diff --git a/.github/workflows/fulcio-rekor-kind.yaml b/.github/workflows/fulcio-rekor-kind.yaml index 518c27e8d..d62aba0b1 100644 --- a/.github/workflows/fulcio-rekor-kind.yaml +++ b/.github/workflows/fulcio-rekor-kind.yaml @@ -74,16 +74,7 @@ jobs: with: version: tip - - name: Check out cosign repo so we get the head of the main cosign - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2 - with: - repository: sigstore/cosign - path: ./src/github.com/sigstore/cosign - - - name: Install cosign - working-directory: ./src/github.com/sigstore/cosign - run: | - go install ./cmd/cosign + - uses: sigstore/cosign-installer@09a077b27eb1310dcfb21981bee195b30ce09de0 # v2.3.0 - name: Setup Cluster uses: chainguard-dev/actions/setup-kind@main diff --git a/.github/workflows/test-action.yaml b/.github/workflows/test-action.yaml index e3039ddff..113119d80 100644 --- a/.github/workflows/test-action.yaml +++ b/.github/workflows/test-action.yaml @@ -1,4 +1,4 @@ -name: Test github reusable action +name: Test github action on: pull_request: @@ -21,9 +21,9 @@ jobs: fail-fast: false # Keep running if one leg fails. matrix: k8s-version: - - v1.21.x - v1.22.x - + release-version: + - "v0.3.0" # Test version without TUF leg: - test github action @@ -34,3 +34,5 @@ jobs: uses: ./actions/setup with: k8s-version: ${{ matrix.k8s-version }} + version: ${{ matrix.release-version }} + diff --git a/.github/workflows/test-release.yaml b/.github/workflows/test-release.yaml index 592d08fcd..020ae56ca 100644 --- a/.github/workflows/test-release.yaml +++ b/.github/workflows/test-release.yaml 
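Review bot: The replacement `- uses: sigstore/cosign-installer@09a077b27eb1310dcfb21981bee195b30ce09de0 # v2.3.0` installs whichever cosign release the installer defaults to, whereas the removed checkout-and-`go install` steps built cosign from the head of `main`, so this job quietly stops tracking cosign's development branch. If that is the intent, make the version explicit so runs are reproducible: add a `with:` block with `cosign-release:` set to the release this job is meant to exercise, rather than relying on the installer's default. Pinning the action to a commit SHA is the right call and should stay.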
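Review bot: The new `release-version:` matrix in the second hunk lists only `- "v0.3.0"` (`# Test version without TUF`), so the TUF install branch that `actions/setup/action.yml` gains in this same commit for tags with minor >= 4 is never exercised by this workflow, which is the one that tests the action. Add a second entry such as `- "v0.4.0"` or `- "latest-release"` (the action's own default) so both branches of the action run. The third hunk also appends an empty `+` line after `version: ${{ matrix.release-version }}`, leaving a trailing blank line at end of file.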
@@ -21,20 +21,36 @@ jobs: fail-fast: false # Keep running if one leg fails. matrix: k8s-version: - - v1.21.x - v1.22.x - + - v1.23.x + - v1.24.x leg: - fulcio rekor ctlog e2e + go-version: + - 1.18 env: - RELEASE_VERSION: "v0.3.0" + RELEASE_VERSION: "v0.4.0" KO_DOCKER_REPO: registry.local:5000/knative KOCACHE: ~/ko + COSIGN_EXPERIMENTAL: "true" steps: - uses: chainguard-dev/actions/setup-mirror@main + - uses: sigstore/cosign-installer@09a077b27eb1310dcfb21981bee195b30ce09de0 # v2.3.0 + + - name: Set up Go + uses: actions/setup-go@84cbf8094393cdc5fe1fe1671ff2647332956b1a # v3.2.0 + with: + go-version: ${{ matrix.go-version }} + check-latest: true + + # Setup ko + - uses: imjasonh/setup-ko@78eea08f10db87a7a23a666a4a6fe2734f2eeb8d # v0.4 + with: + version: tip + - name: Setup Cluster uses: chainguard-dev/actions/setup-kind@main id: kind 
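Review bot: `go-version:` / `- 1.18` is an unquoted plain scalar, so YAML parses it as a float; it happens to survive for 1.18, but the same pattern will silently turn a later `1.20` into `1.2` and `setup-go` will resolve the wrong toolchain — quote it as `- "1.18"`, as the file already does for `RELEASE_VERSION` and `COSIGN_EXPERIMENTAL`. `check-latest: true` on the `setup-go` step also means the exact Go patch release changes between runs; acceptable for a test job, but worth remembering when a failure does not reproduce.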
@@ -46,44 +62,80 @@ jobs: - name: Setup Knative uses: chainguard-dev/actions/setup-knative@main with: - version: "1.1.0" + version: "1.5.0" + serving-features: > + { + "kubernetes.podspec-fieldref": "enabled" + } + + # Remove after we cut the release that has setup-scaffolding-from-release.sh + - name: Check out our repo + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2 - - name: Install all the everythings + - name: Install scaffolding timeout-minutes: 10 run: | - curl -L https://github.com/sigstore/scaffolding/releases/download/${{ env.RELEASE_VERSION }}/release.yaml | kubectl apply -f - + #curl -Lo /tmp/setup-scaffolding-from-release.sh https://github.com/sigstore/scaffolding/releases/download/${{ env.RELEASE_VERSION }}/setup-scaffolding-from-release.sh + #chmod u+x /tmp/setup-scaffolding-from-release.sh + #/tmp/setup-scaffolding-from-release.sh + # TODO(vaikas): Once we release this, use the curl above. + ./hack/setup-scaffolding-from-release.sh - # Wait for all the ksvc to be up. 
- kubectl wait --timeout 10m -A --for=condition=Ready ksvc --all + - name: Initialize cosign with our custom tuf root and make root copy + run: | + kubectl -n tuf-system get secrets tuf-root -ojsonpath='{.data.root}' | base64 -d > ./root.json + TUF_MIRROR=`kubectl -n tuf-system get --no-headers ksvc tuf | cut -d ' ' -f 4` + echo "TUF_MIRROR=$TUF_MIRROR" >> $GITHUB_ENV + # Then initialize cosign + cosign initialize --mirror $TUF_MIRROR --root ./root.json + # Make copy of the tuf root in the default namespace for tests + kubectl -n tuf-system get secrets tuf-root -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl create -f - + + - name: Create sample image + run: | + pushd $(mktemp -d) + go mod init example.com/demo-with-release + cat < main.go + package main + import "fmt" + func main() { + fmt.Println("hello world") + } + EOF + demoimage=`ko publish -B example.com/demo-with-release` + echo "demoimage=$demoimage" >> $GITHUB_ENV + echo Created image $demoimage + popd + + - name: Run test jobs on the cluster + run: | + curl -L https://github.com/sigstore/scaffolding/releases/download/v0.4.0/testrelease.yaml | kubectl apply -f - + kubectl wait --for=condition=Complete --timeout=240s job/sign-job + kubectl wait --for=condition=Complete --timeout=240s job/verify-job - - name: Set the endpoints on the cluster + - name: Get the endpoints on the cluster run: | - kubectl -n rekor-system get --no-headers ksvc rekor | cut -d ' ' -f 4 REKOR_URL=`kubectl -n rekor-system get --no-headers ksvc rekor | cut -d ' ' -f 4` echo "REKOR_URL=$REKOR_URL" >> $GITHUB_ENV - - name: Run curl against Rekor - run: | - echo ${{ env.REKOR_URL }} - curl ${{ env.REKOR_URL }}/api/v1/log + FULCIO_URL=`kubectl -n fulcio-system get --no-headers ksvc fulcio | cut -d ' ' -f 4` + echo "FULCIO_URL=$FULCIO_URL" >> $GITHUB_ENV - - name: Run Tests - run: | - # Grab the secret from the ctlog-system namespace and make a copy - # in our namespace so we can get access to the CT Log public key - # so we 
can verify the SCT coming from there. - kubectl -n ctlog-system get secrets ctlog-public-key -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl apply -f - + CTLOG_URL=`kubectl -n ctlog-system get --no-headers ksvc ctlog | cut -d ' ' -f 4` + echo "CTLOG_URL=$CTLOG_URL" >> $GITHUB_ENV - # Also grab the secret from the fulcio-system namespace and make a copy - # in our namespace so we can get access to the Fulcio public key - # so we can verify against it. - kubectl -n fulcio-system get secrets fulcio-secret -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl apply -f - + ISSUER_URL=`kubectl get --no-headers ksvc gettoken | cut -d ' ' -f 4` + echo "ISSUER_URL=$ISSUER_URL" >> $GITHUB_ENV + OIDC_TOKEN=`curl -s $ISSUER_URL` + echo "OIDC_TOKEN=$OIDC_TOKEN" >> $GITHUB_ENV - curl -L https://github.com/sigstore/scaffolding/releases/download/${{ env.RELEASE_VERSION }}/testrelease.yaml | kubectl create -f - + - name: Sign with cosign from the action using k8s token + run: | + cosign sign --rekor-url ${{ env.REKOR_URL }} --fulcio-url ${{ env.FULCIO_URL }} --force --allow-insecure-registry ${{ env.demoimage }} --identity-token ${{ env.OIDC_TOKEN }} - kubectl wait --for=condition=Complete --timeout=180s job/sign-job - kubectl wait --for=condition=Complete --timeout=180s job/checktree - kubectl wait --for=condition=Complete --timeout=180s job/verify-job + - name: Verify with cosign from the action using k8s token + run: | + cosign verify --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }} - name: Collect diagnostics if: ${{ failure() }} diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 9dd1d49b5..07cff1603 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -27,3 +27,4 @@ release: - glob: "./testrelease.yaml" - glob: "./hack/setup-kind.sh" - glob: "./hack/setup-scaffolding.sh" + - glob: "./hack/setup-scaffolding-from-release.sh" diff --git a/actions/setup/action.yml b/actions/setup/action.yml index 214e2a8f9..02b3dd792 100644 
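Review bot: The new `Sign with cosign` and `Verify with cosign` steps expand `${{ env.OIDC_TOKEN }}`, `${{ env.demoimage }}` and the URL values directly into the `run:` script text, although every one of them was just exported through `$GITHUB_ENV`; read them as shell variables instead — `cosign sign --rekor-url "$REKOR_URL" --fulcio-url "$FULCIO_URL" --force --allow-insecure-registry "$demoimage" --identity-token "$OIDC_TOKEN"` — which keeps the token out of the script GitHub renders before execution and avoids the expression-in-`run:` pattern altogether. `curl -L https://github.com/sigstore/scaffolding/releases/download/v0.4.0/testrelease.yaml` hard-codes the version that the removed line took from `${{ env.RELEASE_VERSION }}`; restore the env reference so the bump in the previous hunk remains the single source. As rendered here the `Create sample image` step reads `cat < main.go` followed by the Go source and `EOF`; if that is the real text the redirection fails on a missing file and the Go lines run as shell commands, so confirm the line is `cat <<EOF > main.go` (the `<<EOF >` may have been lost in rendering). The tuf-root copy uses `kubectl create -f -` where the sibling secret copies use `apply`, so a re-run against an existing cluster fails with AlreadyExists. The `Collect diagnostics` step continues outside the hunk.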
--- a/actions/setup/action.yml +++ b/actions/setup/action.yml @@ -19,13 +19,13 @@ branding: color: green inputs: version: - description: 'Version of scaffolding to install (v0.2.2, v0.2.3 latest-release.)' + description: 'Version of scaffolding to install (v0.4.0, latest-release.)' required: true default: 'latest-release' knative-version: description: 'Version of Knative to install (1.1.0, 1.1.1, etc.)' required: true - default: '1.1.0' + default: '1.5.0' registry-name: description: 'Name of the registry to install (registry.local)' required: true @@ -41,7 +41,7 @@ inputs: k8s-version: description: 'kubernetes version to install (v1.21.x, v1.22.x), default: v1.22.x' required: true - default: 'v1.22.x' + default: 'v1.23.x' runs: using: "composite" steps: 
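Review bot: The `k8s-version` default moves to `'v1.23.x'` in the second hunk, but its description on the line above still reads `(v1.21.x, v1.22.x), default: v1.22.x`, so the action's published input help now contradicts its behaviour; update it to `description: 'kubernetes version to install (v1.21.x, v1.22.x, v1.23.x, v1.24.x), default: v1.23.x'` (v1.24.x is added to `hack/setup-kind.sh` in this commit). The `version` description in the first hunk has the same drift in the other direction: it now lists only `v0.4.0`, yet the install logic added later in this file still accepts pre-0.4 tags through its deprecated path, so say which tags are still supported.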
@@ -75,48 +75,64 @@ runs: --k8s-version ${{ inputs.k8s-version }} \ --knative-version ${{ inputs.knative-version }} - echo "Installing sigstore scaffolding @ ${tag}" - kubectl apply -f https://github.com/sigstore/scaffolding/releases/download/${tag}/release.yaml - - # Wait for all the scaffolding pieces to be up. - echo "waiting for all the knative services to be up and running" - kubectl wait --timeout 10m -A --for=condition=Ready ksvc --all - - # Grab the secret from the ctlog-system namespace and make a copy - # in our namespace so we can get access to the CT Log public key - # so we can verify the SCT coming from there. - kubectl -n ctlog-system get secrets ctlog-public-key -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl apply -f - - - # Also grab the secret from the fulcio-system namespace and make a copy - # in our namespace so we can get access to the Fulcio public key - # so we can verify against it. - kubectl -n fulcio-system get secrets fulcio-secret -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl apply -f - - - echo "Installing and running scaffolding tests to be up and running" - curl -L https://github.com/sigstore/scaffolding/releases/download/${tag}/testrelease.yaml | kubectl create -f - - - kubectl wait --for=condition=Complete --timeout=180s job/sign-job - kubectl wait --for=condition=Complete --timeout=180s job/checktree - kubectl wait --for=condition=Complete --timeout=180s job/verify-job + # At release v0.4.0 we added support for TUF, and rejiggered + # the install process, so check to see if we are running >=4 + MINOR=$(echo $tag | cut -d '.' 
-f 2) + INSTALL_TUF="false" + if [ ${MINOR} -ge 4 ]; then + INSTALL_TUF="true" + fi - REKOR_URL=`kubectl -n rekor-system get --no-headers ksvc rekor | cut -d ' ' -f 4` - echo "REKOR_URL=$REKOR_URL" >> $GITHUB_ENV - curl -s $REKOR_URL/api/v1/log/publicKey > ./rekor-public.pem - - FULCIO_URL=`kubectl -n fulcio-system get --no-headers ksvc fulcio | cut -d ' ' -f 4` - echo "FULCIO_URL=$FULCIO_URL" >> $GITHUB_ENV - CTLOG_URL=`kubectl -n ctlog-system get --no-headers ksvc ctlog | cut -d ' ' -f 4` - echo "CTLOG_URL=$CTLOG_URL" >> $GITHUB_ENV - - kubectl -n ctlog-system get secrets ctlog-public-key -o=jsonpath='{.data.public}' | base64 -d > ./ctlog-public.pem - echo "SIGSTORE_CT_LOG_PUBLIC_KEY_FILE=./ctlog-public.pem" >> $GITHUB_ENV - - kubectl -n fulcio-system get secrets fulcio-secret -ojsonpath='{.data.cert}' | base64 -d > ./fulcio-root.pem - echo "SIGSTORE_ROOT_FILE=./fulcio-root.pem" >> $GITHUB_ENV - - echo "SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY=1" >> $GITHUB_ENV - - ISSUER_URL=`kubectl get --no-headers ksvc gettoken | cut -d ' ' -f 4` - echo "ISSUER_URL=$ISSUER_URL" >> $GITHUB_ENV - OIDC_TOKEN=`curl -s $ISSUER_URL` - echo "OIDC_TOKEN=$OIDC_TOKEN" >> $GITHUB_ENV + echo "Installing sigstore scaffolding @ ${tag}" + if [ $INSTALL_TUF == "false" ]; then + echo "This version does not have support for TUF. This is deprecated" + kubectl apply -f https://github.com/sigstore/scaffolding/releases/download/${tag}/release.yaml + + # Wait for all the scaffolding pieces to be up. + echo "waiting for all the knative services to be up and running" + kubectl wait --timeout 10m -A --for=condition=Ready ksvc --all + + # Grab the secret from the ctlog-system namespace and make a copy + # in our namespace so we can get access to the CT Log public key + # so we can verify the SCT coming from there. 
+ kubectl -n ctlog-system get secrets ctlog-public-key -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl apply -f - + + # Also grab the secret from the fulcio-system namespace and make a copy + # in our namespace so we can get access to the Fulcio public key + # so we can verify against it. + kubectl -n fulcio-system get secrets fulcio-secret -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl apply -f - + + echo "Installing and running scaffolding tests to be up and running" + curl -L https://github.com/sigstore/scaffolding/releases/download/${tag}/testrelease.yaml | kubectl create -f - + + kubectl wait --for=condition=Complete --timeout=180s job/sign-job + kubectl wait --for=condition=Complete --timeout=180s job/checktree + kubectl wait --for=condition=Complete --timeout=180s job/verify-job + + REKOR_URL=`kubectl -n rekor-system get --no-headers ksvc rekor | cut -d ' ' -f 4` + echo "REKOR_URL=$REKOR_URL" >> $GITHUB_ENV + curl -s $REKOR_URL/api/v1/log/publicKey > ./rekor-public.pem + + FULCIO_URL=`kubectl -n fulcio-system get --no-headers ksvc fulcio | cut -d ' ' -f 4` + echo "FULCIO_URL=$FULCIO_URL" >> $GITHUB_ENV + CTLOG_URL=`kubectl -n ctlog-system get --no-headers ksvc ctlog | cut -d ' ' -f 4` + echo "CTLOG_URL=$CTLOG_URL" >> $GITHUB_ENV + + kubectl -n ctlog-system get secrets ctlog-public-key -o=jsonpath='{.data.public}' | base64 -d > ./ctlog-public.pem + echo "SIGSTORE_CT_LOG_PUBLIC_KEY_FILE=./ctlog-public.pem" >> $GITHUB_ENV + + kubectl -n fulcio-system get secrets fulcio-secret -ojsonpath='{.data.cert}' | base64 -d > ./fulcio-root.pem + echo "SIGSTORE_ROOT_FILE=./fulcio-root.pem" >> $GITHUB_ENV + + echo "SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY=1" >> $GITHUB_ENV + + ISSUER_URL=`kubectl get --no-headers ksvc gettoken | cut -d ' ' -f 4` + echo "ISSUER_URL=$ISSUER_URL" >> $GITHUB_ENV + OIDC_TOKEN=`curl -s $ISSUER_URL` + echo "OIDC_TOKEN=$OIDC_TOKEN" >> $GITHUB_ENV + else + echo "This version does have support for TUF" + curl -Lo 
/tmp/setup-scaffolding.sh https://github.com/sigstore/scaffolding/releases/download/${tag}/setup-scaffolding-from-release.sh + chmod u+x /tmp/setup-scaffolding-from-release.sh + /tmp/setup-scaffolding-from-release.sh + fi diff --git a/getting-started.md b/getting-started.md index 7b0134de5..de6bbe769 100644 --- a/getting-started.md +++ b/getting-started.md @@ -31,7 +31,7 @@ cloning the repo): Or by downloading a release version of the script ```shell -curl -Lo /tmp/setup-kind.sh https://github.com/sigstore/scaffolding/releases/download/v0.3.0/setup-kind.sh +curl -Lo /tmp/setup-kind.sh https://github.com/sigstore/scaffolding/releases/download/v0.4.0/setup-kind.sh chmod u+x /tmp/setup-kind.sh /tmp/setup-kind.sh ``` @@ -62,27 +62,22 @@ docker rm -f b1e3f3238f7a # Install sigstore-scaffolding pieces -## From the release (TODO:vaikas Update this before next release for tuf, works now) +## From the release ```shell -curl -L https://github.com/sigstore/scaffolding/releases/download/v0.3.0/release.yaml | kubectl apply -f - +curl -Lo /tmp/setup-scaffolding.sh https://github.com/sigstore/scaffolding/releases/download/v0.4.0/setup-scaffolding-from-release.sh +chmod u+x /tmp/setup-scaffolding-from-release.sh +/tmp/setup-scaffolding-from-release.sh ``` -```shell -kubectl wait --timeout=15m -A --for=condition=Complete jobs --all -``` - -## Then wait for the jobs that setup dependencies to finish +## From checked out repo -Obviously if you have other jobs running, you might have to tune this, for deets -see [below](#outputs) what gets deployed and where. See below for how to -test / use the local instance. If you're deploying to kind cluster created -above, tell `ko` where it is, or change to where you're deploying your images. +If you're deploying to kind cluster created above, tell `ko` where it is, or +change to where you're deploying your images. ```shell export KO_DOCKER_REPO=registry.local:5000/sigstore ``` -## From checked out repo ```shell ./hack/setup-scaffolding.sh ``` 
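Review bot: The new TUF branch at the end of the hunk downloads to `/tmp/setup-scaffolding.sh` but then runs `chmod u+x /tmp/setup-scaffolding-from-release.sh` and executes that path, so the `chmod` fails on a file that does not exist and the step aborts (the step's `run: |` header starts before this hunk, so its shell flags are not visible, but even without errexit the exec line fails); make the paths agree: `curl -Lo /tmp/setup-scaffolding-from-release.sh https://github.com/sigstore/scaffolding/releases/download/${tag}/setup-scaffolding-from-release.sh`. The same mismatch is copied into the `getting-started.md` hunk of this commit. `MINOR=$(echo $tag | cut -d '.' -f 2)` with `[ ${MINOR} -ge 4 ]` keys the branch on the minor number alone, so a future `v1.0.0` tag (minor 0) would be routed to the deprecated non-TUF path; compare the major as well, or compare whole tags with `sort -V`. On the TUF path nothing is written to `$GITHUB_ENV` (the downloaded script only produces `./root.json`), whereas the legacy path exports `REKOR_URL`, `FULCIO_URL`, `CTLOG_URL`, `OIDC_TOKEN` and the `SIGSTORE_*` file paths — unless that happens later outside the hunk, consumers of this action lose those values once `version` resolves to v0.4.0 or later.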
@@ -197,12 +192,7 @@ that runs on the cluster and issues OIDC tokens. ko apply -BRf ./testdata/config/gettoken ``` -## Testing Your new Sigstore Kind Cluster (From the release) - -Because we're moving to TUF, the instructions for the older way have been -[archived](https://github.com/sigstore/scaffolding/blob/4512ee2f0dfe6355775dc5efb6105ab52d27d678/getting-started.md) - -## Testing Your new Sigstore Kind Cluster (With TUF) +## Testing Your new Sigstore Kind Cluster Let's first run a quick smoke test that does a cosign sign followed by making sure that the rekor entry is created for it. diff --git a/hack/setup-kind.sh b/hack/setup-kind.sh index b2608ce7e..6ad6e770c 100755 --- a/hack/setup-kind.sh +++ b/hack/setup-kind.sh @@ -82,6 +82,10 @@ case ${K8S_VERSION} in KIND_IMAGE_SHA="sha256:0e34f0d0fd448aa2f2819cfd74e99fe5793a6e4938b328f657c8e3f81ee0dfb9" KIND_IMAGE="kindest/node:v${K8S_VERSION}@${KIND_IMAGE_SHA}" ;; + v1.24.x) + KIND_IMAGE_SHA="sha256:0866296e693efe1fed79d5e6c7af8df71fc73ae45e3679af05342239cdc5bc8e" + KIND_IMAGE=kindest/node:${K8S_VERSION}@${KIND_IMAGE_SHA} + ;; *) echo "Unsupported version: ${K8S_VERSION}"; exit 1 ;; esac diff --git a/hack/setup-scaffolding-from-release.sh b/hack/setup-scaffolding-from-release.sh new file mode 100755 index 000000000..175e5e121 --- /dev/null +++ b/hack/setup-scaffolding-from-release.sh 
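Review bot: The new `v1.24.x)` case writes `KIND_IMAGE=kindest/node:${K8S_VERSION}@${KIND_IMAGE_SHA}` while the preceding case in the context writes `KIND_IMAGE="kindest/node:v${K8S_VERSION}@${KIND_IMAGE_SHA}"` — quoted and with a `v` prefix — so the two cases build the image reference differently. The earlier cases are only partly visible here; if they reassign `K8S_VERSION` to a concrete patch release before this line (which the `v${K8S_VERSION}` form suggests), the new case should do the same, otherwise its ref becomes `kindest/node:v1.24.x@sha256:…` and only the digest keeps it resolvable. Pinning by digest is the right thing; just keep the construction consistent with the siblings: `KIND_IMAGE="kindest/node:v${K8S_VERSION}@${KIND_IMAGE_SHA}"`.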
@@ -0,0 +1,105 @@ +#!/usr/bin/env bash +# Copyright 2022 The Sigstore Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -o errexit +set -o nounset +set -o pipefail + +# TODO(vaikas): Make this configurable. +RELEASE_VERSION=v0.4.0 +TRILLIAN=https://github.com/sigstore/scaffolding/releases/download/${RELEASE_VERSION}/release-trillian.yaml +REKOR=https://github.com/sigstore/scaffolding/releases/download/${RELEASE_VERSION}/release-rekor.yaml +FULCIO=https://github.com/sigstore/scaffolding/releases/download/${RELEASE_VERSION}/release-fulcio.yaml +CTLOG=https://github.com/sigstore/scaffolding/releases/download/${RELEASE_VERSION}/release-ctlog.yaml +TUF=https://github.com/sigstore/scaffolding/releases/download/${RELEASE_VERSION}/release-tuf.yaml + +# Since the behaviour on oidc is different on k8s <1.23, check to see if we +# need to do some mucking with the Fulcio config +NEED_TO_UPDATE_FULCIO_CONFIG="false" +K8S_SERVER_VERSION=$(kubectl version -ojson | yq '.serverVersion.minor' -) + +if [ "${K8S_SERVER_VERSION}" == "21" ] || [ "${K8S_SERVER_VERSION}" == "22" ]; then + echo "Running on k8s 1.${K8S_SERVER_VERSION}.x will update Fulcio accordingly" + NEED_TO_UPDATE_FULCIO_CONFIG="true" +fi + +# Install Trillian and wait for it to come up +echo '::group:: Install Trillian' +kubectl apply -f ${TRILLIAN} +echo '::endgroup::' + +echo '::group:: Wait for Trillian ready' +kubectl wait --timeout 5m -n trillian-system --for=condition=Complete jobs --all +kubectl wait 
--timeout 45s -n trillian-system --for=condition=Ready ksvc log-server +kubectl wait --timeout 45s -n trillian-system --for=condition=Ready ksvc log-signer +echo '::endgroup::' + +# Install Rekor and wait for it to come up +echo '::group:: Install Rekor' +kubectl apply -f ${REKOR} +echo '::endgroup::' + +echo '::group:: Wait for Rekor ready' +kubectl wait --timeout 5m -n rekor-system --for=condition=Complete jobs --all +kubectl wait --timeout 45s -n rekor-system --for=condition=Ready ksvc rekor +echo '::endgroup::' + +# Install Fulcio and wait for it to come up +echo '::group:: Install Fulcio' +if [ "${NEED_TO_UPDATE_FULCIO_CONFIG}" == "true" ]; then + echo "Fixing Fulcio config for < 1.23.X Kubernetes" + curl -Ls ${FULCIO} | sed 's@https://kubernetes.default.svc.cluster.local@https://kubernetes.default.svc@' | kubectl apply -f - +else + kubectl apply -f ${FULCIO} +fi + +echo '::group:: Wait for Fulcio ready' +kubectl wait --timeout 5m -n fulcio-system --for=condition=Complete jobs --all +kubectl wait --timeout 45s -n fulcio-system --for=condition=Ready ksvc fulcio +echo '::endgroup::' + +# Install CTlog and wait for it to come up +echo '::group:: Install CTLog' +kubectl apply -f ${CTLOG} +echo '::endgroup::' + +echo '::group:: Wait for CTLog ready' +kubectl wait --timeout 5m -n ctlog-system --for=condition=Complete jobs --all +kubectl wait --timeout 45s -n ctlog-system --for=condition=Ready ksvc ctlog +echo '::endgroup::' + +# Install tuf +echo '::group:: Install TUF' +kubectl apply -f ${TUF} + + +# Then copy the secrets (even though it's all public stuff, certs, public keys) +# to the tuf-system namespace so that we can construct a tuf root out of it. 
+kubectl -n ctlog-system get secrets ctlog-public-key -oyaml | sed 's/namespace: .*/namespace: tuf-system/' | kubectl apply -f - +kubectl -n fulcio-system get secrets fulcio-pub-key -oyaml | sed 's/namespace: .*/namespace: tuf-system/' | kubectl apply -f - +kubectl -n rekor-system get secrets rekor-pub-key -oyaml | sed 's/namespace: .*/namespace: tuf-system/' | kubectl apply -f - +echo '::endgroup::' + +# Make sure the tuf jobs complete +echo '::group:: Wait for TUF ready' +kubectl wait --timeout 4m -n tuf-system --for=condition=Complete jobs --all +kubectl wait --timeout 45s -n tuf-system --for=condition=Ready ksvc tuf +echo '::endgroup::' + +# Grab the trusted root +kubectl -n tuf-system get secrets tuf-root -ojsonpath='{.data.root}' | base64 -d > ./root.json + +echo "tuf root installed into ./root.json" +
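Review bot: `RELEASE_VERSION=v0.4.0` is hard-coded (the `TODO(vaikas)` acknowledges it), yet `actions/setup/action.yml` in this commit downloads this script from `releases/download/${tag}/` and runs it for every tag with minor >= 4, so a caller asking for a later release installs whatever version the fetched script happens to embed; since the script already sets `set -o nounset`, an override-friendly default is `RELEASE_VERSION=${RELEASE_VERSION:-v0.4.0}`, which the action can then export. The Fulcio section opens `::group:: Install Fulcio` but never emits `::endgroup::` before `::group:: Wait for Fulcio ready`, unlike the Trillian, Rekor and CTLog sections; add `echo '::endgroup::'` after the `fi`. `K8S_SERVER_VERSION=$(kubectl version -ojson | yq '.serverVersion.minor' -)` introduces a dependency on `yq` that is neither checked nor documented, and on some managed distributions `serverVersion.minor` carries a `+` suffix (for example `22+`) that defeats the `== "22"` string comparison, so strip non-digits (e.g. `tr -dc '0-9'`) before comparing. The secret copies into `tuf-system` rewrite `namespace:` with `sed` and re-apply the exported objects; the comment rightly limits this to public material, and that constraint is worth keeping explicit because the same pattern applied to a private key would move it across namespace boundaries.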