diff --git a/.github/workflows/kind-cluster-image-policy.yaml b/.github/workflows/kind-cluster-image-policy.yaml index 463e22764d1..bc62fef0151 100644 --- a/.github/workflows/kind-cluster-image-policy.yaml +++ b/.github/workflows/kind-cluster-image-policy.yaml @@ -33,10 +33,14 @@ jobs: matrix: k8s-version: - v1.21.x + - v1.22.x + # Try without this one now, might have problems with job restartings + # may require upstream changes. + #- v1.23.x env: KNATIVE_VERSION: "1.1.0" - KO_DOCKER_REPO: "registry.local:5000/knative" + KO_DOCKER_REPO: "registry.local:5000/cosigned" SCAFFOLDING_RELEASE_VERSION: "v0.2.2" GO111MODULE: on GOFLAGS: -ldflags=-s -ldflags=-w @@ -44,13 +48,6 @@ jobs: COSIGN_EXPERIMENTAL: true steps: - - name: Configure DockerHub mirror - run: | - tmp=$(mktemp) - jq '."registry-mirrors" = ["https://mirror.gcr.io"]' /etc/docker/daemon.json > "$tmp" - sudo mv "$tmp" /etc/docker/daemon.json - sudo service docker restart - - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v2.4.0 - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # v2.2.0 with: 
@@ -59,20 +56,34 @@ jobs: # will use the latest release available for ko - uses: imjasonh/setup-ko@2c3450ca27f6e6f2b02e72a40f2163c281a1f675 # v0.4 - - name: Setup Cluster + - name: Install yq + uses: mikefarah/yq@03f57b7034d0330d54663881def67523347dfc9c # v4.16.2 + + - name: Setup mirror + uses: chainguard-dev/actions/setup-mirror@main + with: + mirror: mirror.gcr.io + + - name: build cosign run: | - curl -Lo ./setup-kind.sh https://github.com/sigstore/scaffolding/releases/download/${{ env.SCAFFOLDING_RELEASE_VERSION }}/setup-kind.sh - chmod u+x ./setup-kind.sh - ./setup-kind.sh \ - --registry-url $(echo ${KO_DOCKER_REPO} | cut -d'/' -f 1) \ - --cluster-suffix cluster.local \ - --k8s-version ${{ matrix.k8s-version }} \ - --knative-version ${KNATIVE_VERSION} - - - name: Install all the everythings + make cosign + + - name: Setup kind cluster + uses: chainguard-dev/actions/setup-kind@main + with: + k8s-version: "${{ matrix.k8s-version }}" + cluster-suffix: "${{ matrix.cluster-suffix }}" + + - name: Install knative + uses: chainguard-dev/actions/setup-knative@main + with: + serving-features: '{"kubernetes.podspec-fieldref":"enabled", "kubernetes.podspec-volumes-emptydir":"enabled", "kubernetes.podspec-init-containers": "enabled", "kubernetes.podspec-securitycontext":"enabled"}' + serving-autoscaler: '{"min-scale":"1","max-scale":"1"}' + + - name: Install all the everythings, fulcio, rekor, ctlog... timeout-minutes: 10 run: | - curl -L https://github.com/sigstore/scaffolding/releases/download/${{ env.SCAFFOLDING_RELEASE_VERSION }}/release.yaml | kubectl apply -f - + kubectl apply -f https://github.com/sigstore/scaffolding/releases/download/${{ env.SCAFFOLDING_RELEASE_VERSION }}/release.yaml # Wait for all the ksvc to be up. kubectl wait --timeout 10m -A --for=condition=Ready ksvc --all 
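Review bot: The three `chainguard-dev/actions/*@main` steps added in this hunk (setup-mirror, setup-kind, setup-knative) reference a mutable branch, while every other action in the workflow is pinned to a commit SHA with a version comment (for example the `mikefarah/yq@03f57b7034d0…  # v4.16.2` step in the same hunk); the same `@main` references are added in the kind-e2e-cosigned.yaml hunk `@@ -74,76 +57,16 @@`. Pin them the same way, e.g. `uses: chainguard-dev/actions/setup-kind@<COMMIT-SHA> # <version>`, so the cluster-bootstrap code that runs with the job's credentials cannot change underneath the workflow. Separately, `cluster-suffix: "${{ matrix.cluster-suffix }}"` reads a matrix key that the visible matrix in hunk `@@ -33,10 +33,14 @@` (only `k8s-version`) does not define, so it likely expands to an empty string unless an include block outside the hunk sets it; the sibling workflow passes `cluster-suffix: c${{ github.run_id }}.local` directly, which would be consistent here.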
@@ -89,7 +100,7 @@ jobs: # so we can verify against it. kubectl -n fulcio-system get secrets fulcio-secret -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl apply -f - - curl -L https://github.com/sigstore/scaffolding/releases/download/${{ env.SCAFFOLDING_RELEASE_VERSION }}/testrelease.yaml | kubectl create -f - + kubectl apply -f https://github.com/sigstore/scaffolding/releases/download/${{ env.SCAFFOLDING_RELEASE_VERSION }}/testrelease.yaml kubectl wait --for=condition=Complete --timeout=180s job/sign-job job/checktree job/verify-job @@ -146,7 +157,8 @@ jobs: sleep 2 kubectl wait --for=condition=Ready --timeout=15s ksvc gettoken - # These set up the env variables so that + # These set up the env variables so that we can invoke cosign against the + # cluster sigstore services (fulcio, rekor, etc.) - name: Set the endpoints on the cluster and grab secrets run: | REKOR_URL=`kubectl -n rekor-system get --no-headers ksvc rekor | cut -d ' ' -f 4` @@ -173,10 +185,6 @@ jobs: run: | kubectl apply -f ./test/testdata/cosigned/e2e/cip.yaml - - name: build cosign - run: | - make cosign - - name: Sign demoimage with cosign run: | ./cosign sign --rekor-url ${{ env.REKOR_URL }} --fulcio-url ${{ env.FULCIO_URL }} --force --allow-insecure-registry ${{ env.demoimage }} --identity-token ${{ env.OIDC_TOKEN }} diff --git a/.github/workflows/kind-e2e-cosigned.yaml b/.github/workflows/kind-e2e-cosigned.yaml index 749eaf46bef..dc4c77edc92 100644 --- a/.github/workflows/kind-e2e-cosigned.yaml +++ b/.github/workflows/kind-e2e-cosigned.yaml 
@@ -29,26 +29,9 @@ jobs: fail-fast: false # Keep running if one leg fails. matrix: k8s-version: - - v1.21.2 - - v1.22.4 - - v1.23.0 - - include: - # Map between K8s and KinD versions. - # This is attempting to make it a bit clearer what's being tested. - # See: https://github.com/kubernetes-sigs/kind/releases - - k8s-version: v1.21.2 - kind-version: v0.11.1 - kind-image-sha: sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6 - cluster-suffix: c${{ github.run_id }}.local - - k8s-version: v1.22.4 - kind-version: v0.11.1 - kind-image-sha: sha256:ca3587e6e545a96c07bf82e2c46503d9ef86fc704f44c17577fca7bcabf5f978 - cluster-suffix: c${{ github.run_id }}.local - - k8s-version: v1.23.0 - kind-version: v0.11.1 - kind-image-sha: sha256:2f93d3c7b12a3e93e6c1f34f331415e105979961fcddbe69a4e3ab5a93ccbb35 - cluster-suffix: c${{ github.run_id }}.local + - v1.21.x + - v1.22.x + - v1.23.x env: # https://github.com/google/go-containerregistry/pull/125 allows insecure registry for 
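Review bot: Removing the `include` block drops the `kind-image-sha` digests that pinned each `kindest/node` image, and the new `v1.21.x`/`v1.22.x`/`v1.23.x` entries are floating versions, so the node image a run uses is now whatever the setup-kind action (introduced in the later hunk `@@ -74,76 +57,16 @@`) resolves at run time rather than something fixed in this repository. If that action accepts an image digest or exact version input, carry the old digests over through the matrix; otherwise record the decision above `k8s-version:`, e.g. `# Node image selection and digest pinning are delegated to chainguard-dev/actions/setup-kind.`, so the weaker pin is deliberate rather than accidental.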
@@ -74,76 +57,16 @@ jobs: run: | go install ./cmd/cosign - # This KinD setup is based on what we use for knative/serving on GHA, and it includes several "fun" - # monkey wrenches (e.g. randomizing cluster suffix: `.svc.cluster.local`) to make sure we don't bake - # in any invalid assumptions about a particular Kubernetes configuration. - - name: Install KinD - run: | - set -x - # Disable swap otherwise memory enforcement doesn't work - # See: https://kubernetes.slack.com/archives/CEKK1KTN2/p1600009955324200 - sudo swapoff -a - sudo rm -f /swapfile - # Use in-memory storage to avoid etcd server timeouts. - # https://kubernetes.slack.com/archives/CEKK1KTN2/p1615134111016300 - # https://github.com/kubernetes-sigs/kind/issues/845 - sudo mkdir -p /tmp/etcd - sudo mount -t tmpfs tmpfs /tmp/etcd - go install sigs.k8s.io/kind@${{ matrix.kind-version }} - - - name: Configure KinD Cluster - run: | - set -x - # KinD configuration. - cat > kind.yaml <<EOF - apiVersion: kind.x-k8s.io/v1alpha4 - kind: Cluster - # Configure registry for KinD. - containerdConfigPatches: - - |- - [plugins."io.containerd.grpc.v1.cri".registry.mirrors."$REGISTRY_NAME:$REGISTRY_PORT"] - endpoint = ["http://$REGISTRY_NAME:$REGISTRY_PORT"] - # This is needed in order to support projected volumes with service account tokens. 
- # See: https://kubernetes.slack.com/archives/CEKK1KTN2/p1600268272383600 - kubeadmConfigPatches: - - | - apiVersion: kubeadm.k8s.io/v1beta2 - kind: ClusterConfiguration - metadata: - name: config - apiServer: - extraArgs: - "service-account-issuer": "kubernetes.default.svc" - "service-account-signing-key-file": "/etc/kubernetes/pki/sa.key" - networking: - dnsDomain: "${{ matrix.cluster-suffix }}" - nodes: - - role: control-plane - image: kindest/node:${{ matrix.k8s-version }}@${{ matrix.kind-image-sha }} - extraMounts: - - containerPath: /var/lib/etcd - hostPath: /tmp/etcd - - role: worker - image: kindest/node:${{ matrix.k8s-version }}@${{ matrix.kind-image-sha }} - EOF - - - name: Create KinD Cluster - run: | - set -x - kind create cluster --config kind.yaml - - - name: Setup local registry - run: | - # Run a registry. - docker run -d --restart=always \ - -p $REGISTRY_PORT:$REGISTRY_PORT --name $REGISTRY_NAME registry:2 - - # Connect the registry to the KinD network. - docker network connect "kind" $REGISTRY_NAME + - name: Setup mirror + uses: chainguard-dev/actions/setup-mirror@main + with: + mirror: mirror.gcr.io - # Make the $REGISTRY_NAME -> 127.0.0.1, to tell `ko` to publish to - # local reigstry, even when pushing $REGISTRY_NAME:$REGISTRY_PORT/some/image - sudo echo "127.0.0.1 $REGISTRY_NAME" | sudo tee -a /etc/hosts + - name: Setup kind cluster + uses: chainguard-dev/actions/setup-kind@main + with: + k8s-version: ${{ matrix.k8s-version }} + cluster-suffix: c${{ github.run_id }}.local - name: Setup local insecure registry run: | diff --git a/pkg/apis/config/image_policies_test.go b/pkg/apis/config/image_policies_test.go index 490c975f5c4..f4cca6b4cfb 100644 --- a/pkg/apis/config/image_policies_test.go +++ b/pkg/apis/config/image_policies_test.go @@ -117,6 +117,7 @@ func TestGetAuthorities(t *testing.T) { } func checkGetMatches(t *testing.T, c map[string][]v1alpha1.Authority, err error) { + t.Helper() if err != nil { t.Error("GetMatches Failed =", err) } 
diff --git a/pkg/cosign/kubernetes/webhook/validator.go b/pkg/cosign/kubernetes/webhook/validator.go
index 05e72c66eeb..3171ea215aa 100644
--- a/pkg/cosign/kubernetes/webhook/validator.go
+++ b/pkg/cosign/kubernetes/webhook/validator.go
@@ -278,7 +278,7 @@ func validatePolicies(ctx context.Context, ref name.Reference, defaultKC authn.K
 logging.FromContext(ctx).Debugf("Fetching FulcioRoot for %s : From: %s ", ref.Name(), authority.Keyless.URL)
 fulcioroot, err := getFulcioCert(authority.Keyless.URL)
 if err != nil {
- authorityErrors = append(authorityErrors, errors.Wrap(err, "failed to fetch FulcioRoot"))
+ authorityErrors = append(authorityErrors, errors.Wrap(err, "fetching FulcioRoot"))
 continue
 }
 var rekorClient *client.Rekor
@@ -293,8 +293,8 @@ func validatePolicies(ctx context.Context, ref name.Reference, defaultKC authn.K
 }
 sps, err := validSignaturesWithFulcio(ctx, ref, fulcioroot, rekorClient, opts)
 if err != nil {
- logging.FromContext(ctx).Errorf("failed validSignatures for %s: %v", ref.Name(), err)
- authorityErrors = append(authorityErrors, errors.Wrap(err, "validate signatures"))
+ logging.FromContext(ctx).Errorf("failed validSignatures with fulcio for %s: %v", ref.Name(), err)
+ authorityErrors = append(authorityErrors, errors.Wrap(err, "validate signatures with fulcio"))
 } else {
 if len(sps) > 0 {
 logging.FromContext(ctx).Debugf("validated signature for %s, got %d signatures", len(sps))
diff --git a/test/testdata/cosigned/e2e/cip.yaml b/test/testdata/cosigned/e2e/cip.yaml
index 432e92c688f..fffd246b8cc 100644
--- a/test/testdata/cosigned/e2e/cip.yaml
+++ b/test/testdata/cosigned/e2e/cip.yaml
@@ -18,7 +18,7 @@ metadata:
 name: image-policy
 spec:
 images:
- - glob: registry.local:5000/knative/demo*
+ - glob: registry.local:5000/cosigned/demo*
 authorities:
 - keyless:
 url: http://fulcio.fulcio-system.svc
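Review bot: The `Debugf("validated signature for %s, got %d signatures", len(sps))` line closing the `@@ -293,8 +293,8 @@` hunk has two verbs but a single argument, so `%s` is fed the int (printed as `%!s(int=N)`) and `%d` reports a missing argument; `go vet` flags this. It should read `logging.FromContext(ctx).Debugf("validated signature for %s, got %d signatures", ref.Name(), len(sps))`. In the error branch just above, the same failure is both logged with Errorf and appended to authorityErrors as a wrapped error, so it is reported twice; if authorityErrors reaches the caller, the log line could be dropped or lowered to Debug. validatePolicies starts and ends outside both hunks.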