Skip to content

Use issued certificate in request to Rekor #1491

Use issued certificate in request to Rekor

Use issued certificate in request to Rekor #1491

Workflow file for this run

name: Fulcio&Rekor E2E Tests Using Release
on:
pull_request:
branches: [ main ]
paths-ignore:
- 'terraform/**'
defaults:
run:
shell: bash
working-directory: ./
concurrency:
group: fulcio-rekor-kind-using-release-${{ github.head_ref }}
cancel-in-progress: true
jobs:
fulcio-rekor-ctlog-tests-using-release:
name: e2e tests using release
runs-on: ubuntu-latest
strategy:
fail-fast: false # Keep running if one leg fails.
matrix:
k8s-version:
- v1.23.x
- v1.24.x
- v1.25.x
# TODO: enable after next release.
# - 1.26.x
leg:
- fulcio rekor ctlog e2e
go-version:
- 1.21.x
env:
RELEASE_VERSION: "v0.5.1"
KO_DOCKER_REPO: registry.local:5000/knative
KOCACHE: ~/ko
COSIGN_EXPERIMENTAL: "true"
steps:
- uses: chainguard-dev/actions/setup-mirror@main
- uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
- name: Set up Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ matrix.go-version }}
check-latest: true
- uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
- name: Setup Cluster
# TODO: update after next release.
uses: chainguard-dev/actions/setup-kind@main
id: kind
with:
k8s-version: ${{ matrix.k8s-version }}
registry-authority: registry.local:5000
cluster-suffix: cluster.local
service-account-issuer: https://kubernetes.default.svc.cluster.local
- name: Setup Knative
uses: chainguard-dev/actions/setup-knative@main
with:
version: "1.8.x"
serving-features: >
{
"kubernetes.podspec-fieldref": "enabled"
}
- name: Install scaffolding
timeout-minutes: 10
run: |
curl -Lo /tmp/setup-scaffolding-from-release.sh https://github.com/sigstore/scaffolding/releases/download/${{ env.RELEASE_VERSION }}/setup-scaffolding-from-release.sh
chmod u+x /tmp/setup-scaffolding-from-release.sh
/tmp/setup-scaffolding-from-release.sh --release-version ${{ env.RELEASE_VERSION }}
# TODO(vaikas): Figure out how these could be exposed by above.
REKOR_URL=$(kubectl -n rekor-system get ksvc rekor -ojsonpath='{.status.url}')
FULCIO_URL=$(kubectl -n fulcio-system get ksvc fulcio -ojsonpath='{.status.url}')
FULCIO_GRPC_URL=$(kubectl -n fulcio-system get ksvc fulcio-grpc -ojsonpath='{.status.url}')
CTLOG_URL=$(kubectl -n ctlog-system get ksvc ctlog -ojsonpath='{.status.url}')
TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}')
TSA_URL=$(kubectl -n tsa-system get ksvc tsa -ojsonpath='{.status.url}')
# Set the endopints
echo "REKOR_URL=$REKOR_URL" >> $GITHUB_ENV
echo "FULCIO_URL=$FULCIO_URL" >> $GITHUB_ENV
echo "FULCIO_GRPC_URL=$FULCIO_GRPC_URL" >> $GITHUB_ENV
echo "CTLOG_URL=$CTLOG_URL" >> $GITHUB_ENV
echo "TUF_MIRROR=$TUF_MIRROR" >> $GITHUB_ENV
echo "TSA_URL=$TSA_URL" >> $GITHUB_ENV
# Make copy of the tuf root in the default namespace for tests
kubectl -n tuf-system get secrets tuf-root -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl create -f -
- name: Create sample image
run: |
pushd $(mktemp -d)
go mod init example.com/demo-with-release
cat <<EOF > main.go
package main
import "fmt"
func main() {
fmt.Println("hello world")
}
EOF
demoimage=`ko publish -B example.com/demo-with-release`
echo "demoimage=$demoimage" >> $GITHUB_ENV
echo Created image $demoimage
popd
- name: Run test jobs on the cluster
run: |
curl -L https://github.com/sigstore/scaffolding/releases/download/${{ env.RELEASE_VERSION }}/testrelease.yaml | kubectl apply -f -
kubectl wait --for=condition=Complete --timeout=240s job/sign-job
kubectl wait --for=condition=Complete --timeout=240s job/verify-job
- name: Get the issuer url endpoint on the cluster
run: |
ISSUER_URL=$(kubectl get ksvc gettoken -ojsonpath='{.status.url}')
echo "ISSUER_URL=$ISSUER_URL" >> $GITHUB_ENV
OIDC_TOKEN=$(curl -s $ISSUER_URL)
echo "OIDC_TOKEN=$OIDC_TOKEN" >> $GITHUB_ENV
- name: Initialize cosign with our TUF root
run: cosign initialize --mirror ${{ env.TUF_MIRROR }} --root ./root.json
- name: Sign with cosign from the action using k8s token
run: |
cosign sign --yes --rekor-url ${{ env.REKOR_URL }} --fulcio-url ${{ env.FULCIO_URL }} --allow-insecure-registry ${{ env.demoimage }} --identity-token ${{ env.OIDC_TOKEN }}
- name: Verify with cosign from the action using k8s token
run: |
cosign verify --rekor-url "${{ env.REKOR_URL }}" \
--allow-insecure-registry "${{ env.demoimage }}" \
--certificate-identity "https://kubernetes.io/namespaces/default/serviceaccounts/default" \
--certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local"
- name: Checkout TSA for testing.
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
with:
repository: sigstore/timestamp-authority
path: ./src/github.com/sigstore/timestamp-authority
- name: Build timestamp-cli
working-directory: ./src/github.com/sigstore/timestamp-authority
run: |
go build -o ./timestamp-cli ./cmd/timestamp-cli
- name: Exercise TSA
working-directory: ./src/github.com/sigstore/timestamp-authority
run: |
curl ${{ env.TSA_URL }}/api/v1/timestamp/certchain > ts_chain.pem
echo "myblob" > myblob
if ! ./timestamp-cli --timestamp_server ${{ env.TSA_URL }} timestamp --hash sha256 --artifact myblob --out response.tsr ; then
echo "failed to timestamp artifact"
exit -1
fi
if ! ./timestamp-cli verify --timestamp response.tsr --artifact "myblob" --certificate-chain ts_chain.pem ; then
echo "failed to verify timestamp"
exit -1
fi
if ! ./timestamp-cli inspect --timestamp response.tsr --format json ; then
echo "failed to inspect the timestamp"
exit -1
fi
- name: Collect diagnostics
if: ${{ failure() }}
uses: chainguard-dev/actions/kind-diag@main