diff --git a/.github/workflows/conformance.yaml b/.github/workflows/conformance.yaml
index 3ea1c84e34..46b41d41b9 100644
--- a/.github/workflows/conformance.yaml
+++ b/.github/workflows/conformance.yaml
@@ -35,6 +35,8 @@ jobs:
 # runs conformance test suites with configuration:
 standard:
 runs-on: ubuntu-latest
+ permissions:
+ packages: read
 strategy:
 fail-fast: false
 matrix:
@@ -96,6 +98,8 @@ jobs:
 - name: Wait for kyverno ready
 uses: ./.github/actions/kyverno-wait-ready
 - name: Test with kuttl
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 ./.tools/kubectl-kuttl test ./test/conformance/kuttl/${{ matrix.tests }} \
 --config ./test/conformance/kuttl/_config/common.yaml
@@ -106,6 +110,8 @@ jobs:
 # runs conformance test suites with configuration:
 force-failure-policy-ignore:
 runs-on: ubuntu-latest
+ permissions:
+ packages: read
 strategy:
 fail-fast: false
 matrix:
@@ -152,6 +158,8 @@ jobs:
 - name: Wait for kyverno ready
 uses: ./.github/actions/kyverno-wait-ready
 - name: Test with kuttl
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 ./.tools/kubectl-kuttl test ./test/conformance/kuttl/${{ matrix.tests }} \
 --config ./test/conformance/kuttl/_config/common.yaml
@@ -162,6 +170,8 @@ jobs:
 # runs conformance test suites with configuration:
 default:
 runs-on: ubuntu-latest
+ permissions:
+ packages: read
 strategy:
 fail-fast: false
 matrix:
@@ -206,6 +216,8 @@ jobs:
 - name: Wait for kyverno ready
 uses: ./.github/actions/kyverno-wait-ready
 - name: Test with kuttl
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 ./.tools/kubectl-kuttl test ./test/conformance/kuttl/${{ matrix.tests }} \
 --config ./test/conformance/kuttl/_config/common.yaml
diff --git a/pkg/notary/notary_test.go b/pkg/notary/notary_test.go
index 1dff57232e..92cdd7bee3 100644
--- a/pkg/notary/notary_test.go
+++ b/pkg/notary/notary_test.go
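Review bot: Declaring `permissions:` with only `packages: read` on the `standard` job implicitly sets every other scope for that job, including `contents`, to none; that is the right direction for least privilege, but it changes what earlier steps that use the token (the checkout in particular) are allowed to do, so confirm those steps still pass with `contents` at none and add `contents: read` only if one of them needs it. The identical `permissions` block and the identical `GITHUB_TOKEN` step env are repeated in the `force-failure-policy-ignore` and `default` job hunks, so one comment on the first occurrence would document all three, e.g. `# read-only packages scope: the notary kuttl test pulls a private ghcr.io image with GITHUB_TOKEN`. The env exports the token to every kuttl suite in the matrix, not only the notary one; that is hard to avoid with a matrix, but saying so in the comment keeps the scope from being widened later.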
@@ -6,9 +6,34 @@ import (
 
 "github.com/google/go-containerregistry/pkg/name"
 "github.com/google/go-containerregistry/pkg/v1/remote"
+ "github.com/kyverno/kyverno/pkg/images"
+ "github.com/kyverno/kyverno/pkg/registryclient"
 "gotest.tools/assert"
 )
 
+var (
+ cert = `-----BEGIN CERTIFICATE-----
+MIIDTTCCAjWgAwIBAgIJAPI+zAzn4s0xMA0GCSqGSIb3DQEBCwUAMEwxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJXQTEQMA4GA1UEBwwHU2VhdHRsZTEPMA0GA1UECgwG
+Tm90YXJ5MQ0wCwYDVQQDDAR0ZXN0MB4XDTIzMDUyMjIxMTUxOFoXDTMzMDUxOTIx
+MTUxOFowTDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMRAwDgYDVQQHDAdTZWF0
+dGxlMQ8wDQYDVQQKDAZOb3RhcnkxDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQDNhTwv+QMk7jEHufFfIFlBjn2NiJaYPgL4eBS+
+b+o37ve5Zn9nzRppV6kGsa161r9s2KkLXmJrojNy6vo9a6g6RtZ3F6xKiWLUmbAL
+hVTCfYw/2n7xNlVMjyyUpE+7e193PF8HfQrfDFxe2JnX5LHtGe+X9vdvo2l41R6m
+Iia04DvpMdG4+da2tKPzXIuLUz/FDb6IODO3+qsqQLwEKmmUee+KX+3yw8I6G1y0
+Vp0mnHfsfutlHeG8gazCDlzEsuD4QJ9BKeRf2Vrb0ywqNLkGCbcCWF2H5Q80Iq/f
+ETVO9z88R7WheVdEjUB8UrY7ZMLdADM14IPhY2Y+tLaSzEVZAgMBAAGjMjAwMAkG
+A1UdEwQCMAAwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0G
+CSqGSIb3DQEBCwUAA4IBAQBX7x4Ucre8AIUmXZ5PUK/zUBVOrZZzR1YE8w86J4X9
+kYeTtlijf9i2LTZMfGuG0dEVFN4ae3CCpBst+ilhIndnoxTyzP+sNy4RCRQ2Y/k8
+Zq235KIh7uucq96PL0qsF9s2RpTKXxyOGdtp9+HO0Ty5txJE2txtLDUIVPK5WNDF
+ByCEQNhtHgN6V20b8KU2oLBZ9vyB8V010dQz0NRTDLhkcvJig00535/LUylECYAJ
+5/jn6XKt6UYCQJbVNzBg/YPGc1RF4xdsGVDBben/JXpeGEmkdmXPILTKd9tZ5TC0
+uOKpF5rWAruB5PCIrquamOejpXV9aQA/K2JQDuc0mcKz
+-----END CERTIFICATE-----`
+)
+
 func TestExtractStatements(t *testing.T) {
 imageRef := "jimnotarytest.azurecr.io/jim/net-monitor:v1"
 ref, err := name.ParseReference(imageRef)
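Review bot: `cert` is a fixed test fixture but is declared in a `var` block, so any test in the package can reassign it; `const cert = ...` states the intent and removes that possibility. The block also says nothing about what the certificate is or how long it is good for, and the test that uses it will start failing silently-for-reasons when it expires; my reading of the two UTCTime fields in the PEM gives a validity window of 2023-05-22 to 2033-05-19, which should be confirmed with `openssl x509 -noout -dates` before being written down. A one-line comment such as `// Notary signing certificate for ghcr.io/kyverno/test-verify-image:signed; expires 2033-05-19 (TODO confirm)` would let whoever sees TestNotaryImageVerification break in the future diagnose it immediately.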
@@ -30,3 +55,18 @@ func TestExtractStatements(t *testing.T) {
 }
 }
 }
+
+func TestNotaryImageVerification(t *testing.T) {
+ opts := images.Options{
+ ImageRef: "ghcr.io/kyverno/test-verify-image:signed",
+ Cert: cert,
+ }
+
+ rc, err := registryclient.New()
+ assert.NilError(t, err)
+ opts.Client = rc
+
+ verifier := ¬aryVerifier{}
+ _, err = verifier.VerifySignature(context.TODO(), opts)
+ assert.NilError(t, err)
+}
diff --git a/pkg/notary/registry.go b/pkg/notary/registry.go
index 95d9ae68c7..a5862a6ab4 100644
--- a/pkg/notary/registry.go
+++ b/pkg/notary/registry.go
@@ -116,7 +116,7 @@ func getRemoteOpts(authenticator authn.Authenticator) ([]gcrremote.Option, error
 }
 
 func resolveDigestCrane(repo notationregistry.Repository, remoteOpts []gcrremote.Option, ref name.Reference) error {
- _, err := repo.Resolve(context.Background(), ref.Name())
+ _, err := repo.Resolve(context.Background(), ref.Identifier())
 if err != nil {
 return err
 }
diff --git a/pkg/notary/repository.go b/pkg/notary/repository.go
index f2cd821c87..6b02a83a15 100644
--- a/pkg/notary/repository.go
+++ b/pkg/notary/repository.go
@@ -31,7 +31,7 @@ func (c *repositoryClient) Resolve(ctx context.Context, reference string) (ocisp
 if err != nil {
 return ocispec.Descriptor{}, nil
 }
- head, err := remote.Head(nameRef)
+ head, err := remote.Head(nameRef, c.remoteOpts...)
 if err != nil {
 return ocispec.Descriptor{}, nil
 }
@@ -66,7 +66,7 @@ func (c *repositoryClient) FetchSignatureBlob(ctx context.Context, desc ocispec.
 return nil, ocispec.Descriptor{}, err
 }
 
- remoteDesc, err := remote.Get(manifestRef)
+ remoteDesc, err := remote.Get(manifestRef, c.remoteOpts...)
 if err != nil {
 return nil, ocispec.Descriptor{}, err
 }
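Review bot: TestNotaryImageVerification talks to ghcr.io through `registryclient.New()` and `VerifySignature`, so it fails offline and in sandboxed `go test` runs without saying anything about the code; add `if testing.Short() { t.Skip("requires network access to ghcr.io") }` as the first statement so `go test -short` stays hermetic. `context.TODO()` marks a context that has not been chosen yet; a test should use `context.Background()`, or better a `context.WithTimeout` so a stalled registry cannot hang the whole suite. The first return value of `VerifySignature` is discarded with `_`; asserting on whatever it carries (at least that it is non-nil) would make the test check that verification happened rather than only that nothing errored. Note for readers of this page: `¬aryVerifier` is an HTML-entity rendering of `&notaryVerifier`, not what the source says.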
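Review bot: The `if err != nil { return err }` that `resolveDigestCrane` runs after `repo.Resolve` in the registry.go hunk cannot fire for a registry failure, because the `Resolve` implementation in the first repository.go hunk returns `ocispec.Descriptor{}, nil` on both error paths visible there (the one entering the hunk and the one after the now-authenticated `remote.Head`). For a signature verifier that means an unreachable or unauthorized registry produces an empty descriptor with a nil error, and whatever follows the hunk inside `Resolve` (the function continues outside it) carries on with a zero digest; unless a nil error is deliberately used to fall through to another resolution strategy below, both lines should read `return ocispec.Descriptor{}, err`. In the same registry.go hunk the `remoteOpts` parameter is not used in the visible lines now that `c.remoteOpts` lives on the repository client; if the rest of the function does not use it either, drop it. `context.Background()` there also detaches the call from any caller deadline; threading a `ctx` through would be the usual fix but touches callers outside this diff.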
@@ -86,7 +86,7 @@ func (c *repositoryClient) FetchSignatureBlob(ctx context.Context, desc ocispec.
 return nil, ocispec.Descriptor{}, err
 }
 
- signatureBlobLayer, err := remote.Layer(signatureBlobRef.Context().Digest(signatureBlobRef.Identifier()))
+ signatureBlobLayer, err := remote.Layer(signatureBlobRef.Context().Digest(signatureBlobRef.Identifier()), c.remoteOpts...)
 if err != nil {
 return nil, ocispec.Descriptor{}, err
 }
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret-from-policy/README.md b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret-from-policy/README.md
deleted file mode 100644
index 83d277621c..0000000000
--- a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret-from-policy/README.md
+++ /dev/null
@@ -1,3 +0,0 @@
-# Title
-
-This test tries to verify an image from a private repo using credentials stored in a Kubernetes Secret.
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret-from-policy/01-manifests.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/01-manifests.yaml
similarity index 86%
rename from test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret-from-policy/01-manifests.yaml
rename to test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/01-manifests.yaml
index abd848dac3..953ef73a79 100644
--- a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret-from-policy/01-manifests.yaml
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/01-manifests.yaml
@@ -34,7 +34,7 @@ data:
 apiVersion: kyverno.io/v2beta1
 kind: ClusterPolicy
 metadata:
- name: secret-in-keys
+ name: secret-in-policy
 spec:
 validationFailureAction: Enforce
 webhookTimeoutSeconds: 30
@@ -54,7 +54,7 @@ spec:
 verifyImages:
 - type: Notary
 imageReferences:
- - "ghcr.io/kyverno/test-verify-image*"
+ - "ghcr.io/kyverno/test-verify-image-private*"
 attestors:
 - count: 1
 entries:
@@ -62,13 +62,4 @@ spec:
 cert: "{{ keys.data.certificate }}"
 imageRegistryCredentials:
 secrets:
- - testsecret
----
-apiVersion: v1
-data:
- .dockerconfigjson: eyJhdXRocyI6eyJyZWciOnsidXNlcm5hbWUiOiJ1c2VyIiwicGFzc3dvcmQiOiJwYXNzIiwiYXV0aCI6ImRYTmxjanB3WVhOeiJ9fX0=
-kind: Secret
-metadata:
- name: testsecret
- namespace: kyverno
-type: kubernetes.io/dockerconfigjson
\ No newline at end of file
+ - regcred
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret-from-policy/01-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/02-assert-manifest.yaml
similarity index 74%
rename from test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret-from-policy/01-assert.yaml
rename to test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/02-assert-manifest.yaml
index ca9cef7de7..35afee707f 100644
--- a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret-from-policy/01-assert.yaml
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/02-assert-manifest.yaml
@@ -1,9 +1,9 @@
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
- name: secret-in-keys
+ name: secret-in-policy
 status:
 conditions:
 - reason: Succeeded
 status: "True"
- type: Ready
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/03-bad-pod.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/03-bad-pod.yaml
new file mode 100644
index 0000000000..923180b9e5
--- /dev/null
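Review bot: The policy now lists `regcred` under `imageRegistryCredentials.secrets`, but that Secret is only created by step 04 of this test, so steps 01–02 apply and assert Ready a policy that points at a Secret that does not exist yet, and the denial step 03 relies on is produced by the missing credential rather than by a signature or certificate mismatch. That ordering looks deliberate, but nothing in the hunk or the new README says so, and the next person to tidy the test may well move the secret earlier and quietly lose the negative case; a comment on the entry, `# regcred is created in 04-secret.yaml; until then pulls of the private image must fail`, plus a sentence in the README would prevent that. Replacing the removed inline `testsecret` (a hard-coded dockerconfigjson in the repository) with a secret created at run time is an improvement; confirm that Kyverno resolves `regcred` in the `kyverno` namespace, where 04-secret.yaml creates it, since the policy entry carries no namespace of its own.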
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/03-bad-pod.yaml
@@ -0,0 +1,12 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+ if kubectl apply -f 06-pod.yaml
+ then
+ echo "Tested failed. Pod was created when it shouldn't have been."
+ exit 1
+ else
+ echo "Test succeeded. Pod was not created as intended."
+ exit 0
+ fi
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/04-secret.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/04-secret.yaml
new file mode 100644
index 0000000000..84387a0656
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/04-secret.yaml
@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+ kubectl create secret docker-registry regcred --docker-username=kyverno --docker-password=$GITHUB_TOKEN --docker-server=ghcr.io -n kyverno
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/05-assert-secret.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/05-assert-secret.yaml
new file mode 100644
index 0000000000..594f33c59e
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/05-assert-secret.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: regcred
+ namespace: kyverno
\ No newline at end of file
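Review bot: The negative step in 03-bad-pod.yaml passes whenever `kubectl apply -f 06-pod.yaml` fails for any reason, so a typo in the manifest, a missing namespace or an unreachable API server all count as "Pod was not created as intended" and the test cannot distinguish a policy denial from a broken environment. Capturing the output and checking that the denial names the policy would make it assert what it means: `if out=$(kubectl apply -f 06-pod.yaml 2>&1); then echo "Test failed. Pod was created when it shouldn't have been."; exit 1; fi` followed by `echo "$out" | grep -q secret-in-policy || { echo "Test failed. Pod was rejected for another reason: $out"; exit 1; }` (Kyverno's denial text normally carries the policy name; confirm against a live run before relying on it). The failure message also has a typo, `Tested failed.` should be `Test failed.`, and the relative path `06-pod.yaml` assumes kuttl runs the script from the test directory, which is worth a comment if it is not guaranteed by the suite config.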
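Review bot: In 04-secret.yaml `$GITHUB_TOKEN` is expanded unguarded, so when the variable is empty (a workflow that did not export it, or a local kuttl run) the step still succeeds and creates `regcred` with an empty password, and the problem only surfaces two steps later as an opaque pull or verification error. A guard at the top of the script, `: "${GITHUB_TOKEN:?GITHUB_TOKEN must be set for the private-registry notary test}"`, turns that into an immediate, readable failure. The token is also passed as a command-line argument, where anything able to list processes on the runner can read it for the duration of the `kubectl` call; as far as I know `kubectl create secret docker-registry` has no stdin form for the password, so if that matters, write a dockerconfigjson to a temporary file and use `--from-file` instead. Neither point blocks a short-lived CI cluster, but both are cheap.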
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret-from-policy/02-goodpod.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/06-pod.yaml
similarity index 68%
rename from test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret-from-policy/02-goodpod.yaml
rename to test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/06-pod.yaml
index de7987da27..153d4f2804 100644
--- a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret-from-policy/02-goodpod.yaml
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/06-pod.yaml
@@ -5,5 +5,5 @@ metadata:
 namespace: test-verify-images
 spec:
 containers:
- - image: ghcr.io/kyverno/test-verify-image:signed
+ - image: ghcr.io/kyverno/test-verify-image-private:signed
 name: test-secret
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret-from-policy/02-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/07-assert.yaml
similarity index 100%
rename from test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret-from-policy/02-assert.yaml
rename to test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/07-assert.yaml
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/08-cleanup.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/08-cleanup.yaml
new file mode 100644
index 0000000000..061ed6865a
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/08-cleanup.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: kubectl delete secret regcred -n kyverno
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/README.md b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/README.md
new file mode 100644
index 0000000000..3db2e729d0
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/README.md
@@ -0,0 +1,3 @@
+# Title
+
+This test verifies images in private registries, that are signed using notary.
\ No newline at end of file
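Review bot: This cleanup runs only when every earlier step has passed, because kuttl stops a test at its first failing step, and kuttl's own teardown removes the per-test namespace rather than the `kyverno` namespace where 04-secret.yaml created `regcred`; after a failure the Secret holding the CI token stays in the cluster. On a throwaway CI cluster that is harmless, but if the suite is ever pointed at a long-lived cluster it is not, so either state the limitation in the README or make the step idempotent with `- command: kubectl delete secret regcred -n kyverno --ignore-not-found` so a re-run after a partial failure does not itself fail on the already-deleted secret. A short comment above the command, `# removes the token-bearing pull secret; not reached if an earlier step fails`, records the gap for the next maintainer.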