From 8f6f21c5c735a23f6cec27c9cd00d9d5ef85701b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Wed, 6 Dec 2023 19:29:51 +0100 Subject: [PATCH] chore: convert chainsaw tests to Test resource (#9099) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Charles-Edouard Brétéché --- .../multiple-attestors/01-policy.yaml | 63 ------------------- .../chainsaw-step-01-apply-1.yaml | 63 +++++++++++++++++++ ...rt.yaml => chainsaw-step-01-assert-1.yaml} | 0 ...pod.yaml => chainsaw-step-02-apply-1.yaml} | 2 +- ...rt.yaml => chainsaw-step-02-assert-1.yaml} | 2 +- .../multiple-attestors/chainsaw-test.yaml | 16 ++++- .../01-manifests.yaml | 54 ---------------- .../chainsaw-step-01-apply-1.yaml | 10 +++ .../chainsaw-step-01-apply-2.yaml | 35 +++++++++++ ...rt.yaml => chainsaw-step-01-assert-1.yaml} | 0 .../chainsaw-test.yaml | 15 +++++ .../standard/empty-image/01-policy.yaml | 13 ---- .../standard/empty-image/02-resources.yaml | 11 ---- .../standard/empty-image/chainsaw-test.yaml | 17 +++++ .../01-policy.yaml | 13 ---- .../03-create-bad-pod.yaml | 11 ---- ...ace.yaml => chainsaw-step-02-apply-1.yaml} | 0 .../chainsaw-test.yaml | 21 +++++++ .../00-crd.yaml | 13 ---- .../01-policy.yaml | 13 ---- .../02-task.yaml | 13 ---- .../chainsaw-test.yaml | 25 ++++++++ .../imageExtractors-complex/00-crd.yaml | 13 ---- .../imageExtractors-complex/01-policy.yaml | 13 ---- .../02-create-task.yaml | 14 ----- ...ors.yaml => chainsaw-step-03-error-1.yaml} | 0 .../chainsaw-test.yaml | 30 +++++++++ .../standard/imageExtractors-none/00-crd.yaml | 13 ---- .../imageExtractors-none/01-policy.yaml | 13 ---- .../imageExtractors-none/02-task.yaml | 13 ---- .../imageExtractors-none/chainsaw-test.yaml | 25 ++++++++ .../imageExtractors-simple/00-crd.yaml | 13 ---- .../imageExtractors-simple/01-policy.yaml | 13 ---- .../02-create-task.yaml | 14 ----- .../imageExtractors-simple/chainsaw-test.yaml | 26 ++++++++ .../03-teststep.yaml | 18 ------ .../chainsaw-step-01-apply-1.yaml | 6 ++ .../chainsaw-step-01-apply-2.yaml | 6 ++ ...sts.yaml => chainsaw-step-01-apply-3.yaml} | 30 +++------ ...rt.yaml => chainsaw-step-01-assert-1.yaml} | 0 ...pod.yaml => chainsaw-step-02-apply-1.yaml} | 2 +- ...rt.yaml => chainsaw-step-02-assert-1.yaml} | 2 +- 
.../chainsaw-test.yaml | 34 ++++++++++ .../keyed-basic/chainsaw-step-01-apply-1.yaml | 4 ++ ...sts.yaml => chainsaw-step-01-apply-2.yaml} | 21 +++---- ...rt.yaml => chainsaw-step-01-assert-1.yaml} | 0 .../chainsaw-step-02-apply-1.yaml} | 2 +- .../chainsaw-step-02-assert-1.yaml} | 2 +- .../standard/keyed-basic/chainsaw-test.yaml | 21 +++++++ .../standard/keyed-secret/01-manifests.yaml | 42 ------------- .../chainsaw-step-01-apply-1.yaml | 4 ++ .../chainsaw-step-01-apply-2.yaml | 28 +++++++++ .../chainsaw-step-01-apply-3.yaml | 8 +++ ...rt.yaml => chainsaw-step-01-assert-1.yaml} | 0 .../chainsaw-step-02-apply-1.yaml} | 2 +- .../chainsaw-step-02-assert-1.yaml} | 2 +- .../standard/keyed-secret/chainsaw-test.yaml | 23 +++++++ .../01-manifests.yaml | 37 ----------- .../chainsaw-step-01-apply-1.yaml | 37 +++++++++++ ...rt.yaml => chainsaw-step-01-assert-1.yaml} | 0 .../chainsaw-step-02-apply-1.yaml} | 0 .../chainsaw-step-02-assert-1.yaml} | 0 .../chainsaw-test.yaml | 19 ++++++ .../01-manifests.yaml | 36 ----------- .../chainsaw-step-01-apply-1.yaml | 37 +++++++++++ ...rt.yaml => chainsaw-step-01-assert-1.yaml} | 0 .../chainsaw-step-02-apply-1.yaml} | 2 +- .../chainsaw-step-02-assert-1.yaml} | 2 +- .../chainsaw-test.yaml | 19 ++++++ .../01-manifests.yaml | 36 ----------- .../02-pod.yaml | 14 ----- .../chainsaw-step-01-apply-1.yaml | 37 +++++++++++ ...rt.yaml => chainsaw-step-01-assert-1.yaml} | 0 ...ors.yaml => chainsaw-step-03-error-1.yaml} | 2 +- .../chainsaw-test.yaml | 24 +++++++ ...sts.yaml => chainsaw-step-01-apply-1.yaml} | 0 ...rt.yaml => chainsaw-step-01-assert-1.yaml} | 0 .../chainsaw-step-02-apply-1.yaml} | 2 +- .../chainsaw-step-02-assert-1.yaml} | 2 +- .../chainsaw-test.yaml | 19 ++++++ .../01-manifests.yaml | 44 ------------- .../chainsaw-step-01-apply-1.yaml | 45 +++++++++++++ ...rt.yaml => chainsaw-step-01-assert-1.yaml} | 0 ...pod.yaml => chainsaw-step-02-apply-1.yaml} | 2 +- .../chainsaw-step-02-assert-1.yaml} | 2 +- .../chainsaw-test.yaml | 19 ++++++ 
.../01-manifests.yaml | 44 ------------- .../02-pod.yaml | 14 ----- .../chainsaw-step-01-apply-1.yaml | 45 +++++++++++++ ...rt.yaml => chainsaw-step-01-assert-1.yaml} | 0 ...ors.yaml => chainsaw-step-03-error-1.yaml} | 2 +- .../chainsaw-test.yaml | 24 +++++++ .../01-manifests.yaml | 43 ------------- .../02-pod.yaml | 14 ----- .../chainsaw-step-01-apply-1.yaml | 44 +++++++++++++ ...rt.yaml => chainsaw-step-01-assert-1.yaml} | 0 ...ors.yaml => chainsaw-step-03-error-1.yaml} | 2 +- .../chainsaw-test.yaml | 24 +++++++ .../01-manifests.yaml | 29 --------- .../chainsaw-step-01-apply-1.yaml | 29 +++++++++ ...rt.yaml => chainsaw-step-01-assert-1.yaml} | 0 .../chainsaw-step-02-apply-1.yaml} | 2 +- .../chainsaw-step-02-assert-1.yaml} | 2 +- .../chainsaw-test.yaml | 19 ++++++ .../01-manifests.yaml | 29 --------- .../chainsaw-step-01-apply-1.yaml | 29 +++++++++ ...rt.yaml => chainsaw-step-01-assert-1.yaml} | 0 ...pod.yaml => chainsaw-step-02-apply-1.yaml} | 2 +- ...rt.yaml => chainsaw-step-02-assert-1.yaml} | 2 +- .../chainsaw-test.yaml | 19 ++++++ .../01-manifests.yaml | 29 --------- .../chainsaw-step-01-apply-1.yaml | 29 +++++++++ ...rt.yaml => chainsaw-step-01-assert-1.yaml} | 0 ...pod.yaml => chainsaw-step-02-apply-1.yaml} | 2 +- ...rt.yaml => chainsaw-step-02-assert-1.yaml} | 2 +- .../chainsaw-test.yaml | 19 ++++++ .../01-manifests.yaml | 20 ------ .../chainsaw-step-01-apply-1.yaml | 20 ++++++ ...rt.yaml => chainsaw-step-01-assert-1.yaml} | 0 ...pod.yaml => chainsaw-step-02-apply-1.yaml} | 4 +- ...rt.yaml => chainsaw-step-03-assert-1.yaml} | 2 +- .../chainsaw-test.yaml | 21 +++++++ .../01-policy.yaml | 13 ---- .../02-create-good-pod.yaml | 15 ----- .../03-create-bad-pod.yaml | 14 ----- .../04-update-policy.yaml | 13 ---- .../05-create-pod-with-configmap.yaml | 13 ---- .../chainsaw-test.yaml | 40 ++++++++++++ .../01-manifests.yaml | 20 ------ .../04-create-badpod.yaml | 14 ----- .../chainsaw-step-01-apply-1.yaml | 20 ++++++ ...rt.yaml => chainsaw-step-01-assert-1.yaml} | 0 
...pod.yaml => chainsaw-step-02-apply-1.yaml} | 2 +- ...rt.yaml => chainsaw-step-03-assert-1.yaml} | 2 +- .../chainsaw-test.yaml | 28 +++++++++ .../01-policy.yaml | 13 ---- .../02-resource.yaml | 13 ---- .../chainsaw-test.yaml | 19 ++++++ .../03-bad-pod.yaml | 13 ---- .../04-secret.yaml | 12 ---- .../08-cleanup.yaml | 17 ----- .../chainsaw-step-01-apply-1.yaml | 4 ++ ...sts.yaml => chainsaw-step-01-apply-2.yaml} | 44 +------------ .../chainsaw-step-01-apply-3.yaml | 32 ++++++++++ ...est.yaml => chainsaw-step-02-apply-1.yaml} | 2 +- ...ret.yaml => chainsaw-step-05-apply-1.yaml} | 2 +- ...pod.yaml => chainsaw-step-06-apply-1.yaml} | 2 +- .../chainsaw-step-07-assert-1.yaml} | 2 +- .../chainsaw-test.yaml | 52 +++++++++++++++ .../notary-image-verification/01-policy.yaml | 13 ---- .../02-resource.yaml | 13 ---- .../chainsaw-test.yaml | 19 ++++++ .../01-policy.yaml | 13 ---- .../02-resource.yaml | 15 ----- .../rollback-image-verification/03-test.yaml | 11 ---- ...rt.yaml => chainsaw-step-04-assert-1.yaml} | 2 +- .../chainsaw-test.yaml | 29 +++++++++ .../update-multi-containers/01-policy.yaml | 13 ---- .../update-multi-containers/02-resource.yaml | 15 ----- .../chainsaw-test.yaml | 21 +++++++ 160 files changed, 1309 insertions(+), 1146 deletions(-) delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/01-policy.yaml create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/chainsaw-step-01-apply-1.yaml rename test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/{01-assert.yaml => chainsaw-step-01-assert-1.yaml} (100%) mode change 100644 => 100755 rename test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/{02-pod.yaml => chainsaw-step-02-apply-1.yaml} (91%) mode change 100644 => 100755 rename test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/{02-assert.yaml => 
chainsaw-step-02-assert-1.yaml} (84%) mode change 100644 => 100755 delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/01-manifests.yaml create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/chainsaw-step-01-apply-1.yaml create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/chainsaw-step-01-apply-2.yaml rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/{01-assert.yaml => chainsaw-step-01-assert-1.yaml} (100%) mode change 100644 => 100755 create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/01-policy.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/02-resources.yaml create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/01-policy.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/03-create-bad-pod.yaml rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/{02-namespace.yaml => chainsaw-step-02-apply-1.yaml} (100%) mode change 100644 => 100755 create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/00-crd.yaml delete mode 100644 
test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/01-policy.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/02-task.yaml create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/00-crd.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/01-policy.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/02-create-task.yaml rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/{03-errors.yaml => chainsaw-step-03-error-1.yaml} (100%) mode change 100644 => 100755 create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/00-crd.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/01-policy.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/02-task.yaml create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/00-crd.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/01-policy.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/02-create-task.yaml create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/chainsaw-test.yaml delete mode 100644 
test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/03-teststep.yaml create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-step-01-apply-1.yaml create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-step-01-apply-2.yaml rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/{01-manifests.yaml => chainsaw-step-01-apply-3.yaml} (71%) mode change 100644 => 100755 rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/{01-assert.yaml => chainsaw-step-01-assert-1.yaml} (100%) mode change 100644 => 100755 rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/{02-goodpod.yaml => chainsaw-step-02-apply-1.yaml} (88%) mode change 100644 => 100755 rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/{02-assert.yaml => chainsaw-step-02-assert-1.yaml} (64%) mode change 100644 => 100755 create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-test.yaml create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/chainsaw-step-01-apply-1.yaml rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/{01-manifests.yaml => chainsaw-step-01-apply-2.yaml} (77%) mode change 100644 => 100755 rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/{01-assert.yaml => chainsaw-step-01-assert-1.yaml} (100%) mode change 100644 => 100755 rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/{keyed-secret/02-goodpod.yaml => keyed-basic/chainsaw-step-02-apply-1.yaml} (88%) mode change 100644 => 100755 rename 
test/conformance/chainsaw/verifyImages/clusterpolicy/standard/{keyed-secret/02-assert.yaml => keyed-basic/chainsaw-step-02-assert-1.yaml} (64%) mode change 100644 => 100755 create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/01-manifests.yaml create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-step-01-apply-1.yaml create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-step-01-apply-2.yaml create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-step-01-apply-3.yaml rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/{01-assert.yaml => chainsaw-step-01-assert-1.yaml} (100%) mode change 100644 => 100755 rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/{keyed-basic/02-goodpod.yaml => keyed-secret/chainsaw-step-02-apply-1.yaml} (88%) mode change 100644 => 100755 rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/{notary-image-verification-secret-from-policy/07-assert.yaml => keyed-secret/chainsaw-step-02-assert-1.yaml} (64%) mode change 100644 => 100755 create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/01-manifests.yaml create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/chainsaw-step-01-apply-1.yaml rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/{01-assert.yaml => chainsaw-step-01-assert-1.yaml} (100%) mode change 100644 => 100755 rename 
test/conformance/chainsaw/verifyImages/clusterpolicy/standard/{keyless-attestations-multiple-subjects-4/02-pod.yaml => keyless-attestations-multiple-subjects-1/chainsaw-step-02-apply-1.yaml} (100%) mode change 100644 => 100755 rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/{keyless-attestations-multiple-subjects-4/02-assert.yaml => keyless-attestations-multiple-subjects-1/chainsaw-step-02-assert-1.yaml} (100%) mode change 100644 => 100755 create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/01-manifests.yaml create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/chainsaw-step-01-apply-1.yaml rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/{01-assert.yaml => chainsaw-step-01-assert-1.yaml} (100%) mode change 100644 => 100755 rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/{keyless-attestations-multiple-subjects-1/02-pod.yaml => keyless-attestations-multiple-subjects-2/chainsaw-step-02-apply-1.yaml} (89%) mode change 100644 => 100755 rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/{keyless-attestations-multiple-subjects-1/02-assert.yaml => keyless-attestations-multiple-subjects-2/chainsaw-step-02-assert-1.yaml} (95%) mode change 100644 => 100755 create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/01-manifests.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/02-pod.yaml create mode 100755 
test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/chainsaw-step-01-apply-1.yaml rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/{01-assert.yaml => chainsaw-step-01-assert-1.yaml} (100%) mode change 100644 => 100755 rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/{03-errors.yaml => chainsaw-step-03-error-1.yaml} (69%) mode change 100644 => 100755 create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/chainsaw-test.yaml rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/{01-manifests.yaml => chainsaw-step-01-apply-1.yaml} (100%) mode change 100644 => 100755 rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/{01-assert.yaml => chainsaw-step-01-assert-1.yaml} (100%) mode change 100644 => 100755 rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/{keyless-mutatedigest-verifydigest-required/02-pod.yaml => keyless-attestations-multiple-subjects-4/chainsaw-step-02-apply-1.yaml} (89%) mode change 100644 => 100755 rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/{keyless-attestations-multiple-subjects-2/02-assert.yaml => keyless-attestations-multiple-subjects-4/chainsaw-step-02-assert-1.yaml} (95%) mode change 100644 => 100755 create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/01-manifests.yaml create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/chainsaw-step-01-apply-1.yaml rename 
test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/{01-assert.yaml => chainsaw-step-01-assert-1.yaml} (100%) mode change 100644 => 100755 rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/{02-pod.yaml => chainsaw-step-02-apply-1.yaml} (89%) mode change 100644 => 100755 rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/{keyless-mutatedigest-verifydigest-required/02-assert.yaml => keyless-attestations-multiple-subjects-counts-1/chainsaw-step-02-assert-1.yaml} (95%) mode change 100644 => 100755 create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/01-manifests.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/02-pod.yaml create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/chainsaw-step-01-apply-1.yaml rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/{01-assert.yaml => chainsaw-step-01-assert-1.yaml} (100%) mode change 100644 => 100755 rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/{03-errors.yaml => chainsaw-step-03-error-1.yaml} (69%) mode change 100644 => 100755 create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/01-manifests.yaml delete mode 100644 
test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/02-pod.yaml create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/chainsaw-step-01-apply-1.yaml rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/{01-assert.yaml => chainsaw-step-01-assert-1.yaml} (100%) mode change 100644 => 100755 rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/{03-errors.yaml => chainsaw-step-03-error-1.yaml} (69%) mode change 100644 => 100755 create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/01-manifests.yaml create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/chainsaw-step-01-apply-1.yaml rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/{01-assert.yaml => chainsaw-step-01-assert-1.yaml} (100%) mode change 100644 => 100755 rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/{keyless-attestations-multiple-subjects-2/02-pod.yaml => keyless-mutatedigest-verifydigest-required/chainsaw-step-02-apply-1.yaml} (89%) mode change 100644 => 100755 rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/{keyless-attestations-multiple-subjects-counts-1/02-assert.yaml => keyless-mutatedigest-verifydigest-required/chainsaw-step-02-assert-1.yaml} (95%) mode change 100644 => 100755 create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/chainsaw-test.yaml delete mode 100644 
test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/01-manifests.yaml create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/chainsaw-step-01-apply-1.yaml rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/{01-assert.yaml => chainsaw-step-01-assert-1.yaml} (100%) mode change 100644 => 100755 rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/{02-pod.yaml => chainsaw-step-02-apply-1.yaml} (89%) mode change 100644 => 100755 rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/{02-assert.yaml => chainsaw-step-02-assert-1.yaml} (93%) mode change 100644 => 100755 create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/01-manifests.yaml create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/chainsaw-step-01-apply-1.yaml rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/{01-assert.yaml => chainsaw-step-01-assert-1.yaml} (100%) mode change 100644 => 100755 rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/{02-pod.yaml => chainsaw-step-02-apply-1.yaml} (89%) mode change 100644 => 100755 rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/{02-assert.yaml => chainsaw-step-02-assert-1.yaml} (93%) mode change 100644 => 100755 create mode 100755 
test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/01-manifests.yaml create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/chainsaw-step-01-apply-1.yaml rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/{01-assert.yaml => chainsaw-step-01-assert-1.yaml} (100%) mode change 100644 => 100755 rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/{02-pod.yaml => chainsaw-step-02-apply-1.yaml} (52%) mode change 100644 => 100755 rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/{03-assert.yaml => chainsaw-step-03-assert-1.yaml} (91%) mode change 100644 => 100755 create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/01-policy.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/02-create-good-pod.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/03-create-bad-pod.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/04-update-policy.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/05-create-pod-with-configmap.yaml create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/chainsaw-test.yaml delete mode 100644 
test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/01-manifests.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/04-create-badpod.yaml create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/chainsaw-step-01-apply-1.yaml rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/{01-assert.yaml => chainsaw-step-01-assert-1.yaml} (100%) mode change 100644 => 100755 rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/{02-goodpod.yaml => chainsaw-step-02-apply-1.yaml} (91%) mode change 100644 => 100755 rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/{03-assert.yaml => chainsaw-step-03-assert-1.yaml} (91%) mode change 100644 => 100755 create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/01-policy.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/02-resource.yaml create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/03-bad-pod.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/04-secret.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/08-cleanup.yaml create mode 100755 
test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-01-apply-1.yaml rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/{01-manifests.yaml => chainsaw-step-01-apply-2.yaml} (62%) mode change 100644 => 100755 create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-01-apply-3.yaml rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/{02-assert-manifest.yaml => chainsaw-step-02-apply-1.yaml} (90%) mode change 100644 => 100755 rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/{05-assert-secret.yaml => chainsaw-step-05-apply-1.yaml} (72%) mode change 100644 => 100755 rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/{06-pod.yaml => chainsaw-step-06-apply-1.yaml} (88%) mode change 100644 => 100755 rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/{keyed-basic/02-assert.yaml => notary-image-verification-secret-from-policy/chainsaw-step-07-assert-1.yaml} (64%) mode change 100644 => 100755 create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/01-policy.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/02-resource.yaml create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/01-policy.yaml delete mode 100644 
test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/02-resource.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/03-test.yaml rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/{04-assert.yaml => chainsaw-step-04-assert-1.yaml} (93%) mode change 100644 => 100755 create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/01-policy.yaml delete mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/02-resource.yaml create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/chainsaw-test.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/01-policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/01-policy.yaml deleted file mode 100644 index 81ad463757..0000000000 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/01-policy.yaml +++ /dev/null 
@@ -1,63 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: validate-signatures - annotations: - pod-policies.kyverno.io/autogen-controllers: none -spec: - validationFailureAction: Enforce - webhookTimeoutSeconds: 30 - background: false - rules: - - name: check-1 - match: - any: - - resources: - kinds: - - Pod - verifyImages: - - attestors: - - count: 1 - entries: - - keys: - publicKeys: |- - -----BEGIN PUBLIC KEY----- - MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM - 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA== - -----END PUBLIC KEY----- - rekor: - url: https://rekor.sigstore.dev - ignoreTlog: true - ctlog: - ignoreSCT: true - imageReferences: - - ghcr.io/kyverno/test-verify-image:* - mutateDigest: true - required: true - verifyDigest: true - - name: check-2 - match: - any: - - resources: - kinds: - - Pod - verifyImages: - - attestors: - - count: 1 - entries: - - keys: - publicKeys: |- - -----BEGIN PUBLIC KEY----- - MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOUD2uzRHLnx1oH6XAnF+8haL73BF - zh9pMI1x1/c4Nj/w+rsrgMCDyV/S8hmsXEbizhYD3QndVtV1piBDfDIb8w== - -----END PUBLIC KEY----- - rekor: - url: https://rekor.sigstore.dev - ignoreTlog: true - ctlog: - ignoreSCT: true - imageReferences: - - my.local.repo/* - mutateDigest: false - required: true - verifyDigest: false \ No newline at end of file diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/chainsaw-step-01-apply-1.yaml new file mode 100755 index 0000000000..53b79ca173 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/chainsaw-step-01-apply-1.yaml 
@@ -0,0 +1,63 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + annotations: + pod-policies.kyverno.io/autogen-controllers: none + name: validate-signatures +spec: + background: false + rules: + - match: + any: + - resources: + kinds: + - Pod + name: check-1 + verifyImages: + - attestors: + - count: 1 + entries: + - keys: + ctlog: + ignoreSCT: true + publicKeys: |- + -----BEGIN PUBLIC KEY----- + MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM + 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA== + -----END PUBLIC KEY----- + rekor: + ignoreTlog: true + url: https://rekor.sigstore.dev + imageReferences: + - ghcr.io/kyverno/test-verify-image:* + mutateDigest: true + required: true + verifyDigest: true + - match: + any: + - resources: + kinds: + - Pod + name: check-2 + verifyImages: + - attestors: + - count: 1 + entries: + - keys: + ctlog: + ignoreSCT: true + publicKeys: |- + -----BEGIN PUBLIC KEY----- + MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOUD2uzRHLnx1oH6XAnF+8haL73BF + zh9pMI1x1/c4Nj/w+rsrgMCDyV/S8hmsXEbizhYD3QndVtV1piBDfDIb8w== + -----END PUBLIC KEY----- + rekor: + ignoreTlog: true + url: https://rekor.sigstore.dev + imageReferences: + - my.local.repo/* + mutateDigest: false + required: true + verifyDigest: false + validationFailureAction: Enforce + webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/01-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/chainsaw-step-01-assert-1.yaml old mode 100644 new mode 100755 similarity index 100% rename from test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/01-assert.yaml rename to test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/chainsaw-step-01-assert-1.yaml 
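Review bot: Both attestor entries in this fixture set `rekor.ignoreTlog: true` and `ctlog.ignoreSCT: true` while still carrying `url: https://rekor.sigstore.dev`, so the Rekor URL is inert and neither transparency-log inclusion nor SCTs are verified, and nothing in the file says that is deliberate. A comment above each `verifyImages:` such as `# conformance fixture: Rekor tlog and SCT checks intentionally disabled; do not copy into production policies` would stop this being lifted as a sample. Rule `check-2` matches `my.local.repo/*` with `required: true`, and as far as the pod applied in the next step shows (`ghcr.io/kyverno/test-verify-image:signed`) no such image is ever used, so that attestor is presumably never exercised; a comment stating that the test's intent is "a non-matching rule must not block admission" would make that explicit.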
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/02-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/chainsaw-step-02-apply-1.yaml old mode 100644 new mode 100755 similarity index 91% rename from test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/02-pod.yaml rename to test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/chainsaw-step-02-apply-1.yaml index 775c9c20c3..b54823a2aa --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/02-pod.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/chainsaw-step-02-apply-1.yaml @@ -7,4 +7,4 @@ spec: containers: - image: ghcr.io/kyverno/test-verify-image:signed imagePullPolicy: IfNotPresent - name: signed \ No newline at end of file + name: signed diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/02-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/chainsaw-step-02-assert-1.yaml old mode 100644 new mode 100755 similarity index 84% rename from test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/02-assert.yaml rename to test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/chainsaw-step-02-assert-1.yaml index b1cd0a9ce3..004d58670f --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/02-assert.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/chainsaw-step-02-assert-1.yaml @@ -5,4 +5,4 @@ metadata: namespace: default spec: containers: - - name: signed \ No newline at end of file + - name: signed 
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/chainsaw-test.yaml index 178176c3b4..ab8a010a61 100644 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/chainsaw-test.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/chainsaw-test.yaml @@ -1,7 +1,19 @@ apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: + creationTimestamp: null name: multiple-attestors spec: - timeouts: - apply: 90s + steps: + - name: step-01 + try: + - apply: + file: chainsaw-step-01-apply-1.yaml + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: chainsaw-step-02-apply-1.yaml + - assert: + file: chainsaw-step-02-assert-1.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/01-manifests.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/01-manifests.yaml deleted file mode 100644 index 227475e62f..0000000000 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/01-manifests.yaml +++ /dev/null 
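Review bot: The conversion removes `timeouts: apply: 90s` from `spec` and the new `steps` do not reinstate it, so the apply of the signed pod in step-02 now runs under chainsaw's default apply timeout instead of the 90s the old test asked for. That step goes through a webhook with `webhookTimeoutSeconds: 30` that has to fetch and verify signatures for a `ghcr.io` image, so unless the default is known to be at least as long this is a silent tightening that will show up as flaky failures rather than a clear error. Restoring `timeouts:` / `  apply: 90s` under `spec` (or a step-level `timeouts` on step-02) keeps the previous behaviour.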
@@ -1,54 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - namespace: default - name: keys -data: - org: |- - -----BEGIN PUBLIC KEY----- - MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkooBXoWI+9fAJWeWoB26K539sTp/ - 50J9t2brN73cxQURl1TCbUvw+3T/XmOCwVrkP6stjHJN2SatnhLmx6736A== - -----END PUBLIC KEY----- - org1: - -----BEGIN PUBLIC KEY----- - MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkooBXoWI+9fAJWeWoB26K539sTp/ - 50J9t2brN73cxQURl1TCbUvw+3T/XmOCwVrkP6stjHJN2SatnhLmx6736A== - -----END PUBLIC KEY----- ---- -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: verify-image-with-multi-keys - annotations: - policies.kyverno.io/title: Verify Image with Multiple Keys - policies.kyverno.io/category: Sample - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Pod - policies.kyverno.io/minversion: 1.7.0 - kyverno.io/kyverno-version: 1.7.2 - kyverno.io/kubernetes-version: "1.23" - policies.kyverno.io/description: >- - There may be multiple keys used to sign images based on - the parties involved in the creation process. This image - verification policy requires the named image be signed by - two separate keys. It will search for a global "production" - key in a ConfigMap called `key` in the `default` Namespace - and also a Namespace key in the same ConfigMap. -spec: - validationFailureAction: Enforce - background: true - rules: - - name: check-image-with-two-keys - match: - any: - - resources: - kinds: - - Pod - context: - - name: keys - configMap: - name: keys - namespace: default - verifyImages: - - image: "*" - key: "{{ keys.data.org }}" \ No newline at end of file diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/chainsaw-step-01-apply-1.yaml new file mode 100755 index 0000000000..e12507f874 --- /dev/null 
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/chainsaw-step-01-apply-1.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + org: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkooBXoWI+9fAJWeWoB26K539sTp/\n50J9t2brN73cxQURl1TCbUvw+3T/XmOCwVrkP6stjHJN2SatnhLmx6736A==\n-----END + PUBLIC KEY----- " + org1: '-----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkooBXoWI+9fAJWeWoB26K539sTp/ + 50J9t2brN73cxQURl1TCbUvw+3T/XmOCwVrkP6stjHJN2SatnhLmx6736A== -----END PUBLIC KEY-----' +kind: ConfigMap +metadata: + name: keys + namespace: default diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/chainsaw-step-01-apply-2.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/chainsaw-step-01-apply-2.yaml new file mode 100755 index 0000000000..d361ec52cc --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/chainsaw-step-01-apply-2.yaml 
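Review bot: The `org` key material has been re-serialised from a literal block into a double-quoted scalar that breaks inside the `-----END PUBLIC KEY-----` marker and appears to end with a space before the closing quote; YAML folding should rejoin the marker, but any trailing space becomes part of the value the policy reads via `{{ keys.data.org }}`, and whether the PEM decoder tolerates it is not something this fixture checks. Keeping the literal form, `org: |-` followed by the three PEM lines, makes the key byte-exact and reviewable. `org1` is a single-line string with the PEM lines joined by spaces (it already was before the conversion, since the original had no `|`) and is not referenced by the policy in this test, so it is either dead data or a silently unparseable key; a comment saying which, or dropping it, would avoid someone "fixing" the policy to use it.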
@@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + annotations: + kyverno.io/kubernetes-version: "1.23" + kyverno.io/kyverno-version: 1.7.2 + policies.kyverno.io/category: Sample + policies.kyverno.io/description: There may be multiple keys used to sign images + based on the parties involved in the creation process. This image verification + policy requires the named image be signed by two separate keys. It will search + for a global "production" key in a ConfigMap called `key` in the `default` Namespace + and also a Namespace key in the same ConfigMap. + policies.kyverno.io/minversion: 1.7.0 + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: Pod + policies.kyverno.io/title: Verify Image with Multiple Keys + name: verify-image-with-multi-keys +spec: + background: true + rules: + - context: + - configMap: + name: keys + namespace: default + name: keys + match: + any: + - resources: + kinds: + - Pod + name: check-image-with-two-keys + verifyImages: + - image: '*' + key: '{{ keys.data.org }}' + validationFailureAction: Enforce diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/01-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/chainsaw-step-01-assert-1.yaml old mode 100644 new mode 100755 similarity index 100% rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/01-assert.yaml rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/chainsaw-step-01-assert-1.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/chainsaw-test.yaml new file mode 100755 index 0000000000..e9c5a52f67 --- /dev/null 
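Review bot: The `policies.kyverno.io/description` annotation no longer describes the rule it sits on: it says the image must be signed by two separate keys looked up in a ConfigMap called `key`, but the rule has a single `verifyImages` entry with one `key: '{{ keys.data.org }}'` and the ConfigMap is named `keys`. Either trim it to `Verifies every image against the public key stored under data.org of the keys ConfigMap in the default namespace.` or note that the fixture deliberately uses one key. It is also worth a one-line comment on the `context` entry that the trust root here is whatever is in that ConfigMap, so write access to `default/keys` is equivalent to choosing the signing key; acceptable for a test, but `image: '*'` with Enforce means this policy gates every pod the controller sees.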
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/chainsaw-test.yaml @@ -0,0 +1,15 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: configmap-context-lookup +spec: + steps: + - name: step-01 + try: + - apply: + file: chainsaw-step-01-apply-1.yaml + - apply: + file: chainsaw-step-01-apply-2.yaml + - assert: + file: chainsaw-step-01-assert-1.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/01-policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/01-policy.yaml deleted file mode 100644 index 6134698445..0000000000 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/01-policy.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: TestStep -metadata: - creationTimestamp: null - name: policy -spec: - timeouts: {} - try: - - apply: - file: policy.yaml - - assert: - file: policy-assert.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/02-resources.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/02-resources.yaml deleted file mode 100644 index 24dae9ea6d..0000000000 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/02-resources.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: TestStep -metadata: - creationTimestamp: null - name: resources -spec: - timeouts: {} - try: - - apply: - file: resource.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/chainsaw-test.yaml new file mode 100755 index 0000000000..f90663ab82 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/chainsaw-test.yaml 
@@ -0,0 +1,17 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: empty-image +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + file: resource.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/01-policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/01-policy.yaml deleted file mode 100644 index e521d0d761..0000000000 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/01-policy.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: TestStep -metadata: - creationTimestamp: null - name: policy -spec: - timeouts: {} - try: - - apply: - file: policy.yaml - - assert: - file: policy-ready.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/03-create-bad-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/03-create-bad-pod.yaml deleted file mode 100644 index 9e0de98696..0000000000 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/03-create-bad-pod.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: TestStep -metadata: - creationTimestamp: null - name: create-bad-pod -spec: - timeouts: {} - try: - - apply: - file: bad-pod.yaml 
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/02-namespace.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/chainsaw-step-02-apply-1.yaml old mode 100644 new mode 100755 similarity index 100% rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/02-namespace.yaml rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/chainsaw-step-02-apply-1.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/chainsaw-test.yaml new file mode 100755 index 0000000000..fb4cc21dab --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/chainsaw-test.yaml @@ -0,0 +1,21 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: failure-policy-test-noconfigmap-diffimage-success +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: chainsaw-step-02-apply-1.yaml + - name: step-03 + try: + - apply: + file: bad-pod.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/00-crd.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/00-crd.yaml deleted file mode 100644 index b5096b7a9f..0000000000 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/00-crd.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ ---- -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: TestStep -metadata: - creationTimestamp: null - name: crd -spec: - timeouts: {} - try: - - apply: - file: crd.yaml - - assert: - file: crd-ready.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/01-policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/01-policy.yaml deleted file mode 100644 index e521d0d761..0000000000 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/01-policy.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: TestStep -metadata: - creationTimestamp: null - name: policy -spec: - timeouts: {} - try: - - apply: - file: policy.yaml - - assert: - file: policy-ready.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/02-task.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/02-task.yaml deleted file mode 100644 index 6e15eef2ee..0000000000 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/02-task.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: TestStep -metadata: - creationTimestamp: null - name: task -spec: - timeouts: {} - try: - - apply: - file: task.yaml - - assert: - file: task.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/chainsaw-test.yaml new file mode 100755 index 0000000000..8c507d5e16 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/chainsaw-test.yaml 
@@ -0,0 +1,25 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: imageextractors-complex-keyless +spec: + steps: + - name: step-00 + try: + - apply: + file: crd.yaml + - assert: + file: crd-ready.yaml + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: task.yaml + - assert: + file: task.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/00-crd.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/00-crd.yaml deleted file mode 100644 index b5096b7a9f..0000000000 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/00-crd.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: TestStep -metadata: - creationTimestamp: null - name: crd -spec: - timeouts: {} - try: - - apply: - file: crd.yaml - - assert: - file: crd-ready.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/01-policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/01-policy.yaml deleted file mode 100644 index e521d0d761..0000000000 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/01-policy.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: TestStep -metadata: - creationTimestamp: null - name: policy -spec: - timeouts: {} - try: - - apply: - file: policy.yaml - - assert: - file: policy-ready.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/02-create-task.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/02-create-task.yaml deleted file mode 100644 index 6db2ad0dd9..0000000000 
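Review bot: step-02 asserts with the same `task.yaml` it just applied, so the assert only confirms that the fields you wrote round-tripped; it cannot tell whether the policy actually evaluated the task (for instance rewrote an image reference to a digest) or was skipped entirely. If `policy.yaml` is expected to mutate the task, a separate assert file with the expected post-admission fields is needed; if it is expected to be a no-op for a keyless-verified image, a comment on the step saying so would make the intent clear. `policy.yaml` and `task.yaml` are outside this hunk, so this is inferred from the test structure alone.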
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/02-create-task.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: TestStep -metadata: - creationTimestamp: null - name: create-task -spec: - timeouts: {} - try: - - apply: - expect: - - check: - ($error != null): true - file: badtask.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/03-errors.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/chainsaw-step-03-error-1.yaml old mode 100644 new mode 100755 similarity index 100% rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/03-errors.yaml rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/chainsaw-step-03-error-1.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/chainsaw-test.yaml new file mode 100755 index 0000000000..8db407c75b --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/chainsaw-test.yaml @@ -0,0 +1,30 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: imageextractors-complex +spec: + steps: + - name: step-00 + try: + - apply: + file: crd.yaml + - assert: + file: crd-ready.yaml + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + expect: + - check: + ($error != null): true + file: badtask.yaml + - name: step-03 + try: + - error: + file: chainsaw-step-03-error-1.yaml 
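Review bot: In step-02 the expectation `($error != null): true` is satisfied by any apply failure, not specifically a policy denial, so a CRD that is not yet established, a schema error in `badtask.yaml`, or an admission timeout would all make the test pass for the wrong reason. Tightening it to the denial text, e.g. `(contains($error, '<rule name from policy.yaml>')): true`, pins the failure to the policy (the rule name is outside this hunk, hence the placeholder). Step-03's `error:` check that the task does not exist afterwards is the right complement; step-02 is the weak link.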
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/00-crd.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/00-crd.yaml deleted file mode 100644 index b5096b7a9f..0000000000 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/00-crd.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: TestStep -metadata: - creationTimestamp: null - name: crd -spec: - timeouts: {} - try: - - apply: - file: crd.yaml - - assert: - file: crd-ready.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/01-policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/01-policy.yaml deleted file mode 100644 index e521d0d761..0000000000 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/01-policy.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: TestStep -metadata: - creationTimestamp: null - name: policy -spec: - timeouts: {} - try: - - apply: - file: policy.yaml - - assert: - file: policy-ready.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/02-task.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/02-task.yaml deleted file mode 100644 index 6e15eef2ee..0000000000 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/02-task.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: TestStep -metadata: - creationTimestamp: null - name: task -spec: - timeouts: {} - try: - - apply: - file: task.yaml - - assert: - file: task.yaml 
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/chainsaw-test.yaml new file mode 100755 index 0000000000..b213191327 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/chainsaw-test.yaml @@ -0,0 +1,25 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: imageextractors-none +spec: + steps: + - name: step-00 + try: + - apply: + file: crd.yaml + - assert: + file: crd-ready.yaml + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: task.yaml + - assert: + file: task.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/00-crd.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/00-crd.yaml deleted file mode 100644 index b5096b7a9f..0000000000 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/00-crd.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: TestStep -metadata: - creationTimestamp: null - name: crd -spec: - timeouts: {} - try: - - apply: - file: crd.yaml - - assert: - file: crd-ready.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/01-policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/01-policy.yaml deleted file mode 100644 index e521d0d761..0000000000 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/01-policy.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ ---- -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: TestStep -metadata: - creationTimestamp: null - name: policy -spec: - timeouts: {} - try: - - apply: - file: policy.yaml - - assert: - file: policy-ready.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/02-create-task.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/02-create-task.yaml deleted file mode 100644 index 6db2ad0dd9..0000000000 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/02-create-task.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: TestStep -metadata: - creationTimestamp: null - name: create-task -spec: - timeouts: {} - try: - - apply: - expect: - - check: - ($error != null): true - file: badtask.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/chainsaw-test.yaml new file mode 100755 index 0000000000..5e576d649d --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/chainsaw-test.yaml @@ -0,0 +1,26 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: imageextractors-simple +spec: + steps: + - name: step-00 + try: + - apply: + file: crd.yaml + - assert: + file: crd-ready.yaml + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + expect: + - check: + ($error != null): true + file: badtask.yaml 
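Review bot: step-02 only requires `($error != null): true`, so any failure to apply `badtask.yaml` passes the test, including ones unrelated to the policy; a message check such as `(contains($error, '<rule name from policy.yaml>')): true` would tie the rejection to the rule under test. Unlike the `imageExtractors-complex` variant, this test has no follow-up `error:` step confirming the task is absent after the rejected apply, so a partially admitted or later-created object would go unnoticed; adding `- error:` / `    file: <task-absent>.yaml` as step-03 closes that gap. The policy and task files are not in this hunk, so the exact rule name is left as a placeholder.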
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/03-teststep.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/03-teststep.yaml deleted file mode 100644 index 19f9db2011..0000000000 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/03-teststep.yaml +++ /dev/null @@ -1,18 +0,0 @@ ---- -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: TestStep -metadata: - creationTimestamp: null - name: teststep -spec: - timeouts: {} - try: - - apply: - expect: - - check: - ($error != null): true - file: pod-unsigned.yaml - - apply: - file: pod-signed.yaml - - apply: - file: pod-unprotected-ns.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-step-01-apply-1.yaml new file mode 100755 index 0000000000..ee61657a1f --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-step-01-apply-1.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + signed: "true" + name: test-verify-images diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-step-01-apply-2.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-step-01-apply-2.yaml new file mode 100755 index 0000000000..e3b620f327 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-step-01-apply-2.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + signed: "false" + name: test-verify-images-unprotected 
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/01-manifests.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-step-01-apply-3.yaml old mode 100644 new mode 100755 similarity index 71% rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/01-manifests.yaml rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-step-01-apply-3.yaml index 72035aea49..942cc6a542 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/01-manifests.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-step-01-apply-3.yaml @@ -1,29 +1,12 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: test-verify-images - labels: - signed: "true" ---- -apiVersion: v1 -kind: Namespace -metadata: - name: test-verify-images-unprotected - labels: - signed: "false" ---- apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: keyed-basic-ns-selector-policy spec: - validationFailureAction: Enforce background: false - webhookTimeoutSeconds: 30 failurePolicy: Fail rules: - - name: keyed-basic-rule - match: + - match: all: - resources: kinds: @@ -34,10 +17,9 @@ spec: operator: In values: - "true" + name: keyed-basic-rule verifyImages: - - imageReferences: - - "ghcr.io/kyverno/test-verify-image:*" - attestors: + - attestors: - entries: - keys: publicKeys: |- @@ -46,5 +28,9 @@ spec: 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA== -----END PUBLIC KEY----- rekor: - url: https://rekor.sigstore.dev ignoreTlog: true + url: https://rekor.sigstore.dev + imageReferences: + - ghcr.io/kyverno/test-verify-image:* + validationFailureAction: Enforce + webhookTimeoutSeconds: 30 
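Review bot: The policy keeps `rekor.url: https://rekor.sigstore.dev` next to `ignoreTlog: true`, so the URL is never consulted and transparency-log verification is off; because this manifest reads like a ready-to-copy sample, a comment under `rekor:` such as `# tlog verification disabled for the offline conformance run; not a production setting` would prevent it being cargo-culted. The selector on the `"true"` label value is the only thing keeping unprotected namespaces out of scope, and the two Namespace manifests this commit split out of the file now have to be applied before the policy; the Test's step ordering does that, but the policy file itself no longer shows the dependency, so a header comment naming the two namespaces it expects would help. The selector's `key:` line is outside the hunk, so the exact label key is inferred.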
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/01-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-step-01-assert-1.yaml old mode 100644 new mode 100755 similarity index 100% rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/01-assert.yaml rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-step-01-assert-1.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/02-goodpod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-step-02-apply-1.yaml old mode 100644 new mode 100755 similarity index 88% rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/02-goodpod.yaml rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-step-02-apply-1.yaml index 9caad98758..c6b1dd6d9f --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/02-goodpod.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-step-02-apply-1.yaml @@ -6,4 +6,4 @@ metadata: spec: containers: - image: ghcr.io/kyverno/test-verify-image:signed - name: test-secret \ No newline at end of file + name: test-secret 
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/02-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-step-02-assert-1.yaml old mode 100644 new mode 100755 similarity index 64% rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/02-assert.yaml rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-step-02-assert-1.yaml index 639b8513a2..43171479bc --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/02-assert.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-step-02-assert-1.yaml @@ -2,4 +2,4 @@ apiVersion: v1 kind: Pod metadata: name: test-signed-pod - namespace: test-verify-images \ No newline at end of file + namespace: test-verify-images diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-test.yaml new file mode 100755 index 0000000000..dd41ee132b --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-test.yaml 
@@ -0,0 +1,34 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: keyed-basic-namespace-selector
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: chainsaw-step-01-apply-1.yaml
+ - apply:
+ file: chainsaw-step-01-apply-2.yaml
+ - apply:
+ file: chainsaw-step-01-apply-3.yaml
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: chainsaw-step-02-apply-1.yaml
+ - assert:
+ file: chainsaw-step-02-assert-1.yaml
+ - name: step-03
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-unsigned.yaml
+ - apply:
+ file: pod-signed.yaml
+ - apply:
+ file: pod-unprotected-ns.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/chainsaw-step-01-apply-1.yaml
new file mode 100755
index 0000000000..54c1efb587
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/chainsaw-step-01-apply-1.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-verify-images
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/01-manifests.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/chainsaw-step-01-apply-2.yaml
old mode 100644
new mode 100755
similarity index 77%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/01-manifests.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/chainsaw-step-01-apply-2.yaml
index d0e96819a4..727c09b992
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/01-manifests.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/chainsaw-step-01-apply-2.yaml
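Review bot: Step-03's negative check `($error != null): true` passes on any apply failure, not specifically on a verifyImages denial, so a missing `pod-unsigned.yaml`, an unreachable registry or a webhook timeout would make the test look like a successful enforcement; a check on the error text (one that requires the policy or rule name to appear in `$error`) would pin the intent. The two positive applies that follow (`pod-signed.yaml`, `pod-unprotected-ns.yaml`) have no matching `assert`, unlike step-02, so nothing confirms that the pods were admitted or that the signed image was resolved to a digest. The same generic `$error` check is used in the keyless-attestations-multiple-subjects-3 test (step-02), although there the later `error:` step on the pod at least confirms it was not created. The referenced `pod-*.yaml` files are not part of this diff, so I assume they already exist alongside the test.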
@@ -1,28 +1,19 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: test-verify-images
----
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
 name: keyed-basic-policy
 spec:
- validationFailureAction: Enforce
 background: false
- webhookTimeoutSeconds: 30
 failurePolicy: Fail
 rules:
- - name: keyed-basic-rule
- match:
+ - match:
 any:
 - resources:
 kinds:
 - Pod
+ name: keyed-basic-rule
 verifyImages:
- - imageReferences:
- - "ghcr.io/kyverno/test-verify-image:*"
- attestors:
+ - attestors:
 - entries:
 - keys:
 publicKeys: |-
@@ -31,5 +22,9 @@ spec:
 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
 -----END PUBLIC KEY-----
 rekor:
- url: https://rekor.sigstore.dev
 ignoreTlog: true
+ url: https://rekor.sigstore.dev
+ imageReferences:
+ - ghcr.io/kyverno/test-verify-image:*
+ validationFailureAction: Enforce
+ webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/01-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 100%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/01-assert.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/chainsaw-step-01-assert-1.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/02-goodpod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/chainsaw-step-02-apply-1.yaml
old mode 100644
new mode 100755
similarity index 88%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/02-goodpod.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/chainsaw-step-02-apply-1.yaml
index de7987da27..48e0f16b8f
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/02-goodpod.yaml
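Review bot: The file header for this hunk flips the manifest from mode 100644 to 100755, and every renamed or newly generated YAML in this change carries the executable bit; these are data files and should stay 100644, so the converter's output wants a `chmod -x` before merge. The hunk itself only reorders keys (the Namespace moves to `chainsaw-step-01-apply-1.yaml`), so the policy's semantics are unchanged. One pre-existing detail worth a comment in the fixture rather than a change: `ignoreTlog: true` next to `rekor.url` means the transparency log is never consulted, which is fine for an offline conformance test but should not be copied as a production example.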
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/chainsaw-step-02-apply-1.yaml
@@ -6,4 +6,4 @@ metadata:
 spec:
 containers:
 - image: ghcr.io/kyverno/test-verify-image:signed
- name: test-secret
\ No newline at end of file
+ name: test-secret
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/02-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/chainsaw-step-02-assert-1.yaml
old mode 100644
new mode 100755
similarity index 64%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/02-assert.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/chainsaw-step-02-assert-1.yaml
index b736ae3d48..d1b6e4b775
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/02-assert.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/chainsaw-step-02-assert-1.yaml
@@ -2,4 +2,4 @@ apiVersion: v1
 kind: Pod
 metadata:
 name: test-secret-pod
- namespace: test-verify-images
\ No newline at end of file
+ namespace: test-verify-images
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/chainsaw-test.yaml
new file mode 100755
index 0000000000..721355fe07
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/chainsaw-test.yaml
@@ -0,0 +1,21 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: keyed-basic
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: chainsaw-step-01-apply-1.yaml
+ - apply:
+ file: chainsaw-step-01-apply-2.yaml
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: chainsaw-step-02-apply-1.yaml
+ - assert:
+ file: chainsaw-step-02-assert-1.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/01-manifests.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/01-manifests.yaml
deleted file mode 100644
index 3c9d37c7ea..0000000000
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/01-manifests.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: test-verify-images
----
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: secret-in-keys
-spec:
- validationFailureAction: Enforce
- background: false
- webhookTimeoutSeconds: 30
- failurePolicy: Fail
- rules:
- - name: check-secret-in-keys
- match:
- any:
- - resources:
- kinds:
- - Pod
- verifyImages:
- - imageReferences:
- - "ghcr.io/kyverno/test-verify-image:*"
- attestors:
- - entries:
- - keys:
- secret:
- name: testsecret
- namespace: test-verify-images
- rekor:
- url: https://rekor.sigstore.dev
- ignoreTlog: true
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: testsecret
- namespace: test-verify-images
-data:
- cosign.pub: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFOG5YUmg5NTBJWmJSajhSYS9OOXNicU9QWnJmTQo1L0tBUU4wL0tqSGNvcm0vSjV5Y3RWZDdpRWNuZXNzUlFqVTkxN2htS082SldWR0hwRGd1SXlha1pBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t
-type: Opaque
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-step-01-apply-1.yaml
new file mode 100755
index 0000000000..54c1efb587
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-step-01-apply-1.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-verify-images
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-step-01-apply-2.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-step-01-apply-2.yaml
new file mode 100755
index 0000000000..3ac61b2c92
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-step-01-apply-2.yaml
@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: secret-in-keys
+spec:
+ background: false
+ failurePolicy: Fail
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: check-secret-in-keys
+ verifyImages:
+ - attestors:
+ - entries:
+ - keys:
+ rekor:
+ ignoreTlog: true
+ url: https://rekor.sigstore.dev
+ secret:
+ name: testsecret
+ namespace: test-verify-images
+ imageReferences:
+ - ghcr.io/kyverno/test-verify-image:*
+ validationFailureAction: Enforce
+ webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-step-01-apply-3.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-step-01-apply-3.yaml
new file mode 100755
index 0000000000..f7fcfdf7ea
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-step-01-apply-3.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ cosign.pub: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFOG5YUmg5NTBJWmJSajhSYS9OOXNicU9QWnJmTQo1L0tBUU4wL0tqSGNvcm0vSjV5Y3RWZDdpRWNuZXNzUlFqVTkxN2htS082SldWR0hwRGd1SXlha1pBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t
+kind: Secret
+metadata:
+ name: testsecret
+ namespace: test-verify-images
+type: Opaque
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/01-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 100%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/01-assert.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-step-01-assert-1.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/02-goodpod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-step-02-apply-1.yaml
old mode 100644
new mode 100755
similarity index 88%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/02-goodpod.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-step-02-apply-1.yaml
index de7987da27..48e0f16b8f
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/02-goodpod.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-step-02-apply-1.yaml
@@ -6,4 +6,4 @@ metadata:
 spec:
 containers:
 - image: ghcr.io/kyverno/test-verify-image:signed
- name: test-secret
\ No newline at end of file
+ name: test-secret
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/07-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-step-02-assert-1.yaml
old mode 100644
new mode 100755
similarity index 64%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/07-assert.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-step-02-assert-1.yaml
index b736ae3d48..d1b6e4b775
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/07-assert.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-step-02-assert-1.yaml
@@ -2,4 +2,4 @@ apiVersion: v1
 kind: Pod
 metadata:
 name: test-secret-pod
- namespace: test-verify-images
\ No newline at end of file
+ namespace: test-verify-images
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-test.yaml
new file mode 100755
index 0000000000..cf4a48f98a
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-test.yaml
@@ -0,0 +1,23 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: keyed-secret
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: chainsaw-step-01-apply-1.yaml
+ - apply:
+ file: chainsaw-step-01-apply-2.yaml
+ - apply:
+ file: chainsaw-step-01-apply-3.yaml
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: chainsaw-step-02-apply-1.yaml
+ - assert:
+ file: chainsaw-step-02-assert-1.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/01-manifests.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/01-manifests.yaml
deleted file mode 100644
index c076eb8287..0000000000
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/01-manifests.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
----
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: check-slsa-attestations-pass-1
- annotations:
- pod-policies.kyverno.io/autogen-controllers: none
-spec:
- validationFailureAction: Enforce
- webhookTimeoutSeconds: 30
- background: false
- rules:
- - name: check-builder-id-keyless-pass-1
- match:
- any:
- - resources:
- kinds:
- - Pod
- verifyImages:
- - imageReferences:
- - "ghcr.io/chipzoller/zulu*"
- attestations:
- - predicateType: https://slsa.dev/provenance/v0.2
- attestors:
- - entries:
- - keyless:
- subject: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main"
- issuer: "https://token.actions.githubusercontent.com"
- rekor:
- url: https://rekor.sigstore.dev
- ctlog:
- ignoreSCT: true
- conditions:
- - all:
- - key: "{{ regex_match('^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main','{{ builder.id}}') }}"
- operator: Equals
- value: true
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/chainsaw-step-01-apply-1.yaml
new file mode 100755
index 0000000000..f74d62ee3e
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/chainsaw-step-01-apply-1.yaml
@@ -0,0 +1,37 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+ name: check-slsa-attestations-pass-1
+spec:
+ background: false
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: check-builder-id-keyless-pass-1
+ verifyImages:
+ - attestations:
+ - attestors:
+ - entries:
+ - keyless:
+ ctlog:
+ ignoreSCT: true
+ issuer: https://token.actions.githubusercontent.com
+ rekor:
+ url: https://rekor.sigstore.dev
+ subject: https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main
+ conditions:
+ - all:
+ - key: '{{ regex_match(''^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main'',''{{
+ builder.id}}'') }}'
+ operator: Equals
+ value: true
+ predicateType: https://slsa.dev/provenance/v0.2
+ imageReferences:
+ - ghcr.io/chipzoller/zulu*
+ validationFailureAction: Enforce
+ webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/01-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 100%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/01-assert.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/chainsaw-step-01-assert-1.yaml
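Review bot: The `key:` JMESPath expression near the end of the rule is emitted as a single-quoted scalar folded across two lines (`''{{` / `builder.id}}'') }}'`), so the original `{{ builder.id}}` is only recovered because YAML folds the line break into one space; that is correct today but easy to break on the next hand edit and hard to read next to the doubled quotes. I would keep the expression on a single line (plain or double-quoted, as in the deleted file), and the same applies to the generated policies for keyless-attestations-multiple-subjects-2 and -3 (`scanner.uri` and `builder.id` respectively). Not introduced here, but worth a follow-up: the regex is anchored with `^` only, so any builder.id that merely starts with the expected workflow reference satisfies the condition; appending `$` would make the match exact.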
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/02-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/chainsaw-step-02-apply-1.yaml
old mode 100644
new mode 100755
similarity index 100%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/02-pod.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/chainsaw-step-02-apply-1.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/02-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/chainsaw-step-02-assert-1.yaml
old mode 100644
new mode 100755
similarity index 100%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/02-assert.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/chainsaw-step-02-assert-1.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/chainsaw-test.yaml
new file mode 100755
index 0000000000..1c4204530c
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/chainsaw-test.yaml
@@ -0,0 +1,19 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: keyless-attestations-multiple-subjects-1
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: chainsaw-step-01-apply-1.yaml
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: chainsaw-step-02-apply-1.yaml
+ - assert:
+ file: chainsaw-step-02-assert-1.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/01-manifests.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/01-manifests.yaml
deleted file mode 100644
index cade958935..0000000000
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/01-manifests.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: check-slsa-attestations-pass-2
- annotations:
- pod-policies.kyverno.io/autogen-controllers: none
-spec:
- validationFailureAction: Enforce
- webhookTimeoutSeconds: 30
- background: false
- rules:
- - name: check-builder-id-keyless
- match:
- any:
- - resources:
- kinds:
- - Pod
- verifyImages:
- - imageReferences:
- - "ghcr.io/chipzoller/zulu*"
- attestations:
- - predicateType: cosign.sigstore.dev/attestation/vuln/v1
- attestors:
- - entries:
- - keyless:
- subject: "https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main"
- issuer: "https://token.actions.githubusercontent.com"
- rekor:
- url: https://rekor.sigstore.dev
- ctlog:
- ignoreSCT: true
- conditions:
- - all:
- - key: "{{ regex_match('^pkg:github/aquasecurity/trivy@0.34.0','{{ scanner.uri }}') }}"
- operator: Equals
- value: true
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/chainsaw-step-01-apply-1.yaml
new file mode 100755
index 0000000000..5fffbaf808
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/chainsaw-step-01-apply-1.yaml
@@ -0,0 +1,37 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+ name: check-slsa-attestations-pass-2
+spec:
+ background: false
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: check-builder-id-keyless
+ verifyImages:
+ - attestations:
+ - attestors:
+ - entries:
+ - keyless:
+ ctlog:
+ ignoreSCT: true
+ issuer: https://token.actions.githubusercontent.com
+ rekor:
+ url: https://rekor.sigstore.dev
+ subject: https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main
+ conditions:
+ - all:
+ - key: '{{ regex_match(''^pkg:github/aquasecurity/trivy@0.34.0'',''{{ scanner.uri
+ }}'') }}'
+ operator: Equals
+ value: true
+ predicateType: cosign.sigstore.dev/attestation/vuln/v1
+ imageReferences:
+ - ghcr.io/chipzoller/zulu*
+ validationFailureAction: Enforce
+ webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/01-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 100%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/01-assert.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/chainsaw-step-01-assert-1.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/02-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/chainsaw-step-02-apply-1.yaml
old mode 100644
new mode 100755
similarity index 89%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/02-pod.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/chainsaw-step-02-apply-1.yaml
index f5619b6873..921f8ee747
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/02-pod.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/chainsaw-step-02-apply-1.yaml
@@ -6,4 +6,4 @@ metadata:
 spec:
 containers:
 - image: ghcr.io/chipzoller/zulu:v0.0.14
- name: zulu
\ No newline at end of file
+ name: zulu
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/02-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/chainsaw-step-02-assert-1.yaml
old mode 100644
new mode 100755
similarity index 95%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/02-assert.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/chainsaw-step-02-assert-1.yaml
index 79cb2b586b..669073222c
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/02-assert.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/chainsaw-step-02-assert-1.yaml
@@ -8,4 +8,4 @@ metadata:
 spec:
 containers:
 - image: ghcr.io/chipzoller/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db
- name: zulu
\ No newline at end of file
+ name: zulu
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/chainsaw-test.yaml
new file mode 100755
index 0000000000..aad0658ca4
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/chainsaw-test.yaml
@@ -0,0 +1,19 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: keyless-attestations-multiple-subjects-2
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: chainsaw-step-01-apply-1.yaml
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: chainsaw-step-02-apply-1.yaml
+ - assert:
+ file: chainsaw-step-02-assert-1.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/01-manifests.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/01-manifests.yaml
deleted file mode 100644
index 92df5dc734..0000000000
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/01-manifests.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: check-slsa-attestations-fail-1
- annotations:
- pod-policies.kyverno.io/autogen-controllers: none
-spec:
- validationFailureAction: Enforce
- webhookTimeoutSeconds: 30
- background: false
- rules:
- - name: check-builder-id-keyless-fail-1
- match:
- any:
- - resources:
- kinds:
- - Pod
- verifyImages:
- - imageReferences:
- - "ghcr.io/chipzoller/zulu*"
- attestations:
- - predicateType: cosign.sigstore.dev/attestation/vuln/v1
- attestors:
- - entries:
- - keyless:
- subject: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main"
- issuer: "https://token.actions.githubusercontent.com"
- rekor:
- url: https://rekor.sigstore.dev
- ctlog:
- ignoreSCT: true
- conditions:
- - all:
- - key: "{{ regex_match('^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main','{{ builder.id}}') }}"
- operator: Equals
- value: true
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/02-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/02-pod.yaml
deleted file mode 100644
index 92c281d484..0000000000
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/02-pod.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: TestStep
-metadata:
- creationTimestamp: null
- name: pod
-spec:
- timeouts: {}
- try:
- - apply:
- expect:
- - check:
- ($error != null): true
- file: pod.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/chainsaw-step-01-apply-1.yaml
new file mode 100755
index 0000000000..b820b47535
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/chainsaw-step-01-apply-1.yaml
@@ -0,0 +1,37 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+ name: check-slsa-attestations-fail-1
+spec:
+ background: false
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: check-builder-id-keyless-fail-1
+ verifyImages:
+ - attestations:
+ - attestors:
+ - entries:
+ - keyless:
+ ctlog:
+ ignoreSCT: true
+ issuer: https://token.actions.githubusercontent.com
+ rekor:
+ url: https://rekor.sigstore.dev
+ subject: https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main
+ conditions:
+ - all:
+ - key: '{{ regex_match(''^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main'',''{{
+ builder.id}}'') }}'
+ operator: Equals
+ value: true
+ predicateType: cosign.sigstore.dev/attestation/vuln/v1
+ imageReferences:
+ - ghcr.io/chipzoller/zulu*
+ validationFailureAction: Enforce
+ webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/01-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 100%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/01-assert.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/chainsaw-step-01-assert-1.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/03-errors.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/chainsaw-step-03-error-1.yaml
old mode 100644
new mode 100755
similarity index 69%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/03-errors.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/chainsaw-step-03-error-1.yaml
index 7d6170cd20..e473875218
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/03-errors.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/chainsaw-step-03-error-1.yaml
@@ -2,4 +2,4 @@ apiVersion: v1
 kind: Pod
 metadata:
 name: zulu
- namespace: default
\ No newline at end of file
+ namespace: default
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/chainsaw-test.yaml
new file mode 100755
index 0000000000..a36d57e9c6
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: keyless-attestations-multiple-subjects-3
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: chainsaw-step-01-apply-1.yaml
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod.yaml
+ - name: step-03
+ try:
+ - error:
+ file: chainsaw-step-03-error-1.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/01-manifests.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/chainsaw-step-01-apply-1.yaml
old mode 100644
new mode 100755
similarity index 100%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/01-manifests.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/chainsaw-step-01-apply-1.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/01-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 100%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/01-assert.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/chainsaw-step-01-assert-1.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/02-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/chainsaw-step-02-apply-1.yaml
old mode 100644
new mode 100755
similarity index 89%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/02-pod.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/chainsaw-step-02-apply-1.yaml
index f5619b6873..921f8ee747
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/02-pod.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/chainsaw-step-02-apply-1.yaml
@@ -6,4 +6,4 @@ metadata:
 spec:
 containers:
 - image: ghcr.io/chipzoller/zulu:v0.0.14
- name: zulu
\ No newline at end of file
+ name: zulu
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/02-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/chainsaw-step-02-assert-1.yaml
old mode 100644
new mode 100755
similarity index 95%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/02-assert.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/chainsaw-step-02-assert-1.yaml
index 79cb2b586b..669073222c
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/02-assert.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/chainsaw-step-02-assert-1.yaml
@@ -8,4 +8,4 @@ metadata:
 spec:
 containers:
 - image: ghcr.io/chipzoller/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db
- name: zulu
\ No newline at end of file
+ name: zulu
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/chainsaw-test.yaml
new file mode 100755
index 0000000000..64fdd4b6a2
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/chainsaw-test.yaml
@@ -0,0 +1,19 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: keyless-attestations-multiple-subjects-4
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: chainsaw-step-01-apply-1.yaml
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: chainsaw-step-02-apply-1.yaml
+ - assert:
+ file: chainsaw-step-02-assert-1.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/01-manifests.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/01-manifests.yaml
deleted file mode 100644
index a757ddcd29..0000000000
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/01-manifests.yaml
+++ /dev/null
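Review bot: `creationTimestamp: null` under metadata in the new chainsaw-test.yaml is serializer residue rather than test content; unless these files are meant to be regenerated by the conversion tool, dropping that line here and in the other new Test resources of this commit (subjects-3, counts-1/2/3, keyless-mutatedigest-verifydigest-required, keyless-nomutatedigest-noverifydigest-norequired) keeps the fixtures readable. The Test also carries no statement of what it proves; a one-line `description:` on the spec, if the Test API offers one, or a leading `# positive case: both keyless subjects verify, pod is admitted with its digest` comment would make the intent visible without opening the step files.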
@@ -1,44 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: check-slsa-attestations-pass-3
- annotations:
- pod-policies.kyverno.io/autogen-controllers: none
-spec:
- validationFailureAction: Enforce
- webhookTimeoutSeconds: 30
- background: false
- rules:
- - name: check-builder-id-keyless
- match:
- any:
- - resources:
- kinds:
- - Pod
- verifyImages:
- - imageReferences:
- - "ghcr.io/chipzoller/zulu*"
- attestations:
- - predicateType: https://slsa.dev/provenance/v0.2
- attestors:
- - entries:
- - keyless:
- subject: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main"
- issuer: "https://token.actions.githubusercontent.com"
- rekor:
- url: https://rekor.sigstore.dev
- ctlog:
- ignoreSCT: true
- - keyless:
- subject: "https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main"
- issuer: "https://token.actions.githubusercontent.com"
- rekor:
- url: https://rekor.sigstore.dev
- ctlog:
- ignoreSCT: true
- count: 1
- conditions:
- - all:
- - key: "{{ regex_match('^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main','{{ builder.id}}') }}"
- operator: Equals
- value: true
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/chainsaw-step-01-apply-1.yaml
new file mode 100755
index 0000000000..05dfa87385
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/chainsaw-step-01-apply-1.yaml
@@ -0,0 +1,45 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+ name: check-slsa-attestations-pass-3
+spec:
+ background: false
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: check-builder-id-keyless
+ verifyImages:
+ - attestations:
+ - attestors:
+ - count: 1
+ entries:
+ - keyless:
+ ctlog:
+ ignoreSCT: true
+ issuer: https://token.actions.githubusercontent.com
+ rekor:
+ url: https://rekor.sigstore.dev
+ subject: https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main
+ - keyless:
+ ctlog:
+ ignoreSCT: true
+ issuer: https://token.actions.githubusercontent.com
+ rekor:
+ url: https://rekor.sigstore.dev
+ subject: https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main
+ conditions:
+ - all:
+ - key: '{{ regex_match(''^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main'',''{{
+ builder.id}}'') }}'
+ operator: Equals
+ value: true
+ predicateType: https://slsa.dev/provenance/v0.2
+ imageReferences:
+ - ghcr.io/chipzoller/zulu*
+ validationFailureAction: Enforce
+ webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/01-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 100%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/01-assert.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/chainsaw-step-01-assert-1.yaml
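Review bot: The `regex_match` pattern in the conditions block has no `$` anchor and leaves its dots unescaped, so it also accepts a `builder.id` that merely starts with that URL (a longer ref suffix, or any character where a `.` sits); since the expected builder is a full literal, either append `$` and escape the dots, or compare `{{ builder.id }}` against the literal with `Equals` directly. The same pattern is carried into the counts-2 and counts-3 policies of this commit. `ignoreSCT: true` switches off the certificate-transparency check for both keyless entries; that is tolerable in a fixture, but these policies get copied, so a comment such as `# test-only: SCT verification disabled, keep it enabled in production policies` beside it is worth adding. The scalar folded at `''{{` / `builder.id}}''` folds back to the original `'{{ builder.id}}'` text, so that split is only a readability cost.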
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/02-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/chainsaw-step-02-apply-1.yaml
old mode 100644
new mode 100755
similarity index 89%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/02-pod.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/chainsaw-step-02-apply-1.yaml
index f5619b6873..921f8ee747
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/02-pod.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/chainsaw-step-02-apply-1.yaml
@@ -6,4 +6,4 @@ metadata:
 spec:
 containers:
 - image: ghcr.io/chipzoller/zulu:v0.0.14
- name: zulu
\ No newline at end of file
+ name: zulu
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/02-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/chainsaw-step-02-assert-1.yaml
old mode 100644
new mode 100755
similarity index 95%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/02-assert.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/chainsaw-step-02-assert-1.yaml
index 79cb2b586b..669073222c
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/02-assert.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/chainsaw-step-02-assert-1.yaml
@@ -8,4 +8,4 @@ metadata:
 spec:
 containers:
 - image: ghcr.io/chipzoller/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db
- name: zulu
\ No newline at end of file
+ name: zulu
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/chainsaw-test.yaml
new file mode 100755
index 0000000000..62e64cf749
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/chainsaw-test.yaml
@@ -0,0 +1,19 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: keyless-attestations-multiple-subjects-counts-1
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: chainsaw-step-01-apply-1.yaml
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: chainsaw-step-02-apply-1.yaml
+ - assert:
+ file: chainsaw-step-02-assert-1.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/01-manifests.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/01-manifests.yaml
deleted file mode 100644
index df879b1e2b..0000000000
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/01-manifests.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: check-slsa-attestations-fail-2
- annotations:
- pod-policies.kyverno.io/autogen-controllers: none
-spec:
- validationFailureAction: Enforce
- webhookTimeoutSeconds: 30
- background: false
- rules:
- - name: check-builder-id-keyless
- match:
- any:
- - resources:
- kinds:
- - Pod
- verifyImages:
- - imageReferences:
- - "ghcr.io/chipzoller/zulu*"
- attestations:
- - predicateType: https://slsa.dev/provenance/v0.2
- attestors:
- - entries:
- - keyless:
- subject: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main"
- issuer: "https://token.actions.githubusercontent.com"
- rekor:
- url: https://rekor.sigstore.dev
- ctlog:
- ignoreSCT: true
- - keyless:
- subject: "https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main"
- issuer: "https://token.actions.githubusercontent.com"
- rekor:
- url: https://rekor.sigstore.dev
- ctlog:
- ignoreSCT: true
- count: 2
- conditions:
- - all:
- - key: "{{ regex_match('^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main','{{ builder.id}}') }}"
- operator: Equals
- value: true
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/02-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/02-pod.yaml
deleted file mode 100644
index 92c281d484..0000000000
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/02-pod.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: TestStep
-metadata:
- creationTimestamp: null
- name: pod
-spec:
- timeouts: {}
- try:
- - apply:
- expect:
- - check:
- ($error != null): true
- file: pod.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/chainsaw-step-01-apply-1.yaml
new file mode 100755
index 0000000000..a0d23659dd
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/chainsaw-step-01-apply-1.yaml
@@ -0,0 +1,45 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+ name: check-slsa-attestations-fail-2
+spec:
+ background: false
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: check-builder-id-keyless
+ verifyImages:
+ - attestations:
+ - attestors:
+ - count: 2
+ entries:
+ - keyless:
+ ctlog:
+ ignoreSCT: true
+ issuer: https://token.actions.githubusercontent.com
+ rekor:
+ url: https://rekor.sigstore.dev
+ subject: https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main
+ - keyless:
+ ctlog:
+ ignoreSCT: true
+ issuer: https://token.actions.githubusercontent.com
+ rekor:
+ url: https://rekor.sigstore.dev
+ subject: https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main
+ conditions:
+ - all:
+ - key: '{{ regex_match(''^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main'',''{{
+ builder.id}}'') }}'
+ operator: Equals
+ value: true
+ predicateType: https://slsa.dev/provenance/v0.2
+ imageReferences:
+ - ghcr.io/chipzoller/zulu*
+ validationFailureAction: Enforce
+ webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/01-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 100%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/01-assert.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/chainsaw-step-01-assert-1.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/03-errors.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/chainsaw-step-03-error-1.yaml
old mode 100644
new mode 100755
similarity index 69%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/03-errors.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/chainsaw-step-03-error-1.yaml
index 7d6170cd20..e473875218
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/03-errors.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/chainsaw-step-03-error-1.yaml
@@ -2,4 +2,4 @@ apiVersion: v1
 kind: Pod
 metadata:
 name: zulu
- namespace: default
\ No newline at end of file
+ namespace: default
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/chainsaw-test.yaml
new file mode 100755
index 0000000000..79795a486d
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: keyless-attestations-multiple-subjects-counts-2
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: chainsaw-step-01-apply-1.yaml
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod.yaml
+ - name: step-03
+ try:
+ - error:
+ file: chainsaw-step-03-error-1.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/01-manifests.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/01-manifests.yaml
deleted file mode 100644
index bb4550eb2d..0000000000
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/01-manifests.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: check-slsa-attestations-fail-3
- annotations:
- pod-policies.kyverno.io/autogen-controllers: none
-spec:
- validationFailureAction: Enforce
- webhookTimeoutSeconds: 30
- background: false
- rules:
- - name: check-builder-id-keyless
- match:
- any:
- - resources:
- kinds:
- - Pod
- verifyImages:
- - imageReferences:
- - "ghcr.io/chipzoller/zulu*"
- attestations:
- - predicateType: https://slsa.dev/provenance/v0.2
- attestors:
- - entries:
- - keyless:
- subject: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main"
- issuer: "https://token.actions.githubusercontent.com"
- rekor:
- url: https://rekor.sigstore.dev
- ctlog:
- ignoreSCT: true
- - keyless:
- subject: "https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main"
- issuer: "https://token.actions.githubusercontent.com"
- rekor:
- url: https://rekor.sigstore.dev
- ctlog:
- ignoreSCT: true
- conditions:
- - all:
- - key: "{{ regex_match('^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main','{{ builder.id}}') }}"
- operator: Equals
- value: true
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/02-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/02-pod.yaml
deleted file mode 100644
index 92c281d484..0000000000
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/02-pod.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: TestStep
-metadata:
- creationTimestamp: null
- name: pod
-spec:
- timeouts: {}
- try:
- - apply:
- expect:
- - check:
- ($error != null): true
- file: pod.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/chainsaw-step-01-apply-1.yaml
new file mode 100755
index 0000000000..6918b9e0cc
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/chainsaw-step-01-apply-1.yaml
@@ -0,0 +1,44 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+ name: check-slsa-attestations-fail-3
+spec:
+ background: false
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: check-builder-id-keyless
+ verifyImages:
+ - attestations:
+ - attestors:
+ - entries:
+ - keyless:
+ ctlog:
+ ignoreSCT: true
+ issuer: https://token.actions.githubusercontent.com
+ rekor:
+ url: https://rekor.sigstore.dev
+ subject: https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main
+ - keyless:
+ ctlog:
+ ignoreSCT: true
+ issuer: https://token.actions.githubusercontent.com
+ rekor:
+ url: https://rekor.sigstore.dev
+ subject: https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main
+ conditions:
+ - all:
+ - key: '{{ regex_match(''^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main'',''{{
+ builder.id}}'') }}'
+ operator: Equals
+ value: true
+ predicateType: https://slsa.dev/provenance/v0.2
+ imageReferences:
+ - ghcr.io/chipzoller/zulu*
+ validationFailureAction: Enforce
+ webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/01-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 100%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/01-assert.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/chainsaw-step-01-assert-1.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/03-errors.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/chainsaw-step-03-error-1.yaml
old mode 100644
new mode 100755
similarity index 69%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/03-errors.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/chainsaw-step-03-error-1.yaml
index 7d6170cd20..e473875218
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/03-errors.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/chainsaw-step-03-error-1.yaml
@@ -2,4 +2,4 @@ apiVersion: v1
 kind: Pod
 metadata:
 name: zulu
- namespace: default
\ No newline at end of file
+ namespace: default
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/chainsaw-test.yaml
new file mode 100755
index 0000000000..9fc1e9025b
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: keyless-attestations-multiple-subjects-counts-3
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: chainsaw-step-01-apply-1.yaml
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod.yaml
+ - name: step-03
+ try:
+ - error:
+ file: chainsaw-step-03-error-1.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/01-manifests.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/01-manifests.yaml
deleted file mode 100644
index d7e3fd1e2a..0000000000
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/01-manifests.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: keyless-mutatedigest-verifydigest-required
-spec:
- validationFailureAction: Enforce
- webhookTimeoutSeconds: 30
- rules:
- - name: check-builder-id-keyless
- match:
- any:
- - resources:
- kinds:
- - Pod
- verifyImages:
- - imageReferences:
- - "ghcr.io/chipzoller/zulu:*"
- mutateDigest: true
- verifyDigest: true
- required: true
- attestors:
- - entries:
- - keyless:
- subject: "https://github.com/chipzoller/zulu/.github/workflows/slsa-generic-keyless.yaml@refs/tags/v*"
- issuer: "https://token.actions.githubusercontent.com"
- rekor:
- url: https://rekor.sigstore.dev
- ctlog:
- ignoreSCT: true
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/chainsaw-step-01-apply-1.yaml
new file mode 100755
index 0000000000..64ab6c3f3c
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/chainsaw-step-01-apply-1.yaml
@@ -0,0 +1,29 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: keyless-mutatedigest-verifydigest-required
+spec:
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: check-builder-id-keyless
+ verifyImages:
+ - attestors:
+ - entries:
+ - keyless:
+ ctlog:
+ ignoreSCT: true
+ issuer: https://token.actions.githubusercontent.com
+ rekor:
+ url: https://rekor.sigstore.dev
+ subject: https://github.com/chipzoller/zulu/.github/workflows/slsa-generic-keyless.yaml@refs/tags/v*
+ imageReferences:
+ - ghcr.io/chipzoller/zulu:*
+ mutateDigest: true
+ required: true
+ verifyDigest: true
+ validationFailureAction: Enforce
+ webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/01-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 100%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/01-assert.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/chainsaw-step-01-assert-1.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/02-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/chainsaw-step-02-apply-1.yaml
old mode 100644
new mode 100755
similarity index 89%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/02-pod.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/chainsaw-step-02-apply-1.yaml
index f5619b6873..921f8ee747
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/02-pod.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/chainsaw-step-02-apply-1.yaml
@@ -6,4 +6,4 @@ metadata:
 spec:
 containers:
 - image: ghcr.io/chipzoller/zulu:v0.0.14
- name: zulu
\ No newline at end of file
+ name: zulu
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/02-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/chainsaw-step-02-assert-1.yaml
old mode 100644
new mode 100755
similarity index 95%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/02-assert.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/chainsaw-step-02-assert-1.yaml
index 79cb2b586b..669073222c
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/02-assert.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/chainsaw-step-02-assert-1.yaml
@@ -8,4 +8,4 @@ metadata:
 spec:
 containers:
 - image: ghcr.io/chipzoller/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db
- name: zulu
\ No newline at end of file
+ name: zulu
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/chainsaw-test.yaml
new file mode 100755
index 0000000000..1f4ede1bc0
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/chainsaw-test.yaml
@@ -0,0 +1,19 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: keyless-mutatedigest-verifydigest-required
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: chainsaw-step-01-apply-1.yaml
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: chainsaw-step-02-apply-1.yaml
+ - assert:
+ file: chainsaw-step-02-assert-1.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/01-manifests.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/01-manifests.yaml
deleted file mode 100644
index 9c04ebac84..0000000000
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/01-manifests.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: keyless-nomutatedigest-noverifydigest-norequired
-spec:
- validationFailureAction: Enforce
- webhookTimeoutSeconds: 30
- rules:
- - name: check-builder-id-keyless
- match:
- any:
- - resources:
- kinds:
- - Pod
- verifyImages:
- - imageReferences:
- - "ghcr.io/chipzoller/zulu*"
- mutateDigest: false
- verifyDigest: false
- required: false
- attestors:
- - entries:
- - keyless:
- subject: "https://github.com/chipzoller/zulu/.github/workflows/slsa-generic-keyless.yaml@refs/tags/v*"
- issuer: "https://token.actions.githubusercontent.com"
- rekor:
- url: https://rekor.sigstore.dev
- ctlog:
- ignoreSCT: true
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/chainsaw-step-01-apply-1.yaml
new file mode 100755
index 0000000000..c64414d589
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/chainsaw-step-01-apply-1.yaml
@@ -0,0 +1,29 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: keyless-nomutatedigest-noverifydigest-norequired
+spec:
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: check-builder-id-keyless
+ verifyImages:
+ - attestors:
+ - entries:
+ - keyless:
+ ctlog:
+ ignoreSCT: true
+ issuer: https://token.actions.githubusercontent.com
+ rekor:
+ url: https://rekor.sigstore.dev
+ subject: https://github.com/chipzoller/zulu/.github/workflows/slsa-generic-keyless.yaml@refs/tags/v*
+ imageReferences:
+ - ghcr.io/chipzoller/zulu*
+ mutateDigest: false
+ required: false
+ verifyDigest: false
+ validationFailureAction: Enforce
+ webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/01-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 100%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/01-assert.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/chainsaw-step-01-assert-1.yaml
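Review bot: With `mutateDigest: false`, `verifyDigest: false` and `required: false` together, this policy is, as its name says, the permissive combination: an image no attestor verifies is not rejected, and the tag-less reference `ghcr.io/chipzoller/zulu` is left exactly as submitted (the step-02 assert of this test expects precisely that). That is the behaviour the conformance case exists to pin, but the file reads like a ready-to-use policy, so a header comment such as `# conformance fixture: deliberately exercises the permissive path (no digest mutation, no digest verification, verification not required)` would stop it being lifted as a template. The keyless-nomutatedigest-noverifydigest-required policy later in this commit differs only in `required: true` and would take the matching note.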
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/02-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/chainsaw-step-02-apply-1.yaml
old mode 100644
new mode 100755
similarity index 89%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/02-pod.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/chainsaw-step-02-apply-1.yaml
index 5160f6f593..e4046fdba8
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/02-pod.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/chainsaw-step-02-apply-1.yaml
@@ -6,4 +6,4 @@ metadata:
 spec:
 containers:
 - image: ghcr.io/chipzoller/zulu
- name: zulu
\ No newline at end of file
+ name: zulu
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/02-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/chainsaw-step-02-assert-1.yaml
old mode 100644
new mode 100755
similarity index 93%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/02-assert.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/chainsaw-step-02-assert-1.yaml
index 2d32ed3cb6..7d1c2da8fb
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/02-assert.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/chainsaw-step-02-assert-1.yaml
@@ -8,4 +8,4 @@ metadata:
 spec:
 containers:
 - image: ghcr.io/chipzoller/zulu
- name: zulu
\ No newline at end of file
+ name: zulu
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/chainsaw-test.yaml
new file mode 100755
index 0000000000..31d840fdff
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/chainsaw-test.yaml
@@ -0,0 +1,19 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: keyless-nomutatedigest-noverifydigest-norequired
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: chainsaw-step-01-apply-1.yaml
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: chainsaw-step-02-apply-1.yaml
+ - assert:
+ file: chainsaw-step-02-assert-1.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/01-manifests.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/01-manifests.yaml
deleted file mode 100644
index e5b766d233..0000000000
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/01-manifests.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: keyless-nomutatedigest-noverifydigest-required
-spec:
- validationFailureAction: Enforce
- webhookTimeoutSeconds: 30
- rules:
- - name: check-builder-id-keyless
- match:
- any:
- - resources:
- kinds:
- - Pod
- verifyImages:
- - imageReferences:
- - "ghcr.io/chipzoller/zulu*"
- mutateDigest: false
- verifyDigest: false
- required: true
- attestors:
- - entries:
- - keyless:
- subject: "https://github.com/chipzoller/zulu/.github/workflows/slsa-generic-keyless.yaml@refs/tags/v*"
- issuer: "https://token.actions.githubusercontent.com"
- rekor:
- url: https://rekor.sigstore.dev
- ctlog:
- ignoreSCT: true
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/chainsaw-step-01-apply-1.yaml
new file mode 100755
index 0000000000..661d6f37e4
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/chainsaw-step-01-apply-1.yaml
@@ -0,0 +1,29 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: keyless-nomutatedigest-noverifydigest-required
+spec:
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: check-builder-id-keyless
+ verifyImages:
+ - attestors:
+ - entries:
+ - keyless:
+ ctlog:
+ ignoreSCT: true
+ issuer: https://token.actions.githubusercontent.com
+ rekor:
+ url: https://rekor.sigstore.dev
+ subject: https://github.com/chipzoller/zulu/.github/workflows/slsa-generic-keyless.yaml@refs/tags/v*
+ imageReferences:
+ - ghcr.io/chipzoller/zulu*
+ mutateDigest: false
+ required: true
+ verifyDigest: false
+ validationFailureAction: Enforce
+ webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/01-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 100%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/01-assert.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/chainsaw-step-01-assert-1.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/02-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/chainsaw-step-02-apply-1.yaml
old mode 100644
new mode 100755
similarity index 89%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/02-pod.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/chainsaw-step-02-apply-1.yaml
index 5160f6f593..e4046fdba8
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/02-pod.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/chainsaw-step-02-apply-1.yaml
@@ -6,4 +6,4 @@ metadata:
 spec:
 containers:
 - image: ghcr.io/chipzoller/zulu
- name: zulu
\ No newline at end of file
+ name: zulu
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/02-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/chainsaw-step-02-assert-1.yaml
old mode 100644
new mode 100755
similarity index 93%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/02-assert.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/chainsaw-step-02-assert-1.yaml
index 2d32ed3cb6..7d1c2da8fb
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/02-assert.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/chainsaw-step-02-assert-1.yaml
@@ -8,4 +8,4 @@ metadata:
 spec:
 containers:
 - image: ghcr.io/chipzoller/zulu
- name: zulu
\ No newline at end of file
+ name: zulu
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/chainsaw-test.yaml
new file mode 100755
index 0000000000..8198fc605b
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/chainsaw-test.yaml
@@ -0,0 +1,19 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: keyless-nomutatedigest-noverifydigest-required
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: chainsaw-step-01-apply-1.yaml
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: chainsaw-step-02-apply-1.yaml
+ - assert:
+ file: chainsaw-step-02-assert-1.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/01-manifests.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/01-manifests.yaml
deleted file mode 100644
index 5c954dafee..0000000000
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/01-manifests.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: mutatedigest-policy
-spec:
- validationFailureAction: Enforce
- webhookTimeoutSeconds: 30
- rules:
- - name: mutatedigest-rule
- match:
- any:
- - resources:
- kinds:
- - Pod
- verifyImages:
- - imageReferences:
- - "ghcr.io/kyverno/test-verify-image*"
- mutateDigest: true
- verifyDigest: false
- required: false
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/chainsaw-step-01-apply-1.yaml
new file mode 100755
index 0000000000..ad51cf2127
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/chainsaw-step-01-apply-1.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: mutatedigest-policy
+spec:
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: mutatedigest-rule
+ verifyImages:
+ - imageReferences:
+ - ghcr.io/kyverno/test-verify-image*
+ mutateDigest: true
+ required: false
+ verifyDigest: false
+ validationFailureAction: Enforce
+ webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/01-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 100%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/01-assert.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/chainsaw-step-01-assert-1.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/02-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/chainsaw-step-02-apply-1.yaml
old mode 100644
new mode 100755
similarity index 52%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/02-pod.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/chainsaw-step-02-apply-1.yaml
index 5222b22b49..030c2e85c2
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/02-pod.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/chainsaw-step-02-apply-1.yaml
@@ -5,5 +5,5 @@ metadata:
 namespace: default
 spec:
 containers:
- - name: container01
- image: ghcr.io/kyverno/test-verify-image:signed-keyless
+ - image: ghcr.io/kyverno/test-verify-image:signed-keyless
+ name: container01
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/03-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/chainsaw-step-03-assert-1.yaml
old mode 100644
new mode 100755
similarity index 91%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/03-assert.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/chainsaw-step-03-assert-1.yaml
index 21a5237632..9b168e09ed
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/03-assert.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/chainsaw-step-03-assert-1.yaml
@@ -6,4 +6,4 @@ metadata:
 spec:
 containers:
 - image: ghcr.io/kyverno/test-verify-image:signed-keyless@sha256:445a99db22e9add9bfb15ddb1980861a329e5dff5c88d7eec9cbf08b6b2f4eb1
- name: container01
\ No newline at end of file
+ name: container01
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/chainsaw-test.yaml
new file mode 100755
index 0000000000..c5398c08df
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/chainsaw-test.yaml
@@ -0,0 +1,21 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: mutatedigest-noverifydigest-norequired
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: chainsaw-step-01-apply-1.yaml
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: chainsaw-step-02-apply-1.yaml
+ - name: step-03
+ try:
+ - assert:
+ file: chainsaw-step-03-assert-1.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/01-policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/01-policy.yaml
deleted file mode 100644
index e521d0d761..0000000000
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/01-policy.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: TestStep
-metadata:
- creationTimestamp: null
- name: policy
-spec:
- timeouts: {}
- try:
- - apply:
- file: policy.yaml
- - assert:
- file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/02-create-good-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/02-create-good-pod.yaml
deleted file mode 100644
index e14deb4fcf..0000000000
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/02-create-good-pod.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: TestStep
-metadata:
- creationTimestamp: null
- name: create-good-pod
-spec:
- timeouts: {}
- try:
- - apply:
- file: namespace.yaml
- - apply:
- file: good-pod.yaml
- - assert:
- file: good-pod.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/03-create-bad-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/03-create-bad-pod.yaml
deleted file mode 100644
index a932ca68ad..0000000000
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/03-create-bad-pod.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: TestStep
-metadata:
- creationTimestamp: null
- name: create-bad-pod
-spec:
- timeouts: {}
- try:
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-pod.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/04-update-policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/04-update-policy.yaml
deleted file mode 100644
index 82d239395e..0000000000
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/04-update-policy.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: TestStep
-metadata:
- creationTimestamp: null
- name: update-policy
-spec:
- timeouts: {}
- try:
- - apply:
- file: update-policy.yaml
- - assert:
- file: update-policy.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/05-create-pod-with-configmap.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/05-create-pod-with-configmap.yaml
deleted file mode 100644
index aafe1238cf..0000000000
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/05-create-pod-with-configmap.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: TestStep
-metadata:
- creationTimestamp: null
- name: create-pod-with-configmap
-spec:
- timeouts: {}
- try:
- - apply:
- file: pod-with-configmap.yaml
- - assert:
- file: pod-with-configmap-ready.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/chainsaw-test.yaml
new file mode 100755
index 0000000000..342c2da634
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/chainsaw-test.yaml
@@ -0,0 +1,40 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: noconfigmap-diffimage-success
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: namespace.yaml
+ - apply:
+ file: good-pod.yaml
+ - assert:
+ file: good-pod.yaml
+ - name: step-03
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-pod.yaml
+ - name: step-04
+ try:
+ - apply:
+ file: update-policy.yaml
+ - assert:
+ file: update-policy.yaml
+ - name: step-05
+ try:
+ - apply:
+ file: pod-with-configmap.yaml
+ - assert:
+ file: pod-with-configmap-ready.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/01-manifests.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/01-manifests.yaml
deleted file mode 100644
index a7b88d499c..0000000000
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/01-manifests.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: mutatedigest-policy
-spec:
- validationFailureAction: Enforce
- webhookTimeoutSeconds: 30
- rules:
- - name: mutatedigest-rule
- match:
- any:
- - resources:
- kinds:
- - Pod
- verifyImages:
- - imageReferences:
- - "ghcr.io/kyverno/test-verify-image*"
- mutateDigest: false
- verifyDigest: true
- required: false
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/04-create-badpod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/04-create-badpod.yaml
deleted file mode 100644
index 8f7550fefd..0000000000
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/04-create-badpod.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: TestStep
-metadata:
- creationTimestamp: null
- name: create-badpod
-spec:
- timeouts: {}
- try:
- - apply:
- expect:
- - check:
- ($error != null): true
- file: badpod.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/chainsaw-step-01-apply-1.yaml
new file mode 100755
index 0000000000..b0431c4fde
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/chainsaw-step-01-apply-1.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: mutatedigest-policy
+spec:
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: mutatedigest-rule
+ verifyImages:
+ - imageReferences:
+ - ghcr.io/kyverno/test-verify-image*
+ mutateDigest: false
+ required: false
+ verifyDigest: true
+ validationFailureAction: Enforce
+ webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/01-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 100%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/01-assert.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/chainsaw-step-01-assert-1.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/02-goodpod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/chainsaw-step-02-apply-1.yaml
old mode 100644
new mode 100755
similarity index 91%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/02-goodpod.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/chainsaw-step-02-apply-1.yaml
index 21a5237632..9b168e09ed
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/02-goodpod.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/chainsaw-step-02-apply-1.yaml
@@ -6,4 +6,4 @@ metadata:
 spec:
 containers:
 - image: ghcr.io/kyverno/test-verify-image:signed-keyless@sha256:445a99db22e9add9bfb15ddb1980861a329e5dff5c88d7eec9cbf08b6b2f4eb1
- name: container01
\ No newline at end of file
+ name: container01
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/03-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/chainsaw-step-03-assert-1.yaml
old mode 100644
new mode 100755
similarity index 91%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/03-assert.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/chainsaw-step-03-assert-1.yaml
index 21a5237632..9b168e09ed
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/03-assert.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/chainsaw-step-03-assert-1.yaml
@@ -6,4 +6,4 @@ metadata:
 spec:
 containers:
 - image: ghcr.io/kyverno/test-verify-image:signed-keyless@sha256:445a99db22e9add9bfb15ddb1980861a329e5dff5c88d7eec9cbf08b6b2f4eb1
- name: container01
\ No newline at end of file
+ name: container01
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/chainsaw-test.yaml
new file mode 100755
index 0000000000..19d684b749
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/chainsaw-test.yaml
@@ -0,0 +1,28 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: nomutatedigest-verifydigest-norequired
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: chainsaw-step-01-apply-1.yaml
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: chainsaw-step-02-apply-1.yaml
+ - name: step-03
+ try:
+ - assert:
+ file: chainsaw-step-03-assert-1.yaml
+ - name: step-04
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: badpod.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/01-policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/01-policy.yaml
deleted file mode 100644
index e521d0d761..0000000000
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/01-policy.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: TestStep
-metadata:
- creationTimestamp: null
- name: policy
-spec:
- timeouts: {}
- try:
- - apply:
- file: policy.yaml
- - assert:
- file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/02-resource.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/02-resource.yaml
deleted file mode 100644
index cb4e511905..0000000000
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/02-resource.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: TestStep
-metadata:
- creationTimestamp: null
- name: resource
-spec:
- timeouts: {}
- try:
- - apply:
- file: pod.yaml
- - assert:
- file: pod-assert.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/chainsaw-test.yaml
new file mode 100755
index 0000000000..ec7903a618
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/chainsaw-test.yaml
@@ -0,0 +1,19 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: notary-attestation-verification
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: pod.yaml
+ - assert:
+ file: pod-assert.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/03-bad-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/03-bad-pod.yaml
deleted file mode 100644
index e51f1b9339..0000000000
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/03-bad-pod.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: TestStep
-metadata:
- creationTimestamp: null
- name: bad-pod
-spec:
- timeouts: {}
- try:
- - script:
- content: "if kubectl apply -f 06-pod.yaml\nthen \n echo \"Tested failed. Pod
- was created when it shouldn't have been.\"\n exit 1 \nelse \n echo \"Test
- succeeded. Pod was not created as intended.\"\n exit 0\nfi\n"
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/04-secret.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/04-secret.yaml
deleted file mode 100644
index 69d0faae34..0000000000
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/04-secret.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: TestStep
-metadata:
- creationTimestamp: null
- name: secret
-spec:
- timeouts: {}
- try:
- - script:
- content: |
- kubectl create secret docker-registry regcred --docker-username=kyverno --docker-password=$GITHUB_TOKEN --docker-server=ghcr.io -n kyverno
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/08-cleanup.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/08-cleanup.yaml
deleted file mode 100644
index 09c03dd610..0000000000
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/08-cleanup.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: TestStep
-metadata:
- creationTimestamp: null
- name: cleanup
-spec:
- timeouts: {}
- try:
- - command:
- args:
- - delete
- - secret
- - regcred
- - -n
- - kyverno
- entrypoint: kubectl
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-01-apply-1.yaml
new file mode 100755
index 0000000000..54c1efb587
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-01-apply-1.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-verify-images
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/01-manifests.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-01-apply-2.yaml
old mode 100644
new mode 100755
similarity index 62%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/01-manifests.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-01-apply-2.yaml
index 953ef73a79..c438845295
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/01-manifests.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-01-apply-2.yaml
@@ -1,13 +1,4 @@
 apiVersion: v1
-kind: Namespace
-metadata:
- name: test-verify-images
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: keys
- namespace: test-verify-images
 data:
 certificate: |-
 -----BEGIN CERTIFICATE-----
@@ -30,36 +21,7 @@ data:
 5/jn6XKt6UYCQJbVNzBg/YPGc1RF4xdsGVDBben/JXpeGEmkdmXPILTKd9tZ5TC0
 uOKpF5rWAruB5PCIrquamOejpXV9aQA/K2JQDuc0mcKz
 -----END CERTIFICATE-----
----
-apiVersion: kyverno.io/v2beta1
-kind: ClusterPolicy
+kind: ConfigMap
 metadata:
- name: secret-in-policy
-spec:
- validationFailureAction: Enforce
- webhookTimeoutSeconds: 30
- failurePolicy: Fail
- rules:
- - name: verify-signature-notary
- context:
- - name: keys
- configMap:
- name: keys
- namespace: test-verify-images
- match:
- any:
- - resources:
- kinds:
- - Pod
- verifyImages:
- - type: Notary
- imageReferences:
- - "ghcr.io/kyverno/test-verify-image-private*"
- attestors:
- - count: 1
- entries:
- - certificates:
- cert: "{{ keys.data.certificate }}"
- imageRegistryCredentials:
- secrets:
- - regcred
\ No newline at end of file
+ name: keys
+ namespace: test-verify-images
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-01-apply-3.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-01-apply-3.yaml
new file mode 100755
index 0000000000..0ec78cbc37
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-01-apply-3.yaml
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: secret-in-policy
+spec:
+ failurePolicy: Fail
+ rules:
+ - context:
+ - configMap:
+ name: keys
+ namespace: test-verify-images
+ name: keys
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: verify-signature-notary
+ verifyImages:
+ - attestors:
+ - count: 1
+ entries:
+ - certificates:
+ cert: '{{ keys.data.certificate }}'
+ imageReferences:
+ - ghcr.io/kyverno/test-verify-image-private*
+ imageRegistryCredentials:
+ secrets:
+ - regcred
+ type: Notary
+ validationFailureAction: Enforce
+ webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/02-assert-manifest.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-02-apply-1.yaml
old mode 100644
new mode 100755
similarity index 90%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/02-assert-manifest.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-02-apply-1.yaml
index 35afee707f..7120012a26
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/02-assert-manifest.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-02-apply-1.yaml
@@ -6,4 +6,4 @@ status:
 conditions:
 - reason: Succeeded
 status: "True"
- type: Ready
\ No newline at end of file
+ type: Ready
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/05-assert-secret.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-05-apply-1.yaml
old mode 100644
new mode 100755
similarity index 72%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/05-assert-secret.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-05-apply-1.yaml
index 594f33c59e..df748511b0
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/05-assert-secret.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-05-apply-1.yaml
@@ -2,4 +2,4 @@ apiVersion: v1 kind: Secret metadata: name: regcred - namespace: kyverno \ No newline at end of file + namespace: kyverno diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/06-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-06-apply-1.yaml old mode 100644 new mode 100755 similarity index 88% rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/06-pod.yaml rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-06-apply-1.yaml index 153d4f2804..7e84dbf721 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/06-pod.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-06-apply-1.yaml @@ -6,4 +6,4 @@ metadata: spec: containers: - image: ghcr.io/kyverno/test-verify-image-private:signed - name: test-secret \ No newline at end of file + name: test-secret diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/02-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-07-assert-1.yaml old mode 100644 new mode 100755 similarity index 64% rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/02-assert.yaml rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-07-assert-1.yaml index b736ae3d48..d1b6e4b775 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/02-assert.yaml 
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-07-assert-1.yaml @@ -2,4 +2,4 @@ apiVersion: v1 kind: Pod metadata: name: test-secret-pod - namespace: test-verify-images \ No newline at end of file + namespace: test-verify-images diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-test.yaml new file mode 100755 index 0000000000..6e4d789247 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-test.yaml @@ -0,0 +1,52 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: notary-image-verification-secret-from-policy +spec: + steps: + - name: step-01 + try: + - apply: + file: chainsaw-step-01-apply-1.yaml + - apply: + file: chainsaw-step-01-apply-2.yaml + - apply: + file: chainsaw-step-01-apply-3.yaml + - name: step-02 + try: + - apply: + file: chainsaw-step-02-apply-1.yaml + - name: step-03 + try: + - script: + content: "if kubectl apply -f 06-pod.yaml\nthen \n echo \"Tested failed. + Pod was created when it shouldn't have been.\"\n exit 1 \nelse \n echo + \"Test succeeded. Pod was not created as intended.\"\n exit 0\nfi\n" + - name: step-04 + try: + - script: + content: | + kubectl create secret docker-registry regcred --docker-username=kyverno --docker-password=$GITHUB_TOKEN --docker-server=ghcr.io -n kyverno + - name: step-05 + try: + - apply: + file: chainsaw-step-05-apply-1.yaml + - name: step-06 + try: + - apply: + file: chainsaw-step-06-apply-1.yaml + - name: step-07 + try: + - assert: + file: chainsaw-step-07-assert-1.yaml + - name: step-08 + try: + - command: + args: + - delete + - secret + - regcred + - -n + - kyverno + entrypoint: kubectl 
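Review bot: The negative check in step-03 still runs `kubectl apply -f 06-pod.yaml`, but this same commit renames that file to `chainsaw-step-06-apply-1.yaml`, so kubectl fails on a missing file, the `else` branch prints "Test succeeded" and the step passes without the admission webhook being exercised — the one scenario this test exists for (the private image rejected while no `regcred` secret exists) is now vacuous. Change it to `if kubectl apply -f chainsaw-step-06-apply-1.yaml`, or better drop the shell and use chainsaw's expected-failure handling (`error`, or `apply` with an `expect` check on `$error` if the pinned chainsaw version supports it) so a file-not-found cannot masquerade as a policy denial. Relatedly, the `kubectl delete secret regcred -n kyverno` in step-08 only runs when steps 05–07 all succeed; putting it in a `finally` block keeps a registry credential from being left behind in the `kyverno` namespace after a failed run. Step-04 also passes `$GITHUB_TOKEN` on the kubectl command line, where it is visible in process listings and in chainsaw's script logging; this is inherited from the previous layout, but `--from-file`/stdin-based secret creation would avoid it.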
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/01-policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/01-policy.yaml deleted file mode 100644 index e521d0d761..0000000000 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/01-policy.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: TestStep -metadata: - creationTimestamp: null - name: policy -spec: - timeouts: {} - try: - - apply: - file: policy.yaml - - assert: - file: policy-ready.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/02-resource.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/02-resource.yaml deleted file mode 100644 index cb4e511905..0000000000 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/02-resource.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: TestStep -metadata: - creationTimestamp: null - name: resource -spec: - timeouts: {} - try: - - apply: - file: pod.yaml - - assert: - file: pod-assert.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/chainsaw-test.yaml new file mode 100755 index 0000000000..88e7874d52 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/chainsaw-test.yaml 
@@ -0,0 +1,19 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: notary-image-verification +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: pod.yaml + - assert: + file: pod-assert.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/01-policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/01-policy.yaml deleted file mode 100644 index e521d0d761..0000000000 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/01-policy.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: TestStep -metadata: - creationTimestamp: null - name: policy -spec: - timeouts: {} - try: - - apply: - file: policy.yaml - - assert: - file: policy-ready.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/02-resource.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/02-resource.yaml deleted file mode 100644 index 501b27055d..0000000000 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/02-resource.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: TestStep -metadata: - creationTimestamp: null - name: resource -spec: - timeouts: {} - try: - - apply: - file: deployment_old.yaml - - apply: - file: deployment_new.yaml - - assert: - file: deployment-assert.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/03-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/03-test.yaml deleted file mode 100644 index 1c1bd30fee..0000000000 
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/03-test.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: TestStep -metadata: - creationTimestamp: null - name: test -spec: - timeouts: {} - try: - - script: - content: kubectl -n verify-images rollout undo deployment nginx-deployment diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/04-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/chainsaw-step-04-assert-1.yaml old mode 100644 new mode 100755 similarity index 93% rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/04-assert.yaml rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/chainsaw-step-04-assert-1.yaml index ca5b8c5451..71a553346e --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/04-assert.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/chainsaw-step-04-assert-1.yaml @@ -8,4 +8,4 @@ spec: spec: containers: - image: ghcr.io/kyverno/test-verify-image-rollback:signed-2@sha256:0fc1f3b764be56f7c881a69cbd553ae25a2b5523c6901fbacb8270307c29d0c4 - name: nginx \ No newline at end of file + name: nginx diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/chainsaw-test.yaml new file mode 100755 index 0000000000..5e08150766 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/chainsaw-test.yaml 
@@ -0,0 +1,29 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: rollback-image-verification +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: deployment_old.yaml + - apply: + file: deployment_new.yaml + - assert: + file: deployment-assert.yaml + - name: step-03 + try: + - script: + content: kubectl -n verify-images rollout undo deployment nginx-deployment + - name: step-04 + try: + - assert: + file: chainsaw-step-04-assert-1.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/01-policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/01-policy.yaml deleted file mode 100644 index 6134698445..0000000000 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/01-policy.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: TestStep -metadata: - creationTimestamp: null - name: policy -spec: - timeouts: {} - try: - - apply: - file: policy.yaml - - assert: - file: policy-assert.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/02-resource.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/02-resource.yaml deleted file mode 100644 index b3a07b0671..0000000000 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/02-resource.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: TestStep -metadata: - creationTimestamp: null - name: resource -spec: - timeouts: {} - try: - - apply: - file: resource-v1.yaml - timeout: 90s - - apply: - file: resource-v2.yaml - timeout: 90s 
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/chainsaw-test.yaml new file mode 100755 index 0000000000..5294176b29 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/chainsaw-test.yaml @@ -0,0 +1,21 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: update-multi-containers +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + file: resource-v1.yaml + timeout: 1m30s + - apply: + file: resource-v2.yaml + timeout: 1m30s