cosigned: Test unsupported KMS providers (sigstore#1820)

This adds a test case to cover the case where a specified KMS provider
isn't supported; in this case, we fire an event describing the error.

Signed-off-by: Jason Hall <[email protected]>

go.sum

@@ -235,8 +235,6 @@ github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdII
 github.com/OpenPeeDeeP/depguard v1.0.1/go.mod h1:xsIw86fROiiwelg+jB2uM9PiKihMMmUx/1V+TNhjQvM=
 github.com/PaesslerAG/gval v1.0.0 h1:GEKnRwkWDdf9dOmKcNrar9EA1bz1z9DqPIO1+iLzhd8=
 github.com/PaesslerAG/gval v1.0.0/go.mod h1:y/nm5yEyTeX6av0OfKJNp9rBNj2XrGhAf5+v24IBN1I=
-github.com/PaesslerAG/gval v1.0.0/go.mod h1:y/nm5yEyTeX6av0OfKJNp9rBNj2XrGhAf5+v24IBN1I=
-github.com/PaesslerAG/jsonpath v0.1.0/go.mod h1:4BzmtoM/PI8fPO4aQGIusjGxGir2BzcV0grWtFzq1Y8=
 github.com/PaesslerAG/jsonpath v0.1.0/go.mod h1:4BzmtoM/PI8fPO4aQGIusjGxGir2BzcV0grWtFzq1Y8=
 github.com/PaesslerAG/jsonpath v0.1.1 h1:c1/AToHQMVsduPAa4Vh6xp2U0evy4t8SWp8imEsylIk=
 github.com/PaesslerAG/jsonpath v0.1.1/go.mod h1:lVboNxFGal/VwW6d9JzIy56bUsYAP6tH/x80vjnCseY=

pkg/reconciler/clusterimagepolicy/clusterimagepolicy.go

@@ -155,16 +155,14 @@ func (r *Reconciler) inlinePublicKeys(ctx context.Context, cip *v1alpha1.Cluster
 				return nil, err
 			}
 		}
-		if authority.Key != nil && authority.Key.KMS != "" {
-			if strings.Contains(authority.Key.KMS, "://") {
-				pubKeyString, err := getKMSPublicKey(ctx, authority.Key.KMS)
-				if err != nil {
-					return nil, err
-				}
-
-				authority.Key.Data = pubKeyString
-				authority.Key.KMS = ""
+		if authority.Key != nil && strings.Contains(authority.Key.KMS, "://") {
+			pubKeyString, err := getKMSPublicKey(ctx, authority.Key.KMS)
+			if err != nil {
+				return nil, err
 			}
+
+			authority.Key.Data = pubKeyString
+			authority.Key.KMS = ""
 		}
 	}
 	return ret, nil

pkg/reconciler/clusterimagepolicy/clusterimagepolicy_test.go

@@ -511,8 +511,9 @@ func TestReconcile(t *testing.T) {
 				AssertTrackingSecret(system.Namespace(), keylessSecretName),
 			},
 		}, {
-			Name:                    "ClusterImagePolicy with glob and KMS key, added the data after querying the fake signer",
-			Key:                     cipKMSName,
+			Name: "ClusterImagePolicy with glob and KMS key, added the data after querying the fake signer",
+			Key:  cipKMSName,
+
 			SkipNamespaceValidation: true, // Cluster scoped
 			Objects: []runtime.Object{
 				NewClusterImagePolicy(cipKMSName,
@@ -557,7 +558,35 @@ func TestReconcile(t *testing.T) {
 			WantPatches: []clientgotesting.PatchActionImpl{
 				makePatch(replaceCIPKeySourcePatch),
 			},
-		}, {}}
+		}, {
+			Name: "ClusterImagePolicy with glob and KMS key, for unsupported KMS provider",
+			Key:  cipKMSName,
+
+			// gcpkms:// is not enabled in tests; this test serves
+			// as an extra check that "real" KMS providers like GCP
+			// aren't enabled in dependencies of this test.
+			SkipNamespaceValidation: true, // Cluster scoped
+			Objects: []runtime.Object{
+				NewClusterImagePolicy(cipKMSName,
+					WithImagePattern(v1alpha1.ImagePattern{
+						Glob: glob,
+					}),
+					WithAuthority(v1alpha1.Authority{
+						Key: &v1alpha1.KeyRef{
+							KMS: "gcpkms://blah",
+						}},
+					)),
+				makeEmptyConfigMap(), // Make the existing configmap
+			},
+			WantErr: true,
+			WantPatches: []clientgotesting.PatchActionImpl{
+				patchFinalizers(system.Namespace(), cipKMSName),
+			},
+			WantEvents: []string{
+				Eventf(corev1.EventTypeNormal, "FinalizerUpdate", `Updated "test-kms-cip" finalizers`),
+				Eventf(corev1.EventTypeWarning, "InternalError", `no kms provider found for key reference: gcpkms://blah`),
+			},
+		}}
 
 	logger := logtesting.TestLogger(t)
 	table.Test(t, MakeFactory(func(ctx context.Context, listers *Listers, cmw configmap.Watcher) controller.Reconciler {