OCPNODE-3238: Add SigstoreImageVerificationPKI image policy validation tests #30315
Conversation
QiWang19
changed the title
openshift-ci-robot
added
the
jira/valid-reference
|
@QiWang19: This pull request references OCPNODE-3238 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/payload-job periodic-ci-openshift-release-master-ci-4.21-e2e-gcp-ovn-techpreview-serial periodic-ci-openshift-release-master-ci-4.21-e2e-gcp-ovn-techpreview periodic-ci-openshift-release-master-ci-4.21-e2e-aws-ovn-techpreview |
|
@QiWang19: trigger 3 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/311a9040-9d59-11f0-879e-c930bc54baee-0 |
|
/payload-job periodic-ci-openshift-release-master-ci-4.21-e2e-aws-ovn-techpreview-serial-1of3 periodic-ci-openshift-release-master-ci-4.21-e2e-aws-ovn-techpreview-serial-2of3 periodic-ci-openshift-release-master-ci-4.21-e2e-aws-ovn-techpreview-serial-3of3 |
|
@QiWang19: trigger 3 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/253cde60-9d61-11f0-9a69-7fc8f0ecf81c-0 |
|
/payload-job periodic-ci-openshift-release-master-ci-4.21-e2e-aws-ovn-techpreview |
|
@QiWang19: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/cd5df100-9d6c-11f0-914d-2e39ab7aa537-0 |
|
/retest-required |
|
/payload-job periodic-ci-openshift-release-master-ci-4.21-e2e-aws-ovn-techpreview-serial-1of3 periodic-ci-openshift-release-master-ci-4.21-e2e-aws-ovn-techpreview-serial-2of3 periodic-ci-openshift-release-master-ci-4.21-e2e-aws-ovn-techpreview-serial-3of3 |
|
@QiWang19: trigger 3 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/8d822810-9e13-11f0-83ee-4c7920417d1a-0 |
|
/payload-job periodic-ci-openshift-release-master-ci-4.21-e2e-gcp-ovn-techpreview-serial periodic-ci-openshift-release-master-ci-4.21-e2e-gcp-ovn-techpreview periodic-ci-openshift-release-master-ci-4.21-e2e-aws-ovn-techpreview |
|
@QiWang19: trigger 3 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/a8c67130-9e13-11f0-9674-06007256f8e8-0 |
|
Job Failure Risk Analysis for sha: 2b4f833
|
|
/payload-job periodic-ci-openshift-release-master-ci-4.21-e2e-gcp-ovn-techpreview-serial periodic-ci-openshift-release-master-ci-4.21-e2e-gcp-ovn-techpreview periodic-ci-openshift-release-master-ci-4.21-e2e-aws-ovn-techpreview |
|
@QiWang19: trigger 3 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/d9843290-9eee-11f0-9226-c73580e8a2ed-0 |
|
/payload-job periodic-ci-openshift-release-master-ci-4.21-e2e-aws-ovn-techpreview-serial-1of3 periodic-ci-openshift-release-master-ci-4.21-e2e-aws-ovn-techpreview-serial-2of3 periodic-ci-openshift-release-master-ci-4.21-e2e-aws-ovn-techpreview-serial-3of3 |
|
@QiWang19: trigger 3 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/94a06f80-9eef-11f0-88d4-dfd174702621-0 |
|
/payload-job periodic-ci-openshift-release-master-ci-4.21-e2e-aws-ovn-techpreview-serial-1of3 periodic-ci-openshift-release-master-ci-4.21-e2e-aws-ovn-techpreview-serial-2of3 periodic-ci-openshift-release-master-ci-4.21-e2e-aws-ovn-techpreview-serial-3of3 |
|
@QiWang19: trigger 3 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/b7cdf2a0-9f46-11f0-96fa-89cd148c9322-0 |
|
/verified by @QiWang19 Payload jobs passed the |
openshift-ci-robot
added
the
verified
|
@QiWang19: This PR has been marked as verified by In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
| } | ||
| } | ||
| if usingIPv6 { | ||
| g.Skip("skipping test on disconnected platform") |
There was a problem hiding this comment.
could be shared with the [sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][Serial]" version
There was a problem hiding this comment.
Fixed.
we can cleanup for SigstoreImageVerification tests in a follow up PR.
| } | ||
| }) | ||
|
|
||
| g.It("Should fail clusterimagepolicy signature validation root of trust does not match the identity in the signature", func() { |
There was a problem hiding this comment.
these look like they could be a g.Table:
func(policyName, verifyFunc) {
createClusterImagePolicy(oc, testClusterImagePolicies[policyName])
g.DeferCleanup(deleteClusterImagePolicy, oc, policyName)
pod, err := launchTestPod(tctx, clif, testPodName, testPKISignedPolicyScope)
o.Expect(err).NotTo(o.HaveOccurred())
g.DeferCleanup(deleteTestPod, tctx, clif, testPodName)
verifyFunc()
}
with policyName = invalidPKIClusterImagePolicyName
and verifyFunc = () {
err = waitForTestPodContainerToFailSignatureValidation(tctx, clif, pod)
o.Expect(err).NotTo(o.HaveOccurred())
}
| }) | ||
| }) | ||
|
|
||
| var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerificationPKI][Serial]", g.Ordered, func() { |
There was a problem hiding this comment.
Per new OTE naming conventions we should add "[Jira:Node]" for clear ownership. This is how Compnent Readiness knows what component to assign tests to.
There was a problem hiding this comment.
I realized that it needs to be "Node / Something". Not sure which "subcomponent" this would fall under.
There was a problem hiding this comment.
sig-imagepolicy was included in the https://github.com/openshift-eng/ci-test-mapping in the ci mapping, I think this can map the component when file a bug:
https://github.com/openshift-eng/ci-test-mapping/blob/89b8e6a2379e5ce77f44fe90863dd3d7ca8e53d2/pkg/components/node/crio/component.go#L25C11-L25C26
|
Job Failure Risk Analysis for sha: 2ade46e
|
|
/payload-job periodic-ci-openshift-release-master-ci-4.21-e2e-aws-ovn-techpreview-serial-1of3 periodic-ci-openshift-release-master-ci-4.21-e2e-aws-ovn-techpreview-serial-2of3 periodic-ci-openshift-release-master-ci-4.21-e2e-aws-ovn-techpreview-serial-3of3 |
|
@QiWang19: trigger 3 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/5398c190-a016-11f0-88c6-fcdd7397c93d-0 |
QiWang19
changed the title
|
/verified by @QiWang19 Payload jobs passed the [sig-imagepolicy][OCPFeatureGate:SigstoreImageVerificationPKI] tests |
openshift-ci-robot
added
the
verified
|
@QiWang19: This PR has been marked as verified by In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
| if err != nil { | ||
| return err | ||
| } | ||
| defer deleteTestPod(tctx, clif, testPodName) |
There was a problem hiding this comment.
If you directly use deleteTestPod then any error will be silently ignored, but if you use it with DeferCleanup, like you have done it earlier,
I will capture that error. Could generate helpful logs which could help in debugging CI job runs.
Signed-off-by: Qi Wang <[email protected]>
openshift-ci-robot
removed
the
verified
|
/lgtm |
|
/verified by @QiWang19 Payload jobs passed the [sig-imagepolicy][OCPFeatureGate:SigstoreImageVerificationPKI] tests |
openshift-ci-robot
added
the
verified
|
@QiWang19: This PR has been marked as verified by In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: harche, neisw, QiWang19 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
Job Failure Risk Analysis for sha: 162b7b1
|
|
Job Failure Risk Analysis for sha: 162b7b1
|
|
/retest-required |
|
@QiWang19: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
Job Failure Risk Analysis for sha: 162b7b1
|
1 similar comment
|
Job Failure Risk Analysis for sha: 162b7b1
|
Add image signature validation e2e test
policyType: PKIforClusterImagePolicyandImagePolicyCRDs.