Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Refactor insecure registry E2E tests #3701

Merged
merged 6 commits into from
May 17, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
106 changes: 106 additions & 0 deletions .github/workflows/e2e-tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -107,3 +107,109 @@ jobs:

- name: Acceptance Tests
run: go test -tags=e2e,kms -v ./test/...

e2e-registry:
runs-on: ubuntu-latest

env:
SCAFFOLDING_RELEASE_VERSION: "v0.6.17"

steps:
- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: '1.21'
check-latest: true

- name: Setup mirror
uses: chainguard-dev/actions/setup-mirror@main
with:
mirror: mirror.gcr.io

- name: Install cluster + sigstore
uses: sigstore/scaffolding/actions/setup@main
with:
version: ${{ env.SCAFFOLDING_RELEASE_VERSION }}

- name: Setup local insecure registry
run: |
# Create a self-signed SSL cert
mkdir -p insecure-certs
openssl req \
-subj "/C=US/ST=WA/L=Flavorton/O=Tests-R-Us/OU=Dept. of Insecurity/CN=example.com/emailAddress=testing@example.com" \
-newkey rsa:4096 -nodes -sha256 -keyout insecure-certs/domain.key \
-x509 -days 365 -out insecure-certs/domain.crt
# Run a registry.
docker run -d --restart=always \
--name $INSECURE_REGISTRY_NAME \
-v "$(pwd)"/insecure-certs:/insecure-certs \
-e REGISTRY_HTTP_ADDR=0.0.0.0:$INSECURE_REGISTRY_PORT \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/insecure-certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/insecure-certs/domain.key \
-p $INSECURE_REGISTRY_PORT:$INSECURE_REGISTRY_PORT \
registry:2
sudo echo "127.0.0.1 $INSECURE_REGISTRY_NAME" | sudo tee -a /etc/hosts
env:
# https://github.com/google/go-containerregistry/pull/125 allows insecure registry for
# '*.local' hostnames.
INSECURE_REGISTRY_NAME: insecure-registry.notlocal
INSECURE_REGISTRY_PORT: 5001

- name: Run Insecure Registry Tests
run: go test -tags=e2e,registry -v ./test/...
env:
COSIGN_TEST_REPO: insecure-registry.notlocal:5001

- name: Setup local insecure OCI 1.1 registry
run: |
# Create a self-signed SSL cert
mkdir -p insecure-certs
openssl req \
-subj "/C=US/ST=WA/L=Flavorton/O=Tests-R-Us/OU=Dept. of Insecurity/CN=example.com/emailAddress=testing@example.com" \
-newkey rsa:4096 -nodes -sha256 -keyout insecure-certs/domain.key \
-x509 -days 365 -out insecure-certs/domain.crt
cat > config.json << EOF
{
"distSpecVersion": "1.1.0-dev",
"storage": {
"rootDirectory": "/tmp/zot"
},
"http": {
"address": "0.0.0.0",
"port": "5002",
"realm": "zot",
"tls": {
"cert": "/insecure-certs/domain.crt",
"key": "/insecure-certs/domain.key"
}
},
"log": {
"level": "debug"
}
}
EOF
# Run a registry.
docker run -d --restart=always \
--name $INSECURE_OCI_REGISTRY_NAME \
-v "$(pwd)"/insecure-certs:/insecure-certs \
-v "$(pwd)"/config.json:/etc/zot/config.json \
-p $INSECURE_OCI_REGISTRY_PORT:$INSECURE_OCI_REGISTRY_PORT \
ghcr.io/project-zot/zot-minimal-linux-amd64:$ZOT_VERSION
sudo echo "127.0.0.1 $INSECURE_OCI_REGISTRY_NAME" | sudo tee -a /etc/hosts
env:
ZOT_VERSION: v2.0.0-rc6
# https://github.com/google/go-containerregistry/pull/125 allows insecure registry for
# '*.local' hostnames.
INSECURE_OCI_REGISTRY_NAME: insecure-oci-registry.notlocal
INSECURE_OCI_REGISTRY_PORT: 5002


- name: Run Insecure OCI 1.1 Registry Tests
run: go test -tags=e2e,registry -v ./test/...
env:
OCI11: yes
COSIGN_TEST_REPO: insecure-oci-registry.notlocal:5002

- name: Collect diagnostics
if: ${{ failure() }}
uses: chainguard-dev/actions/kind-diag@84c993eaf02da1c325854fb272a4df9184bd80fc # main
155 changes: 0 additions & 155 deletions .github/workflows/kind-e2e-insecure-registry.yaml

This file was deleted.

125 changes: 125 additions & 0 deletions test/e2e_insecure_registry_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,125 @@
// Copyright 2024 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

//go:build e2e && registry

package test

import (
"context"
"crypto/tls"
"net/http"
"os"
"path"
"testing"

"github.com/google/go-containerregistry/pkg/name"
"github.com/google/go-containerregistry/pkg/v1/random"
"github.com/google/go-containerregistry/pkg/v1/remote"
"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
"github.com/sigstore/cosign/v2/cmd/cosign/cli/sign"
cliverify "github.com/sigstore/cosign/v2/cmd/cosign/cli/verify"
"github.com/sigstore/cosign/v2/pkg/cosign/env"
ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
)

const (
oci11Var = "OCI11"
rekorURLVar = "REKOR_URL"
)

func TestInsecureRegistry(t *testing.T) {
if os.Getenv("COSIGN_TEST_REPO") == "" {
t.Fatal("COSIGN_TEST_REPO must be set to an insecure registry for this test")
}
repo, stop := reg(t)
defer stop()
td := t.TempDir()

imgName := path.Join(repo, "cosign-registry-e2e")
cleanup := makeImageIndexWithInsecureRegistry(t, imgName)
defer cleanup()

_, privKey, pubKey := keypair(t, td)

useOCI11 := os.Getenv("oci11Var") != ""

rekorURL := os.Getenv(rekorURLVar)
must(downloadAndSetEnv(t, rekorURL+"/api/v1/log/publicKey", env.VariableSigstoreRekorPublicKey.String(), td), t)

ko := options.KeyOpts{
KeyRef: privKey,
PassFunc: passFunc,
RekorURL: rekorURL,
SkipConfirmation: true,
}
so := options.SignOptions{
Upload: true,
TlogUpload: true,
}
mustErr(sign.SignCmd(ro, ko, so, []string{imgName}), t)
so.Registry = options.RegistryOptions{
AllowInsecure: true,
}
if useOCI11 {
so.RegistryExperimental = options.RegistryExperimentalOptions{
RegistryReferrersMode: options.RegistryReferrersModeOCI11,
}
}
must(sign.SignCmd(ro, ko, so, []string{imgName}), t)
mustErr(verify(pubKey, imgName, true, nil, "", false), t)
cmd := cliverify.VerifyCommand{
KeyRef: pubKey,
CheckClaims: true,
RegistryOptions: options.RegistryOptions{
AllowInsecure: true,
},
}
if useOCI11 {
cmd.ExperimentalOCI11 = true
}
must(cmd.Exec(context.Background(), []string{imgName}), t)
}

func makeImageIndexWithInsecureRegistry(t *testing.T, n string) func() {
ref, err := name.ParseReference(n, name.WeakValidation)
if err != nil {
t.Fatal(err)
}
index, err := random.Index(512, 1, 0)
if err != nil {
t.Fatal(err)
}
regClientOpts := registryClientOpts(context.Background())
// Add TLS config to allow us to push the image to the insecure registry
insecureTransport := &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: true,
},
}
regClientOpts = append(regClientOpts, remote.WithTransport(insecureTransport))
if err := remote.WriteIndex(ref, index, regClientOpts...); err != nil {
t.Fatal(err)
}
remoteImage, err := remote.Get(ref, regClientOpts...)
if err != nil {
t.Fatal(err)
}
cleanup := func() {
_ = remote.Delete(ref, regClientOpts...)
ref, _ := ociremote.SignatureTag(ref.Context().Digest(remoteImage.Descriptor.Digest.String()), ociremote.WithRemoteOptions(regClientOpts...))
_ = remote.Delete(ref, regClientOpts...)
}
return cleanup
}
Loading
Loading