Skip to content

CiProvider as a new OIDCIssuer type #5173

CiProvider as a new OIDCIssuer type

CiProvider as a new OIDCIssuer type #5173

Workflow file for this run

#
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: Verify-K8s
on: [push, pull_request]
permissions:
contents: read
jobs:
verify-k8s-manifests:
name: k8s manifest check
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
# TODO: uncomment when we bump to go1.22 in go.mod
# - name: Extract version of Go to use
# run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: ${{ env.GOVERSION }}
check-latest: true
- name: Install kubeval
run: go install github.com/instrumenta/[email protected]
- run: kubeval config/*.yaml
verify-k8s-deployment:
runs-on: ubuntu-latest
strategy:
fail-fast: false # Keep running if one leg fails.
matrix:
issuer:
- "OIDC Issuer"
- "Meta Issuer"
include:
- issuer: "OIDC Issuer"
issuer-config: |
"OIDCIssuers": {"https://kubernetes.default.svc": {"IssuerURL": "https://kubernetes.default.svc","ClientID": "sigstore","Type": "kubernetes"}}
- issuer: "Meta Issuer"
issuer-config: |
"MetaIssuers": {"https://kubernetes.*.svc": {"ClientID": "sigstore","Type": "kubernetes"}}
env:
# https://github.com/google/go-containerregistry/pull/125 allows insecure registry for
# '*.local' hostnames. This works both for `ko` and our own tag-to-digest resolution logic,
# thus allowing us to test without bypassing tag-to-digest resolution.
REGISTRY_NAME: registry.local
REGISTRY_PORT: 5000
KO_PREFIX: registry.local:5000/fulcio
GIT_HASH: ${{ github.sha }}
GIT_VERSION: test
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
# TODO: uncomment when we bump to go1.22 in go.mod
# - name: Extract version of Go to use
# run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: '1.22'
check-latest: true
- uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7
- name: Setup Cluster
uses: chainguard-dev/actions/setup-kind@f94883c3bd16936401291899070258f855b5d849 # main
with:
k8s-version: 1.26.x
registry-authority: ${{ env.REGISTRY_NAME }}:${{ env.REGISTRY_PORT }}
- name: Generate temporary CA files
run: |
openssl req -x509 \
-newkey ed25519 \
-sha256 \
-keyout "${{ github.run_id }}-key.pem" \
-out "${{ github.run_id }}-cert.pem" \
-subj "/CN=ed25519" \
-days 36500 \
-passout pass:"${{ github.run_id }}"
- name: Deploy fulcio-system
run: |
# Reduce the resource requests of Fulcio
sed -i -e 's,memory: "1G",memory: "100Mi",g' ${{ github.workspace }}/config/deployment.yaml
sed -i -e 's,cpu: ".5",cpu: "50m",g' ${{ github.workspace }}/config/deployment.yaml
# Switch to one replica to make it easier to test the scraping of
# metrics since we know all the requests then go to the same server.
sed -i -E 's,replicas: 3,replicas: 1,g' ${{ github.workspace }}/config/deployment.yaml
# Expose the prometheus port as a service so tests can grab it
# without hitting the k8s API
cat <<EOF >> ${{ github.workspace }}/config/deployment.yaml
- name: prometheus
protocol: TCP
port: 2112
targetPort: 2112
EOF
# Overwrite the configuration to be what we need for KinD.
cat <<EOF > config/fulcio-config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: fulcio-config
namespace: fulcio-system
data:
config.json: |-
{
${{ matrix.issuer-config }}
}
server.yaml: |-
host: 0.0.0.0
port: 5555
grpc-port: 5554
ca: fileca
fileca-cert: /etc/fulcio-secret/cert.pem
fileca-key: /etc/fulcio-secret/key.pem
fileca-key-passwd: "${{ github.run_id }}"
ct-log-url: ""
log_type: prod
EOF
# Create secret needed to use fileca
cat <<EOF > config/fulcio-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: fulcio-secret
namespace: fulcio-system
data:
cert.pem: $(cat ${{ github.run_id }}-cert.pem | base64 -w 0)
key.pem: $(cat ${{ github.run_id }}-key.pem | base64 -w 0)
EOF
make ko-apply-ci
kubectl wait --for=condition=Available --timeout=5m -n fulcio-system deployment/fulcio-server
kubectl get po -n fulcio-system
- name: Run signing job
run: |
DIGEST=$(make ko-publish | sed '1d')
cat <<EOF | kubectl apply -f -
apiVersion: batch/v1
kind: Job
metadata:
name: check-oidc
spec:
template:
spec:
restartPolicy: Never
automountServiceAccountToken: false
containers:
- name: check-oidc
image: gcr.io/projectsigstore/cosign:v1.12.0
args: [
"sign",
"--fulcio-url=http://fulcio-server.fulcio-system.svc",
"--insecure-skip-verify=true",
"--upload=false",
"${DIGEST}",
]
env:
- name: COSIGN_EXPERIMENTAL
value: "true"
volumeMounts:
- name: oidc-info
mountPath: /var/run/sigstore/cosign
volumes:
- name: oidc-info
projected:
sources:
- serviceAccountToken:
path: oidc-token
expirationSeconds: 600 # Use as short-lived as possible.
audience: sigstore
EOF
kubectl wait --for=condition=Complete --timeout=90s job/check-oidc
- name: Validate prometheus metrics exported and look correct
run: |
cat <<EOF | ko apply -f -
apiVersion: batch/v1
kind: Job
metadata:
name: check-prometheus-metrics
spec:
template:
spec:
restartPolicy: Never
automountServiceAccountToken: false
containers:
- name: check-metrics
image: ko://github.com/sigstore/fulcio/test/prometheus/
EOF
kubectl wait --for=condition=Complete --timeout=90s job/check-prometheus-metrics
env:
KO_DOCKER_REPO: registry.local:5000/fulcio
- name: Collect diagnostics and upload
if: ${{ failure() }}
uses: chainguard-dev/actions/kind-diag@84c993eaf02da1c325854fb272a4df9184bd80fc # main