OCPNODE-2596: Add SigstoreImageVerification e2e tests #29530
Conversation
QiWang19
changed the title
openshift-ci-robot
added
the
jira/valid-reference
|
@QiWang19: This pull request references OCPNODE-2596 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@lyman9966 Could you help review the tests? I added some e2e according to the featuregate test requirement: https://github.com/openshift/api/blob/master/README.md#defining-featuregate-e2e-tests |
QiWang19
force-pushed
the
imgpolicy-sigstore-verification
branch
from
81d3b9b to
b0a8122
Compare
openshift-ci
bot
added
the
do-not-merge/work-in-progress
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
QiWang19
force-pushed
the
imgpolicy-sigstore-verification
branch
2 times, most recently
from
7c824e0 to
687c621
Compare
Signed-off-by: Qi Wang <qiwan@redhat.com>
QiWang19
force-pushed
the
imgpolicy-sigstore-verification
branch
from
687c621 to
029f94e
Compare
|
/test e2e-aws-ovn-single-node-techpreview-serial |
|
@QiWang19: This pull request references OCPNODE-2596 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/test e2e-aws-ovn-techpreview-serial |
|
/retest |
| func createClusterImagePolicy(oc *exutil.CLI, fixture string) { | ||
| err := oc.Run("create").Args("-f", fixture).Execute() | ||
| o.Expect(err).NotTo(o.HaveOccurred()) | ||
| time.Sleep(10 * time.Second) |
There was a problem hiding this comment.
For what do we need the sleep here and below?
There was a problem hiding this comment.
This sleep waits for the MachineConfigPool status to change to Updating. There is a delay in the status change after the CR is created.
There was a problem hiding this comment.
That's interesting! we don't need this delay in the MCO e2es, but perhaps the oc library is faster/slower for some reason.
| name: public-key-rekor-image-policy | ||
| spec: | ||
| scopes: | ||
| - quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:4db234f37ae6712e2f7ed8d13f7fb49971c173d0e4f74613d0121672fa2e01f5 |
There was a problem hiding this comment.
Is the image "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:XXXX" signed by sigstore signature ? I remembered this kind of image can't pass signature verification during previous test. The pod can start successfully due to the default image policy "insecureAcceptAnything"
There was a problem hiding this comment.
yes, they are signed by sigstore signature. The image policy insecureAcceptAnything is used when there's no policy enforced on the specific image scope. Once the policy for the specific image scope is applied correctly, the image will be verified using the policy.
$ cosign verify quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:714a42e9eb52ef1bae8a2575ca1a2bfdf733d5a6786f08ceb3b6ff61d59931cf --key cosign.pub --insecure-ignore-tlog=true
WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.
Verification for quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:714a42e9eb52ef1bae8a2575ca1a2bfdf733d5a6786f08ceb3b6ff61d59931cf --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
[{"critical":{"identity":{"docker-reference":"quay.io/openshift-release-dev/ocp-v4.0-art-dev"},"image":{"docker-manifest-digest":"sha256:714a42e9eb52ef1bae8a2575ca1a2bfdf733d5a6786f08ceb3b6ff61d59931cf"},"type":"cosign container image signature"},"optional":null}]
| // included the given mcName in its config, and returns the new | ||
| // rendered config name. | ||
| func WaitForRenderedConfig(oc *exutil.CLI, pool, mcName string) (string, error) { | ||
| return WaitForRenderedConfigs(oc, pool, mcName) |
There was a problem hiding this comment.
Maybe I'm not familiar with the logic here. Since the parameter "mcName" in func WaitForRenderedConfig is a string type, why do you realize a new func WaitForRenderedConfigs and treat this parameter as ...string type.
Of course you can keep them there, just be confusing.
There was a problem hiding this comment.
I borrowed this function from MCO e2e test package, I guess there might be callers who directly use this method with multiple mcName.
I would also let folks from MCO review.
There was a problem hiding this comment.
Thanks for catching this! I think it is something that was missed when WaitForRenderedConfigs was first added, we'll try to clean it up in the MCO repo.
|
Job Failure Risk Analysis for sha: 029f94e
|
|
@QiWang19: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/lgtm |
|
lgtm from the MCO side. The helpers are used correctly. |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: harche, lyman9966, QiWang19 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
This PR adds e2e tests for Clusterimagepolicy and imagepolicy (
SigstoreImageVerificationtech preview featuregate)