Image signature verification workflow test #14124
Conversation
|
[test][testextended][extended:core(image signature workflow)] |
mfojtik
changed the title
mfojtik
force-pushed
the
signature-test
branch
2 times, most recently
from
bbe0ef2
to
d09429f
Compare
test/extended/registry/signature.go
Outdated
|
|
||
| g.It("can push a signed image to openshift registry and verify it", func() { | ||
| g.By("building an signer image that know how to sign images") | ||
| _, err := oc.Run("new-build").Args("--docker-image", "openshift/origin:latest", "--to", "signer:latest", "-D", "-").InputString(`FROM openshift/origin:latest |
There was a problem hiding this comment.
@bparees @smarterclayton is there a way to create a build config without creating an image stream?
The intent of this 'rebuild' is to add skopeo and generate gpg keys on top of the current openshift/origin:latest image that is already present on the node (we build it using make release...).
I think the new-build here will create image stream and import the openshift/origin:latest from the dockerhub which is not what I want ;-)
There was a problem hiding this comment.
also I thought the --docker-image will do what I want, but it still creates the image stream for the builder...
There was a problem hiding this comment.
you can do it, but not via new-build/new-app. you'd have to define the build yourself using a dockerimage reference.
There was a problem hiding this comment.
We should have oc create buildconfig :D
There was a problem hiding this comment.
i will create the fixture for now :-)
There was a problem hiding this comment.
Can this include some negative scenarios? To name a few: verifying with a different key, verifying with different expected-identity, verifying with no key, tagging another image over the verified istag (which is present in expected-identity) and verifying again, serving a wrong manifest to the verifier, …
test/extended/registry/signature.go
Outdated
| e2e "k8s.io/kubernetes/test/e2e/framework" | ||
| ) | ||
|
|
||
| var _ = g.Describe("image signature workflow", func() { |
test/extended/registry/signature.go
Outdated
| ENV GNUPGHOME="/var/lib/origin/gnupg" | ||
| RUN yum install -y skopeo && yum clean all | ||
| RUN chmod 0777 -R /var/lib/origin && mkdir -p $GNUPGHOME && chmod 0600 $GNUPGHOME && \ | ||
| rm -f /dev/random; ln -sf /dev/urandom /dev/random && \ |
There was a problem hiding this comment.
@miminar containers lack entropy ;-)
test/extended/registry/signature.go
Outdated
| err = exutil.WaitForAnImageStreamTag(oc, oc.Namespace(), "signed", "latest") | ||
| o.Expect(err).NotTo(o.HaveOccurred()) | ||
|
|
||
| g.By("checking the signature is present on the image and it state is unverified") |
test/extended/registry/signature.go
Outdated
| o.Expect(err).NotTo(o.HaveOccurred()) | ||
|
|
||
| g.By("signing the origin-pod:latest image and pushing it into signed:latest") | ||
| // TODO: Note that the skopeo command is expecting the KUBERNETES_MASTER and the |
There was a problem hiding this comment.
This should either go without TODO: or state what needs to be done.
test/extended/registry/signature.go
Outdated
| // image-signer and image-auditor roles. | ||
| signAndPushCmd := fmt.Sprintf(`export KUBERNETES_MASTER=https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT;`+ | ||
| `oc login --token=%s $KUBERNETES_MASTER --certificate-authority=/run/secrets/kubernetes.io/serviceaccount/ca.crt && `+ | ||
| `skopeo --debug --tls-verify=false copy --sign-by joe@foo.bar --dest-creds %s:%s --dest-tls-verify=false docker://docker.io/openshift/origin-pod:latest atomic:%s/%s/signed:latest`, |
There was a problem hiding this comment.
Why is this signing docker.io/openshift/origin-pod:latest? Can we use some local image? Is this pulling the image or just a manifest?
There was a problem hiding this comment.
@miminar this pod does not have access to local docker (!) it uses skopeo transport. i don't want it to have privileged access.
mfojtik
force-pushed
the
signature-test
branch
5 times, most recently
from
0c1998c
to
1833540
Compare
test/extended/registry/signature.go
Outdated
|
|
||
| g.It("can push a signed image to openshift registry and verify it", func() { | ||
| g.By("building an signer image that know how to sign images") | ||
| _, err := oc.Run("new-build").Args("--docker-image", "openshift/origin:latest", "--to", "signer:latest", "-D", "-").InputString(`FROM openshift/origin:latest |
There was a problem hiding this comment.
We should have oc create buildconfig :D
| // Note that we need to replace the /dev/random with /dev/urandom to get more entropy | ||
| // into container so we can successfully generate the GPG keypair. | ||
| g.By("creating dummy GPG key") | ||
| out, err := pod.Exec("rm -f /dev/random; ln -sf /dev/urandom /dev/random && " + |
There was a problem hiding this comment.
@soltysh without this the container will just hang forever as it does not have enough entropy... the same hack is used in the skopeo integration testing...
There was a problem hiding this comment.
I'm not saying you can't do this, I'm just expressing my level of sadness with this hack, sigh...
test/extended/util/framework.go
Outdated
| waitErr := wait.PollImmediate(1*time.Second, 3*time.Minute, func() (bool, error) { | ||
| var err error | ||
| out, err = r.client.Run("exec").Args(r.podName, "--", "/bin/bash", "-c", script).Output() | ||
| framework.Logf("output:\n%s\n", out) |
There was a problem hiding this comment.
Drop this line, not needed here. If you want to log it, make sure the caller does that for you, since you're returning that output.
There was a problem hiding this comment.
sure. (this was for debugging the test only)
test/extended/registry/signature.go
Outdated
| o.Expect(err).NotTo(o.HaveOccurred()) | ||
| o.Expect(out).To(o.ContainSubstring("Logged in")) | ||
|
|
||
| // Sign and copy the origin-pod image into targed image stream tag |
test/extended/registry/signature.go
Outdated
| // TODO: Fix skopeo to pickup the Kubernetes environment variables (remove the $KUBERNETES_MASTER) | ||
| g.By("signing the origin-pod:latest image and pushing it into openshift registry") | ||
| _, err = pod.Exec("KUBERNETES_MASTER=https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT GNUPGHOME=/var/lib/origin/gnupg " + | ||
| "skopeo --debug --tls-verify=false copy --sign-by joe@foo.bar --dest-creds " + user + ":" + token + " --dest-tls-verify=false docker://docker.io/openshift/origin-pod:latest atomic:" + signedImage) |
There was a problem hiding this comment.
Now that the pod is privileged, you could sign a local image instead of remote one.
There was a problem hiding this comment.
@miminar i have no idea how to plumb the docker socket to skopeo in container... i guess it will make the test pretty complicated...
There was a problem hiding this comment.
@miminar also skopeo does not use the docker to transport images, it has custom functions to deal with that.
test/extended/util/framework.go
Outdated
| // Exec executes a single command or a script in the running pod. It returns the command | ||
| // output and error if the command finished with non-zero status code or the command took | ||
| // longer then 3 minutes to run. | ||
| func (r *podExecutor) Exec(script string) (string, error) { |
There was a problem hiding this comment.
The godoc could mention that the script is a script interpreted by bash.
| @@ -0,0 +1,120 @@ | |||
| package registry | |||
There was a problem hiding this comment.
IMHO this should belong rather to test/extended/imageapis. But I admit it's ambiguous. Tests in the imageapis directories work with registry as well. And the same goes for tests in images and builds directory.
There was a problem hiding this comment.
yeah, i don't think either of these packages is a great location for this test, but I would like to have it in registry as the verification fetching manifest from registry and I want to add additional test in (near) future for the signature endpoint in registry (don't want to have the signature test splitted in two packages)
test/extended/registry/signature.go
Outdated
| e2e "k8s.io/kubernetes/test/e2e/framework" | ||
| ) | ||
|
|
||
| var _ = g.Describe("[imageapis] image signature workflow", func() { |
There was a problem hiding this comment.
Since it involves registry, there's no harm adding [registry] as well. Sorry I missed that earlier.
|
continuous-integration/openshift-jenkins/test Waiting: Determining build queue position |
|
@miminar success \o/ |
|
Evaluated for origin testextended up to 1abda05 |
|
continuous-integration/openshift-jenkins/testextended SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin_extended/393/) (Base Commit: b581bfe) (Extended Tests: core(image signature workflow)) |
|
[merge] |
|
[test] |
|
Evaluated for origin test up to 1abda05 |
|
continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/1523/) (Base Commit: 71b89dc) |
|
flake #14241 [merge] |
|
flake: #14236 (fixed) [merge] |
|
Evaluated for origin merge up to 1abda05 |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_request_origin/704/) (Base Commit: ff5f7c5) (Image: devenv-rhel7_6240) |
@miminar @soltysh as promised
This will basically:
origin:latestimage (which should be the local image we built usingmake releaseskopeointo it and generate dummy GPG keys and commit it as "signer" imagesigned:latestis present, check the signature using describeoc adm verify-image-signatureand verify the identity of the imageI'm pretty hesitating to add this into "comformance" as the test takes ~1minute to run, thoughts?