Skip to content

Commit

Permalink
feat: new test case for RSA
Browse files Browse the repository at this point in the history
Also moved port back to 5000

Signed-off-by: Bruno Bressi <[email protected]>
  • Loading branch information
puffitos committed Sep 12, 2024
1 parent ca6c2e9 commit 9df1f41
Show file tree
Hide file tree
Showing 4 changed files with 88 additions and 15 deletions.
24 changes: 12 additions & 12 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -17,9 +17,9 @@ test-unit:

e2e-cluster:
@echo "Creating registry..."
@k3d registry create registry.localhost --port 13942
@k3d registry create registry.localhost --port 5000
@echo "Adding registry to cluster..."
@k3d cluster create cosign-tests --registry-use k3d-registry.localhost:13942
@k3d cluster create cosign-tests --registry-use k3d-registry.localhost:5000
@echo "Create test namespace..."
@kubectl create namespace test-cases

Expand All @@ -33,29 +33,29 @@ e2e-images:
@echo "Checking for cosign.key..."
@test -f cosign.key || (echo "cosign.key not found. Run 'make e2e-keys' to generate the pairs needed for the tests." && exit 1)
@echo "Building test image..."
@docker build -t k3d-registry.localhost:13942/cosignwebhook:dev .
@docker build -t k3d-registry.localhost:5000/cosignwebhook:dev .
@echo "Pushing test image..."
@docker push k3d-registry.localhost:13942/cosignwebhook:dev
@docker push k3d-registry.localhost:5000/cosignwebhook:dev
@echo "Signing test image..."
@export COSIGN_PASSWORD="" && \
cosign sign --tlog-upload=false --key cosign.key k3d-registry.localhost:13942/cosignwebhook:dev
cosign sign --tlog-upload=false --key cosign.key k3d-registry.localhost:5000/cosignwebhook:dev
@echo "Importing test image to cluster..."
@k3d image import k3d-registry.localhost:13942/cosignwebhook:dev --cluster cosign-tests
@k3d image import k3d-registry.localhost:5000/cosignwebhook:dev --cluster cosign-tests
@echo "Building busybox image..."
@docker pull busybox:latest
@echo "Tagging & pushing busybox images..."
@docker tag busybox:latest k3d-registry.localhost:13942/busybox:first
@docker tag busybox:latest k3d-registry.localhost:13942/busybox:second
@docker push k3d-registry.localhost:13942/busybox --all-tags
@docker tag busybox:latest k3d-registry.localhost:5000/busybox:first
@docker tag busybox:latest k3d-registry.localhost:5000/busybox:second
@docker push k3d-registry.localhost:5000/busybox --all-tags
@echo "Signing busybox images..."
@export COSIGN_PASSWORD="" && \
cosign sign --tlog-upload=false --key cosign.key k3d-registry.localhost:13942/busybox:first && \
cosign sign --tlog-upload=false --key second.key k3d-registry.localhost:13942/busybox:second
cosign sign --tlog-upload=false --key cosign.key k3d-registry.localhost:5000/busybox:first && \
cosign sign --tlog-upload=false --key second.key k3d-registry.localhost:5000/busybox:second

e2e-deploy:
@echo "Deploying test image..."
@helm upgrade -i cosignwebhook chart -n cosignwebhook --create-namespace \
--set image.repository=k3d-registry.localhost:13942/cosignwebhook \
--set image.repository=k3d-registry.localhost:5000/cosignwebhook \
--set image.tag=dev \
--set-file cosign.scwebhook.key=cosign.pub \
--set logLevel=debug \
Expand Down
4 changes: 2 additions & 2 deletions chart/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -32,15 +32,15 @@ podAnnotations: {}
podSecurityContext:
fsGroup: 1000
supplementalGroups:
- 1000
- 1000

# minimal permissions for container
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
- ALL
privileged: false
runAsUser: 1000
runAsGroup: 1000
Expand Down
1 change: 0 additions & 1 deletion test/framework/cosign.go
Original file line number Diff line number Diff line change
Expand Up @@ -136,7 +136,6 @@ func (f *Framework) SignContainer(t *testing.T, opts SignOptions) {
"sign",
opts.Image,
}
t.Setenv("COSIGN_PASSWORD", "")
cmd := cli.New()
_ = cmd.Flags().Set("timeout", "30s")
cmd.SetArgs(args)
Expand Down
74 changes: 74 additions & 0 deletions test/webhook_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -750,6 +750,80 @@ func testOneContainerSinglePubKeyEnvRefRSA(t *testing.T) {
fw.Cleanup(t)
}

func TestTwoContainersSinglePubKeyEnvRefRSA(t *testing.T) {
fw, err := framework.New()
if err != nil {
t.Fatal(err)
}

// Create a deployment with two containers signed by the same RSA key
_, rsaPub := fw.CreateRSAKeyPair(t, "test")
fw.SignContainer(t, framework.SignOptions{
KeyName: "test",
Image: "k3d-registry.localhost:5000/busybox:first",
SignatureRepo: "k3d-registry.localhost:5000/sigs",
})
fw.SignContainer(t, framework.SignOptions{
KeyName: "test",
Image: "k3d-registry.localhost:5000/busybox:second",
SignatureRepo: "k3d-registry.localhost:5000/sigs",
})

depl := appsv1.Deployment{
ObjectMeta: metav1.ObjectMeta{
Name: "two-containers-single-pubkey-envref",
Namespace: "test-cases",
},
Spec: appsv1.DeploymentSpec{
Selector: &metav1.LabelSelector{
MatchLabels: map[string]string{"app": "two-containers-single-pubkey-envref"},
},
Template: corev1.PodTemplateSpec{
ObjectMeta: metav1.ObjectMeta{
Labels: map[string]string{"app": "two-containers-single-pubkey-envref"},
},
Spec: corev1.PodSpec{
TerminationGracePeriodSeconds: &terminationGracePeriodSeconds,
Containers: []corev1.Container{
{
Name: "two-containers-single-pubkey-envref",
Image: "k3d-registry.localhost:5000/busybox:first",
Command: []string{
"sh", "-c",
"echo 'hello world, i am tired and will sleep now'; sleep 60",
},
Env: []corev1.EnvVar{
{
Name: webhook.CosignEnvVar,
Value: rsaPub,
},
},
},
{
Name: "two-containers-single-pubkey-envref",
Image: "k3d-registry.localhost:5000/busybox:second",
Command: []string{
"sh", "-c",
"echo 'hello world, i am tired and will sleep now'; sleep 60",
},
Env: []corev1.EnvVar{
{
Name: webhook.CosignEnvVar,
Value: rsaPub,
},
},
},
},
},
},
},
}

fw.CreateDeployment(t, depl)
fw.WaitForDeployment(t, depl)
fw.Cleanup(t)
}

// testOneContainerSinglePubKeyNoMatchEnvRef tests that a deployment with a single signed container,
// with a public key provided via an environment variable, fails if the public key does not match the signature.
func testOneContainerSinglePubKeyNoMatchEnvRef(t *testing.T) {
Expand Down

0 comments on commit 9df1f41

Please sign in to comment.