# End-to-end test of Fulcio signing-key rotation against a throwaway kind
# cluster: stand up scaffolding, sign/verify, bring up a second Fulcio,
# swap it into ctlog's trusted roots and drop the old one.
name: Key rotation for Fulcio E2E Tests

on:
  pull_request:
    branches:
      - main
    paths-ignore:
      - "terraform/**"

# Read-only GITHUB_TOKEN for every job: nothing here writes back to GitHub,
# and on pull_request the PR head's own scripts and manifests are executed.
# `contents: read` alone would be tighter still; confirm the diagnostics
# action at the end does not need any other read scope before narrowing.
permissions: read-all

# One in-flight run per PR branch; a newer push cancels the older run.
concurrency:
  group: fulcio-key-rotation-${{ github.head_ref }}
  cancel-in-progress: true

# Every `run:` step executes in the checkout below; `shell: bash` is run by
# the runner with -e and pipefail, so failed commands fail the step.
defaults:
  run:
    shell: bash
    working-directory: ./src/github.com/sigstore/scaffolding
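jobs:
  fulcio-key-rotation:
    name: e2e tests for fulcio key rotation
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false # Keep running if one leg fails.
      matrix:
        k8s-version:
          - v1.27.x
          - v1.28.x
          - v1.29.x
          - v1.30.x
        leg:
          - fulcio-key-rotation
        go-version:
          - 1.23.x
    env:
      # GOPATH is the workspace root, so Go's module cache is at
      # $GITHUB_WORKSPACE/pkg/mod (the cache step below refers to it).
      GOPATH: ${{ github.workspace }}
      GO111MODULE: on
      GOFLAGS: -ldflags=-s -ldflags=-w
      # ko pushes only to the registry that setup-kind runs on the runner.
      KO_DOCKER_REPO: registry.local:5000/knative
      KOCACHE: ~/ko
    steps:
      # NOTE(review): the chainguard-dev/actions steps in this job are pinned
      # to the mutable `main` branch, while the actions/* and sigstore/* steps
      # are pinned to commit SHAs. A push to that branch silently changes what
      # runs here; pin them to a reviewed SHA as well.
      - uses: chainguard-dev/actions/setup-mirror@main
      # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
      - name: Set up Go
        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
          go-version: ${{ matrix.go-version }}
          # Resolve the newest 1.23 patch rather than the runner-image copy.
          check-latest: true
      - name: Check out our repo
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          path: ./src/github.com/sigstore/scaffolding
      # NOTE(review): the only step still pinned to a tag instead of a SHA.
      - uses: actions/cache@v4
        with:
          # In order:
          # * Module download cache — under GOPATH (set in env above), not the
          #   default ~/go/pkg/mod, which is unused once GOPATH is overridden
          # * Build cache (Linux)
          # * ko build cache
          path: |
            ${{ env.GOPATH }}/pkg/mod
            ~/.cache/go-build
            ${{ env.KOCACHE }}
          key: ${{ runner.os }}-go-${{ matrix.go-version }}-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-${{ matrix.go-version }}-
      - uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7
      - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
      - name: Setup Cluster
        uses: chainguard-dev/actions/setup-kind@main
        id: kind
        with:
          k8s-version: ${{ matrix.k8s-version }}
          registry-authority: registry.local:5000
          cluster-suffix: cluster.local
          # Must match --certificate-oidc-issuer in the verify step below.
          service-account-issuer: https://kubernetes.default.svc.cluster.local
      - name: Setup Knative
        uses: chainguard-dev/actions/setup-knative@main
        with:
          version: "1.11.x"
          serving-features: >
            {
              "kubernetes.podspec-fieldref": "enabled"
            }
      # Build a trivial image to sign; its reference is exported as
      # $demoimage for the later steps.
      - name: Create sample image
        run: |
          pushd "$(mktemp -d)"
          go mod init example.com/demo
          cat <<EOF > main.go
          package main
          import "fmt"
          func main() {
            fmt.Println("hello world")
          }
          EOF
          demoimage="$(ko publish -B example.com/demo)"
          echo "demoimage=$demoimage" >> "$GITHUB_ENV"
          echo "Created image $demoimage"
          popd
      - name: Install scaffolding
        run: |
          ./hack/setup-scaffolding.sh
      - name: Initialize cosign with our custom tuf root and make root copy
        run: |
          # The TUF root is read straight out of the cluster this job just
          # built, so cosign trusts whatever the cluster says: fine for an e2e
          # test, not a pattern for a real client (use an out-of-band root).
          kubectl -n tuf-system get secrets tuf-root -ojsonpath='{.data.root}' | base64 -d > ./root.json
          TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}')
          echo "TUF_MIRROR=$TUF_MIRROR" >> "$GITHUB_ENV"
          # Then initialize cosign
          cosign initialize --mirror "$TUF_MIRROR" --root ./root.json
          # Make copy of the tuf root in the default namespace for tests
          kubectl -n tuf-system get secrets tuf-root -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl create -f -
      - name: Run signing job in k8s using kubernetes tokens in the cluster
        run: |
          make ko-apply-sign-job
          kubectl wait --for=condition=Complete --timeout=90s job/sign-job
      - name: Verify the image with cosign using kubernetes tokens in the cluster
        run: |
          make ko-apply-verify-job
          kubectl wait --for=condition=Complete --timeout=180s job/verify-job
      - name: Install a Knative service for fetch tokens off the cluster
        run: |
          make ko-apply-gettoken
          sleep 2
          kubectl wait --for=condition=Ready --timeout=15s ksvc gettoken
      # Export the service URLs (and one token) as env vars for later steps.
      - name: Get the endpoints on the cluster
        run: |
          REKOR_URL=$(kubectl -n rekor-system get ksvc rekor -ojsonpath='{.status.url}')
          echo "REKOR_URL=$REKOR_URL" >> "$GITHUB_ENV"
          FULCIO_URL=$(kubectl -n fulcio-system get ksvc fulcio -ojsonpath='{.status.url}')
          echo "FULCIO_URL=$FULCIO_URL" >> "$GITHUB_ENV"
          #FULCIO_GRPC_URL=$(kubectl -n fulcio-system get ksvc fulcio-grpc -ojsonpath='{.status.url}')
          #echo "FULCIO_GRPC_URL=$FULCIO_GRPC_URL" >> "$GITHUB_ENV"
          CTLOG_URL=$(kubectl -n ctlog-system get ksvc ctlog -ojsonpath='{.status.url}')
          echo "CTLOG_URL=$CTLOG_URL" >> "$GITHUB_ENV"
          # Despite the name, this is the gettoken service that hands out a
          # service-account token; the issuer the verify step checks is the
          # apiserver (service-account-issuer in Setup Cluster), not this URL.
          ISSUER_URL=$(kubectl get ksvc gettoken -ojsonpath='{.status.url}')
          echo "ISSUER_URL=$ISSUER_URL" >> "$GITHUB_ENV"
          # -f: an HTTP error fails this step here instead of storing an error
          # body as the "token" and failing the sign step later with an
          # unrelated-looking message.
          OIDC_TOKEN=$(curl -sSf "$ISSUER_URL")
          # The token is a bearer credential. It is short-lived and only valid
          # against this throwaway cluster, but mask it anyway so the runner
          # redacts it from the job log if any later step prints it.
          echo "::add-mask::$OIDC_TOKEN"
          echo "OIDC_TOKEN=$OIDC_TOKEN" >> "$GITHUB_ENV"
      # Values written to GITHUB_ENV are ordinary environment variables in the
      # following steps. Read them with shell expansion ("$X") instead of
      # splicing them into the script with ${{ env.X }}: a spliced value is
      # part of the script text, which the runner echoes to the job log (the
      # OIDC token included) and which the shell parses (metacharacters in the
      # value would be executed rather than passed as an argument).
      - name: Sign with cosign from the action using k8s token
        run: |
          cosign sign --yes \
            --rekor-url "$REKOR_URL" \
            --fulcio-url "$FULCIO_URL" \
            --allow-insecure-registry "$demoimage" \
            --identity-token "$OIDC_TOKEN"
      - name: Verify with cosign from the action using k8s token
        run: |
          cosign verify --rekor-url "$REKOR_URL" \
            --allow-insecure-registry "$demoimage" \
            --certificate-identity "https://kubernetes.io/namespaces/default/serviceaccounts/default" \
            --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local"
      # --- rotation: second Fulcio with fresh keys -------------------------
      - name: Spin up a new Fulcio with new keys
        run: |
          ko apply -BRf ./testdata/config/new-fulcio
          kubectl wait --timeout 5m -n fulcio-system --for=condition=Ready ksvc fulcio-new
          NEW_FULCIO_URL=$(kubectl -n fulcio-system get ksvc fulcio-new -ojsonpath='{.status.url}')
          echo "NEW_FULCIO_URL=$NEW_FULCIO_URL" >> "$GITHUB_ENV"
      - name: Add new Fulcio to ctlog as trusted Fulcio
        run: |
          ko apply -BRf ./testdata/config/add-new-fulcio
          sleep 2
          kubectl -n ctlog-system wait --for=condition=Complete --timeout=180s job/add-fulcio
      # ctlog is restarted to pick up the changed trusted-root set. The fixed
      # sleep is a best-effort wait for the replacement pod; if it is not up
      # in time the verify step below fails rather than passing vacuously.
      - name: Restart ctlog pod
        run: |
          kubectl -n ctlog-system get pods -oname | xargs kubectl -n ctlog-system delete
          sleep 10
      - name: Dump the trusted certs
        run: |
          # -f: fail loudly on an HTTP error instead of handing jq an error page.
          curl -sSf "$CTLOG_URL/sigstorescaffolding/ct/v1/get-roots" | jq .certificates
      - name: Verify both Fulcio certs are there
        run: |
          go run ./cmd/ctlog/verifyfulcio/main.go \
            --ctlog-url "$CTLOG_URL" \
            --log-prefix sigstorescaffolding \
            --fulcio "$FULCIO_URL" \
            --fulcio "$NEW_FULCIO_URL"
      - name: Remove old Fulcio from ctlog as trusted Fulcio
        run: |
          ko apply -BRf ./testdata/config/remove-old-fulcio
          sleep 2
          kubectl -n ctlog-system wait --for=condition=Complete --timeout=180s job/remove-fulcio
      - name: Restart ctlog pod again to pick up the changes
        run: |
          kubectl -n ctlog-system get pods -oname | xargs kubectl -n ctlog-system delete
          sleep 10
      - name: Dump the trusted certs
        run: |
          curl -sSf "$CTLOG_URL/sigstorescaffolding/ct/v1/get-roots" | jq .certificates
      # Positive check only: the new root is trusted and the old one is gone
      # from ctlog's advertised root set.
      - name: Verify that only new Fulcio cert is there
        run: |
          go run ./cmd/ctlog/verifyfulcio/main.go \
            --ctlog-url "$CTLOG_URL" \
            --log-prefix sigstorescaffolding \
            --fulcio "$NEW_FULCIO_URL"
      # TODO: Add the new Fulcio to TUF root, sign & verify.
      # TODO(review): also cover the negative path — after the old root is
      # removed, a signature backed by a cert from the old Fulcio should be
      # rejected, otherwise rotation is only shown to add trust, not remove it.
      - name: Collect diagnostics
        if: ${{ failure() }}
        uses: chainguard-dev/actions/kind-diag@main
        with:
          artifact-name: logs.${{ matrix.k8s-version }}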