feat: new test case for RSA

Also moved port back to 5000

Signed-off-by: Bruno Bressi <bruno.bressi@telekom.de>

Makefile

@@ -17,9 +17,9 @@ test-unit:
 
 e2e-cluster:
 	@echo "Creating registry..."
-	@k3d registry create registry.localhost --port 13942
+	@k3d registry create registry.localhost --port 5000
 	@echo "Adding registry to cluster..."
-	@k3d cluster create cosign-tests --registry-use k3d-registry.localhost:13942
+	@k3d cluster create cosign-tests --registry-use k3d-registry.localhost:5000
 	@echo "Create test namespace..."
 	@kubectl create namespace test-cases
 
@@ -33,29 +33,29 @@ e2e-images:
 	@echo "Checking for cosign.key..."
 	@test -f cosign.key || (echo "cosign.key not found. Run 'make e2e-keys' to generate the pairs needed for the tests." && exit 1)
 	@echo "Building test image..."
-	@docker build -t k3d-registry.localhost:13942/cosignwebhook:dev .
+	@docker build -t k3d-registry.localhost:5000/cosignwebhook:dev .
 	@echo "Pushing test image..."
-	@docker push k3d-registry.localhost:13942/cosignwebhook:dev
+	@docker push k3d-registry.localhost:5000/cosignwebhook:dev
 	@echo "Signing test image..."
 	@export COSIGN_PASSWORD="" && \
-		cosign sign --tlog-upload=false --key cosign.key k3d-registry.localhost:13942/cosignwebhook:dev
+		cosign sign --tlog-upload=false --key cosign.key k3d-registry.localhost:5000/cosignwebhook:dev
 	@echo "Importing test image to cluster..."
-	@k3d image import k3d-registry.localhost:13942/cosignwebhook:dev --cluster cosign-tests
+	@k3d image import k3d-registry.localhost:5000/cosignwebhook:dev --cluster cosign-tests
 	@echo "Building busybox image..."
 	@docker pull busybox:latest
 	@echo "Tagging & pushing busybox images..."
-	@docker tag busybox:latest k3d-registry.localhost:13942/busybox:first
-	@docker tag busybox:latest k3d-registry.localhost:13942/busybox:second
-	@docker push k3d-registry.localhost:13942/busybox --all-tags
+	@docker tag busybox:latest k3d-registry.localhost:5000/busybox:first
+	@docker tag busybox:latest k3d-registry.localhost:5000/busybox:second
+	@docker push k3d-registry.localhost:5000/busybox --all-tags
 	@echo "Signing busybox images..."
 	@export COSIGN_PASSWORD="" && \
-		cosign sign --tlog-upload=false --key cosign.key k3d-registry.localhost:13942/busybox:first && \
-		cosign sign --tlog-upload=false --key second.key k3d-registry.localhost:13942/busybox:second
+		cosign sign --tlog-upload=false --key cosign.key k3d-registry.localhost:5000/busybox:first && \
+		cosign sign --tlog-upload=false --key second.key k3d-registry.localhost:5000/busybox:second
 
 e2e-deploy:
 	@echo "Deploying test image..."
 	@helm upgrade -i cosignwebhook chart -n cosignwebhook --create-namespace \
-		--set image.repository=k3d-registry.localhost:13942/cosignwebhook \
+		--set image.repository=k3d-registry.localhost:5000/cosignwebhook \
 		--set image.tag=dev \
 		--set-file cosign.scwebhook.key=cosign.pub \
 		--set logLevel=debug \

chart/values.yaml

@@ -32,15 +32,15 @@ podAnnotations: {}
 podSecurityContext:
   fsGroup: 1000
   supplementalGroups:
-    - 1000
+  - 1000
 
 # minimal permissions for container
 securityContext:
   readOnlyRootFilesystem: true
   allowPrivilegeEscalation: false
   capabilities:
     drop:
-      - ALL
+    - ALL
   privileged: false
   runAsUser: 1000
   runAsGroup: 1000

test/framework/cosign.go

@@ -136,7 +136,6 @@ func (f *Framework) SignContainer(t *testing.T, opts SignOptions) {
 		"sign",
 		opts.Image,
 	}
-	t.Setenv("COSIGN_PASSWORD", "")
 	cmd := cli.New()
 	_ = cmd.Flags().Set("timeout", "30s")
 	cmd.SetArgs(args)

test/webhook_test.go

@@ -750,6 +750,80 @@ func testOneContainerSinglePubKeyEnvRefRSA(t *testing.T) {
 	fw.Cleanup(t)
 }
 
+func TestTwoContainersSinglePubKeyEnvRefRSA(t *testing.T) {
+	fw, err := framework.New()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Create a deployment with two containers signed by the same RSA key
+	_, rsaPub := fw.CreateRSAKeyPair(t, "test")
+	fw.SignContainer(t, framework.SignOptions{
+		KeyName:       "test",
+		Image:         "k3d-registry.localhost:5000/busybox:first",
+		SignatureRepo: "k3d-registry.localhost:5000/sigs",
+	})
+	fw.SignContainer(t, framework.SignOptions{
+		KeyName:       "test",
+		Image:         "k3d-registry.localhost:5000/busybox:second",
+		SignatureRepo: "k3d-registry.localhost:5000/sigs",
+	})
+
+	depl := appsv1.Deployment{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "two-containers-single-pubkey-envref",
+			Namespace: "test-cases",
+		},
+		Spec: appsv1.DeploymentSpec{
+			Selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{"app": "two-containers-single-pubkey-envref"},
+			},
+			Template: corev1.PodTemplateSpec{
+				ObjectMeta: metav1.ObjectMeta{
+					Labels: map[string]string{"app": "two-containers-single-pubkey-envref"},
+				},
+				Spec: corev1.PodSpec{
+					TerminationGracePeriodSeconds: &terminationGracePeriodSeconds,
+					Containers: []corev1.Container{
+						{
+							Name:  "two-containers-single-pubkey-envref",
+							Image: "k3d-registry.localhost:5000/busybox:first",
+							Command: []string{
+								"sh", "-c",
+								"echo 'hello world, i am tired and will sleep now'; sleep 60",
+							},
+							Env: []corev1.EnvVar{
+								{
+									Name:  webhook.CosignEnvVar,
+									Value: rsaPub,
+								},
+							},
+						},
+						{
+							Name:  "two-containers-single-pubkey-envref",
+							Image: "k3d-registry.localhost:5000/busybox:second",
+							Command: []string{
+								"sh", "-c",
+								"echo 'hello world, i am tired and will sleep now'; sleep 60",
+							},
+							Env: []corev1.EnvVar{
+								{
+									Name:  webhook.CosignEnvVar,
+									Value: rsaPub,
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	fw.CreateDeployment(t, depl)
+	fw.WaitForDeployment(t, depl)
+	fw.Cleanup(t)
+}
+
 // testOneContainerSinglePubKeyNoMatchEnvRef tests that a deployment with a single signed container,
 // with a public key provided via an environment variable, fails if the public key does not match the signature.
 func testOneContainerSinglePubKeyNoMatchEnvRef(t *testing.T) {