-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Image signature verification workflow test #14124
Conversation
[test][testextended][extended:core(image signature workflow)] |
bbe0ef2
to
d09429f
Compare
test/extended/registry/signature.go
Outdated
|
||
g.It("can push a signed image to openshift registry and verify it", func() { | ||
g.By("building an signer image that know how to sign images") | ||
_, err := oc.Run("new-build").Args("--docker-image", "openshift/origin:latest", "--to", "signer:latest", "-D", "-").InputString(`FROM openshift/origin:latest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@bparees @smarterclayton is there a way to create a build config without creating an image stream?
The intent of this 'rebuild' is to add skopeo and generate gpg keys on top of the current openshift/origin:latest
image that is already present on the node (we build it using make release...).
I think the new-build
here will create image stream and import the openshift/origin:latest
from the dockerhub which is not what I want ;-)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
also I thought the --docker-image
will do what I want, but it still creates the image stream for the builder...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you can do it, but not via new-build/new-app. you'd have to define the build yourself using a dockerimage reference.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should have oc create buildconfig
:D
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've created #14138.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i will create the fixture for now :-)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can this include some negative scenarios? To name a few: verifying with a different key, verifying with different expected-identity
, verifying with no key, tagging another image over the verified istag (which is present in expected-identity) and verifying again, serving a wrong manifest to the verifier, …
test/extended/registry/signature.go
Outdated
e2e "k8s.io/kubernetes/test/e2e/framework" | ||
) | ||
|
||
var _ = g.Describe("image signature workflow", func() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Add '[imageapis]
.
test/extended/registry/signature.go
Outdated
ENV GNUPGHOME="/var/lib/origin/gnupg" | ||
RUN yum install -y skopeo && yum clean all | ||
RUN chmod 0777 -R /var/lib/origin && mkdir -p $GNUPGHOME && chmod 0600 $GNUPGHOME && \ | ||
rm -f /dev/random; ln -sf /dev/urandom /dev/random && \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ugh?
Maybe worth a comment.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@miminar containers lack entropy ;-)
test/extended/registry/signature.go
Outdated
err = exutil.WaitForAnImageStreamTag(oc, oc.Namespace(), "signed", "latest") | ||
o.Expect(err).NotTo(o.HaveOccurred()) | ||
|
||
g.By("checking the signature is present on the image and it state is unverified") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/on/in/
s/it/its/
test/extended/registry/signature.go
Outdated
o.Expect(err).NotTo(o.HaveOccurred()) | ||
|
||
g.By("signing the origin-pod:latest image and pushing it into signed:latest") | ||
// TODO: Note that the skopeo command is expecting the KUBERNETES_MASTER and the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should either go without TODO:
or state what needs to be done.
test/extended/registry/signature.go
Outdated
// image-signer and image-auditor roles. | ||
signAndPushCmd := fmt.Sprintf(`export KUBERNETES_MASTER=https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT;`+ | ||
`oc login --token=%s $KUBERNETES_MASTER --certificate-authority=/run/secrets/kubernetes.io/serviceaccount/ca.crt && `+ | ||
`skopeo --debug --tls-verify=false copy --sign-by joe@foo.bar --dest-creds %s:%s --dest-tls-verify=false docker://docker.io/openshift/origin-pod:latest atomic:%s/%s/signed:latest`, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is this signing docker.io/openshift/origin-pod:latest
? Can we use some local image? Is this pulling the image or just a manifest?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@miminar this pod does not have access to local docker (!) it uses skopeo transport. i don't want it to have privileged access.
0c1998c
to
1833540
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit, lgtm
test/extended/registry/signature.go
Outdated
|
||
g.It("can push a signed image to openshift registry and verify it", func() { | ||
g.By("building an signer image that know how to sign images") | ||
_, err := oc.Run("new-build").Args("--docker-image", "openshift/origin:latest", "--to", "signer:latest", "-D", "-").InputString(`FROM openshift/origin:latest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should have oc create buildconfig
:D
// Note that we need to replace the /dev/random with /dev/urandom to get more entropy | ||
// into container so we can successfully generate the GPG keypair. | ||
g.By("creating dummy GPG key") | ||
out, err := pod.Exec("rm -f /dev/random; ln -sf /dev/urandom /dev/random && " + |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
😟
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@soltysh without this the container will just hang forever as it does not have enough entropy... the same hack is used in the skopeo integration testing...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not saying you can't do this, I'm just expressing my level of sadness with this hack, sigh...
test/extended/util/framework.go
Outdated
waitErr := wait.PollImmediate(1*time.Second, 3*time.Minute, func() (bool, error) { | ||
var err error | ||
out, err = r.client.Run("exec").Args(r.podName, "--", "/bin/bash", "-c", script).Output() | ||
framework.Logf("output:\n%s\n", out) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Drop this line, not needed here. If you want to log it, make sure the caller does that for you, since you're returning that output.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sure. (this was for debugging the test only)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Few more nits.
test/extended/registry/signature.go
Outdated
o.Expect(err).NotTo(o.HaveOccurred()) | ||
o.Expect(out).To(o.ContainSubstring("Logged in")) | ||
|
||
// Sign and copy the origin-pod image into targed image stream tag |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/targed/target/
test/extended/registry/signature.go
Outdated
// TODO: Fix skopeo to pickup the Kubernetes environment variables (remove the $KUBERNETES_MASTER) | ||
g.By("signing the origin-pod:latest image and pushing it into openshift registry") | ||
_, err = pod.Exec("KUBERNETES_MASTER=https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT GNUPGHOME=/var/lib/origin/gnupg " + | ||
"skopeo --debug --tls-verify=false copy --sign-by joe@foo.bar --dest-creds " + user + ":" + token + " --dest-tls-verify=false docker://docker.io/openshift/origin-pod:latest atomic:" + signedImage) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Now that the pod is privileged, you could sign a local image instead of remote one.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@miminar i have no idea how to plumb the docker socket to skopeo in container... i guess it will make the test pretty complicated...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@miminar also skopeo does not use the docker to transport images, it has custom functions to deal with that.
test/extended/util/framework.go
Outdated
// Exec executes a single command or a script in the running pod. It returns the command | ||
// output and error if the command finished with non-zero status code or the command took | ||
// longer then 3 minutes to run. | ||
func (r *podExecutor) Exec(script string) (string, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The godoc could mention that the script
is a script interpreted by bash.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
@@ -0,0 +1,120 @@ | |||
package registry |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMHO this should belong rather to test/extended/imageapis
. But I admit it's ambiguous. Tests in the imageapis
directories work with registry as well. And the same goes for tests in images
and builds
directory.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah, i don't think either of these packages is a great location for this test, but I would like to have it in registry as the verification fetching manifest from registry and I want to add additional test in (near) future for the signature endpoint in registry (don't want to have the signature test splitted in two packages)
test/extended/registry/signature.go
Outdated
e2e "k8s.io/kubernetes/test/e2e/framework" | ||
) | ||
|
||
var _ = g.Describe("[imageapis] image signature workflow", func() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since it involves registry, there's no harm adding [registry]
as well. Sorry I missed that earlier.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sure.
continuous-integration/openshift-jenkins/test Waiting: Determining build queue position |
@miminar success \o/ |
Evaluated for origin testextended up to 1abda05 |
continuous-integration/openshift-jenkins/testextended SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin_extended/393/) (Base Commit: b581bfe) (Extended Tests: core(image signature workflow)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
[merge] |
[test] |
Evaluated for origin test up to 1abda05 |
continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/1523/) (Base Commit: 71b89dc) |
flake #14241 [merge] |
flake: #14236 (fixed) [merge] |
Evaluated for origin merge up to 1abda05 |
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_request_origin/704/) (Base Commit: ff5f7c5) (Image: devenv-rhel7_6240) |
@miminar @soltysh as promised
This will basically:
origin:latest
image (which should be the local image we built usingmake release
skopeo
into it and generate dummy GPG keys and commit it as "signer" imagesigned:latest
is present, check the signature using describeoc adm verify-image-signature
and verify the identity of the imageI'm pretty hesitating to add this into "comformance" as the test takes ~1minute to run, thoughts?