
Commit 0ffb7cd

committed
Add PKI image policy validation tests
Signed-off-by: Qi Wang <[email protected]>
1 parent c49344f commit 0ffb7cd


1 file changed

+333
-0
lines changed


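--- a/test/extended/imagepolicy/imagepolicy.go
+++ b/test/extended/imagepolicy/imagepolicy.go
@@ -23,7 +23,10 @@ import (
 )
 
 const (
+clusterImagePolicyKind = "ClusterImagePolicy"
+imagePolicyKind = "ImagePolicy"
 testSignedPolicyScope = "quay.io/openshifttest/busybox-testsigstoresigned@sha256:c5439d7db88ab5423999530349d327b04279ad3161d7596d2126dfb5b02bfd1f"
+testPKISignedPolicyScope = "quay.io/openshifttest/busybox-testsigstoresignedpki@sha256:c5439d7db88ab5423999530349d327b04279ad3161d7596d2126dfb5b02bfd1f"
 registriesWorkerPoolMachineConfig = "99-worker-generated-registries"
 registriesMasterPoolMachineConfig = "99-master-generated-registries"
 testPodName = "signature-validation-test-pod"
@@ -34,6 +37,11 @@ const (
 publiKeyRekorClusterImagePolicyName = "public-key-rekor-cluster-image-policy"
 invalidPublicKeyImagePolicyName = "invalid-public-key-image-policy"
 publiKeyRekorImagePolicyName = "public-key-rekor-image-policy"
+invalidPKIClusterImagePolicyName = "invalid-pki-cluster-image-policy"
+invalidPKIImagePolicyName = "invalid-pki-image-policy"
+pkiClusterImagePolicyName = "pki-cluster-image-policy"
+pkiImagePolicyName = "pki-image-policy"
+invalidEmailPKIClusterImagePolicyName = "invalid-email-pki-cluster-image-policy"
 )
 
 var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][Serial]", g.Ordered, func() {
@@ -142,6 +150,54 @@ var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][
 })
 })
 
+var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerificationPKI][Serial]", g.Ordered, func() {
+defer g.GinkgoRecover()
+var (
+oc = exutil.NewCLIWithoutNamespace("cluster-image-policy")
+tctx = context.Background()
+cli = exutil.NewCLIWithPodSecurityLevel("verifysigstore-e2e", admissionapi.LevelBaseline)
+clif = cli.KubeFramework()
+imgpolicyCli = exutil.NewCLIWithPodSecurityLevel("verifysigstore-imagepolicy-e2e", admissionapi.LevelBaseline)
+imgpolicyClif = imgpolicyCli.KubeFramework()
+testClusterImagePolicies = generateClusterImagePolicies()
+testImagePolicies = generateImagePolicies()
+)
+
+g.BeforeAll(func() {
+if !exutil.IsTechPreviewNoUpgrade(tctx, oc.AdminConfigClient()) {
+g.Skip("skipping, this feature is only supported on TechPreviewNoUpgrade clusters")
+}
+// skip test on disconnected clusters.
+if isDisconnectedCluster(oc) {
+g.Skip("skipping test on disconnected platform")
+}
+})
+
+g.DescribeTable("clusterimagepolicy signature validation tests",
+func(policyName string, expectPass bool, imageSpec string, verifyFunc func(tctx context.Context, clif *e2e.Framework, expectPass bool, testPodName string, imageSpec string) error) {
+createClusterImagePolicy(oc, testClusterImagePolicies[policyName])
+g.DeferCleanup(deleteClusterImagePolicy, oc, policyName)
+
+verifyFunc(tctx, clif, expectPass, testPodName, imageSpec)
+},
+g.Entry("fail with PKI root of trust does not match the identity in the signature", invalidPKIClusterImagePolicyName, false, testPKISignedPolicyScope, verifyPodSignature),
+g.Entry("fail with PKI email does not match", invalidEmailPKIClusterImagePolicyName, false, testPKISignedPolicyScope, verifyPodSignature),
+g.Entry("pass with valid PKI", pkiClusterImagePolicyName, true, testPKISignedPolicyScope, verifyPodSignature),
+)
+
+g.DescribeTable("imagepolicy signature validation tests",
+func(policyName string, expectPass bool, imageSpec string, verifyFunc func(tctx context.Context, clif *e2e.Framework, expectPass bool, testPodName string, imageSpec string) error) {
+createImagePolicy(oc, testImagePolicies[policyName], imgpolicyClif.Namespace.Name)
+g.DeferCleanup(deleteImagePolicy, oc, policyName, imgpolicyClif.Namespace.Name)
+
+verifyFunc(tctx, imgpolicyClif, expectPass, testPodName, imageSpec)
+},
+g.Entry("fail with PKI root of trust does not match the identity in the signature", invalidPKIImagePolicyName, false, testPKISignedPolicyScope, verifyPodSignature),
+g.Entry("pass with valid PKI", pkiImagePolicyName, true, testPKISignedPolicyScope, verifyPodSignature),
+)
+
+})
+
 func updateImageConfig(oc *exutil.CLI, allowedRegistries []string) {
 e2e.Logf("Updating image config with allowed registries")
 initialWorkerSpec := getMCPCurrentSpecConfigName(oc, workerPool)
@@ -323,6 +379,156 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKvZH0CXTk8XQkETuxkzkl3Bi4ms5
 },
 },
 },
+invalidPKIClusterImagePolicyName: {
+TypeMeta: metav1.TypeMeta{
+Kind: "ClusterImagePolicy",
+APIVersion: configv1.SchemeGroupVersion.String(),
+},
+ObjectMeta: metav1.ObjectMeta{Name: invalidPKIClusterImagePolicyName},
+Spec: configv1.ClusterImagePolicySpec{
+Scopes: []configv1.ImageScope{testPKISignedPolicyScope},
+Policy: configv1.Policy{
+RootOfTrust: configv1.PolicyRootOfTrust{
+PolicyType: configv1.PKIRootOfTrust,
+PKI: &configv1.PKI{
+CertificateAuthorityRootsData: []byte(`-----BEGIN CERTIFICATE-----
+MIICYDCCAgagAwIBAgIUTq5IQKTGqI9XDqGzdGzm8mI43qkwCgYIKoZIzj0EAwIw
+fDELMAkGA1UEBhMCLS0xDjAMBgNVBAgTBVNUQVRFMREwDwYDVQQHEwhMT0NBTElU
+WTEVMBMGA1UEChMMT1JHQU5JU0FUSU9OMQ4wDAYDVQQLEwVMT0NBTDEjMCEGA1UE
+AxMaUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjQwNjA2MTQxODAwWhcN
+MzQwNjA0MTQxODAwWjB8MQswCQYDVQQGEwItLTEOMAwGA1UECBMFU1RBVEUxETAP
+BgNVBAcTCExPQ0FMSVRZMRUwEwYDVQQKEwxPUkdBTklTQVRJT04xDjAMBgNVBAsT
+BUxPQ0FMMSMwIQYDVQQDExpSb290IENlcnRpZmljYXRlIEF1dGhvcml0eTBZMBMG
+ByqGSM49AgEGCCqGSM49AwEHA0IABDYxY1BnzNsriTp9PZ0TSumXOg36Xr4fO6xa
+RHp7chgZ9KUhA+s2YoafOWobSiq3ZhfU5vjT2MVIeJjOZjw9EUWjZjBkMA4GA1Ud
+DwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBQQOPL7R8z2
+dG1h6uJ6bWX/xxl6mjAfBgNVHSMEGDAWgBQQOPL7R8z2dG1h6uJ6bWX/xxl6mjAK
+BggqhkjOPQQDAgNIADBFAiAf7kYcHVNe1kj6R8pdVlAckVZZTu6khmBlJoe32FEu
+TAIhALlR4yZRRYv2iaVPdgaptAI0LoDAtEUiO8Rb9FWJzpAN
+-----END CERTIFICATE-----`),
+PKICertificateSubject: configv1.PKICertificateSubject{
+
+},
+},
+},
+SignedIdentity: &configv1.PolicyIdentity{
+MatchPolicy: configv1.IdentityMatchPolicyMatchRepository,
+},
+},
+},
+},
+pkiClusterImagePolicyName: {
+TypeMeta: metav1.TypeMeta{
+Kind: "ClusterImagePolicy",
+APIVersion: configv1.SchemeGroupVersion.String(),
+},
+ObjectMeta: metav1.ObjectMeta{Name: pkiClusterImagePolicyName},
+Spec: configv1.ClusterImagePolicySpec{
+Scopes: []configv1.ImageScope{testPKISignedPolicyScope},
+Policy: configv1.Policy{
+RootOfTrust: configv1.PolicyRootOfTrust{
+PolicyType: configv1.PKIRootOfTrust,
+PKI: &configv1.PKI{
+CertificateAuthorityRootsData: []byte(`-----BEGIN CERTIFICATE-----
+MIIFvzCCA6egAwIBAgIUZnH3ITyYQMAp6lvNYc0fjRzzuBcwDQYJKoZIhvcNAQEL
+BQAwbjELMAkGA1UEBhMCRVMxETAPBgNVBAcMCFZhbGVuY2lhMQswCQYDVQQKDAJJ
+VDERMA8GA1UECwwIU2VjdXJpdHkxLDAqBgNVBAMMI0xpbnV4ZXJhIFJvb3QgQ2Vy
+dGlmaWNhdGUgQXV0aG9yaXR5MCAXDTI0MDkzMDE2MjM1N1oYDzIwNTIwMjE1MTYy
+MzU3WjBuMQswCQYDVQQGEwJFUzERMA8GA1UEBwwIVmFsZW5jaWExCzAJBgNVBAoM
+AklUMREwDwYDVQQLDAhTZWN1cml0eTEsMCoGA1UEAwwjTGludXhlcmEgUm9vdCBD
+ZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
+AoICAQCy8vGuh6+27xqtsANJUMIeGaX/rjx5hIgh/eOcxZc2/azTB/zHnwjZX7qn
+Co3zaYZaS3ibOouS1yPv2G3NeRPwfGHn2kcR3QM7h4BdYxZ3SR/VioaWpVymLCm2
+/V2gQWMWKrtdYfOXBviqhhD9OIxrLSOqjac8T/icQcfN+dKktKyGlY7vJLKO9w2x
+IdpOTa2IDuYp5DNQV6vy9sDFglP/iafvcDkLGUhrsop8LeNcejpmpFBPRwJKXgan
+5spry6GgCpNNJuB/Hqgth0fGPjMEY8bPuVOCehnRxe094U01sGrobkkbnM+SxumA
+oLwk1//jC1K3HaKjkIOMMHxEzqYx0Q4RalvPWhd6o/KP5Cs+rd5+EwSeFuvbaIrF
+sEPZBPpH0UDLR0yiQNk2j4LVbV1xdP7tX8KtUvF8+E3Gm5SwnCodNbfnAUxNF4RK
+4lDqGibUUI5B5SniJ5YMVeTJSc1Jo9gTaKa9lRniMitY9FjzjQjDF4yGnhNPmmKG
+zIvVOXIhQpcw3UhEMmDz6p1wr3wMDtjufoaxaTjoAuxUzSwwFqxzzcJenQiHoFeQ
+B6cJ5RayizadlkqBnHAkrzAB0aM9W8zh5AhIcnO6gfGBaOFom+I5Huy3TyZ9FjTn
+vlxVM5txPV5VsBPMK96hF6mnWeKNg/22qY0X+wo8T33G4LvWIwIDAQABo1MwUTAd
+BgNVHQ4EFgQUD+bFpMAOhNSptdQo+NZle+Yd1L4wHwYDVR0jBBgwFoAUD+bFpMAO
+hNSptdQo+NZle+Yd1L4wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
+AgEAmE21e2H51volFI0CboDakb5T9VLkDzLgmxH2iZPBJrnQBFaPTEaQnM93pDq+
+czfc7+WJL+6TUyUYFOg2rueK/KWC3AQYUrsb+i3BDNZVv74f3wLidmqELcyjHO8m
+7yoGIgeG8ksMYPCzPfuuFHYNDiv11brmbdhdGGbvQMbayLYvhB543J5sTiUsr3iv
+ShKvmr/krAbdj6ZK2m6us+pFktjjbirHVqj5tE+RvEC9oHSngyCRCKJEuEDt+gUK
+gmSFh1+AFJdjWqYqnX7kPu6N4x4KoH72OUkd7NHpzkG57UM0iVQ8jCAclkZxrpng
+HCD+dY0JnIlF+LJ7qGgmrNQQvTZ11hWyV7fRHcCPwuqT0kJC/yjWWXEafsMWTPl7
+2zrQg5YW0zbcWfRzo1ucx0tf47unRjVqjaXjyyzkgkHrqZH939SrAy9e2SFZUqdy
+qIXwGmZktzL8DU+8ZH47R+CIwcv59l4Wy889fUrjk4Kgg45IhqnP5NMg2Z8aytUH
+0Zwo0iJxuCe0tQTdSMvYC0PoWsEyR4KULEU83GfCbGZQG8hOFAPHXV0CpM025+9Y
+L8ITFP+Nw9Meiw4etw59CTAPCc7l4Zvwr1K2ZTBmVGxrqdasiqpI0utG69aItsPi
++9V8SSde7D5iMV/3z9LDxA/oLoqNGFcD0TSR5+obeqJzl40=
+-----END CERTIFICATE-----`),
+PKICertificateSubject: configv1.PKICertificateSubject{
+
+},
+},
+},
+SignedIdentity: &configv1.PolicyIdentity{
+MatchPolicy: configv1.IdentityMatchPolicyMatchRepository,
+},
+},
+},
+},
+invalidEmailPKIClusterImagePolicyName: {
+TypeMeta: metav1.TypeMeta{
+Kind: "ClusterImagePolicy",
+APIVersion: configv1.SchemeGroupVersion.String(),
+},
+ObjectMeta: metav1.ObjectMeta{Name: invalidEmailPKIClusterImagePolicyName},
+Spec: configv1.ClusterImagePolicySpec{
+Scopes: []configv1.ImageScope{testPKISignedPolicyScope},
+Policy: configv1.Policy{
+RootOfTrust: configv1.PolicyRootOfTrust{
+PolicyType: configv1.PKIRootOfTrust,
+PKI: &configv1.PKI{
+CertificateAuthorityRootsData: []byte(`-----BEGIN CERTIFICATE-----
+MIIFvzCCA6egAwIBAgIUZnH3ITyYQMAp6lvNYc0fjRzzuBcwDQYJKoZIhvcNAQEL
+BQAwbjELMAkGA1UEBhMCRVMxETAPBgNVBAcMCFZhbGVuY2lhMQswCQYDVQQKDAJJ
+VDERMA8GA1UECwwIU2VjdXJpdHkxLDAqBgNVBAMMI0xpbnV4ZXJhIFJvb3QgQ2Vy
+dGlmaWNhdGUgQXV0aG9yaXR5MCAXDTI0MDkzMDE2MjM1N1oYDzIwNTIwMjE1MTYy
+MzU3WjBuMQswCQYDVQQGEwJFUzERMA8GA1UEBwwIVmFsZW5jaWExCzAJBgNVBAoM
+AklUMREwDwYDVQQLDAhTZWN1cml0eTEsMCoGA1UEAwwjTGludXhlcmEgUm9vdCBD
+ZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
+AoICAQCy8vGuh6+27xqtsANJUMIeGaX/rjx5hIgh/eOcxZc2/azTB/zHnwjZX7qn
+Co3zaYZaS3ibOouS1yPv2G3NeRPwfGHn2kcR3QM7h4BdYxZ3SR/VioaWpVymLCm2
+/V2gQWMWKrtdYfOXBviqhhD9OIxrLSOqjac8T/icQcfN+dKktKyGlY7vJLKO9w2x
+IdpOTa2IDuYp5DNQV6vy9sDFglP/iafvcDkLGUhrsop8LeNcejpmpFBPRwJKXgan
+5spry6GgCpNNJuB/Hqgth0fGPjMEY8bPuVOCehnRxe094U01sGrobkkbnM+SxumA
+oLwk1//jC1K3HaKjkIOMMHxEzqYx0Q4RalvPWhd6o/KP5Cs+rd5+EwSeFuvbaIrF
+sEPZBPpH0UDLR0yiQNk2j4LVbV1xdP7tX8KtUvF8+E3Gm5SwnCodNbfnAUxNF4RK
+4lDqGibUUI5B5SniJ5YMVeTJSc1Jo9gTaKa9lRniMitY9FjzjQjDF4yGnhNPmmKG
+zIvVOXIhQpcw3UhEMmDz6p1wr3wMDtjufoaxaTjoAuxUzSwwFqxzzcJenQiHoFeQ
+B6cJ5RayizadlkqBnHAkrzAB0aM9W8zh5AhIcnO6gfGBaOFom+I5Huy3TyZ9FjTn
+vlxVM5txPV5VsBPMK96hF6mnWeKNg/22qY0X+wo8T33G4LvWIwIDAQABo1MwUTAd
+BgNVHQ4EFgQUD+bFpMAOhNSptdQo+NZle+Yd1L4wHwYDVR0jBBgwFoAUD+bFpMAO
+hNSptdQo+NZle+Yd1L4wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
+AgEAmE21e2H51volFI0CboDakb5T9VLkDzLgmxH2iZPBJrnQBFaPTEaQnM93pDq+
+czfc7+WJL+6TUyUYFOg2rueK/KWC3AQYUrsb+i3BDNZVv74f3wLidmqELcyjHO8m
+7yoGIgeG8ksMYPCzPfuuFHYNDiv11brmbdhdGGbvQMbayLYvhB543J5sTiUsr3iv
+ShKvmr/krAbdj6ZK2m6us+pFktjjbirHVqj5tE+RvEC9oHSngyCRCKJEuEDt+gUK
+gmSFh1+AFJdjWqYqnX7kPu6N4x4KoH72OUkd7NHpzkG57UM0iVQ8jCAclkZxrpng
+HCD+dY0JnIlF+LJ7qGgmrNQQvTZ11hWyV7fRHcCPwuqT0kJC/yjWWXEafsMWTPl7
+2zrQg5YW0zbcWfRzo1ucx0tf47unRjVqjaXjyyzkgkHrqZH939SrAy9e2SFZUqdy
+qIXwGmZktzL8DU+8ZH47R+CIwcv59l4Wy889fUrjk4Kgg45IhqnP5NMg2Z8aytUH
+0Zwo0iJxuCe0tQTdSMvYC0PoWsEyR4KULEU83GfCbGZQG8hOFAPHXV0CpM025+9Y
+L8ITFP+Nw9Meiw4etw59CTAPCc7l4Zvwr1K2ZTBmVGxrqdasiqpI0utG69aItsPi
++9V8SSde7D5iMV/3z9LDxA/oLoqNGFcD0TSR5+obeqJzl40=
+-----END CERTIFICATE-----`),
+PKICertificateSubject: configv1.PKICertificateSubject{
+
+},
+},
+},
+SignedIdentity: &configv1.PolicyIdentity{
+MatchPolicy: configv1.IdentityMatchPolicyMatchRepository,
+},
+},
+},
+},
 }
 return testClusterImagePolicies
 }
@@ -377,6 +583,100 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKvZH0CXTk8XQkETuxkzkl3Bi4ms5
 },
 },
 },
+invalidPKIImagePolicyName: {
+TypeMeta: metav1.TypeMeta{
+Kind: "ImagePolicy",
+APIVersion: configv1.SchemeGroupVersion.String(),
+},
+ObjectMeta: metav1.ObjectMeta{Name: invalidPKIImagePolicyName},
+Spec: configv1.ImagePolicySpec{
+Scopes: []configv1.ImageScope{testPKISignedPolicyScope},
+Policy: configv1.Policy{
+RootOfTrust: configv1.PolicyRootOfTrust{
+PolicyType: configv1.PKIRootOfTrust,
+PKI: &configv1.PKI{
+CertificateAuthorityRootsData: []byte(`-----BEGIN CERTIFICATE-----
+MIICYDCCAgagAwIBAgIUTq5IQKTGqI9XDqGzdGzm8mI43qkwCgYIKoZIzj0EAwIw
+fDELMAkGA1UEBhMCLS0xDjAMBgNVBAgTBVNUQVRFMREwDwYDVQQHEwhMT0NBTElU
+WTEVMBMGA1UEChMMT1JHQU5JU0FUSU9OMQ4wDAYDVQQLEwVMT0NBTDEjMCEGA1UE
+AxMaUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjQwNjA2MTQxODAwWhcN
+MzQwNjA0MTQxODAwWjB8MQswCQYDVQQGEwItLTEOMAwGA1UECBMFU1RBVEUxETAP
+BgNVBAcTCExPQ0FMSVRZMRUwEwYDVQQKEwxPUkdBTklTQVRJT04xDjAMBgNVBAsT
+BUxPQ0FMMSMwIQYDVQQDExpSb290IENlcnRpZmljYXRlIEF1dGhvcml0eTBZMBMG
+ByqGSM49AgEGCCqGSM49AwEHA0IABDYxY1BnzNsriTp9PZ0TSumXOg36Xr4fO6xa
+RHp7chgZ9KUhA+s2YoafOWobSiq3ZhfU5vjT2MVIeJjOZjw9EUWjZjBkMA4GA1Ud
+DwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBQQOPL7R8z2
+dG1h6uJ6bWX/xxl6mjAfBgNVHSMEGDAWgBQQOPL7R8z2dG1h6uJ6bWX/xxl6mjAK
+BggqhkjOPQQDAgNIADBFAiAf7kYcHVNe1kj6R8pdVlAckVZZTu6khmBlJoe32FEu
+TAIhALlR4yZRRYv2iaVPdgaptAI0LoDAtEUiO8Rb9FWJzpAN
+-----END CERTIFICATE-----`),
+PKICertificateSubject: configv1.PKICertificateSubject{
+
+},
+},
+},
+SignedIdentity: &configv1.PolicyIdentity{
+MatchPolicy: configv1.IdentityMatchPolicyMatchRepository,
+},
+},
+},
+},
+pkiImagePolicyName: {
+TypeMeta: metav1.TypeMeta{
+Kind: "ImagePolicy",
+APIVersion: configv1.SchemeGroupVersion.String(),
+},
+ObjectMeta: metav1.ObjectMeta{Name: pkiImagePolicyName},
+Spec: configv1.ImagePolicySpec{
+Scopes: []configv1.ImageScope{testPKISignedPolicyScope},
+Policy: configv1.Policy{
+RootOfTrust: configv1.PolicyRootOfTrust{
+PolicyType: configv1.PKIRootOfTrust,
+PKI: &configv1.PKI{
+CertificateAuthorityRootsData: []byte(`-----BEGIN CERTIFICATE-----
+MIIFvzCCA6egAwIBAgIUZnH3ITyYQMAp6lvNYc0fjRzzuBcwDQYJKoZIhvcNAQEL
+BQAwbjELMAkGA1UEBhMCRVMxETAPBgNVBAcMCFZhbGVuY2lhMQswCQYDVQQKDAJJ
+VDERMA8GA1UECwwIU2VjdXJpdHkxLDAqBgNVBAMMI0xpbnV4ZXJhIFJvb3QgQ2Vy
+dGlmaWNhdGUgQXV0aG9yaXR5MCAXDTI0MDkzMDE2MjM1N1oYDzIwNTIwMjE1MTYy
+MzU3WjBuMQswCQYDVQQGEwJFUzERMA8GA1UEBwwIVmFsZW5jaWExCzAJBgNVBAoM
+AklUMREwDwYDVQQLDAhTZWN1cml0eTEsMCoGA1UEAwwjTGludXhlcmEgUm9vdCBD
+ZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
+AoICAQCy8vGuh6+27xqtsANJUMIeGaX/rjx5hIgh/eOcxZc2/azTB/zHnwjZX7qn
+Co3zaYZaS3ibOouS1yPv2G3NeRPwfGHn2kcR3QM7h4BdYxZ3SR/VioaWpVymLCm2
+/V2gQWMWKrtdYfOXBviqhhD9OIxrLSOqjac8T/icQcfN+dKktKyGlY7vJLKO9w2x
+IdpOTa2IDuYp5DNQV6vy9sDFglP/iafvcDkLGUhrsop8LeNcejpmpFBPRwJKXgan
+5spry6GgCpNNJuB/Hqgth0fGPjMEY8bPuVOCehnRxe094U01sGrobkkbnM+SxumA
+oLwk1//jC1K3HaKjkIOMMHxEzqYx0Q4RalvPWhd6o/KP5Cs+rd5+EwSeFuvbaIrF
+sEPZBPpH0UDLR0yiQNk2j4LVbV1xdP7tX8KtUvF8+E3Gm5SwnCodNbfnAUxNF4RK
+4lDqGibUUI5B5SniJ5YMVeTJSc1Jo9gTaKa9lRniMitY9FjzjQjDF4yGnhNPmmKG
+zIvVOXIhQpcw3UhEMmDz6p1wr3wMDtjufoaxaTjoAuxUzSwwFqxzzcJenQiHoFeQ
+B6cJ5RayizadlkqBnHAkrzAB0aM9W8zh5AhIcnO6gfGBaOFom+I5Huy3TyZ9FjTn
+vlxVM5txPV5VsBPMK96hF6mnWeKNg/22qY0X+wo8T33G4LvWIwIDAQABo1MwUTAd
+BgNVHQ4EFgQUD+bFpMAOhNSptdQo+NZle+Yd1L4wHwYDVR0jBBgwFoAUD+bFpMAO
+hNSptdQo+NZle+Yd1L4wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
+AgEAmE21e2H51volFI0CboDakb5T9VLkDzLgmxH2iZPBJrnQBFaPTEaQnM93pDq+
+czfc7+WJL+6TUyUYFOg2rueK/KWC3AQYUrsb+i3BDNZVv74f3wLidmqELcyjHO8m
+7yoGIgeG8ksMYPCzPfuuFHYNDiv11brmbdhdGGbvQMbayLYvhB543J5sTiUsr3iv
+ShKvmr/krAbdj6ZK2m6us+pFktjjbirHVqj5tE+RvEC9oHSngyCRCKJEuEDt+gUK
+gmSFh1+AFJdjWqYqnX7kPu6N4x4KoH72OUkd7NHpzkG57UM0iVQ8jCAclkZxrpng
+HCD+dY0JnIlF+LJ7qGgmrNQQvTZ11hWyV7fRHcCPwuqT0kJC/yjWWXEafsMWTPl7
+2zrQg5YW0zbcWfRzo1ucx0tf47unRjVqjaXjyyzkgkHrqZH939SrAy9e2SFZUqdy
+qIXwGmZktzL8DU+8ZH47R+CIwcv59l4Wy889fUrjk4Kgg45IhqnP5NMg2Z8aytUH
+0Zwo0iJxuCe0tQTdSMvYC0PoWsEyR4KULEU83GfCbGZQG8hOFAPHXV0CpM025+9Y
+L8ITFP+Nw9Meiw4etw59CTAPCc7l4Zvwr1K2ZTBmVGxrqdasiqpI0utG69aItsPi
++9V8SSde7D5iMV/3z9LDxA/oLoqNGFcD0TSR5+obeqJzl40=
+-----END CERTIFICATE-----`),
+PKICertificateSubject: configv1.PKICertificateSubject{
+
+},
+},
+},
+SignedIdentity: &configv1.PolicyIdentity{
+MatchPolicy: configv1.IdentityMatchPolicyMatchRepository,
+},
+},
+},
+},
 }
 return testImagePolicies
 }
@@ -407,3 +707,36 @@ func waitForMCPConfigSpecChangeAndUpdated(oc *exutil.CLI, pool string, initialSp
 return machineconfighelper.IsMachineConfigPoolConditionTrue(mcp.Status.Conditions, mcfgv1.MachineConfigPoolUpdated)
 }, 20*time.Minute, 10*time.Second).Should(o.BeTrue())
 }
+
+func isDisconnectedCluster(oc *exutil.CLI) bool {
+networkConfig, err := oc.AdminConfigClient().ConfigV1().Networks().Get(context.Background(), "cluster", metav1.GetOptions{})
+if err != nil {
+e2e.Failf("unable to get cluster network config: %v", err)
+}
+usingIPv6 := false
+for _, clusterNetworkEntry := range networkConfig.Status.ClusterNetwork {
+addr, _, err := net.ParseCIDR(clusterNetworkEntry.CIDR)
+if err != nil {
+continue
+}
+if addr.To4() == nil {
+usingIPv6 = true
+break
+}
+}
+return usingIPv6
+}
+
+func verifyPodSignature(tctx context.Context, clif *e2e.Framework, expectPass bool, testPodName string, imageSpec string) error {
+pod, err := launchTestPod(tctx, clif, testPodName, imageSpec)
+if err != nil {
+return err
+}
+defer deleteTestPod(tctx, clif, testPodName)
+
+if expectPass {
+return e2epod.WaitForPodSuccessInNamespace(tctx, clif.ClientSet, pod.Name, pod.Namespace)
+} else {
+return waitForTestPodContainerToFailSignatureValidation(tctx, clif, pod)
+}
+}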
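Review bot: The error returned by `verifyFunc` is discarded in both new DescribeTable bodies (new lines 181 and 193), so a pod whose outcome contradicts `expectPass` never fails the spec; assert it in both places, e.g. `o.Expect(verifyFunc(tctx, clif, expectPass, testPodName, imageSpec)).NotTo(o.HaveOccurred())`. The `invalidEmailPKIClusterImagePolicyName` entry (new lines 476-531) is identical to `pkiClusterImagePolicyName` apart from its name — same CA bundle and an empty `PKICertificateSubject{}` — so the "fail with PKI email does not match" case cannot exercise an email mismatch unless the subject is populated somewhere outside this hunk; it presumably needs a non-matching `Email` in the subject. `isDisconnectedCluster` (new lines 711-728) actually reports whether any cluster network CIDR is IPv6, which is what the `// skip test on disconnected clusters.` comment, the function name and the skip message should say, and a `net.ParseCIDR` failure there is silently skipped rather than logged. The added `clusterImagePolicyKind`/`imagePolicyKind` constants are unused while every new `TypeMeta.Kind` still carries the string literal; either use the constants or drop them.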
