From c305fbc070540a60cdfad6cb7b11f5399d2817a7 Mon Sep 17 00:00:00 2001
From: Vishal Choudhary
Date: Fri, 14 Jun 2024 19:23:06 +0530
Subject: [PATCH] feat: add custom sigstore conformance tests (#10473)
* feat: add custom sigstore conformance tests
Signed-off-by: Vishal Choudhary
* feat: debug
Signed-off-by: Vishal Choudhary
* feat: debug
Signed-off-by: Vishal Choudhary
* feat: debug
Signed-off-by: Vishal Choudhary
* feat: debug
Signed-off-by: Vishal Choudhary
* feat: add custom sigstore values back
Signed-off-by: Vishal Choudhary
* feat: remove debug
Signed-off-by: Vishal Choudhary
---------
Signed-off-by: Vishal Choudhary
Co-authored-by: shuting
---
 .github/workflows/conformance.yaml | 7 +++++--
 .../chainsaw/custom-sigstore/standard/basic/policy.yaml | 4 ++--
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/conformance.yaml b/.github/workflows/conformance.yaml
index f1fc2592b4..c1386d87c0 100644
--- a/.github/workflows/conformance.yaml
+++ b/.github/workflows/conformance.yaml
@@ -615,6 +615,7 @@ jobs:
 - name: custom-sigstore
 values:
 - standard
+ - custom-sigstore
 k8s-version:
 - name: v1.27
 version: v1.27.x
@@ -645,7 +646,7 @@ jobs:
 uses: kyverno/action-install-chainsaw@dd64b5d7b2b7d36fdf701d48ac8b216aa94414db # v0.2.4
 # create cluster
 - name: Create kind cluster and setup Sigstore Scaffolding
- uses: sigstore/scaffolding/actions/setup@19922c022ce4d4d5511e0adcd56df6eb2f41b8a6
+ uses: sigstore/scaffolding/actions/setup@d9197cb16e744297de67cfeef8a8e247d31206c4
 with:
 version: main
 k8s-version: ${{ matrix.k8s-version.version }}
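Review bot: The new matrix value `custom-sigstore` on the added line has no matching test content in this commit — the diffstat lists only the workflow and the existing `standard/basic/policy.yaml` — so if, as the sibling `standard` entry suggests, each value selects a test directory under `test/conformance/chainsaw/custom-sigstore/`, this job now depends on a directory that must already exist in the tree. Worth confirming before the job is added to the `needs:` lists later in this patch, where a missing directory would turn into a blocked required check rather than a visible test failure. The matrix entry begins before the hunk, so the value-to-path mapping itself is not visible here.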
@@ -684,7 +685,7 @@ jobs:
 TEST_IMAGE_URL=ttl.sh/${IMAGE_NAME}:1h
 crane copy cgr.dev/chainguard/static@$DIGEST $TEST_IMAGE_URL
 cosign initialize --mirror $TUF_MIRROR --root $TUF_MIRROR/root.json
- COSIGN_EXPERIMENTAL=1 cosign sign --rekor-url $REKOR_URL --fulcio-url $FULCIO_URL $TEST_IMAGE_URL --identity-token `curl -s $ISSUER_URL` -y
+ COSIGN_EXPERIMENTAL=1 cosign sign --rekor-url $REKOR_URL --fulcio-url $FULCIO_URL $TEST_IMAGE_URL --identity-token $OIDC_TOKEN -y
 echo "TEST_IMAGE_URL=$TEST_IMAGE_URL" >> $GITHUB_ENV
 # run tests
 - name: Test with Chainsaw
@@ -1005,6 +1006,7 @@ jobs:
 - k8s-version-specific-tests-above-1-28
 - validatingadmissionpolicies-reports-v1alpha1
 - validatingadmissionpolicies-reports-v1beta1
+ - custom-sigstore
 - default
 - monitor-helm-secret-size
 - check-tests
@@ -1023,6 +1025,7 @@ jobs:
 - k8s-version-specific-tests-above-1-28
 - validatingadmissionpolicies-reports-v1alpha1
 - validatingadmissionpolicies-reports-v1beta1
+ - custom-sigstore
 - default
 - monitor-helm-secret-size
 - check-tests
diff --git a/test/conformance/chainsaw/custom-sigstore/standard/basic/policy.yaml b/test/conformance/chainsaw/custom-sigstore/standard/basic/policy.yaml
index 5513284a81..bbf59ae311 100644
--- a/test/conformance/chainsaw/custom-sigstore/standard/basic/policy.yaml
+++ b/test/conformance/chainsaw/custom-sigstore/standard/basic/policy.yaml
@@ -27,7 +27,7 @@ spec:
 entries:
 - keyless:
 issuer: "https://kubernetes.default.svc.cluster.local"
- subject: "*"
+ subject: "https://kubernetes.io/namespaces/default/serviceaccounts/default"
 rekor:
 url: "{{ tufvalues.data.REKOR_URL }}"
- required: true
\ No newline at end of file
+ required: true
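Review bot: `$OIDC_TOKEN` on the added line is not assigned anywhere in this hunk and is expanded unquoted, so if the variable is empty the shell drops the word entirely and cosign would most likely take the following `-y` as the identity token, producing a confusing signing error instead of a clear "token missing" failure. Presumably the bumped scaffolding setup action exports it, but the step's `run:` block begins before the hunk, so that cannot be confirmed from the patch. I would fail fast with `--identity-token "${OIDC_TOKEN:?OIDC_TOKEN not set}"` and quote the other expansions on the same line (`"$TEST_IMAGE_URL"`, `"$REKOR_URL"`, `"$FULCIO_URL"`) so an unset value is caught at the point of use rather than downstream.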
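Review bot: The new `subject` value on the added line of `policy.yaml` is an exact identity string, and the token the workflow signs with is `$OIDC_TOKEN`, whose subject is not visible anywhere in this patch; if the scaffolding issuer mints that token for a different service account, verification fails closed and the test goes red with no hint as to why. A one-line comment above `subject:` tying the two together would save the next reader a trip through the workflow, e.g. `# must equal the SA identity the workflow's OIDC token is minted for (default/default)`. Since `issuer` is unchanged, the entry now requires a full issuer-plus-subject match rather than issuer-only, which is the right direction for a keyless policy.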