test: add tests for ghcr private repository (#7791)
This commit is contained in:
parent
3b7c938d6f
commit
c38a014468
14 changed files with 91 additions and 22 deletions
12
.github/workflows/conformance.yaml
vendored
|
@ -35,6 +35,8 @@ jobs:
|
||||||
# runs conformance test suites with configuration:
|
# runs conformance test suites with configuration:
|
||||||
standard:
|
standard:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
permissions:
|
||||||
|
packages: read
|
||||||
strategy:
|
strategy:
|
||||||
fail-fast: false
|
fail-fast: false
|
||||||
matrix:
|
matrix:
|
||||||
|
@ -96,6 +98,8 @@ jobs:
|
||||||
- name: Wait for kyverno ready
|
- name: Wait for kyverno ready
|
||||||
uses: ./.github/actions/kyverno-wait-ready
|
uses: ./.github/actions/kyverno-wait-ready
|
||||||
- name: Test with kuttl
|
- name: Test with kuttl
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
run: |
|
run: |
|
||||||
./.tools/kubectl-kuttl test ./test/conformance/kuttl/${{ matrix.tests }} \
|
./.tools/kubectl-kuttl test ./test/conformance/kuttl/${{ matrix.tests }} \
|
||||||
--config ./test/conformance/kuttl/_config/common.yaml
|
--config ./test/conformance/kuttl/_config/common.yaml
|
||||||
|
@ -106,6 +110,8 @@ jobs:
|
||||||
# runs conformance test suites with configuration:
|
# runs conformance test suites with configuration:
|
||||||
force-failure-policy-ignore:
|
force-failure-policy-ignore:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
permissions:
|
||||||
|
packages: read
|
||||||
strategy:
|
strategy:
|
||||||
fail-fast: false
|
fail-fast: false
|
||||||
matrix:
|
matrix:
|
||||||
|
@ -152,6 +158,8 @@ jobs:
|
||||||
- name: Wait for kyverno ready
|
- name: Wait for kyverno ready
|
||||||
uses: ./.github/actions/kyverno-wait-ready
|
uses: ./.github/actions/kyverno-wait-ready
|
||||||
- name: Test with kuttl
|
- name: Test with kuttl
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
run: |
|
run: |
|
||||||
./.tools/kubectl-kuttl test ./test/conformance/kuttl/${{ matrix.tests }} \
|
./.tools/kubectl-kuttl test ./test/conformance/kuttl/${{ matrix.tests }} \
|
||||||
--config ./test/conformance/kuttl/_config/common.yaml
|
--config ./test/conformance/kuttl/_config/common.yaml
|
||||||
|
@ -162,6 +170,8 @@ jobs:
|
||||||
# runs conformance test suites with configuration:
|
# runs conformance test suites with configuration:
|
||||||
default:
|
default:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
permissions:
|
||||||
|
packages: read
|
||||||
strategy:
|
strategy:
|
||||||
fail-fast: false
|
fail-fast: false
|
||||||
matrix:
|
matrix:
|
||||||
|
@ -206,6 +216,8 @@ jobs:
|
||||||
- name: Wait for kyverno ready
|
- name: Wait for kyverno ready
|
||||||
uses: ./.github/actions/kyverno-wait-ready
|
uses: ./.github/actions/kyverno-wait-ready
|
||||||
- name: Test with kuttl
|
- name: Test with kuttl
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
run: |
|
run: |
|
||||||
./.tools/kubectl-kuttl test ./test/conformance/kuttl/${{ matrix.tests }} \
|
./.tools/kubectl-kuttl test ./test/conformance/kuttl/${{ matrix.tests }} \
|
||||||
--config ./test/conformance/kuttl/_config/common.yaml
|
--config ./test/conformance/kuttl/_config/common.yaml
|
||||||
|
|
|
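Review bot: The job-level `permissions:` block added at line 37 (and repeated for the other three jobs in this file at lines 121, 205 and the matching hunks) lists only `packages: read`; GitHub sets every scope not named in a job-level block to `none`, so the checkout, cache or artifact steps of these jobs — which lie outside the shown hunks — should be checked for scopes they still need (for example `contents: read`) and those added explicitly. `packages: read` is the right minimum for pulling from ghcr.io, and the token handed to the kuttl step through `GITHUB_TOKEN` is job-scoped and read-only on fork pull requests, so its exposure is confined to the ephemeral test cluster the suite writes it into. A comment above the block, `# packages: read lets the private-registry conformance tests pull from ghcr.io with GITHUB_TOKEN`, would record why the scope is there.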
@ -6,9 +6,34 @@ import (
|
||||||
|
|
||||||
"github.com/google/go-containerregistry/pkg/name"
|
"github.com/google/go-containerregistry/pkg/name"
|
||||||
"github.com/google/go-containerregistry/pkg/v1/remote"
|
"github.com/google/go-containerregistry/pkg/v1/remote"
|
||||||
|
"github.com/kyverno/kyverno/pkg/images"
|
||||||
|
"github.com/kyverno/kyverno/pkg/registryclient"
|
||||||
"gotest.tools/assert"
|
"gotest.tools/assert"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
var (
|
||||||
|
cert = `-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDTTCCAjWgAwIBAgIJAPI+zAzn4s0xMA0GCSqGSIb3DQEBCwUAMEwxCzAJBgNV
|
||||||
|
BAYTAlVTMQswCQYDVQQIDAJXQTEQMA4GA1UEBwwHU2VhdHRsZTEPMA0GA1UECgwG
|
||||||
|
Tm90YXJ5MQ0wCwYDVQQDDAR0ZXN0MB4XDTIzMDUyMjIxMTUxOFoXDTMzMDUxOTIx
|
||||||
|
MTUxOFowTDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMRAwDgYDVQQHDAdTZWF0
|
||||||
|
dGxlMQ8wDQYDVQQKDAZOb3RhcnkxDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3
|
||||||
|
DQEBAQUAA4IBDwAwggEKAoIBAQDNhTwv+QMk7jEHufFfIFlBjn2NiJaYPgL4eBS+
|
||||||
|
b+o37ve5Zn9nzRppV6kGsa161r9s2KkLXmJrojNy6vo9a6g6RtZ3F6xKiWLUmbAL
|
||||||
|
hVTCfYw/2n7xNlVMjyyUpE+7e193PF8HfQrfDFxe2JnX5LHtGe+X9vdvo2l41R6m
|
||||||
|
Iia04DvpMdG4+da2tKPzXIuLUz/FDb6IODO3+qsqQLwEKmmUee+KX+3yw8I6G1y0
|
||||||
|
Vp0mnHfsfutlHeG8gazCDlzEsuD4QJ9BKeRf2Vrb0ywqNLkGCbcCWF2H5Q80Iq/f
|
||||||
|
ETVO9z88R7WheVdEjUB8UrY7ZMLdADM14IPhY2Y+tLaSzEVZAgMBAAGjMjAwMAkG
|
||||||
|
A1UdEwQCMAAwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0G
|
||||||
|
CSqGSIb3DQEBCwUAA4IBAQBX7x4Ucre8AIUmXZ5PUK/zUBVOrZZzR1YE8w86J4X9
|
||||||
|
kYeTtlijf9i2LTZMfGuG0dEVFN4ae3CCpBst+ilhIndnoxTyzP+sNy4RCRQ2Y/k8
|
||||||
|
Zq235KIh7uucq96PL0qsF9s2RpTKXxyOGdtp9+HO0Ty5txJE2txtLDUIVPK5WNDF
|
||||||
|
ByCEQNhtHgN6V20b8KU2oLBZ9vyB8V010dQz0NRTDLhkcvJig00535/LUylECYAJ
|
||||||
|
5/jn6XKt6UYCQJbVNzBg/YPGc1RF4xdsGVDBben/JXpeGEmkdmXPILTKd9tZ5TC0
|
||||||
|
uOKpF5rWAruB5PCIrquamOejpXV9aQA/K2JQDuc0mcKz
|
||||||
|
-----END CERTIFICATE-----`
|
||||||
|
)
|
||||||
|
|
||||||
func TestExtractStatements(t *testing.T) {
|
func TestExtractStatements(t *testing.T) {
|
||||||
imageRef := "jimnotarytest.azurecr.io/jim/net-monitor:v1"
|
imageRef := "jimnotarytest.azurecr.io/jim/net-monitor:v1"
|
||||||
ref, err := name.ParseReference(imageRef)
|
ref, err := name.ParseReference(imageRef)
|
||||||
|
@ -30,3 +55,18 @@ func TestExtractStatements(t *testing.T) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestNotaryImageVerification(t *testing.T) {
|
||||||
|
opts := images.Options{
|
||||||
|
ImageRef: "ghcr.io/kyverno/test-verify-image:signed",
|
||||||
|
Cert: cert,
|
||||||
|
}
|
||||||
|
|
||||||
|
rc, err := registryclient.New()
|
||||||
|
assert.NilError(t, err)
|
||||||
|
opts.Client = rc
|
||||||
|
|
||||||
|
verifier := ¬aryVerifier{}
|
||||||
|
_, err = verifier.VerifySignature(context.TODO(), opts)
|
||||||
|
assert.NilError(t, err)
|
||||||
|
}
|
||||||
|
|
|
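Review bot: `TestNotaryImageVerification` performs a live pull of `ghcr.io/kyverno/test-verify-image:signed` through `registryclient.New()`, so the unit-test suite now depends on network reachability and on that image staying signed with this certificate; guard it with `if testing.Short() { t.Skip("needs network access to ghcr.io") }` so offline runs stay green. The `context.TODO()` passed to `VerifySignature` should be a bounded context (`context.WithTimeout(context.Background(), …)` with a deferred cancel) so an unresponsive registry fails the test instead of hanging it. The `cert` block also deserves a one-line comment stating that it is the certificate used to verify the test image's signature and carries no private key material, since a reviewer seeing a PEM blob in a test file will otherwise stop to check.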
@ -116,7 +116,7 @@ func getRemoteOpts(authenticator authn.Authenticator) ([]gcrremote.Option, error
|
||||||
}
|
}
|
||||||
|
|
||||||
func resolveDigestCrane(repo notationregistry.Repository, remoteOpts []gcrremote.Option, ref name.Reference) error {
|
func resolveDigestCrane(repo notationregistry.Repository, remoteOpts []gcrremote.Option, ref name.Reference) error {
|
||||||
_, err := repo.Resolve(context.Background(), ref.Name())
|
_, err := repo.Resolve(context.Background(), ref.Identifier())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
|
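Review bot: `resolveDigestCrane` discards the descriptor returned by `repo.Resolve` (`_, err := …`), so the digest the registry resolved `ref.Identifier()` to is never carried forward; if the rest of the function, which continues past the hunk, later fetches by the original tag, a mutable tag can be re-pointed between this check and that fetch. Returning or threading the resolved digest would pin the subsequent operations to the same content. The function has no doc comment; `// resolveDigestCrane checks that ref's tag or digest resolves in repo; the resolved descriptor is not retained.` states what it currently does.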
@ -31,7 +31,7 @@ func (c *repositoryClient) Resolve(ctx context.Context, reference string) (ocisp
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return ocispec.Descriptor{}, nil
|
return ocispec.Descriptor{}, nil
|
||||||
}
|
}
|
||||||
head, err := remote.Head(nameRef)
|
head, err := remote.Head(nameRef, c.remoteOpts...)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return ocispec.Descriptor{}, nil
|
return ocispec.Descriptor{}, nil
|
||||||
}
|
}
|
||||||
|
@ -66,7 +66,7 @@ func (c *repositoryClient) FetchSignatureBlob(ctx context.Context, desc ocispec.
|
||||||
return nil, ocispec.Descriptor{}, err
|
return nil, ocispec.Descriptor{}, err
|
||||||
}
|
}
|
||||||
|
|
||||||
remoteDesc, err := remote.Get(manifestRef)
|
remoteDesc, err := remote.Get(manifestRef, c.remoteOpts...)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, ocispec.Descriptor{}, err
|
return nil, ocispec.Descriptor{}, err
|
||||||
}
|
}
|
||||||
|
@ -86,7 +86,7 @@ func (c *repositoryClient) FetchSignatureBlob(ctx context.Context, desc ocispec.
|
||||||
return nil, ocispec.Descriptor{}, err
|
return nil, ocispec.Descriptor{}, err
|
||||||
}
|
}
|
||||||
|
|
||||||
signatureBlobLayer, err := remote.Layer(signatureBlobRef.Context().Digest(signatureBlobRef.Identifier()))
|
signatureBlobLayer, err := remote.Layer(signatureBlobRef.Context().Digest(signatureBlobRef.Identifier()), c.remoteOpts...)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, ocispec.Descriptor{}, err
|
return nil, ocispec.Descriptor{}, err
|
||||||
}
|
}
|
||||||
|
|
|
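Review bot: In `repositoryClient.Resolve` both error branches still `return ocispec.Descriptor{}, nil`, so a failed `remote.Head` — now including an authentication rejection for the credentials passed via `c.remoteOpts` — yields an empty descriptor with a nil error and the caller cannot tell a missing or inaccessible image from a resolved one; change both the parse-error branch (line 541) and the Head branch (line 561) to `return ocispec.Descriptor{}, err`. The two `FetchSignatureBlob` hunks propagate their errors correctly and need only the option plumbing this commit adds.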
@ -1,3 +0,0 @@
|
||||||
# Title
|
|
||||||
|
|
||||||
This test tries to verify an image from a private repo using credentials stored in a Kubernetes Secret.
|
|
|
@ -34,7 +34,7 @@ data:
|
||||||
apiVersion: kyverno.io/v2beta1
|
apiVersion: kyverno.io/v2beta1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: secret-in-keys
|
name: secret-in-policy
|
||||||
spec:
|
spec:
|
||||||
validationFailureAction: Enforce
|
validationFailureAction: Enforce
|
||||||
webhookTimeoutSeconds: 30
|
webhookTimeoutSeconds: 30
|
||||||
|
@ -54,7 +54,7 @@ spec:
|
||||||
verifyImages:
|
verifyImages:
|
||||||
- type: Notary
|
- type: Notary
|
||||||
imageReferences:
|
imageReferences:
|
||||||
- "ghcr.io/kyverno/test-verify-image*"
|
- "ghcr.io/kyverno/test-verify-image-private*"
|
||||||
attestors:
|
attestors:
|
||||||
- count: 1
|
- count: 1
|
||||||
entries:
|
entries:
|
||||||
|
@ -62,13 +62,4 @@ spec:
|
||||||
cert: "{{ keys.data.certificate }}"
|
cert: "{{ keys.data.certificate }}"
|
||||||
imageRegistryCredentials:
|
imageRegistryCredentials:
|
||||||
secrets:
|
secrets:
|
||||||
- testsecret
|
- regcred
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
data:
|
|
||||||
.dockerconfigjson: eyJhdXRocyI6eyJyZWciOnsidXNlcm5hbWUiOiJ1c2VyIiwicGFzc3dvcmQiOiJwYXNzIiwiYXV0aCI6ImRYTmxjanB3WVhOeiJ9fX0=
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: testsecret
|
|
||||||
namespace: kyverno
|
|
||||||
type: kubernetes.io/dockerconfigjson
|
|
|
@ -1,9 +1,9 @@
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: secret-in-keys
|
name: secret-in-policy
|
||||||
status:
|
status:
|
||||||
conditions:
|
conditions:
|
||||||
- reason: Succeeded
|
- reason: Succeeded
|
||||||
status: "True"
|
status: "True"
|
||||||
type: Ready
|
type: Ready
|
|
@ -0,0 +1,12 @@
|
||||||
|
apiVersion: kuttl.dev/v1beta1
|
||||||
|
kind: TestStep
|
||||||
|
commands:
|
||||||
|
- script: |
|
||||||
|
if kubectl apply -f 06-pod.yaml
|
||||||
|
then
|
||||||
|
echo "Tested failed. Pod was created when it shouldn't have been."
|
||||||
|
exit 1
|
||||||
|
else
|
||||||
|
echo "Test succeeded. Pod was not created as intended."
|
||||||
|
exit 0
|
||||||
|
fi
|
|
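Review bot: The step passes whenever `kubectl apply` fails for any reason — a webhook timeout, a missing `test-verify-images` namespace or an unreachable API server all make it exit non-zero — so it cannot distinguish a policy denial from a broken environment. Capture the command's output and check that the rejection names the policy before declaring success (Kyverno's denial message includes the policy name; confirm the exact wording against a run), and fix the typo `Tested failed` in the failure message while there. The whole step is visible in the hunk.
```yaml
  - script: |
      if out=$(kubectl apply -f 06-pod.yaml 2>&1)
      then
        echo "Test failed. Pod was created when it shouldn't have been."
        exit 1
      fi
      case "$out" in
        *secret-in-policy*) echo "Test succeeded. Pod was rejected by the policy." ; exit 0 ;;
        *) echo "Test failed. Apply was rejected for an unexpected reason: $out" ; exit 1 ;;
      esac
```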
@ -0,0 +1,5 @@
|
||||||
|
apiVersion: kuttl.dev/v1beta1
|
||||||
|
kind: TestStep
|
||||||
|
commands:
|
||||||
|
- script: |
|
||||||
|
kubectl create secret docker-registry regcred --docker-username=kyverno --docker-password=$GITHUB_TOKEN --docker-server=ghcr.io -n kyverno
|
|
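Review bot: When `GITHUB_TOKEN` is unset (a local run, or a job that did not export it) `kubectl create secret docker-registry … --docker-password=$GITHUB_TOKEN` fails with a generic flag error rather than a message naming the missing CI configuration; start the script with `: "${GITHUB_TOKEN:?GITHUB_TOKEN must be set to pull from ghcr.io}"` so the cause is explicit. `kubectl create` also fails if `regcred` already exists, so re-running the suite in the same cluster breaks here unless the cleanup step ran; `kubectl delete secret regcred -n kyverno --ignore-not-found` before the create, or piping `--dry-run=client -o yaml` into `kubectl apply -f -`, makes the step idempotent. The token is passed as a command-line argument, which is visible in process listings on the runner — acceptable for an ephemeral CI runner, but worth a comment saying so.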
@ -0,0 +1,5 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: regcred
|
||||||
|
namespace: kyverno
|
|
@ -5,5 +5,5 @@ metadata:
|
||||||
namespace: test-verify-images
|
namespace: test-verify-images
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- image: ghcr.io/kyverno/test-verify-image:signed
|
- image: ghcr.io/kyverno/test-verify-image-private:signed
|
||||||
name: test-secret
|
name: test-secret
|
|
@ -0,0 +1,4 @@
|
||||||
|
apiVersion: kuttl.dev/v1beta1
|
||||||
|
kind: TestStep
|
||||||
|
commands:
|
||||||
|
- command: kubectl delete secret regcred -n kyverno
|
|
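Review bot: `kubectl delete secret regcred -n kyverno` fails when the secret is absent, which is exactly the state left behind if the create step did not run, so the cleanup step then reports an error unrelated to what is being tested; `- command: kubectl delete secret regcred -n kyverno --ignore-not-found` keeps the teardown idempotent.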
@ -0,0 +1,3 @@
|
||||||
|
# Title
|
||||||
|
|
||||||
|
This test verifies images in private registries, that are signed using notary.
|