@@ -23,7 +23,10 @@ import (
23
23
)
24
24
25
25
const (
26
+ clusterImagePolicyKind = "ClusterImagePolicy"
27
+ imagePolicyKind = "ImagePolicy"
26
28
testSignedPolicyScope = "quay.io/openshifttest/busybox-testsigstoresigned@sha256:c5439d7db88ab5423999530349d327b04279ad3161d7596d2126dfb5b02bfd1f"
29
+ testPKISignedPolicyScope = "quay.io/openshifttest/busybox-testsigstoresignedpki@sha256:c5439d7db88ab5423999530349d327b04279ad3161d7596d2126dfb5b02bfd1f"
27
30
registriesWorkerPoolMachineConfig = "99-worker-generated-registries"
28
31
registriesMasterPoolMachineConfig = "99-master-generated-registries"
29
32
testPodName = "signature-validation-test-pod"
@@ -34,6 +37,11 @@ const (
34
37
publiKeyRekorClusterImagePolicyName = "public-key-rekor-cluster-image-policy"
35
38
invalidPublicKeyImagePolicyName = "invalid-public-key-image-policy"
36
39
publiKeyRekorImagePolicyName = "public-key-rekor-image-policy"
40
+ invalidPKIClusterImagePolicyName = "invalid-pki-cluster-image-policy"
41
+ invalidPKIImagePolicyName = "invalid-pki-image-policy"
42
+ pkiClusterImagePolicyName = "pki-cluster-image-policy"
43
+ pkiImagePolicyName = "pki-image-policy"
44
+ invalidEmailPKIClusterImagePolicyName = "invalid-email-pki-cluster-image-policy"
37
45
)
38
46
39
47
var _ = g .Describe ("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][Serial]" , g .Ordered , func () {
@@ -142,6 +150,54 @@ var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][
142
150
})
143
151
})
144
152
153
+ var _ = g .Describe ("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerificationPKI][Serial]" , g .Ordered , func () {
154
+ defer g .GinkgoRecover ()
155
+ var (
156
+ oc = exutil .NewCLIWithoutNamespace ("cluster-image-policy" )
157
+ tctx = context .Background ()
158
+ cli = exutil .NewCLIWithPodSecurityLevel ("verifysigstore-e2e" , admissionapi .LevelBaseline )
159
+ clif = cli .KubeFramework ()
160
+ imgpolicyCli = exutil .NewCLIWithPodSecurityLevel ("verifysigstore-imagepolicy-e2e" , admissionapi .LevelBaseline )
161
+ imgpolicyClif = imgpolicyCli .KubeFramework ()
162
+ testClusterImagePolicies = generateClusterImagePolicies ()
163
+ testImagePolicies = generateImagePolicies ()
164
+ )
165
+
166
+ g .BeforeAll (func () {
167
+ if ! exutil .IsTechPreviewNoUpgrade (tctx , oc .AdminConfigClient ()) {
168
+ g .Skip ("skipping, this feature is only supported on TechPreviewNoUpgrade clusters" )
169
+ }
170
+ // skip test on disconnected clusters.
171
+ if isDisconnectedCluster (oc ) {
172
+ g .Skip ("skipping test on disconnected platform" )
173
+ }
174
+ })
175
+
176
+ g .DescribeTable ("clusterimagepolicy signature validation tests" ,
177
+ func (policyName string , expectPass bool , imageSpec string , verifyFunc func (tctx context.Context , clif * e2e.Framework , expectPass bool , testPodName string , imageSpec string ) error ) {
178
+ createClusterImagePolicy (oc , testClusterImagePolicies [policyName ])
179
+ g .DeferCleanup (deleteClusterImagePolicy , oc , policyName )
180
+
181
+ verifyFunc (tctx , clif , expectPass , testPodName , imageSpec )
182
+ },
183
+ g .Entry ("fail with PKI root of trust does not match the identity in the signature" , invalidPKIClusterImagePolicyName , false , testPKISignedPolicyScope , verifyPodSignature ),
184
+ g .Entry ("fail with PKI email does not match" , invalidEmailPKIClusterImagePolicyName , false , testPKISignedPolicyScope , verifyPodSignature ),
185
+ g .Entry ("pass with valid PKI" , pkiClusterImagePolicyName , true , testPKISignedPolicyScope , verifyPodSignature ),
186
+ )
187
+
188
+ g .DescribeTable ("imagepolicy signature validation tests" ,
189
+ func (policyName string , expectPass bool , imageSpec string , verifyFunc func (tctx context.Context , clif * e2e.Framework , expectPass bool , testPodName string , imageSpec string ) error ) {
190
+ createImagePolicy (oc , testImagePolicies [policyName ], imgpolicyClif .Namespace .Name )
191
+ g .DeferCleanup (deleteImagePolicy , oc , policyName , imgpolicyClif .Namespace .Name )
192
+
193
+ verifyFunc (tctx , imgpolicyClif , expectPass , testPodName , imageSpec )
194
+ },
195
+ g .Entry ("fail with PKI root of trust does not match the identity in the signature" , invalidPKIImagePolicyName , false , testPKISignedPolicyScope , verifyPodSignature ),
196
+ g .Entry ("pass with valid PKI" , pkiImagePolicyName , true , testPKISignedPolicyScope , verifyPodSignature ),
197
+ )
198
+
199
+ })
200
+
145
201
func updateImageConfig (oc * exutil.CLI , allowedRegistries []string ) {
146
202
e2e .Logf ("Updating image config with allowed registries" )
147
203
initialWorkerSpec := getMCPCurrentSpecConfigName (oc , workerPool )
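Review bot: The error returned by `verifyFunc (tctx , clif , expectPass , testPodName , imageSpec )` is discarded in both DescribeTable bodies, so a pod that runs when the policy should have rejected it, or is rejected when it should pass, never fails the test; `verifyPodSignature` in the last hunk returns exactly those wait timeouts. Assert it: `o.Expect(verifyFunc(tctx, clif, expectPass, testPodName, imageSpec)).NotTo(o.HaveOccurred())` in the clusterimagepolicy table and the same call with `imgpolicyClif` in the imagepolicy table. The pre-existing Describe that ends just above this hunk may share the pattern; its body is outside my view. The `BeforeAll` skip also depends on `isDisconnectedCluster`, which as written in the last hunk inspects cluster-network address families rather than connectivity, so the "disconnected" comment on the skip should be read with that in mind.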
@@ -323,6 +379,156 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKvZH0CXTk8XQkETuxkzkl3Bi4ms5
323
379
},
324
380
},
325
381
},
382
+ invalidPKIClusterImagePolicyName : {
383
+ TypeMeta : metav1.TypeMeta {
384
+ Kind : "ClusterImagePolicy" ,
385
+ APIVersion : configv1 .SchemeGroupVersion .String (),
386
+ },
387
+ ObjectMeta : metav1.ObjectMeta {Name : invalidPKIClusterImagePolicyName },
388
+ Spec : configv1.ClusterImagePolicySpec {
389
+ Scopes : []configv1.ImageScope {testPKISignedPolicyScope },
390
+ Policy : configv1.Policy {
391
+ RootOfTrust : configv1.PolicyRootOfTrust {
392
+ PolicyType : configv1 .PKIRootOfTrust ,
393
+ PKI : & configv1.PKI {
394
+ CertificateAuthorityRootsData : []byte (`-----BEGIN CERTIFICATE-----
395
+ MIICYDCCAgagAwIBAgIUTq5IQKTGqI9XDqGzdGzm8mI43qkwCgYIKoZIzj0EAwIw
396
+ fDELMAkGA1UEBhMCLS0xDjAMBgNVBAgTBVNUQVRFMREwDwYDVQQHEwhMT0NBTElU
397
+ WTEVMBMGA1UEChMMT1JHQU5JU0FUSU9OMQ4wDAYDVQQLEwVMT0NBTDEjMCEGA1UE
398
+ AxMaUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjQwNjA2MTQxODAwWhcN
399
+ MzQwNjA0MTQxODAwWjB8MQswCQYDVQQGEwItLTEOMAwGA1UECBMFU1RBVEUxETAP
400
+ BgNVBAcTCExPQ0FMSVRZMRUwEwYDVQQKEwxPUkdBTklTQVRJT04xDjAMBgNVBAsT
401
+ BUxPQ0FMMSMwIQYDVQQDExpSb290IENlcnRpZmljYXRlIEF1dGhvcml0eTBZMBMG
402
+ ByqGSM49AgEGCCqGSM49AwEHA0IABDYxY1BnzNsriTp9PZ0TSumXOg36Xr4fO6xa
403
+ RHp7chgZ9KUhA+s2YoafOWobSiq3ZhfU5vjT2MVIeJjOZjw9EUWjZjBkMA4GA1Ud
404
+ DwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBQQOPL7R8z2
405
+ dG1h6uJ6bWX/xxl6mjAfBgNVHSMEGDAWgBQQOPL7R8z2dG1h6uJ6bWX/xxl6mjAK
406
+ BggqhkjOPQQDAgNIADBFAiAf7kYcHVNe1kj6R8pdVlAckVZZTu6khmBlJoe32FEu
407
+ TAIhALlR4yZRRYv2iaVPdgaptAI0LoDAtEUiO8Rb9FWJzpAN
408
+ -----END CERTIFICATE-----` ),
409
+ PKICertificateSubject : configv1.PKICertificateSubject {
410
+
411
+ },
412
+ },
413
+ },
414
+ SignedIdentity : & configv1.PolicyIdentity {
415
+ MatchPolicy : configv1 .IdentityMatchPolicyMatchRepository ,
416
+ },
417
+ },
418
+ },
419
+ },
420
+ pkiClusterImagePolicyName : {
421
+ TypeMeta : metav1.TypeMeta {
422
+ Kind : "ClusterImagePolicy" ,
423
+ APIVersion : configv1 .SchemeGroupVersion .String (),
424
+ },
425
+ ObjectMeta : metav1.ObjectMeta {Name : pkiClusterImagePolicyName },
426
+ Spec : configv1.ClusterImagePolicySpec {
427
+ Scopes : []configv1.ImageScope {testPKISignedPolicyScope },
428
+ Policy : configv1.Policy {
429
+ RootOfTrust : configv1.PolicyRootOfTrust {
430
+ PolicyType : configv1 .PKIRootOfTrust ,
431
+ PKI : & configv1.PKI {
432
+ CertificateAuthorityRootsData : []byte (`-----BEGIN CERTIFICATE-----
433
+ MIIFvzCCA6egAwIBAgIUZnH3ITyYQMAp6lvNYc0fjRzzuBcwDQYJKoZIhvcNAQEL
434
+ BQAwbjELMAkGA1UEBhMCRVMxETAPBgNVBAcMCFZhbGVuY2lhMQswCQYDVQQKDAJJ
435
+ VDERMA8GA1UECwwIU2VjdXJpdHkxLDAqBgNVBAMMI0xpbnV4ZXJhIFJvb3QgQ2Vy
436
+ dGlmaWNhdGUgQXV0aG9yaXR5MCAXDTI0MDkzMDE2MjM1N1oYDzIwNTIwMjE1MTYy
437
+ MzU3WjBuMQswCQYDVQQGEwJFUzERMA8GA1UEBwwIVmFsZW5jaWExCzAJBgNVBAoM
438
+ AklUMREwDwYDVQQLDAhTZWN1cml0eTEsMCoGA1UEAwwjTGludXhlcmEgUm9vdCBD
439
+ ZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
440
+ AoICAQCy8vGuh6+27xqtsANJUMIeGaX/rjx5hIgh/eOcxZc2/azTB/zHnwjZX7qn
441
+ Co3zaYZaS3ibOouS1yPv2G3NeRPwfGHn2kcR3QM7h4BdYxZ3SR/VioaWpVymLCm2
442
+ /V2gQWMWKrtdYfOXBviqhhD9OIxrLSOqjac8T/icQcfN+dKktKyGlY7vJLKO9w2x
443
+ IdpOTa2IDuYp5DNQV6vy9sDFglP/iafvcDkLGUhrsop8LeNcejpmpFBPRwJKXgan
444
+ 5spry6GgCpNNJuB/Hqgth0fGPjMEY8bPuVOCehnRxe094U01sGrobkkbnM+SxumA
445
+ oLwk1//jC1K3HaKjkIOMMHxEzqYx0Q4RalvPWhd6o/KP5Cs+rd5+EwSeFuvbaIrF
446
+ sEPZBPpH0UDLR0yiQNk2j4LVbV1xdP7tX8KtUvF8+E3Gm5SwnCodNbfnAUxNF4RK
447
+ 4lDqGibUUI5B5SniJ5YMVeTJSc1Jo9gTaKa9lRniMitY9FjzjQjDF4yGnhNPmmKG
448
+ zIvVOXIhQpcw3UhEMmDz6p1wr3wMDtjufoaxaTjoAuxUzSwwFqxzzcJenQiHoFeQ
449
+ B6cJ5RayizadlkqBnHAkrzAB0aM9W8zh5AhIcnO6gfGBaOFom+I5Huy3TyZ9FjTn
450
+ vlxVM5txPV5VsBPMK96hF6mnWeKNg/22qY0X+wo8T33G4LvWIwIDAQABo1MwUTAd
451
+ BgNVHQ4EFgQUD+bFpMAOhNSptdQo+NZle+Yd1L4wHwYDVR0jBBgwFoAUD+bFpMAO
452
+ hNSptdQo+NZle+Yd1L4wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
453
+ AgEAmE21e2H51volFI0CboDakb5T9VLkDzLgmxH2iZPBJrnQBFaPTEaQnM93pDq+
454
+ czfc7+WJL+6TUyUYFOg2rueK/KWC3AQYUrsb+i3BDNZVv74f3wLidmqELcyjHO8m
455
+ 7yoGIgeG8ksMYPCzPfuuFHYNDiv11brmbdhdGGbvQMbayLYvhB543J5sTiUsr3iv
456
+ ShKvmr/krAbdj6ZK2m6us+pFktjjbirHVqj5tE+RvEC9oHSngyCRCKJEuEDt+gUK
457
+ gmSFh1+AFJdjWqYqnX7kPu6N4x4KoH72OUkd7NHpzkG57UM0iVQ8jCAclkZxrpng
458
+ HCD+dY0JnIlF+LJ7qGgmrNQQvTZ11hWyV7fRHcCPwuqT0kJC/yjWWXEafsMWTPl7
459
+ 2zrQg5YW0zbcWfRzo1ucx0tf47unRjVqjaXjyyzkgkHrqZH939SrAy9e2SFZUqdy
460
+ qIXwGmZktzL8DU+8ZH47R+CIwcv59l4Wy889fUrjk4Kgg45IhqnP5NMg2Z8aytUH
461
+ 0Zwo0iJxuCe0tQTdSMvYC0PoWsEyR4KULEU83GfCbGZQG8hOFAPHXV0CpM025+9Y
462
+ L8ITFP+Nw9Meiw4etw59CTAPCc7l4Zvwr1K2ZTBmVGxrqdasiqpI0utG69aItsPi
463
+ +9V8SSde7D5iMV/3z9LDxA/oLoqNGFcD0TSR5+obeqJzl40=
464
+ -----END CERTIFICATE-----` ),
465
+ PKICertificateSubject : configv1.PKICertificateSubject {
466
+
467
+ },
468
+ },
469
+ },
470
+ SignedIdentity : & configv1.PolicyIdentity {
471
+ MatchPolicy : configv1 .IdentityMatchPolicyMatchRepository ,
472
+ },
473
+ },
474
+ },
475
+ },
476
+ invalidEmailPKIClusterImagePolicyName : {
477
+ TypeMeta : metav1.TypeMeta {
478
+ Kind : "ClusterImagePolicy" ,
479
+ APIVersion : configv1 .SchemeGroupVersion .String (),
480
+ },
481
+ ObjectMeta : metav1.ObjectMeta {Name : invalidEmailPKIClusterImagePolicyName },
482
+ Spec : configv1.ClusterImagePolicySpec {
483
+ Scopes : []configv1.ImageScope {testPKISignedPolicyScope },
484
+ Policy : configv1.Policy {
485
+ RootOfTrust : configv1.PolicyRootOfTrust {
486
+ PolicyType : configv1 .PKIRootOfTrust ,
487
+ PKI : & configv1.PKI {
488
+ CertificateAuthorityRootsData : []byte (`-----BEGIN CERTIFICATE-----
489
+ MIIFvzCCA6egAwIBAgIUZnH3ITyYQMAp6lvNYc0fjRzzuBcwDQYJKoZIhvcNAQEL
490
+ BQAwbjELMAkGA1UEBhMCRVMxETAPBgNVBAcMCFZhbGVuY2lhMQswCQYDVQQKDAJJ
491
+ VDERMA8GA1UECwwIU2VjdXJpdHkxLDAqBgNVBAMMI0xpbnV4ZXJhIFJvb3QgQ2Vy
492
+ dGlmaWNhdGUgQXV0aG9yaXR5MCAXDTI0MDkzMDE2MjM1N1oYDzIwNTIwMjE1MTYy
493
+ MzU3WjBuMQswCQYDVQQGEwJFUzERMA8GA1UEBwwIVmFsZW5jaWExCzAJBgNVBAoM
494
+ AklUMREwDwYDVQQLDAhTZWN1cml0eTEsMCoGA1UEAwwjTGludXhlcmEgUm9vdCBD
495
+ ZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
496
+ AoICAQCy8vGuh6+27xqtsANJUMIeGaX/rjx5hIgh/eOcxZc2/azTB/zHnwjZX7qn
497
+ Co3zaYZaS3ibOouS1yPv2G3NeRPwfGHn2kcR3QM7h4BdYxZ3SR/VioaWpVymLCm2
498
+ /V2gQWMWKrtdYfOXBviqhhD9OIxrLSOqjac8T/icQcfN+dKktKyGlY7vJLKO9w2x
499
+ IdpOTa2IDuYp5DNQV6vy9sDFglP/iafvcDkLGUhrsop8LeNcejpmpFBPRwJKXgan
500
+ 5spry6GgCpNNJuB/Hqgth0fGPjMEY8bPuVOCehnRxe094U01sGrobkkbnM+SxumA
501
+ oLwk1//jC1K3HaKjkIOMMHxEzqYx0Q4RalvPWhd6o/KP5Cs+rd5+EwSeFuvbaIrF
502
+ sEPZBPpH0UDLR0yiQNk2j4LVbV1xdP7tX8KtUvF8+E3Gm5SwnCodNbfnAUxNF4RK
503
+ 4lDqGibUUI5B5SniJ5YMVeTJSc1Jo9gTaKa9lRniMitY9FjzjQjDF4yGnhNPmmKG
504
+ zIvVOXIhQpcw3UhEMmDz6p1wr3wMDtjufoaxaTjoAuxUzSwwFqxzzcJenQiHoFeQ
505
+ B6cJ5RayizadlkqBnHAkrzAB0aM9W8zh5AhIcnO6gfGBaOFom+I5Huy3TyZ9FjTn
506
+ vlxVM5txPV5VsBPMK96hF6mnWeKNg/22qY0X+wo8T33G4LvWIwIDAQABo1MwUTAd
507
+ BgNVHQ4EFgQUD+bFpMAOhNSptdQo+NZle+Yd1L4wHwYDVR0jBBgwFoAUD+bFpMAO
508
+ hNSptdQo+NZle+Yd1L4wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
509
+ AgEAmE21e2H51volFI0CboDakb5T9VLkDzLgmxH2iZPBJrnQBFaPTEaQnM93pDq+
510
+ czfc7+WJL+6TUyUYFOg2rueK/KWC3AQYUrsb+i3BDNZVv74f3wLidmqELcyjHO8m
511
+ 7yoGIgeG8ksMYPCzPfuuFHYNDiv11brmbdhdGGbvQMbayLYvhB543J5sTiUsr3iv
512
+ ShKvmr/krAbdj6ZK2m6us+pFktjjbirHVqj5tE+RvEC9oHSngyCRCKJEuEDt+gUK
513
+ gmSFh1+AFJdjWqYqnX7kPu6N4x4KoH72OUkd7NHpzkG57UM0iVQ8jCAclkZxrpng
514
+ HCD+dY0JnIlF+LJ7qGgmrNQQvTZ11hWyV7fRHcCPwuqT0kJC/yjWWXEafsMWTPl7
515
+ 2zrQg5YW0zbcWfRzo1ucx0tf47unRjVqjaXjyyzkgkHrqZH939SrAy9e2SFZUqdy
516
+ qIXwGmZktzL8DU+8ZH47R+CIwcv59l4Wy889fUrjk4Kgg45IhqnP5NMg2Z8aytUH
517
+ 0Zwo0iJxuCe0tQTdSMvYC0PoWsEyR4KULEU83GfCbGZQG8hOFAPHXV0CpM025+9Y
518
+ L8ITFP+Nw9Meiw4etw59CTAPCc7l4Zvwr1K2ZTBmVGxrqdasiqpI0utG69aItsPi
519
+ +9V8SSde7D5iMV/3z9LDxA/oLoqNGFcD0TSR5+obeqJzl40=
520
+ -----END CERTIFICATE-----` ),
521
+ PKICertificateSubject : configv1.PKICertificateSubject {
522
+
523
+ },
524
+ },
525
+ },
526
+ SignedIdentity : & configv1.PolicyIdentity {
527
+ MatchPolicy : configv1 .IdentityMatchPolicyMatchRepository ,
528
+ },
529
+ },
530
+ },
531
+ },
326
532
}
327
533
return testClusterImagePolicies
328
534
}
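Review bot: `invalidEmailPKIClusterImagePolicyName` is byte-for-byte the same policy as `pkiClusterImagePolicyName` — identical CA roots, the same empty `PKICertificateSubject {}`, the same `IdentityMatchPolicyMatchRepository` — yet the table entries expect one to fail with "PKI email does not match" and the other to pass against the same image, so one of those expectations cannot hold. Presumably the invalid-email policy was meant to carry a subject that does not match the signing certificate, e.g. `PKICertificateSubject: configv1.PKICertificateSubject{Email: "<constructed non-matching address>"}`, and the valid one the signer's actual subject; as it stands the empty subject is also worth confirming against the API's validation rules. The `clusterImagePolicyKind` constant added in the first hunk is not used here: `Kind : "ClusterImagePolicy"` stays a literal in all three new entries, and `Kind : "ImagePolicy"` in the next hunk likewise ignores `imagePolicyKind`. The two PEM CA blobs are pasted five times across this hunk and the next; hoisting each into one package-level value would make it obvious which root each case trusts and keep them from drifting. The enclosing `generateClusterImagePolicies` body starts outside the hunk.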
@@ -377,6 +583,100 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKvZH0CXTk8XQkETuxkzkl3Bi4ms5
377
583
},
378
584
},
379
585
},
586
+ invalidPKIImagePolicyName : {
587
+ TypeMeta : metav1.TypeMeta {
588
+ Kind : "ImagePolicy" ,
589
+ APIVersion : configv1 .SchemeGroupVersion .String (),
590
+ },
591
+ ObjectMeta : metav1.ObjectMeta {Name : invalidPKIImagePolicyName },
592
+ Spec : configv1.ImagePolicySpec {
593
+ Scopes : []configv1.ImageScope {testPKISignedPolicyScope },
594
+ Policy : configv1.Policy {
595
+ RootOfTrust : configv1.PolicyRootOfTrust {
596
+ PolicyType : configv1 .PKIRootOfTrust ,
597
+ PKI : & configv1.PKI {
598
+ CertificateAuthorityRootsData : []byte (`-----BEGIN CERTIFICATE-----
599
+ MIICYDCCAgagAwIBAgIUTq5IQKTGqI9XDqGzdGzm8mI43qkwCgYIKoZIzj0EAwIw
600
+ fDELMAkGA1UEBhMCLS0xDjAMBgNVBAgTBVNUQVRFMREwDwYDVQQHEwhMT0NBTElU
601
+ WTEVMBMGA1UEChMMT1JHQU5JU0FUSU9OMQ4wDAYDVQQLEwVMT0NBTDEjMCEGA1UE
602
+ AxMaUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjQwNjA2MTQxODAwWhcN
603
+ MzQwNjA0MTQxODAwWjB8MQswCQYDVQQGEwItLTEOMAwGA1UECBMFU1RBVEUxETAP
604
+ BgNVBAcTCExPQ0FMSVRZMRUwEwYDVQQKEwxPUkdBTklTQVRJT04xDjAMBgNVBAsT
605
+ BUxPQ0FMMSMwIQYDVQQDExpSb290IENlcnRpZmljYXRlIEF1dGhvcml0eTBZMBMG
606
+ ByqGSM49AgEGCCqGSM49AwEHA0IABDYxY1BnzNsriTp9PZ0TSumXOg36Xr4fO6xa
607
+ RHp7chgZ9KUhA+s2YoafOWobSiq3ZhfU5vjT2MVIeJjOZjw9EUWjZjBkMA4GA1Ud
608
+ DwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBQQOPL7R8z2
609
+ dG1h6uJ6bWX/xxl6mjAfBgNVHSMEGDAWgBQQOPL7R8z2dG1h6uJ6bWX/xxl6mjAK
610
+ BggqhkjOPQQDAgNIADBFAiAf7kYcHVNe1kj6R8pdVlAckVZZTu6khmBlJoe32FEu
611
+ TAIhALlR4yZRRYv2iaVPdgaptAI0LoDAtEUiO8Rb9FWJzpAN
612
+ -----END CERTIFICATE-----` ),
613
+ PKICertificateSubject : configv1.PKICertificateSubject {
614
+
615
+ },
616
+ },
617
+ },
618
+ SignedIdentity : & configv1.PolicyIdentity {
619
+ MatchPolicy : configv1 .IdentityMatchPolicyMatchRepository ,
620
+ },
621
+ },
622
+ },
623
+ },
624
+ pkiImagePolicyName : {
625
+ TypeMeta : metav1.TypeMeta {
626
+ Kind : "ImagePolicy" ,
627
+ APIVersion : configv1 .SchemeGroupVersion .String (),
628
+ },
629
+ ObjectMeta : metav1.ObjectMeta {Name : pkiImagePolicyName },
630
+ Spec : configv1.ImagePolicySpec {
631
+ Scopes : []configv1.ImageScope {testPKISignedPolicyScope },
632
+ Policy : configv1.Policy {
633
+ RootOfTrust : configv1.PolicyRootOfTrust {
634
+ PolicyType : configv1 .PKIRootOfTrust ,
635
+ PKI : & configv1.PKI {
636
+ CertificateAuthorityRootsData : []byte (`-----BEGIN CERTIFICATE-----
637
+ MIIFvzCCA6egAwIBAgIUZnH3ITyYQMAp6lvNYc0fjRzzuBcwDQYJKoZIhvcNAQEL
638
+ BQAwbjELMAkGA1UEBhMCRVMxETAPBgNVBAcMCFZhbGVuY2lhMQswCQYDVQQKDAJJ
639
+ VDERMA8GA1UECwwIU2VjdXJpdHkxLDAqBgNVBAMMI0xpbnV4ZXJhIFJvb3QgQ2Vy
640
+ dGlmaWNhdGUgQXV0aG9yaXR5MCAXDTI0MDkzMDE2MjM1N1oYDzIwNTIwMjE1MTYy
641
+ MzU3WjBuMQswCQYDVQQGEwJFUzERMA8GA1UEBwwIVmFsZW5jaWExCzAJBgNVBAoM
642
+ AklUMREwDwYDVQQLDAhTZWN1cml0eTEsMCoGA1UEAwwjTGludXhlcmEgUm9vdCBD
643
+ ZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
644
+ AoICAQCy8vGuh6+27xqtsANJUMIeGaX/rjx5hIgh/eOcxZc2/azTB/zHnwjZX7qn
645
+ Co3zaYZaS3ibOouS1yPv2G3NeRPwfGHn2kcR3QM7h4BdYxZ3SR/VioaWpVymLCm2
646
+ /V2gQWMWKrtdYfOXBviqhhD9OIxrLSOqjac8T/icQcfN+dKktKyGlY7vJLKO9w2x
647
+ IdpOTa2IDuYp5DNQV6vy9sDFglP/iafvcDkLGUhrsop8LeNcejpmpFBPRwJKXgan
648
+ 5spry6GgCpNNJuB/Hqgth0fGPjMEY8bPuVOCehnRxe094U01sGrobkkbnM+SxumA
649
+ oLwk1//jC1K3HaKjkIOMMHxEzqYx0Q4RalvPWhd6o/KP5Cs+rd5+EwSeFuvbaIrF
650
+ sEPZBPpH0UDLR0yiQNk2j4LVbV1xdP7tX8KtUvF8+E3Gm5SwnCodNbfnAUxNF4RK
651
+ 4lDqGibUUI5B5SniJ5YMVeTJSc1Jo9gTaKa9lRniMitY9FjzjQjDF4yGnhNPmmKG
652
+ zIvVOXIhQpcw3UhEMmDz6p1wr3wMDtjufoaxaTjoAuxUzSwwFqxzzcJenQiHoFeQ
653
+ B6cJ5RayizadlkqBnHAkrzAB0aM9W8zh5AhIcnO6gfGBaOFom+I5Huy3TyZ9FjTn
654
+ vlxVM5txPV5VsBPMK96hF6mnWeKNg/22qY0X+wo8T33G4LvWIwIDAQABo1MwUTAd
655
+ BgNVHQ4EFgQUD+bFpMAOhNSptdQo+NZle+Yd1L4wHwYDVR0jBBgwFoAUD+bFpMAO
656
+ hNSptdQo+NZle+Yd1L4wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
657
+ AgEAmE21e2H51volFI0CboDakb5T9VLkDzLgmxH2iZPBJrnQBFaPTEaQnM93pDq+
658
+ czfc7+WJL+6TUyUYFOg2rueK/KWC3AQYUrsb+i3BDNZVv74f3wLidmqELcyjHO8m
659
+ 7yoGIgeG8ksMYPCzPfuuFHYNDiv11brmbdhdGGbvQMbayLYvhB543J5sTiUsr3iv
660
+ ShKvmr/krAbdj6ZK2m6us+pFktjjbirHVqj5tE+RvEC9oHSngyCRCKJEuEDt+gUK
661
+ gmSFh1+AFJdjWqYqnX7kPu6N4x4KoH72OUkd7NHpzkG57UM0iVQ8jCAclkZxrpng
662
+ HCD+dY0JnIlF+LJ7qGgmrNQQvTZ11hWyV7fRHcCPwuqT0kJC/yjWWXEafsMWTPl7
663
+ 2zrQg5YW0zbcWfRzo1ucx0tf47unRjVqjaXjyyzkgkHrqZH939SrAy9e2SFZUqdy
664
+ qIXwGmZktzL8DU+8ZH47R+CIwcv59l4Wy889fUrjk4Kgg45IhqnP5NMg2Z8aytUH
665
+ 0Zwo0iJxuCe0tQTdSMvYC0PoWsEyR4KULEU83GfCbGZQG8hOFAPHXV0CpM025+9Y
666
+ L8ITFP+Nw9Meiw4etw59CTAPCc7l4Zvwr1K2ZTBmVGxrqdasiqpI0utG69aItsPi
667
+ +9V8SSde7D5iMV/3z9LDxA/oLoqNGFcD0TSR5+obeqJzl40=
668
+ -----END CERTIFICATE-----` ),
669
+ PKICertificateSubject : configv1.PKICertificateSubject {
670
+
671
+ },
672
+ },
673
+ },
674
+ SignedIdentity : & configv1.PolicyIdentity {
675
+ MatchPolicy : configv1 .IdentityMatchPolicyMatchRepository ,
676
+ },
677
+ },
678
+ },
679
+ },
380
680
}
381
681
return testImagePolicies
382
682
}
@@ -407,3 +707,36 @@ func waitForMCPConfigSpecChangeAndUpdated(oc *exutil.CLI, pool string, initialSp
407
707
return machineconfighelper .IsMachineConfigPoolConditionTrue (mcp .Status .Conditions , mcfgv1 .MachineConfigPoolUpdated )
408
708
}, 20 * time .Minute , 10 * time .Second ).Should (o .BeTrue ())
409
709
}
710
+
711
+ func isDisconnectedCluster (oc * exutil.CLI ) bool {
712
+ networkConfig , err := oc .AdminConfigClient ().ConfigV1 ().Networks ().Get (context .Background (), "cluster" , metav1.GetOptions {})
713
+ if err != nil {
714
+ e2e .Failf ("unable to get cluster network config: %v" , err )
715
+ }
716
+ usingIPv6 := false
717
+ for _ , clusterNetworkEntry := range networkConfig .Status .ClusterNetwork {
718
+ addr , _ , err := net .ParseCIDR (clusterNetworkEntry .CIDR )
719
+ if err != nil {
720
+ continue
721
+ }
722
+ if addr .To4 () == nil {
723
+ usingIPv6 = true
724
+ break
725
+ }
726
+ }
727
+ return usingIPv6
728
+ }
729
+
730
+ func verifyPodSignature (tctx context.Context , clif * e2e.Framework , expectPass bool , testPodName string , imageSpec string ) error {
731
+ pod , err := launchTestPod (tctx , clif , testPodName , imageSpec )
732
+ if err != nil {
733
+ return err
734
+ }
735
+ defer deleteTestPod (tctx , clif , testPodName )
736
+
737
+ if expectPass {
738
+ return e2epod .WaitForPodSuccessInNamespace (tctx , clif .ClientSet , pod .Name , pod .Namespace )
739
+ } else {
740
+ return waitForTestPodContainerToFailSignatureValidation (tctx , clif , pod )
741
+ }
742
+ }
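Review bot: `isDisconnectedCluster` does not test connectivity: it returns true when any entry in `networkConfig .Status .ClusterNetwork` parses as a non-IPv4 CIDR, so a connected dual-stack or IPv6-only cluster is skipped while a disconnected IPv4 cluster is not. Either rename it to what it checks (`isIPv6Cluster`) or state the proxy on the function: `// isDisconnectedCluster treats an IPv6 cluster network as a proxy for a disconnected environment; it does not probe registry reachability.`. In `verifyPodSignature` the `else` after `return` can go: return the `WaitForPodSuccessInNamespace` result inside `if expectPass` and fall through to `waitForTestPodContainerToFailSignatureValidation`. The deferred `deleteTestPod` call's outcome is dropped; if it reports an error, logging it with `e2e .Logf` inside the defer would at least surface cleanup failures that leave a test pod behind for the next table entry.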