@@ -23,7 +23,10 @@ import (
23
23
)
24
24
25
25
const (
26
+ clusterImagePolicyKind = "ClusterImagePolicy"
27
+ imagePolicyKind = "ImagePolicy"
26
28
testSignedPolicyScope = "quay.io/openshifttest/busybox-testsigstoresigned@sha256:c5439d7db88ab5423999530349d327b04279ad3161d7596d2126dfb5b02bfd1f"
29
+ testPKISignedPolicyScope = "quay.io/openshifttest/busybox-testsigstoresignedpki@sha256:c5439d7db88ab5423999530349d327b04279ad3161d7596d2126dfb5b02bfd1f"
27
30
registriesWorkerPoolMachineConfig = "99-worker-generated-registries"
28
31
registriesMasterPoolMachineConfig = "99-master-generated-registries"
29
32
testPodName = "signature-validation-test-pod"
@@ -34,6 +37,11 @@ const (
34
37
publiKeyRekorClusterImagePolicyName = "public-key-rekor-cluster-image-policy"
35
38
invalidPublicKeyImagePolicyName = "invalid-public-key-image-policy"
36
39
publiKeyRekorImagePolicyName = "public-key-rekor-image-policy"
40
+ invalidPKIClusterImagePolicyName = "invalid-pki-cluster-image-policy"
41
+ invalidPKIImagePolicyName = "invalid-pki-image-policy"
42
+ pkiClusterImagePolicyName = "pki-cluster-image-policy"
43
+ pkiImagePolicyName = "pki-image-policy"
44
+ invalidEmailPKIClusterImagePolicyName = "invalid-email-pki-cluster-image-policy"
37
45
)
38
46
39
47
var _ = g .Describe ("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][Serial]" , g .Ordered , func () {
@@ -142,6 +150,56 @@ var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][
142
150
})
143
151
})
144
152
153
+ var _ = g .Describe ("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerificationPKI][Serial]" , g .Ordered , func () {
154
+ defer g .GinkgoRecover ()
155
+ var (
156
+ oc = exutil .NewCLIWithoutNamespace ("cluster-image-policy" )
157
+ tctx = context .Background ()
158
+ cli = exutil .NewCLIWithPodSecurityLevel ("verifysigstore-e2e" , admissionapi .LevelBaseline )
159
+ clif = cli .KubeFramework ()
160
+ imgpolicyCli = exutil .NewCLIWithPodSecurityLevel ("verifysigstore-imagepolicy-e2e" , admissionapi .LevelBaseline )
161
+ imgpolicyClif = imgpolicyCli .KubeFramework ()
162
+ testClusterImagePolicies = generateClusterImagePolicies ()
163
+ testImagePolicies = generateImagePolicies ()
164
+ )
165
+
166
+ g .BeforeAll (func () {
167
+ if ! exutil .IsTechPreviewNoUpgrade (tctx , oc .AdminConfigClient ()) {
168
+ g .Skip ("skipping, this feature is only supported on TechPreviewNoUpgrade clusters" )
169
+ }
170
+ // skip test on disconnected clusters.
171
+ if isDisconnectedCluster (oc ) {
172
+ g .Skip ("skipping test on disconnected platform" )
173
+ }
174
+ })
175
+
176
+ g .DescribeTable ("clusterimagepolicy signature validation tests" ,
177
+ func (policyName string , expectPass bool , imageSpec string , verifyFunc func (tctx context.Context , clif * e2e.Framework , expectPass bool , testPodName string , imageSpec string ) error ) {
178
+ createClusterImagePolicy (oc , testClusterImagePolicies [policyName ])
179
+ g .DeferCleanup (deleteClusterImagePolicy , oc , policyName )
180
+
181
+ err := verifyFunc (tctx , clif , expectPass , testPodName , imageSpec )
182
+ o .Expect (err ).NotTo (o .HaveOccurred ())
183
+ },
184
+ g .Entry ("fail with PKI root of trust does not match the identity in the signature" , invalidPKIClusterImagePolicyName , false , testPKISignedPolicyScope , verifyPodSignature ),
185
+ g .Entry ("fail with PKI email does not match" , invalidEmailPKIClusterImagePolicyName , false , testPKISignedPolicyScope , verifyPodSignature ),
186
+ g .Entry ("pass with valid PKI" , pkiClusterImagePolicyName , true , testPKISignedPolicyScope , verifyPodSignature ),
187
+ )
188
+
189
+ g .DescribeTable ("imagepolicy signature validation tests" ,
190
+ func (policyName string , expectPass bool , imageSpec string , verifyFunc func (tctx context.Context , clif * e2e.Framework , expectPass bool , testPodName string , imageSpec string ) error ) {
191
+ createImagePolicy (oc , testImagePolicies [policyName ], imgpolicyClif .Namespace .Name )
192
+ g .DeferCleanup (deleteImagePolicy , oc , policyName , imgpolicyClif .Namespace .Name )
193
+
194
+ err := verifyFunc (tctx , imgpolicyClif , expectPass , testPodName , imageSpec )
195
+ o .Expect (err ).NotTo (o .HaveOccurred ())
196
+ },
197
+ g .Entry ("fail with PKI root of trust does not match the identity in the signature" , invalidPKIImagePolicyName , false , testPKISignedPolicyScope , verifyPodSignature ),
198
+ g .Entry ("pass with valid PKI" , pkiImagePolicyName , true , testPKISignedPolicyScope , verifyPodSignature ),
199
+ )
200
+
201
+ })
202
+
145
203
func updateImageConfig (oc * exutil.CLI , allowedRegistries []string ) {
146
204
e2e .Logf ("Updating image config with allowed registries" )
147
205
initialWorkerSpec := getMCPCurrentSpecConfigName (oc , workerPool )
@@ -323,6 +381,156 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKvZH0CXTk8XQkETuxkzkl3Bi4ms5
323
381
},
324
382
},
325
383
},
384
+ invalidPKIClusterImagePolicyName : {
385
+ TypeMeta : metav1.TypeMeta {
386
+ Kind : clusterImagePolicyKind ,
387
+ APIVersion : configv1 .SchemeGroupVersion .String (),
388
+ },
389
+ ObjectMeta : metav1.ObjectMeta {Name : invalidPKIClusterImagePolicyName },
390
+ Spec : configv1.ClusterImagePolicySpec {
391
+ Scopes : []configv1.ImageScope {testPKISignedPolicyScope },
392
+ Policy : configv1.Policy {
393
+ RootOfTrust : configv1.PolicyRootOfTrust {
394
+ PolicyType : configv1 .PKIRootOfTrust ,
395
+ PKI : & configv1.PKI {
396
+ CertificateAuthorityRootsData : []byte (`-----BEGIN CERTIFICATE-----
397
+ MIICYDCCAgagAwIBAgIUTq5IQKTGqI9XDqGzdGzm8mI43qkwCgYIKoZIzj0EAwIw
398
+ fDELMAkGA1UEBhMCLS0xDjAMBgNVBAgTBVNUQVRFMREwDwYDVQQHEwhMT0NBTElU
399
+ WTEVMBMGA1UEChMMT1JHQU5JU0FUSU9OMQ4wDAYDVQQLEwVMT0NBTDEjMCEGA1UE
400
+ AxMaUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjQwNjA2MTQxODAwWhcN
401
+ MzQwNjA0MTQxODAwWjB8MQswCQYDVQQGEwItLTEOMAwGA1UECBMFU1RBVEUxETAP
402
+ BgNVBAcTCExPQ0FMSVRZMRUwEwYDVQQKEwxPUkdBTklTQVRJT04xDjAMBgNVBAsT
403
+ BUxPQ0FMMSMwIQYDVQQDExpSb290IENlcnRpZmljYXRlIEF1dGhvcml0eTBZMBMG
404
+ ByqGSM49AgEGCCqGSM49AwEHA0IABDYxY1BnzNsriTp9PZ0TSumXOg36Xr4fO6xa
405
+ RHp7chgZ9KUhA+s2YoafOWobSiq3ZhfU5vjT2MVIeJjOZjw9EUWjZjBkMA4GA1Ud
406
+ DwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBQQOPL7R8z2
407
+ dG1h6uJ6bWX/xxl6mjAfBgNVHSMEGDAWgBQQOPL7R8z2dG1h6uJ6bWX/xxl6mjAK
408
+ BggqhkjOPQQDAgNIADBFAiAf7kYcHVNe1kj6R8pdVlAckVZZTu6khmBlJoe32FEu
409
+ TAIhALlR4yZRRYv2iaVPdgaptAI0LoDAtEUiO8Rb9FWJzpAN
410
+ -----END CERTIFICATE-----` ),
411
+ PKICertificateSubject : configv1.PKICertificateSubject {
412
+
413
+ },
414
+ },
415
+ },
416
+ SignedIdentity : & configv1.PolicyIdentity {
417
+ MatchPolicy : configv1 .IdentityMatchPolicyMatchRepository ,
418
+ },
419
+ },
420
+ },
421
+ },
422
+ pkiClusterImagePolicyName : {
423
+ TypeMeta : metav1.TypeMeta {
424
+ Kind : clusterImagePolicyKind ,
425
+ APIVersion : configv1 .SchemeGroupVersion .String (),
426
+ },
427
+ ObjectMeta : metav1.ObjectMeta {Name : pkiClusterImagePolicyName },
428
+ Spec : configv1.ClusterImagePolicySpec {
429
+ Scopes : []configv1.ImageScope {testPKISignedPolicyScope },
430
+ Policy : configv1.Policy {
431
+ RootOfTrust : configv1.PolicyRootOfTrust {
432
+ PolicyType : configv1 .PKIRootOfTrust ,
433
+ PKI : & configv1.PKI {
434
+ CertificateAuthorityRootsData : []byte (`-----BEGIN CERTIFICATE-----
435
+ MIIFvzCCA6egAwIBAgIUZnH3ITyYQMAp6lvNYc0fjRzzuBcwDQYJKoZIhvcNAQEL
436
+ BQAwbjELMAkGA1UEBhMCRVMxETAPBgNVBAcMCFZhbGVuY2lhMQswCQYDVQQKDAJJ
437
+ VDERMA8GA1UECwwIU2VjdXJpdHkxLDAqBgNVBAMMI0xpbnV4ZXJhIFJvb3QgQ2Vy
438
+ dGlmaWNhdGUgQXV0aG9yaXR5MCAXDTI0MDkzMDE2MjM1N1oYDzIwNTIwMjE1MTYy
439
+ MzU3WjBuMQswCQYDVQQGEwJFUzERMA8GA1UEBwwIVmFsZW5jaWExCzAJBgNVBAoM
440
+ AklUMREwDwYDVQQLDAhTZWN1cml0eTEsMCoGA1UEAwwjTGludXhlcmEgUm9vdCBD
441
+ ZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
442
+ AoICAQCy8vGuh6+27xqtsANJUMIeGaX/rjx5hIgh/eOcxZc2/azTB/zHnwjZX7qn
443
+ Co3zaYZaS3ibOouS1yPv2G3NeRPwfGHn2kcR3QM7h4BdYxZ3SR/VioaWpVymLCm2
444
+ /V2gQWMWKrtdYfOXBviqhhD9OIxrLSOqjac8T/icQcfN+dKktKyGlY7vJLKO9w2x
445
+ IdpOTa2IDuYp5DNQV6vy9sDFglP/iafvcDkLGUhrsop8LeNcejpmpFBPRwJKXgan
446
+ 5spry6GgCpNNJuB/Hqgth0fGPjMEY8bPuVOCehnRxe094U01sGrobkkbnM+SxumA
447
+ oLwk1//jC1K3HaKjkIOMMHxEzqYx0Q4RalvPWhd6o/KP5Cs+rd5+EwSeFuvbaIrF
448
+ sEPZBPpH0UDLR0yiQNk2j4LVbV1xdP7tX8KtUvF8+E3Gm5SwnCodNbfnAUxNF4RK
449
+ 4lDqGibUUI5B5SniJ5YMVeTJSc1Jo9gTaKa9lRniMitY9FjzjQjDF4yGnhNPmmKG
450
+ zIvVOXIhQpcw3UhEMmDz6p1wr3wMDtjufoaxaTjoAuxUzSwwFqxzzcJenQiHoFeQ
451
+ B6cJ5RayizadlkqBnHAkrzAB0aM9W8zh5AhIcnO6gfGBaOFom+I5Huy3TyZ9FjTn
452
+ vlxVM5txPV5VsBPMK96hF6mnWeKNg/22qY0X+wo8T33G4LvWIwIDAQABo1MwUTAd
453
+ BgNVHQ4EFgQUD+bFpMAOhNSptdQo+NZle+Yd1L4wHwYDVR0jBBgwFoAUD+bFpMAO
454
+ hNSptdQo+NZle+Yd1L4wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
455
+ AgEAmE21e2H51volFI0CboDakb5T9VLkDzLgmxH2iZPBJrnQBFaPTEaQnM93pDq+
456
+ czfc7+WJL+6TUyUYFOg2rueK/KWC3AQYUrsb+i3BDNZVv74f3wLidmqELcyjHO8m
457
+ 7yoGIgeG8ksMYPCzPfuuFHYNDiv11brmbdhdGGbvQMbayLYvhB543J5sTiUsr3iv
458
+ ShKvmr/krAbdj6ZK2m6us+pFktjjbirHVqj5tE+RvEC9oHSngyCRCKJEuEDt+gUK
459
+ gmSFh1+AFJdjWqYqnX7kPu6N4x4KoH72OUkd7NHpzkG57UM0iVQ8jCAclkZxrpng
460
+ HCD+dY0JnIlF+LJ7qGgmrNQQvTZ11hWyV7fRHcCPwuqT0kJC/yjWWXEafsMWTPl7
461
+ 2zrQg5YW0zbcWfRzo1ucx0tf47unRjVqjaXjyyzkgkHrqZH939SrAy9e2SFZUqdy
462
+ qIXwGmZktzL8DU+8ZH47R+CIwcv59l4Wy889fUrjk4Kgg45IhqnP5NMg2Z8aytUH
463
+ 0Zwo0iJxuCe0tQTdSMvYC0PoWsEyR4KULEU83GfCbGZQG8hOFAPHXV0CpM025+9Y
464
+ L8ITFP+Nw9Meiw4etw59CTAPCc7l4Zvwr1K2ZTBmVGxrqdasiqpI0utG69aItsPi
465
+ +9V8SSde7D5iMV/3z9LDxA/oLoqNGFcD0TSR5+obeqJzl40=
466
+ -----END CERTIFICATE-----` ),
467
+ PKICertificateSubject : configv1.PKICertificateSubject {
468
+
469
+ },
470
+ },
471
+ },
472
+ SignedIdentity : & configv1.PolicyIdentity {
473
+ MatchPolicy : configv1 .IdentityMatchPolicyMatchRepository ,
474
+ },
475
+ },
476
+ },
477
+ },
478
+ invalidEmailPKIClusterImagePolicyName : {
479
+ TypeMeta : metav1.TypeMeta {
480
+ Kind : clusterImagePolicyKind ,
481
+ APIVersion : configv1 .SchemeGroupVersion .String (),
482
+ },
483
+ ObjectMeta : metav1.ObjectMeta {Name : invalidEmailPKIClusterImagePolicyName },
484
+ Spec : configv1.ClusterImagePolicySpec {
485
+ Scopes : []configv1.ImageScope {testPKISignedPolicyScope },
486
+ Policy : configv1.Policy {
487
+ RootOfTrust : configv1.PolicyRootOfTrust {
488
+ PolicyType : configv1 .PKIRootOfTrust ,
489
+ PKI : & configv1.PKI {
490
+ CertificateAuthorityRootsData : []byte (`-----BEGIN CERTIFICATE-----
491
+ MIIFvzCCA6egAwIBAgIUZnH3ITyYQMAp6lvNYc0fjRzzuBcwDQYJKoZIhvcNAQEL
492
+ BQAwbjELMAkGA1UEBhMCRVMxETAPBgNVBAcMCFZhbGVuY2lhMQswCQYDVQQKDAJJ
493
+ VDERMA8GA1UECwwIU2VjdXJpdHkxLDAqBgNVBAMMI0xpbnV4ZXJhIFJvb3QgQ2Vy
494
+ dGlmaWNhdGUgQXV0aG9yaXR5MCAXDTI0MDkzMDE2MjM1N1oYDzIwNTIwMjE1MTYy
495
+ MzU3WjBuMQswCQYDVQQGEwJFUzERMA8GA1UEBwwIVmFsZW5jaWExCzAJBgNVBAoM
496
+ AklUMREwDwYDVQQLDAhTZWN1cml0eTEsMCoGA1UEAwwjTGludXhlcmEgUm9vdCBD
497
+ ZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
498
+ AoICAQCy8vGuh6+27xqtsANJUMIeGaX/rjx5hIgh/eOcxZc2/azTB/zHnwjZX7qn
499
+ Co3zaYZaS3ibOouS1yPv2G3NeRPwfGHn2kcR3QM7h4BdYxZ3SR/VioaWpVymLCm2
500
+ /V2gQWMWKrtdYfOXBviqhhD9OIxrLSOqjac8T/icQcfN+dKktKyGlY7vJLKO9w2x
501
+ IdpOTa2IDuYp5DNQV6vy9sDFglP/iafvcDkLGUhrsop8LeNcejpmpFBPRwJKXgan
502
+ 5spry6GgCpNNJuB/Hqgth0fGPjMEY8bPuVOCehnRxe094U01sGrobkkbnM+SxumA
503
+ oLwk1//jC1K3HaKjkIOMMHxEzqYx0Q4RalvPWhd6o/KP5Cs+rd5+EwSeFuvbaIrF
504
+ sEPZBPpH0UDLR0yiQNk2j4LVbV1xdP7tX8KtUvF8+E3Gm5SwnCodNbfnAUxNF4RK
505
+ 4lDqGibUUI5B5SniJ5YMVeTJSc1Jo9gTaKa9lRniMitY9FjzjQjDF4yGnhNPmmKG
506
+ zIvVOXIhQpcw3UhEMmDz6p1wr3wMDtjufoaxaTjoAuxUzSwwFqxzzcJenQiHoFeQ
507
+ B6cJ5RayizadlkqBnHAkrzAB0aM9W8zh5AhIcnO6gfGBaOFom+I5Huy3TyZ9FjTn
508
+ vlxVM5txPV5VsBPMK96hF6mnWeKNg/22qY0X+wo8T33G4LvWIwIDAQABo1MwUTAd
509
+ BgNVHQ4EFgQUD+bFpMAOhNSptdQo+NZle+Yd1L4wHwYDVR0jBBgwFoAUD+bFpMAO
510
+ hNSptdQo+NZle+Yd1L4wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
511
+ AgEAmE21e2H51volFI0CboDakb5T9VLkDzLgmxH2iZPBJrnQBFaPTEaQnM93pDq+
512
+ czfc7+WJL+6TUyUYFOg2rueK/KWC3AQYUrsb+i3BDNZVv74f3wLidmqELcyjHO8m
513
+ 7yoGIgeG8ksMYPCzPfuuFHYNDiv11brmbdhdGGbvQMbayLYvhB543J5sTiUsr3iv
514
+ ShKvmr/krAbdj6ZK2m6us+pFktjjbirHVqj5tE+RvEC9oHSngyCRCKJEuEDt+gUK
515
+ gmSFh1+AFJdjWqYqnX7kPu6N4x4KoH72OUkd7NHpzkG57UM0iVQ8jCAclkZxrpng
516
+ HCD+dY0JnIlF+LJ7qGgmrNQQvTZ11hWyV7fRHcCPwuqT0kJC/yjWWXEafsMWTPl7
517
+ 2zrQg5YW0zbcWfRzo1ucx0tf47unRjVqjaXjyyzkgkHrqZH939SrAy9e2SFZUqdy
518
+ qIXwGmZktzL8DU+8ZH47R+CIwcv59l4Wy889fUrjk4Kgg45IhqnP5NMg2Z8aytUH
519
+ 0Zwo0iJxuCe0tQTdSMvYC0PoWsEyR4KULEU83GfCbGZQG8hOFAPHXV0CpM025+9Y
520
+ L8ITFP+Nw9Meiw4etw59CTAPCc7l4Zvwr1K2ZTBmVGxrqdasiqpI0utG69aItsPi
521
+ +9V8SSde7D5iMV/3z9LDxA/oLoqNGFcD0TSR5+obeqJzl40=
522
+ -----END CERTIFICATE-----` ),
523
+ PKICertificateSubject : configv1.PKICertificateSubject {
524
+
525
+ },
526
+ },
527
+ },
528
+ SignedIdentity : & configv1.PolicyIdentity {
529
+ MatchPolicy : configv1 .IdentityMatchPolicyMatchRepository ,
530
+ },
531
+ },
532
+ },
533
+ },
326
534
}
327
535
return testClusterImagePolicies
328
536
}
@@ -377,6 +585,100 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKvZH0CXTk8XQkETuxkzkl3Bi4ms5
377
585
},
378
586
},
379
587
},
588
+ invalidPKIImagePolicyName : {
589
+ TypeMeta : metav1.TypeMeta {
590
+ Kind : imagePolicyKind ,
591
+ APIVersion : configv1 .SchemeGroupVersion .String (),
592
+ },
593
+ ObjectMeta : metav1.ObjectMeta {Name : invalidPKIImagePolicyName },
594
+ Spec : configv1.ImagePolicySpec {
595
+ Scopes : []configv1.ImageScope {testPKISignedPolicyScope },
596
+ Policy : configv1.Policy {
597
+ RootOfTrust : configv1.PolicyRootOfTrust {
598
+ PolicyType : configv1 .PKIRootOfTrust ,
599
+ PKI : & configv1.PKI {
600
+ CertificateAuthorityRootsData : []byte (`-----BEGIN CERTIFICATE-----
601
+ MIICYDCCAgagAwIBAgIUTq5IQKTGqI9XDqGzdGzm8mI43qkwCgYIKoZIzj0EAwIw
602
+ fDELMAkGA1UEBhMCLS0xDjAMBgNVBAgTBVNUQVRFMREwDwYDVQQHEwhMT0NBTElU
603
+ WTEVMBMGA1UEChMMT1JHQU5JU0FUSU9OMQ4wDAYDVQQLEwVMT0NBTDEjMCEGA1UE
604
+ AxMaUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjQwNjA2MTQxODAwWhcN
605
+ MzQwNjA0MTQxODAwWjB8MQswCQYDVQQGEwItLTEOMAwGA1UECBMFU1RBVEUxETAP
606
+ BgNVBAcTCExPQ0FMSVRZMRUwEwYDVQQKEwxPUkdBTklTQVRJT04xDjAMBgNVBAsT
607
+ BUxPQ0FMMSMwIQYDVQQDExpSb290IENlcnRpZmljYXRlIEF1dGhvcml0eTBZMBMG
608
+ ByqGSM49AgEGCCqGSM49AwEHA0IABDYxY1BnzNsriTp9PZ0TSumXOg36Xr4fO6xa
609
+ RHp7chgZ9KUhA+s2YoafOWobSiq3ZhfU5vjT2MVIeJjOZjw9EUWjZjBkMA4GA1Ud
610
+ DwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBQQOPL7R8z2
611
+ dG1h6uJ6bWX/xxl6mjAfBgNVHSMEGDAWgBQQOPL7R8z2dG1h6uJ6bWX/xxl6mjAK
612
+ BggqhkjOPQQDAgNIADBFAiAf7kYcHVNe1kj6R8pdVlAckVZZTu6khmBlJoe32FEu
613
+ TAIhALlR4yZRRYv2iaVPdgaptAI0LoDAtEUiO8Rb9FWJzpAN
614
+ -----END CERTIFICATE-----` ),
615
+ PKICertificateSubject : configv1.PKICertificateSubject {
616
+
617
+ },
618
+ },
619
+ },
620
+ SignedIdentity : & configv1.PolicyIdentity {
621
+ MatchPolicy : configv1 .IdentityMatchPolicyMatchRepository ,
622
+ },
623
+ },
624
+ },
625
+ },
626
+ pkiImagePolicyName : {
627
+ TypeMeta : metav1.TypeMeta {
628
+ Kind : imagePolicyKind ,
629
+ APIVersion : configv1 .SchemeGroupVersion .String (),
630
+ },
631
+ ObjectMeta : metav1.ObjectMeta {Name : pkiImagePolicyName },
632
+ Spec : configv1.ImagePolicySpec {
633
+ Scopes : []configv1.ImageScope {testPKISignedPolicyScope },
634
+ Policy : configv1.Policy {
635
+ RootOfTrust : configv1.PolicyRootOfTrust {
636
+ PolicyType : configv1 .PKIRootOfTrust ,
637
+ PKI : & configv1.PKI {
638
+ CertificateAuthorityRootsData : []byte (`-----BEGIN CERTIFICATE-----
639
+ MIIFvzCCA6egAwIBAgIUZnH3ITyYQMAp6lvNYc0fjRzzuBcwDQYJKoZIhvcNAQEL
640
+ BQAwbjELMAkGA1UEBhMCRVMxETAPBgNVBAcMCFZhbGVuY2lhMQswCQYDVQQKDAJJ
641
+ VDERMA8GA1UECwwIU2VjdXJpdHkxLDAqBgNVBAMMI0xpbnV4ZXJhIFJvb3QgQ2Vy
642
+ dGlmaWNhdGUgQXV0aG9yaXR5MCAXDTI0MDkzMDE2MjM1N1oYDzIwNTIwMjE1MTYy
643
+ MzU3WjBuMQswCQYDVQQGEwJFUzERMA8GA1UEBwwIVmFsZW5jaWExCzAJBgNVBAoM
644
+ AklUMREwDwYDVQQLDAhTZWN1cml0eTEsMCoGA1UEAwwjTGludXhlcmEgUm9vdCBD
645
+ ZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
646
+ AoICAQCy8vGuh6+27xqtsANJUMIeGaX/rjx5hIgh/eOcxZc2/azTB/zHnwjZX7qn
647
+ Co3zaYZaS3ibOouS1yPv2G3NeRPwfGHn2kcR3QM7h4BdYxZ3SR/VioaWpVymLCm2
648
+ /V2gQWMWKrtdYfOXBviqhhD9OIxrLSOqjac8T/icQcfN+dKktKyGlY7vJLKO9w2x
649
+ IdpOTa2IDuYp5DNQV6vy9sDFglP/iafvcDkLGUhrsop8LeNcejpmpFBPRwJKXgan
650
+ 5spry6GgCpNNJuB/Hqgth0fGPjMEY8bPuVOCehnRxe094U01sGrobkkbnM+SxumA
651
+ oLwk1//jC1K3HaKjkIOMMHxEzqYx0Q4RalvPWhd6o/KP5Cs+rd5+EwSeFuvbaIrF
652
+ sEPZBPpH0UDLR0yiQNk2j4LVbV1xdP7tX8KtUvF8+E3Gm5SwnCodNbfnAUxNF4RK
653
+ 4lDqGibUUI5B5SniJ5YMVeTJSc1Jo9gTaKa9lRniMitY9FjzjQjDF4yGnhNPmmKG
654
+ zIvVOXIhQpcw3UhEMmDz6p1wr3wMDtjufoaxaTjoAuxUzSwwFqxzzcJenQiHoFeQ
655
+ B6cJ5RayizadlkqBnHAkrzAB0aM9W8zh5AhIcnO6gfGBaOFom+I5Huy3TyZ9FjTn
656
+ vlxVM5txPV5VsBPMK96hF6mnWeKNg/22qY0X+wo8T33G4LvWIwIDAQABo1MwUTAd
657
+ BgNVHQ4EFgQUD+bFpMAOhNSptdQo+NZle+Yd1L4wHwYDVR0jBBgwFoAUD+bFpMAO
658
+ hNSptdQo+NZle+Yd1L4wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
659
+ AgEAmE21e2H51volFI0CboDakb5T9VLkDzLgmxH2iZPBJrnQBFaPTEaQnM93pDq+
660
+ czfc7+WJL+6TUyUYFOg2rueK/KWC3AQYUrsb+i3BDNZVv74f3wLidmqELcyjHO8m
661
+ 7yoGIgeG8ksMYPCzPfuuFHYNDiv11brmbdhdGGbvQMbayLYvhB543J5sTiUsr3iv
662
+ ShKvmr/krAbdj6ZK2m6us+pFktjjbirHVqj5tE+RvEC9oHSngyCRCKJEuEDt+gUK
663
+ gmSFh1+AFJdjWqYqnX7kPu6N4x4KoH72OUkd7NHpzkG57UM0iVQ8jCAclkZxrpng
664
+ HCD+dY0JnIlF+LJ7qGgmrNQQvTZ11hWyV7fRHcCPwuqT0kJC/yjWWXEafsMWTPl7
665
+ 2zrQg5YW0zbcWfRzo1ucx0tf47unRjVqjaXjyyzkgkHrqZH939SrAy9e2SFZUqdy
666
+ qIXwGmZktzL8DU+8ZH47R+CIwcv59l4Wy889fUrjk4Kgg45IhqnP5NMg2Z8aytUH
667
+ 0Zwo0iJxuCe0tQTdSMvYC0PoWsEyR4KULEU83GfCbGZQG8hOFAPHXV0CpM025+9Y
668
+ L8ITFP+Nw9Meiw4etw59CTAPCc7l4Zvwr1K2ZTBmVGxrqdasiqpI0utG69aItsPi
669
+ +9V8SSde7D5iMV/3z9LDxA/oLoqNGFcD0TSR5+obeqJzl40=
670
+ -----END CERTIFICATE-----` ),
671
+ PKICertificateSubject : configv1.PKICertificateSubject {
672
+
673
+ },
674
+ },
675
+ },
676
+ SignedIdentity : & configv1.PolicyIdentity {
677
+ MatchPolicy : configv1 .IdentityMatchPolicyMatchRepository ,
678
+ },
679
+ },
680
+ },
681
+ },
380
682
}
381
683
return testImagePolicies
382
684
}
@@ -407,3 +709,36 @@ func waitForMCPConfigSpecChangeAndUpdated(oc *exutil.CLI, pool string, initialSp
407
709
return machineconfighelper .IsMachineConfigPoolConditionTrue (mcp .Status .Conditions , mcfgv1 .MachineConfigPoolUpdated )
408
710
}, 20 * time .Minute , 10 * time .Second ).Should (o .BeTrue ())
409
711
}
712
+
713
+ func isDisconnectedCluster (oc * exutil.CLI ) bool {
714
+ networkConfig , err := oc .AdminConfigClient ().ConfigV1 ().Networks ().Get (context .Background (), "cluster" , metav1.GetOptions {})
715
+ if err != nil {
716
+ e2e .Failf ("unable to get cluster network config: %v" , err )
717
+ }
718
+ usingIPv6 := false
719
+ for _ , clusterNetworkEntry := range networkConfig .Status .ClusterNetwork {
720
+ addr , _ , err := net .ParseCIDR (clusterNetworkEntry .CIDR )
721
+ if err != nil {
722
+ continue
723
+ }
724
+ if addr .To4 () == nil {
725
+ usingIPv6 = true
726
+ break
727
+ }
728
+ }
729
+ return usingIPv6
730
+ }
731
+
732
+ func verifyPodSignature (tctx context.Context , clif * e2e.Framework , expectPass bool , testPodName string , imageSpec string ) error {
733
+ pod , err := launchTestPod (tctx , clif , testPodName , imageSpec )
734
+ if err != nil {
735
+ return err
736
+ }
737
+ defer deleteTestPod (tctx , clif , testPodName )
738
+
739
+ if expectPass {
740
+ return e2epod .WaitForPodSuccessInNamespace (tctx , clif .ClientSet , pod .Name , pod .Namespace )
741
+ } else {
742
+ return waitForTestPodContainerToFailSignatureValidation (tctx , clif , pod )
743
+ }
744
+ }
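Review bot: The entry `fail with PKI email does not match` (hunk 3, new line 185) uses invalidEmailPKIClusterImagePolicyName, whose spec in hunk 4 (new lines 478–532) is identical to pkiClusterImagePolicyName (new lines 422–476) — same CA roots, same empty `PKICertificateSubject{}`, same MatchRepository — so the same policy is expected to fail there and to pass at new line 186, and at least one of those two entries cannot hold. The failing case needs a subject that does not match the signing certificate, for example `PKICertificateSubject: configv1.PKICertificateSubject{Email: "nobody@example.invalid"}` (constructed value; confirm the field name against the configv1 type), and if the API requires a non-empty subject the pass case at new line 422 needs the matching one as well, otherwise it is rejected at create time. Separately, isDisconnectedCluster in hunk 6 only decides whether a cluster-network CIDR is IPv6, which is not what its name or the comment `// skip test on disconnected clusters.` at new line 170 states; rename it or document the proxy it stands for. The `else` after `return` in verifyPodSignature (new lines 739–743) can be dropped so the failure branch is the left-aligned tail.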