Use issued certificate in request to Rekor #1491
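---
# End-to-end test of a released sigstore scaffolding (Fulcio, Rekor, CTLog,
# TUF mirror, TSA) on a kind cluster: install the release, sign and verify a
# sample image with cosign using a Kubernetes service-account token, then
# exercise the timestamp authority with timestamp-cli.
name: Fulcio&Rekor E2E Tests Using Release

on:  # yamllint disable-line rule:truthy
  pull_request:
    branches: [ main ]
    paths-ignore:
      - 'terraform/**'

# Least privilege for GITHUB_TOKEN: nothing below writes to the repository;
# the checkout of a public repository and the action downloads need read only.
permissions:
  contents: read

defaults:
  run:
    # An explicit `bash` shell runs each script with `-e -o pipefail`, so a
    # failing command or pipeline stage fails the step.
    shell: bash
    working-directory: ./

concurrency:
  group: fulcio-rekor-kind-using-release-${{ github.head_ref }}
  cancel-in-progress: true

jobs:
  fulcio-rekor-ctlog-tests-using-release:
    name: e2e tests using release
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false  # Keep running if one leg fails.
      matrix:
        k8s-version:
          - v1.23.x
          - v1.24.x
          - v1.25.x
          # TODO: enable after next release.
          # - 1.26.x
        # `leg` is not referenced by any step in this workflow; it only labels
        # the matrix entry in the run listing.
        leg:
          - fulcio rekor ctlog e2e
        go-version:
          - 1.21.x
    env:
      # Scaffolding release under test; quoted so it stays a string.
      RELEASE_VERSION: "v0.5.1"
      # Local registry created by setup-kind below (plain HTTP, hence
      # --allow-insecure-registry on the cosign calls).
      KO_DOCKER_REPO: registry.local:5000/knative
      KOCACHE: ~/ko
      # Quoted on purpose: cosign reads this as an environment string.
      COSIGN_EXPERIMENTAL: "true"
    steps:
      # NOTE(review): the chainguard-dev/actions references below float on
      # `main` while the other actions are pinned to a commit SHA; pin them
      # the same way once a known-good commit is chosen.
      - uses: chainguard-dev/actions/setup-mirror@main
      - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
      - name: Set up Go
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
          go-version: ${{ matrix.go-version }}
          check-latest: true
      - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
      - name: Setup Cluster
        # TODO: update after next release.
        uses: chainguard-dev/actions/setup-kind@main
        id: kind
        with:
          k8s-version: ${{ matrix.k8s-version }}
          registry-authority: registry.local:5000
          cluster-suffix: cluster.local
          # Must match --certificate-oidc-issuer in the verify step below.
          service-account-issuer: https://kubernetes.default.svc.cluster.local
      - name: Setup Knative
        uses: chainguard-dev/actions/setup-knative@main
        with:
          version: "1.8.x"
          # Folded scalar: passed to the action as a JSON document.
          serving-features: >
            {
              "kubernetes.podspec-fieldref": "enabled"
            }
      - name: Install scaffolding
        timeout-minutes: 10
        run: |
          # -f makes an HTTP error fail curl instead of saving an error page
          # and executing it as a shell script. The script is fetched over
          # TLS from the release assets and not otherwise verified; the
          # release itself is what this workflow tests.
          curl -fsSLo /tmp/setup-scaffolding-from-release.sh https://github.com/sigstore/scaffolding/releases/download/${{ env.RELEASE_VERSION }}/setup-scaffolding-from-release.sh
          chmod u+x /tmp/setup-scaffolding-from-release.sh
          /tmp/setup-scaffolding-from-release.sh --release-version ${{ env.RELEASE_VERSION }}
          # TODO(vaikas): Figure out how these could be exposed by above.
          REKOR_URL=$(kubectl -n rekor-system get ksvc rekor -ojsonpath='{.status.url}')
          FULCIO_URL=$(kubectl -n fulcio-system get ksvc fulcio -ojsonpath='{.status.url}')
          FULCIO_GRPC_URL=$(kubectl -n fulcio-system get ksvc fulcio-grpc -ojsonpath='{.status.url}')
          CTLOG_URL=$(kubectl -n ctlog-system get ksvc ctlog -ojsonpath='{.status.url}')
          TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}')
          TSA_URL=$(kubectl -n tsa-system get ksvc tsa -ojsonpath='{.status.url}')
          # Set the endpoints for the later steps.
          echo "REKOR_URL=$REKOR_URL" >> "$GITHUB_ENV"
          echo "FULCIO_URL=$FULCIO_URL" >> "$GITHUB_ENV"
          echo "FULCIO_GRPC_URL=$FULCIO_GRPC_URL" >> "$GITHUB_ENV"
          echo "CTLOG_URL=$CTLOG_URL" >> "$GITHUB_ENV"
          echo "TUF_MIRROR=$TUF_MIRROR" >> "$GITHUB_ENV"
          echo "TSA_URL=$TSA_URL" >> "$GITHUB_ENV"
          # Make copy of the tuf root in the default namespace for tests
          kubectl -n tuf-system get secrets tuf-root -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl create -f -
      - name: Create sample image
        run: |
          pushd "$(mktemp -d)"
          go mod init example.com/demo-with-release
          cat <<EOF > main.go
          package main
          import "fmt"
          func main() {
            fmt.Println("hello world")
          }
          EOF
          # ko prints the pushed image reference (with digest) on stdout.
          demoimage=$(ko publish -B example.com/demo-with-release)
          echo "demoimage=$demoimage" >> "$GITHUB_ENV"
          echo "Created image $demoimage"
          popd
      - name: Run test jobs on the cluster
        run: |
          # -f: do not feed an HTTP error page to kubectl apply.
          curl -fsSL https://github.com/sigstore/scaffolding/releases/download/${{ env.RELEASE_VERSION }}/testrelease.yaml | kubectl apply -f -
          kubectl wait --for=condition=Complete --timeout=240s job/sign-job
          kubectl wait --for=condition=Complete --timeout=240s job/verify-job
      - name: Get the issuer url endpoint on the cluster
        run: |
          ISSUER_URL=$(kubectl get ksvc gettoken -ojsonpath='{.status.url}')
          echo "ISSUER_URL=$ISSUER_URL" >> "$GITHUB_ENV"
          # The token is a credential for the ephemeral kind cluster created
          # above; exporting it via GITHUB_ENV makes it visible to every later
          # step of this job.
          OIDC_TOKEN=$(curl -fsS "$ISSUER_URL")
          echo "OIDC_TOKEN=$OIDC_TOKEN" >> "$GITHUB_ENV"
      - name: Initialize cosign with our TUF root
        # NOTE(review): ./root.json is expected in the working directory, yet
        # nothing in this workflow checks it out; presumably the scaffolding
        # setup script writes it — confirm.
        run: cosign initialize --mirror ${{ env.TUF_MIRROR }} --root ./root.json
      - name: Sign with cosign from the action using k8s token
        run: |
          cosign sign --yes --rekor-url ${{ env.REKOR_URL }} --fulcio-url ${{ env.FULCIO_URL }} --allow-insecure-registry ${{ env.demoimage }} --identity-token ${{ env.OIDC_TOKEN }}
      - name: Verify with cosign from the action using k8s token
        run: |
          # Identity and issuer pin the certificate to the default service
          # account of the cluster configured in the Setup Cluster step.
          cosign verify --rekor-url "${{ env.REKOR_URL }}" \
            --allow-insecure-registry "${{ env.demoimage }}" \
            --certificate-identity "https://kubernetes.io/namespaces/default/serviceaccounts/default" \
            --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local"
      - name: Checkout TSA for testing.
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          repository: sigstore/timestamp-authority
          path: ./src/github.com/sigstore/timestamp-authority
      - name: Build timestamp-cli
        working-directory: ./src/github.com/sigstore/timestamp-authority
        run: |
          go build -o ./timestamp-cli ./cmd/timestamp-cli
      - name: Exercise TSA
        working-directory: ./src/github.com/sigstore/timestamp-authority
        run: |
          # -f: an HTTP error must not leave an error page in ts_chain.pem.
          curl -fsS ${{ env.TSA_URL }}/api/v1/timestamp/certchain > ts_chain.pem
          echo "myblob" > myblob
          # `exit 1` replaces `exit -1`, which is not a valid status and is
          # reported by bash as 255.
          if ! ./timestamp-cli --timestamp_server ${{ env.TSA_URL }} timestamp --hash sha256 --artifact myblob --out response.tsr ; then
            echo "failed to timestamp artifact"
            exit 1
          fi
          if ! ./timestamp-cli verify --timestamp response.tsr --artifact "myblob" --certificate-chain ts_chain.pem ; then
            echo "failed to verify timestamp"
            exit 1
          fi
          if ! ./timestamp-cli inspect --timestamp response.tsr --format json ; then
            echo "failed to inspect the timestamp"
            exit 1
          fi
      - name: Collect diagnostics
        if: ${{ failure() }}
        uses: chainguard-dev/actions/kind-diag@main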