From 458b84e3669eca6764b57893e2fbd94f80b237fa Mon Sep 17 00:00:00 2001 From: "gcp-cherry-pick-bot[bot]" <98988430+gcp-cherry-pick-bot[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 13:31:35 +0000 Subject: [PATCH] fix: expect base64 string in raw tuf root (#11117) (#11128) * fix: expect base64 string in raw tuf root * fix: add tests * fix: rename kyverno yaml file --------- Signed-off-by: Vishal Choudhary Co-authored-by: Vishal Choudhary Co-authored-by: shuting --- .github/workflows/conformance.yaml | 20 +++++++++++++ cmd/internal/tuf.go | 7 ++++- pkg/cosign/sigstore.go | 2 ++ .../config/sigstore-custom-tuf/kyverno.yaml | 5 ++++ test/conformance/chainsaw/e2e-matrix.json | 3 ++ .../README.md | 4 +++ .../chainsaw-test.yaml | 20 +++++++++++++ .../pod-assert.yaml | 6 ++++ .../sigstore-image-verification-test/pod.yaml | 10 +++++++ .../policy-assert.yaml | 10 +++++++ .../policy.yaml | 29 +++++++++++++++++++ 11 files changed, 115 insertions(+), 1 deletion(-) create mode 100644 scripts/config/sigstore-custom-tuf/kyverno.yaml create mode 100644 test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/README.md create mode 100755 test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/chainsaw-test.yaml create mode 100755 test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/pod-assert.yaml create mode 100755 test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/pod.yaml create mode 100755 test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/policy-assert.yaml create mode 100755 test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/policy.yaml diff --git a/.github/workflows/conformance.yaml b/.github/workflows/conformance.yaml index bbb82d430679..4bf3391cfd76 100644 --- a/.github/workflows/conformance.yaml +++ b/.github/workflows/conformance.yaml 
@@ -563,6 +563,26 @@ jobs: token: ${{ secrets.GITHUB_TOKEN }} chainsaw-tests: ${{ matrix.tests }} + sigstore-custom-tuf: + runs-on: ubuntu-latest + permissions: + packages: read + strategy: + fail-fast: false + matrix: + k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] + tests: ${{ fromJSON(needs.define-matrix.outputs.tests).sigstore-custom-tuf }} + needs: [ prepare-images, define-matrix ] + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: ./.github/actions/run-tests + with: + k8s-version: ${{ matrix.k8s-version }} + kind-config: ./scripts/config/kind/vap-v1beta1.yaml + kyverno-configs: standard,sigstore-custom-tuf + token: ${{ secrets.GITHUB_TOKEN }} + chainsaw-tests: ${{ matrix.tests }} + custom-sigstore: runs-on: ubuntu-latest permissions: diff --git a/cmd/internal/tuf.go b/cmd/internal/tuf.go index 2979c5db53f1..3d6f90e7cfb1 100644 --- a/cmd/internal/tuf.go +++ b/cmd/internal/tuf.go @@ -2,6 +2,7 @@ package internal import ( "context" + "encoding/base64" "fmt" "github.com/go-logr/logr" @@ -24,7 +25,11 @@ func setupSigstoreTUF(ctx context.Context, logger logr.Logger) { checkError(logger, err, fmt.Sprintf("Failed to read alternate TUF root file %s : %v", tufRoot, err)) } } else if tufRootRaw != "" { - tufRootBytes = []byte(tufRootRaw) + root, err := base64.StdEncoding.DecodeString(tufRootRaw) + if err != nil { + checkError(logger, err, fmt.Sprintf("Failed to base64 decode TUF root %s : %v", tufRootRaw, err)) + } + tufRootBytes = root } logger.Info("Initializing TUF root") diff --git a/pkg/cosign/sigstore.go b/pkg/cosign/sigstore.go index ffff30e46a89..7527a80a16f3 100644 --- a/pkg/cosign/sigstore.go +++ b/pkg/cosign/sigstore.go 
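Review bot: The failure message in the new base64 branch interpolates the whole `tufRootRaw` value with `%s`, so a malformed root (a multi-kilobyte TUF root JSON pasted un-encoded, which is exactly the case this fix targets) lands verbatim in the log line; report its size instead, e.g. `checkError(logger, err, fmt.Sprintf("Failed to base64 decode TUF root (%d bytes): %v", len(tufRootRaw), err))`. The `%v` of `err` also duplicates the `err` argument already handed to `checkError`, if that helper prints it — worth checking. This silently changes the accepted format of the raw root from JSON to base64, so wherever `tufRootRaw` is defined (flag help text, Helm values documentation) needs the same update, otherwise existing deployments fail at startup with a decode error. `setupSigstoreTUF` starts before and continues after the hunk.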
@@ -83,6 +83,8 @@ func verifyBundles(bundles []*Bundle, desc *v1.Descriptor, trustedRoot *root.Tru result, err := verifier.Verify(bundle.ProtoBundle, policy) if err == nil { verificationResults = append(verificationResults, &VerificationResult{Bundle: bundle, Result: result, Desc: desc}) + } else { + logger.V(4).Info("failed to verify sigstore bundle", "err", err.Error(), "bundle", bundle) } } diff --git a/scripts/config/sigstore-custom-tuf/kyverno.yaml b/scripts/config/sigstore-custom-tuf/kyverno.yaml new file mode 100644 index 000000000000..793c437182cf --- /dev/null +++ b/scripts/config/sigstore-custom-tuf/kyverno.yaml @@ -0,0 +1,5 @@ +features: + tuf: + enabled: true + rootRaw: "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" + mirror: "https://tuf-repo.github.com" diff --git a/test/conformance/chainsaw/e2e-matrix.json b/test/conformance/chainsaw/e2e-matrix.json index bdc3c9c17d29..c5e512883dac 100644 --- a/test/conformance/chainsaw/e2e-matrix.json +++ b/test/conformance/chainsaw/e2e-matrix.json @@ -106,6 +106,9 @@ "reports": [ "^reports$" ], + "sigstore-custom-tuf": [ + "^sigstore-custom-tuf$" + ], "ttl": [ "^ttl$" ], diff --git a/test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/README.md b/test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/README.md new file mode 100644 index 000000000000..d34ca198bde4 --- /dev/null +++ b/test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/README.md @@ -0,0 +1,4 @@ +## Description + +This test verifies sigstore bundle attached to an image. + diff --git a/test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/chainsaw-test.yaml b/test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/chainsaw-test.yaml new file mode 100755 index 000000000000..a98431593f3e --- /dev/null +++ b/test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/chainsaw-test.yaml 
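Review bot: The new `else` branch in `verifyBundles` only records a verification failure at `V(4)`, so when every bundle fails the caller is left with an empty `verificationResults` and no reason, and an operator sees a denied admission without the cause unless debug logging is enabled. Keep the debug line but also retain the errors, e.g. `errs = append(errs, fmt.Errorf("bundle %d: %w", i, err))` with the bundle index from the loop, and surface `errors.Join(errs...)` when no bundle verified; what the loop returns is outside the hunk, so confirm how the empty-result case is reported there. Logging the whole `bundle` struct as a key/value also dumps the entire protobuf bundle (certificates, signatures, tlog entries) into every debug line; a digest or the bundle index is enough to correlate. `verifyBundles` starts before and continues after the hunk.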
@@ -0,0 +1,20 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: sigstore-image-verification +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + file: pod.yaml + - assert: + file: pod-assert.yaml + diff --git a/test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/pod-assert.yaml b/test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/pod-assert.yaml new file mode 100755 index 000000000000..7ec43e84a5cb --- /dev/null +++ b/test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/pod-assert.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-pod + namespace: default + diff --git a/test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/pod.yaml b/test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/pod.yaml new file mode 100755 index 000000000000..fb3763d4f2b8 --- /dev/null +++ b/test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/pod.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-pod + namespace: default +spec: + containers: + - image: ghcr.io/nirmata/github-signing-demo:latest + name: test-container + diff --git a/test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/policy-assert.yaml b/test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/policy-assert.yaml new file mode 100755 index 000000000000..05883ad59158 --- /dev/null +++ b/test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/policy-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: sigstore-image-verification +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready + 
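Review bot: `pod.yaml` references the test image by the mutable tag `ghcr.io/nirmata/github-signing-demo:latest`, so the conformance run verifies whatever was most recently pushed there rather than a fixed artifact, and a re-push from another workflow or branch silently changes what the `subject` in `policy.yaml` is checked against. Pin the reference by digest, e.g. `image: ghcr.io/nirmata/github-signing-demo@sha256:<digest-of-the-attested-build>`, so the test is reproducible and a failure points at the verifier rather than at registry state.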
diff --git a/test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/policy.yaml b/test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/policy.yaml new file mode 100755 index 000000000000..f580a5da41c5 --- /dev/null +++ b/test/conformance/chainsaw/sigstore-custom-tuf/sigstore-image-verification-test/policy.yaml @@ -0,0 +1,29 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + annotations: + pod-policies.kyverno.io/autogen-controllers: none + name: sigstore-image-verification +spec: + background: false + validationFailureAction: Enforce + webhookTimeoutSeconds: 30 + rules: + - match: + any: + - resources: + kinds: + - Pod + name: sigstore-image-verification + verifyImages: + - imageReferences: + - "*" + type: SigstoreBundle + attestors: + - entries: + - keyless: + issuer: https://token.actions.githubusercontent.com + subject: https://github.com/nirmata/github-signing-demo/.github/workflows/build-attested-image.yaml@refs/heads/main + rekor: + url: https://rekor.sigstore.dev + ignoreTlog: true
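Review bot: The keyless attestor sets `rekor.url: https://rekor.sigstore.dev` and `ignoreTlog: true` together, which disables the transparency-log inclusion check the Rekor URL exists to perform, so the conformance test never exercises tlog verification against the custom TUF root it was added to cover. If the GitHub-issued bundle carries a Rekor entry, drop `ignoreTlog: true` so the test covers the full SigstoreBundle path; if it must stay, add a comment above it stating why (e.g. `# tlog check disabled for this fixture because: <reason>`) so the weakened policy is not copied into production. `imageReferences: "*"` with `validationFailureAction: Enforce` is cluster-wide, which is acceptable for an isolated kind cluster but deserves a line in the README so the fixture is not reused as a sample policy.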