= -go.opentelemetry.io/otel/metric v1.24.0 h1:6EhoGWWK28x1fbpA4tYTOWBkPefTDQnb8WSGXlc88kI= -go.opentelemetry.io/otel/metric v1.24.0/go.mod h1:VYhLe1rFfxuTXLgj4CBiyz+9WYBA8pNGJgDcSFRKBco= -go.opentelemetry.io/otel/sdk v1.24.0 h1:YMPPDNymmQN3ZgczicBY3B6sf9n62Dlj9pWD3ucgoDw= -go.opentelemetry.io/otel/sdk v1.24.0/go.mod h1:KVrIYw6tEubO9E96HQpcmpTKDVn9gdv35HoYiQWGDFg= -go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y1YELI= -go.opentelemetry.io/otel/trace 
v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU= -go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I= -go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM= -go.step.sm/crypto v0.44.2 h1:t3p3uQ7raP2jp2ha9P6xkQF85TJZh+87xmjSLaib+jk= -go.step.sm/crypto v0.44.2/go.mod h1:x1439EnFhadzhkuaGX7sz03LEMQ+jV4gRamf5LCZJQQ= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.52.0 h1:vS1Ao/R55RNV4O7TA2Qopok8yN+X0LIP6RVWLFkprck= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.52.0/go.mod h1:BMsdeOxN04K0L5FNUBfjFdvwWGNe/rkmSwH4Aelu/X0= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg= +go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo= +go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0 h1:R3X6ZXmNPRR8ul6i3WgFURCHzaXjHdm0karRG/+dj3s= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0/go.mod h1:QWFXnDavXWwMx2EEcZsf3yxgEKAqsxQ+Syjp+seyInw= +go.opentelemetry.io/otel/metric v1.28.0 h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q= +go.opentelemetry.io/otel/metric v1.28.0/go.mod h1:Fb1eVBFZmLVTMb6PPohq3TO9IIhUisDsbJoL/+uQW4s= +go.opentelemetry.io/otel/sdk v1.28.0 h1:b9d7hIry8yZsgtbmM0DKyPWMMUMlK9NEKuIG4aBqWyE= +go.opentelemetry.io/otel/sdk v1.28.0/go.mod h1:oYj7ClPUA7Iw3m+r7GeEjz0qckQRJK2B8zjcZEfu7Pg= +go.opentelemetry.io/otel/trace v1.28.0 
h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g= +go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI= +go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0= +go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8= +go.step.sm/crypto v0.51.1 h1:ktUg/2hetEMiBAqgz502ktZDGoDoGrcHFg3XpkmkvvA= +go.step.sm/crypto v0.51.1/go.mod h1:PdrhttNU/tG9/YsVd4fdlysBN+UV503p0o2irFZQlAw= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= 
@@ -731,14 +757,13 @@ golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0 golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= -golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= -golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= +golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I= golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= -golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30= -golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M= +golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30= +golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20240119083558-1b970713d09a h1:Q8/wZp0KX97QFTc2ywcOE0YRjZPVIx+MXInMzdvQqcA= -golang.org/x/exp v0.0.0-20240119083558-1b970713d09a/go.mod h1:idGWGoKP1toJGkd5/ig9ZLuPcZBC3ewk7SzmH0uou08= +golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 h1:hNQpMuAJe5CtcUqCXaWga3FHu+kQvCqcsoVaQgSV60o= +golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3/go.mod h1:idGWGoKP1toJGkd5/ig9ZLuPcZBC3ewk7SzmH0uou08= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= 
@@ -746,8 +771,8 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.16.0 h1:QX4fJ0Rr5cPQCF7O9lh9Se4pmwfwskqZfq5moyldzic= -golang.org/x/mod v0.16.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8= +golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -769,15 +794,15 @@ golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= -golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= -golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= -golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= -golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= +golang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ= +golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys= +golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= -golang.org/x/oauth2 v0.19.0 h1:9+E/EZBCbTLNrbN35fHv/a/d/mOBatymz1zbtQrXpIg= -golang.org/x/oauth2 v0.19.0/go.mod h1:vYi7skDa1x015PmRRYZ7+s1cWyPgrPiSYRe4rnsexc8= +golang.org/x/oauth2 v0.22.0 h1:BzDx2FehcG7jJwgWLELCdmLuxk2i+x9UDpSiss2u0ZA= +golang.org/x/oauth2 v0.22.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -786,8 +811,8 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= -golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= +golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -816,22 +841,20 @@ golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y= -golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI= +golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= -golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= -golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= +golang.org/x/term v0.9.0/go.mod h1:M6DEAAIenWoTxdKrOltXcmDY3rSplQUkrvaDU5FcQyo= golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= -golang.org/x/term v0.19.0 h1:+ThwsDv+tYfnJFhF4L8jITxu1tdTWRTZpdsWgEgjL6Q= -golang.org/x/term v0.19.0/go.mod h1:2CuTdWZ7KHSQwUzKva0cbMg6q2DMI3Mmxp+gKJbskEk= 
+golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk= +golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= @@ -841,9 +864,10 @@ golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= -golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= -golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= +golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -859,34 +883,34 @@ golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4f golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.19.0 h1:tfGCXNR1OsFG+sVdLAitlpjAvD/I6dHDKnYrpEZUHkw= -golang.org/x/tools v0.19.0/go.mod h1:qoJWxmGSIBmAeriMx19ogtrEPrGtDbPK634QFIcLAhc= +golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg= +golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= -google.golang.org/api v0.172.0 h1:/1OcMZGPmW1rX2LCu2CmGUD1KXK1+pfzxotxyRUCCdk= -google.golang.org/api v0.172.0/go.mod h1:+fJZq6QXWfa9pXhnIzsjx4yI22d4aI9ZpLb58gvXjis= +google.golang.org/api v0.190.0 h1:ASM+IhLY1zljNdLu19W1jTmU6A+gMk6M46Wlur61s+Q= +google.golang.org/api v0.190.0/go.mod h1:QIr6I9iedBLnfqoD6L6Vze1UvS5Hzj5r2aUBOaZnLHo= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= 
google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto v0.0.0-20240311173647-c811ad7063a7 h1:ImUcDPHjTrAqNhlOkSocDLfG9rrNHH7w7uoKWPaWZ8s= -google.golang.org/genproto v0.0.0-20240311173647-c811ad7063a7/go.mod h1:/3XmxOjePkvmKrHuBy4zNFw7IzxJXtAgdpXi8Ll990U= -google.golang.org/genproto/googleapis/api v0.0.0-20240311173647-c811ad7063a7 h1:oqta3O3AnlWbmIE3bFnWbu4bRxZjfbWCp0cKSuZh01E= -google.golang.org/genproto/googleapis/api v0.0.0-20240311173647-c811ad7063a7/go.mod h1:VQW3tUculP/D4B+xVCo+VgSq8As6wA9ZjHl//pmk+6s= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 h1:NnYq6UN9ReLM9/Y01KWNOWyI5xQ9kbIms5GGJVwS/Yc= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY= +google.golang.org/genproto v0.0.0-20240730163845-b1a4ccb954bf h1:OqdXDEakZCVtDiZTjcxfwbHPCT11ycCEsTKesBVKvyY= +google.golang.org/genproto v0.0.0-20240730163845-b1a4ccb954bf/go.mod h1:mCr1K1c8kX+1iSBREvU3Juo11CB+QOEWxbRS01wWl5M= +google.golang.org/genproto/googleapis/api v0.0.0-20240725223205-93522f1f2a9f h1:b1Ln/PG8orm0SsBbHZWke8dDp2lrCD4jSmfglFpTZbk= +google.golang.org/genproto/googleapis/api v0.0.0-20240725223205-93522f1f2a9f/go.mod h1:AHT0dDg3SoMOgZGnZk29b5xTbPHMoEC8qthmBLJCpys= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240730163845-b1a4ccb954bf h1:liao9UHurZLtiEwBgT9LMOnKYsHze6eA6w1KQCMVN2Q= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240730163845-b1a4ccb954bf/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.31.0/go.mod 
h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.62.1 h1:B4n+nfKzOICUXMgyrNd19h/I9oH0L1pizfk1d4zSgTk= -google.golang.org/grpc v1.62.1/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE= +google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc= +google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= 
@@ -898,15 +922,15 @@ google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpAD google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= -google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= +google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4= +gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= -gopkg.in/go-jose/go-jose.v2 v2.6.3 h1:nt80fvSDlhKWQgSWyHyy5CfmlQr+asih51R8PTWNKKs= -gopkg.in/go-jose/go-jose.v2 v2.6.3/go.mod h1:zzZDPkNNw/c9IE7Z9jr11mBZQhKQTMzoEEIoEdZlFBI= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/ini.v1 v1.56.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= 
@@ -927,22 +951,22 @@ gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU= gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -k8s.io/api v0.29.1 h1:DAjwWX/9YT7NQD4INu49ROJuZAAAP/Ijki48GUPzxqw= -k8s.io/api v0.29.1/go.mod h1:7Kl10vBRUXhnQQI8YR/R327zXC8eJ7887/+Ybta+RoQ= -k8s.io/apimachinery v0.29.1 h1:KY4/E6km/wLBguvCZv8cKTeOwwOBqFNjwJIdMkMbbRc= -k8s.io/apimachinery v0.29.1/go.mod h1:6HVkd1FwxIagpYrHSwJlQqZI3G9LfYWRPAkUvLnXTKU= -k8s.io/client-go v0.29.1 h1:19B/+2NGEwnFLzt0uB5kNJnfTsbV8w6TgQRz9l7ti7A= -k8s.io/client-go v0.29.1/go.mod h1:TDG/psL9hdet0TI9mGyHJSgRkW3H9JZk2dNEUS7bRks= -k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= -k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kube-openapi v0.0.0-20240126223410-2919ad4fcfec h1:iGTel2aR8vCZdxJDgmbeY0zrlXy9Qcvyw4R2sB4HLrA= -k8s.io/kube-openapi v0.0.0-20240126223410-2919ad4fcfec/go.mod h1:Pa1PvrP7ACSkuX6I7KYomY6cmMA0Tx86waBhDUgoKPw= -k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCfRziVtos3ofG/sQ= -k8s.io/utils v0.0.0-20240102154912-e7106e64919e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU= +k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI= +k8s.io/apimachinery v0.31.1 h1:mhcUBbj7KUjaVhyXILglcVjuS4nYXiwC+KKFBgIVy7U= +k8s.io/apimachinery v0.31.1/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/client-go v0.31.1 h1:f0ugtWSbWpxHR7sjVpQwuvw9a3ZKLXX0u0itkFXufb0= +k8s.io/client-go v0.31.1/go.mod h1:sKI8871MJN2OyeqRlmA4W4KM9KBdBUpDLu/43eGemCg= +k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= +k8s.io/klog/v2 v2.130.1/go.mod 
h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag= +k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/release-utils v0.7.7 h1:JKDOvhCk6zW8ipEOkpTGDH/mW3TI+XqtPp16aaQ79FU= -sigs.k8s.io/release-utils v0.7.7/go.mod h1:iU7DGVNi3umZJ8q6aHyUFzsDUIaYwNnNKGHo3YE5E3s= +sigs.k8s.io/release-utils v0.8.4 h1:4QVr3UgbyY/d9p74LBhg0njSVQofUsAZqYOzVZBhdBw= +sigs.k8s.io/release-utils v0.8.4/go.mod h1:m1bHfscTemQp+z+pLCZnkXih9n0+WukIUU70n6nFnU0= sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= diff --git a/main.go b/main.go index e361301..9964b0d 100644 --- a/main.go +++ b/main.go @@ -22,6 +22,7 @@ const ( port = "8080" mport = "8081" logTemplate = "[{{datetime}}] [{{level}}] {{caller}} {{message}} \n" + timeout = 10 * time.Second ) var tlscert, tlskey string @@ -64,12 +65,12 @@ func main() { Certificates: []tls.Certificate{certs}, MinVersion: tls.VersionTLS12, }, - ReadHeaderTimeout: 10 * time.Second, + ReadHeaderTimeout: timeout, } mserver := &http.Server{ Addr: fmt.Sprintf(":%v", mport), - ReadHeaderTimeout: 10 * time.Second, + ReadHeaderTimeout: timeout, } // define http server and server handler diff --git a/test/framework/cosign.go b/test/framework/cosign.go index d0fa2d8..aafbd47 100644 
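Review bot: Both `http.Server` values in `main` still set only `ReadHeaderTimeout`, so once the headers have arrived a client can keep a connection open for as long as it likes while sending or reading the body slowly. Since this change already introduces the shared `timeout` constant, the same hunk could add `ReadTimeout: timeout,` and `WriteTimeout: timeout,` to the webhook server and to `mserver`. The name `timeout` is also generic for a package-level constant; `serverTimeout` would say what it bounds. `main` starts and ends outside the hunk, so timeouts applied elsewhere are not visible here.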
--- a/test/framework/cosign.go +++ b/test/framework/cosign.go @@ -64,9 +64,7 @@ func (f *Framework) CreateKeys(t testing.TB, name string) (private string, publi } // CreateRSAKeyPair creates an RSA keypair for signing with the provided name -// The keypair is generated using openssl, as cosign doesn't support RSA keypairs func (f *Framework) CreateRSAKeyPair(t *testing.T, name string) (private string, public string) { - priv, err := rsa.GenerateKey(rand.Reader, 2048) if err != nil { f.Cleanup(t) diff --git a/test/framework/cosign_test.go b/test/framework/cosign_test.go index 5a45310..e27cc2e 100644 --- a/test/framework/cosign_test.go +++ b/test/framework/cosign_test.go @@ -6,7 +6,6 @@ import ( ) func TestFramework_CreateRSAKeyPair(t *testing.T) { - tests := []struct { name string }{ @@ -16,7 +15,6 @@ func TestFramework_CreateRSAKeyPair(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - f := &Framework{} priv, pub := f.CreateRSAKeyPair(t, tt.name) diff --git a/test/main_test.go b/test/main_test.go index 1649baa..183018c 100644 --- a/test/main_test.go +++ b/test/main_test.go @@ -16,6 +16,7 @@ func TestPassingDeployments(t *testing.T) { "EventEmittedOnSignatureVerification": testEventEmittedOnSignatureVerification, "EventEmittedOnNoSignatureVerification": testEventEmittedOnNoSignatureVerification, "OneContainerWIthCosignRepository": testOneContainerWithCosignRepository, + "OneContainerSinglePubKeyEnvRefRSA": testOneContainerSinglePubKeyEnvRefRSA, } for name, tf := range testFuncs { diff --git a/test/webhook_test.go b/test/webhook_test.go index 998671a..8b37653 100644 --- a/test/webhook_test.go +++ b/test/webhook_test.go 
@@ -693,6 +693,63 @@ func testOneContainerWithCosignRepository(t *testing.T) { fw.Cleanup(t) } +// testOneContainerSinglePubKeyEnvRefRSA tests that a deployment with a single signed container, +// with a public key provided via an environment variable, succeeds. The keypair used for this test is an RSA keypair. +func testOneContainerSinglePubKeyEnvRefRSA(t *testing.T) { + fw, err := framework.New() + if err != nil { + t.Fatal(err) + } + + _, pub := fw.CreateRSAKeyPair(t, "test") + fw.SignContainer(t, framework.SignOptions{ + KeyName: "test", + Image: "k3d-registry.localhost:5000/busybox:first", + }) + + // create a deployment with a single signed container and a public key provided via an environment variable + depl := appsv1.Deployment{ + ObjectMeta: metav1.ObjectMeta{ + Name: "one-container-env-ref-rsa", + Namespace: "test-cases", + }, + Spec: appsv1.DeploymentSpec{ + Selector: &metav1.LabelSelector{ + MatchLabels: map[string]string{"app": "one-container-env-ref-rsa"}, + }, + Template: corev1.PodTemplateSpec{ + ObjectMeta: metav1.ObjectMeta{ + Labels: map[string]string{"app": "one-container-env-ref-rsa"}, + }, + Spec: corev1.PodSpec{ + TerminationGracePeriodSeconds: &terminationGracePeriodSeconds, + Containers: []corev1.Container{ + { + Name: "one-container-env-ref-rsa", + Image: "k3d-registry.localhost:5000/busybox:first", + Command: []string{ + "sh", + "-c", + "while true; do echo 'hello world, i am tired and will sleep now'; sleep 60; done", + }, + Env: []corev1.EnvVar{ + { + Name: webhook.CosignEnvVar, + Value: pub, + }, + }, + }, + }, + }, + }, + }, + } + + fw.CreateDeployment(t, depl) + fw.WaitForDeployment(t, depl) + fw.Cleanup(t) +} + // testOneContainerSinglePubKeyNoMatchEnvRef tests that a deployment with a single signed container, // with a public key provided via an environment variable, fails if the public key does not match the signature. func testOneContainerSinglePubKeyNoMatchEnvRef(t *testing.T) { 
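Review bot: The `pub` value placed in the `webhook.CosignEnvVar` variable comes from `fw.CreateRSAKeyPair`, which in the first patch of this series returns `string(publicKeyPEM.Bytes)`, that is, the raw DER bytes of the key rather than its PEM text. The webhook presumably expects PEM there (it reports a malformed key otherwise), and binary data is unlikely to survive as a Kubernetes env value, so unless the helper is changed later in the series this test may fail or not exercise RSA verification at all. Returning the encoded form from the helper, `return string(pem.EncodeToMemory(privPEM)), string(pem.EncodeToMemory(publicKeyPEM))`, would make the value match what a user would configure. The fixed key name `"test"` also writes `test.key` and `test.pub` into the working directory, which may collide with other test cases that use the same name.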
diff --git a/webhook/cosignwebhook.go b/webhook/cosignwebhook.go index 4ef2db5..b8e3846 100644 --- a/webhook/cosignwebhook.go +++ b/webhook/cosignwebhook.go @@ -368,7 +368,6 @@ func (csh *CosignServerHandler) verifyContainer(c corev1.Container, pubKey strin IgnoreSCT: true, IgnoreTlog: true, }) - if err != nil { log.Errorf("Error verifying signature: %v", err) return fmt.Errorf("signature for %q couldn't be verified", image) From e9a369068e28c36d11bbcfdaaecd5563fede64ac Mon Sep 17 00:00:00 2001 From: Bruno Bressi Date: Thu, 12 Sep 2024 18:36:16 +0200 Subject: [PATCH 04/17] feat: added RSA key support in verification process Signed-off-by: Bruno Bressi --- webhook/cosignwebhook.go | 26 ++++++++++--- webhook/cosignwebhook_test.go | 69 +++++++++++++++++++++++++++++++++++ 2 files changed, 89 insertions(+), 6 deletions(-) diff --git a/webhook/cosignwebhook.go b/webhook/cosignwebhook.go index b8e3846..323f1c9 100644 --- a/webhook/cosignwebhook.go +++ b/webhook/cosignwebhook.go @@ -4,8 +4,8 @@ import ( "context" "crypto" "crypto/ecdsa" + "crypto/rsa" "encoding/json" - "errors" "fmt" "io" "net/http" @@ -127,7 +127,7 @@ func getPod(b []byte) (*corev1.Pod, *v1.AdmissionReview, error) { return &pod, &arRequest, nil } -// getPubKeyFromEnv procures the public key from the container's nth container, if present. +// getPubKeyFromEnv procures the public key from the container's environment section, if present. // Else it returns an empty string and an error. func (csh *CosignServerHandler) getPubKeyFromEnv(c *corev1.Container, ns string) (string, error) { for _, envVar := range c.Env { 
@@ -337,11 +337,12 @@ func (csh *CosignServerHandler) verifyContainer(c corev1.Container, pubKey strin return fmt.Errorf("public key for image %q malformed", image) } + // depending on key algorithm, we need to load the key differently + // currently only ECDSA and RSA are supported // Load public key to verify - cosignLoadKey, err := signature.LoadECDSAVerifier(publicKey.(*ecdsa.PublicKey), crypto.SHA256) + verifier, err := csh.newVerifierForKey(publicKey) if err != nil { - log.Errorf("Error loading ECDSA verifier: %v", err) - return errors.New("failed creating key verifier") + return err } // Verify signature on remote image with the presented public key @@ -364,7 +365,7 @@ func (csh *CosignServerHandler) verifyContainer(c corev1.Container, pubKey strin refImage, &cosign.CheckOpts{ RegistryClientOpts: remoteOpts, - SigVerifier: cosignLoadKey, + SigVerifier: verifier, IgnoreSCT: true, IgnoreTlog: true, }) @@ -378,6 +379,19 @@ func (csh *CosignServerHandler) verifyContainer(c corev1.Container, pubKey strin return nil } +// newVerifierForKey creates a new signature verifier for the given public key. +func (*CosignServerHandler) newVerifierForKey(publicKey crypto.PublicKey) (signature.Verifier, error) { + switch pub := publicKey.(type) { + case *ecdsa.PublicKey: + return signature.LoadECDSAVerifier(pub, crypto.SHA256) + case *rsa.PublicKey: + return signature.LoadRSAPKCS1v15Verifier(pub, crypto.SHA256) + default: + log.Errorf("Unsupported public key type: %t", publicKey) + return nil, fmt.Errorf("unsupported public key type: %t", publicKey) + } +} + // getCosignRepository returns the repository specified by the COSIGN_REPOSITORY environment variable // of the container, or nil if not set. func getCosignRepository(env []corev1.EnvVar) string { diff --git a/webhook/cosignwebhook_test.go b/webhook/cosignwebhook_test.go index 2e216fc..e8c1a51 100644 --- a/webhook/cosignwebhook_test.go +++ b/webhook/cosignwebhook_test.go 
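Review bot: In the `default` branch of `newVerifierForKey`, both `log.Errorf` and `fmt.Errorf` use `%t`, which is the boolean verb; for any other argument it prints `%!t(...)` with the value instead of the type name. Use `%T`, as in `return nil, fmt.Errorf("unsupported public key type: %T", publicKey)`. The `*rsa.PublicKey` case also accepts a modulus of any size, so a weak key configured on a pod would still be treated as a valid trust anchor; consider rejecting keys where `pub.N.BitLen() < 2048` before calling `signature.LoadRSAPKCS1v15Verifier`. The doc comment could also state that only ECDSA and RSA keys are supported and that SHA-256 is the fixed digest.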
@@ -1,6 +1,11 @@ package webhook import ( + "crypto" + "crypto/ecdsa" + "crypto/elliptic" + "crypto/rand" + "crypto/rsa" "testing" corev1 "k8s.io/api/core/v1" @@ -139,3 +144,67 @@ func Test_getPubKeyFromEnv(t *testing.T) { }) } } + +func TestCosignServerHandler_newVerifierForKey(t *testing.T) { + tests := []struct { + name string + pubkey crypto.PublicKey + wantErr bool + }{ + { + name: "success RSA", + pubkey: testRSAPubKey(t), + }, + { + name: "success ECDSA", + pubkey: testECDSAPubKey(t), + }, + { + name: "fail empty public key", + pubkey: "", + wantErr: true, + }, + { + name: "fail: malformed key", + pubkey: "i'm not a key!", + wantErr: true, + }, + } + + for _, tt := range tests { + + csh := &CosignServerHandler{} + t.Run(tt.name, func(t *testing.T) { + got, err := csh.newVerifierForKey(tt.pubkey) + + if (err != nil) != tt.wantErr { + t.Fatalf("verifySignature() error = %v, wantErr %v", err, tt.wantErr) + } + + if !tt.wantErr && got == nil { + t.Fatal("expected key to produce verifier") + } + }) + } +} + +// testECDSAPubKey creates an ECDSA keypair and returns the public key +func testECDSAPubKey(t testing.TB) crypto.PublicKey { + key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + if err != nil { + t.Errorf("failed generating ECDSA key: %v", err) + return nil + } + return &key.PublicKey +} + +// testRSAPubKey creates an RSA keypair and returns the public key +func testRSAPubKey(t testing.TB) crypto.PublicKey { + key, err := rsa.GenerateKey(rand.Reader, 256) + if err != nil { + t.Errorf("failed generating RSA key: %v", err) + return nil + } + + return &key.PublicKey +} From ca6c2e9f0ff0926ca9faeaddaacbff0080998b50 Mon Sep 17 00:00:00 2001 From: Bruno Bressi Date: Thu, 12 Sep 2024 18:44:10 +0200 Subject: [PATCH 05/17] chore: formatting Signed-off-by: Bruno Bressi --- webhook/cosignwebhook.go | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/webhook/cosignwebhook.go b/webhook/cosignwebhook.go index 323f1c9..126cb21 100644 
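Review bot: `testRSAPubKey` generates a 256-bit key with `rsa.GenerateKey(rand.Reader, 256)`, which is far below any size used in practice, and newer Go releases reject RSA keys under 1024 bits by default; use `rsa.GenerateKey(rand.Reader, 2048)` so the test covers a realistic key. Both key helpers report failure with `t.Errorf` and return `nil`, so the table test carries on with a nil key; calling `t.Helper()` and `t.Fatalf` would stop at the real cause. The failure message in the table test names `verifySignature()` although the function under test is `newVerifierForKey`.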
--- a/webhook/cosignwebhook.go +++ b/webhook/cosignwebhook.go @@ -337,15 +337,11 @@ func (csh *CosignServerHandler) verifyContainer(c corev1.Container, pubKey strin return fmt.Errorf("public key for image %q malformed", image) } - // depending on key algorithm, we need to load the key differently - // currently only ECDSA and RSA are supported - // Load public key to verify verifier, err := csh.newVerifierForKey(publicKey) if err != nil { return err } - // Verify signature on remote image with the presented public key remoteOpts := []ociremote.Option{ ociremote.WithRemoteOptions(remote.WithAuthFromKeychain(csh.kc)), } @@ -368,7 +364,8 @@ func (csh *CosignServerHandler) verifyContainer(c corev1.Container, pubKey strin SigVerifier: verifier, IgnoreSCT: true, IgnoreTlog: true, - }) + }, + ) if err != nil { log.Errorf("Error verifying signature: %v", err) return fmt.Errorf("signature for %q couldn't be verified", image) From 9df1f41b728a0812a53faab50abcf596bfc89f01 Mon Sep 17 00:00:00 2001 From: Bruno Bressi Date: Thu, 12 Sep 2024 19:10:03 +0200 Subject: [PATCH 06/17] feat: new test case for RSA Also moved port back to 5000 Signed-off-by: Bruno Bressi --- Makefile | 24 ++++++------- chart/values.yaml | 4 +-- test/framework/cosign.go | 1 - test/webhook_test.go | 74 ++++++++++++++++++++++++++++++++++++++++ 4 files changed, 88 insertions(+), 15 deletions(-) diff --git a/Makefile b/Makefile index b335428..f418c73 100644 --- a/Makefile +++ b/Makefile @@ -17,9 +17,9 @@ test-unit: e2e-cluster: @echo "Creating registry..." - @k3d registry create registry.localhost --port 13942 + @k3d registry create registry.localhost --port 5000 @echo "Adding registry to cluster..." - @k3d cluster create cosign-tests --registry-use k3d-registry.localhost:13942 + @k3d cluster create cosign-tests --registry-use k3d-registry.localhost:5000 @echo "Create test namespace..." @kubectl create namespace test-cases 
@@ -33,29 +33,29 @@ e2e-images: @echo "Checking for cosign.key..." @test -f cosign.key || (echo "cosign.key not found. Run 'make e2e-keys' to generate the pairs needed for the tests." && exit 1) @echo "Building test image..." - @docker build -t k3d-registry.localhost:13942/cosignwebhook:dev . + @docker build -t k3d-registry.localhost:5000/cosignwebhook:dev . @echo "Pushing test image..." - @docker push k3d-registry.localhost:13942/cosignwebhook:dev + @docker push k3d-registry.localhost:5000/cosignwebhook:dev @echo "Signing test image..." @export COSIGN_PASSWORD="" && \ - cosign sign --tlog-upload=false --key cosign.key k3d-registry.localhost:13942/cosignwebhook:dev + cosign sign --tlog-upload=false --key cosign.key k3d-registry.localhost:5000/cosignwebhook:dev @echo "Importing test image to cluster..." - @k3d image import k3d-registry.localhost:13942/cosignwebhook:dev --cluster cosign-tests + @k3d image import k3d-registry.localhost:5000/cosignwebhook:dev --cluster cosign-tests @echo "Building busybox image..." @docker pull busybox:latest @echo "Tagging & pushing busybox images..." - @docker tag busybox:latest k3d-registry.localhost:13942/busybox:first - @docker tag busybox:latest k3d-registry.localhost:13942/busybox:second - @docker push k3d-registry.localhost:13942/busybox --all-tags + @docker tag busybox:latest k3d-registry.localhost:5000/busybox:first + @docker tag busybox:latest k3d-registry.localhost:5000/busybox:second + @docker push k3d-registry.localhost:5000/busybox --all-tags @echo "Signing busybox images..." 
@export COSIGN_PASSWORD="" && \ - cosign sign --tlog-upload=false --key cosign.key k3d-registry.localhost:13942/busybox:first && \ - cosign sign --tlog-upload=false --key second.key k3d-registry.localhost:13942/busybox:second + cosign sign --tlog-upload=false --key cosign.key k3d-registry.localhost:5000/busybox:first && \ + cosign sign --tlog-upload=false --key second.key k3d-registry.localhost:5000/busybox:second e2e-deploy: @echo "Deploying test image..." @helm upgrade -i cosignwebhook chart -n cosignwebhook --create-namespace \ - --set image.repository=k3d-registry.localhost:13942/cosignwebhook \ + --set image.repository=k3d-registry.localhost:5000/cosignwebhook \ --set image.tag=dev \ --set-file cosign.scwebhook.key=cosign.pub \ --set logLevel=debug \ diff --git a/chart/values.yaml b/chart/values.yaml index 2430212..3c602a6 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -32,7 +32,7 @@ podAnnotations: {} podSecurityContext: fsGroup: 1000 supplementalGroups: - - 1000 + - 1000 # minimal permissions for container securityContext: @@ -40,7 +40,7 @@ securityContext: allowPrivilegeEscalation: false capabilities: drop: - - ALL + - ALL privileged: false runAsUser: 1000 runAsGroup: 1000 diff --git a/test/framework/cosign.go b/test/framework/cosign.go index aafbd47..bbd3be3 100644 --- a/test/framework/cosign.go +++ b/test/framework/cosign.go @@ -136,7 +136,6 @@ func (f *Framework) SignContainer(t *testing.T, opts SignOptions) { "sign", opts.Image, } - t.Setenv("COSIGN_PASSWORD", "") cmd := cli.New() _ = cmd.Flags().Set("timeout", "30s") cmd.SetArgs(args) diff --git a/test/webhook_test.go b/test/webhook_test.go index 8b37653..5b4f096 100644 --- a/test/webhook_test.go +++ b/test/webhook_test.go 
@@ -750,6 +750,80 @@ func testOneContainerSinglePubKeyEnvRefRSA(t *testing.T) { fw.Cleanup(t) } +func TestTwoContainersSinglePubKeyEnvRefRSA(t *testing.T) { + fw, err := framework.New() + if err != nil { + t.Fatal(err) + } + + // Create a deployment with two containers signed by the same RSA key + _, rsaPub := fw.CreateRSAKeyPair(t, "test") + fw.SignContainer(t, framework.SignOptions{ + KeyName: "test", + Image: "k3d-registry.localhost:5000/busybox:first", + SignatureRepo: "k3d-registry.localhost:5000/sigs", + }) + fw.SignContainer(t, framework.SignOptions{ + KeyName: "test", + Image: "k3d-registry.localhost:5000/busybox:second", + SignatureRepo: "k3d-registry.localhost:5000/sigs", + }) + + depl := appsv1.Deployment{ + ObjectMeta: metav1.ObjectMeta{ + Name: "two-containers-single-pubkey-envref", + Namespace: "test-cases", + }, + Spec: appsv1.DeploymentSpec{ + Selector: &metav1.LabelSelector{ + MatchLabels: map[string]string{"app": "two-containers-single-pubkey-envref"}, + }, + Template: corev1.PodTemplateSpec{ + ObjectMeta: metav1.ObjectMeta{ + Labels: map[string]string{"app": "two-containers-single-pubkey-envref"}, + }, + Spec: corev1.PodSpec{ + TerminationGracePeriodSeconds: &terminationGracePeriodSeconds, + Containers: []corev1.Container{ + { + Name: "two-containers-single-pubkey-envref", + Image: "k3d-registry.localhost:5000/busybox:first", + Command: []string{ + "sh", "-c", + "echo 'hello world, i am tired and will sleep now'; sleep 60", + }, + Env: []corev1.EnvVar{ + { + Name: webhook.CosignEnvVar, + Value: rsaPub, + }, + }, + }, + { + Name: "two-containers-single-pubkey-envref", + Image: "k3d-registry.localhost:5000/busybox:second", + Command: []string{ + "sh", "-c", + "echo 'hello world, i am tired and will sleep now'; sleep 60", + }, + Env: []corev1.EnvVar{ + { + Name: webhook.CosignEnvVar, + Value: rsaPub, + }, + }, + }, + }, + }, + }, + }, + } + + fw.CreateDeployment(t, depl) + fw.WaitForDeployment(t, depl) + fw.Cleanup(t) +} + // 
testOneContainerSinglePubKeyNoMatchEnvRef tests that a deployment with a single signed container, // with a public key provided via an environment variable, fails if the public key does not match the signature. func testOneContainerSinglePubKeyNoMatchEnvRef(t *testing.T) { From 390ad92d783d393686e189ce3147eb510c1bcdb7 Mon Sep 17 00:00:00 2001 From: Bruno Bressi Date: Sat, 14 Sep 2024 18:13:29 +0200 Subject: [PATCH 07/17] refactor: use port variable To make the tests easier to maintain, a variable was introduced for the port used in the ephemeral private registry used. --- Makefile | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/Makefile b/Makefile index f418c73..86ea820 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,9 @@ +PORT := 5000 + ############# ### TESTS ### ############# + .PHONY: test-e2e test-e2e: @echo "Running e2e tests..." @@ -17,9 +20,9 @@ test-unit: e2e-cluster: @echo "Creating registry..." - @k3d registry create registry.localhost --port 5000 + @k3d registry create registry.localhost --port $(PORT) @echo "Adding registry to cluster..." - @k3d cluster create cosign-tests --registry-use k3d-registry.localhost:5000 + @@uname -m | grep -q 'Darwin' && export K3D_FIX_DNS=0; k3d cluster create cosign-tests --registry-use k3d-registry.localhost:$(PORT) @echo "Create test namespace..." @kubectl create namespace test-cases 
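Review bot: Both entries in `Containers` of the new TestTwoContainersSinglePubKeyEnvRefRSA use the same `Name: "two-containers-single-pubkey-envref"`. Kubernetes requires container names to be unique within a pod, so the API server should reject this deployment before the webhook ever sees the RSA key. Give them distinct names, for example `Name: "two-containers-single-pubkey-envref-first"` and `Name: "two-containers-single-pubkey-envref-second"`, matching the naming in testTwoContainersSinglePubKeyEnvRef. The later 08/17 hunks at -787 and -801 still carry the duplicate name. `fw.Cleanup(t)` also runs only on the success path here; `defer fw.Cleanup(t)` right after `framework.New()` would cover an early failure.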
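Review bot: The macOS guard in the new `e2e-cluster` recipe line can never match, because `uname -m` prints the machine architecture (such as `x86_64` or `arm64`) while `Darwin` is the kernel name printed by `uname -s`. As written, `K3D_FIX_DNS=0` is never exported. The line should read `@uname -s | grep -q 'Darwin' && export K3D_FIX_DNS=0; k3d cluster create cosign-tests --registry-use k3d-registry.localhost:$(PORT)`, which also drops the doubled `@`. A short comment above it saying why the DNS fix is disabled on macOS would help the next maintainer.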
@@ -33,29 +36,30 @@ e2e-images: @echo "Checking for cosign.key..." @test -f cosign.key || (echo "cosign.key not found. Run 'make e2e-keys' to generate the pairs needed for the tests." && exit 1) @echo "Building test image..." - @docker build -t k3d-registry.localhost:5000/cosignwebhook:dev . + @docker build -t k3d-registry.localhost:$(PORT)/cosignwebhook:dev . @echo "Pushing test image..." - @docker push k3d-registry.localhost:5000/cosignwebhook:dev + @docker push k3d-registry.localhost:$(PORT)/cosignwebhook:dev @echo "Signing test image..." @export COSIGN_PASSWORD="" && \ - cosign sign --tlog-upload=false --key cosign.key k3d-registry.localhost:5000/cosignwebhook:dev + cosign sign --tlog-upload=false --key cosign.key k3d-registry.localhost:$(PORT)/cosignwebhook:dev @echo "Importing test image to cluster..." - @k3d image import k3d-registry.localhost:5000/cosignwebhook:dev --cluster cosign-tests + @k3d image import k3d-registry.localhost:$(PORT)/cosignwebhook:dev --cluster cosign-tests @echo "Building busybox image..." @docker pull busybox:latest @echo "Tagging & pushing busybox images..." - @docker tag busybox:latest k3d-registry.localhost:5000/busybox:first - @docker tag busybox:latest k3d-registry.localhost:5000/busybox:second - @docker push k3d-registry.localhost:5000/busybox --all-tags + @docker tag busybox:latest k3d-registry.localhost:$(PORT)/busybox:first + @docker tag busybox:latest k3d-registry.localhost:$(PORT)/busybox:second + @docker push k3d-registry.localhost:$(PORT)/busybox --all-tags @echo "Signing busybox images..." 
@export COSIGN_PASSWORD="" && \ - cosign sign --tlog-upload=false --key cosign.key k3d-registry.localhost:5000/busybox:first && \ - cosign sign --tlog-upload=false --key second.key k3d-registry.localhost:5000/busybox:second + cosign sign --tlog-upload=false --key cosign.key k3d-registry.localhost:$(PORT)/busybox:first && \ + cosign sign --tlog-upload=false --key cosign.key k3d-registry.localhost:$(PORT)/busybox:first && \ + cosign sign --tlog-upload=false --key second.key k3d-registry.localhost:$(PORT)/busybox:second e2e-deploy: @echo "Deploying test image..." @helm upgrade -i cosignwebhook chart -n cosignwebhook --create-namespace \ - --set image.repository=k3d-registry.localhost:5000/cosignwebhook \ + --set image.repository=k3d-registry.localhost:$(PORT)/cosignwebhook \ --set image.tag=dev \ --set-file cosign.scwebhook.key=cosign.pub \ --set logLevel=debug \ @@ -65,7 +69,7 @@ e2e-prep: e2e-cluster e2e-keys e2e-images e2e-deploy e2e-cleanup: @echo "Cleaning up test env..." - @k3d registry delete k3d-registry || echo "Deleting k3d registry failed. Continuing..." + @k3d registry delete registry.localhost || echo "Deleting k3d registry failed. Continuing..." @helm uninstall cosignwebhook -n cosignwebhook || echo "Uninstalling cosignwebhook helm release failed. Continuing..." @k3d cluster delete cosign-tests || echo "Deleting cosign tests k3d cluster failed. Continuing..." @rm -f cosign.pub cosign.key second.pub second.key || echo "Removing files failed. Continuing..." From 899c8e24508d830def2ab393f9c7111e9ed675e8 Mon Sep 17 00:00:00 2001 From: Bruno Bressi Date: Sat, 14 Sep 2024 18:16:10 +0200 Subject: [PATCH 08/17] refactor: use constants for images This makes the tests somewhat easier to maintain and read. --- test/webhook_test.go | 101 +++++++++++++++++++++++-------------------- 1 file changed, 54 insertions(+), 47 deletions(-) diff --git a/test/webhook_test.go b/test/webhook_test.go index 5b4f096..700f9d3 100644 --- a/test/webhook_test.go 
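Review bot: The "Signing busybox images..." step in `e2e-images` now has the `cosign sign ... --key cosign.key k3d-registry.localhost:$(PORT)/busybox:first && \` line twice, which accounts for the hunk growing from 29 to 30 lines. The first tag is signed twice with the same key and `busybox:second` is still signed once, so the repeated line looks like a copy/paste leftover from the port substitution. Drop one of the two `busybox:first` lines so the recipe is `cosign sign ... cosign.key ...:first && \` followed by `cosign sign ... second.key ...:second`.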
+++ b/test/webhook_test.go @@ -1,6 +1,7 @@ package test import ( + "fmt" "testing" "github.com/eumel8/cosignwebhook/test/framework" @@ -13,6 +14,12 @@ import ( // terminationGracePeriodSeconds is the termination grace period for the test deployments var terminationGracePeriodSeconds int64 = 3 +const ( + busyboxOne = "k3d-registry.localhost:5000/busybox:first" + busyboxTwo = "k3d-registry.localhost:5000/busybox:second" + signatureRepo = "k3d-registry.localhost:5000" +) + // testOneContainerSinglePubKeyEnvRef tests that a deployment with a single signed container, // with a public key provided via an environment variable, succeeds. func testOneContainerSinglePubKeyEnvRef(t *testing.T) { @@ -24,7 +31,7 @@ func testOneContainerSinglePubKeyEnvRef(t *testing.T) { _, pub := fw.CreateKeys(t, "test") fw.SignContainer(t, framework.SignOptions{ KeyName: "test", - Image: "k3d-registry.localhost:5000/busybox:first", + Image: busyboxOne, }) // create a deployment with a single signed container and a public key provided via an environment variable @@ -46,7 +53,7 @@ func testOneContainerSinglePubKeyEnvRef(t *testing.T) { Containers: []corev1.Container{ { Name: "one-container-env-ref", - Image: "k3d-registry.localhost:5000/busybox:first", + Image: busyboxOne, Command: []string{ "sh", "-c", @@ -81,11 +88,11 @@ func testTwoContainersSinglePubKeyEnvRef(t *testing.T) { _, pub := fw.CreateKeys(t, "test") fw.SignContainer(t, framework.SignOptions{ KeyName: "test", - Image: "k3d-registry.localhost:5000/busybox:first", + Image: busyboxOne, }) fw.SignContainer(t, framework.SignOptions{ KeyName: "test", - Image: "k3d-registry.localhost:5000/busybox:second", + Image: busyboxTwo, }) // create a deployment with two signed containers and a public key provided via an environment variable 
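Review bot: The new `signatureRepo` constant is `"k3d-registry.localhost:5000"`, but every literal it replaces further down (`SignatureRepo:` and the `webhook.CosignRepositoryEnvVar` value) was `"k3d-registry.localhost:5000/sigs"`. A commit labelled as a refactor therefore changes where signatures are pushed and looked up, and a bare `host:port` with no repository path may not be accepted as a `COSIGN_REPOSITORY` value. Keep the old behaviour with `signatureRepo = "k3d-registry.localhost:5000/sigs"`. The three constants also hard-code port 5000 while the Makefile now uses `$(PORT)`, so a comment such as `// must match PORT in the Makefile` would make that coupling visible.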
@@ -107,7 +114,7 @@ func testTwoContainersSinglePubKeyEnvRef(t *testing.T) { Containers: []corev1.Container{ { Name: "two-containers-same-pub-key-env-ref-first", - Image: "k3d-registry.localhost:5000/busybox:first", + Image: busyboxOne, Command: []string{ "sh", "-c", @@ -122,7 +129,7 @@ func testTwoContainersSinglePubKeyEnvRef(t *testing.T) { }, { Name: "two-containers-same-pub-key-env-ref-second", - Image: "k3d-registry.localhost:5000/busybox:second", + Image: busyboxTwo, Command: []string{ "sh", "-c", @@ -157,7 +164,7 @@ func testOneContainerSinglePubKeySecretRef(t *testing.T) { _, pub := fw.CreateKeys(t, "test") fw.SignContainer(t, framework.SignOptions{ KeyName: "test", - Image: "k3d-registry.localhost:5000/busybox:first", + Image: busyboxOne, }) // create a secret with the public key @@ -190,7 +197,7 @@ func testOneContainerSinglePubKeySecretRef(t *testing.T) { Containers: []corev1.Container{ { Name: "one-container-secret-ref", - Image: "k3d-registry.localhost:5000/busybox:first", + Image: busyboxOne, Command: []string{ "sh", "-c", @@ -234,11 +241,11 @@ func testTwoContainersMixedPubKeyMixedRef(t *testing.T) { _, pub2 := fw.CreateKeys(t, "test2") fw.SignContainer(t, framework.SignOptions{ KeyName: "test1", - Image: "k3d-registry.localhost:5000/busybox:first", + Image: busyboxOne, }) fw.SignContainer(t, framework.SignOptions{ KeyName: "test2", - Image: "k3d-registry.localhost:5000/busybox:second", + Image: busyboxTwo, }) // create a secret with the public key @@ -271,7 +278,7 @@ func testTwoContainersMixedPubKeyMixedRef(t *testing.T) { Containers: []corev1.Container{ { Name: "two-containers-mixed-pub-keyrefs-first", - Image: "k3d-registry.localhost:5000/busybox:first", + Image: busyboxOne, Command: []string{ "sh", "-c", @@ -293,7 +300,7 @@ func testTwoContainersMixedPubKeyMixedRef(t *testing.T) { }, { Name: "two-containers-mixed-pub-keyrefs-second", - Image: "k3d-registry.localhost:5000/busybox:second", + Image: busyboxTwo, Command: []string{ "sh", "-c", 
@@ -329,11 +336,11 @@ func testTwoContainersSinglePubKeyMixedRef(t *testing.T) { _, pub := fw.CreateKeys(t, "test") fw.SignContainer(t, framework.SignOptions{ KeyName: "test", - Image: "k3d-registry.localhost:5000/busybox:first", + Image: busyboxOne, }) fw.SignContainer(t, framework.SignOptions{ KeyName: "test", - Image: "k3d-registry.localhost:5000/busybox:second", + Image: busyboxTwo, }) // create a secret with the public key @@ -366,7 +373,7 @@ func testTwoContainersSinglePubKeyMixedRef(t *testing.T) { Containers: []corev1.Container{ { Name: "two-containers-onekey-mixed-ref-first", - Image: "k3d-registry.localhost:5000/busybox:first", + Image: busyboxOne, Command: []string{ "sh", "-c", @@ -388,7 +395,7 @@ func testTwoContainersSinglePubKeyMixedRef(t *testing.T) { }, { Name: "two-containers-onekey-mixed-ref-second", - Image: "k3d-registry.localhost:5000/busybox:second", + Image: busyboxTwo, Command: []string{ "sh", "-c", @@ -424,11 +431,11 @@ func testTwoContainersWithInitSinglePubKeyMixedRef(t *testing.T) { _, pub := fw.CreateKeys(t, "test") fw.SignContainer(t, framework.SignOptions{ KeyName: "test", - Image: "k3d-registry.localhost:5000/busybox:first", + Image: busyboxOne, }) fw.SignContainer(t, framework.SignOptions{ KeyName: "test", - Image: "k3d-registry.localhost:5000/busybox:second", + Image: busyboxTwo, }) // create a secret with the public key @@ -461,7 +468,7 @@ func testTwoContainersWithInitSinglePubKeyMixedRef(t *testing.T) { InitContainers: []corev1.Container{ { Name: "two-containers-init-singlekey-mixed-ref-first", - Image: "k3d-registry.localhost:5000/busybox:first", + Image: busyboxOne, Command: []string{ "sh", "-c", @@ -485,7 +492,7 @@ func testTwoContainersWithInitSinglePubKeyMixedRef(t *testing.T) { Containers: []corev1.Container{ { Name: "two-containers-init-singlekey-mixed-ref-second", - Image: "k3d-registry.localhost:5000/busybox:second", + Image: busyboxTwo, Command: []string{ "sh", "-c", 
@@ -521,7 +528,7 @@ func testEventEmittedOnSignatureVerification(t *testing.T) { _, pub := fw.CreateKeys(t, "test") fw.SignContainer(t, framework.SignOptions{ KeyName: "test", - Image: "k3d-registry.localhost:5000/busybox:first", + Image: busyboxOne, }) // create a deployment with a single signed container and a public key provided via an environment variable @@ -543,7 +550,7 @@ func testEventEmittedOnSignatureVerification(t *testing.T) { Containers: []corev1.Container{ { Name: "event-emitted-on-verify", - Image: "k3d-registry.localhost:5000/busybox:first", + Image: busyboxOne, Command: []string{ "sh", "-c", @@ -594,7 +601,7 @@ func testEventEmittedOnNoSignatureVerification(t *testing.T) { Containers: []corev1.Container{ { Name: "event-emitted-on-no-verify-needed", - Image: "k3d-registry.localhost:5000/busybox:first", + Image: busyboxOne, Command: []string{"sh", "-c", "echo 'hello world, i am tired and will sleep now, for a bit...'; sleep 60"}, }, }, @@ -623,8 +630,8 @@ func testOneContainerWithCosignRepository(t *testing.T) { _, pub := fw.CreateKeys(t, "test") fw.SignContainer(t, framework.SignOptions{ KeyName: "test", - Image: "k3d-registry.localhost:5000/busybox:first", - SignatureRepo: "k3d-registry.localhost:5000/sigs", + Image: busyboxOne, + SignatureRepo: signatureRepo, }) // create a secret with the public key @@ -657,7 +664,7 @@ func testOneContainerWithCosignRepository(t *testing.T) { Containers: []corev1.Container{ { Name: "one-container-cosign-repo", - Image: "k3d-registry.localhost:5000/busybox:first", + Image: busyboxOne, Command: []string{ "sh", "-c", @@ -677,7 +684,7 @@ func testOneContainerWithCosignRepository(t *testing.T) { }, { Name: webhook.CosignRepositoryEnvVar, - Value: "k3d-registry.localhost:5000/sigs", + Value: signatureRepo, }, }, }, 
@@ -703,8 +710,8 @@ func testOneContainerSinglePubKeyEnvRefRSA(t *testing.T) { _, pub := fw.CreateRSAKeyPair(t, "test") fw.SignContainer(t, framework.SignOptions{ - KeyName: "test", - Image: "k3d-registry.localhost:5000/busybox:first", + KeyName: fmt.Sprintf("test-%s", framework.ImportKeySuffix), + Image: busyboxOne, }) // create a deployment with a single signed container and a public key provided via an environment variable @@ -726,7 +733,7 @@ func testOneContainerSinglePubKeyEnvRefRSA(t *testing.T) { Containers: []corev1.Container{ { Name: "one-container-env-ref-rsa", - Image: "k3d-registry.localhost:5000/busybox:first", + Image: busyboxOne, Command: []string{ "sh", "-c", @@ -759,14 +766,14 @@ func TestTwoContainersSinglePubKeyEnvRefRSA(t *testing.T) { // Create a deployment with two containers signed by the same RSA key _, rsaPub := fw.CreateRSAKeyPair(t, "test") fw.SignContainer(t, framework.SignOptions{ - KeyName: "test", - Image: "k3d-registry.localhost:5000/busybox:first", - SignatureRepo: "k3d-registry.localhost:5000/sigs", + KeyName: fmt.Sprintf("test-%s", framework.ImportKeySuffix), + Image: busyboxOne, + SignatureRepo: signatureRepo, }) fw.SignContainer(t, framework.SignOptions{ - KeyName: "test", - Image: "k3d-registry.localhost:5000/busybox:second", - SignatureRepo: "k3d-registry.localhost:5000/sigs", + KeyName: fmt.Sprintf("test-%s", framework.ImportKeySuffix), + Image: busyboxTwo, + SignatureRepo: signatureRepo, }) depl := appsv1.Deployment{ @@ -787,7 +794,7 @@ func TestTwoContainersSinglePubKeyEnvRefRSA(t *testing.T) { Containers: []corev1.Container{ { Name: "two-containers-single-pubkey-envref", - Image: "k3d-registry.localhost:5000/busybox:first", + Image: busyboxOne, Command: []string{ "sh", "-c", "echo 'hello world, i am tired and will sleep now'; sleep 60", 
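Review bot: The RSA tests now pass `KeyName: fmt.Sprintf("test-%s", framework.ImportKeySuffix)`, but on this page `ImportKeySuffix` is only declared by the later patch 10/17 (`const ImportKeySuffix = "imported"` in test/framework/cosign.go). Unless it is defined in a part of the series not shown here, this commit does not compile on its own, which breaks bisecting. It is also a behaviour change (the tests sign with the imported key file) inside a commit described as a constants refactor. Move these `KeyName` lines into the commit that introduces the import step, or reorder the series. The enclosing test functions start and end outside these hunks.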
@@ -801,7 +808,7 @@ func TestTwoContainersSinglePubKeyEnvRefRSA(t *testing.T) { }, { Name: "two-containers-single-pubkey-envref", - Image: "k3d-registry.localhost:5000/busybox:second", + Image: busyboxTwo, Command: []string{ "sh", "-c", "echo 'hello world, i am tired and will sleep now'; sleep 60", @@ -836,7 +843,7 @@ func testOneContainerSinglePubKeyNoMatchEnvRef(t *testing.T) { _, other := fw.CreateKeys(t, "other") fw.SignContainer(t, framework.SignOptions{ KeyName: "test", - Image: "k3d-registry.localhost:5000/busybox:first", + Image: busyboxOne, }) // create a deployment with a single signed container and a public key provided via an environment variable @@ -858,7 +865,7 @@ func testOneContainerSinglePubKeyNoMatchEnvRef(t *testing.T) { Containers: []corev1.Container{ { Name: "no-match-env-ref", - Image: "k3d-registry.localhost:5000/busybox:first", + Image: busyboxOne, Command: []string{ "sh", "-c", @@ -893,7 +900,7 @@ func testTwoContainersSinglePubKeyMalformedEnvRef(t *testing.T) { _, pub := fw.CreateKeys(t, "test") fw.SignContainer(t, framework.SignOptions{ KeyName: "test", - Image: "k3d-registry.localhost:5000/busybox:first", + Image: busyboxOne, }) // create a deployment with two signed containers and a public key provided via an environment variable @@ -915,7 +922,7 @@ func testTwoContainersSinglePubKeyMalformedEnvRef(t *testing.T) { Containers: []corev1.Container{ { Name: "malformed-env-ref-first", - Image: "k3d-registry.localhost:5000/busybox:first", + Image: busyboxOne, Command: []string{ "sh", "-c", @@ -930,7 +937,7 @@ func testTwoContainersSinglePubKeyMalformedEnvRef(t *testing.T) { }, { Name: "malformed-env-ref-second", - Image: "k3d-registry.localhost:5000/busybox:second", + Image: busyboxTwo, Command: []string{ "sh", "-c", 
@@ -980,7 +987,7 @@ func testOneContainerSinglePubKeyMalformedEnvRef(t *testing.T) { Containers: []corev1.Container{ { Name: "single-malformed-env-ref", - Image: "k3d-registry.localhost:5000/busybox:first", + Image: busyboxOne, Command: []string{ "sh", "-c", @@ -1016,8 +1023,8 @@ func testOneContainerWithCosingRepoVariableMissing(t *testing.T) { _, pub := fw.CreateKeys(t, "test") fw.SignContainer(t, framework.SignOptions{ KeyName: "test", - Image: "k3d-registry.localhost:5000/busybox:first", - SignatureRepo: "k3d-registry.localhost:5000/sigs", + Image: busyboxOne, + SignatureRepo: signatureRepo, }) depl := appsv1.Deployment{ @@ -1038,7 +1045,7 @@ func testOneContainerWithCosingRepoVariableMissing(t *testing.T) { Containers: []corev1.Container{ { Name: "one-container-with-cosign-repo-missing", - Image: "k3d-registry.localhost:5000/busybox:first", + Image: busyboxOne, Command: []string{ "sh", "-c", "echo 'hello world, i can't start because I'm missing an env var...'; sleep 60", From 418485cebde2873e57a49627dd003ecc6d124bab Mon Sep 17 00:00:00 2001 From: Bruno Bressi Date: Sat, 14 Sep 2024 18:17:19 +0200 Subject: [PATCH 09/17] chore: more resilient cleanup The cleanup method can now be called always when a test is run using the framework, as it cleans up whatever is there and ignores the rest. --- test/framework/client.go | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/test/framework/client.go b/test/framework/client.go index eb2973e..dc95225 100644 --- a/test/framework/client.go +++ b/test/framework/client.go @@ -61,6 +61,12 @@ func (f *Framework) Cleanup(t testing.TB) { // cleanupDeployments removes all deployments from the testing namespace // if they exist func (f *Framework) cleanupDeployments(t testing.TB) { + + if f.k8s == nil { + t.Logf("k8s client is nil") + return + } + t.Logf("cleaning up deployments") deployments, err := f.k8s.AppsV1().Deployments("test-cases").List(context.Background(), metav1.ListOptions{}) if err != nil { 
@@ -98,6 +104,12 @@ func (f *Framework) cleanupDeployments(t testing.TB) { // cleanupSecrets removes all secrets from the testing namespace func (f *Framework) cleanupSecrets(t testing.TB) { + + if f.k8s == nil { + t.Logf("k8s client is nil") + return + } + t.Logf("cleaning up secrets") secrets, err := f.k8s.CoreV1().Secrets("test-cases").List(context.Background(), metav1.ListOptions{}) if err != nil { From 9cfc6afe044769c5e099f04a3cc51d65218e1341 Mon Sep 17 00:00:00 2001 From: Bruno Bressi Date: Sat, 14 Sep 2024 18:20:13 +0200 Subject: [PATCH 10/17] fix: rsa keys now properly generated The keys had to be also imported to the cosign format to be usable for signing containers. Additionally, this commit refactors the signing method to use the CLI directly and not the cobra command, which was kind of unintuitive. An additional test, which doesn't run per default was added to test whether the sign method really works. --- test/framework/cosign.go | 84 +++++++++++++++++------------------ test/framework/cosign_test.go | 48 ++++++++++++++++++-- 2 files changed, 84 insertions(+), 48 deletions(-) diff --git a/test/framework/cosign.go b/test/framework/cosign.go index bbd3be3..d073a5a 100644 --- a/test/framework/cosign.go +++ b/test/framework/cosign.go @@ -1,18 +1,25 @@ package framework import ( + "context" "crypto/rand" "crypto/rsa" "crypto/x509" "encoding/pem" "fmt" + "github.com/sigstore/cosign/v2/cmd/cosign/cli/importkeypair" + "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" "os" "regexp" "testing" + "time" "github.com/sigstore/cosign/v2/cmd/cosign/cli" + "github.com/sigstore/cosign/v2/cmd/cosign/cli/sign" ) +const ImportKeySuffix = "imported" + // cleanupKeys removes all keypair files from the testing directory func cleanupKeys(t testing.TB) { t.Logf("cleaning up keypair files") 
@@ -76,19 +83,15 @@ func (f *Framework) CreateRSAKeyPair(t *testing.T, name string) (private string, f.Cleanup(t) t.Fatal(err) } - defer func(privFile *os.File) { - _ = privFile.Close() - }(privFile) - - privPEM := &pem.Block{ + privBytes := pem.EncodeToMemory(&pem.Block{ Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv), - } - - if err = pem.Encode(privFile, privPEM); err != nil { + }) + if _, err = privFile.Write(privBytes); err != nil { f.Cleanup(t) t.Fatal(err) } + _ = privFile.Close() // Generate and save the public key to a PEM file pub := &priv.PublicKey @@ -97,27 +100,29 @@ func (f *Framework) CreateRSAKeyPair(t *testing.T, name string) (private string, f.Cleanup(t) t.Fatal(err) } - defer func(pubFile *os.File) { - _ = pubFile.Close() - }(pubFile) - pubASN1, err := x509.MarshalPKIXPublicKey(pub) - if err != nil { - f.Cleanup(t) - t.Fatal(err) - } - - publicKeyPEM := &pem.Block{ + pubASN1 := x509.MarshalPKCS1PublicKey(pub) + pubBytes := pem.EncodeToMemory(&pem.Block{ Type: "PUBLIC KEY", Bytes: pubASN1, - } - - if err = pem.Encode(pubFile, publicKeyPEM); err != nil { + }) + if _, err = pubFile.Write(pubBytes); err != nil { f.Cleanup(t) t.Fatal(err) } + _ = pubFile.Close() - return string(privPEM.Bytes), string(publicKeyPEM.Bytes) + t.Setenv("COSIGN_PASSWORD", "") + // import the keypair into cosign for signing + err = importkeypair.ImportKeyPairCmd(context.Background(), options.ImportKeyPairOptions{ + Key: fmt.Sprintf("%s.key", name), + OutputKeyPrefix: fmt.Sprintf("%s-%s", name, ImportKeySuffix), + }, []string{}) + if err != nil { + return "", "" + } + + return string(privBytes), string(pubBytes) } // SignOptions is a struct to hold the options for signing a container 
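Review bot: When `importkeypair.ImportKeyPairCmd` fails, the new code in CreateRSAKeyPair does `return "", ""` without reporting the error, whereas every other failure path in the function calls `f.Cleanup(t)` and `t.Fatal(err)`. A caller that does not check for empty strings, such as the e2e tests that put the returned public key straight into the pod's env var, would continue with an empty key and fail later with an unrelated error. Handle it like the other branches: `f.Cleanup(t)` followed by `t.Fatalf("importing keypair into cosign: %v", err)`. Separately, the public key is now encoded with `x509.MarshalPKCS1PublicKey` but still labelled `Type: "PUBLIC KEY"`, which PEM consumers read as PKIX/SPKI; patch 12/17 further down switches back to `MarshalPKIXPublicKey`. The function body starts outside this hunk.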
@@ -129,36 +134,27 @@ type SignOptions struct { // SignContainer signs the container with the provided private key func (f *Framework) SignContainer(t *testing.T, opts SignOptions) { - // TODO: find a way to simplify this function - maybe use cosing CLI directly? // get SHA of the container image t.Setenv("COSIGN_PASSWORD", "") - args := []string{ - "sign", - opts.Image, - } - cmd := cli.New() - _ = cmd.Flags().Set("timeout", "30s") - cmd.SetArgs(args) - - // find the sign subcommand in the commands slice - for _, c := range cmd.Commands() { - if c.Name() == "sign" { - cmd = c - break - } - } // if the signature repository is different from the image, set the COSIGN_REPOSITORY environment variable // to push the signature to the specified repository if opts.SignatureRepo != opts.Image { t.Setenv("COSIGN_REPOSITORY", opts.SignatureRepo) } - - _ = cmd.Flags().Set("key", fmt.Sprintf("%s.key", opts.KeyName)) - _ = cmd.Flags().Set("tlog-upload", "false") - _ = cmd.Flags().Set("yes", "true") - _ = cmd.Flags().Set("allow-http-registry", "true") - err := cmd.Execute() + err := sign.SignCmd( + &options.RootOptions{ + Timeout: 30 * time.Second, + }, + options.KeyOpts{ + KeyRef: fmt.Sprintf("%s.key", opts.KeyName), + }, + options.SignOptions{ + Key: fmt.Sprintf("%s.key", opts.KeyName), + TlogUpload: false, + }, + []string{opts.Image}, + ) if err != nil { f.Cleanup(t) t.Fatal(err) diff --git a/test/framework/cosign_test.go b/test/framework/cosign_test.go index e27cc2e..9dc1397 100644 --- a/test/framework/cosign_test.go +++ b/test/framework/cosign_test.go @@ -1,6 +1,7 @@ package framework import ( + "fmt" "os" "testing" ) 
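Review bot: The rewrite of SignContainer onto `sign.SignCmd` drops two settings the removed cobra path applied, `allow-http-registry=true` and `yes=true`, and the new `options.SignOptions` literal sets neither equivalent. If the local k3d registry is served over plain HTTP, as the old flag suggests, pushing the signature would fail once upload is enabled. Carry both over in the literal with `Registry: options.RegistryOptions{AllowHTTPRegistry: true},` and `SkipConfirmation: true,`, plus a comment that plain HTTP is only acceptable here because the registry is a throwaway local one. The leftover `// get SHA of the container image` comment no longer describes anything in the function and can go.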
@@ -17,22 +18,61 @@ func TestFramework_CreateRSAKeyPair(t *testing.T) { t.Run(tt.name, func(t *testing.T) { f := &Framework{} priv, pub := f.CreateRSAKeyPair(t, tt.name) + defer f.Cleanup(t) if priv == "" || pub == "" { t.Fatal("failed to create RSA key pair") } - privStat, err := os.Stat(tt.name + ".key") + privStat, err := os.Stat(fmt.Sprintf("%s.key", tt.name)) if err != nil || privStat.Size() == 0 { t.Fatal("failed to create private key") } - pubStat, err := os.Stat(tt.name + ".pub") + pubStat, err := os.Stat(fmt.Sprintf("%s.pub", tt.name)) if err != nil || pubStat.Size() == 0 { t.Fatal("failed to create public key") } - _ = os.Remove(tt.name + ".key") - _ = os.Remove(tt.name + ".pub") + coPrivStat, err := os.Stat("import-cosign.key") + if err != nil || coPrivStat.Size() == 0 { + t.Fatal("failed to create cosign private key") + } + coPubStat, err := os.Stat("import-cosign.pub") + if err != nil || coPubStat.Size() == 0 { + t.Fatal("failed to create cosign public key") + } + }) } } + +// TestFramework_SignContainer_RSA generates an RSA keypair and signs a container image +// with the private key. The key is generated using the CreateRSAKeyPair function. +func TestFramework_SignContainer_RSA(t *testing.T) { + + if os.Getenv("COSIGN_INTEGRATION") == "" { + t.Skip() + } + + f := &Framework{} + name := "testkey" + priv, pub := f.CreateRSAKeyPair(t, name) + defer f.Cleanup(t) + if priv == "" || pub == "" { + t.Fatal("failed to create RSA key pair") + } + + privStat, err := os.Stat(fmt.Sprintf("%s.key", name)) + if err != nil || privStat.Size() == 0 { + t.Fatal("failed to create private key") + } + pubStat, err := os.Stat(fmt.Sprintf("%s.pub", name)) + if err != nil || pubStat.Size() == 0 { + t.Fatal("failed to create public key") + } + + f.SignContainer(t, SignOptions{ + KeyName: fmt.Sprintf("%s-%s", name, ImportKeySuffix), + Image: "busybox", + }) +} From 3eb2a0e44fb4992936e7b90a102a173456152f41 Mon Sep 17 00:00:00 2001 
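Review bot: The added assertions in TestFramework_CreateRSAKeyPair stat `"import-cosign.key"` and `"import-cosign.pub"`, but CreateRSAKeyPair in the same patch imports with `OutputKeyPrefix: fmt.Sprintf("%s-%s", name, ImportKeySuffix)`, so the files it produces should be named `<name>-imported.key` and `<name>-imported.pub`. The checks would then fail, or pass only because of stale files left by a manual `cosign import-key-pair`. Derive the names the same way the framework does: `os.Stat(fmt.Sprintf("%s-%s.key", tt.name, ImportKeySuffix))` and the `.pub` counterpart. In TestFramework_SignContainer_RSA, `Image: "busybox"` is an unqualified reference, which would normally resolve to the default public registry rather than the local test registry. A fully qualified local reference keeps the integration test self-contained.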
From: Bruno Bressi Date: Sat, 14 Sep 2024 18:20:53 +0200 Subject: [PATCH 11/17] chore: formatting Signed-off-by: Bruno Bressi --- test/framework/client.go | 2 -- test/framework/cosign.go | 5 +++-- test/framework/cosign_test.go | 2 -- 3 files changed, 3 insertions(+), 6 deletions(-) diff --git a/test/framework/client.go b/test/framework/client.go index dc95225..0b2c073 100644 --- a/test/framework/client.go +++ b/test/framework/client.go @@ -61,7 +61,6 @@ func (f *Framework) Cleanup(t testing.TB) { // cleanupDeployments removes all deployments from the testing namespace // if they exist func (f *Framework) cleanupDeployments(t testing.TB) { - if f.k8s == nil { t.Logf("k8s client is nil") return @@ -104,7 +103,6 @@ func (f *Framework) cleanupDeployments(t testing.TB) { // cleanupSecrets removes all secrets from the testing namespace func (f *Framework) cleanupSecrets(t testing.TB) { - if f.k8s == nil { t.Logf("k8s client is nil") return diff --git a/test/framework/cosign.go b/test/framework/cosign.go index d073a5a..5d37fc1 100644 --- a/test/framework/cosign.go +++ b/test/framework/cosign.go @@ -7,13 +7,14 @@ import ( "crypto/x509" "encoding/pem" "fmt" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/importkeypair" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" "os" "regexp" "testing" "time" + "github.com/sigstore/cosign/v2/cmd/cosign/cli/importkeypair" + "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v2/cmd/cosign/cli" "github.com/sigstore/cosign/v2/cmd/cosign/cli/sign" ) diff --git a/test/framework/cosign_test.go b/test/framework/cosign_test.go index 9dc1397..76742e6 100644 --- a/test/framework/cosign_test.go +++ b/test/framework/cosign_test.go @@ -41,7 +41,6 @@ func TestFramework_CreateRSAKeyPair(t *testing.T) { if err != nil || coPubStat.Size() == 0 { t.Fatal("failed to create cosign public key") } - }) } } 
@@ -49,7 +48,6 @@ func TestFramework_CreateRSAKeyPair(t *testing.T) { // TestFramework_SignContainer_RSA generates an RSA keypair and signs a container image // with the private key. The key is generated using the CreateRSAKeyPair function. func TestFramework_SignContainer_RSA(t *testing.T) { - if os.Getenv("COSIGN_INTEGRATION") == "" { t.Skip() } From 4f21ff34136a83054ba9bb13ff10c36aeebbc81f Mon Sep 17 00:00:00 2001 From: Bruno Bressi Date: Sun, 15 Sep 2024 13:19:55 +0200 Subject: [PATCH 12/17] fix: signing and RSA public key fixes Since the switch to the `sign` module, the signatures of the ephemeral images being used in tests were not uploaded to the repository. This resulted in test failure, as the public key had no signature to verify. Additionally, the errors with the RSA private key not being suited for image signing and verification are also solved in this commit. The proper encoding algorithms are now used and the the correct values are returned. The imported public key and the generated one are now the same, and the signing private key has the correct header now. WIP. --- test/framework/cosign.go | 48 ++++++++++++++++++++++++---------------- 1 file changed, 29 insertions(+), 19 deletions(-) diff --git a/test/framework/cosign.go b/test/framework/cosign.go index 5d37fc1..dc05d4c 100644 --- a/test/framework/cosign.go +++ b/test/framework/cosign.go 
@@ -79,39 +79,34 @@ func (f *Framework) CreateRSAKeyPair(t *testing.T, name string) (private string, t.Fatal(err) } - privFile, err := os.Create(fmt.Sprintf("%s.key", name)) - if err != nil { - f.Cleanup(t) - t.Fatal(err) - } privBytes := pem.EncodeToMemory(&pem.Block{ Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv), }) - if _, err = privFile.Write(privBytes); err != nil { - f.Cleanup(t) - t.Fatal(err) + + err = os.WriteFile(fmt.Sprintf("%s.key", name), privBytes, 0o644) + if err != nil { + t.Errorf("failed to write private key to file: %v", err) + return "", "" } - _ = privFile.Close() // Generate and save the public key to a PEM file pub := &priv.PublicKey - pubFile, err := os.Create(fmt.Sprintf("%s.pub", name)) + + pubASN1, err := x509.MarshalPKIXPublicKey(pub) if err != nil { f.Cleanup(t) t.Fatal(err) } - - pubASN1 := x509.MarshalPKCS1PublicKey(pub) pubBytes := pem.EncodeToMemory(&pem.Block{ Type: "PUBLIC KEY", Bytes: pubASN1, }) - if _, err = pubFile.Write(pubBytes); err != nil { - f.Cleanup(t) - t.Fatal(err) + err = os.WriteFile(fmt.Sprintf("%s.pub", name), pubBytes, 0o644) + if err != nil { + t.Errorf("failed to write public key to file: %v", err) + return "", "" } - _ = pubFile.Close() t.Setenv("COSIGN_PASSWORD", "") // import the keypair into cosign for signing 
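Review bot: The private key is written world-readable by `os.WriteFile(fmt.Sprintf("%s.key", name), privBytes, 0o644)`, so the unencrypted PKCS#1 PEM can be read by any local user until cleanup removes it. Use `0o600` for the `.key` file; `0o644` is fine for the `.pub` file. The same `0o644` write is carried unchanged into the `CreateRSAKeyPair` rewrite in patch 17. As a style point, this hunk reports write failures with `t.Errorf` plus `return "", ""` but the marshal failure with `f.Cleanup(t)` plus `t.Fatal(err)`; one convention throughout would be easier to follow. The function body starts and ends outside this hunk.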
@@ -120,15 +115,29 @@ func (f *Framework) CreateRSAKeyPair(t *testing.T, name string) (private string, OutputKeyPrefix: fmt.Sprintf("%s-%s", name, ImportKeySuffix), }, []string{}) if err != nil { + t.Errorf("failed to import keypair to cosign: %v", err) return "", "" } + // read private key and public key from the current directory + privBytes, err = os.ReadFile(fmt.Sprintf("%s-%s.key", name, ImportKeySuffix)) + if err != nil { + f.Cleanup(t) + t.Fatal(err) + } + + pubBytes, err = os.ReadFile(fmt.Sprintf("%s-%s.pub", name, ImportKeySuffix)) + if err != nil { + f.Cleanup(t) + t.Fatal(err) + } + return string(privBytes), string(pubBytes) } // SignOptions is a struct to hold the options for signing a container type SignOptions struct { - KeyName string + KeyPath string Image string SignatureRepo string } @@ -148,11 +157,12 @@ func (f *Framework) SignContainer(t *testing.T, opts SignOptions) { Timeout: 30 * time.Second, }, options.KeyOpts{ - KeyRef: fmt.Sprintf("%s.key", opts.KeyName), + KeyRef: opts.KeyPath, }, options.SignOptions{ - Key: fmt.Sprintf("%s.key", opts.KeyName), + Key: opts.KeyPath, TlogUpload: false, + Upload: true, }, []string{opts.Image}, ) From 769ac73f081dc13979d3acfa137cc1688d2b31d9 Mon Sep 17 00:00:00 2001 From: Bruno Bressi Date: Sun, 15 Sep 2024 14:57:14 +0200 Subject: [PATCH 13/17] test: added signImage test for RSA A simple test locke behind an env variable to test whether an RSA key can be used to sign a container image. In the future, this test should be an autonomous integration test and not be connected to the busybox image created during the E2E preparation --- test/framework/cosign_test.go | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/test/framework/cosign_test.go b/test/framework/cosign_test.go index 76742e6..83754fe 100644 --- a/test/framework/cosign_test.go +++ b/test/framework/cosign_test.go 
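Review bot: In the `SignContainer` hunk, `TlogUpload: false` now sits next to the added `Upload: true` with no comment saying that test signatures are pushed to the registry but deliberately kept out of the transparency log. A comment such as `// e2e only: signature is uploaded to the local registry, no transparency log entry is written` would stop this option set from being copied into a real signing path. The verifying side is not visible from this hunk, so whether it also skips the log check should be confirmed and noted alongside.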
@@ -33,14 +33,29 @@ func TestFramework_CreateRSAKeyPair(t *testing.T) { t.Fatal("failed to create public key") } - coPrivStat, err := os.Stat("import-cosign.key") + coPrivStat, err := os.Stat(fmt.Sprintf("%s-%s.key", tt.name, ImportKeySuffix)) + if err != nil || coPrivStat.Size() == 0 { t.Fatal("failed to create cosign private key") } - coPubStat, err := os.Stat("import-cosign.pub") + coPubStat, err := os.Stat(fmt.Sprintf("%s-%s.pub", tt.name, ImportKeySuffix)) + if err != nil || coPubStat.Size() == 0 { t.Fatal("failed to create cosign public key") } + + // pub keys should be the same + pubBytes, err := os.ReadFile(fmt.Sprintf("%s.pub", tt.name)) + if err != nil { + t.Fatal(err) + } + coPubBytes, err := os.ReadFile(fmt.Sprintf("%s-%s.pub", tt.name, ImportKeySuffix)) + if err != nil { + t.Fatal(err) + } + if string(pubBytes) != string(coPubBytes) { + t.Fatal("public keys do not match. expected: ", string(pubBytes), " got: ", string(coPubBytes)) + } }) } } @@ -48,7 +63,7 @@ func TestFramework_CreateRSAKeyPair(t *testing.T) { // TestFramework_SignContainer_RSA generates an RSA keypair and signs a container image // with the private key. The key is generated using the CreateRSAKeyPair function. func TestFramework_SignContainer_RSA(t *testing.T) { - if os.Getenv("COSIGN_INTEGRATION") == "" { + if os.Getenv("COSIGN_E2E") == "" { t.Skip() } @@ -70,7 +85,7 @@ func TestFramework_SignContainer_RSA(t *testing.T) { } f.SignContainer(t, SignOptions{ - KeyName: fmt.Sprintf("%s-%s", name, ImportKeySuffix), - Image: "busybox", + KeyPath: fmt.Sprintf("%s-%s.key", name, ImportKeySuffix), + Image: "k3d-registry.localhost:5000/busybox:first", }) } From 956662adba36d629bc5ea6839f476dd2449fa400 Mon Sep 17 00:00:00 2001 
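Review bot: The two `os.Stat` checks in the first hunk discard `err`, so a failure prints only "failed to create cosign private key" without saying whether the file is missing, unreadable or empty. Reporting the path and error, for example `t.Fatalf("cosign private key %q missing or empty: %v", path, err)`, makes a failed import diagnosable from CI output. The new public-key comparison could use `bytes.Equal(pubBytes, coPubBytes)` instead of converting both slices to strings, provided `bytes` is imported. The test does not check the mode of the generated `.key` files, which would be the natural place to pin an owner-only permission.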
From: Bruno Bressi Date: Sun, 15 Sep 2024 15:00:18 +0200 Subject: [PATCH 14/17] chore: fixed E2E test Housekeeping commit to refactor the tests so they use the new keypath argument, which allows them more flexibility and opens up for a future refactoring to simplify the test suite and allow to run the same test suite for multiple input keys (ECDSA, RSA). --- test/main_test.go | 1 + test/webhook_test.go | 48 +++++++++++++++++++++----------------------- 2 files changed, 24 insertions(+), 25 deletions(-) diff --git a/test/main_test.go b/test/main_test.go index 183018c..43aa93c 100644 --- a/test/main_test.go +++ b/test/main_test.go @@ -17,6 +17,7 @@ func TestPassingDeployments(t *testing.T) { "EventEmittedOnNoSignatureVerification": testEventEmittedOnNoSignatureVerification, "OneContainerWIthCosignRepository": testOneContainerWithCosignRepository, "OneContainerSinglePubKeyEnvRefRSA": testOneContainerSinglePubKeyEnvRefRSA, + "TwoContainersSinglePubKeyEnvRefRSA": TestTwoContainersSinglePubKeyEnvRefRSA, } for name, tf := range testFuncs { diff --git a/test/webhook_test.go b/test/webhook_test.go index 700f9d3..b2da4e7 100644 --- a/test/webhook_test.go +++ b/test/webhook_test.go @@ -17,7 +17,7 @@ var terminationGracePeriodSeconds int64 = 3 const ( busyboxOne = "k3d-registry.localhost:5000/busybox:first" busyboxTwo = "k3d-registry.localhost:5000/busybox:second" - signatureRepo = "k3d-registry.localhost:5000" + signatureRepo = "k3d-registry.localhost:5000/sigs" ) // testOneContainerSinglePubKeyEnvRef tests that a deployment with a single signed container, @@ -30,7 +30,7 @@ func testOneContainerSinglePubKeyEnvRef(t *testing.T) { _, pub := fw.CreateKeys(t, "test") fw.SignContainer(t, framework.SignOptions{ - KeyName: "test", + KeyPath: "test.key", Image: busyboxOne, }) 
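Review bot: The new `testFuncs` entry in `test/main_test.go` registers `TestTwoContainersSinglePubKeyEnvRefRSA`, which starts with a capital `Test` and takes `*testing.T`, unlike the other map values. `go test` therefore also discovers it as a top-level test, so it runs once on its own and again as a subtest of `TestPassingDeployments`. Both runs create the key pair named "test" and deploy into the same namespace. Renaming it to `testTwoContainersSinglePubKeyEnvRefRSA`, in the map and at its definition in `webhook_test.go`, matches the other entries and leaves a single execution.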
@@ -87,11 +87,11 @@ func testTwoContainersSinglePubKeyEnvRef(t *testing.T) { _, pub := fw.CreateKeys(t, "test") fw.SignContainer(t, framework.SignOptions{ - KeyName: "test", + KeyPath: "test.key", Image: busyboxOne, }) fw.SignContainer(t, framework.SignOptions{ - KeyName: "test", + KeyPath: "test.key", Image: busyboxTwo, }) @@ -163,7 +163,7 @@ func testOneContainerSinglePubKeySecretRef(t *testing.T) { _, pub := fw.CreateKeys(t, "test") fw.SignContainer(t, framework.SignOptions{ - KeyName: "test", + KeyPath: "test.key", Image: busyboxOne, }) @@ -240,11 +240,11 @@ func testTwoContainersMixedPubKeyMixedRef(t *testing.T) { _, pub1 := fw.CreateKeys(t, "test1") _, pub2 := fw.CreateKeys(t, "test2") fw.SignContainer(t, framework.SignOptions{ - KeyName: "test1", + KeyPath: "test1.key", Image: busyboxOne, }) fw.SignContainer(t, framework.SignOptions{ - KeyName: "test2", + KeyPath: "test2.key", Image: busyboxTwo, }) @@ -335,11 +335,11 @@ func testTwoContainersSinglePubKeyMixedRef(t *testing.T) { _, pub := fw.CreateKeys(t, "test") fw.SignContainer(t, framework.SignOptions{ - KeyName: "test", + KeyPath: "test.key", Image: busyboxOne, }) fw.SignContainer(t, framework.SignOptions{ - KeyName: "test", + KeyPath: "test.key", Image: busyboxTwo, }) @@ -430,11 +430,11 @@ func testTwoContainersWithInitSinglePubKeyMixedRef(t *testing.T) { _, pub := fw.CreateKeys(t, "test") fw.SignContainer(t, framework.SignOptions{ - KeyName: "test", + KeyPath: "test.key", Image: busyboxOne, }) fw.SignContainer(t, framework.SignOptions{ - KeyName: "test", + KeyPath: "test.key", Image: busyboxTwo, }) @@ -527,7 +527,7 @@ func testEventEmittedOnSignatureVerification(t *testing.T) { _, pub := fw.CreateKeys(t, "test") fw.SignContainer(t, framework.SignOptions{ - KeyName: "test", + KeyPath: "test.key", Image: busyboxOne, }) 
@@ -629,7 +629,7 @@ func testOneContainerWithCosignRepository(t *testing.T) { _, pub := fw.CreateKeys(t, "test") fw.SignContainer(t, framework.SignOptions{ - KeyName: "test", + KeyPath: "test.key", Image: busyboxOne, SignatureRepo: signatureRepo, }) @@ -710,7 +710,7 @@ func testOneContainerSinglePubKeyEnvRefRSA(t *testing.T) { _, pub := fw.CreateRSAKeyPair(t, "test") fw.SignContainer(t, framework.SignOptions{ - KeyName: fmt.Sprintf("test-%s", framework.ImportKeySuffix), + KeyPath: fmt.Sprintf("test-%s.key", framework.ImportKeySuffix), Image: busyboxOne, }) @@ -766,14 +766,12 @@ func TestTwoContainersSinglePubKeyEnvRefRSA(t *testing.T) { // Create a deployment with two containers signed by the same RSA key _, rsaPub := fw.CreateRSAKeyPair(t, "test") fw.SignContainer(t, framework.SignOptions{ - KeyName: fmt.Sprintf("test-%s", framework.ImportKeySuffix), - Image: busyboxOne, - SignatureRepo: signatureRepo, + KeyPath: fmt.Sprintf("test-%s.key", framework.ImportKeySuffix), + Image: busyboxOne, }) fw.SignContainer(t, framework.SignOptions{ - KeyName: fmt.Sprintf("test-%s", framework.ImportKeySuffix), - Image: busyboxTwo, - SignatureRepo: signatureRepo, + KeyPath: fmt.Sprintf("test-%s.key", framework.ImportKeySuffix), + Image: busyboxTwo, }) depl := appsv1.Deployment{ @@ -793,7 +791,7 @@ func TestTwoContainersSinglePubKeyEnvRefRSA(t *testing.T) { TerminationGracePeriodSeconds: &terminationGracePeriodSeconds, Containers: []corev1.Container{ { - Name: "two-containers-single-pubkey-envref", + Name: "two-containers-same-rsa-pub-key-env-ref-first", Image: busyboxOne, Command: []string{ "sh", "-c", @@ -807,7 +805,7 @@ func TestTwoContainersSinglePubKeyEnvRefRSA(t *testing.T) { }, }, { - Name: "two-containers-single-pubkey-envref", + Name: "two-containers-same-rsa-pub-key-env-ref-second", Image: busyboxTwo, Command: []string{ "sh", "-c", 
@@ -842,7 +840,7 @@ func testOneContainerSinglePubKeyNoMatchEnvRef(t *testing.T) { _, _ = fw.CreateKeys(t, "test") _, other := fw.CreateKeys(t, "other") fw.SignContainer(t, framework.SignOptions{ - KeyName: "test", + KeyPath: "test.key", Image: busyboxOne, }) @@ -899,7 +897,7 @@ func testTwoContainersSinglePubKeyMalformedEnvRef(t *testing.T) { _, pub := fw.CreateKeys(t, "test") fw.SignContainer(t, framework.SignOptions{ - KeyName: "test", + KeyPath: "test.key", Image: busyboxOne, }) @@ -1022,7 +1020,7 @@ func testOneContainerWithCosingRepoVariableMissing(t *testing.T) { _, pub := fw.CreateKeys(t, "test") fw.SignContainer(t, framework.SignOptions{ - KeyName: "test", + KeyPath: "test.key", Image: busyboxOne, SignatureRepo: signatureRepo, }) From 5683ab281eadc1d54ce3441c88869ffc6f45cb39 Mon Sep 17 00:00:00 2001 From: Bruno Bressi Date: Mon, 16 Sep 2024 17:49:18 +0200 Subject: [PATCH 15/17] chore: removed double @@ This was a typo Signed-off-by: Bruno Bressi --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 86ea820..fc1669e 100644 --- a/Makefile +++ b/Makefile @@ -22,7 +22,7 @@ e2e-cluster: @echo "Creating registry..." @k3d registry create registry.localhost --port $(PORT) @echo "Adding registry to cluster..." - @@uname -m | grep -q 'Darwin' && export K3D_FIX_DNS=0; k3d cluster create cosign-tests --registry-use k3d-registry.localhost:$(PORT) + @uname -m | grep -q 'Darwin' && export K3D_FIX_DNS=0; k3d cluster create cosign-tests --registry-use k3d-registry.localhost:$(PORT) @echo "Create test namespace..." @kubectl create namespace test-cases From abe5e4113eec786b3079ee11069c9501c033e32e Mon Sep 17 00:00:00 2001 From: Bruno Bressi Date: Mon, 16 Sep 2024 17:52:42 +0200 Subject: [PATCH 16/17] docs: explanation of dns flag in e2e tests [skip ci] Signed-off-by: Bruno Bressi --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 0633959..08e1cf6 100644 
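Review bot: In the `e2e-cluster` recipe, `uname -m` prints the machine architecture (for example `arm64` or `x86_64`), so `grep -q 'Darwin'` should never match and `K3D_FIX_DNS=0` is never exported; this commit only removes the doubled `@`. `uname -s` is the call that reports `Darwin`, so the line would become `@uname -s | grep -q 'Darwin' && export K3D_FIX_DNS=0; k3d cluster create cosign-tests --registry-use k3d-registry.localhost:$(PORT)`. The README paragraph added in patch 16 spells the variable `K3S_FIX_DNS`, which does not match the `K3D_FIX_DNS` used here. The recipe starts outside this hunk.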
--- a/README.md +++ b/README.md @@ -150,12 +150,12 @@ make test-e2e ### E2E tests The E2E tests require a running kubernetes cluster. Currently, the namespace and webhook are deployed via helper make -targets. To run the tests the following is required: +targets. To only run the tests, the following is required: * docker * cosign (v2) -To run the E2E tests, the following steps are required (in order): +To run the whole E2E tests, the following steps are required (in order): * create a k3d local cluster for the tests and a local iamge registry (`make e2e-cluster`) * signing keys are generated (`make e2e-keys`) @@ -167,6 +167,8 @@ up the E2E setup, run `make e2e-cleanup`. This will delete everything created by the E2E preparation. If you've already created the cluster and the keys, and you're actively testing new code, you may run `make e2e-images e2e-deploy test-e2e` to test your changes. +In case you're running the tests on Apple devices, you may need to use deactivate the k3s dns fix (already implemented in the makefile). If your containers in the cluster don't start by skipping the fix, you may set `K3S_FIX_DNS` back to `1` in the `e2e-cluster` target. + ## Local build ```bash From 6b3f0ca9cb9c7d76b2aeec25d6e0aa5f8724e8cb Mon Sep 17 00:00:00 2001 From: Bruno Bressi <52347078+puffitos@users.noreply.github.com> Date: Fri, 20 Sep 2024 10:31:34 +0200 Subject: [PATCH 17/17] Refactor E2E test suite + add RSA tests (#60) * refactor: own struct for keys The tests have been refactored to use a dedicated struct for the private and public keys, which contains the key itself and the path to it. This will allow a bigger refactoring of the E2E tests, so that each test case can be run independently of what type of key is used for signing & validation 
Signed-off-by: Bruno Bressi * refactor: use private key variable Instead of hardcoding the path in all tests, the value is derived from the previously unused private key variable returned. This way, the tests can now be refactored to run by only passing the key creation function Signed-off-by: Bruno Bressi * refactor: [WIP] framework wraps testing.T The framework struct has been refactored to abstract the golang testing framework. This allows the E2E test cases to be written without having to create a new framework for each test. The framework functions now do not have to do a lot of micromanagement and cleanup; they just check whether an error has happened and they return. This allows for new functions to be written without having to think about whether to fail the test or not. The cleanup function takes care of the final step; cleaning up everything and then deciding whether the test failed or passed. Additionally, a new type is introduced, which will be used to wrap the test cases, so they can be run using t.Run. * refactor: use new testing schema The test cases are now refactored to accept a signing function, so that the same test can be run regardless of RSA/ECDSA key without having to write too much duplicate code. The new function type is used for the signing function and each test case must now return the set of actions required for the use case to be tested, wrapped in a func which returns testing.T, so it may be run by the t.Run method. * chore: added E2E variable Added variable so that the additional E2E test is also executed. This test must be refactored in a future commit/ removed, as it depends on an image already being present on the machine running the test. * test: added rsa tests cases Each case tested for ECDSA keys is now also tested for RSA keys. The tests were also accelerated by reducing the delay between checks from 5s to 500m Signed-off-by: Bruno Bressi --------- 
Signed-off-by: Bruno Bressi --- Makefile | 2 +- test/framework/client.go | 196 ++++++++------ test/framework/cosign.go | 146 +++++++---- test/framework/cosign_test.go | 22 +- test/main_test.go | 31 ++- test/webhook_test.go | 471 +++++++++++----------------------- 6 files changed, 399 insertions(+), 469 deletions(-) diff --git a/Makefile b/Makefile index fc1669e..eb6a832 100644 --- a/Makefile +++ b/Makefile @@ -7,7 +7,7 @@ PORT := 5000 .PHONY: test-e2e test-e2e: @echo "Running e2e tests..." - @go test -v -race -count 1 ./test/ + @export COSIGN_E2E="42" && go test -v -race -count 1 ./test/ .PHONY: test-unit test-unit: diff --git a/test/framework/client.go b/test/framework/client.go index 0b2c073..301926c 100644 --- a/test/framework/client.go +++ b/test/framework/client.go @@ -18,9 +18,16 @@ import ( // the cosignwebhook in a k8s cluster type Framework struct { k8s *kubernetes.Clientset + t *testing.T + err error } -func New() (*Framework, error) { +// New creates a new Framework +func New(t *testing.T) (*Framework, error) { + if t == nil { + return nil, fmt.Errorf("test object must not be nil") + } + k8s, err := createClientSet() if err != nil { return nil, err @@ -28,6 +35,7 @@ func New() (*Framework, error) { return &Framework{ k8s: k8s, + t: t, }, nil } @@ -37,7 +45,6 @@ func createClientSet() (k8sClient *kubernetes.Clientset, err error) { kubeconfig = os.Getenv("HOME") + "/.kube/config" } - // create restconfig from kubeconfig config, err := clientcmd.BuildConfigFromFlags("", kubeconfig) if err != nil { return nil, err 
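Review bot: The `test-e2e` recipe still passes `./test/` to `go test`, which selects only the package in `test/`. The test gated on `COSIGN_E2E` in this series, `TestFramework_SignContainer_RSA`, lives in `test/framework/cosign_test.go`, so exporting the variable here does not appear to make it run. If the intent is to run it, use `./test/...`, and the variable can be set inline: `@COSIGN_E2E="42" go test -v -race -count 1 ./test/...`. Whether any test under `test/` itself reads `COSIGN_E2E` is not visible from these hunks.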
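Review bot: The new `t` and `err` fields on `Framework` in `test/framework/client.go` have no comments, although the rest of this patch depends on their contract. I would add `// t is the test this framework reports to; it must be non-nil` and `// err records a failure from a framework call; methods return early while it is set and Cleanup fails the test with it`. The framework tests build `&Framework{t: t}` directly and bypass the nil check in `New`. The doc comment on `New` could therefore say that a zero `k8s` client is tolerated only by the cleanup helpers.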
@@ -52,31 +59,33 @@ func createClientSet() (k8sClient *kubernetes.Clientset, err error) { // Cleanup removes all resources created by the framework // and cleans up the testing directory. -func (f *Framework) Cleanup(t testing.TB) { - cleanupKeys(t) - f.cleanupDeployments(t) - f.cleanupSecrets(t) +func (f *Framework) Cleanup() { + f.cleanupKeys() + f.cleanupDeployments() + f.cleanupSecrets() + if f.err != nil { + f.t.Fatal(f.err) + } } // cleanupDeployments removes all deployments from the testing namespace // if they exist -func (f *Framework) cleanupDeployments(t testing.TB) { +func (f *Framework) cleanupDeployments() { if f.k8s == nil { - t.Logf("k8s client is nil") return } - t.Logf("cleaning up deployments") + f.t.Logf("cleaning up deployments") deployments, err := f.k8s.AppsV1().Deployments("test-cases").List(context.Background(), metav1.ListOptions{}) if err != nil { - f.Cleanup(t) - t.Fatal(err) + f.err = err + return } for _, d := range deployments.Items { err = f.k8s.AppsV1().Deployments("test-cases").Delete(context.Background(), d.Name, metav1.DeleteOptions{}) if err != nil { - f.Cleanup(t) - t.Fatal(err) + f.err = err + return } } 
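Review bot: `cleanupDeployments` assigns `f.err = err` unconditionally, and `Cleanup` runs all three cleanup helpers before it looks at `f.err`. A failure while listing or deleting deployments therefore replaces the error that actually failed the test, and `f.t.Fatal(f.err)` then reports only the cleanup problem. Keeping both, for example `f.err = errors.Join(f.err, err)` (this needs the `errors` import and Go 1.20 or later), or assigning only when `f.err` is nil, preserves the original cause. The same pattern is in `cleanupSecrets` in the next hunk and in `cleanupKeys` in `cosign.go`.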
@@ -84,84 +93,102 @@ func (f *Framework) cleanupDeployments(t testing.TB) { for { select { case <-timeout: - f.Cleanup(t) + f.err = fmt.Errorf("timeout reached while waiting for deployments to be deleted") default: pods, err := f.k8s.CoreV1().Pods("test-cases").List(context.Background(), metav1.ListOptions{}) if err != nil { - f.Cleanup(t) - t.Fatal(err) + f.err = err + return } if len(pods.Items) == 0 { - t.Logf("All pods are deleted") + f.t.Logf("All pods are deleted") return } - time.Sleep(5 * time.Second) + time.Sleep(500 * time.Millisecond) } } } // cleanupSecrets removes all secrets from the testing namespace -func (f *Framework) cleanupSecrets(t testing.TB) { +func (f *Framework) cleanupSecrets() { if f.k8s == nil { - t.Logf("k8s client is nil") return } - t.Logf("cleaning up secrets") + f.t.Logf("cleaning up secrets") secrets, err := f.k8s.CoreV1().Secrets("test-cases").List(context.Background(), metav1.ListOptions{}) if err != nil { - f.Cleanup(t) - t.Fatal(err) + f.err = err + return } if len(secrets.Items) == 0 { + f.t.Log("no secrets to delete") return } for _, s := range secrets.Items { err = f.k8s.CoreV1().Secrets("test-cases").Delete(context.Background(), s.Name, metav1.DeleteOptions{}) if err != nil { - f.Cleanup(t) - t.Fatal(err) + f.err = err + return } } + f.t.Log("all secrets are deleted") } // GetPods returns the pod(s) of the deployment. 
The fetch is done by label selector (app=) // If the get request fails, the test will fail and the framework will be cleaned up -func (f *Framework) GetPods(t *testing.T, d appsv1.Deployment) *corev1.PodList { - pods, err := f.k8s.CoreV1().Pods("test-cases").List(context.Background(), metav1.ListOptions{ +func (f *Framework) GetPods(d appsv1.Deployment) *corev1.PodList { + if f.err != nil { + return nil + } + + pods, err := f.k8s.CoreV1().Pods(d.Namespace).List(context.Background(), metav1.ListOptions{ LabelSelector: fmt.Sprintf("app=%s", d.Name), }) if err != nil { - f.Cleanup(t) - t.Fatal(err) + f.err = err } return pods } // CreateDeployment creates a deployment in the testing namespace -func (f *Framework) CreateDeployment(t testing.TB, d appsv1.Deployment) { - _, err := f.k8s.AppsV1().Deployments("test-cases").Create(context.Background(), &d, metav1.CreateOptions{}) +func (f *Framework) CreateDeployment(d appsv1.Deployment) { + if f.err != nil { + return + } + + f.t.Logf("creating deployment %s", d.Name) + _, err := f.k8s.AppsV1().Deployments(d.Namespace).Create(context.Background(), &d, metav1.CreateOptions{}) if err != nil { - f.Cleanup(t) - t.Fatal(err) + f.err = err + return } + f.t.Logf("deployment %s created", d.Name) } // CreateSecret creates a secret in the testing namespace -func (f *Framework) CreateSecret(t *testing.T, secret corev1.Secret) { - t.Logf("creating secret %s", secret.Name) - s, err := f.k8s.CoreV1().Secrets("test-cases").Create(context.Background(), &secret, metav1.CreateOptions{}) +func (f *Framework) CreateSecret(s corev1.Secret) { + if f.err != nil { + return + } + + f.t.Logf("creating secret %s", s.Name) + _, err := f.k8s.CoreV1().Secrets(s.Namespace).Create(context.Background(), &s, metav1.CreateOptions{}) if err != nil { - f.Cleanup(t) - t.Fatal(err) + f.err = err + return } - t.Logf("created secret %s", s.Name) + f.t.Logf("secret %s created", s.Name) } // WaitForDeployment waits until the deployment is ready -func (f *Framework) 
WaitForDeployment(t *testing.T, d appsv1.Deployment) { - t.Logf("waiting for deployment %s to be ready", d.Name) +func (f *Framework) WaitForDeployment(d appsv1.Deployment) { + if f.err != nil { + return + } + + f.t.Logf("waiting for deployment %s to be ready", d.Name) // wait until the deployment is ready ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second) defer cancel() @@ -169,39 +196,42 @@ func (f *Framework) WaitForDeployment(t *testing.T, d appsv1.Deployment) { FieldSelector: fmt.Sprintf("metadata.name=%s", d.Name), }) if err != nil { - f.Cleanup(t) - t.Fatal(err) + f.err = err + return } for { select { case <-ctx.Done(): - f.Cleanup(t) - t.Fatal("timeout reached while waiting for deployment to be ready") + f.err = fmt.Errorf("timeout reached while waiting for deployment to be ready") case event := <-w.ResultChan(): deployment, ok := event.Object.(*appsv1.Deployment) if !ok { - time.Sleep(5 * time.Second) + time.Sleep(500 * time.Millisecond) continue } if deployment.Status.ReadyReplicas == 1 { - t.Logf("deployment %s is ready", d.Name) + f.t.Logf("deployment %s is ready", d.Name) return } - time.Sleep(5 * time.Second) + time.Sleep(500 * time.Millisecond) } } } // waitForReplicaSetCreation waits for the replicaset of the given deployment to be created -func (f *Framework) waitForReplicaSetCreation(t *testing.T, d appsv1.Deployment) (string, error) { - rs, err := f.k8s.AppsV1().ReplicaSets("test-cases").Watch(context.Background(), metav1.ListOptions{ +func (f *Framework) waitForReplicaSetCreation(d appsv1.Deployment) string { + if f.err != nil { + return "" + } + + rs, err := f.k8s.AppsV1().ReplicaSets(d.Namespace).Watch(context.Background(), metav1.ListOptions{ LabelSelector: fmt.Sprintf("app=%s", d.Name), }) if err != nil { - f.Cleanup(t) - t.Fatal(err) + f.err = err + return "" } ctx, done := context.WithTimeout(context.Background(), 30*time.Second) 
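Review bot: The timeout branch in `cleanupDeployments` now sets `f.err` but has no `return`, so the `for`/`select` loop keeps polling after the deadline; the old code left the loop through `t.Fatal`. The same applies to the `case <-ctx.Done():` branches in `WaitForDeployment` (hunk `@@ -169,39 +196,42 @@`), `waitForReplicaSetCreation` (`@@ -210,37 +240,39 @@`), `AssertDeploymentFailed` (`@@ -249,34 +281,37 @@`) and `AssertEventForPod` (`@@ -285,19 +320,18 @@`). There a cancelled context keeps `ctx.Done()` permanently ready, so the loop spins, rewriting `f.err` until an event happens to arrive or the `go test` timeout kills the run. Each branch needs to leave the function, e.g. `f.err = fmt.Errorf("timeout reached while waiting for deployment to be ready")` followed by `return` (`return ""` in `waitForReplicaSetCreation`). The `timeout` channel in `cleanupDeployments` is defined outside the hunk and is presumably a one-shot timer, which would make that loop unbounded once it has fired.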
@@ -210,37 +240,39 @@ func (f *Framework) waitForReplicaSetCreation(t *testing.T, d appsv1.Deployment) for { select { case <-ctx.Done(): - f.Cleanup(t) - t.Fatal("timeout reached while waiting for replicaset to be created") + f.err = fmt.Errorf("timeout reached while waiting for replicaset to be created") case event := <-rs.ResultChan(): rs, ok := event.Object.(*appsv1.ReplicaSet) if ok { - t.Logf("replicaset %s created", rs.Name) - return rs.Name, nil + f.t.Logf("replicaset %s created", rs.Name) + return rs.Name } - time.Sleep(5 * time.Second) + time.Sleep(500 * time.Millisecond) } } } // AssertDeploymentFailed asserts that the deployment cannot start -func (f *Framework) AssertDeploymentFailed(t *testing.T, d appsv1.Deployment) { - t.Logf("waiting for deployment %s to fail", d.Name) +func (f *Framework) AssertDeploymentFailed(d appsv1.Deployment) { + if f.err != nil { + return + } + + f.t.Logf("waiting for deployment %s to fail", d.Name) // watch for replicasets of the deployment - rsName, err := f.waitForReplicaSetCreation(t, d) - if err != nil { - f.Cleanup(t) - t.Fatal(err) + rsName := f.waitForReplicaSetCreation(d) + if rsName == "" { + return } // get warning events of deployment's namespace and check if the deployment failed - w, err := f.k8s.CoreV1().Events("test-cases").Watch(context.Background(), metav1.ListOptions{ + w, err := f.k8s.CoreV1().Events(d.Namespace).Watch(context.Background(), metav1.ListOptions{ FieldSelector: fmt.Sprintf("involvedObject.name=%s", rsName), }) if err != nil { - f.Cleanup(t) - t.Fatal(err) + f.err = err + return } ctx, done := context.WithTimeout(context.Background(), 30*time.Second) 
@@ -249,34 +281,37 @@ func (f *Framework) AssertDeploymentFailed(t *testing.T, d appsv1.Deployment) { for { select { case <-ctx.Done(): - f.Cleanup(t) - t.Fatal("timeout reached while waiting for deployment to fail") + f.err = fmt.Errorf("timeout reached while waiting for deployment to fail") case event := <-w.ResultChan(): e, ok := event.Object.(*corev1.Event) if !ok { - time.Sleep(5 * time.Second) + time.Sleep(500 * time.Millisecond) continue } if e.Reason == "FailedCreate" { - t.Logf("deployment %s failed: %s", d.Name, e.Message) + f.t.Logf("deployment %s failed: %s", d.Name, e.Message) return } - time.Sleep(5 * time.Second) + time.Sleep(500 * time.Millisecond) } } } // AssertEventForPod asserts that a PodVerified event is created -func (f *Framework) AssertEventForPod(t *testing.T, reason string, p corev1.Pod) { - t.Logf("waiting for %s event to be created for pod %s", reason, p.Name) +func (f *Framework) AssertEventForPod(reason string, p corev1.Pod) { + if f.err != nil { + return + } + + f.t.Logf("waiting for %s event to be created for pod %s", reason, p.Name) // watch for events of deployment's namespace and check if the podverified event is created - w, err := f.k8s.CoreV1().Events("test-cases").Watch(context.Background(), metav1.ListOptions{ + w, err := f.k8s.CoreV1().Events(p.Namespace).Watch(context.Background(), metav1.ListOptions{ FieldSelector: fmt.Sprintf("involvedObject.name=%s", p.Name), }) if err != nil { - f.Cleanup(t) - t.Fatal(err) + f.err = err + return } ctx, done := context.WithTimeout(context.Background(), 30*time.Second) 
@@ -285,19 +320,18 @@ func (f *Framework) AssertEventForPod(t *testing.T, reason string, p corev1.Pod) for { select { case <-ctx.Done(): - f.Cleanup(t) - t.Fatal("timeout reached while waiting for podverified event") + f.err = fmt.Errorf("timeout reached while waiting for event to be created") case event := <-w.ResultChan(): e, ok := event.Object.(*corev1.Event) if !ok { - time.Sleep(5 * time.Second) + time.Sleep(500 * time.Millisecond) continue } if e.Reason == reason { - t.Logf("%s event created for pod %s", reason, p.Name) + f.t.Logf("%s event created for pod %s", reason, p.Name) return } - time.Sleep(5 * time.Second) + time.Sleep(500 * time.Millisecond) } } } diff --git a/test/framework/cosign.go b/test/framework/cosign.go index dc05d4c..4a56beb 100644 --- a/test/framework/cosign.go +++ b/test/framework/cosign.go @@ -9,7 +9,6 @@ import ( "fmt" "os" "regexp" - "testing" "time" "github.com/sigstore/cosign/v2/cmd/cosign/cli/importkeypair" 
@@ -21,82 +20,123 @@ import ( const ImportKeySuffix = "imported" +// Pub contains the public key and its path +type Pub struct { + Key string + Path string +} + +// Priv contains the private key and its path +type Priv struct { + Key string + Path string +} + +// SignOptions is a struct to hold the options for signing a container +type SignOptions struct { + KeyPath string + Image string + SignatureRepo string +} + +// KeyFunc is a function that generates a keypair by using the testing framework +type KeyFunc func(f *Framework, name string) (Priv, Pub) + // cleanupKeys removes all keypair files from the testing directory -func cleanupKeys(t testing.TB) { - t.Logf("cleaning up keypair files") +func (f *Framework) cleanupKeys() { + f.t.Logf("cleaning up keypair files") files, err := os.ReadDir(".") if err != nil { - t.Fatalf("failed reading directory: %v", err) + f.err = fmt.Errorf("failed reading directory: %v", err) + return } - for _, f := range files { - if f.IsDir() { + for _, file := range files { + if file.IsDir() { continue } reKey := regexp.MustCompile(".*.key") rePub := regexp.MustCompile(".*.pub") - if reKey.MatchString(f.Name()) || rePub.MatchString(f.Name()) { - err = os.Remove(f.Name()) + if reKey.MatchString(file.Name()) || rePub.MatchString(file.Name()) { + err = os.Remove(file.Name()) if err != nil { - t.Fatalf("failed removing file %s: %v", f.Name(), err) + f.err = fmt.Errorf("failed to remove file: %v", err) + return } } } - t.Logf("cleaned up keypair files") + f.t.Logf("cleaned up keypair files") } -// CreateKeys creates a signing keypair for cosing with the provided name -func (f *Framework) CreateKeys(t testing.TB, name string) (private string, public string) { +// CreateECDSAKeyPair generates an ECDSA keypair and saves the keys to the current directory +func CreateECDSAKeyPair(f *Framework, name string) (Priv, Pub) { + if f.err != nil { + return Priv{}, Pub{} + } + args := []string{fmt.Sprintf("--output-key-prefix=%s", name)} err := 
os.Setenv("COSIGN_PASSWORD", "") if err != nil { - t.Fatalf("failed setting COSIGN_PASSWORD: %v", err) + f.err = err + return Priv{}, Pub{} } cmd := cli.GenerateKeyPair() cmd.SetArgs(args) err = cmd.Execute() if err != nil { - f.Cleanup(t) + f.err = err + return Priv{}, Pub{} } // read private key and public key from the current directory privateKey, err := os.ReadFile(fmt.Sprintf("%s.key", name)) if err != nil { - f.Cleanup(t) + f.err = err + return Priv{}, Pub{} } pubKey, err := os.ReadFile(fmt.Sprintf("%s.pub", name)) if err != nil { - f.Cleanup(t) + f.err = err + return Priv{}, Pub{} } - return string(privateKey), string(pubKey) + return Priv{ + Key: string(privateKey), + Path: fmt.Sprintf("%s.key", name), + }, Pub{ + Key: string(pubKey), + Path: fmt.Sprintf("%s.pub", name), + } } -// CreateRSAKeyPair creates an RSA keypair for signing with the provided name -func (f *Framework) CreateRSAKeyPair(t *testing.T, name string) (private string, public string) { - priv, err := rsa.GenerateKey(rand.Reader, 2048) - if err != nil { - f.Cleanup(t) - t.Fatal(err) +// CreateRSAKeyPair generates an RSA keypair and saves the keys to the current directory +func CreateRSAKeyPair(f *Framework, name string) (Priv, Pub) { + if f.err != nil { + return Priv{}, Pub{} } + pkey, err := rsa.GenerateKey(rand.Reader, 2048) + if err != nil { + f.err = fmt.Errorf("failed to generate RSA key: %v", err) + return Priv{}, Pub{} + } privBytes := pem.EncodeToMemory(&pem.Block{ Type: "RSA PRIVATE KEY", - Bytes: x509.MarshalPKCS1PrivateKey(priv), + Bytes: x509.MarshalPKCS1PrivateKey(pkey), }) err = os.WriteFile(fmt.Sprintf("%s.key", name), privBytes, 0o644) if err != nil { - t.Errorf("failed to write private key to file: %v", err) - return "", "" + f.err = fmt.Errorf("failed to write private key to file: %v", err) + return Priv{}, Pub{} } // Generate and save the public key to a PEM file - pub := &priv.PublicKey + pubKey := &pkey.PublicKey - pubASN1, err := x509.MarshalPKIXPublicKey(pub) + pubASN1, 
err := x509.MarshalPKIXPublicKey(pubKey) if err != nil { - f.Cleanup(t) - t.Fatal(err) + f.err = fmt.Errorf("failed to marshal public key: %v", err) + return Priv{}, Pub{} } pubBytes := pem.EncodeToMemory(&pem.Block{ Type: "PUBLIC KEY", 
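Review bot: `cleanupKeys` decides what to delete from the working directory with `regexp.MustCompile(".*.key")` and `".*.pub"`, which are unanchored and leave the dot unescaped. Any file whose name merely contains a character followed by `key` or `pub` is removed, not only files ending in `.key` or `.pub`. The two patterns are also recompiled on every loop iteration. An extension check is stricter and cheaper: `if ext := filepath.Ext(file.Name()); ext == ".key" || ext == ".pub" {`, which needs the `path/filepath` import. Separately, `CreateECDSAKeyPair` in this hunk sets `COSIGN_PASSWORD` with `os.Setenv`, which is never restored, while the RSA path uses `f.t.Setenv`; using `f.t.Setenv` in both keeps the environment change scoped to the test.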
@@ -104,53 +144,56 @@ func (f *Framework) CreateRSAKeyPair(t *testing.T, name string) (private string, }) err = os.WriteFile(fmt.Sprintf("%s.pub", name), pubBytes, 0o644) if err != nil { - t.Errorf("failed to write public key to file: %v", err) - return "", "" + f.err = fmt.Errorf("failed to write public key to file: %v", err) + return Priv{}, Pub{} } - t.Setenv("COSIGN_PASSWORD", "") + f.t.Setenv("COSIGN_PASSWORD", "") // import the keypair into cosign for signing err = importkeypair.ImportKeyPairCmd(context.Background(), options.ImportKeyPairOptions{ Key: fmt.Sprintf("%s.key", name), OutputKeyPrefix: fmt.Sprintf("%s-%s", name, ImportKeySuffix), }, []string{}) if err != nil { - t.Errorf("failed to import keypair to cosign: %v", err) - return "", "" + f.err = fmt.Errorf("failed to import keypair: %v", err) + return Priv{}, Pub{} } // read private key and public key from the current directory privBytes, err = os.ReadFile(fmt.Sprintf("%s-%s.key", name, ImportKeySuffix)) if err != nil { - f.Cleanup(t) - t.Fatal(err) + f.err = fmt.Errorf("failed reading private key: %v", err) + return Priv{}, Pub{} } pubBytes, err = os.ReadFile(fmt.Sprintf("%s-%s.pub", name, ImportKeySuffix)) if err != nil { - f.Cleanup(t) - t.Fatal(err) + f.err = fmt.Errorf("failed reading public key: %v", err) + return Priv{}, Pub{} } - return string(privBytes), string(pubBytes) + return Priv{ + Key: string(privBytes), + Path: fmt.Sprintf("%s-%s.key", name, ImportKeySuffix), + }, Pub{ + Key: string(pubBytes), + Path: fmt.Sprintf("%s-%s.pub", name, ImportKeySuffix), + } } -// SignOptions is a struct to hold the options for signing a container -type SignOptions struct { - KeyPath string - Image string - SignatureRepo string -} +// SignContainer signs the container using the provided SignOptions +func (f *Framework) SignContainer(opts SignOptions) { + if f.err != nil { + return + } -// SignContainer signs the container with the provided private key -func (f *Framework) SignContainer(t *testing.T, opts 
SignOptions) { // get SHA of the container image - t.Setenv("COSIGN_PASSWORD", "") + f.t.Setenv("COSIGN_PASSWORD", "") // if the signature repository is different from the image, set the COSIGN_REPOSITORY environment variable // to push the signature to the specified repository if opts.SignatureRepo != opts.Image { - t.Setenv("COSIGN_REPOSITORY", opts.SignatureRepo) + f.t.Setenv("COSIGN_REPOSITORY", opts.SignatureRepo) } err := sign.SignCmd( &options.RootOptions{ @@ -167,7 +210,6 @@ func (f *Framework) SignContainer(t *testing.T, opts SignOptions) { []string{opts.Image}, ) if err != nil { - f.Cleanup(t) - t.Fatal(err) + f.err = fmt.Errorf("failed to sign container: %v", err) } } diff --git a/test/framework/cosign_test.go b/test/framework/cosign_test.go index 83754fe..a156b99 100644 --- a/test/framework/cosign_test.go +++ b/test/framework/cosign_test.go @@ -16,11 +16,13 @@ func TestFramework_CreateRSAKeyPair(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - f := &Framework{} - priv, pub := f.CreateRSAKeyPair(t, tt.name) - defer f.Cleanup(t) + f := &Framework{ + t: t, + } + defer f.Cleanup() + private, public := CreateRSAKeyPair(f, tt.name) - if priv == "" || pub == "" { + if private.Key == "" || public.Key == "" { t.Fatal("failed to create RSA key pair") } @@ -67,11 +69,13 @@ func TestFramework_SignContainer_RSA(t *testing.T) { t.Skip() } - f := &Framework{} + f := &Framework{ + t: t, + } + defer f.Cleanup() name := "testkey" - priv, pub := f.CreateRSAKeyPair(t, name) - defer f.Cleanup(t) - if priv == "" || pub == "" { + private, public := CreateRSAKeyPair(f, name) + if private.Key == "" || public.Key == "" { t.Fatal("failed to create RSA key pair") } 
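Review bot: The `Priv` returned at the end of CreateRSAKeyPair points only at the imported `<name>-<ImportKeySuffix>.key`, but the unencrypted PKCS#1 file `<name>.key` passed to `ImportKeyPairCmd` as `Key` is left in the working directory as well. The function starts above this hunk, where that file is written with mode `0o644`; `0o600` is the usual mode for private key material, i.e. `os.WriteFile(fmt.Sprintf("%s.key", name), privBytes, 0o600)`. The key cleanup is not visible here, so it is worth confirming that it removes the plain file and not only the imported pair. Separately, the new `fmt.Errorf` calls format the cause with `%v`; `%w` would keep it available to `errors.Is`/`errors.As`.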
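Review bot: A signing failure is now only recorded, `f.err = fmt.Errorf("failed to sign container: %v", err)`, and no longer stops the test at this point, which matters most for the negative tests in webhook_test.go. If the later framework calls return early once `f.err` is set (as the guard at the top of SignContainer does) and nothing reports the stored error, `AssertDeploymentFailed` could pass without the webhook ever having judged a signed image. The code that surfaces `f.err` is not part of this hunk, so please confirm that it fails the test. If that is the contract, state it in the doc comment, for example `// On failure the error is stored on the Framework and reported by Cleanup.`. SignContainer begins above this hunk.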
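Review bot: Both RSA tests in this file still fail with the fixed message `failed to create RSA key pair`, although the reason is now stored in `f.err` instead of being reported by the helper. Since the tests build `&Framework{t: t}` themselves and so live in the same package, the message can carry the cause: `t.Fatalf("failed to create RSA key pair: %v", f.err)`. The same applies to the check in TestFramework_SignContainer_RSA in the following hunk. Both test functions extend beyond their hunks.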
@@ -84,7 +88,7 @@ func TestFramework_SignContainer_RSA(t *testing.T) { t.Fatal("failed to create public key") } - f.SignContainer(t, SignOptions{ + f.SignContainer(SignOptions{ KeyPath: fmt.Sprintf("%s-%s.key", name, ImportKeySuffix), Image: "k3d-registry.localhost:5000/busybox:first", }) diff --git a/test/main_test.go b/test/main_test.go index 43aa93c..32fa1d0 100644 --- a/test/main_test.go +++ b/test/main_test.go @@ -1,13 +1,16 @@ package test import ( + "fmt" "testing" + + "github.com/eumel8/cosignwebhook/test/framework" ) -// TestPassingDeployments tests deployments that should pass signature verification -func TestPassingDeployments(t *testing.T) { - testFuncs := map[string]func(t *testing.T){ - "OneContainerSinglePubKeyEnvRef": testOneContainerSinglePubKeyEnvRef, +// TestPassECDSA tests deployments that should pass signature verification +func TestPassECDSA(t *testing.T) { + testFuncs := map[string]func(fw *framework.Framework, kf framework.KeyFunc, key string) func(t *testing.T){ + "OneContainerSinglePubKeyEnvRef": oneContainerSinglePubKeyEnvRef, "TwoContainersSinglePubKeyEnvRef": testTwoContainersSinglePubKeyEnvRef, "OneContainerSinglePubKeySecretRef": testOneContainerSinglePubKeySecretRef, "TwoContainersSinglePubKeyMixedRef": testTwoContainersSinglePubKeyMixedRef, 
@@ -16,25 +19,35 @@ func TestPassingDeployments(t *testing.T) { "EventEmittedOnSignatureVerification": testEventEmittedOnSignatureVerification, "EventEmittedOnNoSignatureVerification": testEventEmittedOnNoSignatureVerification, "OneContainerWIthCosignRepository": testOneContainerWithCosignRepository, - "OneContainerSinglePubKeyEnvRefRSA": testOneContainerSinglePubKeyEnvRefRSA, - "TwoContainersSinglePubKeyEnvRefRSA": TestTwoContainersSinglePubKeyEnvRefRSA, + } + + fw, err := framework.New(t) + if err != nil { + t.Fatal(err) } for name, tf := range testFuncs { - t.Run(name, tf) + t.Run(fmt.Sprintf("[%s] %s", "ECDSA", name), tf(fw, framework.CreateECDSAKeyPair, name)) + t.Run(fmt.Sprintf("[%s] %s", "RSA", name), tf(fw, framework.CreateRSAKeyPair, name)) } } // TestFailingDeployments tests deployments that should fail signature verification func TestFailingDeployments(t *testing.T) { - testFuncs := map[string]func(t *testing.T){ + testFuncs := map[string]func(fw *framework.Framework, kf framework.KeyFunc, key string) func(t *testing.T){ "OneContainerSinglePubKeyMalformedEnvRef": testOneContainerSinglePubKeyMalformedEnvRef, "TwoContainersSinglePubKeyMalformedEnvRef": testTwoContainersSinglePubKeyMalformedEnvRef, "OneContainerSinglePubKeyNoMatchEnvRef": testOneContainerSinglePubKeyNoMatchEnvRef, "OneContainerWithCosingRepoVariableMissing": testOneContainerWithCosingRepoVariableMissing, } + fw, err := framework.New(t) + if err != nil { + t.Fatal(err) + } + for name, tf := range testFuncs { - t.Run(name, tf) + t.Run(name, tf(fw, framework.CreateECDSAKeyPair, name)) + t.Run(name, tf(fw, framework.CreateRSAKeyPair, name)) } } diff --git a/test/webhook_test.go b/test/webhook_test.go index b2da4e7..ee4a8d7 100644 --- a/test/webhook_test.go +++ b/test/webhook_test.go @@ -1,7 +1,6 @@ package test import ( - "fmt" "testing" "github.com/eumel8/cosignwebhook/test/framework" 
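Review bot: In TestFailingDeployments both `t.Run` calls use the bare `name`, so the RSA run shows up as `name#01` and the key type cannot be read from the test output; TestPassECDSA in the same hunk already prefixes the type. Using the same scheme, `t.Run(fmt.Sprintf("[%s] %s", "RSA", name), tf(fw, framework.CreateRSAKeyPair, name))` (and `"ECDSA"` for the other call), keeps a failed verification attributable to one key algorithm. The name TestPassECDSA is also misleading now that the loop runs every case with RSA keys too; its name and doc comment could say so. Note that `tf(...)` is evaluated in the parent test, so key generation and signing run before the subtest starts and all cases share one `fw`.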
@@ -20,17 +19,12 @@ const ( signatureRepo = "k3d-registry.localhost:5000/sigs" ) -// testOneContainerSinglePubKeyEnvRef tests that a deployment with a single signed container, +// oneContainerSinglePubKeyEnvRef tests that a deployment with a single signed container, // with a public key provided via an environment variable, succeeds. -func testOneContainerSinglePubKeyEnvRef(t *testing.T) { - fw, err := framework.New() - if err != nil { - t.Fatal(err) - } - - _, pub := fw.CreateKeys(t, "test") - fw.SignContainer(t, framework.SignOptions{ - KeyPath: "test.key", +func oneContainerSinglePubKeyEnvRef(fw *framework.Framework, keyFunc framework.KeyFunc, key string) func(t *testing.T) { + priv, pub := keyFunc(fw, key) + fw.SignContainer(framework.SignOptions{ + KeyPath: priv.Path, Image: busyboxOne, }) @@ -62,7 +56,7 @@ func testOneContainerSinglePubKeyEnvRef(t *testing.T) { Env: []corev1.EnvVar{ { Name: webhook.CosignEnvVar, - Value: pub, + Value: pub.Key, }, }, }, 
@@ -72,26 +66,23 @@ func testOneContainerSinglePubKeyEnvRef(t *testing.T) { }, } - fw.CreateDeployment(t, depl) - fw.WaitForDeployment(t, depl) - fw.Cleanup(t) + return func(t *testing.T) { + fw.CreateDeployment(depl) + fw.WaitForDeployment(depl) + fw.Cleanup() + } } // testTwoContainersSinglePubKeyEnvRef tests that a deployment with two signed containers, // with a public key provided via an environment variable, succeeds. -func testTwoContainersSinglePubKeyEnvRef(t *testing.T) { - fw, err := framework.New() - if err != nil { - t.Fatal(err) - } - - _, pub := fw.CreateKeys(t, "test") - fw.SignContainer(t, framework.SignOptions{ - KeyPath: "test.key", +func testTwoContainersSinglePubKeyEnvRef(fw *framework.Framework, kf framework.KeyFunc, key string) func(*testing.T) { + priv, pub := kf(fw, key) + fw.SignContainer(framework.SignOptions{ + KeyPath: priv.Path, Image: busyboxOne, }) - fw.SignContainer(t, framework.SignOptions{ - KeyPath: "test.key", + fw.SignContainer(framework.SignOptions{ + KeyPath: priv.Path, Image: busyboxTwo, }) @@ -123,7 +114,7 @@ func testTwoContainersSinglePubKeyEnvRef(t *testing.T) { Env: []corev1.EnvVar{ { Name: webhook.CosignEnvVar, - Value: pub, + Value: pub.Key, }, }, }, @@ -138,7 +129,7 @@ func testTwoContainersSinglePubKeyEnvRef(t *testing.T) { Env: []corev1.EnvVar{ { Name: webhook.CosignEnvVar, - Value: pub, + Value: pub.Key, }, }, }, 
@@ -148,22 +139,19 @@ func testTwoContainersSinglePubKeyEnvRef(t *testing.T) { }, } - fw.CreateDeployment(t, depl) - fw.WaitForDeployment(t, depl) - fw.Cleanup(t) + return func(*testing.T) { + fw.CreateDeployment(depl) + fw.WaitForDeployment(depl) + fw.Cleanup() + } } // testOneContainerPubKeySecret tests that a deployment with a single signed container, // with a public key provided via a secret, succeeds. -func testOneContainerSinglePubKeySecretRef(t *testing.T) { - fw, err := framework.New() - if err != nil { - t.Fatal(err) - } - - _, pub := fw.CreateKeys(t, "test") - fw.SignContainer(t, framework.SignOptions{ - KeyPath: "test.key", +func testOneContainerSinglePubKeySecretRef(fw *framework.Framework, kf framework.KeyFunc, key string) func(*testing.T) { + priv, pub := kf(fw, key) + fw.SignContainer(framework.SignOptions{ + KeyPath: priv.Path, Image: busyboxOne, }) @@ -174,7 +162,7 @@ func testOneContainerSinglePubKeySecretRef(t *testing.T) { Namespace: "test-cases", }, StringData: map[string]string{ - "cosign.pub": pub, + "cosign.pub": pub.Key, }, } 
@@ -223,28 +211,25 @@ func testOneContainerSinglePubKeySecretRef(t *testing.T) { }, } - fw.CreateSecret(t, secret) - fw.CreateDeployment(t, depl) - fw.WaitForDeployment(t, depl) - fw.Cleanup(t) + return func(*testing.T) { + fw.CreateSecret(secret) + fw.CreateDeployment(depl) + fw.WaitForDeployment(depl) + fw.Cleanup() + } } // testTwoContainersMixedPubKeyMixedRef tests that a deployment with two signed containers with two different public keys, // with the keys provided by a secret and an environment variable, succeeds. -func testTwoContainersMixedPubKeyMixedRef(t *testing.T) { - fw, err := framework.New() - if err != nil { - t.Fatal(err) - } - - _, pub1 := fw.CreateKeys(t, "test1") - _, pub2 := fw.CreateKeys(t, "test2") - fw.SignContainer(t, framework.SignOptions{ - KeyPath: "test1.key", +func testTwoContainersMixedPubKeyMixedRef(fw *framework.Framework, kf framework.KeyFunc, key string) func(*testing.T) { + priv1, pub1 := framework.CreateECDSAKeyPair(fw, "test1") + priv2, pub2 := framework.CreateECDSAKeyPair(fw, "test2") + fw.SignContainer(framework.SignOptions{ + KeyPath: priv1.Path, Image: busyboxOne, }) - fw.SignContainer(t, framework.SignOptions{ - KeyPath: "test2.key", + fw.SignContainer(framework.SignOptions{ + KeyPath: priv2.Path, Image: busyboxTwo, }) @@ -255,7 +240,7 @@ func testTwoContainersMixedPubKeyMixedRef(t *testing.T) { Namespace: "test-cases", }, StringData: map[string]string{ - "cosign.pub": pub1, + "cosign.pub": pub1.Key, }, } @@ -277,7 +262,7 @@ func testTwoContainersMixedPubKeyMixedRef(t *testing.T) { TerminationGracePeriodSeconds: &terminationGracePeriodSeconds, Containers: []corev1.Container{ { - Name: "two-containers-mixed-pub-keyrefs-first", + Name: "two-containers-mixed-pub-keyrefs-from-secret", Image: busyboxOne, Command: []string{ "sh", 
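Review bot: testTwoContainersMixedPubKeyMixedRef ignores its `kf` and `key` parameters and always calls `framework.CreateECDSAKeyPair(fw, "test1")` and `framework.CreateECDSAKeyPair(fw, "test2")`, so the run labelled RSA in main_test.go verifies ECDSA signatures a second time. Using the injected function, `priv1, pub1 := kf(fw, key+"-1")` and `priv2, pub2 := kf(fw, key+"-2")`, would give the mixed-key case real RSA coverage. testOneContainerSinglePubKeyNoMatchEnvRef further down has the same pattern with `framework.CreateECDSAKeyPair(fw, "other")`: in the RSA run the rejected key then differs in type as well as in value, so `kf(fw, "other")` would test the mismatch more precisely. Both functions continue outside their hunks.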
@@ -299,7 +284,7 @@ func testTwoContainersMixedPubKeyMixedRef(t *testing.T) { }, }, { - Name: "two-containers-mixed-pub-keyrefs-second", + Name: "two-containers-mixed-pub-keyrefs-second-from-env", Image: busyboxTwo, Command: []string{ "sh", @@ -309,7 +294,7 @@ func testTwoContainersMixedPubKeyMixedRef(t *testing.T) { Env: []corev1.EnvVar{ { Name: webhook.CosignEnvVar, - Value: pub2, + Value: pub2.Key, }, }, }, @@ -319,27 +304,24 @@ func testTwoContainersMixedPubKeyMixedRef(t *testing.T) { }, } - fw.CreateSecret(t, secret) - fw.CreateDeployment(t, depl) - fw.WaitForDeployment(t, depl) - fw.Cleanup(t) + return func(*testing.T) { + fw.CreateSecret(secret) + fw.CreateDeployment(depl) + fw.WaitForDeployment(depl) + fw.Cleanup() + } } // testTwoContainersSinglePubKeyMixedRef tests that a deployment with two signed containers, // with a public key provided via a secret and an environment variable, succeeds. -func testTwoContainersSinglePubKeyMixedRef(t *testing.T) { - fw, err := framework.New() - if err != nil { - t.Fatal(err) - } - - _, pub := fw.CreateKeys(t, "test") - fw.SignContainer(t, framework.SignOptions{ - KeyPath: "test.key", +func testTwoContainersSinglePubKeyMixedRef(fw *framework.Framework, kf framework.KeyFunc, key string) func(*testing.T) { + priv, pub := kf(fw, key) + fw.SignContainer(framework.SignOptions{ + KeyPath: priv.Path, Image: busyboxOne, }) - fw.SignContainer(t, framework.SignOptions{ - KeyPath: "test.key", + fw.SignContainer(framework.SignOptions{ + KeyPath: priv.Path, Image: busyboxTwo, }) @@ -350,7 +332,7 @@ func testTwoContainersSinglePubKeyMixedRef(t *testing.T) { Namespace: "test-cases", }, StringData: map[string]string{ - "cosign.pub": pub, + "cosign.pub": pub.Key, }, } @@ -404,7 +386,7 @@ func testTwoContainersSinglePubKeyMixedRef(t *testing.T) { Env: []corev1.EnvVar{ { Name: webhook.CosignEnvVar, - Value: pub, + Value: pub.Key, }, }, }, 
@@ -414,27 +396,24 @@ func testTwoContainersSinglePubKeyMixedRef(t *testing.T) { }, } - fw.CreateSecret(t, secret) - fw.CreateDeployment(t, depl) - fw.WaitForDeployment(t, depl) - fw.Cleanup(t) + return func(*testing.T) { + fw.CreateSecret(secret) + fw.CreateDeployment(depl) + fw.WaitForDeployment(depl) + fw.Cleanup() + } } // testTwoContainersSinglePubKeyMixedRef tests that a deployment with two signed containers, // with a public key provided via a secret and an environment variable, succeeds. -func testTwoContainersWithInitSinglePubKeyMixedRef(t *testing.T) { - fw, err := framework.New() - if err != nil { - t.Fatal(err) - } - - _, pub := fw.CreateKeys(t, "test") - fw.SignContainer(t, framework.SignOptions{ - KeyPath: "test.key", +func testTwoContainersWithInitSinglePubKeyMixedRef(fw *framework.Framework, kf framework.KeyFunc, key string) func(*testing.T) { + priv, pub := kf(fw, key) + fw.SignContainer(framework.SignOptions{ + KeyPath: priv.Path, Image: busyboxOne, }) - fw.SignContainer(t, framework.SignOptions{ - KeyPath: "test.key", + fw.SignContainer(framework.SignOptions{ + KeyPath: priv.Path, Image: busyboxTwo, }) @@ -445,7 +424,7 @@ func testTwoContainersWithInitSinglePubKeyMixedRef(t *testing.T) { Namespace: "test-cases", }, StringData: map[string]string{ - "cosign.pub": pub, + "cosign.pub": pub.Key, }, } @@ -501,7 +480,7 @@ func testTwoContainersWithInitSinglePubKeyMixedRef(t *testing.T) { Env: []corev1.EnvVar{ { Name: webhook.CosignEnvVar, - Value: pub, + Value: pub.Key, }, }, }, 
@@ -511,23 +490,20 @@ func testTwoContainersWithInitSinglePubKeyMixedRef(t *testing.T) { }, } - fw.CreateSecret(t, secret) - fw.CreateDeployment(t, depl) - fw.WaitForDeployment(t, depl) - fw.Cleanup(t) + return func(*testing.T) { + fw.CreateSecret(secret) + fw.CreateDeployment(depl) + fw.WaitForDeployment(depl) + fw.Cleanup() + } } // testEventEmittedOnSignatureVerification tests // that an event is emitted when a deployment passes signature verification -func testEventEmittedOnSignatureVerification(t *testing.T) { - fw, err := framework.New() - if err != nil { - t.Fatal(err) - } - - _, pub := fw.CreateKeys(t, "test") - fw.SignContainer(t, framework.SignOptions{ - KeyPath: "test.key", +func testEventEmittedOnSignatureVerification(fw *framework.Framework, kf framework.KeyFunc, key string) func(*testing.T) { + priv, pub := kf(fw, key) + fw.SignContainer(framework.SignOptions{ + KeyPath: priv.Path, Image: busyboxOne, }) @@ -559,7 +535,7 @@ func testEventEmittedOnSignatureVerification(t *testing.T) { Env: []corev1.EnvVar{ { Name: webhook.CosignEnvVar, - Value: pub, + Value: pub.Key, }, }, }, @@ -569,19 +545,16 @@ func testEventEmittedOnSignatureVerification(t *testing.T) { }, } - fw.CreateDeployment(t, depl) - fw.WaitForDeployment(t, depl) - pod := fw.GetPods(t, depl) - fw.AssertEventForPod(t, "PodVerified", pod.Items[0]) - fw.Cleanup(t) -} - -func testEventEmittedOnNoSignatureVerification(t *testing.T) { - fw, err := framework.New() - if err != nil { - t.Fatal(err) + return func(*testing.T) { + fw.CreateDeployment(depl) + fw.WaitForDeployment(depl) + pod := fw.GetPods(depl) + fw.AssertEventForPod("PodVerified", pod.Items[0]) + fw.Cleanup() } +} +func testEventEmittedOnNoSignatureVerification(fw *framework.Framework, kf framework.KeyFunc, key string) func(*testing.T) { // create a deployment with a single unsigned container depl := appsv1.Deployment{ ObjectMeta: metav1.ObjectMeta{ 
@@ -610,26 +583,23 @@ func testEventEmittedOnNoSignatureVerification(t *testing.T) { }, } - fw.CreateDeployment(t, depl) - fw.WaitForDeployment(t, depl) - pl := fw.GetPods(t, depl) - fw.AssertEventForPod(t, "NoVerification", pl.Items[0]) - fw.Cleanup(t) + return func(t *testing.T) { + fw.CreateDeployment(depl) + fw.WaitForDeployment(depl) + pl := fw.GetPods(depl) + fw.AssertEventForPod("NoVerification", pl.Items[0]) + fw.Cleanup() + } } // testOneContainerWithCosignRepository tests that a deployment with a single signed container, // with a public key provided via a secret succeeds. // The signature for the container is present in the repository // defined in the environment variables of the container. -func testOneContainerWithCosignRepository(t *testing.T) { - fw, err := framework.New() - if err != nil { - t.Fatal(err) - } - - _, pub := fw.CreateKeys(t, "test") - fw.SignContainer(t, framework.SignOptions{ - KeyPath: "test.key", +func testOneContainerWithCosignRepository(fw *framework.Framework, kf framework.KeyFunc, key string) func(*testing.T) { + priv, pub := kf(fw, key) + fw.SignContainer(framework.SignOptions{ + KeyPath: priv.Path, Image: busyboxOne, SignatureRepo: signatureRepo, }) @@ -641,7 +611,7 @@ func testOneContainerWithCosignRepository(t *testing.T) { Namespace: "test-cases", }, StringData: map[string]string{ - "cosign.pub": pub, + "cosign.pub": pub.Key, }, } 
@@ -694,153 +664,21 @@ func testOneContainerWithCosignRepository(t *testing.T) { }, } - fw.CreateSecret(t, secret) - fw.CreateDeployment(t, depl) - fw.WaitForDeployment(t, depl) - fw.Cleanup(t) -} - -// testOneContainerSinglePubKeyEnvRefRSA tests that a deployment with a single signed container, -// with a public key provided via an environment variable, succeeds. The keypair used for this test is an RSA keypair. -func testOneContainerSinglePubKeyEnvRefRSA(t *testing.T) { - fw, err := framework.New() - if err != nil { - t.Fatal(err) - } - - _, pub := fw.CreateRSAKeyPair(t, "test") - fw.SignContainer(t, framework.SignOptions{ - KeyPath: fmt.Sprintf("test-%s.key", framework.ImportKeySuffix), - Image: busyboxOne, - }) - - // create a deployment with a single signed container and a public key provided via an environment variable - depl := appsv1.Deployment{ - ObjectMeta: metav1.ObjectMeta{ - Name: "one-container-env-ref-rsa", - Namespace: "test-cases", - }, - Spec: appsv1.DeploymentSpec{ - Selector: &metav1.LabelSelector{ - MatchLabels: map[string]string{"app": "one-container-env-ref-rsa"}, - }, - Template: corev1.PodTemplateSpec{ - ObjectMeta: metav1.ObjectMeta{ - Labels: map[string]string{"app": "one-container-env-ref-rsa"}, - }, - Spec: corev1.PodSpec{ - TerminationGracePeriodSeconds: &terminationGracePeriodSeconds, - Containers: []corev1.Container{ - { - Name: "one-container-env-ref-rsa", - Image: busyboxOne, - Command: []string{ - "sh", - "-c", - "while true; do echo 'hello world, i am tired and will sleep now'; sleep 60; done", - }, - Env: []corev1.EnvVar{ - { - Name: webhook.CosignEnvVar, - Value: pub, - }, - }, - }, - }, - }, - }, - }, - } - - fw.CreateDeployment(t, depl) - fw.WaitForDeployment(t, depl) - fw.Cleanup(t) -} - -func TestTwoContainersSinglePubKeyEnvRefRSA(t *testing.T) { - fw, err := framework.New() - if err != nil { - t.Fatal(err) - } - - // Create a deployment with two containers signed by the same RSA key - _, rsaPub := fw.CreateRSAKeyPair(t, 
"test") - fw.SignContainer(t, framework.SignOptions{ - KeyPath: fmt.Sprintf("test-%s.key", framework.ImportKeySuffix), - Image: busyboxOne, - }) - fw.SignContainer(t, framework.SignOptions{ - KeyPath: fmt.Sprintf("test-%s.key", framework.ImportKeySuffix), - Image: busyboxTwo, - }) - - depl := appsv1.Deployment{ - ObjectMeta: metav1.ObjectMeta{ - Name: "two-containers-single-pubkey-envref", - Namespace: "test-cases", - }, - Spec: appsv1.DeploymentSpec{ - Selector: &metav1.LabelSelector{ - MatchLabels: map[string]string{"app": "two-containers-single-pubkey-envref"}, - }, - Template: corev1.PodTemplateSpec{ - ObjectMeta: metav1.ObjectMeta{ - Labels: map[string]string{"app": "two-containers-single-pubkey-envref"}, - }, - Spec: corev1.PodSpec{ - TerminationGracePeriodSeconds: &terminationGracePeriodSeconds, - Containers: []corev1.Container{ - { - Name: "two-containers-same-rsa-pub-key-env-ref-first", - Image: busyboxOne, - Command: []string{ - "sh", "-c", - "echo 'hello world, i am tired and will sleep now'; sleep 60", - }, - Env: []corev1.EnvVar{ - { - Name: webhook.CosignEnvVar, - Value: rsaPub, - }, - }, - }, - { - Name: "two-containers-same-rsa-pub-key-env-ref-second", - Image: busyboxTwo, - Command: []string{ - "sh", "-c", - "echo 'hello world, i am tired and will sleep now'; sleep 60", - }, - Env: []corev1.EnvVar{ - { - Name: webhook.CosignEnvVar, - Value: rsaPub, - }, - }, - }, - }, - }, - }, - }, + return func(*testing.T) { + fw.CreateSecret(secret) + fw.CreateDeployment(depl) + fw.WaitForDeployment(depl) + fw.Cleanup() } - - fw.CreateDeployment(t, depl) - fw.WaitForDeployment(t, depl) - fw.Cleanup(t) } // testOneContainerSinglePubKeyNoMatchEnvRef tests that a deployment with a single signed container, // with a public key provided via an environment variable, fails if the public key does not match the signature. 
-func testOneContainerSinglePubKeyNoMatchEnvRef(t *testing.T) { - fw, err := framework.New() - if err != nil { - t.Fatal(err) - } - - _, _ = fw.CreateKeys(t, "test") - _, other := fw.CreateKeys(t, "other") - fw.SignContainer(t, framework.SignOptions{ - KeyPath: "test.key", +func testOneContainerSinglePubKeyNoMatchEnvRef(fw *framework.Framework, kf framework.KeyFunc, key string) func(*testing.T) { + priv, _ := kf(fw, key) + _, otherPub := framework.CreateECDSAKeyPair(fw, "other") + fw.SignContainer(framework.SignOptions{ + KeyPath: priv.Path, Image: busyboxOne, }) @@ -872,7 +710,7 @@ func testOneContainerSinglePubKeyNoMatchEnvRef(t *testing.T) { Env: []corev1.EnvVar{ { Name: webhook.CosignEnvVar, - Value: other, + Value: otherPub.Key, }, }, }, @@ -882,22 +720,19 @@ func testOneContainerSinglePubKeyNoMatchEnvRef(t *testing.T) { }, } - fw.CreateDeployment(t, depl) - fw.AssertDeploymentFailed(t, depl) - fw.Cleanup(t) + return func(t *testing.T) { + fw.CreateDeployment(depl) + fw.AssertDeploymentFailed(depl) + fw.Cleanup() + } } // testTwoContainersSinglePubKeyNoMatchEnvRef tests that a deployment with two signed containers, -// with a public key provided via an environment variable, fails if one of the container's pub key is malformed. -func testTwoContainersSinglePubKeyMalformedEnvRef(t *testing.T) { - fw, err := framework.New() - if err != nil { - t.Fatal(err) - } - - _, pub := fw.CreateKeys(t, "test") - fw.SignContainer(t, framework.SignOptions{ - KeyPath: "test.key", +// with a public key provided via an environment variable, fails if one of the containers public key is malformed. +func testTwoContainersSinglePubKeyMalformedEnvRef(fw *framework.Framework, kf framework.KeyFunc, key string) func(*testing.T) { + priv, pub := kf(fw, key) + fw.SignContainer(framework.SignOptions{ + KeyPath: priv.Path, Image: busyboxOne, }) 
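Review bot: The doc comment edited in the last hunk on this line still opens with `testTwoContainersSinglePubKeyNoMatchEnvRef`, but the function it documents is `testTwoContainersSinglePubKeyMalformedEnvRef`. Suggested first line: `// testTwoContainersSinglePubKeyMalformedEnvRef tests that a deployment with two signed containers,`, and the second line should read `container's public key`, since the edit dropped the apostrophe. Because the function now returns the subtest closure, the comment could also state that key creation and signing happen when the factory is called, not inside the returned function.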
@@ -929,7 +764,7 @@ func testTwoContainersSinglePubKeyMalformedEnvRef(t *testing.T) { Env: []corev1.EnvVar{ { Name: webhook.CosignEnvVar, - Value: pub, + Value: pub.Key, }, }, }, @@ -954,18 +789,21 @@ func testTwoContainersSinglePubKeyMalformedEnvRef(t *testing.T) { }, } - fw.CreateDeployment(t, depl) - fw.AssertDeploymentFailed(t, depl) - fw.Cleanup(t) + return func(t *testing.T) { + fw.CreateDeployment(depl) + fw.AssertDeploymentFailed(depl) + fw.Cleanup() + } } // testOneContainerSinglePubKeyMalformedEnvRef tests that a deployment with a single signed container, -// // with a public key provided via an environment variable, fails if the public key has an incorrect format. -func testOneContainerSinglePubKeyMalformedEnvRef(t *testing.T) { - fw, err := framework.New() - if err != nil { - t.Fatal(err) - } +// with a public key provided via an environment variable, fails if the public key has an incorrect format. +func testOneContainerSinglePubKeyMalformedEnvRef(fw *framework.Framework, kf framework.KeyFunc, key string) func(*testing.T) { + priv, _ := kf(fw, key) + fw.SignContainer(framework.SignOptions{ + KeyPath: priv.Path, + Image: busyboxOne, + }) depl := appsv1.Deployment{ ObjectMeta: metav1.ObjectMeta{ 
@@ -1004,23 +842,20 @@ func testOneContainerSinglePubKeyMalformedEnvRef(t *testing.T) { }, } - fw.CreateDeployment(t, depl) - fw.AssertDeploymentFailed(t, depl) - fw.Cleanup(t) + return func(t *testing.T) { + fw.CreateDeployment(depl) + fw.AssertDeploymentFailed(depl) + fw.Cleanup() + } } // testOneContainerSinglePubKeyNoMatchSecretRef tests that a deployment with a single signed container, // with a public key provided via a secret, fails if the public key does not match the signature, which // is uploaded in a different repository as the image itself -func testOneContainerWithCosingRepoVariableMissing(t *testing.T) { - fw, err := framework.New() - if err != nil { - t.Fatal(err) - } - - _, pub := fw.CreateKeys(t, "test") - fw.SignContainer(t, framework.SignOptions{ - KeyPath: "test.key", +func testOneContainerWithCosingRepoVariableMissing(fw *framework.Framework, kf framework.KeyFunc, key string) func(*testing.T) { + priv, pub := kf(fw, key) + fw.SignContainer(framework.SignOptions{ + KeyPath: priv.Path, Image: busyboxOne, SignatureRepo: signatureRepo, }) @@ -1051,7 +886,7 @@ func testOneContainerWithCosingRepoVariableMissing(t *testing.T) { Env: []corev1.EnvVar{ { Name: webhook.CosignEnvVar, - Value: pub, + Value: pub.Key, }, }, }, @@ -1061,7 +896,9 @@ func testOneContainerWithCosingRepoVariableMissing(t *testing.T) { }, } - fw.CreateDeployment(t, depl) - fw.AssertDeploymentFailed(t, depl) - fw.Cleanup(t) + return func(t *testing.T) { + fw.CreateDeployment(depl) + fw.AssertDeploymentFailed(depl) + fw.Cleanup() + } }