From 640448bb27346a4c51b66ef6775c48f59cb5d6be Mon Sep 17 00:00:00 2001 From: Ville Aikas <11279988+vaikas@users.noreply.github.com> Date: Tue, 9 Aug 2022 23:07:33 +0300 Subject: [PATCH] FIX Broken main action . Test with 0.4.1 release (#277) * Test with 0.4.1 release, also add a new action that tests with tuf. Clean up some code. Signed-off-by: Ville Aikas * Actually build the demo image. Signed-off-by: Ville Aikas * need go / ko too. Signed-off-by: Ville Aikas --- .github/workflows/test-action-tuf.yaml | 96 ++++++++++++++++++++++++++ .github/workflows/test-action.yaml | 6 +- .github/workflows/test-release.yaml | 50 ++++++-------- actions/setup/action.yml | 66 +++++++++++++----- hack/setup-scaffolding-from-release.sh | 11 ++- hack/setup-scaffolding.sh | 10 +++ 6 files changed, 190 insertions(+), 49 deletions(-) create mode 100644 .github/workflows/test-action-tuf.yaml diff --git a/.github/workflows/test-action-tuf.yaml b/.github/workflows/test-action-tuf.yaml new file mode 100644 index 000000000..b9cca75c6 --- /dev/null +++ b/.github/workflows/test-action-tuf.yaml 
@@ -0,0 +1,96 @@ +name: Test github action with TUF + +on: + pull_request: + branches: [ main ] + +defaults: + run: + shell: bash + working-directory: ./ + +concurrency: + group: test-github-action-with-tuf${{ github.head_ref }} + cancel-in-progress: true + +jobs: + test-github-action: + name: Test github action with TUF + runs-on: ubuntu-latest + strategy: + fail-fast: false # Keep running if one leg fails. + matrix: + k8s-version: + - v1.22.x + - v1.23.x + - v1.24.x + + release-version: + - "latest-release" # Test explicitly with latest + - "v0.4.1" # Test version with TUF + + go-version: + - 1.18 + + leg: + - test github action + env: + KO_DOCKER_REPO: registry.local:5000/knative + COSIGN_EXPERIMENTAL: "true" + + steps: + - name: Checkout the current action + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2 + - name: Test running the action + uses: ./actions/setup + with: + k8s-version: ${{ matrix.k8s-version }} + version: ${{ matrix.release-version }} + + # Install cosign + - name: Install cosign + uses: sigstore/cosign-installer@09a077b27eb1310dcfb21981bee195b30ce09de0 # v2.3.0 + + - name: Set up Go + uses: actions/setup-go@84cbf8094393cdc5fe1fe1671ff2647332956b1a # v3.2.0 + with: + go-version: ${{ matrix.go-version }} + check-latest: true + + # Setup ko + - uses: imjasonh/setup-ko@78eea08f10db87a7a23a666a4a6fe2734f2eeb8d # v0.4 + with: + version: tip + + - name: Create sample image + run: | + pushd $(mktemp -d) + go mod init example.com/demo-action-with-tuf + cat < main.go + package main + import "fmt" + func main() { + fmt.Println("hello world") + } + EOF + demoimage=`ko publish -B example.com/demo-action-with-tuf` + echo "demoimage=$demoimage" >> $GITHUB_ENV + echo Created image $demoimage + popd + + - name: Initialize cosign with TUF root + run: | + kubectl -n tuf-system get secrets tuf-root -ojsonpath='{.data.root}' | base64 -d > ./root.json + cosign initialize --mirror ${{ env.TUF_MIRROR }} --root ./root.json + + - name: Sign with 
cosign from the action using k8s token + run: | + cosign sign --rekor-url ${{ env.REKOR_URL }} --fulcio-url ${{ env.FULCIO_URL }} --force --allow-insecure-registry ${{ env.demoimage }} --identity-token ${{ env.OIDC_TOKEN }} + + - name: Verify with cosign from the action using k8s token + run: | + cosign verify --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }} + + - name: Collect diagnostics + if: ${{ failure() }} + uses: chainguard-dev/actions/kind-diag@main diff --git a/.github/workflows/test-action.yaml b/.github/workflows/test-action.yaml index 113119d80..cb3d977f4 100644 --- a/.github/workflows/test-action.yaml +++ b/.github/workflows/test-action.yaml @@ -21,7 +21,9 @@ jobs: fail-fast: false # Keep running if one leg fails. matrix: k8s-version: + - v1.21.x - v1.22.x + # 1.23 missing nb: https://github.com/sigstore/scaffolding/issues/81 release-version: - "v0.3.0" # Test version without TUF leg: @@ -35,4 +37,6 @@ jobs: with: k8s-version: ${{ matrix.k8s-version }} version: ${{ matrix.release-version }} - + - name: Collect diagnostics + if: ${{ failure() }} + uses: chainguard-dev/actions/kind-diag@main diff --git a/.github/workflows/test-release.yaml b/.github/workflows/test-release.yaml index 020ae56ca..c9cb46690 100644 --- a/.github/workflows/test-release.yaml +++ b/.github/workflows/test-release.yaml @@ -30,7 +30,7 @@ jobs: - 1.18 env: - RELEASE_VERSION: "v0.4.0" + RELEASE_VERSION: "v0.4.1" KO_DOCKER_REPO: registry.local:5000/knative KOCACHE: ~/ko COSIGN_EXPERIMENTAL: "true" 
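Review bot: The sign step runs `cosign sign ... --identity-token ${{ env.OIDC_TOKEN }}`, and a `${{ }}` expression is substituted into the script text before the runner executes and prints it, so the token lands verbatim in the job log; reading it from the process environment instead, `--identity-token "$OIDC_TOKEN"`, keeps it out of the printed command (anything appended to $GITHUB_ENV is already visible to the shell). The same substitution style is used for `${{ env.demoimage }}` and the URL variables, where it only costs shell quoting but could be `"$demoimage"` for consistency. The diagnostics step pins `chainguard-dev/actions/kind-diag@main` to a moving branch while every other `uses:` in this file is pinned to a full commit SHA with a version comment; pinning it the same way keeps the workflow's supply-chain posture uniform, and the same `@main` reference is added by the test-action.yaml hunk that follows. `cat < main.go ... EOF` looks like a heredoc whose `<<EOF >` was lost in rendering; if the checked-in file really reads `cat < main.go`, the step fails on a missing file before the image is built.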
@@ -62,32 +62,33 @@ jobs: - name: Setup Knative uses: chainguard-dev/actions/setup-knative@main with: - version: "1.5.0" + version: "1.2.0" serving-features: > { "kubernetes.podspec-fieldref": "enabled" } - # Remove after we cut the release that has setup-scaffolding-from-release.sh - - name: Check out our repo - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2 - - name: Install scaffolding timeout-minutes: 10 run: | - #curl -Lo /tmp/setup-scaffolding-from-release.sh https://github.com/sigstore/scaffolding/releases/download/${{ env.RELEASE_VERSION }}/setup-scaffolding-from-release.sh - #chmod u+x /tmp/setup-scaffolding-from-release.sh - #/tmp/setup-scaffolding-from-release.sh - # TODO(vaikas): Once we release this, use the curl above. - ./hack/setup-scaffolding-from-release.sh + curl -Lo /tmp/setup-scaffolding-from-release.sh https://github.com/sigstore/scaffolding/releases/download/${{ env.RELEASE_VERSION }}/setup-scaffolding-from-release.sh + chmod u+x /tmp/setup-scaffolding-from-release.sh + /tmp/setup-scaffolding-from-release.sh - - name: Initialize cosign with our custom tuf root and make root copy - run: | - kubectl -n tuf-system get secrets tuf-root -ojsonpath='{.data.root}' | base64 -d > ./root.json - TUF_MIRROR=`kubectl -n tuf-system get --no-headers ksvc tuf | cut -d ' ' -f 4` + # TODO(vaikas): Remove these after 0.4.2 once these get set by script. 
+ REKOR_URL=$(kubectl -n rekor-system get ksvc rekor -ojsonpath='{.status.url}') + FULCIO_URL=$(kubectl -n fulcio-system get ksvc fulcio -ojsonpath='{.status.url}') + CTLOG_URL=$(kubectl -n ctlog-system get ksvc ctlog -ojsonpath='{.status.url}') + TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}') + + # Set the endopints + echo "REKOR_URL=$REKOR_URL" >> $GITHUB_ENV + echo "FULCIO_URL=$FULCIO_URL" >> $GITHUB_ENV + echo "CTLOG_URL=$CTLOG_URL" >> $GITHUB_ENV echo "TUF_MIRROR=$TUF_MIRROR" >> $GITHUB_ENV - # Then initialize cosign + cosign initialize --mirror $TUF_MIRROR --root ./root.json + # Make copy of the tuf root in the default namespace for tests kubectl -n tuf-system get secrets tuf-root -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl create -f - 
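Review bot: The install step downloads `setup-scaffolding-from-release.sh` with `curl -Lo` and then executes it, but without `--fail` curl exits 0 on an HTTP error and saves the error body to the file, which is then run; `curl -fsSLo /tmp/setup-scaffolding-from-release.sh https://github.com/sigstore/scaffolding/releases/download/${{ env.RELEASE_VERSION }}/setup-scaffolding-from-release.sh` makes a bad release URL fail at the download instead of as a confusing shell error (the actions/setup/action.yml hunk adds the same download line and wants the same flag). The comment `# Set the endopints` should read `# Set the endpoints`. The Knative pin moves from `1.5.0` down to `1.2.0` with no explanation; a one-line comment on why the older release is required would stop the next reader from treating it as a typo.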
@@ -109,24 +110,15 @@ jobs: - name: Run test jobs on the cluster run: | - curl -L https://github.com/sigstore/scaffolding/releases/download/v0.4.0/testrelease.yaml | kubectl apply -f - + curl -L https://github.com/sigstore/scaffolding/releases/download/${{ env.RELEASE_VERSION }}/testrelease.yaml | kubectl apply -f - kubectl wait --for=condition=Complete --timeout=240s job/sign-job kubectl wait --for=condition=Complete --timeout=240s job/verify-job - - name: Get the endpoints on the cluster + - name: Get the issuer url endpoint on the cluster run: | - REKOR_URL=`kubectl -n rekor-system get --no-headers ksvc rekor | cut -d ' ' -f 4` - echo "REKOR_URL=$REKOR_URL" >> $GITHUB_ENV - - FULCIO_URL=`kubectl -n fulcio-system get --no-headers ksvc fulcio | cut -d ' ' -f 4` - echo "FULCIO_URL=$FULCIO_URL" >> $GITHUB_ENV - - CTLOG_URL=`kubectl -n ctlog-system get --no-headers ksvc ctlog | cut -d ' ' -f 4` - echo "CTLOG_URL=$CTLOG_URL" >> $GITHUB_ENV - - ISSUER_URL=`kubectl get --no-headers ksvc gettoken | cut -d ' ' -f 4` + ISSUER_URL=$(kubectl get ksvc gettoken -ojsonpath='{.status.url}') echo "ISSUER_URL=$ISSUER_URL" >> $GITHUB_ENV - OIDC_TOKEN=`curl -s $ISSUER_URL` + OIDC_TOKEN=$(curl -s $ISSUER_URL) echo "OIDC_TOKEN=$OIDC_TOKEN" >> $GITHUB_ENV - name: Sign with cosign from the action using k8s token diff --git a/actions/setup/action.yml b/actions/setup/action.yml index 02b3dd792..36598871c 100644 --- a/actions/setup/action.yml +++ b/actions/setup/action.yml @@ -25,7 +25,7 @@ inputs: knative-version: description: 'Version of Knative to install (1.1.0, 1.1.1, etc.)' required: true - default: '1.5.0' + default: '1.2.0' registry-name: description: 'Name of the registry to install (registry.local)' required: true 
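Review bot: `OIDC_TOKEN=$(curl -s $ISSUER_URL)` in the rewritten token step silences curl but does not make it fail on an HTTP error, so a 404 or 5xx body is written into `OIDC_TOKEN` and on to $GITHUB_ENV, and the signing step later fails with an opaque error rather than here; `OIDC_TOKEN=$(curl -fsS "$ISSUER_URL")` stops the job at the real cause. Because the value is a bearer token that later steps expand into their command lines, a mask line before it is exported, `echo "::add-mask::$OIDC_TOKEN"`, keeps it redacted in the log. The identical two lines are added at the end of the actions/setup/action.yml hunk and want the same treatment. The step's shell options are outside the hunk, so whether an empty result would abort the step on its own cannot be confirmed from here.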
@@ -39,9 +39,9 @@ inputs: required: true default: 'cluster.local' k8s-version: - description: 'kubernetes version to install (v1.21.x, v1.22.x), default: v1.22.x' + description: 'kubernetes version to install (v1.21.x, v1.22.x), default: v1.24.x' required: true - default: 'v1.23.x' + default: 'v1.24.x' runs: using: "composite" steps: @@ -109,15 +109,6 @@ runs: kubectl wait --for=condition=Complete --timeout=180s job/checktree kubectl wait --for=condition=Complete --timeout=180s job/verify-job - REKOR_URL=`kubectl -n rekor-system get --no-headers ksvc rekor | cut -d ' ' -f 4` - echo "REKOR_URL=$REKOR_URL" >> $GITHUB_ENV - curl -s $REKOR_URL/api/v1/log/publicKey > ./rekor-public.pem - - FULCIO_URL=`kubectl -n fulcio-system get --no-headers ksvc fulcio | cut -d ' ' -f 4` - echo "FULCIO_URL=$FULCIO_URL" >> $GITHUB_ENV - CTLOG_URL=`kubectl -n ctlog-system get --no-headers ksvc ctlog | cut -d ' ' -f 4` - echo "CTLOG_URL=$CTLOG_URL" >> $GITHUB_ENV - kubectl -n ctlog-system get secrets ctlog-public-key -o=jsonpath='{.data.public}' | base64 -d > ./ctlog-public.pem echo "SIGSTORE_CT_LOG_PUBLIC_KEY_FILE=./ctlog-public.pem" >> $GITHUB_ENV 
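Review bot: The updated `k8s-version` description still lists only `v1.21.x, v1.22.x` as example values while the default it names becomes `v1.24.x`, so the input now documents a default that is absent from its own example list. `description: 'kubernetes version to install (v1.21.x, v1.22.x, v1.23.x, v1.24.x), default: v1.24.x'` matches the versions the new TUF workflow exercises in its matrix.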
@@ -125,14 +116,53 @@ runs: echo "SIGSTORE_ROOT_FILE=./fulcio-root.pem" >> $GITHUB_ENV echo "SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY=1" >> $GITHUB_ENV - - ISSUER_URL=`kubectl get --no-headers ksvc gettoken | cut -d ' ' -f 4` - echo "ISSUER_URL=$ISSUER_URL" >> $GITHUB_ENV - OIDC_TOKEN=`curl -s $ISSUER_URL` - echo "OIDC_TOKEN=$OIDC_TOKEN" >> $GITHUB_ENV else echo "This version does have support for TUF" - curl -Lo /tmp/setup-scaffolding.sh https://github.com/sigstore/scaffolding/releases/download/${tag}/setup-scaffolding-from-release.sh + curl -Lo /tmp/setup-scaffolding-from-release.sh https://github.com/sigstore/scaffolding/releases/download/${tag}/setup-scaffolding-from-release.sh chmod u+x /tmp/setup-scaffolding-from-release.sh /tmp/setup-scaffolding-from-release.sh + # We set this here because the other leg doesn't have it. + TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}') + echo "TUF_MIRROR=$TUF_MIRROR" >> $GITHUB_ENV + + # Make copy of the tuf root in the default namespace for tests + kubectl -n tuf-system get secrets tuf-root -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl create -f - + + echo "Installing and running scaffolding tests to be up and running" + curl -L https://github.com/sigstore/scaffolding/releases/download/${tag}/testrelease.yaml | kubectl create -f - + + kubectl wait --for=condition=Complete --timeout=180s job/sign-job + kubectl wait --for=condition=Complete --timeout=180s job/verify-job + + # For backward compatibility, add in the old env variables + # TODO(vaikas): Remove the rest of this block. + kubectl -n ctlog-system get secrets ctlog-public-key -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl apply -f - + + # Also grab the secret from the fulcio-system namespace and make a copy + # in our namespace so we can get access to the Fulcio public key + # so we can verify against it. 
+ kubectl -n fulcio-system get secrets fulcio-secret -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl apply -f - + + kubectl -n ctlog-system get secrets ctlog-public-key -o=jsonpath='{.data.public}' | base64 -d > ./ctlog-public.pem + echo "SIGSTORE_CT_LOG_PUBLIC_KEY_FILE=./ctlog-public.pem" >> $GITHUB_ENV + + kubectl -n fulcio-system get secrets fulcio-secret -ojsonpath='{.data.cert}' | base64 -d > ./fulcio-root.pem + echo "SIGSTORE_ROOT_FILE=./fulcio-root.pem" >> $GITHUB_ENV + echo "SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY=1" >> $GITHUB_ENV fi + + REKOR_URL=$(kubectl -n rekor-system get ksvc rekor -ojsonpath='{.status.url}') + FULCIO_URL=$(kubectl -n fulcio-system get ksvc fulcio -ojsonpath='{.status.url}') + CTLOG_URL=$(kubectl -n ctlog-system get ksvc ctlog -ojsonpath='{.status.url}') + ISSUER_URL=$(kubectl get ksvc gettoken -ojsonpath='{.status.url}') + + # Grab an OIDC token too. + OIDC_TOKEN=$(curl -s $ISSUER_URL) + echo "OIDC_TOKEN=$OIDC_TOKEN" >> $GITHUB_ENV + + # And set the env variables for Github action visibility + echo "REKOR_URL=$REKOR_URL" >> $GITHUB_ENV + echo "FULCIO_URL=$FULCIO_URL" >> $GITHUB_ENV + echo "CTLOG_URL=$CTLOG_URL" >> $GITHUB_ENV + echo "ISSUER_URL=$ISSUER_URL" >> $GITHUB_ENV + diff --git a/hack/setup-scaffolding-from-release.sh b/hack/setup-scaffolding-from-release.sh index 175e5e121..3a8addd19 100755 --- a/hack/setup-scaffolding-from-release.sh +++ b/hack/setup-scaffolding-from-release.sh @@ -84,7 +84,6 @@ echo '::endgroup::' echo '::group:: Install TUF' kubectl apply -f ${TUF} - # Then copy the secrets (even though it's all public stuff, certs, public keys) # to the tuf-system namespace so that we can construct a tuf root out of it. kubectl -n ctlog-system get secrets ctlog-public-key -oyaml | sed 's/namespace: .*/namespace: tuf-system/' | kubectl apply -f - 
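Review bot: The backward-compatibility block copies the whole `fulcio-secret` from `fulcio-system` into `default` with `kubectl -n fulcio-system get secrets fulcio-secret -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl apply -f -`, although its own comment says only the Fulcio public key is wanted and the next lines read `.data.cert` straight from `fulcio-system`; if that secret also holds Fulcio's signing key, which its name suggests but this hunk cannot confirm, the copy puts the key into the namespace the sign/verify test jobs run in. Unless some consumer reads it from `default` (the compatibility comment hints at one but nothing here shows it), dropping the copy or replacing it with a secret carrying only the `cert` key keeps the test cluster's exposure where it was; the `ctlog-public-key` copy above it is public material and is fine. The comment `# For backward compatibility, add in the old env variables` sits over the two secret copies, which set no env variables; moving it down to the `SIGSTORE_*` lines it describes would help. The `${tag}` variable and the `if` this `else` belongs to are defined before the hunk.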
@@ -103,3 +102,13 @@ kubectl -n tuf-system get secrets tuf-root -ojsonpath='{.data.root}' | base64 -d echo "tuf root installed into ./root.json" +# Get the endpoints for various services and expose them +# as env vars. +REKOR_URL=$(kubectl -n rekor-system get ksvc rekor -ojsonpath='{.status.url}') +export REKOR_URL +FULCIO_URL=$(kubectl -n fulcio-system get ksvc fulcio -ojsonpath='{.status.url}') +export FULCIO_URL +CTLOG_URL=$(kubectl -n ctlog-system get ksvc ctlog -ojsonpath='{.status.url}') +export CTLOG_URL +TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}') +export TUF_MIRROR diff --git a/hack/setup-scaffolding.sh b/hack/setup-scaffolding.sh index c12086aeb..80cbaf72d 100755 --- a/hack/setup-scaffolding.sh +++ b/hack/setup-scaffolding.sh @@ -102,3 +102,13 @@ kubectl -n tuf-system get secrets tuf-root -ojsonpath='{.data.root}' | base64 -d echo "tuf root installed into ./root.json" +# Get the endpoints for various services and expose them +# as env vars. +REKOR_URL=$(kubectl -n rekor-system get ksvc rekor -ojsonpath='{.status.url}') +export REKOR_URL +FULCIO_URL=$(kubectl -n fulcio-system get ksvc fulcio -ojsonpath='{.status.url}') +export FULCIO_URL +CTLOG_URL=$(kubectl -n ctlog-system get ksvc ctlog -ojsonpath='{.status.url}') +export CTLOG_URL +TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}') +export TUF_MIRROR
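Review bot: The exported `REKOR_URL`/`FULCIO_URL`/`CTLOG_URL`/`TUF_MIRROR` lines appended here, and identically in the hack/setup-scaffolding.sh hunk, only reach a caller that sources the script; the actions/setup/action.yml hunk executes `/tmp/setup-scaffolding-from-release.sh` as a child process and then re-runs the same four `kubectl get ksvc` lookups, and the test-release.yaml hunk carries a TODO to drop its copies "once these get set by script", which an `export` in a subprocess will never achieve. If the intent is for the callers to pick these up, the script should also write them where a step can see them, e.g. `if [ -n "${GITHUB_ENV:-}" ]; then echo "REKOR_URL=$REKOR_URL" >> "$GITHUB_ENV"; fi` per variable, or the callers should `source` the script. Keeping the same ten lines in both scripts also invites drift; a small helper file sourced by both would keep them in one place. Whether an empty lookup result aborts the script depends on options set above the hunk, which are not visible here.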