

FIX Broken main action . Test with 0.4.1 release (#277)
* Test with 0.4.1 release, also add a new action that
tests with tuf.
Clean up some code.

Signed-off-by: Ville Aikas <[email protected]>

* Actually build the demo image.

Signed-off-by: Ville Aikas <[email protected]>

* need go / ko too.

Signed-off-by: Ville Aikas <[email protected]>
vaikas authored Aug 9, 2022
1 parent 00a3794 commit 640448b
Showing 6 changed files with 190 additions and 49 deletions.
96 changes: 96 additions & 0 deletions .github/workflows/test-action-tuf.yaml
@@ -0,0 +1,96 @@
name: Test github action with TUF

on:
pull_request:
branches: [ main ]

defaults:
run:
shell: bash
working-directory: ./

concurrency:
group: test-github-action-with-tuf${{ github.head_ref }}
cancel-in-progress: true

jobs:
test-github-action:
name: Test github action with TUF
runs-on: ubuntu-latest
strategy:
fail-fast: false # Keep running if one leg fails.
matrix:
k8s-version:
- v1.22.x
- v1.23.x
- v1.24.x

release-version:
- "latest-release" # Test explicitly with latest
- "v0.4.1" # Test version with TUF

go-version:
- 1.18

leg:
- test github action
env:
KO_DOCKER_REPO: registry.local:5000/knative
COSIGN_EXPERIMENTAL: "true"

steps:
- name: Checkout the current action
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2
- name: Test running the action
uses: ./actions/setup
with:
k8s-version: ${{ matrix.k8s-version }}
version: ${{ matrix.release-version }}

# Install cosign
- name: Install cosign
uses: sigstore/cosign-installer@09a077b27eb1310dcfb21981bee195b30ce09de0 # v2.3.0

- name: Set up Go
uses: actions/setup-go@84cbf8094393cdc5fe1fe1671ff2647332956b1a # v3.2.0
with:
go-version: ${{ matrix.go-version }}
check-latest: true

# Setup ko
- uses: imjasonh/setup-ko@78eea08f10db87a7a23a666a4a6fe2734f2eeb8d # v0.4
with:
version: tip

- name: Create sample image
run: |
pushd $(mktemp -d)
go mod init example.com/demo-action-with-tuf
cat <<EOF > main.go
package main
import "fmt"
func main() {
fmt.Println("hello world")
}
EOF
demoimage=`ko publish -B example.com/demo-action-with-tuf`
echo "demoimage=$demoimage" >> $GITHUB_ENV
echo Created image $demoimage
popd
- name: Initialize cosign with TUF root
run: |
kubectl -n tuf-system get secrets tuf-root -ojsonpath='{.data.root}' | base64 -d > ./root.json
cosign initialize --mirror ${{ env.TUF_MIRROR }} --root ./root.json
- name: Sign with cosign from the action using k8s token
run: |
cosign sign --rekor-url ${{ env.REKOR_URL }} --fulcio-url ${{ env.FULCIO_URL }} --force --allow-insecure-registry ${{ env.demoimage }} --identity-token ${{ env.OIDC_TOKEN }}
- name: Verify with cosign from the action using k8s token
run: |
cosign verify --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }}
- name: Collect diagnostics
if: ${{ failure() }}
uses: chainguard-dev/actions/kind-diag@main
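Review bot: The `Collect diagnostics` step at the end of the job uses `chainguard-dev/actions/kind-diag@main`, a mutable branch ref, while every other action in this workflow (checkout, cosign-installer, setup-go, setup-ko) is pinned to a full commit SHA with a version comment; pin it the same way, `uses: chainguard-dev/actions/kind-diag@<commit-sha> # <version>` (placeholder, resolve the SHA before merging), and the same applies to the identical step added in `.github/workflows/test-action.yaml`. The `go-version` matrix entry `- 1.18` is an unquoted float, so a later `1.20` would be read as `1.2`; write it as `- "1.18"`. The sign and verify steps splice `${{ env.REKOR_URL }}`, `${{ env.demoimage }}` and `${{ env.OIDC_TOKEN }}` into the `run:` script text even though those values are already in the job environment; plain shell expansion (`$REKOR_URL`, `$demoimage`, `$OIDC_TOKEN`) is the conventional form and keeps the token value out of the echoed command line in the step log.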
6 changes: 5 additions & 1 deletion .github/workflows/test-action.yaml
Expand Up @@ -21,7 +21,9 @@ jobs:
fail-fast: false # Keep running if one leg fails.
matrix:
k8s-version:
- v1.21.x
- v1.22.x
# 1.23 missing nb: https://github.com/sigstore/scaffolding/issues/81
release-version:
- "v0.3.0" # Test version without TUF
leg:
Expand All @@ -35,4 +37,6 @@ jobs:
with:
k8s-version: ${{ matrix.k8s-version }}
version: ${{ matrix.release-version }}

- name: Collect diagnostics
if: ${{ failure() }}
uses: chainguard-dev/actions/kind-diag@main
50 changes: 21 additions & 29 deletions .github/workflows/test-release.yaml
Expand Up @@ -30,7 +30,7 @@ jobs:
- 1.18

env:
RELEASE_VERSION: "v0.4.0"
RELEASE_VERSION: "v0.4.1"
KO_DOCKER_REPO: registry.local:5000/knative
KOCACHE: ~/ko
COSIGN_EXPERIMENTAL: "true"
Expand Down Expand Up @@ -62,32 +62,33 @@ jobs:
- name: Setup Knative
uses: chainguard-dev/actions/setup-knative@main
with:
version: "1.5.0"
version: "1.2.0"
serving-features: >
{
"kubernetes.podspec-fieldref": "enabled"
}
# Remove after we cut the release that has setup-scaffolding-from-release.sh
- name: Check out our repo
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2

- name: Install scaffolding
timeout-minutes: 10
run: |
#curl -Lo /tmp/setup-scaffolding-from-release.sh https://github.com/sigstore/scaffolding/releases/download/${{ env.RELEASE_VERSION }}/setup-scaffolding-from-release.sh
#chmod u+x /tmp/setup-scaffolding-from-release.sh
#/tmp/setup-scaffolding-from-release.sh
# TODO(vaikas): Once we release this, use the curl above.
./hack/setup-scaffolding-from-release.sh
curl -Lo /tmp/setup-scaffolding-from-release.sh https://github.com/sigstore/scaffolding/releases/download/${{ env.RELEASE_VERSION }}/setup-scaffolding-from-release.sh
chmod u+x /tmp/setup-scaffolding-from-release.sh
/tmp/setup-scaffolding-from-release.sh
- name: Initialize cosign with our custom tuf root and make root copy
run: |
kubectl -n tuf-system get secrets tuf-root -ojsonpath='{.data.root}' | base64 -d > ./root.json
TUF_MIRROR=`kubectl -n tuf-system get --no-headers ksvc tuf | cut -d ' ' -f 4`
# TODO(vaikas): Remove these after 0.4.2 once these get set by script.
REKOR_URL=$(kubectl -n rekor-system get ksvc rekor -ojsonpath='{.status.url}')
FULCIO_URL=$(kubectl -n fulcio-system get ksvc fulcio -ojsonpath='{.status.url}')
CTLOG_URL=$(kubectl -n ctlog-system get ksvc ctlog -ojsonpath='{.status.url}')
TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}')
# Set the endopints
echo "REKOR_URL=$REKOR_URL" >> $GITHUB_ENV
echo "FULCIO_URL=$FULCIO_URL" >> $GITHUB_ENV
echo "CTLOG_URL=$CTLOG_URL" >> $GITHUB_ENV
echo "TUF_MIRROR=$TUF_MIRROR" >> $GITHUB_ENV
# Then initialize cosign
cosign initialize --mirror $TUF_MIRROR --root ./root.json
# Make copy of the tuf root in the default namespace for tests
kubectl -n tuf-system get secrets tuf-root -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl create -f -
Expand All @@ -109,24 +110,15 @@ jobs:
- name: Run test jobs on the cluster
run: |
curl -L https://github.com/sigstore/scaffolding/releases/download/v0.4.0/testrelease.yaml | kubectl apply -f -
curl -L https://github.com/sigstore/scaffolding/releases/download/${{ env.RELEASE_VERSION }}/testrelease.yaml | kubectl apply -f -
kubectl wait --for=condition=Complete --timeout=240s job/sign-job
kubectl wait --for=condition=Complete --timeout=240s job/verify-job
- name: Get the endpoints on the cluster
- name: Get the issuer url endpoint on the cluster
run: |
REKOR_URL=`kubectl -n rekor-system get --no-headers ksvc rekor | cut -d ' ' -f 4`
echo "REKOR_URL=$REKOR_URL" >> $GITHUB_ENV
FULCIO_URL=`kubectl -n fulcio-system get --no-headers ksvc fulcio | cut -d ' ' -f 4`
echo "FULCIO_URL=$FULCIO_URL" >> $GITHUB_ENV
CTLOG_URL=`kubectl -n ctlog-system get --no-headers ksvc ctlog | cut -d ' ' -f 4`
echo "CTLOG_URL=$CTLOG_URL" >> $GITHUB_ENV
ISSUER_URL=`kubectl get --no-headers ksvc gettoken | cut -d ' ' -f 4`
ISSUER_URL=$(kubectl get ksvc gettoken -ojsonpath='{.status.url}')
echo "ISSUER_URL=$ISSUER_URL" >> $GITHUB_ENV
OIDC_TOKEN=`curl -s $ISSUER_URL`
OIDC_TOKEN=$(curl -s $ISSUER_URL)
echo "OIDC_TOKEN=$OIDC_TOKEN" >> $GITHUB_ENV
- name: Sign with cosign from the action using k8s token
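Review bot: The `Install scaffolding` step fetches `setup-scaffolding-from-release.sh` with `curl -Lo` and executes it on the next lines; without `-f`, an HTTP error (for example an asset not yet published for `RELEASE_VERSION`) writes the error body into the file and the failure only surfaces later as a confusing shell error, so use `curl -fsSLo /tmp/setup-scaffolding-from-release.sh https://github.com/sigstore/scaffolding/releases/download/${{ env.RELEASE_VERSION }}/setup-scaffolding-from-release.sh`, and the same applies to `curl -L ... | kubectl apply -f -` in the `Run test jobs on the cluster` step and to the download in the TUF branch of `actions/setup/action.yml`. The script is also run with no integrity check beyond the pinned tag; if the scaffolding release publishes a checksum or signature for that asset (not visible on this page), verifying it before `chmod u+x` would close the gap between pinning a version and trusting the bytes that arrive. The step belongs to a job whose remaining steps continue past the hunk.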
66 changes: 48 additions & 18 deletions actions/setup/action.yml
Expand Up @@ -25,7 +25,7 @@ inputs:
knative-version:
description: 'Version of Knative to install (1.1.0, 1.1.1, etc.)'
required: true
default: '1.5.0'
default: '1.2.0'
registry-name:
description: 'Name of the registry to install (registry.local)'
required: true
Expand All @@ -39,9 +39,9 @@ inputs:
required: true
default: 'cluster.local'
k8s-version:
description: 'kubernetes version to install (v1.21.x, v1.22.x), default: v1.22.x'
description: 'kubernetes version to install (v1.21.x, v1.22.x), default: v1.24.x'
required: true
default: 'v1.23.x'
default: 'v1.24.x'
runs:
using: "composite"
steps:
Expand Down Expand Up @@ -109,30 +109,60 @@ runs:
kubectl wait --for=condition=Complete --timeout=180s job/checktree
kubectl wait --for=condition=Complete --timeout=180s job/verify-job
REKOR_URL=`kubectl -n rekor-system get --no-headers ksvc rekor | cut -d ' ' -f 4`
echo "REKOR_URL=$REKOR_URL" >> $GITHUB_ENV
curl -s $REKOR_URL/api/v1/log/publicKey > ./rekor-public.pem
FULCIO_URL=`kubectl -n fulcio-system get --no-headers ksvc fulcio | cut -d ' ' -f 4`
echo "FULCIO_URL=$FULCIO_URL" >> $GITHUB_ENV
CTLOG_URL=`kubectl -n ctlog-system get --no-headers ksvc ctlog | cut -d ' ' -f 4`
echo "CTLOG_URL=$CTLOG_URL" >> $GITHUB_ENV
kubectl -n ctlog-system get secrets ctlog-public-key -o=jsonpath='{.data.public}' | base64 -d > ./ctlog-public.pem
echo "SIGSTORE_CT_LOG_PUBLIC_KEY_FILE=./ctlog-public.pem" >> $GITHUB_ENV
kubectl -n fulcio-system get secrets fulcio-secret -ojsonpath='{.data.cert}' | base64 -d > ./fulcio-root.pem
echo "SIGSTORE_ROOT_FILE=./fulcio-root.pem" >> $GITHUB_ENV
echo "SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY=1" >> $GITHUB_ENV
ISSUER_URL=`kubectl get --no-headers ksvc gettoken | cut -d ' ' -f 4`
echo "ISSUER_URL=$ISSUER_URL" >> $GITHUB_ENV
OIDC_TOKEN=`curl -s $ISSUER_URL`
echo "OIDC_TOKEN=$OIDC_TOKEN" >> $GITHUB_ENV
else
echo "This version does have support for TUF"
curl -Lo /tmp/setup-scaffolding.sh https://github.com/sigstore/scaffolding/releases/download/${tag}/setup-scaffolding-from-release.sh
curl -Lo /tmp/setup-scaffolding-from-release.sh https://github.com/sigstore/scaffolding/releases/download/${tag}/setup-scaffolding-from-release.sh
chmod u+x /tmp/setup-scaffolding-from-release.sh
/tmp/setup-scaffolding-from-release.sh
# We set this here because the other leg doesn't have it.
TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}')
echo "TUF_MIRROR=$TUF_MIRROR" >> $GITHUB_ENV
# Make copy of the tuf root in the default namespace for tests
kubectl -n tuf-system get secrets tuf-root -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl create -f -
echo "Installing and running scaffolding tests to be up and running"
curl -L https://github.com/sigstore/scaffolding/releases/download/${tag}/testrelease.yaml | kubectl create -f -
kubectl wait --for=condition=Complete --timeout=180s job/sign-job
kubectl wait --for=condition=Complete --timeout=180s job/verify-job
# For backward compatibility, add in the old env variables
# TODO(vaikas): Remove the rest of this block.
kubectl -n ctlog-system get secrets ctlog-public-key -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl apply -f -
# Also grab the secret from the fulcio-system namespace and make a copy
# in our namespace so we can get access to the Fulcio public key
# so we can verify against it.
kubectl -n fulcio-system get secrets fulcio-secret -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl apply -f -
kubectl -n ctlog-system get secrets ctlog-public-key -o=jsonpath='{.data.public}' | base64 -d > ./ctlog-public.pem
echo "SIGSTORE_CT_LOG_PUBLIC_KEY_FILE=./ctlog-public.pem" >> $GITHUB_ENV
kubectl -n fulcio-system get secrets fulcio-secret -ojsonpath='{.data.cert}' | base64 -d > ./fulcio-root.pem
echo "SIGSTORE_ROOT_FILE=./fulcio-root.pem" >> $GITHUB_ENV
echo "SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY=1" >> $GITHUB_ENV
fi
REKOR_URL=$(kubectl -n rekor-system get ksvc rekor -ojsonpath='{.status.url}')
FULCIO_URL=$(kubectl -n fulcio-system get ksvc fulcio -ojsonpath='{.status.url}')
CTLOG_URL=$(kubectl -n ctlog-system get ksvc ctlog -ojsonpath='{.status.url}')
ISSUER_URL=$(kubectl get ksvc gettoken -ojsonpath='{.status.url}')
# Grab an OIDC token too.
OIDC_TOKEN=$(curl -s $ISSUER_URL)
echo "OIDC_TOKEN=$OIDC_TOKEN" >> $GITHUB_ENV
# And set the env variables for Github action visibility
echo "REKOR_URL=$REKOR_URL" >> $GITHUB_ENV
echo "FULCIO_URL=$FULCIO_URL" >> $GITHUB_ENV
echo "CTLOG_URL=$CTLOG_URL" >> $GITHUB_ENV
echo "ISSUER_URL=$ISSUER_URL" >> $GITHUB_ENV
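Review bot: `OIDC_TOKEN=$(curl -s $ISSUER_URL)` near the end of the hunk fetches the token with `-s` but no `-f`, so a non-2xx response or a not-yet-ready `gettoken` service yields an empty or HTML-bodied token that is silently written to `$GITHUB_ENV` and only fails later in `cosign sign`; use `OIDC_TOKEN=$(curl -fsS "$ISSUER_URL")` so this step fails instead. The token is then exported to every later step of the calling job and will appear verbatim in any `run:` line that interpolates `${{ env.OIDC_TOKEN }}` (as `test-action-tuf.yaml` does), so register it with the runner's log masking before writing it: `echo "::add-mask::$OIDC_TOKEN"`. In the first hunk the `k8s-version` description text hard-codes `default: v1.24.x` next to the actual `default:` field, which is exactly what drifted before (description said v1.22.x while the default was v1.23.x); drop the default from the description and let the `default:` key be the single source. The enclosing `run:` step begins before the hunk.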
11 changes: 10 additions & 1 deletion hack/setup-scaffolding-from-release.sh
Expand Up @@ -84,7 +84,6 @@ echo '::endgroup::'
echo '::group:: Install TUF'
kubectl apply -f ${TUF}


# Then copy the secrets (even though it's all public stuff, certs, public keys)
# to the tuf-system namespace so that we can construct a tuf root out of it.
kubectl -n ctlog-system get secrets ctlog-public-key -oyaml | sed 's/namespace: .*/namespace: tuf-system/' | kubectl apply -f -
Expand All @@ -103,3 +102,13 @@ kubectl -n tuf-system get secrets tuf-root -ojsonpath='{.data.root}' | base64 -d

echo "tuf root installed into ./root.json"

# Get the endpoints for various services and expose them
# as env vars.
REKOR_URL=$(kubectl -n rekor-system get ksvc rekor -ojsonpath='{.status.url}')
export REKOR_URL
FULCIO_URL=$(kubectl -n fulcio-system get ksvc fulcio -ojsonpath='{.status.url}')
export FULCIO_URL
CTLOG_URL=$(kubectl -n ctlog-system get ksvc ctlog -ojsonpath='{.status.url}')
export CTLOG_URL
TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}')
export TUF_MIRROR
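Review bot: The `export REKOR_URL` / `export FULCIO_URL` / `export CTLOG_URL` / `export TUF_MIRROR` lines only affect this script's own process and its children; both callers on this page run it as a child (`/tmp/setup-scaffolding-from-release.sh` in `test-release.yaml` and in the TUF branch of `actions/setup/action.yml`), so the values never reach the calling shell, and the `# TODO(vaikas): Remove these after 0.4.2 once these get set by script.` comment in `test-release.yaml` rests on an assumption that does not hold. If the intent is to hand the endpoints to the workflow, also append them to the runner's env file when one is present, `if [ -n "${GITHUB_ENV:-}" ]; then echo "REKOR_URL=$REKOR_URL" >> "$GITHUB_ENV"; fi` for each variable, or document that the script must be sourced. The identical block is added to `hack/setup-scaffolding.sh`. Each `-ojsonpath='{.status.url}'` lookup returns an empty string when the ksvc has no URL yet, so a guard such as `[ -n "$REKOR_URL" ] || { echo "rekor ksvc has no status.url"; exit 1; }` after each assignment would catch a half-ready cluster here rather than in a later cosign call.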
10 changes: 10 additions & 0 deletions hack/setup-scaffolding.sh
Expand Up @@ -102,3 +102,13 @@ kubectl -n tuf-system get secrets tuf-root -ojsonpath='{.data.root}' | base64 -d

echo "tuf root installed into ./root.json"

# Get the endpoints for various services and expose them
# as env vars.
REKOR_URL=$(kubectl -n rekor-system get ksvc rekor -ojsonpath='{.status.url}')
export REKOR_URL
FULCIO_URL=$(kubectl -n fulcio-system get ksvc fulcio -ojsonpath='{.status.url}')
export FULCIO_URL
CTLOG_URL=$(kubectl -n ctlog-system get ksvc ctlog -ojsonpath='{.status.url}')
export CTLOG_URL
TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}')
export TUF_MIRROR
