From 54c5a4e127289d175cc0b353b8c4a828efe77e55 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Mon, 27 Mar 2023 18:19:19 +0200 Subject: [PATCH] test: add kuttl tests for manifests verification (#6701) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * test: add kuttl tests for manifests verification Signed-off-by: Charles-Edouard Brétéché * more Signed-off-by: Charles-Edouard Brétéché * fix Signed-off-by: Charles-Edouard Brétéché * fix readme Signed-off-by: Charles-Edouard Brétéché --------- 
Signed-off-by: Charles-Edouard Brétéché --- .github/workflows/conformance.yaml | 1 + .../multi-signatures/01-policy.yaml | 6 ++++ .../multi-signatures/02-resources.yaml | 9 +++++ .../multi-signatures/README.md | 10 ++++++ .../multi-signatures/policy-assert.yaml | 9 +++++ .../multi-signatures/policy.yaml | 32 ++++++++++++++++++ .../resource-no-signature.yaml | 11 +++++++ .../resource-one-signature.yaml | 14 ++++++++ .../resource-two-signatures.yaml | 15 +++++++++ .../single-signature/01-policy.yaml | 6 ++++ .../single-signature/02-resources.yaml | 9 +++++ .../single-signature/README.md | 10 ++++++ .../single-signature/policy-assert.yaml | 9 +++++ .../single-signature/policy.yaml | 33 +++++++++++++++++++ .../resource-no-signature.yaml | 11 +++++++ .../resource-one-signature.yaml | 14 ++++++++ .../resource-two-signatures.yaml | 15 +++++++++ 17 files changed, 214 insertions(+) create mode 100644 test/conformance/kuttl/verify-manifests/multi-signatures/01-policy.yaml create mode 100644 test/conformance/kuttl/verify-manifests/multi-signatures/02-resources.yaml create mode 100644 test/conformance/kuttl/verify-manifests/multi-signatures/README.md create mode 100644 test/conformance/kuttl/verify-manifests/multi-signatures/policy-assert.yaml create mode 100644 test/conformance/kuttl/verify-manifests/multi-signatures/policy.yaml create mode 100644 test/conformance/kuttl/verify-manifests/multi-signatures/resource-no-signature.yaml create mode 100644 test/conformance/kuttl/verify-manifests/multi-signatures/resource-one-signature.yaml create mode 100644 test/conformance/kuttl/verify-manifests/multi-signatures/resource-two-signatures.yaml create mode 100644 test/conformance/kuttl/verify-manifests/single-signature/01-policy.yaml create mode 100644 test/conformance/kuttl/verify-manifests/single-signature/02-resources.yaml create mode 100644 test/conformance/kuttl/verify-manifests/single-signature/README.md create mode 100644 
test/conformance/kuttl/verify-manifests/single-signature/policy-assert.yaml create mode 100644 test/conformance/kuttl/verify-manifests/single-signature/policy.yaml create mode 100644 test/conformance/kuttl/verify-manifests/single-signature/resource-no-signature.yaml create mode 100644 test/conformance/kuttl/verify-manifests/single-signature/resource-one-signature.yaml create mode 100644 test/conformance/kuttl/verify-manifests/single-signature/resource-two-signatures.yaml
diff --git a/.github/workflows/conformance.yaml b/.github/workflows/conformance.yaml
index 09c2d87a1a..40e4d40000 100644
--- a/.github/workflows/conformance.yaml
+++ b/.github/workflows/conformance.yaml
@@ -50,6 +50,7 @@ jobs:
 - rbac
 - reports
 - validate
+ - verify-manifests
 - verifyImages
 - webhooks
 runs-on: ubuntu-latest
diff --git a/test/conformance/kuttl/verify-manifests/multi-signatures/01-policy.yaml b/test/conformance/kuttl/verify-manifests/multi-signatures/01-policy.yaml
new file mode 100644
index 0000000000..b088ed7601
--- /dev/null
+++ b/test/conformance/kuttl/verify-manifests/multi-signatures/01-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml
diff --git a/test/conformance/kuttl/verify-manifests/multi-signatures/02-resources.yaml b/test/conformance/kuttl/verify-manifests/multi-signatures/02-resources.yaml
new file mode 100644
index 0000000000..32b2f0df75
--- /dev/null
+++ b/test/conformance/kuttl/verify-manifests/multi-signatures/02-resources.yaml
@@ -0,0 +1,9 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: resource-no-signature.yaml
+ shouldFail: true
+- file: resource-one-signature.yaml
+ shouldFail: true
+- file: resource-two-signatures.yaml
+ shouldFail: false
diff --git a/test/conformance/kuttl/verify-manifests/multi-signatures/README.md b/test/conformance/kuttl/verify-manifests/multi-signatures/README.md
new file mode 100644
index 0000000000..ce47d1280c
--- /dev/null
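Review bot: `shouldFail: true` on the resource-no-signature.yaml and resource-one-signature.yaml entries only asserts that the apply was denied, not that Kyverno denied it because signature verification failed; any other admission error, such as the webhook being unreachable while the policy sets `failurePolicy: Fail`, satisfies those two entries just as well. The third entry with `shouldFail: false` does catch a dead webhook, so the step is not blind, but a denial for the wrong reason on the first two files still passes. If the kuttl version used here supports the `commands:` form of a TestStep, a `kubectl apply` run under `script:` whose output is checked for the manifest-verification failure message would pin the reason; failing that, a comment above the first entry, `# shouldFail only checks that admission was denied, not why`, records the limitation. The same applies to single-signature/02-resources.yaml.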
+++ b/test/conformance/kuttl/verify-manifests/multi-signatures/README.md
@@ -0,0 +1,10 @@
+## Description
+
+This test creates a policy to verify manifests signatures.
+The policy specifies that two signatures are expected to be valid.
+
+## Expected Behavior
+
+Resource with no signature should be rejected.
+Resource with one signature should be rejected.
+Resource with two signatures should be accepted.
diff --git a/test/conformance/kuttl/verify-manifests/multi-signatures/policy-assert.yaml b/test/conformance/kuttl/verify-manifests/multi-signatures/policy-assert.yaml
new file mode 100644
index 0000000000..582ac4e67a
--- /dev/null
+++ b/test/conformance/kuttl/verify-manifests/multi-signatures/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate-yaml
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/verify-manifests/multi-signatures/policy.yaml b/test/conformance/kuttl/verify-manifests/multi-signatures/policy.yaml
new file mode 100644
index 0000000000..13e977e840
--- /dev/null
+++ b/test/conformance/kuttl/verify-manifests/multi-signatures/policy.yaml
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate-yaml
+spec:
+ validationFailureAction: Enforce
+ background: false
+ webhookTimeoutSeconds: 30
+ failurePolicy: Fail
+ rules:
+ - name: validate-yaml
+ match:
+ any:
+ - resources:
+ kinds:
+ - Service
+ validate:
+ manifests:
+ attestors:
+ - entries:
+ - keys:
+ publicKeys: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyQfmL5YwHbn9xrrgG3vgbU0KJxMY
+ BibYLJ5L4VSMvGxeMLnBGdM48w5IE//6idUPj3rscigFdHs7GDMH4LLAng==
+ -----END PUBLIC KEY-----
+ - keys:
+ publicKeys: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEE8uGVnyDWPPlB7M5KOHRzxzPHtAy
+ FdGxexVrR4YqO1pRViKxmD9oMu4I7K/4sM51nbH65ycB2uRiDfIdRoV/+A==
+ -----END PUBLIC KEY-----
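Review bot: Both test cases create a cluster-scoped ClusterPolicy with `metadata.name: validate-yaml` (here and in single-signature/policy.yaml), and both policy-assert.yaml files wait on that same name. If the conformance job lets kuttl run test cases in parallel, which I believe is kuttl's default, the two cases race to create, overwrite and delete one shared object, and whichever spec was applied last decides whether resource-one-signature.yaml is admitted, so either case can fail, or pass for the wrong reason. Giving each case its own name, `name: validate-yaml-multi-signatures` in this file and its policy-assert.yaml and `name: validate-yaml-single-signature` in the single-signature pair, removes the collision. Separately, this policy expresses "two signatures required" only through the attestor `count` default (all entries must verify) while the single-signature policy spells out `count: 1`; writing `count: 2` on the attestor here makes the intent explicit and keeps the two policies symmetric.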
diff --git a/test/conformance/kuttl/verify-manifests/multi-signatures/resource-no-signature.yaml b/test/conformance/kuttl/verify-manifests/multi-signatures/resource-no-signature.yaml
new file mode 100644
index 0000000000..87100c787a
--- /dev/null
+++ b/test/conformance/kuttl/verify-manifests/multi-signatures/resource-no-signature.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: test-service1
+spec:
+ ports:
+ - port: 80
+ protocol: TCP
+ targetPort: 9376
+ selector:
+ app: MyApp
diff --git a/test/conformance/kuttl/verify-manifests/multi-signatures/resource-one-signature.yaml b/test/conformance/kuttl/verify-manifests/multi-signatures/resource-one-signature.yaml
new file mode 100644
index 0000000000..3de473b4ee
--- /dev/null
+++ b/test/conformance/kuttl/verify-manifests/multi-signatures/resource-one-signature.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ cosign.sigstore.dev/message: H4sIAAAAAAAA/wAuAdH+H4sIAAAAAAAA/+yPPW7rMBCEVesUewE90aJ+bHYPqQMYiJE2YKS1IlgUid21E/v0geggVeDK7vQ1M+RMsUPI/kgtZjz0mbjw72zdmNwXpZSqyzJqU1dRVXF9R6t1siq11rouikYnShdNrRJQd77jT44slhKl6HDs/I0ei93vb+Q/W341P1nK937skDg/V3lVrvXb5Li5VO+duHZz+HJOf37M5X7Kd3nrXSBkHqY+E0tZf8lQ4UYXVVPrrnjA9BkbhlckHvxk4LRKD8PUGXhBOg0tpg7FdlasSQEm69CAIEvG17hIOWA7Z8GT8GyyaA2sVQoAEMiLb/1oYPe0jT9iqUfZxtJGN3UKwDhiK55MLNgQDDyf/4eQPmjxwsLCwsLMdwAAAP//a1+4aAAIAAABAAD//9BEPkguAQAA
+ cosign.sigstore.dev/signature: MEUCIGsd5kBomJgAJKbzoaoaDt5sWGSdA9EPGon4XY3Jmg9XAiEAwtqhN7tRzXNP3y0l5h2nxzg0WRnitCONiPi+BSP1e5Y=
+ name: test-service2
+spec:
+ ports:
+ - port: 80
+ protocol: TCP
+ targetPort: 9376
+ selector:
+ app: MyApp
diff --git a/test/conformance/kuttl/verify-manifests/multi-signatures/resource-two-signatures.yaml b/test/conformance/kuttl/verify-manifests/multi-signatures/resource-two-signatures.yaml
new file mode 100644
index 0000000000..50a69cf200
--- /dev/null
+++ b/test/conformance/kuttl/verify-manifests/multi-signatures/resource-two-signatures.yaml
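Review bot: The `cosign.sigstore.dev/message` and `cosign.sigstore.dev/signature` annotations bind this exact Service body, so any later edit to the manifest (a port, the selector) silently turns the fixture into an unsigned one and the `shouldFail: false` entry in 02-resources.yaml starts failing with no hint why. A comment at the top of the file, `# Signed fixture: the annotations cover the manifest below; do not edit by hand, re-sign instead`, would spare the next maintainer that detour. Nothing in the diff records which of the two test keys produced this signature or where the matching private key is kept, so the fixture cannot be regenerated from the repository alone; naming the key in the same comment would fix that. The same applies to resource-two-signatures.yaml and to the identical copies under single-signature/.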
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ cosign.sigstore.dev/message: H4sIAAAAAAAA/ySKTarDMAwG9zrFd4HAewT6o13puhBo6V44opgmtrBEoLcvcXfDzIjlpzbPtTC2f3rnMjPu2raclFYNmSWECSiyKiPUY/BfHslN096stvAdho6M0x8BgLUaNdWF8bhO3YS0l8bUp/N4PBDgumiK2rgPYsa4fS5m9A0AAP//mX2z9ZsAAAA=
+ cosign.sigstore.dev/signature: MEYCIQDMIHC26nBdO/GeFZpP1CNdmGVO41w5P0PCN4DemLk/mgIhAJ04E76kz25pkUXHxrfKIWVKuD+KGw5TStPNWZPCqPLK
+ cosign.sigstore.dev/signature_1: MEQCIDZ7YUjwtSvjgaOLaXQiT2F7P00FUC+QZqI8DcBjMlgVAiAMojKmnl7TRkqpPMXBsz6rWIMU8VpfItcQ5QrLKLQRHg==
+ name: test-service3
+spec:
+ ports:
+ - port: 80
+ protocol: TCP
+ targetPort: 9376
+ selector:
+ app: MyApp
diff --git a/test/conformance/kuttl/verify-manifests/single-signature/01-policy.yaml b/test/conformance/kuttl/verify-manifests/single-signature/01-policy.yaml
new file mode 100644
index 0000000000..b088ed7601
--- /dev/null
+++ b/test/conformance/kuttl/verify-manifests/single-signature/01-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml
diff --git a/test/conformance/kuttl/verify-manifests/single-signature/02-resources.yaml b/test/conformance/kuttl/verify-manifests/single-signature/02-resources.yaml
new file mode 100644
index 0000000000..09cfa6d968
--- /dev/null
+++ b/test/conformance/kuttl/verify-manifests/single-signature/02-resources.yaml
@@ -0,0 +1,9 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: resource-no-signature.yaml
+ shouldFail: true
+- file: resource-one-signature.yaml
+ shouldFail: false
+- file: resource-two-signatures.yaml
+ shouldFail: false
diff --git a/test/conformance/kuttl/verify-manifests/single-signature/README.md b/test/conformance/kuttl/verify-manifests/single-signature/README.md
new file mode 100644
index 0000000000..cf5eb1c5b2
--- /dev/null
+++ b/test/conformance/kuttl/verify-manifests/single-signature/README.md
@@ -0,0 +1,10 @@
+## Description
+
+This test creates a policy to verify manifests signatures.
+The policy specifies that at least one signature is expected to be valid.
+
+## Expected Behavior
+
+Resource with no signature should be rejected.
+Resource with one signature should be accepted.
+Resource with two signatures should be accepted.
diff --git a/test/conformance/kuttl/verify-manifests/single-signature/policy-assert.yaml b/test/conformance/kuttl/verify-manifests/single-signature/policy-assert.yaml
new file mode 100644
index 0000000000..582ac4e67a
--- /dev/null
+++ b/test/conformance/kuttl/verify-manifests/single-signature/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate-yaml
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/verify-manifests/single-signature/policy.yaml b/test/conformance/kuttl/verify-manifests/single-signature/policy.yaml
new file mode 100644
index 0000000000..156eda52fe
--- /dev/null
+++ b/test/conformance/kuttl/verify-manifests/single-signature/policy.yaml
@@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate-yaml
+spec:
+ validationFailureAction: Enforce
+ background: false
+ webhookTimeoutSeconds: 30
+ failurePolicy: Fail
+ rules:
+ - name: validate-yaml
+ match:
+ any:
+ - resources:
+ kinds:
+ - Service
+ validate:
+ manifests:
+ attestors:
+ - count: 1
+ entries:
+ - keys:
+ publicKeys: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyQfmL5YwHbn9xrrgG3vgbU0KJxMY
+ BibYLJ5L4VSMvGxeMLnBGdM48w5IE//6idUPj3rscigFdHs7GDMH4LLAng==
+ -----END PUBLIC KEY-----
+ - keys:
+ publicKeys: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEE8uGVnyDWPPlB7M5KOHRzxzPHtAy
+ FdGxexVrR4YqO1pRViKxmD9oMu4I7K/4sM51nbH65ycB2uRiDfIdRoV/+A==
+ -----END PUBLIC KEY-----
diff --git a/test/conformance/kuttl/verify-manifests/single-signature/resource-no-signature.yaml b/test/conformance/kuttl/verify-manifests/single-signature/resource-no-signature.yaml
new file mode 100644
index 0000000000..87100c787a
--- /dev/null
+++ b/test/conformance/kuttl/verify-manifests/single-signature/resource-no-signature.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: test-service1
+spec:
+ ports:
+ - port: 80
+ protocol: TCP
+ targetPort: 9376
+ selector:
+ app: MyApp
diff --git a/test/conformance/kuttl/verify-manifests/single-signature/resource-one-signature.yaml b/test/conformance/kuttl/verify-manifests/single-signature/resource-one-signature.yaml
new file mode 100644
index 0000000000..3de473b4ee
--- /dev/null
+++ b/test/conformance/kuttl/verify-manifests/single-signature/resource-one-signature.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ cosign.sigstore.dev/message: H4sIAAAAAAAA/wAuAdH+H4sIAAAAAAAA/+yPPW7rMBCEVesUewE90aJ+bHYPqQMYiJE2YKS1IlgUid21E/v0geggVeDK7vQ1M+RMsUPI/kgtZjz0mbjw72zdmNwXpZSqyzJqU1dRVXF9R6t1siq11rouikYnShdNrRJQd77jT44slhKl6HDs/I0ei93vb+Q/W341P1nK937skDg/V3lVrvXb5Li5VO+duHZz+HJOf37M5X7Kd3nrXSBkHqY+E0tZf8lQ4UYXVVPrrnjA9BkbhlckHvxk4LRKD8PUGXhBOg0tpg7FdlasSQEm69CAIEvG17hIOWA7Z8GT8GyyaA2sVQoAEMiLb/1oYPe0jT9iqUfZxtJGN3UKwDhiK55MLNgQDDyf/4eQPmjxwsLCwsLMdwAAAP//a1+4aAAIAAABAAD//9BEPkguAQAA
+ cosign.sigstore.dev/signature: MEUCIGsd5kBomJgAJKbzoaoaDt5sWGSdA9EPGon4XY3Jmg9XAiEAwtqhN7tRzXNP3y0l5h2nxzg0WRnitCONiPi+BSP1e5Y=
+ name: test-service2
+spec:
+ ports:
+ - port: 80
+ protocol: TCP
+ targetPort: 9376
+ selector:
+ app: MyApp
diff --git a/test/conformance/kuttl/verify-manifests/single-signature/resource-two-signatures.yaml b/test/conformance/kuttl/verify-manifests/single-signature/resource-two-signatures.yaml
new file mode 100644
index 0000000000..50a69cf200
--- /dev/null
+++ b/test/conformance/kuttl/verify-manifests/single-signature/resource-two-signatures.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ cosign.sigstore.dev/message: H4sIAAAAAAAA/ySKTarDMAwG9zrFd4HAewT6o13puhBo6V44opgmtrBEoLcvcXfDzIjlpzbPtTC2f3rnMjPu2raclFYNmSWECSiyKiPUY/BfHslN096stvAdho6M0x8BgLUaNdWF8bhO3YS0l8bUp/N4PBDgumiK2rgPYsa4fS5m9A0AAP//mX2z9ZsAAAA=
+ cosign.sigstore.dev/signature: MEYCIQDMIHC26nBdO/GeFZpP1CNdmGVO41w5P0PCN4DemLk/mgIhAJ04E76kz25pkUXHxrfKIWVKuD+KGw5TStPNWZPCqPLK
+ cosign.sigstore.dev/signature_1: MEQCIDZ7YUjwtSvjgaOLaXQiT2F7P00FUC+QZqI8DcBjMlgVAiAMojKmnl7TRkqpPMXBsz6rWIMU8VpfItcQ5QrLKLQRHg==
+ name: test-service3
+spec:
+ ports:
+ - port: 80
+ protocol: TCP
+ targetPort: 9376
+ selector:
+ app: MyApp