@@ -24,6 +24,7 @@ import (
24
24
25
25
const (
26
26
testSignedPolicyScope = "quay.io/openshifttest/busybox-testsigstoresigned@sha256:c5439d7db88ab5423999530349d327b04279ad3161d7596d2126dfb5b02bfd1f"
27
+ testPKISignedPolicyScope = "quay.io/openshifttest/busybox-testsigstoresignedpki@sha256:c5439d7db88ab5423999530349d327b04279ad3161d7596d2126dfb5b02bfd1f"
27
28
registriesWorkerPoolMachineConfig = "99-worker-generated-registries"
28
29
registriesMasterPoolMachineConfig = "99-master-generated-registries"
29
30
testPodName = "signature-validation-test-pod"
@@ -34,6 +35,11 @@ const (
34
35
publiKeyRekorClusterImagePolicyName = "public-key-rekor-cluster-image-policy"
35
36
invalidPublicKeyImagePolicyName = "invalid-public-key-image-policy"
36
37
publiKeyRekorImagePolicyName = "public-key-rekor-image-policy"
38
+ invalidPKIClusterImagePolicyName = "invalid-pki-cluster-image-policy"
39
+ invalidPKIImagePolicyName = "invalid-pki-image-policy"
40
+ pkiClusterImagePolicyName = "pki-cluster-image-policy"
41
+ pkiImagePolicyName = "pki-image-policy"
42
+ invalidEmailPKIClusterImagePolicyName = "invalid-email-pki-cluster-image-policy"
37
43
)
38
44
39
45
var _ = g .Describe ("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][Serial]" , g .Ordered , func () {
@@ -142,6 +148,106 @@ var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][
142
148
})
143
149
})
144
150
151
+ var _ = g .Describe ("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerificationPKI][Serial]" , g .Ordered , func () {
152
+ defer g .GinkgoRecover ()
153
+ var (
154
+ oc = exutil .NewCLIWithoutNamespace ("cluster-image-policy" )
155
+ tctx = context .Background ()
156
+ cli = exutil .NewCLIWithPodSecurityLevel ("verifysigstore-e2e" , admissionapi .LevelBaseline )
157
+ clif = cli .KubeFramework ()
158
+ imgpolicyCli = exutil .NewCLIWithPodSecurityLevel ("verifysigstore-imagepolicy-e2e" , admissionapi .LevelBaseline )
159
+ imgpolicyClif = imgpolicyCli .KubeFramework ()
160
+ testClusterImagePolicies = generateClusterImagePolicies ()
161
+ testImagePolicies = generateImagePolicies ()
162
+ )
163
+
164
+ g .BeforeAll (func () {
165
+ if ! exutil .IsTechPreviewNoUpgrade (tctx , oc .AdminConfigClient ()) {
166
+ g .Skip ("skipping, this feature is only supported on TechPreviewNoUpgrade clusters" )
167
+ }
168
+ // skip test on disconnected clusters.
169
+ networkConfig , err := oc .AdminConfigClient ().ConfigV1 ().Networks ().Get (context .Background (), "cluster" , metav1.GetOptions {})
170
+ if err != nil {
171
+ e2e .Failf ("unable to get cluster network config: %v" , err )
172
+ }
173
+ usingIPv6 := false
174
+ for _ , clusterNetworkEntry := range networkConfig .Status .ClusterNetwork {
175
+ addr , _ , err := net .ParseCIDR (clusterNetworkEntry .CIDR )
176
+ if err != nil {
177
+ continue
178
+ }
179
+ if addr .To4 () == nil {
180
+ usingIPv6 = true
181
+ break
182
+ }
183
+ }
184
+ if usingIPv6 {
185
+ g .Skip ("skipping test on disconnected platform" )
186
+ }
187
+ })
188
+
189
+ g .It ("Should fail clusterimagepolicy signature validation root of trust does not match the identity in the signature" , func () {
190
+ createClusterImagePolicy (oc , testClusterImagePolicies [invalidPKIClusterImagePolicyName ])
191
+ g .DeferCleanup (deleteClusterImagePolicy , oc , invalidPKIClusterImagePolicyName )
192
+
193
+ pod , err := launchTestPod (tctx , clif , testPodName , testPKISignedPolicyScope )
194
+ o .Expect (err ).NotTo (o .HaveOccurred ())
195
+ g .DeferCleanup (deleteTestPod , tctx , clif , testPodName )
196
+
197
+ err = waitForTestPodContainerToFailSignatureValidation (tctx , clif , pod )
198
+ o .Expect (err ).NotTo (o .HaveOccurred ())
199
+ })
200
+
201
+ g .It ("Should pass clusterimagepolicy signature validation with PKI signed image" , func () {
202
+ createClusterImagePolicy (oc , testClusterImagePolicies [pkiClusterImagePolicyName ])
203
+ g .DeferCleanup (deleteClusterImagePolicy , oc , pkiClusterImagePolicyName )
204
+
205
+ pod , err := launchTestPod (tctx , clif , testPodName , testPKISignedPolicyScope )
206
+ o .Expect (err ).NotTo (o .HaveOccurred ())
207
+ g .DeferCleanup (deleteTestPod , tctx , clif , testPodName )
208
+
209
+ err = e2epod .WaitForPodSuccessInNamespace (tctx , clif .ClientSet , pod .Name , pod .Namespace )
210
+ o .Expect (err ).NotTo (o .HaveOccurred ())
211
+ })
212
+
213
+ g .It ("Should fail imagepolicy signature validation PKI root of trust does not match the identity in the signature" , func () {
214
+ createImagePolicy (oc , testImagePolicies [invalidPKIImagePolicyName ], imgpolicyClif .Namespace .Name )
215
+ g .DeferCleanup (deleteImagePolicy , oc , invalidPKIImagePolicyName , imgpolicyClif .Namespace .Name )
216
+
217
+ pod , err := launchTestPod (tctx , imgpolicyClif , testPodName , testPKISignedPolicyScope )
218
+ o .Expect (err ).NotTo (o .HaveOccurred ())
219
+ g .DeferCleanup (deleteTestPod , tctx , imgpolicyClif , testPodName )
220
+
221
+ err = waitForTestPodContainerToFailSignatureValidation (tctx , imgpolicyClif , pod )
222
+ o .Expect (err ).NotTo (o .HaveOccurred ())
223
+ })
224
+
225
+ g .It ("Should pass imagepolicy signature validation with PKI signed image" , func () {
226
+ createImagePolicy (oc , testImagePolicies [pkiImagePolicyName ], imgpolicyClif .Namespace .Name )
227
+ g .DeferCleanup (deleteImagePolicy , oc , pkiImagePolicyName , imgpolicyClif .Namespace .Name )
228
+
229
+ pod , err := launchTestPod (tctx , imgpolicyClif , testPodName , testPKISignedPolicyScope )
230
+ o .Expect (err ).NotTo (o .HaveOccurred ())
231
+ g .DeferCleanup (deleteTestPod , tctx , imgpolicyClif , testPodName )
232
+
233
+ err = e2epod .WaitForPodSuccessInNamespace (tctx , imgpolicyClif .ClientSet , pod .Name , pod .Namespace )
234
+ o .Expect (err ).NotTo (o .HaveOccurred ())
235
+ })
236
+
237
+ g .It ("Should fail clusterimagepolicy signature validation PKI email does not match" , func () {
238
+ createClusterImagePolicy (oc , testClusterImagePolicies [invalidEmailPKIClusterImagePolicyName ])
239
+ g .DeferCleanup (deleteClusterImagePolicy , oc , invalidEmailPKIClusterImagePolicyName )
240
+
241
+ pod , err := launchTestPod (tctx , clif , testPodName , testPKISignedPolicyScope )
242
+ o .Expect (err ).NotTo (o .HaveOccurred ())
243
+ g .DeferCleanup (deleteTestPod , tctx , clif , testPodName )
244
+
245
+ err = waitForTestPodContainerToFailSignatureValidation (tctx , clif , pod )
246
+ o .Expect (err ).NotTo (o .HaveOccurred ())
247
+ })
248
+
249
+ })
250
+
145
251
func updateImageConfig (oc * exutil.CLI , allowedRegistries []string ) {
146
252
e2e .Logf ("Updating image config with allowed registries" )
147
253
initialWorkerSpec := getMCPCurrentSpecConfigName (oc , workerPool )
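Review bot: The `BeforeAll` in the new PKI `Describe` (new lines 164–187) carries the comment `// skip test on disconnected clusters.` and skips with `"skipping test on disconnected platform"`, but the condition it actually tests is whether any `ClusterNetwork` CIDR is non-IPv4; nothing on the page checks connectivity, so the comment and message misdescribe the skip. I would rewrite the comment to state the real condition and the assumption behind it, e.g. `// Skip on IPv6 cluster networks (presumably a proxy for the disconnected CI environment, which cannot pull the quay.io test image) — confirm.` and make the Skip message say IPv6. Separately, the two negative cases ("root of trust does not match" and "PKI email does not match") both end in `waitForTestPodContainerToFailSignatureValidation`; if that helper only checks for a generic signature failure (it is defined outside this hunk), the two tests cannot tell the intended rejection reason from any other failure, so asserting the specific error text would make them meaningful. Minor: the `Get` call on new line 169 passes `context.Background()` although `tctx` is already in scope for the same purpose.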
@@ -323,6 +429,156 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKvZH0CXTk8XQkETuxkzkl3Bi4ms5
323
429
},
324
430
},
325
431
},
432
+ invalidPKIClusterImagePolicyName : {
433
+ TypeMeta : metav1.TypeMeta {
434
+ Kind : "ClusterImagePolicy" ,
435
+ APIVersion : configv1 .SchemeGroupVersion .String (),
436
+ },
437
+ ObjectMeta : metav1.ObjectMeta {Name : invalidPKIClusterImagePolicyName },
438
+ Spec : configv1.ClusterImagePolicySpec {
439
+ Scopes : []configv1.ImageScope {testPKISignedPolicyScope },
440
+ Policy : configv1.Policy {
441
+ RootOfTrust : configv1.PolicyRootOfTrust {
442
+ PolicyType : configv1 .PKIRootOfTrust ,
443
+ PKI : & configv1.PKI {
444
+ CertificateAuthorityRootsData : []byte (`-----BEGIN CERTIFICATE-----
445
+ MIICYDCCAgagAwIBAgIUTq5IQKTGqI9XDqGzdGzm8mI43qkwCgYIKoZIzj0EAwIw
446
+ fDELMAkGA1UEBhMCLS0xDjAMBgNVBAgTBVNUQVRFMREwDwYDVQQHEwhMT0NBTElU
447
+ WTEVMBMGA1UEChMMT1JHQU5JU0FUSU9OMQ4wDAYDVQQLEwVMT0NBTDEjMCEGA1UE
448
+ AxMaUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjQwNjA2MTQxODAwWhcN
449
+ MzQwNjA0MTQxODAwWjB8MQswCQYDVQQGEwItLTEOMAwGA1UECBMFU1RBVEUxETAP
450
+ BgNVBAcTCExPQ0FMSVRZMRUwEwYDVQQKEwxPUkdBTklTQVRJT04xDjAMBgNVBAsT
451
+ BUxPQ0FMMSMwIQYDVQQDExpSb290IENlcnRpZmljYXRlIEF1dGhvcml0eTBZMBMG
452
+ ByqGSM49AgEGCCqGSM49AwEHA0IABDYxY1BnzNsriTp9PZ0TSumXOg36Xr4fO6xa
453
+ RHp7chgZ9KUhA+s2YoafOWobSiq3ZhfU5vjT2MVIeJjOZjw9EUWjZjBkMA4GA1Ud
454
+ DwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBQQOPL7R8z2
455
+ dG1h6uJ6bWX/xxl6mjAfBgNVHSMEGDAWgBQQOPL7R8z2dG1h6uJ6bWX/xxl6mjAK
456
+ BggqhkjOPQQDAgNIADBFAiAf7kYcHVNe1kj6R8pdVlAckVZZTu6khmBlJoe32FEu
457
+ TAIhALlR4yZRRYv2iaVPdgaptAI0LoDAtEUiO8Rb9FWJzpAN
458
+ -----END CERTIFICATE-----` ),
459
+ PKICertificateSubject : configv1.PKICertificateSubject {
460
+
461
+ },
462
+ },
463
+ },
464
+ SignedIdentity : & configv1.PolicyIdentity {
465
+ MatchPolicy : configv1 .IdentityMatchPolicyMatchRepository ,
466
+ },
467
+ },
468
+ },
469
+ },
470
+ pkiClusterImagePolicyName : {
471
+ TypeMeta : metav1.TypeMeta {
472
+ Kind : "ClusterImagePolicy" ,
473
+ APIVersion : configv1 .SchemeGroupVersion .String (),
474
+ },
475
+ ObjectMeta : metav1.ObjectMeta {Name : pkiClusterImagePolicyName },
476
+ Spec : configv1.ClusterImagePolicySpec {
477
+ Scopes : []configv1.ImageScope {testPKISignedPolicyScope },
478
+ Policy : configv1.Policy {
479
+ RootOfTrust : configv1.PolicyRootOfTrust {
480
+ PolicyType : configv1 .PKIRootOfTrust ,
481
+ PKI : & configv1.PKI {
482
+ CertificateAuthorityRootsData : []byte (`-----BEGIN CERTIFICATE-----
483
+ MIIFvzCCA6egAwIBAgIUZnH3ITyYQMAp6lvNYc0fjRzzuBcwDQYJKoZIhvcNAQEL
484
+ BQAwbjELMAkGA1UEBhMCRVMxETAPBgNVBAcMCFZhbGVuY2lhMQswCQYDVQQKDAJJ
485
+ VDERMA8GA1UECwwIU2VjdXJpdHkxLDAqBgNVBAMMI0xpbnV4ZXJhIFJvb3QgQ2Vy
486
+ dGlmaWNhdGUgQXV0aG9yaXR5MCAXDTI0MDkzMDE2MjM1N1oYDzIwNTIwMjE1MTYy
487
+ MzU3WjBuMQswCQYDVQQGEwJFUzERMA8GA1UEBwwIVmFsZW5jaWExCzAJBgNVBAoM
488
+ AklUMREwDwYDVQQLDAhTZWN1cml0eTEsMCoGA1UEAwwjTGludXhlcmEgUm9vdCBD
489
+ ZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
490
+ AoICAQCy8vGuh6+27xqtsANJUMIeGaX/rjx5hIgh/eOcxZc2/azTB/zHnwjZX7qn
491
+ Co3zaYZaS3ibOouS1yPv2G3NeRPwfGHn2kcR3QM7h4BdYxZ3SR/VioaWpVymLCm2
492
+ /V2gQWMWKrtdYfOXBviqhhD9OIxrLSOqjac8T/icQcfN+dKktKyGlY7vJLKO9w2x
493
+ IdpOTa2IDuYp5DNQV6vy9sDFglP/iafvcDkLGUhrsop8LeNcejpmpFBPRwJKXgan
494
+ 5spry6GgCpNNJuB/Hqgth0fGPjMEY8bPuVOCehnRxe094U01sGrobkkbnM+SxumA
495
+ oLwk1//jC1K3HaKjkIOMMHxEzqYx0Q4RalvPWhd6o/KP5Cs+rd5+EwSeFuvbaIrF
496
+ sEPZBPpH0UDLR0yiQNk2j4LVbV1xdP7tX8KtUvF8+E3Gm5SwnCodNbfnAUxNF4RK
497
+ 4lDqGibUUI5B5SniJ5YMVeTJSc1Jo9gTaKa9lRniMitY9FjzjQjDF4yGnhNPmmKG
498
+ zIvVOXIhQpcw3UhEMmDz6p1wr3wMDtjufoaxaTjoAuxUzSwwFqxzzcJenQiHoFeQ
499
+ B6cJ5RayizadlkqBnHAkrzAB0aM9W8zh5AhIcnO6gfGBaOFom+I5Huy3TyZ9FjTn
500
+ vlxVM5txPV5VsBPMK96hF6mnWeKNg/22qY0X+wo8T33G4LvWIwIDAQABo1MwUTAd
501
+ BgNVHQ4EFgQUD+bFpMAOhNSptdQo+NZle+Yd1L4wHwYDVR0jBBgwFoAUD+bFpMAO
502
+ hNSptdQo+NZle+Yd1L4wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
503
+ AgEAmE21e2H51volFI0CboDakb5T9VLkDzLgmxH2iZPBJrnQBFaPTEaQnM93pDq+
504
+ czfc7+WJL+6TUyUYFOg2rueK/KWC3AQYUrsb+i3BDNZVv74f3wLidmqELcyjHO8m
505
+ 7yoGIgeG8ksMYPCzPfuuFHYNDiv11brmbdhdGGbvQMbayLYvhB543J5sTiUsr3iv
506
+ ShKvmr/krAbdj6ZK2m6us+pFktjjbirHVqj5tE+RvEC9oHSngyCRCKJEuEDt+gUK
507
+ gmSFh1+AFJdjWqYqnX7kPu6N4x4KoH72OUkd7NHpzkG57UM0iVQ8jCAclkZxrpng
508
+ HCD+dY0JnIlF+LJ7qGgmrNQQvTZ11hWyV7fRHcCPwuqT0kJC/yjWWXEafsMWTPl7
509
+ 2zrQg5YW0zbcWfRzo1ucx0tf47unRjVqjaXjyyzkgkHrqZH939SrAy9e2SFZUqdy
510
+ qIXwGmZktzL8DU+8ZH47R+CIwcv59l4Wy889fUrjk4Kgg45IhqnP5NMg2Z8aytUH
511
+ 0Zwo0iJxuCe0tQTdSMvYC0PoWsEyR4KULEU83GfCbGZQG8hOFAPHXV0CpM025+9Y
512
+ L8ITFP+Nw9Meiw4etw59CTAPCc7l4Zvwr1K2ZTBmVGxrqdasiqpI0utG69aItsPi
513
+ +9V8SSde7D5iMV/3z9LDxA/oLoqNGFcD0TSR5+obeqJzl40=
514
+ -----END CERTIFICATE-----` ),
515
+ PKICertificateSubject : configv1.PKICertificateSubject {
516
+
517
+ },
518
+ },
519
+ },
520
+ SignedIdentity : & configv1.PolicyIdentity {
521
+ MatchPolicy : configv1 .IdentityMatchPolicyMatchRepository ,
522
+ },
523
+ },
524
+ },
525
+ },
526
+ invalidEmailPKIClusterImagePolicyName : {
527
+ TypeMeta : metav1.TypeMeta {
528
+ Kind : "ClusterImagePolicy" ,
529
+ APIVersion : configv1 .SchemeGroupVersion .String (),
530
+ },
531
+ ObjectMeta : metav1.ObjectMeta {Name : invalidEmailPKIClusterImagePolicyName },
532
+ Spec : configv1.ClusterImagePolicySpec {
533
+ Scopes : []configv1.ImageScope {testPKISignedPolicyScope },
534
+ Policy : configv1.Policy {
535
+ RootOfTrust : configv1.PolicyRootOfTrust {
536
+ PolicyType : configv1 .PKIRootOfTrust ,
537
+ PKI : & configv1.PKI {
538
+ CertificateAuthorityRootsData : []byte (`-----BEGIN CERTIFICATE-----
539
+ MIIFvzCCA6egAwIBAgIUZnH3ITyYQMAp6lvNYc0fjRzzuBcwDQYJKoZIhvcNAQEL
540
+ BQAwbjELMAkGA1UEBhMCRVMxETAPBgNVBAcMCFZhbGVuY2lhMQswCQYDVQQKDAJJ
541
+ VDERMA8GA1UECwwIU2VjdXJpdHkxLDAqBgNVBAMMI0xpbnV4ZXJhIFJvb3QgQ2Vy
542
+ dGlmaWNhdGUgQXV0aG9yaXR5MCAXDTI0MDkzMDE2MjM1N1oYDzIwNTIwMjE1MTYy
543
+ MzU3WjBuMQswCQYDVQQGEwJFUzERMA8GA1UEBwwIVmFsZW5jaWExCzAJBgNVBAoM
544
+ AklUMREwDwYDVQQLDAhTZWN1cml0eTEsMCoGA1UEAwwjTGludXhlcmEgUm9vdCBD
545
+ ZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
546
+ AoICAQCy8vGuh6+27xqtsANJUMIeGaX/rjx5hIgh/eOcxZc2/azTB/zHnwjZX7qn
547
+ Co3zaYZaS3ibOouS1yPv2G3NeRPwfGHn2kcR3QM7h4BdYxZ3SR/VioaWpVymLCm2
548
+ /V2gQWMWKrtdYfOXBviqhhD9OIxrLSOqjac8T/icQcfN+dKktKyGlY7vJLKO9w2x
549
+ IdpOTa2IDuYp5DNQV6vy9sDFglP/iafvcDkLGUhrsop8LeNcejpmpFBPRwJKXgan
550
+ 5spry6GgCpNNJuB/Hqgth0fGPjMEY8bPuVOCehnRxe094U01sGrobkkbnM+SxumA
551
+ oLwk1//jC1K3HaKjkIOMMHxEzqYx0Q4RalvPWhd6o/KP5Cs+rd5+EwSeFuvbaIrF
552
+ sEPZBPpH0UDLR0yiQNk2j4LVbV1xdP7tX8KtUvF8+E3Gm5SwnCodNbfnAUxNF4RK
553
+ 4lDqGibUUI5B5SniJ5YMVeTJSc1Jo9gTaKa9lRniMitY9FjzjQjDF4yGnhNPmmKG
554
+ zIvVOXIhQpcw3UhEMmDz6p1wr3wMDtjufoaxaTjoAuxUzSwwFqxzzcJenQiHoFeQ
555
+ B6cJ5RayizadlkqBnHAkrzAB0aM9W8zh5AhIcnO6gfGBaOFom+I5Huy3TyZ9FjTn
556
+ vlxVM5txPV5VsBPMK96hF6mnWeKNg/22qY0X+wo8T33G4LvWIwIDAQABo1MwUTAd
557
+ BgNVHQ4EFgQUD+bFpMAOhNSptdQo+NZle+Yd1L4wHwYDVR0jBBgwFoAUD+bFpMAO
558
+ hNSptdQo+NZle+Yd1L4wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
559
+ AgEAmE21e2H51volFI0CboDakb5T9VLkDzLgmxH2iZPBJrnQBFaPTEaQnM93pDq+
560
+ czfc7+WJL+6TUyUYFOg2rueK/KWC3AQYUrsb+i3BDNZVv74f3wLidmqELcyjHO8m
561
+ 7yoGIgeG8ksMYPCzPfuuFHYNDiv11brmbdhdGGbvQMbayLYvhB543J5sTiUsr3iv
562
+ ShKvmr/krAbdj6ZK2m6us+pFktjjbirHVqj5tE+RvEC9oHSngyCRCKJEuEDt+gUK
563
+ gmSFh1+AFJdjWqYqnX7kPu6N4x4KoH72OUkd7NHpzkG57UM0iVQ8jCAclkZxrpng
564
+ HCD+dY0JnIlF+LJ7qGgmrNQQvTZ11hWyV7fRHcCPwuqT0kJC/yjWWXEafsMWTPl7
565
+ 2zrQg5YW0zbcWfRzo1ucx0tf47unRjVqjaXjyyzkgkHrqZH939SrAy9e2SFZUqdy
566
+ qIXwGmZktzL8DU+8ZH47R+CIwcv59l4Wy889fUrjk4Kgg45IhqnP5NMg2Z8aytUH
567
+ 0Zwo0iJxuCe0tQTdSMvYC0PoWsEyR4KULEU83GfCbGZQG8hOFAPHXV0CpM025+9Y
568
+ L8ITFP+Nw9Meiw4etw59CTAPCc7l4Zvwr1K2ZTBmVGxrqdasiqpI0utG69aItsPi
569
+ +9V8SSde7D5iMV/3z9LDxA/oLoqNGFcD0TSR5+obeqJzl40=
570
+ -----END CERTIFICATE-----` ),
571
+ PKICertificateSubject : configv1.PKICertificateSubject {
572
+
573
+ },
574
+ },
575
+ },
576
+ SignedIdentity : & configv1.PolicyIdentity {
577
+ MatchPolicy : configv1 .IdentityMatchPolicyMatchRepository ,
578
+ },
579
+ },
580
+ },
581
+ },
326
582
}
327
583
return testClusterImagePolicies
328
584
}
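Review bot: The `invalidEmailPKIClusterImagePolicyName` entry (new lines 526–581) is byte-identical, apart from its name, to the `pkiClusterImagePolicyName` entry above it — same CA roots, same `IdentityMatchPolicyMatchRepository`, and the same empty `PKICertificateSubject{}` — so the "PKI email does not match" test cannot behave differently from the "should pass" test that uses the other entry; the subject needs a non-matching value, e.g. `PKICertificateSubject: configv1.PKICertificateSubject{Email: "<non-matching-email placeholder>"}`. More broadly, every new PKI entry in this hunk and in the ImagePolicy hunk below leaves the certificate subject empty, which imposes no identity constraint on the leaf certificate beyond chaining to the CA; I believe the API requires at least one of email/hostname to be set, in which case all of these policies would be rejected at creation — worth confirming against the CRD validation. The `PKICertificateSubject{` … blank line … `},` layout on new lines 459–461 (and its repeats) would be collapsed by gofmt to `PKICertificateSubject: configv1.PKICertificateSubject{},`. generateClusterImagePolicies starts outside the hunk.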
@@ -377,6 +633,100 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKvZH0CXTk8XQkETuxkzkl3Bi4ms5
377
633
},
378
634
},
379
635
},
636
+ invalidPKIImagePolicyName : {
637
+ TypeMeta : metav1.TypeMeta {
638
+ Kind : "ImagePolicy" ,
639
+ APIVersion : configv1 .SchemeGroupVersion .String (),
640
+ },
641
+ ObjectMeta : metav1.ObjectMeta {Name : invalidPKIImagePolicyName },
642
+ Spec : configv1.ImagePolicySpec {
643
+ Scopes : []configv1.ImageScope {testPKISignedPolicyScope },
644
+ Policy : configv1.Policy {
645
+ RootOfTrust : configv1.PolicyRootOfTrust {
646
+ PolicyType : configv1 .PKIRootOfTrust ,
647
+ PKI : & configv1.PKI {
648
+ CertificateAuthorityRootsData : []byte (`-----BEGIN CERTIFICATE-----
649
+ MIICYDCCAgagAwIBAgIUTq5IQKTGqI9XDqGzdGzm8mI43qkwCgYIKoZIzj0EAwIw
650
+ fDELMAkGA1UEBhMCLS0xDjAMBgNVBAgTBVNUQVRFMREwDwYDVQQHEwhMT0NBTElU
651
+ WTEVMBMGA1UEChMMT1JHQU5JU0FUSU9OMQ4wDAYDVQQLEwVMT0NBTDEjMCEGA1UE
652
+ AxMaUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjQwNjA2MTQxODAwWhcN
653
+ MzQwNjA0MTQxODAwWjB8MQswCQYDVQQGEwItLTEOMAwGA1UECBMFU1RBVEUxETAP
654
+ BgNVBAcTCExPQ0FMSVRZMRUwEwYDVQQKEwxPUkdBTklTQVRJT04xDjAMBgNVBAsT
655
+ BUxPQ0FMMSMwIQYDVQQDExpSb290IENlcnRpZmljYXRlIEF1dGhvcml0eTBZMBMG
656
+ ByqGSM49AgEGCCqGSM49AwEHA0IABDYxY1BnzNsriTp9PZ0TSumXOg36Xr4fO6xa
657
+ RHp7chgZ9KUhA+s2YoafOWobSiq3ZhfU5vjT2MVIeJjOZjw9EUWjZjBkMA4GA1Ud
658
+ DwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBQQOPL7R8z2
659
+ dG1h6uJ6bWX/xxl6mjAfBgNVHSMEGDAWgBQQOPL7R8z2dG1h6uJ6bWX/xxl6mjAK
660
+ BggqhkjOPQQDAgNIADBFAiAf7kYcHVNe1kj6R8pdVlAckVZZTu6khmBlJoe32FEu
661
+ TAIhALlR4yZRRYv2iaVPdgaptAI0LoDAtEUiO8Rb9FWJzpAN
662
+ -----END CERTIFICATE-----` ),
663
+ PKICertificateSubject : configv1.PKICertificateSubject {
664
+
665
+ },
666
+ },
667
+ },
668
+ SignedIdentity : & configv1.PolicyIdentity {
669
+ MatchPolicy : configv1 .IdentityMatchPolicyMatchRepository ,
670
+ },
671
+ },
672
+ },
673
+ },
674
+ pkiImagePolicyName : {
675
+ TypeMeta : metav1.TypeMeta {
676
+ Kind : "ImagePolicy" ,
677
+ APIVersion : configv1 .SchemeGroupVersion .String (),
678
+ },
679
+ ObjectMeta : metav1.ObjectMeta {Name : pkiImagePolicyName },
680
+ Spec : configv1.ImagePolicySpec {
681
+ Scopes : []configv1.ImageScope {testPKISignedPolicyScope },
682
+ Policy : configv1.Policy {
683
+ RootOfTrust : configv1.PolicyRootOfTrust {
684
+ PolicyType : configv1 .PKIRootOfTrust ,
685
+ PKI : & configv1.PKI {
686
+ CertificateAuthorityRootsData : []byte (`-----BEGIN CERTIFICATE-----
687
+ MIIFvzCCA6egAwIBAgIUZnH3ITyYQMAp6lvNYc0fjRzzuBcwDQYJKoZIhvcNAQEL
688
+ BQAwbjELMAkGA1UEBhMCRVMxETAPBgNVBAcMCFZhbGVuY2lhMQswCQYDVQQKDAJJ
689
+ VDERMA8GA1UECwwIU2VjdXJpdHkxLDAqBgNVBAMMI0xpbnV4ZXJhIFJvb3QgQ2Vy
690
+ dGlmaWNhdGUgQXV0aG9yaXR5MCAXDTI0MDkzMDE2MjM1N1oYDzIwNTIwMjE1MTYy
691
+ MzU3WjBuMQswCQYDVQQGEwJFUzERMA8GA1UEBwwIVmFsZW5jaWExCzAJBgNVBAoM
692
+ AklUMREwDwYDVQQLDAhTZWN1cml0eTEsMCoGA1UEAwwjTGludXhlcmEgUm9vdCBD
693
+ ZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
694
+ AoICAQCy8vGuh6+27xqtsANJUMIeGaX/rjx5hIgh/eOcxZc2/azTB/zHnwjZX7qn
695
+ Co3zaYZaS3ibOouS1yPv2G3NeRPwfGHn2kcR3QM7h4BdYxZ3SR/VioaWpVymLCm2
696
+ /V2gQWMWKrtdYfOXBviqhhD9OIxrLSOqjac8T/icQcfN+dKktKyGlY7vJLKO9w2x
697
+ IdpOTa2IDuYp5DNQV6vy9sDFglP/iafvcDkLGUhrsop8LeNcejpmpFBPRwJKXgan
698
+ 5spry6GgCpNNJuB/Hqgth0fGPjMEY8bPuVOCehnRxe094U01sGrobkkbnM+SxumA
699
+ oLwk1//jC1K3HaKjkIOMMHxEzqYx0Q4RalvPWhd6o/KP5Cs+rd5+EwSeFuvbaIrF
700
+ sEPZBPpH0UDLR0yiQNk2j4LVbV1xdP7tX8KtUvF8+E3Gm5SwnCodNbfnAUxNF4RK
701
+ 4lDqGibUUI5B5SniJ5YMVeTJSc1Jo9gTaKa9lRniMitY9FjzjQjDF4yGnhNPmmKG
702
+ zIvVOXIhQpcw3UhEMmDz6p1wr3wMDtjufoaxaTjoAuxUzSwwFqxzzcJenQiHoFeQ
703
+ B6cJ5RayizadlkqBnHAkrzAB0aM9W8zh5AhIcnO6gfGBaOFom+I5Huy3TyZ9FjTn
704
+ vlxVM5txPV5VsBPMK96hF6mnWeKNg/22qY0X+wo8T33G4LvWIwIDAQABo1MwUTAd
705
+ BgNVHQ4EFgQUD+bFpMAOhNSptdQo+NZle+Yd1L4wHwYDVR0jBBgwFoAUD+bFpMAO
706
+ hNSptdQo+NZle+Yd1L4wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
707
+ AgEAmE21e2H51volFI0CboDakb5T9VLkDzLgmxH2iZPBJrnQBFaPTEaQnM93pDq+
708
+ czfc7+WJL+6TUyUYFOg2rueK/KWC3AQYUrsb+i3BDNZVv74f3wLidmqELcyjHO8m
709
+ 7yoGIgeG8ksMYPCzPfuuFHYNDiv11brmbdhdGGbvQMbayLYvhB543J5sTiUsr3iv
710
+ ShKvmr/krAbdj6ZK2m6us+pFktjjbirHVqj5tE+RvEC9oHSngyCRCKJEuEDt+gUK
711
+ gmSFh1+AFJdjWqYqnX7kPu6N4x4KoH72OUkd7NHpzkG57UM0iVQ8jCAclkZxrpng
712
+ HCD+dY0JnIlF+LJ7qGgmrNQQvTZ11hWyV7fRHcCPwuqT0kJC/yjWWXEafsMWTPl7
713
+ 2zrQg5YW0zbcWfRzo1ucx0tf47unRjVqjaXjyyzkgkHrqZH939SrAy9e2SFZUqdy
714
+ qIXwGmZktzL8DU+8ZH47R+CIwcv59l4Wy889fUrjk4Kgg45IhqnP5NMg2Z8aytUH
715
+ 0Zwo0iJxuCe0tQTdSMvYC0PoWsEyR4KULEU83GfCbGZQG8hOFAPHXV0CpM025+9Y
716
+ L8ITFP+Nw9Meiw4etw59CTAPCc7l4Zvwr1K2ZTBmVGxrqdasiqpI0utG69aItsPi
717
+ +9V8SSde7D5iMV/3z9LDxA/oLoqNGFcD0TSR5+obeqJzl40=
718
+ -----END CERTIFICATE-----` ),
719
+ PKICertificateSubject : configv1.PKICertificateSubject {
720
+
721
+ },
722
+ },
723
+ },
724
+ SignedIdentity : & configv1.PolicyIdentity {
725
+ MatchPolicy : configv1 .IdentityMatchPolicyMatchRepository ,
726
+ },
727
+ },
728
+ },
729
+ },
380
730
}
381
731
return testImagePolicies
382
732
}