-
Notifications
You must be signed in to change notification settings - Fork 57
172 lines (149 loc) · 6.36 KB
/
test-release.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
name: Fulcio&Rekor E2E Tests Using Release
on:
pull_request:
branches: [ main ]
paths-ignore:
- 'terraform/**'
defaults:
run:
shell: bash
working-directory: ./
concurrency:
group: fulcio-rekor-kind-using-release-${{ github.head_ref }}
cancel-in-progress: true
jobs:
fulcio-rekor-ctlog-tests-using-release:
name: e2e tests using release
runs-on: ubuntu-latest
strategy:
fail-fast: false # Keep running if one leg fails.
matrix:
k8s-version:
- v1.25.x
- v1.26.x
- v1.27.x
- v1.28.x
- v1.29.x
leg:
- fulcio rekor ctlog e2e
go-version:
- 1.21.x
env:
RELEASE_VERSION: "v0.6.9"
KO_DOCKER_REPO: registry.local:5000/knative
KOCACHE: ~/ko
COSIGN_EXPERIMENTAL: "true"
steps:
- uses: chainguard-dev/actions/setup-mirror@main
- uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
- name: Set up Go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ matrix.go-version }}
check-latest: true
- uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
- name: Setup Cluster
# TODO: update after next release.
uses: chainguard-dev/actions/setup-kind@main
id: kind
with:
k8s-version: ${{ matrix.k8s-version }}
registry-authority: registry.local:5000
cluster-suffix: cluster.local
service-account-issuer: https://kubernetes.default.svc.cluster.local
- name: Setup Knative
uses: chainguard-dev/actions/setup-knative@main
with:
version: "1.8.x"
serving-features: >
{
"kubernetes.podspec-fieldref": "enabled"
}
- name: Install scaffolding
timeout-minutes: 10
run: |
curl -Lo /tmp/setup-scaffolding-from-release.sh https://github.com/sigstore/scaffolding/releases/download/${{ env.RELEASE_VERSION }}/setup-scaffolding-from-release.sh
chmod u+x /tmp/setup-scaffolding-from-release.sh
/tmp/setup-scaffolding-from-release.sh --release-version ${{ env.RELEASE_VERSION }}
# TODO(vaikas): Figure out how these could be exposed by above.
REKOR_URL=$(kubectl -n rekor-system get ksvc rekor -ojsonpath='{.status.url}')
FULCIO_URL=$(kubectl -n fulcio-system get ksvc fulcio -ojsonpath='{.status.url}')
FULCIO_GRPC_URL=$(kubectl -n fulcio-system get ksvc fulcio-grpc -ojsonpath='{.status.url}')
CTLOG_URL=$(kubectl -n ctlog-system get ksvc ctlog -ojsonpath='{.status.url}')
TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}')
TSA_URL=$(kubectl -n tsa-system get ksvc tsa -ojsonpath='{.status.url}')
# Set the endopints
echo "REKOR_URL=$REKOR_URL" >> $GITHUB_ENV
echo "FULCIO_URL=$FULCIO_URL" >> $GITHUB_ENV
echo "FULCIO_GRPC_URL=$FULCIO_GRPC_URL" >> $GITHUB_ENV
echo "CTLOG_URL=$CTLOG_URL" >> $GITHUB_ENV
echo "TUF_MIRROR=$TUF_MIRROR" >> $GITHUB_ENV
echo "TSA_URL=$TSA_URL" >> $GITHUB_ENV
# Make copy of the tuf root in the default namespace for tests
kubectl -n tuf-system get secrets tuf-root -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl create -f -
- name: Create sample image
run: |
pushd $(mktemp -d)
go mod init example.com/demo-with-release
cat <<EOF > main.go
package main
import "fmt"
func main() {
fmt.Println("hello world")
}
EOF
demoimage=`ko publish -B example.com/demo-with-release`
echo "demoimage=$demoimage" >> $GITHUB_ENV
echo Created image $demoimage
popd
- name: Run test jobs on the cluster
run: |
curl -L https://github.com/sigstore/scaffolding/releases/download/${{ env.RELEASE_VERSION }}/testrelease.yaml | kubectl apply -f -
kubectl wait --for=condition=Complete --timeout=240s job/sign-job
kubectl wait --for=condition=Complete --timeout=240s job/verify-job
- name: Get the issuer url endpoint on the cluster
run: |
ISSUER_URL=$(kubectl get ksvc gettoken -ojsonpath='{.status.url}')
echo "ISSUER_URL=$ISSUER_URL" >> $GITHUB_ENV
OIDC_TOKEN=$(curl -s $ISSUER_URL)
echo "OIDC_TOKEN=$OIDC_TOKEN" >> $GITHUB_ENV
- name: Initialize cosign with our TUF root
run: cosign initialize --mirror ${{ env.TUF_MIRROR }} --root ./root.json
- name: Sign with cosign from the action using k8s token
run: |
cosign sign --yes --rekor-url ${{ env.REKOR_URL }} --fulcio-url ${{ env.FULCIO_URL }} --allow-insecure-registry ${{ env.demoimage }} --identity-token ${{ env.OIDC_TOKEN }}
- name: Verify with cosign from the action using k8s token
run: |
cosign verify --rekor-url "${{ env.REKOR_URL }}" \
--allow-insecure-registry "${{ env.demoimage }}" \
--certificate-identity "https://kubernetes.io/namespaces/default/serviceaccounts/default" \
--certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local"
- name: Checkout TSA for testing.
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
repository: sigstore/timestamp-authority
path: ./src/github.com/sigstore/timestamp-authority
- name: Build timestamp-cli
working-directory: ./src/github.com/sigstore/timestamp-authority
run: |
go build -o ./timestamp-cli ./cmd/timestamp-cli
- name: Exercise TSA
working-directory: ./src/github.com/sigstore/timestamp-authority
run: |
curl ${{ env.TSA_URL }}/api/v1/timestamp/certchain > ts_chain.pem
echo "myblob" > myblob
if ! ./timestamp-cli --timestamp_server ${{ env.TSA_URL }} timestamp --hash sha256 --artifact myblob --out response.tsr ; then
echo "failed to timestamp artifact"
exit -1
fi
if ! ./timestamp-cli verify --timestamp response.tsr --artifact "myblob" --certificate-chain ts_chain.pem ; then
echo "failed to verify timestamp"
exit -1
fi
if ! ./timestamp-cli inspect --timestamp response.tsr --format json ; then
echo "failed to inspect the timestamp"
exit -1
fi
- name: Collect diagnostics
if: ${{ failure() }}
uses: chainguard-dev/actions/kind-diag@main