
Commit 2ade46e

committed
Add PKI image policy validation tests
Signed-off-by: Qi Wang <[email protected]>
1 parent c49344f commit 2ade46e

1 file changed

+335
-0
lines changed


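--- a/test/extended/imagepolicy/imagepolicy.go
+++ b/test/extended/imagepolicy/imagepolicy.go
@@ -23,7 +23,10 @@ import (
 )
 
 const (
+clusterImagePolicyKind = "ClusterImagePolicy"
+imagePolicyKind = "ImagePolicy"
 testSignedPolicyScope = "quay.io/openshifttest/busybox-testsigstoresigned@sha256:c5439d7db88ab5423999530349d327b04279ad3161d7596d2126dfb5b02bfd1f"
+testPKISignedPolicyScope = "quay.io/openshifttest/busybox-testsigstoresignedpki@sha256:c5439d7db88ab5423999530349d327b04279ad3161d7596d2126dfb5b02bfd1f"
 registriesWorkerPoolMachineConfig = "99-worker-generated-registries"
 registriesMasterPoolMachineConfig = "99-master-generated-registries"
 testPodName = "signature-validation-test-pod"
@@ -34,6 +37,11 @@ const (
 publiKeyRekorClusterImagePolicyName = "public-key-rekor-cluster-image-policy"
 invalidPublicKeyImagePolicyName = "invalid-public-key-image-policy"
 publiKeyRekorImagePolicyName = "public-key-rekor-image-policy"
+invalidPKIClusterImagePolicyName = "invalid-pki-cluster-image-policy"
+invalidPKIImagePolicyName = "invalid-pki-image-policy"
+pkiClusterImagePolicyName = "pki-cluster-image-policy"
+pkiImagePolicyName = "pki-image-policy"
+invalidEmailPKIClusterImagePolicyName = "invalid-email-pki-cluster-image-policy"
 )
 
 var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][Serial]", g.Ordered, func() {
@@ -142,6 +150,56 @@ var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][
 })
 })
 
+var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerificationPKI][Serial]", g.Ordered, func() {
+defer g.GinkgoRecover()
+var (
+oc = exutil.NewCLIWithoutNamespace("cluster-image-policy")
+tctx = context.Background()
+cli = exutil.NewCLIWithPodSecurityLevel("verifysigstore-e2e", admissionapi.LevelBaseline)
+clif = cli.KubeFramework()
+imgpolicyCli = exutil.NewCLIWithPodSecurityLevel("verifysigstore-imagepolicy-e2e", admissionapi.LevelBaseline)
+imgpolicyClif = imgpolicyCli.KubeFramework()
+testClusterImagePolicies = generateClusterImagePolicies()
+testImagePolicies = generateImagePolicies()
+)
+
+g.BeforeAll(func() {
+if !exutil.IsTechPreviewNoUpgrade(tctx, oc.AdminConfigClient()) {
+g.Skip("skipping, this feature is only supported on TechPreviewNoUpgrade clusters")
+}
+// skip test on disconnected clusters.
+if isDisconnectedCluster(oc) {
+g.Skip("skipping test on disconnected platform")
+}
+})
+
+g.DescribeTable("clusterimagepolicy signature validation tests",
+func(policyName string, expectPass bool, imageSpec string, verifyFunc func(tctx context.Context, clif *e2e.Framework, expectPass bool, testPodName string, imageSpec string) error) {
+createClusterImagePolicy(oc, testClusterImagePolicies[policyName])
+g.DeferCleanup(deleteClusterImagePolicy, oc, policyName)
+
+err := verifyFunc(tctx, clif, expectPass, testPodName, imageSpec)
+o.Expect(err).NotTo(o.HaveOccurred())
+},
+g.Entry("fail with PKI root of trust does not match the identity in the signature", invalidPKIClusterImagePolicyName, false, testPKISignedPolicyScope, verifyPodSignature),
+g.Entry("fail with PKI email does not match", invalidEmailPKIClusterImagePolicyName, false, testPKISignedPolicyScope, verifyPodSignature),
+g.Entry("pass with valid PKI", pkiClusterImagePolicyName, true, testPKISignedPolicyScope, verifyPodSignature),
+)
+
+g.DescribeTable("imagepolicy signature validation tests",
+func(policyName string, expectPass bool, imageSpec string, verifyFunc func(tctx context.Context, clif *e2e.Framework, expectPass bool, testPodName string, imageSpec string) error) {
+createImagePolicy(oc, testImagePolicies[policyName], imgpolicyClif.Namespace.Name)
+g.DeferCleanup(deleteImagePolicy, oc, policyName, imgpolicyClif.Namespace.Name)
+
+err := verifyFunc(tctx, imgpolicyClif, expectPass, testPodName, imageSpec)
+o.Expect(err).NotTo(o.HaveOccurred())
+},
+g.Entry("fail with PKI root of trust does not match the identity in the signature", invalidPKIImagePolicyName, false, testPKISignedPolicyScope, verifyPodSignature),
+g.Entry("pass with valid PKI", pkiImagePolicyName, true, testPKISignedPolicyScope, verifyPodSignature),
+)
+
+})
+
 func updateImageConfig(oc *exutil.CLI, allowedRegistries []string) {
 e2e.Logf("Updating image config with allowed registries")
 initialWorkerSpec := getMCPCurrentSpecConfigName(oc, workerPool)
@@ -323,6 +381,156 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKvZH0CXTk8XQkETuxkzkl3Bi4ms5
 },
 },
 },
+invalidPKIClusterImagePolicyName: {
+TypeMeta: metav1.TypeMeta{
+Kind: clusterImagePolicyKind,
+APIVersion: configv1.SchemeGroupVersion.String(),
+},
+ObjectMeta: metav1.ObjectMeta{Name: invalidPKIClusterImagePolicyName},
+Spec: configv1.ClusterImagePolicySpec{
+Scopes: []configv1.ImageScope{testPKISignedPolicyScope},
+Policy: configv1.Policy{
+RootOfTrust: configv1.PolicyRootOfTrust{
+PolicyType: configv1.PKIRootOfTrust,
+PKI: &configv1.PKI{
+CertificateAuthorityRootsData: []byte(`-----BEGIN CERTIFICATE-----
+MIICYDCCAgagAwIBAgIUTq5IQKTGqI9XDqGzdGzm8mI43qkwCgYIKoZIzj0EAwIw
+fDELMAkGA1UEBhMCLS0xDjAMBgNVBAgTBVNUQVRFMREwDwYDVQQHEwhMT0NBTElU
+WTEVMBMGA1UEChMMT1JHQU5JU0FUSU9OMQ4wDAYDVQQLEwVMT0NBTDEjMCEGA1UE
+AxMaUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjQwNjA2MTQxODAwWhcN
+MzQwNjA0MTQxODAwWjB8MQswCQYDVQQGEwItLTEOMAwGA1UECBMFU1RBVEUxETAP
+BgNVBAcTCExPQ0FMSVRZMRUwEwYDVQQKEwxPUkdBTklTQVRJT04xDjAMBgNVBAsT
+BUxPQ0FMMSMwIQYDVQQDExpSb290IENlcnRpZmljYXRlIEF1dGhvcml0eTBZMBMG
+ByqGSM49AgEGCCqGSM49AwEHA0IABDYxY1BnzNsriTp9PZ0TSumXOg36Xr4fO6xa
+RHp7chgZ9KUhA+s2YoafOWobSiq3ZhfU5vjT2MVIeJjOZjw9EUWjZjBkMA4GA1Ud
+DwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBQQOPL7R8z2
+dG1h6uJ6bWX/xxl6mjAfBgNVHSMEGDAWgBQQOPL7R8z2dG1h6uJ6bWX/xxl6mjAK
+BggqhkjOPQQDAgNIADBFAiAf7kYcHVNe1kj6R8pdVlAckVZZTu6khmBlJoe32FEu
+TAIhALlR4yZRRYv2iaVPdgaptAI0LoDAtEUiO8Rb9FWJzpAN
+-----END CERTIFICATE-----`),
+PKICertificateSubject: configv1.PKICertificateSubject{
+
+},
+},
+},
+SignedIdentity: &configv1.PolicyIdentity{
+MatchPolicy: configv1.IdentityMatchPolicyMatchRepository,
+},
+},
+},
+},
+pkiClusterImagePolicyName: {
+TypeMeta: metav1.TypeMeta{
+Kind: clusterImagePolicyKind,
+APIVersion: configv1.SchemeGroupVersion.String(),
+},
+ObjectMeta: metav1.ObjectMeta{Name: pkiClusterImagePolicyName},
+Spec: configv1.ClusterImagePolicySpec{
+Scopes: []configv1.ImageScope{testPKISignedPolicyScope},
+Policy: configv1.Policy{
+RootOfTrust: configv1.PolicyRootOfTrust{
+PolicyType: configv1.PKIRootOfTrust,
+PKI: &configv1.PKI{
+CertificateAuthorityRootsData: []byte(`-----BEGIN CERTIFICATE-----
+MIIFvzCCA6egAwIBAgIUZnH3ITyYQMAp6lvNYc0fjRzzuBcwDQYJKoZIhvcNAQEL
+BQAwbjELMAkGA1UEBhMCRVMxETAPBgNVBAcMCFZhbGVuY2lhMQswCQYDVQQKDAJJ
+VDERMA8GA1UECwwIU2VjdXJpdHkxLDAqBgNVBAMMI0xpbnV4ZXJhIFJvb3QgQ2Vy
+dGlmaWNhdGUgQXV0aG9yaXR5MCAXDTI0MDkzMDE2MjM1N1oYDzIwNTIwMjE1MTYy
+MzU3WjBuMQswCQYDVQQGEwJFUzERMA8GA1UEBwwIVmFsZW5jaWExCzAJBgNVBAoM
+AklUMREwDwYDVQQLDAhTZWN1cml0eTEsMCoGA1UEAwwjTGludXhlcmEgUm9vdCBD
+ZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
+AoICAQCy8vGuh6+27xqtsANJUMIeGaX/rjx5hIgh/eOcxZc2/azTB/zHnwjZX7qn
+Co3zaYZaS3ibOouS1yPv2G3NeRPwfGHn2kcR3QM7h4BdYxZ3SR/VioaWpVymLCm2
+/V2gQWMWKrtdYfOXBviqhhD9OIxrLSOqjac8T/icQcfN+dKktKyGlY7vJLKO9w2x
+IdpOTa2IDuYp5DNQV6vy9sDFglP/iafvcDkLGUhrsop8LeNcejpmpFBPRwJKXgan
+5spry6GgCpNNJuB/Hqgth0fGPjMEY8bPuVOCehnRxe094U01sGrobkkbnM+SxumA
+oLwk1//jC1K3HaKjkIOMMHxEzqYx0Q4RalvPWhd6o/KP5Cs+rd5+EwSeFuvbaIrF
+sEPZBPpH0UDLR0yiQNk2j4LVbV1xdP7tX8KtUvF8+E3Gm5SwnCodNbfnAUxNF4RK
+4lDqGibUUI5B5SniJ5YMVeTJSc1Jo9gTaKa9lRniMitY9FjzjQjDF4yGnhNPmmKG
+zIvVOXIhQpcw3UhEMmDz6p1wr3wMDtjufoaxaTjoAuxUzSwwFqxzzcJenQiHoFeQ
+B6cJ5RayizadlkqBnHAkrzAB0aM9W8zh5AhIcnO6gfGBaOFom+I5Huy3TyZ9FjTn
+vlxVM5txPV5VsBPMK96hF6mnWeKNg/22qY0X+wo8T33G4LvWIwIDAQABo1MwUTAd
+BgNVHQ4EFgQUD+bFpMAOhNSptdQo+NZle+Yd1L4wHwYDVR0jBBgwFoAUD+bFpMAO
+hNSptdQo+NZle+Yd1L4wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
+AgEAmE21e2H51volFI0CboDakb5T9VLkDzLgmxH2iZPBJrnQBFaPTEaQnM93pDq+
+czfc7+WJL+6TUyUYFOg2rueK/KWC3AQYUrsb+i3BDNZVv74f3wLidmqELcyjHO8m
+7yoGIgeG8ksMYPCzPfuuFHYNDiv11brmbdhdGGbvQMbayLYvhB543J5sTiUsr3iv
+ShKvmr/krAbdj6ZK2m6us+pFktjjbirHVqj5tE+RvEC9oHSngyCRCKJEuEDt+gUK
+gmSFh1+AFJdjWqYqnX7kPu6N4x4KoH72OUkd7NHpzkG57UM0iVQ8jCAclkZxrpng
+HCD+dY0JnIlF+LJ7qGgmrNQQvTZ11hWyV7fRHcCPwuqT0kJC/yjWWXEafsMWTPl7
+2zrQg5YW0zbcWfRzo1ucx0tf47unRjVqjaXjyyzkgkHrqZH939SrAy9e2SFZUqdy
+qIXwGmZktzL8DU+8ZH47R+CIwcv59l4Wy889fUrjk4Kgg45IhqnP5NMg2Z8aytUH
+0Zwo0iJxuCe0tQTdSMvYC0PoWsEyR4KULEU83GfCbGZQG8hOFAPHXV0CpM025+9Y
+L8ITFP+Nw9Meiw4etw59CTAPCc7l4Zvwr1K2ZTBmVGxrqdasiqpI0utG69aItsPi
++9V8SSde7D5iMV/3z9LDxA/oLoqNGFcD0TSR5+obeqJzl40=
+-----END CERTIFICATE-----`),
+PKICertificateSubject: configv1.PKICertificateSubject{
+
+},
+},
+},
+SignedIdentity: &configv1.PolicyIdentity{
+MatchPolicy: configv1.IdentityMatchPolicyMatchRepository,
+},
+},
+},
+},
+invalidEmailPKIClusterImagePolicyName: {
+TypeMeta: metav1.TypeMeta{
+Kind: clusterImagePolicyKind,
+APIVersion: configv1.SchemeGroupVersion.String(),
+},
+ObjectMeta: metav1.ObjectMeta{Name: invalidEmailPKIClusterImagePolicyName},
+Spec: configv1.ClusterImagePolicySpec{
+Scopes: []configv1.ImageScope{testPKISignedPolicyScope},
+Policy: configv1.Policy{
+RootOfTrust: configv1.PolicyRootOfTrust{
+PolicyType: configv1.PKIRootOfTrust,
+PKI: &configv1.PKI{
+CertificateAuthorityRootsData: []byte(`-----BEGIN CERTIFICATE-----
+MIIFvzCCA6egAwIBAgIUZnH3ITyYQMAp6lvNYc0fjRzzuBcwDQYJKoZIhvcNAQEL
+BQAwbjELMAkGA1UEBhMCRVMxETAPBgNVBAcMCFZhbGVuY2lhMQswCQYDVQQKDAJJ
+VDERMA8GA1UECwwIU2VjdXJpdHkxLDAqBgNVBAMMI0xpbnV4ZXJhIFJvb3QgQ2Vy
+dGlmaWNhdGUgQXV0aG9yaXR5MCAXDTI0MDkzMDE2MjM1N1oYDzIwNTIwMjE1MTYy
+MzU3WjBuMQswCQYDVQQGEwJFUzERMA8GA1UEBwwIVmFsZW5jaWExCzAJBgNVBAoM
+AklUMREwDwYDVQQLDAhTZWN1cml0eTEsMCoGA1UEAwwjTGludXhlcmEgUm9vdCBD
+ZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
+AoICAQCy8vGuh6+27xqtsANJUMIeGaX/rjx5hIgh/eOcxZc2/azTB/zHnwjZX7qn
+Co3zaYZaS3ibOouS1yPv2G3NeRPwfGHn2kcR3QM7h4BdYxZ3SR/VioaWpVymLCm2
+/V2gQWMWKrtdYfOXBviqhhD9OIxrLSOqjac8T/icQcfN+dKktKyGlY7vJLKO9w2x
+IdpOTa2IDuYp5DNQV6vy9sDFglP/iafvcDkLGUhrsop8LeNcejpmpFBPRwJKXgan
+5spry6GgCpNNJuB/Hqgth0fGPjMEY8bPuVOCehnRxe094U01sGrobkkbnM+SxumA
+oLwk1//jC1K3HaKjkIOMMHxEzqYx0Q4RalvPWhd6o/KP5Cs+rd5+EwSeFuvbaIrF
+sEPZBPpH0UDLR0yiQNk2j4LVbV1xdP7tX8KtUvF8+E3Gm5SwnCodNbfnAUxNF4RK
+4lDqGibUUI5B5SniJ5YMVeTJSc1Jo9gTaKa9lRniMitY9FjzjQjDF4yGnhNPmmKG
+zIvVOXIhQpcw3UhEMmDz6p1wr3wMDtjufoaxaTjoAuxUzSwwFqxzzcJenQiHoFeQ
+B6cJ5RayizadlkqBnHAkrzAB0aM9W8zh5AhIcnO6gfGBaOFom+I5Huy3TyZ9FjTn
+vlxVM5txPV5VsBPMK96hF6mnWeKNg/22qY0X+wo8T33G4LvWIwIDAQABo1MwUTAd
+BgNVHQ4EFgQUD+bFpMAOhNSptdQo+NZle+Yd1L4wHwYDVR0jBBgwFoAUD+bFpMAO
+hNSptdQo+NZle+Yd1L4wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
+AgEAmE21e2H51volFI0CboDakb5T9VLkDzLgmxH2iZPBJrnQBFaPTEaQnM93pDq+
+czfc7+WJL+6TUyUYFOg2rueK/KWC3AQYUrsb+i3BDNZVv74f3wLidmqELcyjHO8m
+7yoGIgeG8ksMYPCzPfuuFHYNDiv11brmbdhdGGbvQMbayLYvhB543J5sTiUsr3iv
+ShKvmr/krAbdj6ZK2m6us+pFktjjbirHVqj5tE+RvEC9oHSngyCRCKJEuEDt+gUK
+gmSFh1+AFJdjWqYqnX7kPu6N4x4KoH72OUkd7NHpzkG57UM0iVQ8jCAclkZxrpng
+HCD+dY0JnIlF+LJ7qGgmrNQQvTZ11hWyV7fRHcCPwuqT0kJC/yjWWXEafsMWTPl7
+2zrQg5YW0zbcWfRzo1ucx0tf47unRjVqjaXjyyzkgkHrqZH939SrAy9e2SFZUqdy
+qIXwGmZktzL8DU+8ZH47R+CIwcv59l4Wy889fUrjk4Kgg45IhqnP5NMg2Z8aytUH
+0Zwo0iJxuCe0tQTdSMvYC0PoWsEyR4KULEU83GfCbGZQG8hOFAPHXV0CpM025+9Y
+L8ITFP+Nw9Meiw4etw59CTAPCc7l4Zvwr1K2ZTBmVGxrqdasiqpI0utG69aItsPi
++9V8SSde7D5iMV/3z9LDxA/oLoqNGFcD0TSR5+obeqJzl40=
+-----END CERTIFICATE-----`),
+PKICertificateSubject: configv1.PKICertificateSubject{
+
+},
+},
+},
+SignedIdentity: &configv1.PolicyIdentity{
+MatchPolicy: configv1.IdentityMatchPolicyMatchRepository,
+},
+},
+},
+},
 }
 return testClusterImagePolicies
 }
@@ -377,6 +585,100 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKvZH0CXTk8XQkETuxkzkl3Bi4ms5
 },
 },
 },
+invalidPKIImagePolicyName: {
+TypeMeta: metav1.TypeMeta{
+Kind: imagePolicyKind,
+APIVersion: configv1.SchemeGroupVersion.String(),
+},
+ObjectMeta: metav1.ObjectMeta{Name: invalidPKIImagePolicyName},
+Spec: configv1.ImagePolicySpec{
+Scopes: []configv1.ImageScope{testPKISignedPolicyScope},
+Policy: configv1.Policy{
+RootOfTrust: configv1.PolicyRootOfTrust{
+PolicyType: configv1.PKIRootOfTrust,
+PKI: &configv1.PKI{
+CertificateAuthorityRootsData: []byte(`-----BEGIN CERTIFICATE-----
+MIICYDCCAgagAwIBAgIUTq5IQKTGqI9XDqGzdGzm8mI43qkwCgYIKoZIzj0EAwIw
+fDELMAkGA1UEBhMCLS0xDjAMBgNVBAgTBVNUQVRFMREwDwYDVQQHEwhMT0NBTElU
+WTEVMBMGA1UEChMMT1JHQU5JU0FUSU9OMQ4wDAYDVQQLEwVMT0NBTDEjMCEGA1UE
+AxMaUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjQwNjA2MTQxODAwWhcN
+MzQwNjA0MTQxODAwWjB8MQswCQYDVQQGEwItLTEOMAwGA1UECBMFU1RBVEUxETAP
+BgNVBAcTCExPQ0FMSVRZMRUwEwYDVQQKEwxPUkdBTklTQVRJT04xDjAMBgNVBAsT
+BUxPQ0FMMSMwIQYDVQQDExpSb290IENlcnRpZmljYXRlIEF1dGhvcml0eTBZMBMG
+ByqGSM49AgEGCCqGSM49AwEHA0IABDYxY1BnzNsriTp9PZ0TSumXOg36Xr4fO6xa
+RHp7chgZ9KUhA+s2YoafOWobSiq3ZhfU5vjT2MVIeJjOZjw9EUWjZjBkMA4GA1Ud
+DwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBQQOPL7R8z2
+dG1h6uJ6bWX/xxl6mjAfBgNVHSMEGDAWgBQQOPL7R8z2dG1h6uJ6bWX/xxl6mjAK
+BggqhkjOPQQDAgNIADBFAiAf7kYcHVNe1kj6R8pdVlAckVZZTu6khmBlJoe32FEu
+TAIhALlR4yZRRYv2iaVPdgaptAI0LoDAtEUiO8Rb9FWJzpAN
+-----END CERTIFICATE-----`),
+PKICertificateSubject: configv1.PKICertificateSubject{
+
+},
+},
+},
+SignedIdentity: &configv1.PolicyIdentity{
+MatchPolicy: configv1.IdentityMatchPolicyMatchRepository,
+},
+},
+},
+},
+pkiImagePolicyName: {
+TypeMeta: metav1.TypeMeta{
+Kind: imagePolicyKind,
+APIVersion: configv1.SchemeGroupVersion.String(),
+},
+ObjectMeta: metav1.ObjectMeta{Name: pkiImagePolicyName},
+Spec: configv1.ImagePolicySpec{
+Scopes: []configv1.ImageScope{testPKISignedPolicyScope},
+Policy: configv1.Policy{
+RootOfTrust: configv1.PolicyRootOfTrust{
+PolicyType: configv1.PKIRootOfTrust,
+PKI: &configv1.PKI{
+CertificateAuthorityRootsData: []byte(`-----BEGIN CERTIFICATE-----
+MIIFvzCCA6egAwIBAgIUZnH3ITyYQMAp6lvNYc0fjRzzuBcwDQYJKoZIhvcNAQEL
+BQAwbjELMAkGA1UEBhMCRVMxETAPBgNVBAcMCFZhbGVuY2lhMQswCQYDVQQKDAJJ
+VDERMA8GA1UECwwIU2VjdXJpdHkxLDAqBgNVBAMMI0xpbnV4ZXJhIFJvb3QgQ2Vy
+dGlmaWNhdGUgQXV0aG9yaXR5MCAXDTI0MDkzMDE2MjM1N1oYDzIwNTIwMjE1MTYy
+MzU3WjBuMQswCQYDVQQGEwJFUzERMA8GA1UEBwwIVmFsZW5jaWExCzAJBgNVBAoM
+AklUMREwDwYDVQQLDAhTZWN1cml0eTEsMCoGA1UEAwwjTGludXhlcmEgUm9vdCBD
+ZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
+AoICAQCy8vGuh6+27xqtsANJUMIeGaX/rjx5hIgh/eOcxZc2/azTB/zHnwjZX7qn
+Co3zaYZaS3ibOouS1yPv2G3NeRPwfGHn2kcR3QM7h4BdYxZ3SR/VioaWpVymLCm2
+/V2gQWMWKrtdYfOXBviqhhD9OIxrLSOqjac8T/icQcfN+dKktKyGlY7vJLKO9w2x
+IdpOTa2IDuYp5DNQV6vy9sDFglP/iafvcDkLGUhrsop8LeNcejpmpFBPRwJKXgan
+5spry6GgCpNNJuB/Hqgth0fGPjMEY8bPuVOCehnRxe094U01sGrobkkbnM+SxumA
+oLwk1//jC1K3HaKjkIOMMHxEzqYx0Q4RalvPWhd6o/KP5Cs+rd5+EwSeFuvbaIrF
+sEPZBPpH0UDLR0yiQNk2j4LVbV1xdP7tX8KtUvF8+E3Gm5SwnCodNbfnAUxNF4RK
+4lDqGibUUI5B5SniJ5YMVeTJSc1Jo9gTaKa9lRniMitY9FjzjQjDF4yGnhNPmmKG
+zIvVOXIhQpcw3UhEMmDz6p1wr3wMDtjufoaxaTjoAuxUzSwwFqxzzcJenQiHoFeQ
+B6cJ5RayizadlkqBnHAkrzAB0aM9W8zh5AhIcnO6gfGBaOFom+I5Huy3TyZ9FjTn
+vlxVM5txPV5VsBPMK96hF6mnWeKNg/22qY0X+wo8T33G4LvWIwIDAQABo1MwUTAd
+BgNVHQ4EFgQUD+bFpMAOhNSptdQo+NZle+Yd1L4wHwYDVR0jBBgwFoAUD+bFpMAO
+hNSptdQo+NZle+Yd1L4wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
+AgEAmE21e2H51volFI0CboDakb5T9VLkDzLgmxH2iZPBJrnQBFaPTEaQnM93pDq+
+czfc7+WJL+6TUyUYFOg2rueK/KWC3AQYUrsb+i3BDNZVv74f3wLidmqELcyjHO8m
+7yoGIgeG8ksMYPCzPfuuFHYNDiv11brmbdhdGGbvQMbayLYvhB543J5sTiUsr3iv
+ShKvmr/krAbdj6ZK2m6us+pFktjjbirHVqj5tE+RvEC9oHSngyCRCKJEuEDt+gUK
+gmSFh1+AFJdjWqYqnX7kPu6N4x4KoH72OUkd7NHpzkG57UM0iVQ8jCAclkZxrpng
+HCD+dY0JnIlF+LJ7qGgmrNQQvTZ11hWyV7fRHcCPwuqT0kJC/yjWWXEafsMWTPl7
+2zrQg5YW0zbcWfRzo1ucx0tf47unRjVqjaXjyyzkgkHrqZH939SrAy9e2SFZUqdy
+qIXwGmZktzL8DU+8ZH47R+CIwcv59l4Wy889fUrjk4Kgg45IhqnP5NMg2Z8aytUH
+0Zwo0iJxuCe0tQTdSMvYC0PoWsEyR4KULEU83GfCbGZQG8hOFAPHXV0CpM025+9Y
+L8ITFP+Nw9Meiw4etw59CTAPCc7l4Zvwr1K2ZTBmVGxrqdasiqpI0utG69aItsPi
++9V8SSde7D5iMV/3z9LDxA/oLoqNGFcD0TSR5+obeqJzl40=
+-----END CERTIFICATE-----`),
+PKICertificateSubject: configv1.PKICertificateSubject{
+
+},
+},
+},
+SignedIdentity: &configv1.PolicyIdentity{
+MatchPolicy: configv1.IdentityMatchPolicyMatchRepository,
+},
+},
+},
+},
 }
 return testImagePolicies
 }
@@ -407,3 +709,36 @@ func waitForMCPConfigSpecChangeAndUpdated(oc *exutil.CLI, pool string, initialSp
 return machineconfighelper.IsMachineConfigPoolConditionTrue(mcp.Status.Conditions, mcfgv1.MachineConfigPoolUpdated)
 }, 20*time.Minute, 10*time.Second).Should(o.BeTrue())
 }
+
+func isDisconnectedCluster(oc *exutil.CLI) bool {
+networkConfig, err := oc.AdminConfigClient().ConfigV1().Networks().Get(context.Background(), "cluster", metav1.GetOptions{})
+if err != nil {
+e2e.Failf("unable to get cluster network config: %v", err)
+}
+usingIPv6 := false
+for _, clusterNetworkEntry := range networkConfig.Status.ClusterNetwork {
+addr, _, err := net.ParseCIDR(clusterNetworkEntry.CIDR)
+if err != nil {
+continue
+}
+if addr.To4() == nil {
+usingIPv6 = true
+break
+}
+}
+return usingIPv6
+}
+
+func verifyPodSignature(tctx context.Context, clif *e2e.Framework, expectPass bool, testPodName string, imageSpec string) error {
+pod, err := launchTestPod(tctx, clif, testPodName, imageSpec)
+if err != nil {
+return err
+}
+defer deleteTestPod(tctx, clif, testPodName)
+
+if expectPass {
+return e2epod.WaitForPodSuccessInNamespace(tctx, clif.ClientSet, pod.Name, pod.Namespace)
+} else {
+return waitForTestPodContainerToFailSignatureValidation(tctx, clif, pod)
+}
+}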
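Review bot: `isDisconnectedCluster` (new lines 713-730) does not detect a disconnected cluster; its body only reports whether some entry in `networkConfig.Status.ClusterNetwork` parses as an IPv6 CIDR, so the `BeforeAll` skip at new lines 170-173 ("skipping test on disconnected platform") actually skips IPv6 clusters and still lets a genuinely disconnected IPv4 cluster attempt the pull from quay.io. Either rename the helper to what it measures, `func isIPv6Cluster(oc *exutil.CLI) bool`, and change the skip message to match, or derive the disconnected signal from registry reachability or the cluster's mirror configuration rather than from address family, and give the function a doc comment such as `// isDisconnectedCluster reports whether the cluster cannot reach external registries; currently approximated by IPv6 detection`. The `continue` on a `net.ParseCIDR` error at line 721 silently drops a malformed entry and should at least be logged with the offending CIDR. Separately, every `PKICertificateSubject{}` in the new fixtures renders empty on this page (lines 412, 469, 524, 616, 672), which would leave the `invalid-email-pki-cluster-image-policy` fixture identical to the valid `pki-cluster-image-policy` one apart from its name; if the subject fields were dropped by the page rendering rather than absent from the code, disregard this last point.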
