diff --git a/.github/workflows/go-portieris.yaml b/.github/workflows/go-portieris.yaml index 0620d63f..1e2f6736 100644 --- a/.github/workflows/go-portieris.yaml +++ b/.github/workflows/go-portieris.yaml @@ -17,7 +17,7 @@ jobs: - name: Setup correct Go version uses: actions/setup-go@v2 with: - go-version: '1.18.9' + go-version: '1.19.10' check-latest: true - name: alltests diff --git a/.secrets.baseline b/.secrets.baseline index 781d8e2d..69ec05d5 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "go.*|^.secrets.baseline$", "lines": null }, - "generated_at": "2023-01-27T14:05:01Z", + "generated_at": "2023-08-20T12:14:49Z", "plugins_used": [ { "name": "AWSKeyDetector" 
@@ -121,6 +121,126 @@ "verified_result": null } ], + "test/e2e/testdata/clusterimagepolicy/allow-signed.yaml": [ + { + "hashed_secret": "842aead05193389c5dcae32d145726af222a1d8e", + "is_secret": false, + "is_verified": false, + "line_number": 12, + "type": "Secret Keyword", + "verified_result": null + } + ], + "test/e2e/testdata/clusterimagepolicy/simple-remap.yaml": [ + { + "hashed_secret": "842aead05193389c5dcae32d145726af222a1d8e", + "is_secret": false, + "is_verified": false, + "line_number": 12, + "type": "Secret Keyword", + "verified_result": null + } + ], + "test/e2e/testdata/clusterimagepolicy/simple-signedby1-keysecret-namespace-override.yaml": [ + { + "hashed_secret": "0c70ff9d64093a7a37b4b4f46c1bab443ddb7fe0", + "is_secret": false, + "is_verified": false, + "line_number": 11, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "842aead05193389c5dcae32d145726af222a1d8e", + "is_secret": false, + "is_verified": false, + "line_number": 15, + "type": "Secret Keyword", + "verified_result": null + } + ], + "test/e2e/testdata/clusterimagepolicy/simple-signedby1.yaml": [ + { + "hashed_secret": "0c70ff9d64093a7a37b4b4f46c1bab443ddb7fe0", + "is_secret": false, + "is_verified": false, + "line_number": 11, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "842aead05193389c5dcae32d145726af222a1d8e", + "is_secret": false, + "is_verified": false, + "line_number": 15, + "type": "Secret Keyword", + "verified_result": null + } + ], + "test/e2e/testdata/clusterimagepolicy/simple-signedby2-mutate.yaml": [ + { + "hashed_secret": "842aead05193389c5dcae32d145726af222a1d8e", + "is_secret": false, + "is_verified": false, + "line_number": 13, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "fc27e33f1b1d99c6ea1b257978ae7082ac11305d", + "is_secret": false, + "is_verified": false, + "line_number": 15, + "type": "Secret Keyword", + "verified_result": null + } + ], + 
"test/e2e/testdata/clusterimagepolicy/simple-signedby2-nomutate.yaml": [ + { + "hashed_secret": "842aead05193389c5dcae32d145726af222a1d8e", + "is_secret": false, + "is_verified": false, + "line_number": 13, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "fc27e33f1b1d99c6ea1b257978ae7082ac11305d", + "is_secret": false, + "is_verified": false, + "line_number": 15, + "type": "Secret Keyword", + "verified_result": null + } + ], + "test/e2e/testdata/clusterimagepolicy/simple-signedby2.yaml": [ + { + "hashed_secret": "842aead05193389c5dcae32d145726af222a1d8e", + "is_secret": false, + "is_verified": false, + "line_number": 12, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "fc27e33f1b1d99c6ea1b257978ae7082ac11305d", + "is_secret": false, + "is_verified": false, + "line_number": 14, + "type": "Secret Keyword", + "verified_result": null + } + ], + "test/e2e/testdata/imagepolicy/allow-signed.yaml": [ + { + "hashed_secret": "842aead05193389c5dcae32d145726af222a1d8e", + "is_secret": false, + "is_verified": false, + "line_number": 13, + "type": "Secret Keyword", + "verified_result": null + } + ], "test/e2e/testdata/imagepolicy/simple-remap.yaml": [ { "hashed_secret": "842aead05193389c5dcae32d145726af222a1d8e", 
@@ -231,6 +351,384 @@ "verified_result": null } ], + "test/e2e/testdata/secret/sh.pubkey.yaml": [ + { + "hashed_secret": "4ca54b96f63b8800393d00ecfcc064d8ecf543a6", + "is_secret": false, + "is_verified": false, + "line_number": 10, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "4f390d62619c81a7df9df5254d7a7cee59c3742e", + "is_secret": false, + "is_verified": false, + "line_number": 11, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "b1a07620be7daf49067f47fb8b3771095d728b43", + "is_secret": false, + "is_verified": false, + "line_number": 12, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "9bf33045086fa1e557cc5ecba3922f8f47839fc7", + "is_secret": false, + "is_verified": false, + "line_number": 13, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "e077529188417543345a0ef380a2e2c8c41fb701", + "is_secret": false, + "is_verified": false, + "line_number": 14, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "b8f14b4515054561563b680fa42350db818aa8a0", + "is_secret": false, + "is_verified": false, + "line_number": 15, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "af79848bf6497616e00013e24f304cb080ef1e91", + "is_secret": false, + "is_verified": false, + "line_number": 16, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "37ae710424c14b512707957488ad030f75b2fb72", + "is_secret": false, + "is_verified": false, + "line_number": 17, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "c980e644b07596a3699f593892efc4b233a525c5", + "is_secret": false, + "is_verified": false, + "line_number": 18, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": 
"fb3b71ccfc7ed0cd9277d3791868268635326145", + "is_secret": false, + "is_verified": false, + "line_number": 19, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "1c9c8083a4a89d61a02969edef8e582d8792f683", + "is_secret": false, + "is_verified": false, + "line_number": 20, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "1f046ef25ec37ba83c215d38b2be530b4d9b9ff1", + "is_secret": false, + "is_verified": false, + "line_number": 21, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "28d16ea10d23c8ce2d28c87dd87bbd0a7d45cc51", + "is_secret": false, + "is_verified": false, + "line_number": 22, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "0032ec674e8fb1d0828217a0c2c0a6ffee5a3473", + "is_secret": false, + "is_verified": false, + "line_number": 23, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "f8b68fe998675212ada42afe2e1b40462bf4b09f", + "is_secret": false, + "is_verified": false, + "line_number": 24, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "81ad1d828f39165e00271c001605c61ad25da9b1", + "is_secret": false, + "is_verified": false, + "line_number": 25, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "686c91f51661a134e3e052b8be3eb4912d8892ed", + "is_secret": false, + "is_verified": false, + "line_number": 26, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "daf68fd5c3c73363868ff5ee994129614caf4512", + "is_secret": false, + "is_verified": false, + "line_number": 27, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "ffdc16c942b4164a53ea3f76c5ce6aa5ee5e1174", + "is_secret": false, + "is_verified": false, + "line_number": 28, + "type": "Base64 High Entropy String", + 
"verified_result": null + }, + { + "hashed_secret": "1addafcaa9c487210feb6c344050f54684e43920", + "is_secret": false, + "is_verified": false, + "line_number": 29, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "b155d57ccf9f5c1b66a6b433ad5cef58cc85fa91", + "is_secret": false, + "is_verified": false, + "line_number": 30, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "cc243a5729d401ac7481d941e2473ed779576a6e", + "is_secret": false, + "is_verified": false, + "line_number": 31, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "4043e46a3064361e92a68fd9c38581378ca28a31", + "is_secret": false, + "is_verified": false, + "line_number": 32, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "a729929d6d67cae3968eeb63ed1da0eba7610c9e", + "is_secret": false, + "is_verified": false, + "line_number": 33, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "b7238f4e44ff4f2259a240e49bc662288516806c", + "is_secret": false, + "is_verified": false, + "line_number": 34, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "03c394fd52114d5aebb9ee8436292d1408a7ee52", + "is_secret": false, + "is_verified": false, + "line_number": 35, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "caea76b18230fe1ee6236f39e0d163f562711f5c", + "is_secret": false, + "is_verified": false, + "line_number": 36, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "9d23a8b27495e2c00807a3731316a6d7536329a5", + "is_secret": false, + "is_verified": false, + "line_number": 37, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "c6c7c34a3c821d694ed951c2ab4e2eb5f9a7f122", + "is_secret": false, + "is_verified": false, + 
"line_number": 38, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "08b470ee77302b5c5c995f599bcbc73cfc0a870c", + "is_secret": false, + "is_verified": false, + "line_number": 39, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "259613efbd7b86003719596ecc141b5f04bf27b3", + "is_secret": false, + "is_verified": false, + "line_number": 40, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "b7554181bd1bc6e1f56d04328c5409635cac499a", + "is_secret": false, + "is_verified": false, + "line_number": 41, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "3c5c8c369ed032fa551d92dc491acd335f483936", + "is_secret": false, + "is_verified": false, + "line_number": 42, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "107858d1d02dd46d51777fa819e1547f41972f65", + "is_secret": false, + "is_verified": false, + "line_number": 43, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "c2616df9f13433ffd666a34c29eedcc35277304d", + "is_secret": false, + "is_verified": false, + "line_number": 44, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "d4f9c89161627a718da0f327998699a1037d4aed", + "is_secret": false, + "is_verified": false, + "line_number": 45, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "0ee7d5d0f5bd5c320d7e0c3a15337efcb277a661", + "is_secret": false, + "is_verified": false, + "line_number": 46, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "375bf88be7833c70797fa3ead94262689a201216", + "is_secret": false, + "is_verified": false, + "line_number": 47, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": 
"e3e6567955269039d99d307b6fe03cc39138e867", + "is_secret": false, + "is_verified": false, + "line_number": 48, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "02128c4b98e61cdf3f0415e41e52f3e7f742bcc7", + "is_secret": false, + "is_verified": false, + "line_number": 49, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "941e3e0ea370cf24d1ada5a36eb898c62421ed47", + "is_secret": false, + "is_verified": false, + "line_number": 50, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "f9318e097afc1adb2e024bd6a6f13a3491351503", + "is_secret": false, + "is_verified": false, + "line_number": 51, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "6e53162b3fd4de02e01aebd3bba96829764598dc", + "is_secret": false, + "is_verified": false, + "line_number": 52, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "f5e362153c098ccaf7cd94c5c0de58a36e0b519d", + "is_secret": false, + "is_verified": false, + "line_number": 53, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "66fa4c5bd34fe8f914f7ee69b206dae42c405826", + "is_secret": false, + "is_verified": false, + "line_number": 54, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "b1c2397ed527a3d9530a89843a4e4ddf3f46fe29", + "is_secret": false, + "is_verified": false, + "line_number": 55, + "type": "Base64 High Entropy String", + "verified_result": null + }, + { + "hashed_secret": "0858324b54d8756939901525f6316383add58e0f", + "is_secret": false, + "is_verified": false, + "line_number": 56, + "type": "Base64 High Entropy String", + "verified_result": null + } + ], "test/e2e/testdata/secret/signer1.pubkey.yaml": [ { "hashed_secret": "012b696585a4b3d5bab2614e493819a05654182a", 
@@ -672,7 +1170,7 @@ } ] }, - "version": "0.13.1+ibm.56.dss", + "version": "0.13.1+ibm.60.dss", "word_list": { "file": null, "hash": null diff --git a/CHANGELOG.md b/CHANGELOG.md index 538bdfb3..a158fca5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,10 @@ This project adheres to [Semantic Versioning](http://semver.org/). ## v-next +## v0.13.6 + +* consume ubi8/go-toolset:1.19.10-3 + ## v0.13.5 Released 2023-04-11 diff --git a/Dockerfile b/Dockerfile index 3eefc5ec..923e1a15 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # This first stage of the build uses go-toolset to build the portieris binary creates # a simplified operating system image that satisfies vulnerability scanning requirements -FROM registry.access.redhat.com/ubi8/go-toolset:1.18.9-8 as installer +FROM registry.access.redhat.com/ubi8/go-toolset:1.19.10-10 as installer ARG PORTIERIS_VERSION=undefined # switch to root user as we need to run yum and rpm to ensure packages are up to date diff --git a/Makefile b/Makefile index 99a2f9d4..1402dfe7 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ GOFILES=$(shell find . -type f -name '*.go' -not -path "./code-generator/*" -not -path "./pkg/apis/*") GOPACKAGES=$(shell go list ./... | grep -v test/ | grep -v pkg/apis/) -VERSION=v0.13.5 +VERSION=v0.13.6 TAG=$(VERSION) GOTAGS='containers_image_openpgp' 
@@ -75,7 +75,7 @@ e2e.local: helm.install.local e2e.quick e2e.local.ics: helm.install.local e2e.quick.ics -e2e.quick: e2e.quick.trust.imagepolicy e2e.quick.trust.clusterimagepolicy e2e.quick.wildcards e2e.quick.generic e2e.quick.simple.imagepolicy e2e.quick.vulnerability +e2e.quick: e2e.quick.trust.imagepolicy e2e.quick.trust.clusterimagepolicy e2e.quick.wildcards e2e.quick.generic e2e.quick.simple.imagepolicy e2e.quick.simple.clusterimagepolicy e2e.quick.ics: e2e.quick.trust.imagepolicy e2e.quick.trust.clusterimagepolicy e2e.quick.armada e2e.quick.wildcards e2e.quick.generic e2e.quick.simple.imagepolicy -kubectl delete namespace $$(kubectl get namespaces | grep '[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*' | awk '{ print $$1 }' ) @@ -99,16 +99,17 @@ e2e.quick.generic: go test -v ./test/e2e --no-install --generic -kubectl delete namespace $$(kubectl get namespaces | grep '[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*' | awk '{ print $$1 }' ) +e2e.quick.simple.clusterimagepolicy: + go test -v ./test/e2e --no-install --simple-cluster-image-policy + -kubectl delete namespace secretnamespace + -kubectl delete namespace $$(kubectl get namespaces | grep '[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*' | awk '{ print $$1 }' ) + e2e.quick.simple.imagepolicy: -kubectl delete namespace secretnamespace go test -v ./test/e2e --no-install --simple-image-policy -kubectl delete namespace secretnamespace -kubectl delete namespace $$(kubectl get namespaces | grep '[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*' | awk '{ print $$1 }' ) -e2e.quick.vulnerability: - go test -v ./test/e2e --no-install --vulnerability - -kubectl delete namespace $$(kubectl get namespaces | grep '[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*' | awk '{ print $$1 }' ) - e2e.clean: helm.clean .PHONY: code-generator regenerate diff --git a/helm/portieris/Chart.yaml b/helm/portieris/Chart.yaml index 1d86c1d4..b7985f93 100644 --- a/helm/portieris/Chart.yaml +++ b/helm/portieris/Chart.yaml 
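Review bot: The new `e2e.quick.simple.clusterimagepolicy` target only removes `secretnamespace` after the test run, while `e2e.quick.simple.imagepolicy` directly below also removes it before `go test`; a namespace left behind by an aborted run could collide with the new suite's setup or, if it still holds a stale key secret, change the outcome of the cluster-policy checks. Add the same guard as the first recipe line: `-kubectl delete namespace secretnamespace`. `e2e.quick.ics` keeps the previous target list and so does not pick up the new cluster-image-policy suite; if that is deliberate a short comment on that line would save the next reader a question. Both hunks are inside recipe blocks whose neighbouring targets are outside the hunk.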
@@ -1,6 +1,6 @@ apiVersion: v1 name: portieris -version: v0.13.5 +version: v0.13.6 description: Admission Controller webhook for enforcing image trust in your cluster maintainers: - name: Stuart Hayton diff --git a/helm/portieris/values.yaml b/helm/portieris/values.yaml index cadced10..c4584418 100644 --- a/helm/portieris/values.yaml +++ b/helm/portieris/values.yaml @@ -15,7 +15,7 @@ image: host: icr.io/portieris pullSecret: image: portieris - tag: v0.13.5 + tag: v0.13.6 pullPolicy: Always service: diff --git a/scripts/install-on-docker b/scripts/install-on-docker index 7da3eeac..247dd070 100755 --- a/scripts/install-on-docker +++ b/scripts/install-on-docker @@ -5,7 +5,7 @@ kubectl create secret docker-registry ${PULLSECRET} --docker-username iamapikey --docker-password "${PORTIERIS_PULL_APIKEY}" --docker-server ${REG} # make a secret that e2e tests can use to pull test images, do notary and get va results # e2e tests copy this to the test namespaces -kubectl create secret docker-registry all-icr-io --docker-username iamapikey --docker-password "${PORTIERIS_TESTIMAGE_APIKEY}" --docker-server de.icr.io +kubectl create secret docker-registry all-icr-io --docker-username iamapikey --docker-password "${PORTIERIS_TESTIMAGE_APIKEY}" --docker-server icr.io kubectl create ns portieris kubectl get secret ${PULLSECRET} -o yaml | sed 's/namespace: default/namespace: portieris/' | kubectl create -f - diff --git a/test/e2e/main_test.go b/test/e2e/main_test.go index 2d6cc42d..6937cd7b 100644 --- a/test/e2e/main_test.go +++ b/test/e2e/main_test.go @@ -1,4 +1,4 @@ -// Copyright 2018,2021 Portieris Authors. +// Copyright 2018, 2023 Portieris Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
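Review bot: The comment two lines above the changed `kubectl create secret docker-registry all-icr-io` line still says the secret is used to "do notary and get va results", but this same commit drops the `--vulnerability` flag and the `e2e.quick.vulnerability` target, so the comment should become `# make a secret that e2e tests can use to pull test images and do notary`. The switch from `de.icr.io` to `icr.io` changes which registry the credential is presented to; the test image references are not in this diff, so it is worth confirming they all resolve against `icr.io` now. Separately, `--docker-password "${PORTIERIS_TESTIMAGE_APIKEY}"` places the API key in the process argument list and in any `set -x` trace of this script; that predates this change, but building a dockerconfigjson and creating the secret with `--from-file` would keep the key off the command line. The rest of the script lies outside the hunk.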
@@ -32,7 +32,7 @@ var ( noInstall bool - testTrustImagePolicy, testTrustClusterImagePolicy, testArmada, testVAImagePolicy, testVAClusterImagePolicy, testWildcardImagePolicy, testGeneric, testSimpleImagePolicy, testVulnerability bool + testTrustImagePolicy, testTrustClusterImagePolicy, testArmada, testVAImagePolicy, testWildcardImagePolicy, testGeneric, testSimpleImagePolicy, testSimpleClusterImagePolicy bool ) const ( @@ -47,12 +47,10 @@ func TestMain(m *testing.M) { flag.BoolVar(&testTrustImagePolicy, "trust-image-policy", false, "runs trust tests for image policies") flag.BoolVar(&testTrustClusterImagePolicy, "trust-cluster-image-policy", false, "runs trust tests for cluster image policies") flag.BoolVar(&testArmada, "armada", false, "runs tests for Armada based installation") - flag.BoolVar(&testVAImagePolicy, "va-image-policy", false, "runs va tests for image policies") - flag.BoolVar(&testVAClusterImagePolicy, "va-cluster-image-policy", false, "runs va tests for cluster image policies") flag.BoolVar(&testWildcardImagePolicy, "wildcards-image-policy", false, "runs tests for wildcards in image policies") flag.BoolVar(&testGeneric, "generic", false, "runs generic enforment tests") flag.BoolVar(&testSimpleImagePolicy, "simple-image-policy", false, "runs tests for simple signing policies") - flag.BoolVar(&testVulnerability, "vulnerability", false, "runs tests for vulnerability enforcement") + flag.BoolVar(&testSimpleClusterImagePolicy, "simple-cluster-image-policy", false, "runs tests for simple signing policies") flag.Parse() diff --git a/test/e2e/notary.ibm.clusterimagepolicy_test.go b/test/e2e/notary.ibm.clusterimagepolicy_test.go index 8d80dece..91fd606d 100644 --- a/test/e2e/notary.ibm.clusterimagepolicy_test.go +++ b/test/e2e/notary.ibm.clusterimagepolicy_test.go 
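Review bot: The description string for the new `simple-cluster-image-policy` flag is copied verbatim from the `simple-image-policy` flag ("runs tests for simple signing policies"), so `-help` shows two flags with the same text; it should read `flag.BoolVar(&testSimpleClusterImagePolicy, "simple-cluster-image-policy", false, "runs tests for simple signing cluster image policies")`. In the first hunk `testVAImagePolicy` stays in the `var (` block although its `va-image-policy` flag is removed in the second hunk, so unless it is assigned somewhere not shown it is now permanently false and any test still gated on it via `utils.CheckIfTesting` would be skipped silently rather than fail; either drop the variable or keep the flag. `TestMain` begins before and continues after the second hunk.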
@@ -1,4 +1,4 @@
-// Copyright 2018, 2021 Portieris Authors.
+// Copyright 2018, 2023 Portieris Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -20,93 +20,6 @@ import ( "github.com/IBM/portieris/test/e2e/utils" ) -func TestNotary_ClusterImagePolicyRepositories_AllowAllDenyAll(t *testing.T) { - utils.CheckIfTesting(t, testTrustClusterImagePolicy) - if defaultClusterPolicy := utils.DeleteThenReturnClusterImagePolicy(t, framework, "default"); defaultClusterPolicy != nil { - defer framework.CreateClusterImagePolicy(defaultClusterPolicy) - } - - t.Run("Allow all images", func(t *testing.T) { - clusterImagePolicy, namespace := utils.CreateClusterImagePolicyAndNamespace(t, framework, "./testdata/clusterimagepolicy/allow-all.yaml") - utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-unsigned.yaml", namespace.Name) - utils.CleanUpClusterImagePolicyTest(t, framework, clusterImagePolicy.Name, namespace.Name) - }) - t.Run("Deny all images when no cluster image policy is present", func(t *testing.T) { - namespace, err := framework.CreateNamespaceWithIPS("deny-all") - if err != nil { - t.Fatalf("error creating deny-all namespace: %v", err) - } - defer framework.DeleteNamespace(namespace.Name) - utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/global-nginx-unsigned.yaml", namespace.Name) - }) -} - -func TestNotary_ClusterImagePolicyRepositories_BasicTrust(t *testing.T) { - utils.CheckIfTesting(t, testTrustClusterImagePolicy) - if defaultClusterPolicy := utils.DeleteThenReturnClusterImagePolicy(t, framework, "default"); defaultClusterPolicy != nil { - defer framework.CreateClusterImagePolicy(defaultClusterPolicy) - } - - t.Run("Allow signed images when trust enabled", func(t *testing.T) { - clusterImagePolicy, namespace := utils.CreateClusterImagePolicyAndNamespace(t, framework, "./testdata/clusterimagepolicy/allow-signed.yaml") - utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-signed.yaml", namespace.Name) - utils.CleanUpClusterImagePolicyTest(t, framework, clusterImagePolicy.Name, namespace.Name) - }) - t.Run("Deny unsigned images when 
trust enabled", func(t *testing.T) { - clusterImagePolicy, namespace := utils.CreateClusterImagePolicyAndNamespace(t, framework, "./testdata/clusterimagepolicy/allow-signed.yaml") - utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/global-nginx-unsigned.yaml", namespace.Name) - utils.CleanUpClusterImagePolicyTest(t, framework, clusterImagePolicy.Name, namespace.Name) - }) -} - -func TestNotary_ClusterImagePolicyRepositories_TrustPinning(t *testing.T) { - utils.CheckIfTesting(t, testTrustClusterImagePolicy) - if defaultClusterPolicy := utils.DeleteThenReturnClusterImagePolicy(t, framework, "default"); defaultClusterPolicy != nil { - defer framework.CreateClusterImagePolicy(defaultClusterPolicy) - } - - t.Run("Allow images signed by the correct single signer when trust enabled", func(t *testing.T) { - clusterImagePolicy, namespace := utils.CreateClusterImagePolicyAndNamespace(t, framework, "./testdata/clusterimagepolicy/pinned-signer1.yaml") - utils.CreateSecret(t, framework, "./testdata/secret/signer1.pubkey.yaml", namespace.Name) - utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-signed.yaml", namespace.Name) - utils.CleanUpClusterImagePolicyTest(t, framework, clusterImagePolicy.Name, namespace.Name) - }) - t.Run("Allow images signed the correct multiple signers and when trust enabled", func(t *testing.T) { - clusterImagePolicy, namespace := utils.CreateClusterImagePolicyAndNamespace(t, framework, "./testdata/clusterimagepolicy/pinned-multi.yaml") - utils.CreateSecret(t, framework, "./testdata/secret/signer1.pubkey.yaml", namespace.Name) - utils.CreateSecret(t, framework, "./testdata/secret/signer2.pubkey.yaml", namespace.Name) - utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-multisigned.yaml", namespace.Name) - utils.CleanUpClusterImagePolicyTest(t, framework, clusterImagePolicy.Name, namespace.Name) - }) - t.Run("Deny images signed by the wrong signer when trust enabled", func(t 
*testing.T) { - clusterImagePolicy, namespace := utils.CreateClusterImagePolicyAndNamespace(t, framework, "./testdata/clusterimagepolicy/pinned-signer2.yaml") - utils.CreateSecret(t, framework, "./testdata/secret/signer2.pubkey.yaml", namespace.Name) - utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/global-nginx-signed.yaml", namespace.Name) - utils.CleanUpClusterImagePolicyTest(t, framework, clusterImagePolicy.Name, namespace.Name) - }) - t.Run("Deny images signed by a single signer when multiple are required when trust enabled", func(t *testing.T) { - clusterImagePolicy, namespace := utils.CreateClusterImagePolicyAndNamespace(t, framework, "./testdata/clusterimagepolicy/pinned-multi.yaml") - utils.CreateSecret(t, framework, "./testdata/secret/signer1.pubkey.yaml", namespace.Name) - utils.CreateSecret(t, framework, "./testdata/secret/signer2.pubkey.yaml", namespace.Name) - utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/global-nginx-signed.yaml", namespace.Name) - utils.CleanUpClusterImagePolicyTest(t, framework, clusterImagePolicy.Name, namespace.Name) - }) -} - -func TestNotary_ClusterImagePolicyRepositories_TrustPinningMultiContainers(t *testing.T) { - utils.CheckIfTesting(t, testTrustClusterImagePolicy) - t.Run("Allow when both containers fulfill the policy", func(t *testing.T) { - clusterImagePolicy, namespace := utils.CreateClusterImagePolicyAndNamespace(t, framework, "./testdata/clusterimagepolicy/allow-signed.yaml") - utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-signed-signed.yaml", namespace.Name) - utils.CleanUpClusterImagePolicyTest(t, framework, clusterImagePolicy.Name, namespace.Name) - }) - t.Run("Deny when one container fails to fulfill the policy", func(t *testing.T) { - clusterImagePolicy, namespace := utils.CreateClusterImagePolicyAndNamespace(t, framework, "./testdata/clusterimagepolicy/allow-signed.yaml") - utils.TestDeploymentNotRunnable(t, framework, 
"./testdata/deployment/global-nginx-signed-unsigned.yaml", namespace.Name) - utils.CleanUpClusterImagePolicyTest(t, framework, clusterImagePolicy.Name, namespace.Name) - }) -} - // Temporary check until other registries are supported. func TestNotary_ClusterImagePolicyRepositories_ThirdPartyTrust(t *testing.T) { utils.CheckIfTesting(t, testTrustClusterImagePolicy) diff --git a/test/e2e/notary.ibm.imagepolicy_test.go b/test/e2e/notary.ibm.imagepolicy_test.go index 5a5cd274..03f848a2 100644 --- a/test/e2e/notary.ibm.imagepolicy_test.go +++ b/test/e2e/notary.ibm.imagepolicy_test.go @@ -1,4 +1,4 @@ -// Copyright 2018, 2021 Portieris Authors. +// Copyright 2018, 2023 Portieris Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
@@ -20,96 +20,6 @@ import ( "github.com/IBM/portieris/test/e2e/utils" ) -func TestNotary_ImagePolicyRepositories_AllowAllDenyAll(t *testing.T) { - utils.CheckIfTesting(t, testTrustImagePolicy) - if defaultClusterPolicy := utils.DeleteThenReturnClusterImagePolicy(t, framework, "default"); defaultClusterPolicy != nil { - defer framework.CreateClusterImagePolicy(defaultClusterPolicy) - } - - t.Run("Allow all images", func(t *testing.T) { - t.Parallel() - namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-all.yaml", "") - utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-unsigned.yaml", namespace.Name) - utils.CleanUpImagePolicyTest(t, framework, namespace.Name) - }) - t.Run("Deny all images when no image policy is present", func(t *testing.T) { - t.Parallel() - namespace, err := framework.CreateNamespaceWithIPS("deny-all") - if err != nil { - t.Fatalf("error creating deny-all namespace: %v", err) - } - utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/global-nginx-unsigned.yaml", namespace.Name) - utils.CleanUpImagePolicyTest(t, framework, namespace.Name) - }) - -} - -func TestNotary_ImagePolicyRepositories_BasicTrust(t *testing.T) { - utils.CheckIfTesting(t, testTrustImagePolicy) - t.Run("Allow signed images when trust enabled", func(t *testing.T) { - t.Parallel() - namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-signed.yaml", "") - utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-signed.yaml", namespace.Name) - utils.CleanUpImagePolicyTest(t, framework, namespace.Name) - }) - t.Run("Deny unsigned images when trust enabled", func(t *testing.T) { - t.Parallel() - namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-signed.yaml", "") - utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/global-nginx-unsigned.yaml", namespace.Name) - 
utils.CleanUpImagePolicyTest(t, framework, namespace.Name) - }) -} - -func TestNotary_ImagePolicyRepositories_TrustPinning(t *testing.T) { - utils.CheckIfTesting(t, testTrustImagePolicy) - t.Run("Allow images signed by the correct single signer when trust enabled", func(t *testing.T) { - t.Parallel() - namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/pinned-signer1.yaml", "") - utils.CreateSecret(t, framework, "./testdata/secret/signer1.pubkey.yaml", namespace.Name) - utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-signed.yaml", namespace.Name) - utils.CleanUpImagePolicyTest(t, framework, namespace.Name) - }) - t.Run("Allow images signed the correct multiple signers and when trust enabled", func(t *testing.T) { - t.Parallel() - namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/pinned-multi.yaml", "") - utils.CreateSecret(t, framework, "./testdata/secret/signer1.pubkey.yaml", namespace.Name) - utils.CreateSecret(t, framework, "./testdata/secret/signer2.pubkey.yaml", namespace.Name) - utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-multisigned.yaml", namespace.Name) - utils.CleanUpImagePolicyTest(t, framework, namespace.Name) - }) - t.Run("Deny images signed by the wrong signer when trust enabled", func(t *testing.T) { - t.Parallel() - namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/pinned-signer2.yaml", "") - utils.CreateSecret(t, framework, "./testdata/secret/signer2.pubkey.yaml", namespace.Name) - utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/global-nginx-signed.yaml", namespace.Name) - utils.CleanUpImagePolicyTest(t, framework, namespace.Name) - }) - t.Run("Deny images signed by a single signer when multiple are required when trust enabled", func(t *testing.T) { - t.Parallel() - namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, 
"./testdata/imagepolicy/pinned-multi.yaml", "") - utils.CreateSecret(t, framework, "./testdata/secret/signer1.pubkey.yaml", namespace.Name) - utils.CreateSecret(t, framework, "./testdata/secret/signer2.pubkey.yaml", namespace.Name) - utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/global-nginx-signed.yaml", namespace.Name) - utils.CleanUpImagePolicyTest(t, framework, namespace.Name) - }) -} - -func TestNotary_ImagePolicyRepositories_TrustPinningMultiContainers(t *testing.T) { - utils.CheckIfTesting(t, testTrustImagePolicy) - t.Run("Allow when both containers fulfill the policy", func(t *testing.T) { - t.Parallel() - namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-signed.yaml", "") - utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-signed-signed.yaml", namespace.Name) - utils.CleanUpImagePolicyTest(t, framework, namespace.Name) - }) - t.Run("Deny when one container fails to fulfill the policy", func(t *testing.T) { - t.Parallel() - namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-signed.yaml", "") - utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/global-nginx-signed-unsigned.yaml", namespace.Name) - utils.CleanUpImagePolicyTest(t, framework, namespace.Name) - }) -} - // Temporary check until other registries are supported. func TestNotary_ImagePolicyRepositories_ThirdPartyTrust(t *testing.T) { utils.CheckIfTesting(t, testTrustImagePolicy) diff --git a/test/e2e/policy.generic_test.go b/test/e2e/policy.generic_test.go index fb292305..68c8f5bf 100644 --- a/test/e2e/policy.generic_test.go +++ b/test/e2e/policy.generic_test.go @@ -1,4 +1,4 @@ -// Copyright 2018, 2021 Portieris Authors. +// Copyright 2018, 2023 Portieris Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
@@ -26,12 +26,14 @@ func Test_JobTypesSuccess(t *testing.T) {
 t.Run("Policy enforced on Deployment", func(t *testing.T) {
 t.Parallel()
 namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-signed.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/sh.pubkey.yaml", namespace.Name)
 utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-signed.yaml", namespace.Name)
 utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
 })
 t.Run("Policy enforced on DaemonSet", func(t *testing.T) {
 t.Parallel()
 namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-signed.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/sh.pubkey.yaml", namespace.Name)
 utils.TestDaemonSetRunnable(t, framework, "./testdata/daemonset/global-nginx-signed.yaml", namespace.Name)
 utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
 })
@@ -39,6 +41,7 @@ func Test_JobTypesSuccess(t *testing.T) {
 t.Run("Policy enforced on ReplicaSet", func(t *testing.T) {
 t.Parallel()
 namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-signed.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/sh.pubkey.yaml", namespace.Name)
 utils.TestReplicaSetRunnable(t, framework, "./testdata/replicaset/global-nginx-signed.yaml", namespace.Name)
 utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
 })
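Review bot: The two-line setup `utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-signed.yaml", "")` followed by `utils.CreateSecret(t, framework, "./testdata/secret/sh.pubkey.yaml", namespace.Name)` is now repeated in every subtest of this hunk and again in `@@ -39`, `@@ -46`, `@@ -53`, `@@ -60`, `@@ -67`, `@@ -74`, `@@ -283` and `@@ -295`, so a future key rotation means touching ten call sites; a small helper that takes the policy path keeps the key fixture in one place, and every visible caller only uses `namespace.Name`, so returning the name is enough. The `@@ -254` subtest also installs the key in a namespace whose policy is `allow-all.yaml`, where no signature is checked — presumably for the later "Change the policy to deny" step, but a one-line comment saying so would stop the next reader from deleting it. `Test_JobTypesSuccess` and `Test_OperationsSucces` start before their hunks.
```go
// signedPolicyNamespace creates a namespace with the given image policy installed
// and the public-key Secret that the policy's keySecret refers to, returning the
// namespace name.
func signedPolicyNamespace(t *testing.T, policyPath string) string {
	namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, policyPath, "")
	utils.CreateSecret(t, framework, "./testdata/secret/sh.pubkey.yaml", namespace.Name)
	return namespace.Name
}
```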
@@ -46,6 +49,7 @@ func Test_JobTypesSuccess(t *testing.T) {
 t.Run("Policy enforced on ReplicationController", func(t *testing.T) {
 t.Parallel()
 namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-signed.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/sh.pubkey.yaml", namespace.Name)
 utils.TestReplicationControllerRunnable(t, framework, "./testdata/replicationcontroller/global-nginx-signed.yaml", namespace.Name)
 utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
 })
@@ -53,6 +57,7 @@ func Test_JobTypesSuccess(t *testing.T) {
 t.Run("Policy enforced on Pod", func(t *testing.T) {
 t.Parallel()
 namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-signed.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/sh.pubkey.yaml", namespace.Name)
 utils.TestPodRunnable(t, framework, "./testdata/pod/global-nginx-signed.yaml", namespace.Name)
 utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
 })
@@ -60,6 +65,7 @@ func Test_JobTypesSuccess(t *testing.T) {
 t.Run("Policy enforced on StatefulSet", func(t *testing.T) {
 t.Parallel()
 namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-signed.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/sh.pubkey.yaml", namespace.Name)
 utils.TestStatefulSetRunnable(t, framework, "./testdata/statefulset/global-nginx-signed.yaml", namespace.Name)
 utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
 })
@@ -67,6 +73,7 @@ func Test_JobTypesSuccess(t *testing.T) {
 t.Run("Policy enforced on Job", func(t *testing.T) {
 t.Parallel()
 namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-signed.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/sh.pubkey.yaml", namespace.Name)
 utils.TestJobRunnable(t, framework, "./testdata/job/global-nginx-signed.yaml", namespace.Name)
 utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
 })
@@ -74,6 +81,7 @@ func Test_JobTypesSuccess(t *testing.T) {
 t.Run("Policy enforced on CronJob", func(t *testing.T) {
 t.Parallel()
 namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-signed.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/sh.pubkey.yaml", namespace.Name)
 utils.TestCronJobRunnable(t, framework, "./testdata/cronjob/global-nginx-signed.yaml", namespace.Name)
 utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
 })
@@ -254,6 +262,7 @@ func Test_OperationsSucces(t *testing.T) {
 t.Parallel()
 // Create a namespace and policy to allow all.
 namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-all.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/sh.pubkey.yaml", namespace.Name)
 // Start the deployment.
 deploymentName := utils.TestStartDeployNoDelete(t, framework, "./testdata/deployment/global-nginx-unsigned.yaml", namespace.Name)
 // Change the policy to deny.
@@ -283,6 +292,7 @@ func Test_OperationsSucces(t *testing.T) {
 }`
 // Create a namespace and policy to allow all.
 namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-signed.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/sh.pubkey.yaml", namespace.Name)
 // Start the deployment.
 deploymentName := utils.TestStartDeployNoDelete(t, framework, "./testdata/deployment/global-nginx-signed.yaml", namespace.Name)
 // Change the policy to deny.
@@ -295,6 +305,7 @@ func Test_OperationsSucces(t *testing.T) {
 t.Parallel()
 // Create a namespace and policy to allow all.
 namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-signed.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/sh.pubkey.yaml", namespace.Name)
 // Start the deployment.
 _ = utils.TestStartDeployNoDelete(t, framework, "./testdata/deployment/global-nginx-signed.yaml", namespace.Name)
 // Change the policy to deny.
diff --git a/test/e2e/simple.clusterimagepolicy_test.go b/test/e2e/simple.clusterimagepolicy_test.go
new file mode 100644
index 00000000..affa1df0
--- /dev/null
+++ b/test/e2e/simple.clusterimagepolicy_test.go
@@ -0,0 +1,120 @@
+// Copyright 2018, 2023 Portieris Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package e2e
+
+import (
+ "testing"
+
+ "github.com/IBM/portieris/test/e2e/utils"
+)
+
+func TestSimple_ClusterImagePolicyRepositories_AllowAllDenyAll(t *testing.T) {
+ utils.CheckIfTesting(t, testSimpleClusterImagePolicy)
+ if defaultClusterPolicy := utils.DeleteThenReturnClusterImagePolicy(t, framework, "default"); defaultClusterPolicy != nil {
+ defer framework.CreateClusterImagePolicy(defaultClusterPolicy)
+ }
+
+ t.Run("Allow all images", func(t *testing.T) {
+ clusterImagePolicy, namespace := utils.CreateClusterImagePolicyAndNamespace(t, framework, "./testdata/clusterimagepolicy/allow-all.yaml")
+ utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-unsigned.yaml", namespace.Name)
+ utils.CleanUpClusterImagePolicyTest(t, framework, clusterImagePolicy.Name, namespace.Name)
+ })
+ t.Run("Deny all images when no cluster image policy is present", func(t *testing.T) {
+ namespace, err := framework.CreateNamespaceWithIPS("deny-all")
+ if err != nil {
+ t.Fatalf("error creating deny-all namespace: %v", err)
+ }
+ defer framework.DeleteNamespace(namespace.Name)
+ utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/global-nginx-unsigned.yaml", namespace.Name)
+ })
+}
+
+func TestSimple_ClusterImagePolicyRepositories_Basic(t *testing.T) {
+ utils.CheckIfTesting(t, testSimpleClusterImagePolicy)
+ t.Run("Allow images signed by the correct single simple signer", func(t *testing.T) {
+ t.Parallel()
+ namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/clusterimagepolicy/simple-signedby1.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/simple1pubkey.yaml", namespace.Name)
+ utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-signed-free.yaml", namespace.Name)
+ utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
+ })
+ t.Run("Allow images signed the correct multiple simple signers", func(t *testing.T) {
+ t.Parallel()
+ namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/clusterimagepolicy/simple-signedby2.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/simple1pubkey.yaml", namespace.Name)
+ utils.CreateSecret(t, framework, "./testdata/secret/simple2pubkey.yaml", namespace.Name)
+ utils.TestDeploymentRunnableCheck(t, framework, "./testdata/deployment/global-nginx-signed-free.yaml", namespace.Name, utils.VerifySha)
+ utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
+ })
+ t.Run("Allow images signed the correct multiple simple signers with no mutation", func(t *testing.T) {
+ t.Parallel()
+ namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/clusterimagepolicy/simple-signedby2-nomutate.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/simple1pubkey.yaml", namespace.Name)
+ utils.CreateSecret(t, framework, "./testdata/secret/simple2pubkey.yaml", namespace.Name)
+ utils.TestDeploymentRunnableCheck(t, framework, "./testdata/deployment/global-nginx-signed-free.yaml", namespace.Name, utils.VerifyNoSha)
+ utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
+ })
+ t.Run("Allow images signed the correct multiple simple signers with explicit mutation", func(t *testing.T) {
+ t.Parallel()
+ namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/clusterimagepolicy/simple-signedby2-mutate.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/simple1pubkey.yaml", namespace.Name)
+ utils.CreateSecret(t, framework, "./testdata/secret/simple2pubkey.yaml", namespace.Name)
+ utils.TestDeploymentRunnableCheck(t, framework, "./testdata/deployment/global-nginx-signed-free.yaml", namespace.Name, utils.VerifySha)
+ utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
+ })
+ t.Run("Allow images signed by the correct single simple signer with a secret namespace override", func(t *testing.T) {
+ t.Parallel()
+ namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/clusterimagepolicy/simple-signedby1-keysecret-namespace-override.yaml", "secretnamespace")
+ utils.CreateSecret(t, framework, "./testdata/secret/simple1pubkey.yaml", namespace.Name)
+ utils.TestDeploymentRunnableCheck(t, framework, "./testdata/deployment/global-nginx-signed-free.yaml", namespace.Name, utils.VerifySha)
+ utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
+ })
+ t.Run("Deny images signed by the wrong single simple signer", func(t *testing.T) {
+ t.Parallel()
+ namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/clusterimagepolicy/simple-signedby1.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/simple1pubkey.yaml", namespace.Name)
+ utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/global-nginx-another.yaml", namespace.Name)
+ utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
+ })
+ t.Run("Deny images signed by a single simple signer when multiple are required", func(t *testing.T) {
+ t.Parallel()
+ namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/clusterimagepolicy/simple-signedby2.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/simple1pubkey.yaml", namespace.Name)
+ utils.CreateSecret(t, framework, "./testdata/secret/simple2pubkey.yaml", namespace.Name)
+ utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/global-nginx-another.yaml", namespace.Name)
+ utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
+ })
+ t.Run("Allow images matched with remapIdentity policy", func(t *testing.T) {
+ t.Parallel()
+ namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/clusterimagepolicy/simple-remap.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/simple1pubkey.yaml", namespace.Name)
+ utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-remapped.yaml", namespace.Name)
+ utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
+ })
+ t.Run("Allow images without a pullSecret", func(t *testing.T) {
+ t.Parallel()
+ namespace := utils.CreateImagePolicyInstalledNamespaceNoSecrets(t, framework, "./testdata/clusterimagepolicy/simple-accept-anything.yaml")
+ utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-another.yaml", namespace.Name)
+ utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/dockerhub-nginx-unsigned.yaml", namespace.Name)
+ utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
+ })
+ t.Run("Allow images which require a signature without a pullSecret", func(t *testing.T) {
+ t.Parallel()
+ namespace := utils.CreateImagePolicyInstalledNamespaceNoSecrets(t, framework, "./testdata/clusterimagepolicy/simple-signedby1.yaml")
+ utils.CreateSecret(t, framework, "./testdata/secret/simple1pubkey.yaml", namespace.Name)
+ utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-signed-free.yaml", namespace.Name)
+ utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
+ })
+}
diff --git a/test/e2e/simple.imagePolicy_test.go b/test/e2e/simple.imagePolicy_test.go
index 119c25d0..ae96e1dd 100644
--- a/test/e2e/simple.imagePolicy_test.go
+++ b/test/e2e/simple.imagePolicy_test.go
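Review bot: Every subtest of `TestSimple_ClusterImagePolicyRepositories_Basic` applies a manifest from `./testdata/clusterimagepolicy/` — all of which declare `kind: ClusterImagePolicy` in this commit — through the namespace-scoped helpers `utils.CreateImagePolicyInstalledNamespace` and `utils.CleanUpImagePolicyTest`, whereas the first test in this file uses `CreateClusterImagePolicyAndNamespace` and `CleanUpClusterImagePolicyTest` for the same kind; unless the namespace helper is manifest-agnostic, each parallel subtest installs a cluster-wide policy for the overlapping `icr.io/cise/*` (and, for `simple-accept-anything.yaml`, `*`) repositories, so the signedby2 and remap policies can decide admissions in the signedby1 namespaces, the cleanup may leave cluster-scoped objects behind, and `simple-signedby1.yaml` and `simple-signedby1-keysecret-namespace-override.yaml` both carry `metadata.name: simple-signedby1`, which collides cluster-wide. `_Basic` also never removes the `default` cluster policy the way `_AllowAllDenyAll` does with `utils.DeleteThenReturnClusterImagePolicy`, so its outcome may depend on what that default allows for these repositories. In `_AllowAllDenyAll`, `defer framework.CreateClusterImagePolicy(defaultClusterPolicy)` and `defer framework.DeleteNamespace(namespace.Name)` discard whatever those calls return; if they return an error, a failure to restore the cluster's default policy after the test goes unreported, so wrap them as `defer func() { if err := framework.CreateClusterImagePolicy(defaultClusterPolicy); err != nil { t.Errorf("restoring default cluster image policy: %v", err) } }()` (adjusting to the real signature). Please either confirm the helpers' scope in a comment on `_Basic` or switch it to the cluster-policy helpers and drop `t.Parallel()`.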
@@ -1,4 +1,4 @@
-// Copyright 2020, 2021 Portieris Authors.
+// Copyright 2020, 2023 Portieris Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -49,7 +49,7 @@ func TestSimple_ImagePolicyRepositories_Basic(t *testing.T) {
 t.Parallel()
 namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/simple-signedby1.yaml", "")
 utils.CreateSecret(t, framework, "./testdata/secret/simple1pubkey.yaml", namespace.Name)
- utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-simple.yaml", namespace.Name)
+ utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-signed-free.yaml", namespace.Name)
 utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
 })
 t.Run("Allow images signed the correct multiple simple signers", func(t *testing.T) {
@@ -57,7 +57,7 @@ func TestSimple_ImagePolicyRepositories_Basic(t *testing.T) {
 namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/simple-signedby2.yaml", "")
 utils.CreateSecret(t, framework, "./testdata/secret/simple1pubkey.yaml", namespace.Name)
 utils.CreateSecret(t, framework, "./testdata/secret/simple2pubkey.yaml", namespace.Name)
- utils.TestDeploymentRunnableCheck(t, framework, "./testdata/deployment/global-nginx-simple.yaml", namespace.Name, utils.VerifySha)
+ utils.TestDeploymentRunnableCheck(t, framework, "./testdata/deployment/global-nginx-signed-free.yaml", namespace.Name, utils.VerifySha)
 utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
 })
 t.Run("Allow images signed the correct multiple simple signers with no mutation", func(t *testing.T) {
@@ -65,7 +65,7 @@ func TestSimple_ImagePolicyRepositories_Basic(t *testing.T) {
 namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/simple-signedby2-nomutate.yaml", "")
 utils.CreateSecret(t, framework, "./testdata/secret/simple1pubkey.yaml", namespace.Name)
 utils.CreateSecret(t, framework, "./testdata/secret/simple2pubkey.yaml", namespace.Name)
- utils.TestDeploymentRunnableCheck(t, framework, "./testdata/deployment/global-nginx-simple.yaml", namespace.Name, utils.VerifyNoSha)
+ utils.TestDeploymentRunnableCheck(t, framework, "./testdata/deployment/global-nginx-signed-free.yaml", namespace.Name, utils.VerifyNoSha)
 utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
 })
 t.Run("Allow images signed the correct multiple simple signers with explicit mutation", func(t *testing.T) {
@@ -73,14 +73,14 @@ func TestSimple_ImagePolicyRepositories_Basic(t *testing.T) {
 namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/simple-signedby2-mutate.yaml", "")
 utils.CreateSecret(t, framework, "./testdata/secret/simple1pubkey.yaml", namespace.Name)
 utils.CreateSecret(t, framework, "./testdata/secret/simple2pubkey.yaml", namespace.Name)
- utils.TestDeploymentRunnableCheck(t, framework, "./testdata/deployment/global-nginx-simple.yaml", namespace.Name, utils.VerifySha)
+ utils.TestDeploymentRunnableCheck(t, framework, "./testdata/deployment/global-nginx-signed-free.yaml", namespace.Name, utils.VerifySha)
 utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
 })
 t.Run("Allow images signed by the correct single simple signer with a secret namespace override", func(t *testing.T) {
 t.Parallel()
 namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/simple-signedby1-keysecret-namespace-override.yaml", "secretnamespace")
 utils.CreateSecret(t, framework, "./testdata/secret/simple1pubkey.yaml", namespace.Name)
- utils.TestDeploymentRunnableCheck(t, framework, "./testdata/deployment/global-nginx-simple.yaml", namespace.Name, utils.VerifySha)
+ utils.TestDeploymentRunnableCheck(t, framework, "./testdata/deployment/global-nginx-signed-free.yaml", namespace.Name, utils.VerifySha)
 utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
 })
 t.Run("Deny images signed by the wrong single simple signer", func(t *testing.T) {
@@ -116,7 +116,7 @@ func TestSimple_ImagePolicyRepositories_Basic(t *testing.T) {
 t.Parallel()
 namespace := utils.CreateImagePolicyInstalledNamespaceNoSecrets(t, framework, "./testdata/imagepolicy/simple-signedby1.yaml")
 utils.CreateSecret(t, framework, "./testdata/secret/simple1pubkey.yaml", namespace.Name)
- utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-simple.yaml", namespace.Name)
+ utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-signed-free.yaml", namespace.Name)
 utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
 })
 }
diff --git a/test/e2e/testdata/clusterimagepolicy/allow-signed.yaml b/test/e2e/testdata/clusterimagepolicy/allow-signed.yaml
index a27087a2..ef20a938 100644
--- a/test/e2e/testdata/clusterimagepolicy/allow-signed.yaml
+++ b/test/e2e/testdata/clusterimagepolicy/allow-signed.yaml
@@ -6,6 +6,7 @@ spec:
 repositories:
 - name: "de.icr.io/testing-authn/nginx"
 policy:
- trust:
- trustServer: "https://notary.de.icr.io"
- enabled: true
+ simple:
+ requirements:
+ - type: "signedBy"
+ keySecret: simple1pubkey
diff --git a/test/e2e/testdata/clusterimagepolicy/pinned-multi.yaml b/test/e2e/testdata/clusterimagepolicy/pinned-multi.yaml
deleted file mode 100644
index 198fde07..00000000
--- a/test/e2e/testdata/clusterimagepolicy/pinned-multi.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: portieris.cloud.ibm.com/v1
-kind: ClusterImagePolicy
-metadata:
- name: pinned-multi
-spec:
- repositories:
- - name: "de.icr.io/testing-authn/nginx"
- policy:
- trust:
- enabled: true
- trustServer: "https://notary.de.icr.io"
- signerSecrets:
- - name: signer1pubkey
- - name: signer2pubkey
diff --git a/test/e2e/testdata/clusterimagepolicy/pinned-signer1.yaml b/test/e2e/testdata/clusterimagepolicy/pinned-signer1.yaml
deleted file mode 100644
index 7f589c27..00000000
--- a/test/e2e/testdata/clusterimagepolicy/pinned-signer1.yaml
+++ /dev/null
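Review bot: The repository in `clusterimagepolicy/allow-signed.yaml` stays `de.icr.io/testing-authn/nginx` while `imagepolicy/allow-signed.yaml` and the workload manifests changed in this commit move to `icr.io/portieris-authn/nginx`, so a deployment of `icr.io/portieris-authn/nginx:signed` would not match this cluster policy and its new `signedBy` requirement would never be evaluated for it — the policy would simply not apply. If a test still uses this file, the repository should follow the move, `- name: "icr.io/portieris-authn/nginx"`; if nothing uses it, deleting it alongside the `pinned-*.yaml` fixtures avoids a stale policy that reads as coverage. A header comment like the `# allow simple sign from icr.io/portieris-authn` one added to the namespaced variant would make the intended repository explicit either way.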
@@ -1,13 +0,0 @@ -apiVersion: portieris.cloud.ibm.com/v1 -kind: ClusterImagePolicy -metadata: - name: pinned-signer1 -spec: - repositories: - - name: "de.icr.io/testing-authn/nginx" - policy: - trust: - enabled: true - trustServer: "https://notary.de.icr.io" - signerSecrets: - - name: signer1pubkey diff --git a/test/e2e/testdata/clusterimagepolicy/pinned-signer2.yaml b/test/e2e/testdata/clusterimagepolicy/pinned-signer2.yaml deleted file mode 100644 index a19dcbe5..00000000 --- a/test/e2e/testdata/clusterimagepolicy/pinned-signer2.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: portieris.cloud.ibm.com/v1 -kind: ClusterImagePolicy -metadata: - name: pinned-signer2 -spec: - repositories: - - name: "de.icr.io/testing-authn/nginx" - policy: - trust: - enabled: true - trustServer: "https://notary.de.icr.io" - signerSecrets: - - name: signer2pubkey diff --git a/test/e2e/testdata/clusterimagepolicy/simple-accept-anything.yaml b/test/e2e/testdata/clusterimagepolicy/simple-accept-anything.yaml new file mode 100644 index 00000000..515aa520 --- /dev/null +++ b/test/e2e/testdata/clusterimagepolicy/simple-accept-anything.yaml @@ -0,0 +1,11 @@ +apiVersion: portieris.cloud.ibm.com/v1 +kind: ClusterImagePolicy +metadata: + name: simple-accept-anything +spec: + repositories: + - name: "*" + policy: + simple: + requirements: + - type: "insecureAcceptAnything" diff --git a/test/e2e/testdata/clusterimagepolicy/simple-remap.yaml b/test/e2e/testdata/clusterimagepolicy/simple-remap.yaml new file mode 100644 index 00000000..e6c1b81b --- /dev/null +++ b/test/e2e/testdata/clusterimagepolicy/simple-remap.yaml @@ -0,0 +1,16 @@ +apiVersion: portieris.cloud.ibm.com/v1 +kind: ClusterImagePolicy +metadata: + name: simple-remap +spec: + repositories: + - name: "icr.io/cise/*" + policy: + simple: + requirements: + - type: "signedBy" + keySecret: simple1pubkey + signedIdentity: + type: "remapIdentity" + prefix: "icr.io/cise/remap" + signedPrefix: "icr.io/cise" 
diff --git a/test/e2e/testdata/clusterimagepolicy/simple-signedby1-keysecret-namespace-override.yaml b/test/e2e/testdata/clusterimagepolicy/simple-signedby1-keysecret-namespace-override.yaml new file mode 100644 index 00000000..3b112916 --- /dev/null +++ b/test/e2e/testdata/clusterimagepolicy/simple-signedby1-keysecret-namespace-override.yaml @@ -0,0 +1,16 @@ +apiVersion: portieris.cloud.ibm.com/v1 +kind: ClusterImagePolicy +metadata: + name: simple-signedby1 +spec: + repositories: + - name: "icr.io/cise/*" + policy: + simpleStore: + url: "https://foo.com/x" + auth: storesecret + simple: + requirements: + - type: "signedBy" + keySecret: simple1pubkey + keySecretNamespace: secretnamespace diff --git a/test/e2e/testdata/clusterimagepolicy/simple-signedby1.yaml b/test/e2e/testdata/clusterimagepolicy/simple-signedby1.yaml new file mode 100644 index 00000000..65f20689 --- /dev/null +++ b/test/e2e/testdata/clusterimagepolicy/simple-signedby1.yaml @@ -0,0 +1,15 @@ +apiVersion: portieris.cloud.ibm.com/v1 +kind: ClusterImagePolicy +metadata: + name: simple-signedby1 +spec: + repositories: + - name: "icr.io/cise/*" + policy: + simpleStore: + url: "https://foo.com/x" + auth: storesecret + simple: + requirements: + - type: "signedBy" + keySecret: simple1pubkey diff --git a/test/e2e/testdata/clusterimagepolicy/simple-signedby2-mutate.yaml b/test/e2e/testdata/clusterimagepolicy/simple-signedby2-mutate.yaml new file mode 100644 index 00000000..102a4a71 --- /dev/null +++ b/test/e2e/testdata/clusterimagepolicy/simple-signedby2-mutate.yaml @@ -0,0 +1,15 @@ +apiVersion: portieris.cloud.ibm.com/v1 +kind: ClusterImagePolicy +metadata: + name: simple-signedby2-mutate +spec: + repositories: + - name: "icr.io/cise/*" + policy: + mutateImage: true + simple: + requirements: + - type: "signedBy" + keySecret: simple1pubkey + - type: "signedBy" + keySecret: simple2pubkey \ No newline at end of file 
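Review bot: `metadata.name: simple-signedby1` in `simple-signedby1-keysecret-namespace-override.yaml` is the same name `simple-signedby1.yaml` in the next section uses, and `simple.clusterimagepolicy_test.go` applies both from parallel subtests; for a cluster-scoped `ClusterImagePolicy` the second create collides with the first, so the file needs its own name, `name: simple-signedby1-keysecret-namespace-override`, following the `simple-signedby2-mutate` / `simple-signedby2-nomutate` convention used by its siblings. The `simpleStore` block points at `url: "https://foo.com/x"`, a host the project does not control; if the admission controller contacts the signature store during the test, the fixture depends on a third-party domain, so an IANA-reserved name such as `example.com` (or a comment stating the store is never reached) would be safer.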
diff --git a/test/e2e/testdata/clusterimagepolicy/simple-signedby2-nomutate.yaml b/test/e2e/testdata/clusterimagepolicy/simple-signedby2-nomutate.yaml new file mode 100644 index 00000000..0411c641 --- /dev/null +++ b/test/e2e/testdata/clusterimagepolicy/simple-signedby2-nomutate.yaml @@ -0,0 +1,15 @@ +apiVersion: portieris.cloud.ibm.com/v1 +kind: ClusterImagePolicy +metadata: + name: simple-signedby2-nomutate +spec: + repositories: + - name: "icr.io/cise/*" + policy: + mutateImage: false + simple: + requirements: + - type: "signedBy" + keySecret: simple1pubkey + - type: "signedBy" + keySecret: simple2pubkey \ No newline at end of file diff --git a/test/e2e/testdata/clusterimagepolicy/simple-signedby2.yaml b/test/e2e/testdata/clusterimagepolicy/simple-signedby2.yaml new file mode 100644 index 00000000..682575e5 --- /dev/null +++ b/test/e2e/testdata/clusterimagepolicy/simple-signedby2.yaml @@ -0,0 +1,14 @@ +apiVersion: portieris.cloud.ibm.com/v1 +kind: ClusterImagePolicy +metadata: + name: simple-signedby2 +spec: + repositories: + - name: "icr.io/cise/*" + policy: + simple: + requirements: + - type: "signedBy" + keySecret: simple1pubkey + - type: "signedBy" + keySecret: simple2pubkey diff --git a/test/e2e/testdata/cronjob/global-nginx-signed.yaml b/test/e2e/testdata/cronjob/global-nginx-signed.yaml index 093d39e1..9e3617a2 100644 --- a/test/e2e/testdata/cronjob/global-nginx-signed.yaml +++ b/test/e2e/testdata/cronjob/global-nginx-signed.yaml @@ -1,3 +1,4 @@ +# simple signed apiVersion: batch/v1 kind: Job metadata: @@ -13,7 +14,7 @@ spec: spec: containers: - name: nginx - image: de.icr.io/testing-authn/nginx:signed + image: icr.io/portieris-authn/nginx:signed ports: - containerPort: 80 restartPolicy: Never diff --git a/test/e2e/testdata/cronjob/global-nginx-unsigned.yaml b/test/e2e/testdata/cronjob/global-nginx-unsigned.yaml index e415ee3e..01379326 100644 --- a/test/e2e/testdata/cronjob/global-nginx-unsigned.yaml 
+++ b/test/e2e/testdata/cronjob/global-nginx-unsigned.yaml @@ -1,3 +1,4 @@ +# simple signed apiVersion: batch/v1 kind: Job metadata: @@ -13,7 +14,7 @@ spec: spec: containers: - name: nginx - image: de.icr.io/testing-authn/nginx:unsigned + image: icr.io/portieris-authn/nginx:unsigned ports: - containerPort: 80 restartPolicy: Never diff --git a/test/e2e/testdata/daemonset/global-nginx-signed.yaml b/test/e2e/testdata/daemonset/global-nginx-signed.yaml index bfc6c00d..f583681c 100644 --- a/test/e2e/testdata/daemonset/global-nginx-signed.yaml +++ b/test/e2e/testdata/daemonset/global-nginx-signed.yaml @@ -1,3 +1,4 @@ +# simple signed apiVersion: apps/v1 kind: DaemonSet metadata: @@ -17,6 +18,6 @@ spec: spec: containers: - name: nginx - image: de.icr.io/testing-authn/nginx:signed + image: icr.io/portieris-authn/nginx:signed ports: - containerPort: 80 diff --git a/test/e2e/testdata/daemonset/global-nginx-unsigned.yaml b/test/e2e/testdata/daemonset/global-nginx-unsigned.yaml index 0a78e0ed..8bb5266e 100644 --- a/test/e2e/testdata/daemonset/global-nginx-unsigned.yaml +++ b/test/e2e/testdata/daemonset/global-nginx-unsigned.yaml @@ -17,6 +17,6 @@ spec: spec: containers: - name: nginx - image: de.icr.io/testing-authn/nginx:unsigned + image: icr.io/portieris-authn/nginx:unsigned ports: - containerPort: 80 diff --git a/test/e2e/testdata/deployment/global-nginx-simple.yaml b/test/e2e/testdata/deployment/global-nginx-signed-free.yaml similarity index 100% rename from test/e2e/testdata/deployment/global-nginx-simple.yaml rename to test/e2e/testdata/deployment/global-nginx-signed-free.yaml diff --git a/test/e2e/testdata/deployment/global-nginx-signed.yaml b/test/e2e/testdata/deployment/global-nginx-signed.yaml index dde68115..074e1cc1 100644 --- a/test/e2e/testdata/deployment/global-nginx-signed.yaml +++ b/test/e2e/testdata/deployment/global-nginx-signed.yaml @@ -1,3 +1,4 @@ +# simple signed apiVersion: apps/v1 kind: Deployment metadata: 
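Review bot: The `# simple signed` header added at the top of `cronjob/global-nginx-unsigned.yaml` is wrong for a manifest whose image is `icr.io/portieris-authn/nginx:unsigned`; none of the other unsigned manifests in this commit (daemonset, deployment, job, pod, replicaset, replicationcontroller) receive that comment, so this one looks copied from the signed variant and would mislead anyone picking a fixture for a deny test. Replace it with `# unsigned` or drop the line. Independently of this change, both files under `cronjob/` declare `kind: Job`, which is worth a comment if intentional.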
@@ -17,6 +18,6 @@ spec: spec: containers: - name: nginx - image: de.icr.io/testing-authn/nginx:signed + image: icr.io/portieris-authn/nginx:signed ports: - containerPort: 80 diff --git a/test/e2e/testdata/deployment/global-nginx-unsigned.yaml b/test/e2e/testdata/deployment/global-nginx-unsigned.yaml index e5747056..a7d2114d 100644 --- a/test/e2e/testdata/deployment/global-nginx-unsigned.yaml +++ b/test/e2e/testdata/deployment/global-nginx-unsigned.yaml @@ -17,6 +17,6 @@ spec: spec: containers: - name: nginx - image: de.icr.io/testing-authn/nginx:unsigned + image: icr.io/portieris-authn/nginx:unsigned ports: - containerPort: 80 diff --git a/test/e2e/testdata/imagepolicy/allow-signed.yaml b/test/e2e/testdata/imagepolicy/allow-signed.yaml index 0a611743..b239122d 100644 --- a/test/e2e/testdata/imagepolicy/allow-signed.yaml +++ b/test/e2e/testdata/imagepolicy/allow-signed.yaml @@ -1,12 +1,13 @@ +# allow simple sign from icr.io/portieris-authn apiVersion: portieris.cloud.ibm.com/v1 kind: ImagePolicy metadata: name: allow-signed spec: repositories: - - name: "de.icr.io/testing-authn/nginx" + - name: "icr.io/portieris-authn/nginx" policy: - trust: - enabled: true - trustServer: "https://notary.de.icr.io" - + simple: + requirements: + - type: "signedBy" + keySecret: simple1pubkey \ No newline at end of file diff --git a/test/e2e/testdata/imagepolicy/allow-unsigned-embedded-trailing-wildcard.yaml b/test/e2e/testdata/imagepolicy/allow-unsigned-embedded-trailing-wildcard.yaml index 0f2c4456..9502cd84 100644 --- a/test/e2e/testdata/imagepolicy/allow-unsigned-embedded-trailing-wildcard.yaml +++ b/test/e2e/testdata/imagepolicy/allow-unsigned-embedded-trailing-wildcard.yaml @@ -4,7 +4,7 @@ metadata: name: allow-unsigned-embedded-trailing-wildcard spec: repositories: - - name: "de.icr.io/*/*" + - name: "icr.io/*/*" policy: trust: enabled: false 
diff --git a/test/e2e/testdata/imagepolicy/allow-unsigned-embedded-wildcard.yaml b/test/e2e/testdata/imagepolicy/allow-unsigned-embedded-wildcard.yaml index 6d6d79b1..edc2c927 100644 --- a/test/e2e/testdata/imagepolicy/allow-unsigned-embedded-wildcard.yaml +++ b/test/e2e/testdata/imagepolicy/allow-unsigned-embedded-wildcard.yaml @@ -4,7 +4,7 @@ metadata: name: allow-unsigned-embedded-wildcard spec: repositories: - - name: "de.icr.io/*/nginx" + - name: "icr.io/*/nginx" policy: trust: enabled: false diff --git a/test/e2e/testdata/imagepolicy/allow-unsigned-trailing-wildcard.yaml b/test/e2e/testdata/imagepolicy/allow-unsigned-trailing-wildcard.yaml index c06adf9e..ac832926 100644 --- a/test/e2e/testdata/imagepolicy/allow-unsigned-trailing-wildcard.yaml +++ b/test/e2e/testdata/imagepolicy/allow-unsigned-trailing-wildcard.yaml @@ -4,7 +4,7 @@ metadata: name: allow-unsigned-trailing-wildcard spec: repositories: - - name: "de.icr.io/testing-authn/*" + - name: "icr.io/portieris-authn/*" policy: trust: enabled: false diff --git a/test/e2e/testdata/job/global-nginx-signed.yaml b/test/e2e/testdata/job/global-nginx-signed.yaml index c9d1a057..49928a9a 100644 --- a/test/e2e/testdata/job/global-nginx-signed.yaml +++ b/test/e2e/testdata/job/global-nginx-signed.yaml @@ -1,3 +1,4 @@ +# simple signed apiVersion: batch/v1 kind: Job metadata: @@ -10,7 +11,7 @@ spec: spec: containers: - name: nginx - image: de.icr.io/testing-authn/nginx:signed + image: icr.io/portieris-authn/nginx:signed ports: - containerPort: 80 restartPolicy: Never diff --git a/test/e2e/testdata/job/global-nginx-unsigned.yaml b/test/e2e/testdata/job/global-nginx-unsigned.yaml index 94ccb6a3..f0f4d1f0 100644 --- a/test/e2e/testdata/job/global-nginx-unsigned.yaml +++ b/test/e2e/testdata/job/global-nginx-unsigned.yaml @@ -10,7 +10,7 @@ spec: spec: containers: - name: nginx - image: de.icr.io/testing-authn/nginx:unsigned + image: icr.io/portieris-authn/nginx:unsigned ports: - containerPort: 80 restartPolicy: Never 
diff --git a/test/e2e/testdata/pod/global-nginx-signed.yaml b/test/e2e/testdata/pod/global-nginx-signed.yaml index 3a95d45a..8182df7a 100644 --- a/test/e2e/testdata/pod/global-nginx-signed.yaml +++ b/test/e2e/testdata/pod/global-nginx-signed.yaml @@ -1,3 +1,4 @@ +# simple signed apiVersion: v1 kind: Pod metadata: @@ -8,6 +9,6 @@ metadata: spec: containers: - name: nginx - image: de.icr.io/testing-authn/nginx:signed + image: icr.io/portieris-authn/nginx:signed ports: - containerPort: 80 diff --git a/test/e2e/testdata/pod/global-nginx-unsigned.yaml b/test/e2e/testdata/pod/global-nginx-unsigned.yaml index 36e823a0..7ad20f47 100644 --- a/test/e2e/testdata/pod/global-nginx-unsigned.yaml +++ b/test/e2e/testdata/pod/global-nginx-unsigned.yaml @@ -8,6 +8,6 @@ metadata: spec: containers: - name: nginx - image: de.icr.io/testing-authn/nginx:unsigned + image: icr.io/portieris-authn/nginx:unsigned ports: - - containerPort: 80 + - containerPort: 80 \ No newline at end of file diff --git a/test/e2e/testdata/replicaset/global-nginx-signed.yaml b/test/e2e/testdata/replicaset/global-nginx-signed.yaml index 875d311a..9f4a82f7 100644 --- a/test/e2e/testdata/replicaset/global-nginx-signed.yaml +++ b/test/e2e/testdata/replicaset/global-nginx-signed.yaml @@ -16,6 +16,6 @@ spec: spec: containers: - name: nginx - image: de.icr.io/testing-authn/nginx:signed + image: icr.io/portieris-authn/nginx:signed ports: - - containerPort: 80 + - containerPort: 80 \ No newline at end of file diff --git a/test/e2e/testdata/replicaset/global-nginx-unsigned.yaml b/test/e2e/testdata/replicaset/global-nginx-unsigned.yaml index bbbd878c..a0c54b95 100644 --- a/test/e2e/testdata/replicaset/global-nginx-unsigned.yaml +++ b/test/e2e/testdata/replicaset/global-nginx-unsigned.yaml @@ -16,6 +16,6 @@ spec: spec: containers: - name: nginx - image: de.icr.io/testing-authn/nginx:unsigned + image: icr.io/portieris-authn/nginx:unsigned ports: - containerPort: 80 
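Review bot: In `pod/global-nginx-unsigned.yaml` and `replicaset/global-nginx-signed.yaml` the `- containerPort: 80` line is removed and re-added identically except for the `\ No newline at end of file` marker, so the only effect of that pair is to strip the file's trailing newline; the same loss appears in `clusterimagepolicy/simple-signedby2-mutate.yaml`, `simple-signedby2-nomutate.yaml` and `imagepolicy/allow-signed.yaml`. Restoring the final newline (an editor or pre-commit setting) keeps these hunks down to the image rename they intend and avoids churn in later diffs.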
diff --git a/test/e2e/testdata/replicationcontroller/global-nginx-signed.yaml b/test/e2e/testdata/replicationcontroller/global-nginx-signed.yaml index 3a62a1c2..798a5a80 100644 --- a/test/e2e/testdata/replicationcontroller/global-nginx-signed.yaml +++ b/test/e2e/testdata/replicationcontroller/global-nginx-signed.yaml @@ -1,3 +1,4 @@ +# simple signed apiVersion: v1 kind: ReplicationController metadata: @@ -13,6 +14,6 @@ spec: spec: containers: - name: nginx - image: de.icr.io/testing-authn/nginx:signed + image: icr.io/portieris-authn/nginx:signed ports: - containerPort: 80 diff --git a/test/e2e/testdata/replicationcontroller/global-nginx-unsigned.yaml b/test/e2e/testdata/replicationcontroller/global-nginx-unsigned.yaml index 85f3fe8f..0fa9685f 100644 --- a/test/e2e/testdata/replicationcontroller/global-nginx-unsigned.yaml +++ b/test/e2e/testdata/replicationcontroller/global-nginx-unsigned.yaml @@ -13,6 +13,6 @@ spec: spec: containers: - name: nginx - image: de.icr.io/testing-authn/nginx:unsigned + image: icr.io/portieris-authn/nginx:unsigned ports: - containerPort: 80 diff --git a/test/e2e/testdata/secret/sh.pubkey.yaml b/test/e2e/testdata/secret/sh.pubkey.yaml new file mode 100644 index 00000000..3504dc27 --- /dev/null +++ b/test/e2e/testdata/secret/sh.pubkey.yaml 
@@ -0,0 +1,59 @@ +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: simple1pubkey +stringData: + key: | + -----BEGIN PGP PUBLIC KEY BLOCK----- + + mQINBGF4lUwBEAC7oi1yrsqgST7eHrY7MvPmSKxtfKhZ78Z98XBAOY7MW/adBbu4 + xDK9ggvxqP/zRvTC5WDiJEYmZemx7Y89wIbYRem9eKH+Uy7Mym2vP2bQKFDFBS6x + S9UvUgYr473iGnWBLNL5D7wqpXVwpDgrHPBJDxgK5wKpjmIpjVNz1I+57U5F3IG/ + Mdj2QexP4qI7rIoQKSMooO0YVmzWRUVSrcqxRI3doWtqm6CJpGrBJpEIffoDfPKb + 0x/ItzidkrgWpxCcXBsGn5DxfcH36W8Fnpxj52KbtyySO+QthmliPqfKg0m221bw + Xw7gDhnMwpw8d6uswSFJqRl5+0TeYaJiF3p0lr7vKKfpr5TrHbEyiYxuT4FU7/sy + lAr7TN13CR0rQOQVLT1OxvUbSxoRf5Tczk6XF7acpDbARUYL71NYeAlTTqmegL58 + F4tYEqBLHb08yL1z4xC6TkoZbXGWtfE63jACZlZIVyco6dlJZ3g3Nvz5cwK8j3/N + XclEWYxGXUdRDT2/gBP1ccyE5FSE4QF6Yu66PBeb4DD5cYaqlzSVyuMBEYXkRTIf + 0wfuXybqvzevExLHrQp/Bk3oaR5+tV8jKkdb3GojUu0nAWbGInu952mesKwSOa6Q + 5c6qRtuLFdPydKaoqPSLtZBFpBGzCVKtmwORmuIGdWnKwxqmgiWAAvsjGQARAQAB + tChTdHVhcnQgSGF5dG9uIDxzdHVhcnQuaGF5dG9uQHVrLmlibS5jb20+iQJSBBMB + CAA8FiEE7QyWSjk40HCcvJo8h8EE7uQywsMFAmF4lUwCGwMFCwkIBwIDIgIBBhUK + CQgLAgQWAgMBAh4HAheAAAoJEIfBBO7kMsLDWuIQAI1GBz6RUh+8CIiigwV6L03k + 7lPAEHam6YN4S/z4XskClMlHCOrZGvSsOg/SzdEYV0asWY64sW60alULg0O4C+Pt + TNfjBO46URcsDvW01HhJVQP05NT4rNPDWNeK6SXnl+0sS18LcKywwkB+AdnjytFK + 2h97H8zYu5XRZMohiMt7x80zaQdwVqf0dHk212AyYSKHqdMPjS1EP/9NtUfF5og6 + 8MEua6Fhe1QkWVRBRdLO3ojLSLbMYzXHrxUV9BDVAHMR9AWnw0SiSz0FRoxwb9gl + gaHzAYUj6o+1j4iF9yj+cLWmOEMEi/xA0czkJ60FiOw8WZ+7UVnwXI9n5P4ctoJj + yGHSPWxeRLFuP0ptsA9Np/Vo/xF6YkI+zlEJDeed2XmIJXn60rGIEi9X81syXMnJ + IA5NxZU3egzrScLOZyuVu6HE7NomTM5KalM3/TLFe/fvBMGsjR+WZpKMIycpJhYw + ARORxcoS/AFo2sM9GVKW0N4v9/nwbigTjEloxrz2hO7betbFRvOTisXrJDU+J6CO + MorvYLv3OD3pWPJdr708AIYn7q4HHrGG9cdALOc4kxeCd3Zw2W0hcuYJZ5JkVFOW + GywT5TQ/bpsqNsLm4Hmv868im+GrmO/cxY3xsRcPVEmMwREW+8HveEXlh2BkhaYq + 3fhU1PZOWQssMIpnlZ/tuQINBGF4lUwBEADTYQzAHjsjc+XMXwzeXxZEyMIgc6NP + wkLgcOFkBi3L/SmiDcO30SkPAPF/ebou6igo3sHMDX8swdFcnneTbKr+e5NkY+24 + 6st+0lrPJLgdQ+aIinQ5cn0voEbFXZSas/oqDAlJ32GxxOGCJvx9Gjhzete+Xiyq + 
LJ+v+gYQwkgUYsAyVzE2k+uju+2Aay+QI6F0ICxIx/9y62rb3ZCH8cKXE3FjpS4J + z5lJqpc276/hgvTVbpWyExzf/C6QTAOFrGuudVlvDdEkXlpUQ8CBqe/SetLpg6qd + x4MJAuvTF2FKrw8EC1it3N7eadJWo2tHAPvysUb9TeZyoavpLWNL99Zm3Da+YMzJ + VeCHI15NOTUAmayv5Owfs7Yqn9++Z/4wfWfJAsr99jDoCrr4keff21ER3ejhjyq+ + KGdg5sthAH15xnieBoyNf14Sn+Hwqf7dQ5l9sC37L85PgxY/UCzDFj+hx+shBTjq + mgjd1y+SSGGp8LHILXWJdrvu4iFTnX7toeejh7m75jgL1u4vpDntMJA4cyJf7k4y + EbllrrDx3s+8nZoW2Yd66SKwmDkri91aeDxnulwXB/68l+KKARET98JgAmPJKBFL + NhJQPST/YnrHs2qncXcXDpTcVk6jBXQS0/miavVg3zM6FhQDUz1Ycyg0xQEN3Rrw + F0VU2y4wJUp2IQARAQABiQI2BBgBCAAgFiEE7QyWSjk40HCcvJo8h8EE7uQywsMF + AmF4lUwCGwwACgkQh8EE7uQywsMfpxAAlR+a3Y4VKB/0IwZPjqFNDh37D95f8NDk + JtHBIAC60EBe1zht6kXVj7O/V+yWLbktXCl25l7fgeaFYBPJB6MpMPYm29APBlLL + 4geVB0x+Qe+8KTPUgrrQWP98S8O5+6UiI801RcKMqpfAoBUc+ezauSZdGoEcN1lT + I0rho3Ot6D1rspmcCmN4rVWLm3vm+Pz70xaMolRZWaoWsX39gVzF45JtwO/zfG8m + I52m8KXfIKYNYD2Eqyaw02NiQ9efsNa7hR8SzjIwyoC0Ng8Mmvozr6kz6lnu95UD + 5Sotip+bkI+l+oDfOAHT0nFMNJa2jAzZq8mcieYjBuz4U8s3TedMNY5XHtpSDWl7 + LQFACoZBsOX0V+SKtenG2MI+KkmxmTto36By0Uq/KBfhuyoxyHVdsm8ikzUT1D9i + lobeRs1UpR4JA8Q55JtQY41p5bpp8thJUKVaUV1KuxhnX9L/g5XcdKr7wSVFuGmN + 4g6OKnsmdK+2kSTZPBiiS6cOvtompUusilmPOaNxTuYn/cvhfZPZIzYFYiHcjTMO + GzMRLVU0wQbokkaD1NXsR8FC8a2YcmrdzaWXy2wWrkP161tHF6TIsw8MfO3f6jOb + EZ40knBTJeyjZOFVCBdf2Ayj2NIYIBLpOqdDBMwrDcad+KGjBDUv6z+4QgKBAq+6 + R4p2Rlar8h0= + =e2cj + -----END PGP PUBLIC KEY BLOCK----- diff --git a/test/e2e/testdata/statefulset/global-nginx-signed.yaml b/test/e2e/testdata/statefulset/global-nginx-signed.yaml index 5c86c585..fc54746c 100644 --- a/test/e2e/testdata/statefulset/global-nginx-signed.yaml +++ b/test/e2e/testdata/statefulset/global-nginx-signed.yaml @@ -16,6 +16,6 @@ spec: spec: containers: - name: nginx - image: de.icr.io/testing-authn/nginx:signed + image: icr.io/portieris-authn/nginx:signed ports: - containerPort: 80 
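Review bot: The new Secret in sh.pubkey.yaml has no comment saying whose key this is, what it is the trust root for, or its fingerprint, so nothing in the file tells a maintainer which signed test images depend on it or when it has to be rotated. Decoding the armoured block by hand, the user ID packet appears to read `Stuart Hayton <stuart.hayton@uk.ibm.com>` and the issuer-fingerprint subpacket of the self-signature appears to be `ED0C964A3938D0709CBC9A3C87C104EEE432C2C3`; both should be confirmed with `gpg --show-keys` and then recorded at the top of the manifest, e.g. `# e2e trust root: PGP key ED0C964A3938D0709CBC9A3C87C104EEE432C2C3 (Stuart Hayton <stuart.hayton@uk.ibm.com>); confirm with gpg --show-keys`, together with a note of which test images are signed with it. Pinning e2e trust to an individual's personal key also deserves a sentence in that comment, since the signed test images become unverifiable if the key is revoked or expires. Separately, `metadata.name` is `simple1pubkey` while the file is sh.pubkey.yaml, and the removed vulnerability test loaded a `./testdata/secret/simple1pubkey.yaml`; if that manifest still exists in the tree, applying both into one namespace collides on the Secret name, so one of the two names should be made consistent.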
diff --git a/test/e2e/testdata/statefulset/global-nginx-unsigned.yaml b/test/e2e/testdata/statefulset/global-nginx-unsigned.yaml
index 8dce2118..b8894b70 100644
--- a/test/e2e/testdata/statefulset/global-nginx-unsigned.yaml
+++ b/test/e2e/testdata/statefulset/global-nginx-unsigned.yaml
@@ -16,6 +16,6 @@ spec:
 spec:
 containers:
 - name: nginx
- image: de.icr.io/testing-authn/nginx:unsigned
+ image: icr.io/portieris-authn/nginx:unsigned
 ports:
 - containerPort: 80
diff --git a/test/e2e/utils/imagepolicy.go b/test/e2e/utils/imagepolicy.go
index 1e9a2056..dce1861e 100644
--- a/test/e2e/utils/imagepolicy.go
+++ b/test/e2e/utils/imagepolicy.go
@@ -1,4 +1,4 @@
-// Copyright 2020, 2022 Portieris Authors.
+// Copyright 2020, 2023 Portieris Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -86,9 +86,9 @@ func UpdateImagePolicy(t *testing.T, fw *framework.Framework, manifestPath, name
 t.Fatalf("error loading %q ImagePolicy manifest: %v", imagePolicy.Name, err)
 }
 if err := fw.DeleteImagePolicy(oldPolicy, namespace); err != nil {
- t.Fatalf("error updating %q ImagePolicy: %v", imagePolicy.Name, err)
+ t.Fatalf("error deleting %q ImagePolicy: %v", imagePolicy.Name, err)
 }
 if err := fw.CreateImagePolicy(namespace, imagePolicy); err != nil {
- t.Fatalf("error updating %q ImagePolicy: %v", imagePolicy.Name, err)
+ t.Fatalf("error creating %q ImagePolicy: %v", imagePolicy.Name, err)
 }
 }
diff --git a/test/e2e/vulnerability.imagePolicy_test.go b/test/e2e/vulnerability.imagePolicy_test.go
deleted file mode 100644
index 344e39f9..00000000
--- a/test/e2e/vulnerability.imagePolicy_test.go
+++ /dev/null
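Review bot: The delete branch now says "deleting" but still reports `imagePolicy.Name`, while the object handed to `fw.DeleteImagePolicy` is `oldPolicy`; if the manifest being loaded ever carries a different name from the policy being removed, the failure will blame the wrong object. Assuming `oldPolicy` exposes the same `Name` field, the line should be `t.Fatalf("error deleting %q ImagePolicy: %v", oldPolicy.Name, err)`. It is also worth a why-comment that this helper is a delete followed by a create rather than an update: if `CreateImagePolicy` fails after the delete succeeded, the namespace is left with no ImagePolicy at the moment `t.Fatalf` aborts the test, which matters for subtests that share the namespace; something like `// Not atomic: between the delete and the create the namespace has no ImagePolicy.` above the delete would make that visible to callers. The signature and first statements of UpdateImagePolicy lie outside the hunk.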
@@ -1,59 +0,0 @@
-// Copyright 2020, 2021 Portieris Authors.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package e2e
-
-import (
- "testing"
-
- "github.com/IBM/portieris/test/e2e/utils"
-)
-
-func Test_ICCRVA_ImagePolicy(t *testing.T) {
- utils.CheckIfTesting(t, testVulnerability)
- if defaultClusterPolicy := utils.DeleteThenReturnClusterImagePolicy(t, framework, "default"); defaultClusterPolicy != nil {
- defer framework.CreateClusterImagePolicy(defaultClusterPolicy)
- }
-
- t.Run("Pods are admitted when ICCRVA is enabled when VA results are OK", func(t *testing.T) {
- t.Parallel()
- // this pod spec references an image with UNSUPPORTED status.
- namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/vulnerability-enabled.yaml", "")
- utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/vulnerability-allow.yaml", namespace.Name)
- })
- t.Run("Pods are denied when ICCRVA is enabled when VA results are not OK", func(t *testing.T) {
- t.Parallel()
- namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/vulnerability-enabled.yaml", "")
- utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/vulnerability-deny.yaml", namespace.Name)
- })
- t.Run("Pods that are admissable by simple signing, are denied when VA status is not OK", func(t *testing.T) {
- t.Parallel()
- namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/vulnerability-enabled-with-simple.yaml", "")
- utils.CreateSecret(t, framework, "./testdata/secret/simple1pubkey.yaml", namespace.Name)
- utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/vulnerability-deny-vulnerable-signed.yaml", namespace.Name)
- })
- t.Run("Pods are not admitted when they have non-exempted config issues", func(t *testing.T) {
- t.Parallel()
- // this pod spec references an image with configuration issues.
- namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/vulnerability-enabled.yaml", "")
- utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/vulnerability-account-exemption.yaml", namespace.Name)
- })
- t.Run("Pods are admitted when exemptions from a specified account make the image safe to deploy", func(t *testing.T) {
- t.Parallel()
- // this test requires you to export E2E_ACCOUNT_HEADER to an account which has exempted the configuration issue:
- namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/vulnerability-with-account.yaml", "")
- utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/vulnerability-account-exemption.yaml", namespace.Name)
- })
-
-}
diff --git a/test/framework/namespace.go b/test/framework/namespace.go
index 08d2f709..3a381859 100644
--- a/test/framework/namespace.go
+++ b/test/framework/namespace.go
@@ -1,4 +1,4 @@
-// Copyright 2018, 2022 Portieris Authors.
+// Copyright 2018, 2023 Portieris Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.