
Commit 2b4f833

committed
Add PKI image policy validation tests
Signed-off-by: Qi Wang <[email protected]>
1 parent c49344f commit 2b4f833


1 file changed

+350
-0
lines changed


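--- a/test/extended/imagepolicy/imagepolicy.go
+++ b/test/extended/imagepolicy/imagepolicy.go
@@ -24,6 +24,7 @@ import (
 
 const (
 testSignedPolicyScope = "quay.io/openshifttest/busybox-testsigstoresigned@sha256:c5439d7db88ab5423999530349d327b04279ad3161d7596d2126dfb5b02bfd1f"
+testPKISignedPolicyScope = "quay.io/openshifttest/busybox-testsigstoresignedpki@sha256:c5439d7db88ab5423999530349d327b04279ad3161d7596d2126dfb5b02bfd1f"
 registriesWorkerPoolMachineConfig = "99-worker-generated-registries"
 registriesMasterPoolMachineConfig = "99-master-generated-registries"
 testPodName = "signature-validation-test-pod"
@@ -34,6 +35,11 @@ const (
 publiKeyRekorClusterImagePolicyName = "public-key-rekor-cluster-image-policy"
 invalidPublicKeyImagePolicyName = "invalid-public-key-image-policy"
 publiKeyRekorImagePolicyName = "public-key-rekor-image-policy"
+invalidPKIClusterImagePolicyName = "invalid-pki-cluster-image-policy"
+invalidPKIImagePolicyName = "invalid-pki-image-policy"
+pkiClusterImagePolicyName = "pki-cluster-image-policy"
+pkiImagePolicyName = "pki-image-policy"
+invalidEmailPKIClusterImagePolicyName = "invalid-email-pki-cluster-image-policy"
 )
 
 var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][Serial]", g.Ordered, func() {
@@ -142,6 +148,106 @@ var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][
 })
 })
 
+var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerificationPKI][Serial]", g.Ordered, func() {
+defer g.GinkgoRecover()
+var (
+oc = exutil.NewCLIWithoutNamespace("cluster-image-policy")
+tctx = context.Background()
+cli = exutil.NewCLIWithPodSecurityLevel("verifysigstore-e2e", admissionapi.LevelBaseline)
+clif = cli.KubeFramework()
+imgpolicyCli = exutil.NewCLIWithPodSecurityLevel("verifysigstore-imagepolicy-e2e", admissionapi.LevelBaseline)
+imgpolicyClif = imgpolicyCli.KubeFramework()
+testClusterImagePolicies = generateClusterImagePolicies()
+testImagePolicies = generateImagePolicies()
+)
+
+g.BeforeAll(func() {
+if !exutil.IsTechPreviewNoUpgrade(tctx, oc.AdminConfigClient()) {
+g.Skip("skipping, this feature is only supported on TechPreviewNoUpgrade clusters")
+}
+// skip test on disconnected clusters.
+networkConfig, err := oc.AdminConfigClient().ConfigV1().Networks().Get(context.Background(), "cluster", metav1.GetOptions{})
+if err != nil {
+e2e.Failf("unable to get cluster network config: %v", err)
+}
+usingIPv6 := false
+for _, clusterNetworkEntry := range networkConfig.Status.ClusterNetwork {
+addr, _, err := net.ParseCIDR(clusterNetworkEntry.CIDR)
+if err != nil {
+continue
+}
+if addr.To4() == nil {
+usingIPv6 = true
+break
+}
+}
+if usingIPv6 {
+g.Skip("skipping test on disconnected platform")
+}
+})
+
+g.It("Should fail clusterimagepolicy signature validation root of trust does not match the identity in the signature", func() {
+createClusterImagePolicy(oc, testClusterImagePolicies[invalidPKIClusterImagePolicyName])
+g.DeferCleanup(deleteClusterImagePolicy, oc, invalidPKIClusterImagePolicyName)
+
+pod, err := launchTestPod(tctx, clif, testPodName, testPKISignedPolicyScope)
+o.Expect(err).NotTo(o.HaveOccurred())
+g.DeferCleanup(deleteTestPod, tctx, clif, testPodName)
+
+err = waitForTestPodContainerToFailSignatureValidation(tctx, clif, pod)
+o.Expect(err).NotTo(o.HaveOccurred())
+})
+
+g.It("Should pass clusterimagepolicy signature validation with PKI signed image", func() {
+createClusterImagePolicy(oc, testClusterImagePolicies[pkiClusterImagePolicyName])
+g.DeferCleanup(deleteClusterImagePolicy, oc, pkiClusterImagePolicyName)
+
+pod, err := launchTestPod(tctx, clif, testPodName, testPKISignedPolicyScope)
+o.Expect(err).NotTo(o.HaveOccurred())
+g.DeferCleanup(deleteTestPod, tctx, clif, testPodName)
+
+err = e2epod.WaitForPodSuccessInNamespace(tctx, clif.ClientSet, pod.Name, pod.Namespace)
+o.Expect(err).NotTo(o.HaveOccurred())
+})
+
+g.It("Should fail imagepolicy signature validation PKI root of trust does not match the identity in the signature", func() {
+createImagePolicy(oc, testImagePolicies[invalidPKIImagePolicyName], imgpolicyClif.Namespace.Name)
+g.DeferCleanup(deleteImagePolicy, oc, invalidPKIImagePolicyName, imgpolicyClif.Namespace.Name)
+
+pod, err := launchTestPod(tctx, imgpolicyClif, testPodName, testPKISignedPolicyScope)
+o.Expect(err).NotTo(o.HaveOccurred())
+g.DeferCleanup(deleteTestPod, tctx, imgpolicyClif, testPodName)
+
+err = waitForTestPodContainerToFailSignatureValidation(tctx, imgpolicyClif, pod)
+o.Expect(err).NotTo(o.HaveOccurred())
+})
+
+g.It("Should pass imagepolicy signature validation with PKI signed image", func() {
+createImagePolicy(oc, testImagePolicies[pkiImagePolicyName], imgpolicyClif.Namespace.Name)
+g.DeferCleanup(deleteImagePolicy, oc, pkiImagePolicyName, imgpolicyClif.Namespace.Name)
+
+pod, err := launchTestPod(tctx, imgpolicyClif, testPodName, testPKISignedPolicyScope)
+o.Expect(err).NotTo(o.HaveOccurred())
+g.DeferCleanup(deleteTestPod, tctx, imgpolicyClif, testPodName)
+
+err = e2epod.WaitForPodSuccessInNamespace(tctx, imgpolicyClif.ClientSet, pod.Name, pod.Namespace)
+o.Expect(err).NotTo(o.HaveOccurred())
+})
+
+g.It("Should fail clusterimagepolicy signature validation PKI email does not match", func() {
+createClusterImagePolicy(oc, testClusterImagePolicies[invalidEmailPKIClusterImagePolicyName])
+g.DeferCleanup(deleteClusterImagePolicy, oc, invalidEmailPKIClusterImagePolicyName)
+
+pod, err := launchTestPod(tctx, clif, testPodName, testPKISignedPolicyScope)
+o.Expect(err).NotTo(o.HaveOccurred())
+g.DeferCleanup(deleteTestPod, tctx, clif, testPodName)
+
+err = waitForTestPodContainerToFailSignatureValidation(tctx, clif, pod)
+o.Expect(err).NotTo(o.HaveOccurred())
+})
+
+})
+
 func updateImageConfig(oc *exutil.CLI, allowedRegistries []string) {
 e2e.Logf("Updating image config with allowed registries")
 initialWorkerSpec := getMCPCurrentSpecConfigName(oc, workerPool)
@@ -323,6 +429,156 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKvZH0CXTk8XQkETuxkzkl3Bi4ms5
 },
 },
 },
+invalidPKIClusterImagePolicyName: {
+TypeMeta: metav1.TypeMeta{
+Kind: "ClusterImagePolicy",
+APIVersion: configv1.SchemeGroupVersion.String(),
+},
+ObjectMeta: metav1.ObjectMeta{Name: invalidPKIClusterImagePolicyName},
+Spec: configv1.ClusterImagePolicySpec{
+Scopes: []configv1.ImageScope{testPKISignedPolicyScope},
+Policy: configv1.Policy{
+RootOfTrust: configv1.PolicyRootOfTrust{
+PolicyType: configv1.PKIRootOfTrust,
+PKI: &configv1.PKI{
+CertificateAuthorityRootsData: []byte(`-----BEGIN CERTIFICATE-----
+MIICYDCCAgagAwIBAgIUTq5IQKTGqI9XDqGzdGzm8mI43qkwCgYIKoZIzj0EAwIw
+fDELMAkGA1UEBhMCLS0xDjAMBgNVBAgTBVNUQVRFMREwDwYDVQQHEwhMT0NBTElU
+WTEVMBMGA1UEChMMT1JHQU5JU0FUSU9OMQ4wDAYDVQQLEwVMT0NBTDEjMCEGA1UE
+AxMaUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjQwNjA2MTQxODAwWhcN
+MzQwNjA0MTQxODAwWjB8MQswCQYDVQQGEwItLTEOMAwGA1UECBMFU1RBVEUxETAP
+BgNVBAcTCExPQ0FMSVRZMRUwEwYDVQQKEwxPUkdBTklTQVRJT04xDjAMBgNVBAsT
+BUxPQ0FMMSMwIQYDVQQDExpSb290IENlcnRpZmljYXRlIEF1dGhvcml0eTBZMBMG
+ByqGSM49AgEGCCqGSM49AwEHA0IABDYxY1BnzNsriTp9PZ0TSumXOg36Xr4fO6xa
+RHp7chgZ9KUhA+s2YoafOWobSiq3ZhfU5vjT2MVIeJjOZjw9EUWjZjBkMA4GA1Ud
+DwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBQQOPL7R8z2
+dG1h6uJ6bWX/xxl6mjAfBgNVHSMEGDAWgBQQOPL7R8z2dG1h6uJ6bWX/xxl6mjAK
+BggqhkjOPQQDAgNIADBFAiAf7kYcHVNe1kj6R8pdVlAckVZZTu6khmBlJoe32FEu
+TAIhALlR4yZRRYv2iaVPdgaptAI0LoDAtEUiO8Rb9FWJzpAN
+-----END CERTIFICATE-----`),
+PKICertificateSubject: configv1.PKICertificateSubject{
+
+},
+},
+},
+SignedIdentity: &configv1.PolicyIdentity{
+MatchPolicy: configv1.IdentityMatchPolicyMatchRepository,
+},
+},
+},
+},
+pkiClusterImagePolicyName: {
+TypeMeta: metav1.TypeMeta{
+Kind: "ClusterImagePolicy",
+APIVersion: configv1.SchemeGroupVersion.String(),
+},
+ObjectMeta: metav1.ObjectMeta{Name: pkiClusterImagePolicyName},
+Spec: configv1.ClusterImagePolicySpec{
+Scopes: []configv1.ImageScope{testPKISignedPolicyScope},
+Policy: configv1.Policy{
+RootOfTrust: configv1.PolicyRootOfTrust{
+PolicyType: configv1.PKIRootOfTrust,
+PKI: &configv1.PKI{
+CertificateAuthorityRootsData: []byte(`-----BEGIN CERTIFICATE-----
+MIIFvzCCA6egAwIBAgIUZnH3ITyYQMAp6lvNYc0fjRzzuBcwDQYJKoZIhvcNAQEL
+BQAwbjELMAkGA1UEBhMCRVMxETAPBgNVBAcMCFZhbGVuY2lhMQswCQYDVQQKDAJJ
+VDERMA8GA1UECwwIU2VjdXJpdHkxLDAqBgNVBAMMI0xpbnV4ZXJhIFJvb3QgQ2Vy
+dGlmaWNhdGUgQXV0aG9yaXR5MCAXDTI0MDkzMDE2MjM1N1oYDzIwNTIwMjE1MTYy
+MzU3WjBuMQswCQYDVQQGEwJFUzERMA8GA1UEBwwIVmFsZW5jaWExCzAJBgNVBAoM
+AklUMREwDwYDVQQLDAhTZWN1cml0eTEsMCoGA1UEAwwjTGludXhlcmEgUm9vdCBD
+ZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
+AoICAQCy8vGuh6+27xqtsANJUMIeGaX/rjx5hIgh/eOcxZc2/azTB/zHnwjZX7qn
+Co3zaYZaS3ibOouS1yPv2G3NeRPwfGHn2kcR3QM7h4BdYxZ3SR/VioaWpVymLCm2
+/V2gQWMWKrtdYfOXBviqhhD9OIxrLSOqjac8T/icQcfN+dKktKyGlY7vJLKO9w2x
+IdpOTa2IDuYp5DNQV6vy9sDFglP/iafvcDkLGUhrsop8LeNcejpmpFBPRwJKXgan
+5spry6GgCpNNJuB/Hqgth0fGPjMEY8bPuVOCehnRxe094U01sGrobkkbnM+SxumA
+oLwk1//jC1K3HaKjkIOMMHxEzqYx0Q4RalvPWhd6o/KP5Cs+rd5+EwSeFuvbaIrF
+sEPZBPpH0UDLR0yiQNk2j4LVbV1xdP7tX8KtUvF8+E3Gm5SwnCodNbfnAUxNF4RK
+4lDqGibUUI5B5SniJ5YMVeTJSc1Jo9gTaKa9lRniMitY9FjzjQjDF4yGnhNPmmKG
+zIvVOXIhQpcw3UhEMmDz6p1wr3wMDtjufoaxaTjoAuxUzSwwFqxzzcJenQiHoFeQ
+B6cJ5RayizadlkqBnHAkrzAB0aM9W8zh5AhIcnO6gfGBaOFom+I5Huy3TyZ9FjTn
+vlxVM5txPV5VsBPMK96hF6mnWeKNg/22qY0X+wo8T33G4LvWIwIDAQABo1MwUTAd
+BgNVHQ4EFgQUD+bFpMAOhNSptdQo+NZle+Yd1L4wHwYDVR0jBBgwFoAUD+bFpMAO
+hNSptdQo+NZle+Yd1L4wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
+AgEAmE21e2H51volFI0CboDakb5T9VLkDzLgmxH2iZPBJrnQBFaPTEaQnM93pDq+
+czfc7+WJL+6TUyUYFOg2rueK/KWC3AQYUrsb+i3BDNZVv74f3wLidmqELcyjHO8m
+7yoGIgeG8ksMYPCzPfuuFHYNDiv11brmbdhdGGbvQMbayLYvhB543J5sTiUsr3iv
+ShKvmr/krAbdj6ZK2m6us+pFktjjbirHVqj5tE+RvEC9oHSngyCRCKJEuEDt+gUK
+gmSFh1+AFJdjWqYqnX7kPu6N4x4KoH72OUkd7NHpzkG57UM0iVQ8jCAclkZxrpng
+HCD+dY0JnIlF+LJ7qGgmrNQQvTZ11hWyV7fRHcCPwuqT0kJC/yjWWXEafsMWTPl7
+2zrQg5YW0zbcWfRzo1ucx0tf47unRjVqjaXjyyzkgkHrqZH939SrAy9e2SFZUqdy
+qIXwGmZktzL8DU+8ZH47R+CIwcv59l4Wy889fUrjk4Kgg45IhqnP5NMg2Z8aytUH
+0Zwo0iJxuCe0tQTdSMvYC0PoWsEyR4KULEU83GfCbGZQG8hOFAPHXV0CpM025+9Y
+L8ITFP+Nw9Meiw4etw59CTAPCc7l4Zvwr1K2ZTBmVGxrqdasiqpI0utG69aItsPi
++9V8SSde7D5iMV/3z9LDxA/oLoqNGFcD0TSR5+obeqJzl40=
+-----END CERTIFICATE-----`),
+PKICertificateSubject: configv1.PKICertificateSubject{
+
+},
+},
+},
+SignedIdentity: &configv1.PolicyIdentity{
+MatchPolicy: configv1.IdentityMatchPolicyMatchRepository,
+},
+},
+},
+},
+invalidEmailPKIClusterImagePolicyName: {
+TypeMeta: metav1.TypeMeta{
+Kind: "ClusterImagePolicy",
+APIVersion: configv1.SchemeGroupVersion.String(),
+},
+ObjectMeta: metav1.ObjectMeta{Name: invalidEmailPKIClusterImagePolicyName},
+Spec: configv1.ClusterImagePolicySpec{
+Scopes: []configv1.ImageScope{testPKISignedPolicyScope},
+Policy: configv1.Policy{
+RootOfTrust: configv1.PolicyRootOfTrust{
+PolicyType: configv1.PKIRootOfTrust,
+PKI: &configv1.PKI{
+CertificateAuthorityRootsData: []byte(`-----BEGIN CERTIFICATE-----
+MIIFvzCCA6egAwIBAgIUZnH3ITyYQMAp6lvNYc0fjRzzuBcwDQYJKoZIhvcNAQEL
+BQAwbjELMAkGA1UEBhMCRVMxETAPBgNVBAcMCFZhbGVuY2lhMQswCQYDVQQKDAJJ
+VDERMA8GA1UECwwIU2VjdXJpdHkxLDAqBgNVBAMMI0xpbnV4ZXJhIFJvb3QgQ2Vy
+dGlmaWNhdGUgQXV0aG9yaXR5MCAXDTI0MDkzMDE2MjM1N1oYDzIwNTIwMjE1MTYy
+MzU3WjBuMQswCQYDVQQGEwJFUzERMA8GA1UEBwwIVmFsZW5jaWExCzAJBgNVBAoM
+AklUMREwDwYDVQQLDAhTZWN1cml0eTEsMCoGA1UEAwwjTGludXhlcmEgUm9vdCBD
+ZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
+AoICAQCy8vGuh6+27xqtsANJUMIeGaX/rjx5hIgh/eOcxZc2/azTB/zHnwjZX7qn
+Co3zaYZaS3ibOouS1yPv2G3NeRPwfGHn2kcR3QM7h4BdYxZ3SR/VioaWpVymLCm2
+/V2gQWMWKrtdYfOXBviqhhD9OIxrLSOqjac8T/icQcfN+dKktKyGlY7vJLKO9w2x
+IdpOTa2IDuYp5DNQV6vy9sDFglP/iafvcDkLGUhrsop8LeNcejpmpFBPRwJKXgan
+5spry6GgCpNNJuB/Hqgth0fGPjMEY8bPuVOCehnRxe094U01sGrobkkbnM+SxumA
+oLwk1//jC1K3HaKjkIOMMHxEzqYx0Q4RalvPWhd6o/KP5Cs+rd5+EwSeFuvbaIrF
+sEPZBPpH0UDLR0yiQNk2j4LVbV1xdP7tX8KtUvF8+E3Gm5SwnCodNbfnAUxNF4RK
+4lDqGibUUI5B5SniJ5YMVeTJSc1Jo9gTaKa9lRniMitY9FjzjQjDF4yGnhNPmmKG
+zIvVOXIhQpcw3UhEMmDz6p1wr3wMDtjufoaxaTjoAuxUzSwwFqxzzcJenQiHoFeQ
+B6cJ5RayizadlkqBnHAkrzAB0aM9W8zh5AhIcnO6gfGBaOFom+I5Huy3TyZ9FjTn
+vlxVM5txPV5VsBPMK96hF6mnWeKNg/22qY0X+wo8T33G4LvWIwIDAQABo1MwUTAd
+BgNVHQ4EFgQUD+bFpMAOhNSptdQo+NZle+Yd1L4wHwYDVR0jBBgwFoAUD+bFpMAO
+hNSptdQo+NZle+Yd1L4wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
+AgEAmE21e2H51volFI0CboDakb5T9VLkDzLgmxH2iZPBJrnQBFaPTEaQnM93pDq+
+czfc7+WJL+6TUyUYFOg2rueK/KWC3AQYUrsb+i3BDNZVv74f3wLidmqELcyjHO8m
+7yoGIgeG8ksMYPCzPfuuFHYNDiv11brmbdhdGGbvQMbayLYvhB543J5sTiUsr3iv
+ShKvmr/krAbdj6ZK2m6us+pFktjjbirHVqj5tE+RvEC9oHSngyCRCKJEuEDt+gUK
+gmSFh1+AFJdjWqYqnX7kPu6N4x4KoH72OUkd7NHpzkG57UM0iVQ8jCAclkZxrpng
+HCD+dY0JnIlF+LJ7qGgmrNQQvTZ11hWyV7fRHcCPwuqT0kJC/yjWWXEafsMWTPl7
+2zrQg5YW0zbcWfRzo1ucx0tf47unRjVqjaXjyyzkgkHrqZH939SrAy9e2SFZUqdy
+qIXwGmZktzL8DU+8ZH47R+CIwcv59l4Wy889fUrjk4Kgg45IhqnP5NMg2Z8aytUH
+0Zwo0iJxuCe0tQTdSMvYC0PoWsEyR4KULEU83GfCbGZQG8hOFAPHXV0CpM025+9Y
+L8ITFP+Nw9Meiw4etw59CTAPCc7l4Zvwr1K2ZTBmVGxrqdasiqpI0utG69aItsPi
++9V8SSde7D5iMV/3z9LDxA/oLoqNGFcD0TSR5+obeqJzl40=
+-----END CERTIFICATE-----`),
+PKICertificateSubject: configv1.PKICertificateSubject{
+
+},
+},
+},
+SignedIdentity: &configv1.PolicyIdentity{
+MatchPolicy: configv1.IdentityMatchPolicyMatchRepository,
+},
+},
+},
+},
 }
 return testClusterImagePolicies
 }
@@ -377,6 +633,100 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKvZH0CXTk8XQkETuxkzkl3Bi4ms5
 },
 },
 },
+invalidPKIImagePolicyName: {
+TypeMeta: metav1.TypeMeta{
+Kind: "ImagePolicy",
+APIVersion: configv1.SchemeGroupVersion.String(),
+},
+ObjectMeta: metav1.ObjectMeta{Name: invalidPKIImagePolicyName},
+Spec: configv1.ImagePolicySpec{
+Scopes: []configv1.ImageScope{testPKISignedPolicyScope},
+Policy: configv1.Policy{
+RootOfTrust: configv1.PolicyRootOfTrust{
+PolicyType: configv1.PKIRootOfTrust,
+PKI: &configv1.PKI{
+CertificateAuthorityRootsData: []byte(`-----BEGIN CERTIFICATE-----
+MIICYDCCAgagAwIBAgIUTq5IQKTGqI9XDqGzdGzm8mI43qkwCgYIKoZIzj0EAwIw
+fDELMAkGA1UEBhMCLS0xDjAMBgNVBAgTBVNUQVRFMREwDwYDVQQHEwhMT0NBTElU
+WTEVMBMGA1UEChMMT1JHQU5JU0FUSU9OMQ4wDAYDVQQLEwVMT0NBTDEjMCEGA1UE
+AxMaUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjQwNjA2MTQxODAwWhcN
+MzQwNjA0MTQxODAwWjB8MQswCQYDVQQGEwItLTEOMAwGA1UECBMFU1RBVEUxETAP
+BgNVBAcTCExPQ0FMSVRZMRUwEwYDVQQKEwxPUkdBTklTQVRJT04xDjAMBgNVBAsT
+BUxPQ0FMMSMwIQYDVQQDExpSb290IENlcnRpZmljYXRlIEF1dGhvcml0eTBZMBMG
+ByqGSM49AgEGCCqGSM49AwEHA0IABDYxY1BnzNsriTp9PZ0TSumXOg36Xr4fO6xa
+RHp7chgZ9KUhA+s2YoafOWobSiq3ZhfU5vjT2MVIeJjOZjw9EUWjZjBkMA4GA1Ud
+DwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBQQOPL7R8z2
+dG1h6uJ6bWX/xxl6mjAfBgNVHSMEGDAWgBQQOPL7R8z2dG1h6uJ6bWX/xxl6mjAK
+BggqhkjOPQQDAgNIADBFAiAf7kYcHVNe1kj6R8pdVlAckVZZTu6khmBlJoe32FEu
+TAIhALlR4yZRRYv2iaVPdgaptAI0LoDAtEUiO8Rb9FWJzpAN
+-----END CERTIFICATE-----`),
+PKICertificateSubject: configv1.PKICertificateSubject{
+
+},
+},
+},
+SignedIdentity: &configv1.PolicyIdentity{
+MatchPolicy: configv1.IdentityMatchPolicyMatchRepository,
+},
+},
+},
+},
+pkiImagePolicyName: {
+TypeMeta: metav1.TypeMeta{
+Kind: "ImagePolicy",
+APIVersion: configv1.SchemeGroupVersion.String(),
+},
+ObjectMeta: metav1.ObjectMeta{Name: pkiImagePolicyName},
+Spec: configv1.ImagePolicySpec{
+Scopes: []configv1.ImageScope{testPKISignedPolicyScope},
+Policy: configv1.Policy{
+RootOfTrust: configv1.PolicyRootOfTrust{
+PolicyType: configv1.PKIRootOfTrust,
+PKI: &configv1.PKI{
+CertificateAuthorityRootsData: []byte(`-----BEGIN CERTIFICATE-----
+MIIFvzCCA6egAwIBAgIUZnH3ITyYQMAp6lvNYc0fjRzzuBcwDQYJKoZIhvcNAQEL
+BQAwbjELMAkGA1UEBhMCRVMxETAPBgNVBAcMCFZhbGVuY2lhMQswCQYDVQQKDAJJ
+VDERMA8GA1UECwwIU2VjdXJpdHkxLDAqBgNVBAMMI0xpbnV4ZXJhIFJvb3QgQ2Vy
+dGlmaWNhdGUgQXV0aG9yaXR5MCAXDTI0MDkzMDE2MjM1N1oYDzIwNTIwMjE1MTYy
+MzU3WjBuMQswCQYDVQQGEwJFUzERMA8GA1UEBwwIVmFsZW5jaWExCzAJBgNVBAoM
+AklUMREwDwYDVQQLDAhTZWN1cml0eTEsMCoGA1UEAwwjTGludXhlcmEgUm9vdCBD
+ZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
+AoICAQCy8vGuh6+27xqtsANJUMIeGaX/rjx5hIgh/eOcxZc2/azTB/zHnwjZX7qn
+Co3zaYZaS3ibOouS1yPv2G3NeRPwfGHn2kcR3QM7h4BdYxZ3SR/VioaWpVymLCm2
+/V2gQWMWKrtdYfOXBviqhhD9OIxrLSOqjac8T/icQcfN+dKktKyGlY7vJLKO9w2x
+IdpOTa2IDuYp5DNQV6vy9sDFglP/iafvcDkLGUhrsop8LeNcejpmpFBPRwJKXgan
+5spry6GgCpNNJuB/Hqgth0fGPjMEY8bPuVOCehnRxe094U01sGrobkkbnM+SxumA
+oLwk1//jC1K3HaKjkIOMMHxEzqYx0Q4RalvPWhd6o/KP5Cs+rd5+EwSeFuvbaIrF
+sEPZBPpH0UDLR0yiQNk2j4LVbV1xdP7tX8KtUvF8+E3Gm5SwnCodNbfnAUxNF4RK
+4lDqGibUUI5B5SniJ5YMVeTJSc1Jo9gTaKa9lRniMitY9FjzjQjDF4yGnhNPmmKG
+zIvVOXIhQpcw3UhEMmDz6p1wr3wMDtjufoaxaTjoAuxUzSwwFqxzzcJenQiHoFeQ
+B6cJ5RayizadlkqBnHAkrzAB0aM9W8zh5AhIcnO6gfGBaOFom+I5Huy3TyZ9FjTn
+vlxVM5txPV5VsBPMK96hF6mnWeKNg/22qY0X+wo8T33G4LvWIwIDAQABo1MwUTAd
+BgNVHQ4EFgQUD+bFpMAOhNSptdQo+NZle+Yd1L4wHwYDVR0jBBgwFoAUD+bFpMAO
+hNSptdQo+NZle+Yd1L4wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
+AgEAmE21e2H51volFI0CboDakb5T9VLkDzLgmxH2iZPBJrnQBFaPTEaQnM93pDq+
+czfc7+WJL+6TUyUYFOg2rueK/KWC3AQYUrsb+i3BDNZVv74f3wLidmqELcyjHO8m
+7yoGIgeG8ksMYPCzPfuuFHYNDiv11brmbdhdGGbvQMbayLYvhB543J5sTiUsr3iv
+ShKvmr/krAbdj6ZK2m6us+pFktjjbirHVqj5tE+RvEC9oHSngyCRCKJEuEDt+gUK
+gmSFh1+AFJdjWqYqnX7kPu6N4x4KoH72OUkd7NHpzkG57UM0iVQ8jCAclkZxrpng
+HCD+dY0JnIlF+LJ7qGgmrNQQvTZ11hWyV7fRHcCPwuqT0kJC/yjWWXEafsMWTPl7
+2zrQg5YW0zbcWfRzo1ucx0tf47unRjVqjaXjyyzkgkHrqZH939SrAy9e2SFZUqdy
+qIXwGmZktzL8DU+8ZH47R+CIwcv59l4Wy889fUrjk4Kgg45IhqnP5NMg2Z8aytUH
+0Zwo0iJxuCe0tQTdSMvYC0PoWsEyR4KULEU83GfCbGZQG8hOFAPHXV0CpM025+9Y
+L8ITFP+Nw9Meiw4etw59CTAPCc7l4Zvwr1K2ZTBmVGxrqdasiqpI0utG69aItsPi
++9V8SSde7D5iMV/3z9LDxA/oLoqNGFcD0TSR5+obeqJzl40=
+-----END CERTIFICATE-----`),
+PKICertificateSubject: configv1.PKICertificateSubject{
+
+},
+},
+},
+SignedIdentity: &configv1.PolicyIdentity{
+MatchPolicy: configv1.IdentityMatchPolicyMatchRepository,
+},
+},
+},
+},
 }
 return testImagePolicies
 }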
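Review bot: The `invalidEmailPKIClusterImagePolicyName` entry added to generateClusterImagePolicies is byte-for-byte the same policy as `pkiClusterImagePolicyName` — identical CertificateAuthorityRootsData and an empty `PKICertificateSubject{}` — yet the spec "Should fail clusterimagepolicy signature validation PKI email does not match" expects the first to be rejected while "Should pass clusterimagepolicy signature validation with PKI signed image" expects the second to run, so one of the two specs cannot pass for its stated reason and the negative case never exercises an email mismatch. Give the negative policy a subject constraint that the signing certificate does not satisfy, e.g. `PKICertificateSubject: configv1.PKICertificateSubject{Email: "<non-matching-email placeholder>"}`, so a rejection is attributable to the subject check rather than to something else; with no subject constraint the other PKI policies likewise verify only the chain, not the leaf identity. In the new Describe's BeforeAll, the comment `// skip test on disconnected clusters.` and the message `"skipping test on disconnected platform"` describe a condition the code does not check — it only looks for an IPv6 cluster network — so either say what is actually tested, `g.Skip("skipping test on IPv6 cluster network")`, or document why IPv6 is treated as a proxy for disconnected. generateClusterImagePolicies and generateImagePolicies both begin outside the hunk.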
