add remainder of e2e verifyImages tests (#5229)

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/01-assert.yaml

@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: tasks-keyless
+status:
+  ready: true

test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/01-manifests.yaml

@@ -0,0 +1,63 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: tekton-test
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: tasks.tekton.dev
+spec:
+  group: tekton.dev
+  preserveUnknownFields: false
+  versions:
+  - name: v1beta1
+    served: true
+    storage: true
+    schema:
+      openAPIV3Schema:
+        type: object
+        x-kubernetes-preserve-unknown-fields: true
+    subresources:
+      status: {}
+  names:
+    kind: Task
+    plural: tasks
+    categories:
+    - tekton
+    - tekton-pipelines
+  scope: Namespaced
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: tasks-keyless
+spec:
+  validationFailureAction: enforce
+  webhookTimeoutSeconds: 30
+  rules:
+  - name: verify-images
+    match:
+      any:
+      - resources:
+          kinds:
+          - tekton.dev/v1beta1/Task
+    preconditions:
+    - key: "{{request.operation}}"
+      operator: NotEquals
+      value: DELETE
+    imageExtractors:
+      Task:
+        - path: /spec/steps/*/image
+    verifyImages:
+    - imageReferences:
+      - "ghcr.io/*"
+      attestors:
+      - count: 1
+        entries:
+        - keyless:
+            issuer: "https://token.actions.githubusercontent.com"
+            subject: "https://github.com/*"
+            rekor:
+              url: https://rekor.sigstore.dev
+      required: true

test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/02-task.yaml

@@ -0,0 +1,9 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: example-task-name
+  namespace: tekton-test
+spec:
+  steps:
+    - name: cosign
+      image: ghcr.io/sigstore/cosign/cosign@sha256:33a6a55d2f1354bc989b791974cf4ee00a900ab9e4e54b393962321758eee3c6

test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/03-assert.yaml

@@ -0,0 +1,7 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: example-task-name
+  namespace: tekton-test
+  annotations:
+    kyverno.io/verify-images: '{"ghcr.io/sigstore/cosign/cosign@sha256:33a6a55d2f1354bc989b791974cf4ee00a900ab9e4e54b393962321758eee3c6":true}'

test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/99-cleanup.yaml

@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: kubectl delete -f 01-manifests.yaml,02-task.yaml --force --wait=true --ignore-not-found=true

test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/README.md

@@ -0,0 +1,3 @@
+# Title
+
+Checks that more complex image extraction with keyless verification and required=true is working by submitting a Task which uses a verified container image. The Task should be created and the annotation `kyverno.io/verify-images` written which contains the image with digest and `true` indicating it was verified.

test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex/01-assert.yaml

@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: tasks-complex
+status:
+  ready: true

test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex/01-manifests.yaml

@@ -0,0 +1,60 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: tekton-test
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: tasks.tekton.dev
+spec:
+  group: tekton.dev
+  preserveUnknownFields: false
+  versions:
+  - name: v1beta1
+    served: true
+    storage: true
+    schema:
+      openAPIV3Schema:
+        type: object
+        x-kubernetes-preserve-unknown-fields: true
+    subresources:
+      status: {}
+  names:
+    kind: Task
+    plural: tasks
+    categories:
+    - tekton
+    - tekton-pipelines
+  scope: Namespaced
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: tasks-complex
+spec:
+  validationFailureAction: enforce
+  rules:
+  - name: verify-images
+    match:
+      any:
+      - resources:
+          kinds:
+          - tekton.dev/v1beta1/Task
+    preconditions:
+    - key: "{{request.operation}}"
+      operator: NotEquals
+      value: DELETE
+    imageExtractors:
+      Task:
+        - path: /spec/steps/*
+          name: steps
+          value: image
+          key: name
+    verifyImages:
+    - image: "*"
+      key: |-
+        -----BEGIN PUBLIC KEY-----
+        MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
+        5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
+        -----END PUBLIC KEY----- 

test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex/02-create-task.yaml

@@ -0,0 +1,14 @@
+## Checks that the manifests.yaml file CANNOT be successfully created. If it can, fail the test as this is incorrect.
+
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+    if kubectl apply -f badtask.yaml
+    then 
+      echo "Tested failed. Task was created when it shouldn't have been."
+      exit 1 
+    else 
+      echo "Test succeeded. Task was not created as intended."
+      exit 0
+    fi

test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex/03-errors.yaml

@@ -0,0 +1,5 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: example-task-name
+  namespace: tekton-test

test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex/99-cleanup.yaml

@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true

test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex/README.md

@@ -0,0 +1,3 @@
+# Title
+
+Checks that more complex image extraction is working by submitting a Task which uses an unverified container image. The Task should fail to be created since the supplied public key is not valid for it (the image is unsigned).

test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex/badtask.yaml

@@ -0,0 +1,9 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: example-task-name
+  namespace: tekton-test
+spec:
+  steps:
+    - name: ubuntu-example
+      image: ubuntu:bionic

test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-none/01-assert.yaml

@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: tasks-no-extractor
+status:
+  ready: true

test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-none/01-manifests.yaml

@@ -0,0 +1,54 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: tekton-test
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: tasks.tekton.dev
+spec:
+  group: tekton.dev
+  preserveUnknownFields: false
+  versions:
+  - name: v1beta1
+    served: true
+    storage: true
+    schema:
+      openAPIV3Schema:
+        type: object
+        x-kubernetes-preserve-unknown-fields: true
+    subresources:
+      status: {}
+  names:
+    kind: Task
+    plural: tasks
+    categories:
+    - tekton
+    - tekton-pipelines
+  scope: Namespaced
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: tasks-no-extractor
+spec:
+  validationFailureAction: enforce
+  rules:
+  - name: verify-images
+    match:
+      any:
+      - resources:
+          kinds:
+          - tekton.dev/v1beta1/Task
+    preconditions:
+    - key: "{{request.operation}}"
+      operator: NotEquals
+      value: DELETE
+    verifyImages:
+    - image: "*"
+      key: |-
+        -----BEGIN PUBLIC KEY-----
+        MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
+        5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
+        -----END PUBLIC KEY----- 

test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-none/02-task.yaml

@@ -0,0 +1,9 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: example-task-name
+  namespace: tekton-test
+spec:
+  steps:
+    - name: ubuntu-example
+      image: ubuntu:bionic

test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-none/03-assert.yaml

@@ -0,0 +1,5 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: example-task-name
+  namespace: tekton-test

test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-none/99-cleanup.yaml

@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: kubectl delete -f 01-manifests.yaml,02-task.yaml --force --wait=true --ignore-not-found=true

test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-none/README.md

@@ -0,0 +1,3 @@
+# Title
+
+Checks that a ClusterPolicy without defining an imageExtractor causes a CustomResource to pass through. Since the ClusterPolicy does not name a field from which to extract the image, no verification can be performed. Expected result is the Task is created even though the image within is not verified.

test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-simple/01-assert.yaml

@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: tasks-simple
+status:
+  ready: true

test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-simple/01-manifests.yaml

@@ -0,0 +1,58 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: tekton-test
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: tasks.tekton.dev
+spec:
+  group: tekton.dev
+  preserveUnknownFields: false
+  versions:
+  - name: v1beta1
+    served: true
+    storage: true
+    schema:
+      openAPIV3Schema:
+        type: object
+        x-kubernetes-preserve-unknown-fields: true
+    subresources:
+      status: {}
+  names:
+    kind: Task
+    plural: tasks
+    categories:
+    - tekton
+    - tekton-pipelines
+  scope: Namespaced
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: tasks-simple
+spec:
+  validationFailureAction: enforce
+  rules:
+  - name: verify-images
+    match:
+      any:
+      - resources:
+          kinds:
+          - tekton.dev/v1beta1/Task
+    preconditions:
+    - key: "{{request.operation}}"
+      operator: NotEquals
+      value: DELETE
+    imageExtractors:
+      Task:
+        - path: /spec/steps/*/image
+    verifyImages:
+    - image: "*"
+      key: |-
+        -----BEGIN PUBLIC KEY-----
+        MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
+        5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
+        -----END PUBLIC KEY----- 
+---

test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-simple/02-create-task.yaml

@@ -0,0 +1,14 @@
+## Checks that the manifests.yaml file CANNOT be successfully created. If it can, fail the test as this is incorrect.
+
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+    if kubectl apply -f badtask.yaml
+    then 
+      echo "Tested failed. Task was created when it shouldn't have been."
+      exit 1 
+    else 
+      echo "Test succeeded. Task was not created as intended."
+      exit 0
+    fi

test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-simple/03-errors.yaml

@@ -0,0 +1,5 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: example-task-name
+  namespace: tekton-test

test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-simple/99-cleanup.yaml

@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true

test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-simple/README.md

@@ -0,0 +1,3 @@
+# Title
+
+Checks that simple image extraction is working by submitting a Task which uses an unverified container image. The Task should fail to be created since the supplied public key is not valid for it (the image is unsigned).

test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-simple/badtask.yaml

@@ -0,0 +1,9 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: example-task-name
+  namespace: tekton-test
+spec:
+  steps:
+    - name: ubuntu-example
+      image: ubuntu:bionic