sigstore test env

[sallyom]

This PR introduces 2 make targets:

make sigstore-testenv-up
make sigstore-testenv-down

This will enable testing for addition of sigstore image signing/verification

/cc @lukehinds @mtrmac @vrothberg :)

[sallyom]

@vrothberg @mtrmac I've tested this setup by running subset of sigstore integration tests locally like so:

$ cd path/to/containers/skopeo 
$ make sigstore-testenv-up
$ cd  path/to/sigstore
$ curl -o e2e-test.sh https://gist.githubusercontent.com/sallyom/9f828f46a6ade7a98eaefecd56190fa2/raw/6501803c4c3170aa5d41c8acfc0ad643d4a5a912/e2e-test.sh
$ chmod +x e2e-test.sh && ./e2e-test.sh
$ cd back/to/containers/skopeo
$ make sigstore-testenv-down

output:

$ ./e2e-test.sh 
+ echo 'running tests'
running tests
+ export VAULT_TOKEN=testtoken
---env-vars-set
+ go test -tags e2e -count=1 ./...
ok  	github.com/sigstore/sigstore/pkg/cryptoutils	6.619s
?   	github.com/sigstore/sigstore/pkg/oauth	[no test files]
ok  	github.com/sigstore/sigstore/pkg/oauth/internal	0.007s
ok  	github.com/sigstore/sigstore/pkg/oauth/oidc	1.160s
ok  	github.com/sigstore/sigstore/pkg/oauthflow	1.581s
ok  	github.com/sigstore/sigstore/pkg/signature	0.356s
ok  	github.com/sigstore/sigstore/pkg/signature/dsse	0.013s
ok  	github.com/sigstore/sigstore/pkg/signature/kms	0.016s
ok  	github.com/sigstore/sigstore/pkg/signature/kms/aws	0.851s
ok  	github.com/sigstore/sigstore/pkg/signature/kms/azure	0.030s
ok  	github.com/sigstore/sigstore/pkg/signature/kms/fake	0.007s
ok  	github.com/sigstore/sigstore/pkg/signature/kms/gcp	0.009s
ok  	github.com/sigstore/sigstore/pkg/signature/kms/hashivault	0.064s
?   	github.com/sigstore/sigstore/pkg/signature/options	[no test files]
ok  	github.com/sigstore/sigstore/pkg/signature/payload	0.004s
ok  	github.com/sigstore/sigstore/pkg/signature/ssh	0.059s

[sallyom]

To avoid using docker.io images (rate limits) EDIT: I've pushed necessary images the following images should be pushed somewhere like quay.io/libpod/..

docker.io/library/vault:1.9.6
docker.io/library/localstack/localstack:0.12.16
docker.io/dexidp/dex:v2.31.1

latest localstack 0.14.2 but 0.12.6 in use by sigstore atm

The above docker.io images are referenced in this PR

[vrothberg]

Thanks!

Before merging, we should probably push the images to quay.io/libpod/sigstore-testing-*.

[vrothberg]

I think this should be uncommented already to make sure that it's working and that it will continue to work in the future.

[sallyom]

uncommented, thanks

[vrothberg]

Let's avoid using the latest tag. The image may be updated in the future and we need to make sure that old/stable branches continue to work.

[TomSweeneyRedHat]

can we move these images to a common quay.io directory/repo? I know we have one for libpod, do we have one for skopeo?

[vrothberg]

Using the libpod one should be OK given we need these tests in Podman CI as well.

[sallyom]

updated from localstack:latest to localstack:0.12.16 (currently used in sigstore)

[vrothberg]

Do we need this dex-config.yml?

[sallyom]

EDIT: keeping the dex-config.yml & the dex volume in docker-compose.yml nope, I've removed this and also updated the gist test script (not included in this PR but to prove this setup works until skopeo adds sigstore e2es)

[vrothberg]

Should we export the IPs in the Makefile to make them accessible to all tests?

[sallyom]

right, yup - updated/added to Makefile

[sallyom]

@TomSweeneyRedHat @vrothberg thanks for the reviews! I've updated this PR, ptal

[vrothberg]

Tests are failing at the moment as integration/copy_test.go wants to use port 5556 which is now blocked by dex.

[sallyom]

Tests are failing at the moment as integration/copy_test.go wants to use port 5556 which is now blocked by dex.

fixed, updated

[TomSweeneyRedHat]

@sallyom another rebase is needed here

[sallyom]

@sallyom another rebase is needed here

rebased!

[sallyom]

@TomSweeneyRedHat @vrothberg anything else needed? thanks!

[vrothberg]

@sallyom, it would be helpful to document how this can be used integration tests. For instance, which env variables should be used for the local fulcio and recor instance?

@mtrmac WDYT?

[sallyom]

@vrothberg @mtrmac I documented above (and in the Makefile) the env vars required. There's an example for how to use this setup against sigstore/sigstore e2e tests in this gist, too

export VAULT_TOKEN=testtoken
export VAULT_ADDR=http://localhost:8200/

export AWS_ACCESS_KEY_ID=test
export AWS_SECRET_ACCESS_KEY=test
export AWS_REGION=us-east-1
export AWS_ENDPOINT=localhost:4566
export AWS_TLS_INSECURE_SKIP_VERIFY=1
export OIDC_ISSUER=http://127.0.0.1:5556/auth
export OIDC_ID=sigstore

[rhatdan]

@sallyom @mtrmac @vrothberg Where are we with this one? Now most of the sigstore stuff is merged?

[sallyom]

@sallyom @mtrmac @vrothberg Where are we with this one? Now most of the sigstore stuff is merged?

what will help is if there is a WIP/PoC bringing in whatever is necessary from sigstore/cosign - then it will become clear what should be included in/ported to sigstore/sigstore

relevant upstream:
sigstore/signature library: https://github.com/sigstore/sigstore/tree/main/pkg/signature
ongoing work with sigstore/gitsign to move code to sigstore/sigstore
sigstore/gitsign#62
and work to move providers into separate repos:
sigstore/cosign#1867

[github-actions]

A friendly reminder that this PR had no activity for 30 days.

[rhatdan]

@sallyom @vrothberg @mtrmac do we care about this PR at this point? Should it be fixed or closed?

[sallyom]

closing this for now and will reopen if necessary after examining current sigstore implementation