From 9df1f41b728a0812a53faab50abcf596bfc89f01 Mon Sep 17 00:00:00 2001
From: Bruno Bressi
Date: Thu, 12 Sep 2024 19:10:03 +0200
Subject: [PATCH] feat: new test case for RSA

Also moved port back to 5000

Signed-off-by: Bruno Bressi
---
 Makefile | 24 ++++++-------
 chart/values.yaml | 4 +--
 test/framework/cosign.go | 1 -
 test/webhook_test.go | 74 ++++++++++++++++++++++++++++++++++++++++
 4 files changed, 88 insertions(+), 15 deletions(-)

diff --git a/Makefile b/Makefile
index b335428..f418c73 100644
--- a/Makefile
+++ b/Makefile
@@ -17,9 +17,9 @@ test-unit:
 e2e-cluster:
 @echo "Creating registry..."
- @k3d registry create registry.localhost --port 13942
+ @k3d registry create registry.localhost --port 5000
 @echo "Adding registry to cluster..."
- @k3d cluster create cosign-tests --registry-use k3d-registry.localhost:13942
+ @k3d cluster create cosign-tests --registry-use k3d-registry.localhost:5000
 @echo "Create test namespace..."
 @kubectl create namespace test-cases
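Review bot: The registry address `k3d-registry.localhost:5000` is spelled out literally in every recipe that touches it, here in the `e2e-cluster` target and again in the ten build/push/sign/helm lines of the `e2e-images`/`e2e-deploy` hunk, which is what turned a one-port change into a 24-line diff. A single variable near the top of the Makefile, e.g. `REGISTRY ?= k3d-registry.localhost:5000`, referenced as `$(REGISTRY)` in each recipe, would keep the address in one place. The same `:5000` address is also hard-coded in the new test in `test/webhook_test.go`, so the Makefile and the Go tests can drift apart again on the next port change unless the address is passed to the tests as well (an environment variable or a framework constant would do).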
@@ -33,29 +33,29 @@ e2e-images:
 @echo "Checking for cosign.key..."
 @test -f cosign.key || (echo "cosign.key not found. Run 'make e2e-keys' to generate the pairs needed for the tests." && exit 1)
 @echo "Building test image..."
- @docker build -t k3d-registry.localhost:13942/cosignwebhook:dev .
+ @docker build -t k3d-registry.localhost:5000/cosignwebhook:dev .
 @echo "Pushing test image..."
- @docker push k3d-registry.localhost:13942/cosignwebhook:dev
+ @docker push k3d-registry.localhost:5000/cosignwebhook:dev
 @echo "Signing test image..."
 @export COSIGN_PASSWORD="" && \
- cosign sign --tlog-upload=false --key cosign.key k3d-registry.localhost:13942/cosignwebhook:dev
+ cosign sign --tlog-upload=false --key cosign.key k3d-registry.localhost:5000/cosignwebhook:dev
 @echo "Importing test image to cluster..."
- @k3d image import k3d-registry.localhost:13942/cosignwebhook:dev --cluster cosign-tests
+ @k3d image import k3d-registry.localhost:5000/cosignwebhook:dev --cluster cosign-tests
 @echo "Building busybox image..."
 @docker pull busybox:latest
 @echo "Tagging & pushing busybox images..."
- @docker tag busybox:latest k3d-registry.localhost:13942/busybox:first
- @docker tag busybox:latest k3d-registry.localhost:13942/busybox:second
- @docker push k3d-registry.localhost:13942/busybox --all-tags
+ @docker tag busybox:latest k3d-registry.localhost:5000/busybox:first
+ @docker tag busybox:latest k3d-registry.localhost:5000/busybox:second
+ @docker push k3d-registry.localhost:5000/busybox --all-tags
 @echo "Signing busybox images..."
@export COSIGN_PASSWORD="" && \
- cosign sign --tlog-upload=false --key cosign.key k3d-registry.localhost:13942/busybox:first && \
- cosign sign --tlog-upload=false --key second.key k3d-registry.localhost:13942/busybox:second
+ cosign sign --tlog-upload=false --key cosign.key k3d-registry.localhost:5000/busybox:first && \
+ cosign sign --tlog-upload=false --key second.key k3d-registry.localhost:5000/busybox:second
 e2e-deploy:
 @echo "Deploying test image..."
 @helm upgrade -i cosignwebhook chart -n cosignwebhook --create-namespace \
- --set image.repository=k3d-registry.localhost:13942/cosignwebhook \
+ --set image.repository=k3d-registry.localhost:5000/cosignwebhook \
 --set image.tag=dev \
 --set-file cosign.scwebhook.key=cosign.pub \
 --set logLevel=debug \
diff --git a/chart/values.yaml b/chart/values.yaml
index 2430212..3c602a6 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -32,7 +32,7 @@ podAnnotations: {}
 podSecurityContext:
 fsGroup: 1000
 supplementalGroups:
- - 1000
+ - 1000
 # minimal permissions for container
 securityContext:
@@ -40,7 +40,7 @@ securityContext:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
- - ALL
+ - ALL
 privileged: false
 runAsUser: 1000
 runAsGroup: 1000
diff --git a/test/framework/cosign.go b/test/framework/cosign.go
index aafbd47..bbd3be3 100644
--- a/test/framework/cosign.go
+++ b/test/framework/cosign.go
@@ -136,7 +136,6 @@ func (f *Framework) SignContainer(t *testing.T, opts SignOptions) {
 "sign",
 opts.Image,
 }
- t.Setenv("COSIGN_PASSWORD", "")
 cmd := cli.New()
 _ = cmd.Flags().Set("timeout", "30s")
 cmd.SetArgs(args)
diff --git a/test/webhook_test.go b/test/webhook_test.go
index 8b37653..5b4f096 100644
--- a/test/webhook_test.go
+++ b/test/webhook_test.go
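Review bot: Removing `t.Setenv("COSIGN_PASSWORD", "")` makes SignContainer depend on whatever COSIGN_PASSWORD happens to be in the test process's environment: if the variable is unset and the key handed to `cosign sign` is password-protected, cosign falls back to prompting on the terminal, which in CI hangs or fails with no pointer to the cause. The Makefile targets in this same commit export an empty COSIGN_PASSWORD, so the assumption may be that framework-generated keys (`fw.CreateRSAKeyPair` in the new test) are never encrypted, but nothing in the hunk records that, nor whether the line was dropped so tests can call `t.Parallel()` (which `t.Setenv` forbids). A one-line comment where the call used to be, e.g. `// COSIGN_PASSWORD is deliberately inherited from the environment; keys created by the framework are expected to be unencrypted`, would make the contract explicit, or the function could fail fast with `t.Fatal` when the key is encrypted and the variable is unset. The enclosing SignContainer begins and ends outside the hunk.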
@@ -750,6 +750,80 @@ func testOneContainerSinglePubKeyEnvRefRSA(t *testing.T) {
 fw.Cleanup(t)
 }
+func TestTwoContainersSinglePubKeyEnvRefRSA(t *testing.T) {
+ fw, err := framework.New()
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ // Create a deployment with two containers signed by the same RSA key
+ _, rsaPub := fw.CreateRSAKeyPair(t, "test")
+ fw.SignContainer(t, framework.SignOptions{
+ KeyName: "test",
+ Image: "k3d-registry.localhost:5000/busybox:first",
+ SignatureRepo: "k3d-registry.localhost:5000/sigs",
+ })
+ fw.SignContainer(t, framework.SignOptions{
+ KeyName: "test",
+ Image: "k3d-registry.localhost:5000/busybox:second",
+ SignatureRepo: "k3d-registry.localhost:5000/sigs",
+ })
+
+ depl := appsv1.Deployment{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "two-containers-single-pubkey-envref",
+ Namespace: "test-cases",
+ },
+ Spec: appsv1.DeploymentSpec{
+ Selector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{"app": "two-containers-single-pubkey-envref"},
+ },
+ Template: corev1.PodTemplateSpec{
+ ObjectMeta: metav1.ObjectMeta{
+ Labels: map[string]string{"app": "two-containers-single-pubkey-envref"},
+ },
+ Spec: corev1.PodSpec{
+ TerminationGracePeriodSeconds: &terminationGracePeriodSeconds,
+ Containers: []corev1.Container{
+ {
+ Name: "two-containers-single-pubkey-envref",
+ Image: "k3d-registry.localhost:5000/busybox:first",
+ Command: []string{
+ "sh", "-c",
+ "echo 'hello world, i am tired and will sleep now'; sleep 60",
+ },
+ Env: []corev1.EnvVar{
+ {
+ Name: webhook.CosignEnvVar,
+ Value: rsaPub,
+ },
+ },
+ },
+ {
+ Name: "two-containers-single-pubkey-envref",
+ Image: "k3d-registry.localhost:5000/busybox:second",
+ Command: []string{
+ "sh", "-c",
+ "echo 'hello world, i am tired and will sleep now'; sleep 60",
+ },
+ Env: []corev1.EnvVar{
+ {
+ Name: webhook.CosignEnvVar,
+ Value: rsaPub,
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ }
+
+ fw.CreateDeployment(t, depl)
+ fw.WaitForDeployment(t, depl)
+ fw.Cleanup(t)
+}
+
 //
testOneContainerSinglePubKeyNoMatchEnvRef tests that a deployment with a single signed container,
 // with a public key provided via an environment variable, fails if the public key does not match the signature.
 func testOneContainerSinglePubKeyNoMatchEnvRef(t *testing.T) {
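Review bot: Both containers in the pod template are given the same `Name: "two-containers-single-pubkey-envref"`, and Kubernetes requires container names within a pod to be unique, so the API server should reject this Deployment at `fw.CreateDeployment` before the webhook's signature check on the second container is ever exercised; give them distinct names such as `Name: "two-containers-single-pubkey-envref-first"` and `Name: "two-containers-single-pubkey-envref-second"`, matching the image tags. The function also carries an exported `Test` prefix while its neighbours in this file (`testOneContainerSinglePubKeyEnvRefRSA`, `testOneContainerSinglePubKeyNoMatchEnvRef`) are unexported, which suggests they are driven from a parent test; as written this one runs on its own under `go test` and skips whatever that parent sets up, so it likely wants the lowercase name and a registration alongside its siblings. It also lacks the doc comment the siblings carry; `// testTwoContainersSinglePubKeyEnvRefRSA tests that a deployment with two containers signed by the same RSA key, each with the public key provided via an environment variable, is deployed successfully.` would match the file's convention.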