mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-05 15:37:19 +00:00
Code Activity

test: add tests for ghcr private repository (#7791)

Browse source
This commit is contained in:
Vishal Choudhary 2023-07-31 16:42:24 +05:30 committed by GitHub
parent 3b7c938d6f
commit c38a014468
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
14 changed files with 91 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
.github/workflows/conformance.yaml vendored
View file

@ -35,6 +35,8 @@ jobs:
# runs conformance test suites with configuration:
standard:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
matrix:
@ -96,6 +98,8 @@ jobs:
- name: Wait for kyverno ready
uses: ./.github/actions/kyverno-wait-ready
- name: Test with kuttl
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
./.tools/kubectl-kuttl test ./test/conformance/kuttl/${{ matrix.tests }} \
--config ./test/conformance/kuttl/_config/common.yaml
@ -106,6 +110,8 @@ jobs:
# runs conformance test suites with configuration:
force-failure-policy-ignore:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
matrix:
@ -152,6 +158,8 @@ jobs:
- name: Wait for kyverno ready
uses: ./.github/actions/kyverno-wait-ready
- name: Test with kuttl
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
./.tools/kubectl-kuttl test ./test/conformance/kuttl/${{ matrix.tests }} \
--config ./test/conformance/kuttl/_config/common.yaml
@ -162,6 +170,8 @@ jobs:
# runs conformance test suites with configuration:
default:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
matrix:
@ -206,6 +216,8 @@ jobs:
- name: Wait for kyverno ready
uses: ./.github/actions/kyverno-wait-ready
- name: Test with kuttl
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
./.tools/kubectl-kuttl test ./test/conformance/kuttl/${{ matrix.tests }} \
--config ./test/conformance/kuttl/_config/common.yaml

40
pkg/notary/notary_test.go
View file

@ -6,9 +6,34 @@ import (
"github.com/google/go-containerregistry/pkg/name"
"github.com/google/go-containerregistry/pkg/v1/remote"
"github.com/kyverno/kyverno/pkg/images"
"github.com/kyverno/kyverno/pkg/registryclient"
"gotest.tools/assert"
)
var (
cert = `-----BEGIN CERTIFICATE-----
MIIDTTCCAjWgAwIBAgIJAPI+zAzn4s0xMA0GCSqGSIb3DQEBCwUAMEwxCzAJBgNV
BAYTAlVTMQswCQYDVQQIDAJXQTEQMA4GA1UEBwwHU2VhdHRsZTEPMA0GA1UECgwG
Tm90YXJ5MQ0wCwYDVQQDDAR0ZXN0MB4XDTIzMDUyMjIxMTUxOFoXDTMzMDUxOTIx
MTUxOFowTDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMRAwDgYDVQQHDAdTZWF0
dGxlMQ8wDQYDVQQKDAZOb3RhcnkxDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDNhTwv+QMk7jEHufFfIFlBjn2NiJaYPgL4eBS+
b+o37ve5Zn9nzRppV6kGsa161r9s2KkLXmJrojNy6vo9a6g6RtZ3F6xKiWLUmbAL
hVTCfYw/2n7xNlVMjyyUpE+7e193PF8HfQrfDFxe2JnX5LHtGe+X9vdvo2l41R6m
Iia04DvpMdG4+da2tKPzXIuLUz/FDb6IODO3+qsqQLwEKmmUee+KX+3yw8I6G1y0
Vp0mnHfsfutlHeG8gazCDlzEsuD4QJ9BKeRf2Vrb0ywqNLkGCbcCWF2H5Q80Iq/f
ETVO9z88R7WheVdEjUB8UrY7ZMLdADM14IPhY2Y+tLaSzEVZAgMBAAGjMjAwMAkG
A1UdEwQCMAAwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0G
CSqGSIb3DQEBCwUAA4IBAQBX7x4Ucre8AIUmXZ5PUK/zUBVOrZZzR1YE8w86J4X9
kYeTtlijf9i2LTZMfGuG0dEVFN4ae3CCpBst+ilhIndnoxTyzP+sNy4RCRQ2Y/k8
Zq235KIh7uucq96PL0qsF9s2RpTKXxyOGdtp9+HO0Ty5txJE2txtLDUIVPK5WNDF
ByCEQNhtHgN6V20b8KU2oLBZ9vyB8V010dQz0NRTDLhkcvJig00535/LUylECYAJ
5/jn6XKt6UYCQJbVNzBg/YPGc1RF4xdsGVDBben/JXpeGEmkdmXPILTKd9tZ5TC0
uOKpF5rWAruB5PCIrquamOejpXV9aQA/K2JQDuc0mcKz
-----END CERTIFICATE-----`
)
func TestExtractStatements(t *testing.T) {
imageRef := "jimnotarytest.azurecr.io/jim/net-monitor:v1"
ref, err := name.ParseReference(imageRef)
@ -30,3 +55,18 @@ func TestExtractStatements(t *testing.T) {
}
}
}
func TestNotaryImageVerification(t *testing.T) {
opts := images.Options{
ImageRef: "ghcr.io/kyverno/test-verify-image:signed",
Cert: cert,
}
rc, err := registryclient.New()
assert.NilError(t, err)
opts.Client = rc
verifier := &notaryVerifier{}
_, err = verifier.VerifySignature(context.TODO(), opts)
assert.NilError(t, err)
}

2
pkg/notary/registry.go
View file

@ -116,7 +116,7 @@ func getRemoteOpts(authenticator authn.Authenticator) ([]gcrremote.Option, error
}
func resolveDigestCrane(repo notationregistry.Repository, remoteOpts []gcrremote.Option, ref name.Reference) error {
_, err := repo.Resolve(context.Background(), ref.Name())
_, err := repo.Resolve(context.Background(), ref.Identifier())
if err != nil {
return err
}

6
pkg/notary/repository.go
View file

@ -31,7 +31,7 @@ func (c *repositoryClient) Resolve(ctx context.Context, reference string) (ocisp
if err != nil {
return ocispec.Descriptor{}, nil
}
head, err := remote.Head(nameRef)
head, err := remote.Head(nameRef, c.remoteOpts...)
if err != nil {
return ocispec.Descriptor{}, nil
}
@ -66,7 +66,7 @@ func (c *repositoryClient) FetchSignatureBlob(ctx context.Context, desc ocispec.
return nil, ocispec.Descriptor{}, err
}
remoteDesc, err := remote.Get(manifestRef)
remoteDesc, err := remote.Get(manifestRef, c.remoteOpts...)
if err != nil {
return nil, ocispec.Descriptor{}, err
}
@ -86,7 +86,7 @@ func (c *repositoryClient) FetchSignatureBlob(ctx context.Context, desc ocispec.
return nil, ocispec.Descriptor{}, err
}
signatureBlobLayer, err := remote.Layer(signatureBlobRef.Context().Digest(signatureBlobRef.Identifier()))
signatureBlobLayer, err := remote.Layer(signatureBlobRef.Context().Digest(signatureBlobRef.Identifier()), c.remoteOpts...)
if err != nil {
return nil, ocispec.Descriptor{}, err
}

3
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret-from-policy/README.md
View file

@ -1,3 +0,0 @@
# Title
This test tries to verify an image from a private repo using credentials stored in a Kubernetes Secret.

15
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret-from-policy/01-manifests.yaml → test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/01-manifests.yaml
View file

@ -34,7 +34,7 @@ data:
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
name: secret-in-keys
name: secret-in-policy
spec:
validationFailureAction: Enforce
webhookTimeoutSeconds: 30
@ -54,7 +54,7 @@ spec:
verifyImages:
- type: Notary
imageReferences:
- "ghcr.io/kyverno/test-verify-image*"
- "ghcr.io/kyverno/test-verify-image-private*"
attestors:
- count: 1
entries:
@ -62,13 +62,4 @@ spec:
cert: "{{ keys.data.certificate }}"
imageRegistryCredentials:
secrets:
- testsecret
---
apiVersion: v1
data:
.dockerconfigjson: eyJhdXRocyI6eyJyZWciOnsidXNlcm5hbWUiOiJ1c2VyIiwicGFzc3dvcmQiOiJwYXNzIiwiYXV0aCI6ImRYTmxjanB3WVhOeiJ9fX0=
kind: Secret
metadata:
name: testsecret
namespace: kyverno
type: kubernetes.io/dockerconfigjson
- regcred

4
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret-from-policy/01-assert.yaml → test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/02-assert-manifest.yaml
View file

@ -1,9 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: secret-in-keys
name: secret-in-policy
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready
type: Ready

12
test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/03-bad-pod.yaml Normal file
View file

@ -0,0 +1,12 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- script: |
if kubectl apply -f 06-pod.yaml
then
echo "Tested failed. Pod was created when it shouldn't have been."
exit 1
else
echo "Test succeeded. Pod was not created as intended."
exit 0
fi

5
test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/04-secret.yaml Normal file
View file

@ -0,0 +1,5 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- script: |
kubectl create secret docker-registry regcred --docker-username=kyverno --docker-password=$GITHUB_TOKEN --docker-server=ghcr.io -n kyverno

5
test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/05-assert-secret.yaml Normal file
View file

@ -0,0 +1,5 @@
apiVersion: v1
kind: Secret
metadata:
name: regcred
namespace: kyverno

2
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret-from-policy/02-goodpod.yaml → test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/06-pod.yaml
View file

@ -5,5 +5,5 @@ metadata:
namespace: test-verify-images
spec:
containers:
- image: ghcr.io/kyverno/test-verify-image:signed
- image: ghcr.io/kyverno/test-verify-image-private:signed
name: test-secret

0
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret-from-policy/02-assert.yaml → test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/07-assert.yaml
View file

4
test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/08-cleanup.yaml Normal file
View file

@ -0,0 +1,4 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- command: kubectl delete secret regcred -n kyverno

3
test/conformance/kuttl/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/README.md Normal file
View file

@ -0,0 +1,3 @@
# Title
This test verifies images in private registries, that are signed using notary.