generated from sigstore/sigstore-project-template
-
Notifications
You must be signed in to change notification settings - Fork 56
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'issues_1388' of https://github.com/senanz/policy-contro…
…ller into issues_1388
- Loading branch information
Showing
3 changed files
with
281 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,180 @@ | ||
| # Copyright 2022 The Sigstore Authors. | ||
| # | ||
| # Licensed under the Apache License, Version 2.0 (the "License"); | ||
| # you may not use this file except in compliance with the License. | ||
| # You may obtain a copy of the License at | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
| # limitations under the License. | ||
|
|
||
| name: Test policy-controller with custom resource | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: [ 'main', 'release-*' ] | ||
|
|
||
| defaults: | ||
| run: | ||
| shell: bash | ||
|
|
||
| permissions: read-all | ||
|
|
||
| jobs: | ||
| cip-test-trustroot-bring-your-own-keys: | ||
| name: ClusterImagePolicy e2e tests with TrustRoot - Bring Your Own Keys | ||
| runs-on: ubuntu-latest | ||
|
|
||
| strategy: | ||
| fail-fast: false # Keep running if one leg fails. | ||
| matrix: | ||
| k8s-version: | ||
| - v1.27.x | ||
| - v1.28.x | ||
| - v1.29.x | ||
|
|
||
| env: | ||
| KO_DOCKER_REPO: "registry.local:5000/policy-controller" | ||
| SCAFFOLDING_RELEASE_VERSION: "v0.7.2" | ||
| GO111MODULE: on | ||
| GOFLAGS: -ldflags=-s -ldflags=-w | ||
| KOCACHE: ~/ko | ||
|
|
||
| steps: | ||
| - name: free up disk space for the release | ||
| run: | | ||
| rm -rf /usr/share/dotnet/ | ||
| rm -rf "$AGENT_TOOLSDIRECTORY" | ||
| rm -rf "/usr/local/share/boost" | ||
| rm -rf /opt/ghc | ||
| docker rmi $(docker image ls -aq) || true | ||
| swapoff /swapfile || true | ||
| rm -rf /swapfile /usr/share/dotnet /usr/local/lib/android /opt/ghc || true | ||
| apt purge aria2 ansible hhvm mono-devel azure-cli shellcheck rpm xorriso zsync \ | ||
| clang-6.0 lldb-6.0 lld-6.0 clang-format-6.0 clang-8 lldb-8 lld-8 clang-format-8 \ | ||
| clang-9 lldb-9 lld-9 clangd-9 clang-format-9 dotnet-sdk-3.0 dotnet-sdk-3.1=3.1.101-1 \ | ||
| esl-erlang firefox g++-8 g++-9 gfortran-8 gfortran-9 google-chrome-stable \ | ||
| google-cloud-sdk ghc-8.0.2 ghc-8.2.2 ghc-8.4.4 ghc-8.6.2 ghc-8.6.3 ghc-8.6.4 \ | ||
| ghc-8.6.5 ghc-8.8.1 ghc-8.8.2 ghc-8.8.3 ghc-8.10.1 cabal-install-2.0 cabal-install-2.2 \ | ||
| cabal-install-2.4 cabal-install-3.0 cabal-install-3.2 heroku imagemagick \ | ||
| libmagickcore-dev libmagickwand-dev libmagic-dev ant ant-optional kubectl \ | ||
| mercurial apt-transport-https mono-complete mysql-client libmysqlclient-dev \ | ||
| mysql-server mssql-tools unixodbc-dev yarn bazel chrpath libssl-dev libxft-dev \ | ||
| libfreetype6 libfreetype6-dev libfontconfig1 libfontconfig1-dev php7.1 php7.1-bcmath \ | ||
| php7.1-bz2 php7.1-cgi php7.1-cli php7.1-common php7.1-curl php7.1-dba php7.1-dev \ | ||
| php7.1-enchant php7.1-fpm php7.1-gd php7.1-gmp php7.1-imap php7.1-interbase php7.1-intl \ | ||
| php7.1-json php7.1-ldap php7.1-mbstring php7.1-mcrypt php7.1-mysql php7.1-odbc \ | ||
| php7.1-opcache php7.1-pgsql php7.1-phpdbg php7.1-pspell php7.1-readline php7.1-recode \ | ||
| php7.1-snmp php7.1-soap php7.1-sqlite3 php7.1-sybase php7.1-tidy php7.1-xml \ | ||
| php7.1-xmlrpc php7.1-xsl php7.1-zip php7.2 php7.2-bcmath php7.2-bz2 php7.2-cgi \ | ||
| php7.2-cli php7.2-common php7.2-curl php7.2-dba php7.2-dev php7.2-enchant php7.2-fpm \ | ||
| php7.2-gd php7.2-gmp php7.2-imap php7.2-interbase php7.2-intl php7.2-json php7.2-ldap \ | ||
| php7.2-mbstring php7.2-mysql php7.2-odbc php7.2-opcache php7.2-pgsql php7.2-phpdbg \ | ||
| php7.2-pspell php7.2-readline php7.2-recode php7.2-snmp php7.2-soap php7.2-sqlite3 \ | ||
| php7.2-sybase php7.2-tidy php7.2-xml php7.2-xmlrpc php7.2-xsl php7.2-zip php7.3 \ | ||
| php7.3-bcmath php7.3-bz2 php7.3-cgi php7.3-cli php7.3-common php7.3-curl php7.3-dba \ | ||
| php7.3-dev php7.3-enchant php7.3-fpm php7.3-gd php7.3-gmp php7.3-imap php7.3-interbase \ | ||
| php7.3-intl php7.3-json php7.3-ldap php7.3-mbstring php7.3-mysql php7.3-odbc \ | ||
| php7.3-opcache php7.3-pgsql php7.3-phpdbg php7.3-pspell php7.3-readline php7.3-recode \ | ||
| php7.3-snmp php7.3-soap php7.3-sqlite3 php7.3-sybase php7.3-tidy php7.3-xml \ | ||
| php7.3-xmlrpc php7.3-xsl php7.3-zip php7.4 php7.4-bcmath php7.4-bz2 php7.4-cgi \ | ||
| php7.4-cli php7.4-common php7.4-curl php7.4-dba php7.4-dev php7.4-enchant php7.4-fpm \ | ||
| php7.4-gd php7.4-gmp php7.4-imap php7.4-interbase php7.4-intl php7.4-json php7.4-ldap \ | ||
| php7.4-mbstring php7.4-mysql php7.4-odbc php7.4-opcache php7.4-pgsql php7.4-phpdbg \ | ||
| php7.4-pspell php7.4-readline php7.4-snmp php7.4-soap php7.4-sqlite3 php7.4-sybase \ | ||
| php7.4-tidy php7.4-xml php7.4-xmlrpc php7.4-xsl php7.4-zip php-amqp php-apcu \ | ||
| php-igbinary php-memcache php-memcached php-mongodb php-redis php-xdebug \ | ||
| php-zmq snmp pollinate libpq-dev postgresql-client powershell ruby-full \ | ||
| sphinxsearch subversion mongodb-org -yq >/dev/null 2>&1 || true | ||
| apt-get remove -y 'php.*' || true | ||
| apt-get autoremove -y >/dev/null 2>&1 || true | ||
| apt-get autoclean -y >/dev/null 2>&1 || true | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
| - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 | ||
| with: | ||
| go-version-file: './go.mod' | ||
| check-latest: true | ||
|
|
||
| # will use the latest release available for ko | ||
| - uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7 | ||
|
|
||
| - uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2.1.0 | ||
|
|
||
| - name: Install yq | ||
| uses: mikefarah/yq@bbdd97482f2d439126582a59689eb1c855944955 # v4.44.3 | ||
|
|
||
| - name: Setup mirror | ||
| uses: chainguard-dev/actions/setup-mirror@main | ||
| with: | ||
| mirror: mirror.gcr.io | ||
|
|
||
| - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v2 | ||
|
|
||
| - name: Install cluster + sigstore | ||
| uses: sigstore/scaffolding/actions/setup@main | ||
| env: | ||
| INSTALL_TSA: true | ||
| with: | ||
| k8s-version: ${{ matrix.k8s-version}} | ||
| version: ${{ env.SCAFFOLDING_RELEASE_VERSION }} | ||
|
|
||
| - name: Install policy-controller-with-only-pod-resource | ||
| env: | ||
| GIT_HASH: ${{ github.sha }} | ||
| GIT_VERSION: ci | ||
| LDFLAGS: "" | ||
| POLICY_CONTROLLER_YAML: test/kustomize-custom-resource/policy-controller-e2e.yaml | ||
| KO_PREFIX: registry.local:5000/policy-controller | ||
| POLICY_CONTROLLER_ARCHS: linux/amd64 | ||
| run: | | ||
| make ko-policy-controller | ||
| kustomize build test/kustomize-custom-resource | kubectl apply -f - | ||
| # Wait for the webhook to come up and become Ready | ||
| kubectl rollout status --timeout 5m --namespace cosign-system deployments/webhook | ||
| echo "TUF_ROOT_FILE=./root.json" >> $GITHUB_ENV | ||
| - name: Checkout TSA for testing. | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3.0.2 | ||
| with: | ||
| repository: sigstore/timestamp-authority | ||
| path: ./src/github.com/sigstore/timestamp-authority | ||
|
|
||
| - name: Build timestamp-cli | ||
| working-directory: ./src/github.com/sigstore/timestamp-authority | ||
| run: | | ||
| go build -o ./timestamp-cli ./cmd/timestamp-cli | ||
| - name: Exercise our local TSA | ||
| working-directory: ./src/github.com/sigstore/timestamp-authority | ||
| run: | | ||
| TSA_URL=$(kubectl -n tsa-system get ksvc tsa -ojsonpath='{.status.url}') | ||
| echo "TSA_URL=$TSA_URL" >> $GITHUB_ENV | ||
| curl $TSA_URL/api/v1/timestamp/certchain > ts_chain.pem | ||
| echo "myblob" > myblob | ||
| if ! ./timestamp-cli --timestamp_server $TSA_URL timestamp --hash sha256 --artifact myblob --out response.tsr ; then | ||
| echo "failed to timestamp artifact" | ||
| exit -1 | ||
| fi | ||
| if ! ./timestamp-cli verify --timestamp response.tsr --artifact "myblob" --certificate-chain ts_chain.pem ; then | ||
| echo "failed to verify timestamp" | ||
| exit -1 | ||
| fi | ||
| if ! ./timestamp-cli inspect --timestamp response.tsr --format json ; then | ||
| echo "failed to inspect the timestamp" | ||
| exit -1 | ||
| fi | ||
| - name: Run Custom resources Tests | ||
| timeout-minutes: 5 | ||
| run: | | ||
| ./test/e2e_test_policy_custom_resource.sh | ||
| - name: Collect diagnostics | ||
| if: ${{ failure() }} | ||
| uses: chainguard-dev/actions/kind-diag@29fb6e979a0b3efc79748a17e8cec08d0594cbfd # main |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,68 @@ | ||
| #!/usr/bin/env bash | ||
| # | ||
| # Copyright 2024 The Sigstore Authors. | ||
| # | ||
| # Licensed under the Apache License, Version 2.0 (the "License"); | ||
| # you may not use this file except in compliance with the License. | ||
| # You may obtain a copy of the License at | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
| # limitations under the License. | ||
|
|
||
| set -ex | ||
|
|
||
| if [[ -z "${KO_DOCKER_REPO}" ]]; then | ||
| echo "Must specify env variable KO_DOCKER_REPO" | ||
| exit 1 | ||
| fi | ||
|
|
||
| # Variables | ||
| export CUSTOM_RESOURCE="Pods,ReplicaSets" | ||
| export NS=custom-resource-test | ||
| export TIMESTAMP="TIMESTAMP" | ||
|
|
||
| # Helper function to validate webhook configuration | ||
| assert_webhook_configuration() { | ||
| local webhook_name=$1 | ||
| local resource=$2 | ||
|
|
||
| echo "Validating ${webhook_name} for resource ${resource}" | ||
| kubectl get ${webhook_name} -o yaml | grep -q "resources:.*${resource}" || { | ||
| echo "Resource ${resource} not found in ${webhook_name}" | ||
| exit 1 | ||
| } | ||
| echo "Resource ${resource} found in ${webhook_name}" | ||
| } | ||
|
|
||
| echo '::group:: Create and label namespace for testing' | ||
| kubectl create namespace ${NS} | ||
| kubectl label namespace ${NS} policy.sigstore.dev/include=true | ||
| echo '::endgroup::' | ||
|
|
||
| echo '::group:: Validate webhook configurations' | ||
| sleep 5 # Allow webhook configurations to propagate | ||
|
|
||
| for resource in Pods ReplicaSets; do | ||
| assert_webhook_configuration "MutatingWebhookConfiguration" "${resource}" | ||
| assert_webhook_configuration "ValidatingWebhookConfiguration" "${resource}" | ||
| done | ||
|
|
||
| # Ensure a non-monitored resource is NOT included | ||
| if kubectl get MutatingWebhookConfiguration -o yaml | grep -q "resources:.*DaemonSet"; then | ||
| echo "DaemonSet should not be included in MutatingWebhookConfiguration" | ||
| exit 1 | ||
| else | ||
| echo "DaemonSet correctly excluded from MutatingWebhookConfiguration" | ||
| fi | ||
| echo '::endgroup::' | ||
|
|
||
| echo '::group:: Cleanup' | ||
| kubectl delete ns ${NS} | ||
| echo '::endgroup::' | ||
|
|
||
| echo "Custom resource flag test completed successfully!" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| # Copyright 2022 The Sigstore Authors. | ||
| # | ||
| # Licensed under the Apache License, Version 2.0 (the "License"); | ||
| # you may not use this file except in compliance with the License. | ||
| # You may obtain a copy of the License at | ||
| # | ||
| # https://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
| # limitations under the License. | ||
|
|
||
| apiVersion: kustomize.config.k8s.io/v1beta1 | ||
| kind: Kustomization | ||
| resources: | ||
| - policy-controller-e2e.yaml | ||
|
|
||
| # Note we give garbage arguments to tuf-root and tuf-mirror to make it a good | ||
| # test to verify that these paths are not even executed. | ||
| patches: | ||
| - patch: |- | ||
| - op: add | ||
| path: /spec/template/spec/containers/0/args/- | ||
| value: --resource-name='pods' | ||
| - op: add | ||
| path: /spec/template/spec/containers/0/args/- | ||
| value: --resource-name='pods,replicasets' | ||
| target: | ||
| kind: Deployment | ||
| name: webhook |