ci: add sigstore e2e test suite#2062
Conversation
rebased, if this is green, I don't see a problem merging it

I am extending this significantly to test some auto policy features based off of what's in the trustbundle. The idea is to bridge the gap between our existing heuristic/implicit behaviors for Fulcio/Rekor to also support TSA (which GitHub uses for immutable releases). Once we uniformly implement our existing auto behaviors, Flux users with private/hybrid/third-party sigstore stacks will be able to combine whichever key and trust materials they desire.

Realistically, people will be dynamically loading trustBundles/TUF-roots into these SecretRefs which could change how the verify policy evaluates. Flux already supports overriding the global TUF root, so that is a considerable part of this as well. Also, whether we choose to support or not-support per-resource TUF roots.

Lastly, there's the topic of TLS/mTLS connections to verification endpoints that are not the OCI registry. We may need to plumb some additional cert fields in. Alternatively, we could load them from a separate, optional data field in the TrustBundle Secret? Not sure if that would violate the spirit of the verification material or not.
| - name: Setup cosign | ||
| env: | ||
| COSIGN_VERSION: v3.0.6 | ||
| COSIGN_SHA256: c956e5dfcac53d52bcf058360d579472f0c1d2d9b69f55209e256fe7783f4c74 | ||
| run: | | ||
| curl -fsSL "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-amd64" -o /usr/local/bin/cosign | ||
| echo "${COSIGN_SHA256} /usr/local/bin/cosign" | sha256sum -c - | ||
| chmod +x /usr/local/bin/cosign | ||
| - name: Setup Flux CLI | ||
| run: curl -fsSL https://fluxcd.io/install.sh | bash |
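Review bot: the `Setup Flux CLI` step pipes `https://fluxcd.io/install.sh` straight into `bash` with no version pin and no integrity check, while the `Setup cosign` step just above pins `COSIGN_VERSION` and verifies the binary with `echo "${COSIGN_SHA256} /usr/local/bin/cosign" | sha256sum -c -`. Apply the same treatment to the flux CLI (download a pinned release and check its checksum), or move both installs to their GitHub Actions so the pinned versions are visible to dependabot.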
These should be GH Actions so that dependabot can update them.
| kubectl -n fulcio-system get cm fulcio-server-config -o json | \ | ||
| python3 -c " | ||
| import json, sys | ||
| cm = json.load(sys.stdin) | ||
| config = json.loads(cm['data']['config.json']) | ||
| config['OIDCIssuers']['https://kubernetes.default.svc.cluster.local'] = { | ||
| 'IssuerURL': 'https://kubernetes.default.svc.cluster.local', | ||
| 'ClientID': 'sigstore', | ||
| 'Type': 'kubernetes' | ||
| } | ||
| cm['data']['config.json'] = json.dumps(config, indent=2) | ||
| json.dump(cm, sys.stdout) | ||
| " | kubectl apply -f - |
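Review bot: `config['OIDCIssuers'][...] = {...}` assumes `config.json` already contains an `OIDCIssuers` object and raises `KeyError` otherwise; use `config.setdefault('OIDCIssuers', {})[...] = {...}` so the patch also works on a config with no issuers yet. The step also re-applies the full `kubectl get -o json` output, so it carries server-populated metadata back into the apply; stripping `metadata.resourceVersion`, `metadata.uid` and `metadata.managedFields` before `kubectl apply -f -` keeps the step idempotent on re-runs.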
Let's rewrite this with yq, no need to introduce python3 in our test suite.
The diff in this file should vanish after rebasing, as we split OCIRepositoryVerification into OCIRepositoryVerification and HelmChartVerification
@stealthybox Are the changes in this file just refactors to allow testing? Are there any significant changes in behavior? If this is safe, we can backport this PR in v1.9.1 so users get the field description improvements in the CRD via k explain ocirepo.spec.verify.trustedRootSecretRef
Add a self-contained harness for exercising cosign verification against a local Sigstore stack on kind. The Makefile drives cluster creation, zot (referrers API) and registry:2 (tag fallback) registries, the sigstore scaffold Helm release, an RFC3161 timestamp authority, the source-controller image build and load, and the cosign CLI fetch.

Run the sigstore suite in CI in parallel with the existing e2e job via make targets, installing cosign and the flux CLI through their actions.

Assisted-by: GitHub Copilot CLI/gpt-5.5
Assisted-by: Kiro/opus-4.8
Signed-off-by: leigh capili <leigh@null.net>
Signed-off-by: leigh capili <leigh@null.net>
Add test-signing.sh and OCIRepository fixtures exercising the cosign verification flows source-controller already supports: v2/v3 key-pair, v2/v3 keyless with a custom trusted_root.json, v3 key-pair with tlog, combined secretRef plus trustedRootSecretRef, registry auth, and registry:2 tag fallback. Negative cases assert Ready=False with reason VerificationError for a wrong key, wrong identity, and wrong Rekor key.

Assisted-by: GitHub Copilot CLI/gpt-5.5
Assisted-by: Kiro/opus-4.8
Signed-off-by: leigh capili <leigh@null.net>
/me *takes a deep breath* days_lost_to_mysql_5-7++
Add a parallel CI job that deploys a local sigstore stack and runs
verification tests against it.
hack infra:
tests:
Runs concurrently with the existing kind-linux-amd64 job -- hopefully I've set this up right