upgrade default & add new k8s versions to improve coverage #819
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Key rotation for Fulcio E2E Tests | |
on: | |
pull_request: | |
branches: [ main ] | |
paths-ignore: | |
- 'terraform/**' | |
permissions: read-all | |
defaults: | |
run: | |
shell: bash | |
working-directory: ./src/github.com/sigstore/scaffolding | |
concurrency: | |
group: fulcio-key-rotation-${{ github.head_ref }} | |
cancel-in-progress: true | |
jobs: | |
fulcio-key-rotation: | |
name: e2e tests for fulcio key rotation | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false # Keep running if one leg fails. | |
matrix: | |
k8s-version: | |
- v1.26.x | |
leg: | |
- fulcio-key-rotation | |
go-version: | |
- 1.21.x | |
env: | |
GOPATH: ${{ github.workspace }} | |
GO111MODULE: on | |
GOFLAGS: -ldflags=-s -ldflags=-w | |
KO_DOCKER_REPO: registry.local:5000/knative | |
KOCACHE: ~/ko | |
COSIGN_EXPERIMENTAL: true | |
steps: | |
- uses: chainguard-dev/actions/setup-mirror@main | |
# https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds | |
- name: Set up Go | |
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 | |
with: | |
go-version: ${{ matrix.go-version }} | |
check-latest: true | |
- name: Check out our repo | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
path: ./src/github.com/sigstore/scaffolding | |
- uses: actions/cache@v3 | |
with: | |
# In order: | |
# * Module download cache | |
# * Build cache (Linux) | |
path: | | |
~/go/pkg/mod | |
~/.cache/go-build | |
${{ env.KOCACHE }} | |
key: ${{ runner.os }}-go-${{ matrix.go-version }}-${{ hashFiles('**/go.sum') }} | |
restore-keys: | | |
${{ runner.os }}-go-${{ matrix.go-version }}- | |
- uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6 | |
- uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2 | |
- name: Setup Cluster | |
uses: chainguard-dev/actions/setup-kind@main | |
id: kind | |
with: | |
k8s-version: ${{ matrix.k8s-version }} | |
registry-authority: registry.local:5000 | |
cluster-suffix: cluster.local | |
service-account-issuer: https://kubernetes.default.svc.cluster.local | |
- name: Setup Knative | |
uses: chainguard-dev/actions/setup-knative@main | |
with: | |
version: "1.8.x" | |
serving-features: > | |
{ | |
"kubernetes.podspec-fieldref": "enabled" | |
} | |
- name: Create sample image | |
run: | | |
pushd $(mktemp -d) | |
go mod init example.com/demo | |
cat <<EOF > main.go | |
package main | |
import "fmt" | |
func main() { | |
fmt.Println("hello world") | |
} | |
EOF | |
demoimage=`ko publish -B example.com/demo` | |
echo "demoimage=$demoimage" >> $GITHUB_ENV | |
echo Created image $demoimage | |
popd | |
- name: Install scaffolding | |
run: | | |
./hack/setup-scaffolding.sh | |
- name: Initialize cosign with our custom tuf root and make root copy | |
run: | | |
kubectl -n tuf-system get secrets tuf-root -ojsonpath='{.data.root}' | base64 -d > ./root.json | |
TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}') | |
echo "TUF_MIRROR=$TUF_MIRROR" >> $GITHUB_ENV | |
# Then initialize cosign | |
cosign initialize --mirror $TUF_MIRROR --root ./root.json | |
# Make copy of the tuf root in the default namespace for tests | |
kubectl -n tuf-system get secrets tuf-root -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl create -f - | |
- name: Run signing job in k8s using kubernetes tokens in the cluster | |
run: | | |
make ko-apply-sign-job | |
kubectl wait --for=condition=Complete --timeout=90s job/sign-job | |
- name: Verify the image with cosign using kubernetes tokens in the cluster | |
run: | | |
make ko-apply-verify-job | |
kubectl wait --for=condition=Complete --timeout=180s job/verify-job | |
- name: Install a Knative service for fetch tokens off the cluster | |
run: | | |
make ko-apply-gettoken | |
sleep 2 | |
kubectl wait --for=condition=Ready --timeout=15s ksvc gettoken | |
- name: Get the endpoints on the cluster | |
run: | | |
REKOR_URL=$(kubectl -n rekor-system get ksvc rekor -ojsonpath='{.status.url}') | |
echo "REKOR_URL=$REKOR_URL" >> $GITHUB_ENV | |
FULCIO_URL=$(kubectl -n fulcio-system get ksvc fulcio -ojsonpath='{.status.url}') | |
echo "FULCIO_URL=$FULCIO_URL" >> $GITHUB_ENV | |
#FULCIO_GRPC_URL=$(kubectl -n fulcio-system get ksvc fulcio-grpc -ojsonpath='{.status.url}') | |
#echo "FULCIO_GRPC_URL=$FULCIO_GRPC_URL" >> $GITHUB_ENV | |
CTLOG_URL=$(kubectl -n ctlog-system get ksvc ctlog -ojsonpath='{.status.url}') | |
echo "CTLOG_URL=$CTLOG_URL" >> $GITHUB_ENV | |
ISSUER_URL=$(kubectl get ksvc gettoken -ojsonpath='{.status.url}') | |
echo "ISSUER_URL=$ISSUER_URL" >> $GITHUB_ENV | |
OIDC_TOKEN=`curl -s $ISSUER_URL` | |
echo "OIDC_TOKEN=$OIDC_TOKEN" >> $GITHUB_ENV | |
- name: Sign with cosign from the action using k8s token | |
run: | | |
cosign sign --yes --rekor-url ${{ env.REKOR_URL }} --fulcio-url ${{ env.FULCIO_URL }} --allow-insecure-registry ${{ env.demoimage }} --identity-token ${{ env.OIDC_TOKEN }} | |
- name: Verify with cosign from the action using k8s token | |
run: | | |
cosign verify --rekor-url "${{ env.REKOR_URL }}" \ | |
--allow-insecure-registry "${{ env.demoimage }}" \ | |
--certificate-identity "https://kubernetes.io/namespaces/default/serviceaccounts/default" \ | |
--certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" | |
- name: Spin up a new Fulcio with new keys | |
run: | | |
ko apply -BRf ./testdata/config/new-fulcio | |
kubectl wait --timeout 5m -n fulcio-system --for=condition=Ready ksvc fulcio-new | |
NEW_FULCIO_URL=$(kubectl -n fulcio-system get ksvc fulcio-new -ojsonpath='{.status.url}') | |
echo "NEW_FULCIO_URL=$NEW_FULCIO_URL" >> $GITHUB_ENV | |
- name: Add new Fulcio to ctlog as trusted Fulcio | |
run: | | |
ko apply -BRf ./testdata/config/add-new-fulcio | |
sleep 2 | |
kubectl -n ctlog-system wait --for=condition=Complete --timeout=180s job/add-fulcio | |
- name: Restart ctlog pod | |
run: | | |
kubectl -n ctlog-system get pods -oname | xargs kubectl -n ctlog-system delete | |
sleep 10 | |
- name: Dump the trusted certs | |
run: | | |
curl ${{ env.CTLOG_URL }}/sigstorescaffolding/ct/v1/get-roots | jq .certificates | |
- name: Verify both Fulcio certs are there | |
run: | | |
go run ./cmd/ctlog/verifyfulcio/main.go \ | |
--ctlog-url ${{ env.CTLOG_URL }} \ | |
--log-prefix sigstorescaffolding \ | |
--fulcio ${{ env.FULCIO_URL }} \ | |
--fulcio ${{ env.NEW_FULCIO_URL }} | |
- name: Remove old Fulcio from ctlog as trusted Fulcio | |
run: | | |
ko apply -BRf ./testdata/config/remove-old-fulcio | |
sleep 2 | |
kubectl -n ctlog-system wait --for=condition=Complete --timeout=180s job/remove-fulcio | |
- name: Restart ctlog pod again to pick up the changes | |
run: | | |
kubectl -n ctlog-system get pods -oname | xargs kubectl -n ctlog-system delete | |
sleep 10 | |
- name: Dump the trusted certs | |
run: | | |
curl ${{ env.CTLOG_URL }}/sigstorescaffolding/ct/v1/get-roots | jq .certificates | |
- name: Verify that only new Fulcio cert is there | |
run: | | |
go run ./cmd/ctlog/verifyfulcio/main.go \ | |
--ctlog-url ${{ env.CTLOG_URL }} \ | |
--log-prefix sigstorescaffolding \ | |
--fulcio ${{ env.NEW_FULCIO_URL }} | |
# TODO: Add the new Fulcio to TUF root, sign & verify. | |
- name: Collect diagnostics | |
if: ${{ failure() }} | |
uses: chainguard-dev/actions/kind-diag@main | |
with: | |
artifact-name: logs.${{ matrix.k8s-version }} |