Modify test to use release v0.4.0, update getting-started. (#274)
* Modify test to use release, update getting-started.
Remove the pointer to legacy now that release is out.
Get ready for v0.4.1 release testing since we cannot
just test the v0.4.0 release without ko, so a new release
script needs to be added.
Conditional action execution for with/without TUF.

Signed-off-by: Ville Aikas <[email protected]>

* add fieldref featureflag for knative.
Fix correct way to set 1.24 k8s version
install go/ko for building test image

Signed-off-by: Ville Aikas <[email protected]>
vaikas authored Aug 9, 2022
1 parent 9473e9a commit 82de738
Showing 8 changed files with 268 additions and 107 deletions.
11 changes: 1 addition & 10 deletions .github/workflows/fulcio-rekor-kind.yaml
@@ -74,16 +74,7 @@ jobs:
with:
version: tip

- name: Check out cosign repo so we get the head of the main cosign
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2
with:
repository: sigstore/cosign
path: ./src/github.com/sigstore/cosign

- name: Install cosign
working-directory: ./src/github.com/sigstore/cosign
run: |
go install ./cmd/cosign
- uses: sigstore/cosign-installer@09a077b27eb1310dcfb21981bee195b30ce09de0 # v2.3.0

- name: Setup Cluster
uses: chainguard-dev/actions/setup-kind@main
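Review bot: Dropping the checkout-and-`go install` of sigstore/cosign changes what this job tests: it previously ran against the head of cosign main and now runs whatever version cosign-installer v2.3.0 installs by default, so regressions in cosign main will no longer surface here. If head coverage was intentional, keep a separate leg for it; otherwise print the installed cosign version in the step so the tested version is visible in the log. Pinning the action by commit SHA with the version in a trailing comment is the right pattern.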
8 changes: 5 additions & 3 deletions .github/workflows/test-action.yaml
@@ -1,4 +1,4 @@
name: Test github reusable action
name: Test github action

on:
pull_request:
@@ -21,9 +21,9 @@ jobs:
fail-fast: false # Keep running if one leg fails.
matrix:
k8s-version:
- v1.21.x
- v1.22.x

release-version:
- "v0.3.0" # Test version without TUF
leg:
- test github action

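Review bot: The new `release-version` matrix entry is pinned to `"v0.3.0"` with the comment `# Test version without TUF`, so this workflow only exercises the pre-TUF install path of `actions/setup`; the TUF branch that this same commit adds to the action is not covered by any leg here. Add a second matrix value (`"v0.4.0"`) so both branches of the version check run in CI.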
@@ -34,3 +34,5 @@ jobs:
uses: ./actions/setup
with:
k8s-version: ${{ matrix.k8s-version }}
version: ${{ matrix.release-version }}

108 changes: 80 additions & 28 deletions .github/workflows/test-release.yaml
@@ -21,20 +21,36 @@ jobs:
fail-fast: false # Keep running if one leg fails.
matrix:
k8s-version:
- v1.21.x
- v1.22.x

- v1.23.x
- v1.24.x
leg:
- fulcio rekor ctlog e2e
go-version:
- 1.18

env:
RELEASE_VERSION: "v0.3.0"
RELEASE_VERSION: "v0.4.0"
KO_DOCKER_REPO: registry.local:5000/knative
KOCACHE: ~/ko
COSIGN_EXPERIMENTAL: "true"

steps:
- uses: chainguard-dev/actions/setup-mirror@main

- uses: sigstore/cosign-installer@09a077b27eb1310dcfb21981bee195b30ce09de0 # v2.3.0

- name: Set up Go
uses: actions/setup-go@84cbf8094393cdc5fe1fe1671ff2647332956b1a # v3.2.0
with:
go-version: ${{ matrix.go-version }}
check-latest: true

# Setup ko
- uses: imjasonh/setup-ko@78eea08f10db87a7a23a666a4a6fe2734f2eeb8d # v0.4
with:
version: tip

- name: Setup Cluster
uses: chainguard-dev/actions/setup-kind@main
id: kind
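Review bot: `setup-ko` is pinned to a commit SHA, but `version: tip` then installs ko from the tip of its main branch, which makes the run non-reproducible and pulls unreviewed code into the job that builds and publishes the test image; pin a released ko version instead (the same applies to the `setup-ko` step in fulcio-rekor-kind.yaml). The rest of the bump reads consistently: `RELEASE_VERSION` to `"v0.4.0"`, `KO_DOCKER_REPO` pointing at the local mirror registry, and `COSIGN_EXPERIMENTAL` set for keyless signing.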
@@ -46,44 +62,80 @@ jobs:
- name: Setup Knative
uses: chainguard-dev/actions/setup-knative@main
with:
version: "1.1.0"
version: "1.5.0"
serving-features: >
{
"kubernetes.podspec-fieldref": "enabled"
}
# Remove after we cut the release that has setup-scaffolding-from-release.sh
- name: Check out our repo
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2

- name: Install all the everythings
- name: Install scaffolding
timeout-minutes: 10
run: |
curl -L https://github.com/sigstore/scaffolding/releases/download/${{ env.RELEASE_VERSION }}/release.yaml | kubectl apply -f -
#curl -Lo /tmp/setup-scaffolding-from-release.sh https://github.com/sigstore/scaffolding/releases/download/${{ env.RELEASE_VERSION }}/setup-scaffolding-from-release.sh
#chmod u+x /tmp/setup-scaffolding-from-release.sh
#/tmp/setup-scaffolding-from-release.sh
# TODO(vaikas): Once we release this, use the curl above.
./hack/setup-scaffolding-from-release.sh
# Wait for all the ksvc to be up.
kubectl wait --timeout 10m -A --for=condition=Ready ksvc --all
- name: Initialize cosign with our custom tuf root and make root copy
run: |
kubectl -n tuf-system get secrets tuf-root -ojsonpath='{.data.root}' | base64 -d > ./root.json
TUF_MIRROR=`kubectl -n tuf-system get --no-headers ksvc tuf | cut -d ' ' -f 4`
echo "TUF_MIRROR=$TUF_MIRROR" >> $GITHUB_ENV
# Then initialize cosign
cosign initialize --mirror $TUF_MIRROR --root ./root.json
# Make copy of the tuf root in the default namespace for tests
kubectl -n tuf-system get secrets tuf-root -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl create -f -
- name: Create sample image
run: |
pushd $(mktemp -d)
go mod init example.com/demo-with-release
cat <<EOF > main.go
package main
import "fmt"
func main() {
fmt.Println("hello world")
}
EOF
demoimage=`ko publish -B example.com/demo-with-release`
echo "demoimage=$demoimage" >> $GITHUB_ENV
echo Created image $demoimage
popd
- name: Run test jobs on the cluster
run: |
curl -L https://github.com/sigstore/scaffolding/releases/download/v0.4.0/testrelease.yaml | kubectl apply -f -
kubectl wait --for=condition=Complete --timeout=240s job/sign-job
kubectl wait --for=condition=Complete --timeout=240s job/verify-job
- name: Set the endpoints on the cluster
- name: Get the endpoints on the cluster
run: |
kubectl -n rekor-system get --no-headers ksvc rekor | cut -d ' ' -f 4
REKOR_URL=`kubectl -n rekor-system get --no-headers ksvc rekor | cut -d ' ' -f 4`
echo "REKOR_URL=$REKOR_URL" >> $GITHUB_ENV
- name: Run curl against Rekor
run: |
echo ${{ env.REKOR_URL }}
curl ${{ env.REKOR_URL }}/api/v1/log
FULCIO_URL=`kubectl -n fulcio-system get --no-headers ksvc fulcio | cut -d ' ' -f 4`
echo "FULCIO_URL=$FULCIO_URL" >> $GITHUB_ENV
- name: Run Tests
run: |
# Grab the secret from the ctlog-system namespace and make a copy
# in our namespace so we can get access to the CT Log public key
# so we can verify the SCT coming from there.
kubectl -n ctlog-system get secrets ctlog-public-key -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl apply -f -
CTLOG_URL=`kubectl -n ctlog-system get --no-headers ksvc ctlog | cut -d ' ' -f 4`
echo "CTLOG_URL=$CTLOG_URL" >> $GITHUB_ENV
# Also grab the secret from the fulcio-system namespace and make a copy
# in our namespace so we can get access to the Fulcio public key
# so we can verify against it.
kubectl -n fulcio-system get secrets fulcio-secret -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl apply -f -
ISSUER_URL=`kubectl get --no-headers ksvc gettoken | cut -d ' ' -f 4`
echo "ISSUER_URL=$ISSUER_URL" >> $GITHUB_ENV
OIDC_TOKEN=`curl -s $ISSUER_URL`
echo "OIDC_TOKEN=$OIDC_TOKEN" >> $GITHUB_ENV
curl -L https://github.com/sigstore/scaffolding/releases/download/${{ env.RELEASE_VERSION }}/testrelease.yaml | kubectl create -f -
- name: Sign with cosign from the action using k8s token
run: |
cosign sign --rekor-url ${{ env.REKOR_URL }} --fulcio-url ${{ env.FULCIO_URL }} --force --allow-insecure-registry ${{ env.demoimage }} --identity-token ${{ env.OIDC_TOKEN }}
kubectl wait --for=condition=Complete --timeout=180s job/sign-job
kubectl wait --for=condition=Complete --timeout=180s job/checktree
kubectl wait --for=condition=Complete --timeout=180s job/verify-job
- name: Verify with cosign from the action using k8s token
run: |
cosign verify --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }}
- name: Collect diagnostics
if: ${{ failure() }}
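Review bot: The `Run test jobs on the cluster` step hardcodes `v0.4.0` in the testrelease.yaml URL while the install step uses `${{ env.RELEASE_VERSION }}`; use the env var in both places, otherwise bumping `RELEASE_VERSION` will silently run one release's test jobs against another release's deployment. Two smaller points: the commented-out `curl`/`chmod` block plus the `TODO(vaikas)` should either be removed or tracked in an issue, and `TUF_MIRROR`, `REKOR_URL`, `FULCIO_URL`, `CTLOG_URL` and `ISSUER_URL` are all taken from column 4 of `kubectl get --no-headers ksvc` output, which breaks if the column layout changes; `-o jsonpath='{.status.url}'` is the stable form. Writing `OIDC_TOKEN` to `$GITHUB_ENV` is acceptable for this throwaway cluster issuer but should not be copied into workflows that use a real identity provider.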
1 change: 1 addition & 0 deletions .goreleaser.yaml
@@ -27,3 +27,4 @@ release:
- glob: "./testrelease.yaml"
- glob: "./hack/setup-kind.sh"
- glob: "./hack/setup-scaffolding.sh"
- glob: "./hack/setup-scaffolding-from-release.sh"
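Review bot: Adding `hack/setup-scaffolding-from-release.sh` to the release globs is required, since both `actions/setup/action.yml` and `getting-started.md` now fetch it from the release URL and execute it. Because consumers run it straight from `curl`, make sure the release also ships a checksum or signature for the script so it can be verified before execution; the globs visible here do not show one.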
110 changes: 63 additions & 47 deletions actions/setup/action.yml
@@ -19,13 +19,13 @@ branding:
color: green
inputs:
version:
description: 'Version of scaffolding to install (v0.2.2, v0.2.3 latest-release.)'
description: 'Version of scaffolding to install (v0.4.0, latest-release.)'
required: true
default: 'latest-release'
knative-version:
description: 'Version of Knative to install (1.1.0, 1.1.1, etc.)'
required: true
default: '1.1.0'
default: '1.5.0'
registry-name:
description: 'Name of the registry to install (registry.local)'
required: true
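Review bot: The `knative-version` default is bumped to `'1.5.0'` but its description still reads `(1.1.0, 1.1.1, etc.)`; update the example so the documented and default values match, as was done for the `version` input.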
@@ -41,7 +41,7 @@ inputs:
k8s-version:
description: 'kubernetes version to install (v1.21.x, v1.22.x), default: v1.22.x'
required: true
default: 'v1.22.x'
default: 'v1.23.x'
runs:
using: "composite"
steps:
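Review bot: The `k8s-version` default moves to `'v1.23.x'` but the description on the line above still says `(v1.21.x, v1.22.x), default: v1.22.x`; update it to list the supported versions (hack/setup-kind.sh in this same commit also accepts `v1.24.x`) and the new default.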
@@ -75,48 +75,64 @@ runs:
--k8s-version ${{ inputs.k8s-version }} \
--knative-version ${{ inputs.knative-version }}
echo "Installing sigstore scaffolding @ ${tag}"
kubectl apply -f https://github.com/sigstore/scaffolding/releases/download/${tag}/release.yaml
# Wait for all the scaffolding pieces to be up.
echo "waiting for all the knative services to be up and running"
kubectl wait --timeout 10m -A --for=condition=Ready ksvc --all
# Grab the secret from the ctlog-system namespace and make a copy
# in our namespace so we can get access to the CT Log public key
# so we can verify the SCT coming from there.
kubectl -n ctlog-system get secrets ctlog-public-key -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl apply -f -
# Also grab the secret from the fulcio-system namespace and make a copy
# in our namespace so we can get access to the Fulcio public key
# so we can verify against it.
kubectl -n fulcio-system get secrets fulcio-secret -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl apply -f -
echo "Installing and running scaffolding tests to be up and running"
curl -L https://github.com/sigstore/scaffolding/releases/download/${tag}/testrelease.yaml | kubectl create -f -
kubectl wait --for=condition=Complete --timeout=180s job/sign-job
kubectl wait --for=condition=Complete --timeout=180s job/checktree
kubectl wait --for=condition=Complete --timeout=180s job/verify-job
# At release v0.4.0 we added support for TUF, and rejiggered
# the install process, so check to see if we are running >=4
MINOR=$(echo $tag | cut -d '.' -f 2)
INSTALL_TUF="false"
if [ ${MINOR} -ge 4 ]; then
INSTALL_TUF="true"
fi
REKOR_URL=`kubectl -n rekor-system get --no-headers ksvc rekor | cut -d ' ' -f 4`
echo "REKOR_URL=$REKOR_URL" >> $GITHUB_ENV
curl -s $REKOR_URL/api/v1/log/publicKey > ./rekor-public.pem
FULCIO_URL=`kubectl -n fulcio-system get --no-headers ksvc fulcio | cut -d ' ' -f 4`
echo "FULCIO_URL=$FULCIO_URL" >> $GITHUB_ENV
CTLOG_URL=`kubectl -n ctlog-system get --no-headers ksvc ctlog | cut -d ' ' -f 4`
echo "CTLOG_URL=$CTLOG_URL" >> $GITHUB_ENV
kubectl -n ctlog-system get secrets ctlog-public-key -o=jsonpath='{.data.public}' | base64 -d > ./ctlog-public.pem
echo "SIGSTORE_CT_LOG_PUBLIC_KEY_FILE=./ctlog-public.pem" >> $GITHUB_ENV
kubectl -n fulcio-system get secrets fulcio-secret -ojsonpath='{.data.cert}' | base64 -d > ./fulcio-root.pem
echo "SIGSTORE_ROOT_FILE=./fulcio-root.pem" >> $GITHUB_ENV
echo "SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY=1" >> $GITHUB_ENV
ISSUER_URL=`kubectl get --no-headers ksvc gettoken | cut -d ' ' -f 4`
echo "ISSUER_URL=$ISSUER_URL" >> $GITHUB_ENV
OIDC_TOKEN=`curl -s $ISSUER_URL`
echo "OIDC_TOKEN=$OIDC_TOKEN" >> $GITHUB_ENV
echo "Installing sigstore scaffolding @ ${tag}"
if [ $INSTALL_TUF == "false" ]; then
echo "This version does not have support for TUF. This is deprecated"
kubectl apply -f https://github.com/sigstore/scaffolding/releases/download/${tag}/release.yaml
# Wait for all the scaffolding pieces to be up.
echo "waiting for all the knative services to be up and running"
kubectl wait --timeout 10m -A --for=condition=Ready ksvc --all
# Grab the secret from the ctlog-system namespace and make a copy
# in our namespace so we can get access to the CT Log public key
# so we can verify the SCT coming from there.
kubectl -n ctlog-system get secrets ctlog-public-key -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl apply -f -
# Also grab the secret from the fulcio-system namespace and make a copy
# in our namespace so we can get access to the Fulcio public key
# so we can verify against it.
kubectl -n fulcio-system get secrets fulcio-secret -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl apply -f -
echo "Installing and running scaffolding tests to be up and running"
curl -L https://github.com/sigstore/scaffolding/releases/download/${tag}/testrelease.yaml | kubectl create -f -
kubectl wait --for=condition=Complete --timeout=180s job/sign-job
kubectl wait --for=condition=Complete --timeout=180s job/checktree
kubectl wait --for=condition=Complete --timeout=180s job/verify-job
REKOR_URL=`kubectl -n rekor-system get --no-headers ksvc rekor | cut -d ' ' -f 4`
echo "REKOR_URL=$REKOR_URL" >> $GITHUB_ENV
curl -s $REKOR_URL/api/v1/log/publicKey > ./rekor-public.pem
FULCIO_URL=`kubectl -n fulcio-system get --no-headers ksvc fulcio | cut -d ' ' -f 4`
echo "FULCIO_URL=$FULCIO_URL" >> $GITHUB_ENV
CTLOG_URL=`kubectl -n ctlog-system get --no-headers ksvc ctlog | cut -d ' ' -f 4`
echo "CTLOG_URL=$CTLOG_URL" >> $GITHUB_ENV
kubectl -n ctlog-system get secrets ctlog-public-key -o=jsonpath='{.data.public}' | base64 -d > ./ctlog-public.pem
echo "SIGSTORE_CT_LOG_PUBLIC_KEY_FILE=./ctlog-public.pem" >> $GITHUB_ENV
kubectl -n fulcio-system get secrets fulcio-secret -ojsonpath='{.data.cert}' | base64 -d > ./fulcio-root.pem
echo "SIGSTORE_ROOT_FILE=./fulcio-root.pem" >> $GITHUB_ENV
echo "SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY=1" >> $GITHUB_ENV
ISSUER_URL=`kubectl get --no-headers ksvc gettoken | cut -d ' ' -f 4`
echo "ISSUER_URL=$ISSUER_URL" >> $GITHUB_ENV
OIDC_TOKEN=`curl -s $ISSUER_URL`
echo "OIDC_TOKEN=$OIDC_TOKEN" >> $GITHUB_ENV
else
echo "This version does have support for TUF"
curl -Lo /tmp/setup-scaffolding.sh https://github.com/sigstore/scaffolding/releases/download/${tag}/setup-scaffolding-from-release.sh
chmod u+x /tmp/setup-scaffolding-from-release.sh
/tmp/setup-scaffolding-from-release.sh
fi
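Review bot: The TUF branch will fail as written: `curl -Lo /tmp/setup-scaffolding.sh ...` saves the script under one name, then `chmod u+x /tmp/setup-scaffolding-from-release.sh` and the following line act on a path that was never written. Use a single filename, e.g. `curl -Lo /tmp/setup-scaffolding-from-release.sh ...`. Two further points on the version gate: `MINOR=$(echo $tag | cut -d '.' -f 2)` followed by `[ ${MINOR} -ge 4 ]` treats any future `v1.0.0` tag as a pre-TUF release, so compare major and minor together; and `[ $INSTALL_TUF == "false" ]` relies on bash's `==` inside `[`, which works only if the step runs under bash, whereas `=` is portable. The downloaded script is also executed with no checksum or signature check.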
28 changes: 9 additions & 19 deletions getting-started.md
@@ -31,7 +31,7 @@ cloning the repo):

Or by downloading a release version of the script
```shell
curl -Lo /tmp/setup-kind.sh https://github.com/sigstore/scaffolding/releases/download/v0.3.0/setup-kind.sh
curl -Lo /tmp/setup-kind.sh https://github.com/sigstore/scaffolding/releases/download/v0.4.0/setup-kind.sh
chmod u+x /tmp/setup-kind.sh
/tmp/setup-kind.sh
```
@@ -62,27 +62,22 @@ docker rm -f b1e3f3238f7a

# Install sigstore-scaffolding pieces

## From the release (TODO:vaikas Update this before next release for tuf, works now)
## From the release
```shell
curl -L https://github.com/sigstore/scaffolding/releases/download/v0.3.0/release.yaml | kubectl apply -f -
curl -Lo /tmp/setup-scaffolding.sh https://github.com/sigstore/scaffolding/releases/download/v0.4.0/setup-scaffolding-from-release.sh
chmod u+x /tmp/setup-scaffolding-from-release.sh
/tmp/setup-scaffolding-from-release.sh
```

```shell
kubectl wait --timeout=15m -A --for=condition=Complete jobs --all
```

## Then wait for the jobs that setup dependencies to finish
## From checked out repo

Obviously if you have other jobs running, you might have to tune this, for deets
see [below](#outputs) what gets deployed and where. See below for how to
test / use the local instance. If you're deploying to kind cluster created
above, tell `ko` where it is, or change to where you're deploying your images.
If you're deploying to kind cluster created above, tell `ko` where it is, or
change to where you're deploying your images.

```shell
export KO_DOCKER_REPO=registry.local:5000/sigstore
```

## From checked out repo
```shell
./hack/setup-scaffolding.sh
```
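Review bot: Same filename mismatch as in actions/setup/action.yml: the `curl -Lo /tmp/setup-scaffolding.sh` line saves the script as `setup-scaffolding.sh`, but the `chmod` and execution lines reference `/tmp/setup-scaffolding-from-release.sh`, so readers following these steps will get "No such file". Use the same path on all three lines. Also, the removed `kubectl wait --timeout=15m -A --for=condition=Complete jobs --all` block was the only instruction to wait for the setup jobs; if the release script now performs that wait itself, say so here so readers do not start testing against a half-deployed cluster.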
@@ -197,12 +192,7 @@ that runs on the cluster and issues OIDC tokens.
ko apply -BRf ./testdata/config/gettoken
```

## Testing Your new Sigstore Kind Cluster (From the release)

Because we're moving to TUF, the instructions for the older way have been
[archived](https://github.com/sigstore/scaffolding/blob/4512ee2f0dfe6355775dc5efb6105ab52d27d678/getting-started.md)

## Testing Your new Sigstore Kind Cluster (With TUF)
## Testing Your new Sigstore Kind Cluster

Let's first run a quick smoke test that does a cosign sign followed by making
sure that the rekor entry is created for it.
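Review bot: Removing the link to the archived pre-TUF instructions drops the only pointer for users still on releases before v0.4.0, which `actions/setup` in this same commit still explicitly supports through its `INSTALL_TUF="false"` branch; keep a one-line reference to the archived page until that branch is removed as well.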
4 changes: 4 additions & 0 deletions hack/setup-kind.sh
@@ -82,6 +82,10 @@ case ${K8S_VERSION} in
KIND_IMAGE_SHA="sha256:0e34f0d0fd448aa2f2819cfd74e99fe5793a6e4938b328f657c8e3f81ee0dfb9"
KIND_IMAGE="kindest/node:v${K8S_VERSION}@${KIND_IMAGE_SHA}"
;;
v1.24.x)
KIND_IMAGE_SHA="sha256:0866296e693efe1fed79d5e6c7af8df71fc73ae45e3679af05342239cdc5bc8e"
KIND_IMAGE=kindest/node:${K8S_VERSION}@${KIND_IMAGE_SHA}
;;
*) echo "Unsupported version: ${K8S_VERSION}"; exit 1 ;;
esac

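Review bot: The new `v1.24.x` case builds `KIND_IMAGE` differently from the case directly above it (`kindest/node:${K8S_VERSION}@...`, unquoted and without the `v` prefix, versus `"kindest/node:v${K8S_VERSION}@..."`), which the commit message attributes to the correct way of setting the 1.24 version; a short comment explaining why the prefix differs would stop the next reader from "fixing" it back. Since the reference is pinned by digest, the digest rather than the tag decides which image is pulled, so the inconsistency is cosmetic, but the `KIND_IMAGE_SHA` value should be checked against the published kind release notes for v1.24.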