Merge pull request #355 from vaikas/issue-354

vaikas · web-flow · commit c20735d10000 · 2022-11-08T01:02:36.000-08:00
Fix issue 354.
diff --git a/.github/workflows/kind-cluster-image-policy-no-tuf.yaml b/.github/workflows/kind-cluster-image-policy-no-tuf.yaml
@@ -0,0 +1,100 @@
+# Copyright 2022 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Test policy-controller with ClusterImagePolicy TUF disabled
+
+on:
+  pull_request:
+    branches: [ 'main', 'release-*' ]
+
+defaults:
+  run:
+    shell: bash
+
+permissions: read-all
+
+jobs:
+  cip-test-no-tuf:
+    name: ClusterImagePolicy e2e tests TUF disabled
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        k8s-version:
+        - v1.22.x
+        - v1.23.x
+        - v1.24.x
+        - v1.25.x
+
+    env:
+      KO_DOCKER_REPO: "registry.local:5000/policy-controller"
+      SCAFFOLDING_RELEASE_VERSION: "v0.4.12"
+      GO111MODULE: on
+      GOFLAGS: -ldflags=-s -ldflags=-w
+      KOCACHE: ~/ko
+      COSIGN_EXPERIMENTAL: true
+
+    steps:
+    - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v2.4.0
+    - uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # v2.2.0
+      with:
+        go-version: '1.18'
+        check-latest: true
+
+    # will use the latest release available for ko
+    - uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
+
+    - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v1.6.1
+
+    - name: Install yq
+      uses: mikefarah/yq@1f0881fb5faf371694bfa108753cda0b824f5037 # v4.27.3
+
+    - name: Setup mirror
+      uses: chainguard-dev/actions/setup-mirror@main
+      with:
+        mirror: mirror.gcr.io
+
+    - uses: sigstore/cosign-installer@main
+      with:
+        cosign-release: 'v1.13.1'
+
+    - name: Install cluster + sigstore
+      uses: sigstore/scaffolding/actions/setup@main
+      with:
+        k8s-version: ${{ matrix.k8s-version}}
+        version: ${{ env.SCAFFOLDING_RELEASE_VERSION }}
+
+    - name: Install policy-controller
+      env:
+        GIT_HASH: ${{ github.sha }}
+        GIT_VERSION: ci
+        LDFLAGS: ""
+        POLICY_CONTROLLER_YAML: test/kustomize-no-tuf/policy-controller-e2e.yaml
+        KO_PREFIX: registry.local:5000/policy-controller
+        POLICY_CONTROLLER_ARCHS: linux/amd64
+      run: |
+        make ko-policy-controller
+        kustomize build test/kustomize-no-tuf | kubectl apply -f -
+
+        # Wait for the webhook to come up and become Ready
+        kubectl rollout status --timeout 5m --namespace cosign-system deployments/webhook
+
+    - name: Run Cluster Image Policy Tests that only tests keys, no keyless
+      timeout-minutes: 15
+      run: |
+        ./test/e2e_test_cluster_image_policy_no_tuf.sh
+
+    - name: Collect diagnostics
+      if: ${{ failure() }}
+      uses: chainguard-dev/actions/kind-diag@84c993eaf02da1c325854fb272a4df9184bd80fc # main
diff --git a/.github/workflows/kind-cluster-image-policy.yaml b/.github/workflows/kind-cluster-image-policy.yaml
@@ -45,7 +45,7 @@ jobs:
 
     env:
       KO_DOCKER_REPO: "registry.local:5000/policy-controller"
-      SCAFFOLDING_RELEASE_VERSION: "v0.4.8"
+      SCAFFOLDING_RELEASE_VERSION: "v0.4.12"
       GO111MODULE: on
       GOFLAGS: -ldflags=-s -ldflags=-w
       KOCACHE: ~/ko
@@ -71,7 +71,9 @@ jobs:
       with:
         mirror: mirror.gcr.io
 
-    - uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.3.0
+    - uses: sigstore/cosign-installer@main
+      with:
+        cosign-release: 'v1.13.1'
 
     - name: Install cluster + sigstore
       uses: sigstore/scaffolding/actions/setup@main
diff --git a/.github/workflows/kind-e2e-cosigned.yaml b/.github/workflows/kind-e2e-cosigned.yaml
@@ -57,7 +57,9 @@ jobs:
     - name: Install yq
       uses: mikefarah/yq@5e490527de24715db37869037083f7f391dde5a6 # v4.27.3
 
-    - uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.3.0
+    - uses: sigstore/cosign-installer@main
+      with:
+        cosign-release: 'v1.13.1'
 
     - name: Setup mirror
       uses: chainguard-dev/actions/setup-mirror@main
diff --git a/.github/workflows/policy-tester-examples.yml b/.github/workflows/policy-tester-examples.yml
@@ -49,8 +49,9 @@ jobs:
       run: |
         make policy-tester
 
-    - name: Install cosign
-      uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.5.0
+    - uses: sigstore/cosign-installer@main
+      with:
+        cosign-release: 'v1.13.1'
 
     - name: Setup local registry
       run: |
diff --git a/cmd/webhook/main.go b/cmd/webhook/main.go
@@ -63,6 +63,10 @@ var webhookName = flag.String("webhook-name", "policy.sigstore.dev", "The name o
 var tufMirror = flag.String("tuf-mirror", tuf.DefaultRemoteRoot, "Alternate TUF mirror. If left blank, public sigstore one is used")
 var tufRoot = flag.String("tuf-root", "", "Alternate TUF root.json. If left blank, public sigstore one is used")
 
+// Do not initialize TUF at all.
+// https://github.com/sigstore/policy-controller/issues/354
+var disableTUF = flag.Bool("disable-tuf", false, "Disable TUF support.")
+
 func main() {
 	opts := webhook.Options{
 		ServiceName: "webhook",
@@ -76,18 +80,21 @@ func main() {
 
 	flag.Parse()
 
-	// If they provided an alternate TUF root file to use, read it here.
-	var tufRootBytes []byte
-	var err error
-	if *tufRoot != "" {
-		tufRootBytes, err = os.ReadFile(*tufRoot)
-		if err != nil {
-			logging.FromContext(ctx).Panicf("Failed to read alternate TUF root file %s : %v", *tufRoot, err)
+	// If TUF has been disabled do not try to set it up.
+	if !*disableTUF {
+		// If they provided an alternate TUF root file to use, read it here.
+		var tufRootBytes []byte
+		var err error
+		if *tufRoot != "" {
+			tufRootBytes, err = os.ReadFile(*tufRoot)
+			if err != nil {
+				logging.FromContext(ctx).Panicf("Failed to read alternate TUF root file %s : %v", *tufRoot, err)
+			}
+		}
+		logging.FromContext(ctx).Infof("Initializing TUF root from %s => %s", *tufRoot, *tufMirror)
+		if err := tuf.Initialize(ctx, *tufMirror, tufRootBytes); err != nil {
+			logging.FromContext(ctx).Panicf("Failed to initialize TUF client from %s : %v", *tufRoot, err)
 		}
-	}
-	logging.FromContext(ctx).Infof("Initializing TUF root from %s => %s", *tufRoot, *tufMirror)
-	if err := tuf.Initialize(ctx, *tufMirror, tufRootBytes); err != nil {
-		logging.FromContext(ctx).Panicf("Failed to initialize TUF client from %s : %v", *tufRoot, err)
 	}
 
 	v := version.GetVersionInfo()
diff --git a/test/e2e_test_cluster_image_policy.sh b/test/e2e_test_cluster_image_policy.sh
@@ -545,6 +545,10 @@ kubectl delete cip --all
 kubectl delete ns demo-key-sha512
 echo '::endgroup::'
 
+# These tests have been running for awhile now, so grab a new OIDC_TOKEN since
+# we've seen them expire in the middle of the tests.
+export OIDC_TOKEN=`curl -s ${ISSUER_URL}`
+
 # Publish the first test image
 echo '::group:: publish test image demoEphemeralImage'
 pushd $(mktemp -d)
diff --git a/test/e2e_test_cluster_image_policy_no_tuf.sh b/test/e2e_test_cluster_image_policy_no_tuf.sh
@@ -0,0 +1,159 @@
+#!/usr/bin/env bash
+#
+# Copyright 2022 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+set -ex
+
+if [[ -z "${KO_DOCKER_REPO}" ]]; then
+  echo "Must specify env variable KO_DOCKER_REPO"
+  exit 1
+fi
+
+if [[ -z "${FULCIO_URL}" ]]; then
+  echo "Must specify env variable FULCIO_URL"
+  exit 1
+fi
+
+if [[ -z "${REKOR_URL}" ]]; then
+  echo "Must specify env variable REKOR_URL"
+  exit 1
+fi
+
+if [[ "${NON_REPRODUCIBLE}"=="1" ]]; then
+  echo "creating non-reproducible build by adding a timestamp"
+  export TIMESTAMP=`date +%s`
+else
+  export TIMESTAMP="TIMESTAMP"
+fi
+
+# To simplify testing failures, use this function to execute a kubectl to create
+# our job and verify that the failure is expected.
+assert_error() {
+  local KUBECTL_OUT_FILE="/tmp/kubectl.failure.out"
+  match="$@"
+  echo looking for ${match}
+  kubectl delete job demo -n ${NS} --ignore-not-found=true
+  if kubectl create -n ${NS} job demo --image=${demoimage} 2> ${KUBECTL_OUT_FILE} ; then
+    echo Failed to block expected Job failure!
+    exit 1
+  else
+    echo Successfully blocked Job creation with expected error: "${match}"
+    if ! grep -q "${match}" ${KUBECTL_OUT_FILE} ; then
+      echo Did not get expected failure message, wanted "${match}", got
+      cat ${KUBECTL_OUT_FILE}
+      exit 1
+    fi
+  fi
+}
+
+# Publish test image
+echo '::group:: publish test image demoimage'
+pushd $(mktemp -d)
+go mod init example.com/demo
+cat <<EOF > main.go
+package main
+import "fmt"
+func main() {
+  fmt.Println("hello world TIMESTAMP")
+}
+EOF
+
+sed -i'' -e "s@TIMESTAMP@${TIMESTAMP}@g" main.go
+cat main.go
+export demoimage=`ko publish -B example.com/demo`
+echo Created image $demoimage
+popd
+echo '::endgroup::'
+
+echo '::group:: Create and label new namespace for verification'
+kubectl create namespace demo-no-tuf
+kubectl label namespace demo-no-tuf policy.sigstore.dev/include=true
+export NS=demo-no-tuf
+echo '::endgroup::'
+
+echo '::group:: Generate New Signing Key that we use for key-ful signing'
+COSIGN_PASSWORD="" cosign generate-key-pair
+echo '::endgroup::'
+
+# Create CIP that requires a signature with a key.
+echo '::group:: Create CIP that requires a keyful signature'
+yq '. | .spec.authorities[0].key.data |= load_str("cosign.pub")' ./test/testdata/policy-controller/e2e/cip-key-no-rekor.yaml | kubectl apply -f -
+
+# Give the policy controller a moment to update the configmap
+# and pick up the change in the admission controller.
+sleep 5
+echo '::endgroup::'
+
+# This image has not been signed with our key
+# so should fail
+echo '::group:: test job rejection'
+expected_error='no matching signatures'
+assert_error ${expected_error}
+echo '::endgroup::'
+
+# Sign it with key
+echo '::group:: Sign demoimage with key, do not add to rekor'
+COSIGN_PASSWORD="" cosign sign --no-tlog-upload --key cosign.key  --allow-insecure-registry ${demoimage}
+echo '::endgroup::'
+
+# TODO(vaikas): This fails because it doesn't have a Rekor entry. Which it obvs
+# does not because of --no-tlog-upload above.
+#echo '::group:: Verify demoimage with cosign key'
+#cosign verify --key cosign.pub --allow-insecure-registry ${demoimage}
+#echo '::endgroup::'
+
+# Then let's test attestations work too with key.
+echo '::group:: Create CIP that requires a keyful attestation'
+yq '. | .spec.authorities[0].key.data |= load_str("cosign.pub")' ./test/testdata/policy-controller/e2e/cip-key-with-attestations-no-rekor.yaml | kubectl apply -f -
+
+# Give the policy controller a moment to update the configmap
+# and pick up the change in the admission controller.
+sleep 5
+echo '::endgroup::'
+
+# This image has been signed with key, but does not have a key attestation
+# so should fail
+echo '::group:: test job rejection'
+expected_error='no matching attestations'
+assert_error ${expected_error}
+echo '::endgroup::'
+
+# Fine, so create an attestation for it.
+echo '::group:: create keyful attestation, do not add to rekor'
+echo -n 'foobar key e2e test' > ./predicate-file-key-custom
+COSIGN_PASSWORD="" cosign attest --predicate ./predicate-file-key-custom --key ./cosign.key --allow-insecure-registry --no-tlog-upload ${demoimage}
+
+# TODO(vaikas): This again fails though it really shouldn't.
+#cosign verify-attestation --key ./cosign.pub --allow-insecure-registry ${demoimage}
+echo '::endgroup::'
+
+export KUBECTL_SUCCESS_FILE="/tmp/kubectl.success.out"
+echo '::group:: test job success with key signature and key attestation'
+# We signed this with key and it has a key attestation, so should pass.
+if ! kubectl create -n ${NS} job demo2 --image=${demoimage} 2> ${KUBECTL_SUCCESS_FILE} ; then
+  echo Failed to create job with both key signature and attestation
+  cat ${KUBECTL_SUCCESS_FILE}
+  exit 1
+else
+  echo Created the job with key signature and an attestation
+fi
+echo '::endgroup::'
+
+echo '::group::' Cleanup
+kubectl delete cip --all
+kubectl delete ns ${NS}
+rm cosign.key cosign.pub
+echo '::endgroup::'
diff --git a/test/e2e_test_cluster_image_policy_with_attestations.sh b/test/e2e_test_cluster_image_policy_with_attestations.sh
@@ -268,6 +268,6 @@ echo '::endgroup::'
 
 echo '::group::' Cleanup
 kubectl delete cip --all
-kubectl delete ns demo-attestations
+kubectl delete ns ${NS}
 rm cosign.key cosign.pub
 echo '::endgroup::'
diff --git a/test/e2e_test_cluster_image_policy_with_warn.sh b/test/e2e_test_cluster_image_policy_with_warn.sh
@@ -198,5 +198,5 @@ echo '::endgroup::'
 
 echo '::group::' Cleanup
 kubectl delete cip --all
-kubectl delete ns demo-keyless-signing
+kubectl delete ns ${NS}
 echo '::endgroup::'
diff --git a/test/kustomize-no-tuf/kustomization.yaml b/test/kustomize-no-tuf/kustomization.yaml
diff --git a/test/testdata/policy-controller/e2e/cip-key-no-rekor.yaml b/test/testdata/policy-controller/e2e/cip-key-no-rekor.yaml
diff --git a/test/testdata/policy-controller/e2e/cip-key-with-attestations-no-rekor.yaml b/test/testdata/policy-controller/e2e/cip-key-with-attestations-no-rekor.yaml
