Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refactor the github action, test with tuf root. #263

Merged
merged 25 commits into from
Aug 4, 2022
Merged

Refactor the github action, test with tuf root. #263

merged 25 commits into from
Aug 4, 2022

Conversation

vaikas
Copy link
Contributor

@vaikas vaikas commented Aug 3, 2022
edited
Loading

Summary

  • Clean up and unify secret reconcile code.
  • Add Rekor public key so we can have the 'oob' way of getting it. Will update rekor to have fileca (just like Fulcio) in a future PR so that we can use that.
  • Modify e2e tests to use new tuf root
  • Fix the e2e tests flow to work with 1.23, 1.24. But testing with 2[34] also introduced some oidc wonkiness with the k8s cluster because the oidc issuer on the kind cluster behaves differently, so had to work around that.
  • Refactor the e2e tests because now we need to shuffle secrets between namespaces. This will be the basis for the new install-scaffold.
  • Add new make targets for the above.
  • Update README to reflect new reality.
  • Address leftover comments from Add a tuf server as well as repo management for tuf. #262 except one (how to handle tuf server restart), but created issue: Question: What would we expect whenever the server restarts ? It is okay to recreate the repository again and again. #265 for it.

Release Note

Documentation

@vaikas vaikas mentioned this pull request Aug 3, 2022
Merged
asraa and others added 13 commits August 3, 2022 09:10
@asraa @vaikas
draft
cc74320 
Signed-off-by: Asra Ali <[email protected]>
@asraa @vaikas
update script
7438686 
Signed-off-by: Asra Ali <[email protected]>
@vaikas
Create a secret that's used by the tuf server.
24b26b1 
DOES NOT WORK yet.

Signed-off-by: Ville Aikas <[email protected]>
@vaikas
tuf repo / secret are now created, but I'm not sure why the fileserve…
1d1571e 
…r is no worky.

Signed-off-by: Ville Aikas <[email protected]>
@vaikas
oops, forgot to update scaffolding script.
4089fab 
Signed-off-by: Ville Aikas <[email protected]>
@vaikas
Duh. was returning successfully before starting to serve :)
e787152 
Signed-off-by: Ville Aikas <[email protected]>
@vaikas
Rename ctlog.pub to ctfe.pub. Use AddTargetsWithExpires.
7fd0222 
Serve /repository

Signed-off-by: Ville Aikas <[email protected]>
@vaikas
Address PR feedback.
ee68a99 
Signed-off-by: Ville Aikas <[email protected]>
@vaikas
Feature flag. Do not care about the tuf job yet.
ca79456 
Signed-off-by: Ville Aikas <[email protected]>
@vaikas
sweet
1a578cf 
Signed-off-by: Ville Aikas <[email protected]>
@vaikas
WIP: Various cleanup tasks. Add rekor create secret job.
1d9cf6a 
Signed-off-by: Ville Aikas <[email protected]>
@vaikas
babysteps. Break install into smaller chunks.
e4a9301 
Signed-off-by: Ville Aikas <[email protected]>
@vaikas
Cleanups, follow up from the previous PR.
9b30853 
Signed-off-by: Ville Aikas <[email protected]>
@vaikas vaikas force-pushed the tuf-for-realsies branch from cd4595a to 9b30853 Compare August 3, 2022 22:09
vaikas added 12 commits August 3, 2022 15:33
@vaikas
Reorder things a little bit.
6276971 
Signed-off-by: Ville Aikas <[email protected]>
@vaikas
can't copy secrets before ns is created :)
bb2d7c5 
Signed-off-by: Ville Aikas <[email protected]>
@vaikas
longer timeout for jobs to finish and upload matrix logs
4528983 
Signed-off-by: Ville Aikas <[email protected]>
@vaikas
use rekor secret instead of client, use secret.reconcilesecret.
484c5b6 
Signed-off-by: Ville Aikas <[email protected]>
@vaikas
wrong filename, lasigh.
04f37c6 
Signed-off-by: Ville Aikas <[email protected]>
@vaikas
add both .svc and .svc.cluster.local as oidc providers
f299bf7 
Signed-off-by: Ville Aikas <[email protected]>
@vaikas
remove plain .svc
cd7833b 
Signed-off-by: Ville Aikas <[email protected]>
@vaikas
Increase rekor job limit (mainly for .23 behaviour).
a21bbcc 
Signed-off-by: Ville Aikas <[email protected]>
@vaikas
wrong place
b7c35f4 
Signed-off-by: Ville Aikas <[email protected]>
@vaikas
work around the oidc behaviour on 1.22 vs. 1.2[34]
723391b 
Signed-off-by: Ville Aikas <[email protected]>
@vaikas
sigh, bad cut&paste.
45fd5ba 
Signed-off-by: Ville Aikas <[email protected]>
@vaikas
getting late...
5ebe7cb 
Signed-off-by: Ville Aikas <[email protected]>
@vaikas vaikas changed the title [WIP] Tuf for real. Refactor the github action, test with tuf root. Aug 4, 2022
hectorj2f
hectorj2f reviewed Aug 4, 2022
View reviewed changes
.github/workflows/fulcio-rekor-kind.yaml
kubectl -n rekor-system get secrets rekor-pub-key -oyaml | sed 's/namespace: .*/namespace: tuf-system/' | kubectl apply -f -

# Make sure the tuf jobs complete
kubectl wait --timeout 2m -n tuf-system --for=condition=Complete jobs --all
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion/question: Shouldn't the timeout be 4m ?

Copy link
Contributor Author

@vaikas vaikas Aug 4, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This one seemed to consistently be quick, but for consistency, I'll change it in a followup PR.

@vaikas vaikas enabled auto-merge (squash) August 4, 2022 14:48
@vaikas vaikas merged commit 4512ee2 into sigstore:main Aug 4, 2022
@vaikas vaikas deleted the tuf-for-realsies branch August 4, 2022 15:19
@vaikas vaikas restored the tuf-for-realsies branch August 4, 2022 15:19
@vaikas vaikas deleted the tuf-for-realsies branch August 4, 2022 15:19
@asraa asraa mentioned this pull request Aug 4, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@k4leung4 k4leung4 k4leung4 approved these changes

@hectorj2f hectorj2f hectorj2f approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@vaikas @hectorj2f @k4leung4 @asraa