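#!/bin/bash
#
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# End-to-end test for the cosigned admission webhook.
#
# Flow: publish an unsigned sample image with ko, then check that
#   * a Fulcio-signed distroless image is admitted in a labelled namespace,
#   * Pods/Jobs/CronJobs built from the unsigned image are admitted while the
#     namespace is unlabelled and rejected once it is labelled,
#   * the webhook resolves the image tag to the published digest,
#   * the same workloads are admitted after the image is signed with the key
#     stored in the cosign-system/verification-key secret.
#
# Required environment:
#   KO_DOCKER_REPO  - registry prefix `ko publish` pushes to (also used in the
#                     generated manifests)
#   COSIGN_PASSWORD - password for the generated signing key; read by cosign
#                     itself from the environment and copied into the secret
#
# -u stops the script before a manifest is written with an empty repo name;
# pipefail makes the secret-extraction and dry-run pipelines below fail loudly
# instead of silently yielding empty output.
set -euxo pipefail

: "${KO_DOCKER_REPO:?must be set to the registry ko publishes to}"

#######################################
# Expect the admission webhook to admit a manifest.
# Arguments: $1 - manifest path
#            $2 - message printed when creation fails
#            $3 - message printed when creation succeeds
# Outputs:   one of the two messages on stdout
# Returns:   exits 1 when kubectl create fails
#######################################
expect_admitted() {
  local manifest=$1 fail_msg=$2 ok_msg=$3
  if ! kubectl create -f "$manifest"; then
    printf '%s\n' "$fail_msg"
    exit 1
  fi
  printf '%s\n' "$ok_msg"
}

#######################################
# Expect the admission webhook to reject a manifest.
# Arguments: $1 - manifest path
#            $2 - message printed when creation unexpectedly succeeds
#            $3 - message printed when creation is blocked
# Outputs:   one of the two messages on stdout
# Returns:   exits 1 when kubectl create succeeds
#######################################
expect_rejected() {
  local manifest=$1 fail_msg=$2 ok_msg=$3
  if kubectl create -f "$manifest"; then
    printf '%s\n' "$fail_msg"
    exit 1
  fi
  printf '%s\n' "$ok_msg"
}

#######################################
# Expect a server-side dry run to have rewritten the container image field
# to the digest published at the top of the script.
# Globals:   DIGEST (read)
# Arguments: $1 - manifest path
#            $2 - yq path of the container image field in the returned object
# Outputs:   result message on stdout
# Returns:   exits 1 when the dry run fails or the image is not the digest
#######################################
expect_digest_resolved() {
  local manifest=$1 image_path=$2 image
  # A failing kubectl/yq stage (pipefail) is reported the same way as a
  # wrong value, rather than aborting without a message.
  if ! image=$(kubectl create --dry-run=server -f "$manifest" -oyaml | yq e "$image_path" -) \
    || [[ "$image" != "$DIGEST" ]]; then
    echo Failed to resolve tag to digest!
    exit 1
  fi
  echo Successfully resolved tag to digest.
}

echo '::group:: publish test image'
DIGEST=$(ko publish -B ./cmd/sample)
cat > pod.yaml <<EOF
apiVersion: v1
kind: Pod
metadata:
  generateName: pod-test-
spec:
  restartPolicy: Never
  containers:
  - name: sample
    image: $KO_DOCKER_REPO/sample
EOF
cat > distroless-pod.yaml <<EOF
apiVersion: v1
kind: Pod
metadata:
  generateName: pod-test-
spec:
  restartPolicy: Never
  containers:
  - name: sample
    image: gcr.io/distroless/base:debug
    command: [/busybox/sh, -c]
    args:
    - |
      echo Testing Fulcio verification
EOF
cat > job.yaml <<EOF
apiVersion: batch/v1
kind: Job
metadata:
  generateName: job-test-
spec:
  template:
    spec:
      restartPolicy: Never
      containers:
      - name: sample
        image: $KO_DOCKER_REPO/sample
EOF

cat > cronjob.yaml <<EOF
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  generateName: cronjob-test-
spec:
  schedule: "* * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: sample
            image: $KO_DOCKER_REPO/sample
          restartPolicy: Never
EOF
echo '::endgroup::'

# Two fixed public keys that do not match the signing key; the generated
# key's public half is appended later so the secret holds several keys.
echo '::group:: write baseline verification keys'
cat > manykeys.pem <<EOF
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQaXTMA1eCVAGCTWxTe8ZQ0JVNSXV
A+6/ffM1bfNnq3AGkhGNfJTI3P0w1Y69gBTF/AfXhYuEc/SxmX0b3PwzWg==
-----END PUBLIC KEY-----
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE40I8/4Q4k7IhuJvesexymMH4mQa6
nD9c9iLu5S/Y5yjCDYtDTB7MzwTy+0RtIdIAv1ePBVGVQ/s7M2QDdrA8SQ==
-----END PUBLIC KEY-----
EOF
echo '::endgroup::'

echo '::group:: enable verification'
kubectl label namespace default --overwrite cosigned.sigstore.dev/include=true
echo '::endgroup::'

echo '::group:: test pod success (Fulcio root)'
# This time it should succeed!
expect_admitted distroless-pod.yaml \
  'Failed to create Pod signed by Fulcio!' \
  'Successfully created Pod signed by Fulcio.'
echo '::endgroup::'

echo '::group:: setup verification-key'
# Update the cosign verification-key secret with a proper key pair.
cosign generate-key-pair k8s://cosign-system/verification-key
echo '::endgroup::'

echo '::group:: setup multiple verification-keys'
cosign public-key --key k8s://cosign-system/verification-key >> manykeys.pem

# Save the old key. With pipefail a failed extraction aborts here, before the
# delete below, so the secret is never dropped with nothing valid to restore.
# umask keeps the private key file readable only by this user.
umask 077
kubectl get secret -n cosign-system verification-key -o=json \
  | jq -r '.data["cosign.key"]' \
  | base64 --decode > cosign.key
kubectl delete secret -n cosign-system verification-key
# The password goes through a file rather than --from-literal so that its
# value does not appear in the xtrace (set -x) log; tracing is paused only
# while the file is written. The `-` default keeps the original behaviour of
# an empty password when the variable is unset.
set +x
printf '%s' "${COSIGN_PASSWORD-}" > cosign.password
set -x
kubectl create secret generic -n cosign-system verification-key \
  --from-file=cosign.pub=manykeys.pem \
  --from-file=cosign.password \
  --from-file=cosign.key
rm -f -- cosign.password
echo '::endgroup::'

echo '::group:: disable verification'
kubectl label namespace default --overwrite cosigned.sigstore.dev/include=false
echo '::endgroup::'

echo '::group:: test pod success (before labeling)'
# This time it should succeed!
expect_admitted pod.yaml \
  'Failed to create Pod in namespace without label!' \
  'Successfully created Pod in namespace without label.'
echo '::endgroup::'

echo '::group:: test job success'
# This time it should succeed!
expect_admitted job.yaml \
  'Failed to create Job in namespace without label!' \
  'Successfully created Job in namespace without label.'
echo '::endgroup::'

echo '::group:: test cronjob success'
# This time it should succeed!
expect_admitted cronjob.yaml \
  'Failed to create CronJob in namespace without label!' \
  'Successfully created CronJob in namespace without label.'
echo '::endgroup::'

echo '::group:: enable verification'
kubectl label namespace default --overwrite cosigned.sigstore.dev/include=true
echo '::endgroup::'

echo '::group:: test pod rejection'
expect_rejected pod.yaml \
  'Failed to block Pod creation!' \
  'Successfully blocked Pod creation.'
echo '::endgroup::'

echo '::group:: test job rejection'
expect_rejected job.yaml \
  'Failed to block Job creation!' \
  'Successfully blocked Job creation.'
echo '::endgroup::'

echo '::group:: test cronjob rejection'
expect_rejected cronjob.yaml \
  'Failed to block CronJob creation!' \
  'Successfully blocked CronJob creation.'
echo '::endgroup::'

echo '::group:: sign test image'
cosign sign --key k8s://cosign-system/verification-key "$DIGEST"
echo '::endgroup::'

echo '::group:: test pod digest resolution'
expect_digest_resolved pod.yaml '.spec.containers[0].image'
echo '::endgroup::'

echo '::group:: test job digest resolution'
expect_digest_resolved job.yaml '.spec.template.spec.containers[0].image'
echo '::endgroup::'

echo '::group:: test cronjob digest resolution'
expect_digest_resolved cronjob.yaml '.spec.jobTemplate.spec.template.spec.containers[0].image'
echo '::endgroup::'

echo '::group:: test pod success'
# This time it should succeed!
expect_admitted pod.yaml \
  'Failed to create Pod with properly signed image!' \
  'Successfully created Pod from signed image.'
echo '::endgroup::'

echo '::group:: test job success'
# This time it should succeed!
expect_admitted job.yaml \
  'Failed to create Job with properly signed image!' \
  'Successfully created Job from signed image.'
echo '::endgroup::'

echo '::group:: test cronjob success'
# This time it should succeed!
expect_admitted cronjob.yaml \
  'Failed to create CronJob with properly signed image!' \
  'Successfully created CronJob from signed image.'
echo '::endgroup::'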