Skip to content

Commit

Permalink
Deflake base profiles OCI registry e2e tests
Browse files Browse the repository at this point in the history
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
  • Loading branch information
saschagrunert committed Jul 27, 2023
1 parent f1ec4c2 commit 9bfe6d4
Show file tree
Hide file tree
Showing 25 changed files with 250 additions and 50 deletions.
5 changes: 5 additions & 0 deletions api/spod/v1alpha1/spod_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -295,6 +295,11 @@ type SPODSpec struct {
// +optional
// +kubebuilder:default="system-node-critical"
PriorityClassName string `json:"priorityClassName,omitempty"`

// DisableOCIArtifactSignatureVerification can be used to disable OCI
// artifact signature verification.
// +optional
DisableOCIArtifactSignatureVerification bool `json:"disableOciArtifactSignatureVerification"`
}

// SPODState defines the state that the spod is in.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -933,6 +933,10 @@ spec:
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
type: object
type: object
disableOciArtifactSignatureVerification:
description: DisableOCIArtifactSignatureVerification can be used to
disable OCI artifact signature verification.
type: boolean
enableAppArmor:
description: tells the operator whether or not to enable AppArmor
support for this SPOD instance.
Expand Down
6 changes: 6 additions & 0 deletions cmd/spoc/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -161,6 +161,12 @@ func main() {
Aliases: []string{"p"},
Usage: "the platform to be used in format: os[/arch][/variant][:os_version]",
},
&cli.BoolFlag{
Name: puller.FlagDisableSignatureVerification,
Aliases: []string{"s"},
EnvVars: []string{"DISABLE_SIGNATURE_VERIFICATION"},
Usage: "disable signature verification",
},
},
},
)
Expand Down
4 changes: 4 additions & 0 deletions deploy/base-crds/crds/securityprofilesoperatordaemon.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -930,6 +930,10 @@ spec:
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
type: object
type: object
disableOciArtifactSignatureVerification:
description: DisableOCIArtifactSignatureVerification can be used to
disable OCI artifact signature verification.
type: boolean
enableAppArmor:
description: tells the operator whether or not to enable AppArmor
support for this SPOD instance.
Expand Down
4 changes: 4 additions & 0 deletions deploy/helm/crds/crds.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -1506,6 +1506,10 @@ spec:
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
type: object
type: object
disableOciArtifactSignatureVerification:
description: DisableOCIArtifactSignatureVerification can be used to
disable OCI artifact signature verification.
type: boolean
enableAppArmor:
description: tells the operator whether or not to enable AppArmor
support for this SPOD instance.
Expand Down
4 changes: 4 additions & 0 deletions deploy/namespace-operator.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -1506,6 +1506,10 @@ spec:
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
type: object
type: object
disableOciArtifactSignatureVerification:
description: DisableOCIArtifactSignatureVerification can be used to
disable OCI artifact signature verification.
type: boolean
enableAppArmor:
description: tells the operator whether or not to enable AppArmor
support for this SPOD instance.
Expand Down
4 changes: 4 additions & 0 deletions deploy/openshift-dev.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -1724,6 +1724,10 @@ spec:
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
type: object
type: object
disableOciArtifactSignatureVerification:
description: DisableOCIArtifactSignatureVerification can be used to
disable OCI artifact signature verification.
type: boolean
enableAppArmor:
description: tells the operator whether or not to enable AppArmor
support for this SPOD instance.
Expand Down
4 changes: 4 additions & 0 deletions deploy/openshift-downstream.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -1506,6 +1506,10 @@ spec:
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
type: object
type: object
disableOciArtifactSignatureVerification:
description: DisableOCIArtifactSignatureVerification can be used to
disable OCI artifact signature verification.
type: boolean
enableAppArmor:
description: tells the operator whether or not to enable AppArmor
support for this SPOD instance.
Expand Down
4 changes: 4 additions & 0 deletions deploy/operator.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -1506,6 +1506,10 @@ spec:
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
type: object
type: object
disableOciArtifactSignatureVerification:
description: DisableOCIArtifactSignatureVerification can be used to
disable OCI artifact signature verification.
type: boolean
enableAppArmor:
description: tells the operator whether or not to enable AppArmor
support for this SPOD instance.
Expand Down
4 changes: 4 additions & 0 deletions deploy/webhook-operator.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -1724,6 +1724,10 @@ spec:
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
type: object
type: object
disableOciArtifactSignatureVerification:
description: DisableOCIArtifactSignatureVerification can be used to
disable OCI artifact signature verification.
type: boolean
enableAppArmor:
description: tells the operator whether or not to enable AppArmor
support for this SPOD instance.
Expand Down
23 changes: 13 additions & 10 deletions internal/pkg/artifact/artifact.go
Original file line number Diff line number Diff line change
Expand Up @@ -242,20 +242,23 @@ func (a *Artifact) Pull(
c context.Context,
from, username, password string,
platform *v1.Platform,
disableSignatureVerification bool,
) (*PullResult, error) {
ctx, cancel := context.WithTimeout(c, defaultTimeout)
defer cancel()

a.logger.Info("Verifying signature")
const all = ".*"
v := verify.VerifyCommand{
CertVerifyOptions: options.CertVerifyOptions{
CertIdentityRegexp: all,
CertOidcIssuerRegexp: all,
},
}
if err := a.VerifyCmd(ctx, v, from); err != nil {
return nil, fmt.Errorf("verify signature: %w", err)
if !disableSignatureVerification {
a.logger.Info("Verifying signature")
const all = ".*"
v := verify.VerifyCommand{
CertVerifyOptions: options.CertVerifyOptions{
CertIdentityRegexp: all,
CertOidcIssuerRegexp: all,
},
}
if err := a.VerifyCmd(ctx, v, from); err != nil {
return nil, fmt.Errorf("verify signature: %w", err)
}
}

dir, err := a.MkdirTemp("", "pull-")
Expand Down
2 changes: 1 addition & 1 deletion internal/pkg/artifact/artifact_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -394,7 +394,7 @@ func TestPull(t *testing.T) {
sut := New(logr.Discard())
sut.impl = mock

res, err := sut.Pull(context.Background(), "", "foo", "bar", nil)
res, err := sut.Pull(context.Background(), "", "foo", "bar", nil, false)
assert(res, err)
})
}
Expand Down
4 changes: 4 additions & 0 deletions internal/pkg/cli/puller/consts.go
Original file line number Diff line number Diff line change
Expand Up @@ -31,4 +31,8 @@ const (

// FlagPlatform is the flag for defining the platform.
FlagPlatform string = "platform"

// FlagDisableSignatureVerification is the flag for disabling the signature
// verification on pull.
FlagDisableSignatureVerification string = "disable-signature-verification"
)
10 changes: 7 additions & 3 deletions internal/pkg/cli/puller/impl.go
Original file line number Diff line number Diff line change
Expand Up @@ -32,12 +32,16 @@ type defaultImpl struct{}
//go:generate go run github.com/maxbrunsfeld/counterfeiter/v6 -generate -header ../../../../hack/boilerplate/boilerplate.generatego.txt
//counterfeiter:generate . impl
type impl interface {
Pull(string, string, string, *v1.Platform) (*artifact.PullResult, error)
Pull(string, string, string, *v1.Platform, bool) (*artifact.PullResult, error)
WriteFile(string, []byte, os.FileMode) error
}

func (*defaultImpl) Pull(from, username, password string, platform *v1.Platform) (*artifact.PullResult, error) {
return artifact.New(logr.New(&cli.LogSink{})).Pull(context.Background(), from, username, password, platform)
func (*defaultImpl) Pull(
from, username, password string, platform *v1.Platform, disableSignatureVerification bool,
) (*artifact.PullResult, error) {
return artifact.New(logr.New(&cli.LogSink{})).Pull(
context.Background(), from, username, password, platform, disableSignatureVerification,
)
}

func (*defaultImpl) WriteFile(name string, data []byte, perm os.FileMode) error {
Expand Down
15 changes: 10 additions & 5 deletions internal/pkg/cli/puller/options.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,11 +29,12 @@ import (

// Options define all possible options for the puller.
type Options struct {
pullFrom string
outputFile string
username string
password string
platform *v1.Platform
pullFrom string
outputFile string
username string
password string
platform *v1.Platform
disableSignatureVerification bool
}

// Default returns a default options instance.
Expand Down Expand Up @@ -64,6 +65,10 @@ func FromContext(ctx *ucli.Context) (*Options, error) {
options.username = ctx.String(FlagUsername)
}

if ctx.IsSet(FlagDisableSignatureVerification) {
options.disableSignatureVerification = ctx.Bool(FlagDisableSignatureVerification)
}

options.password = os.Getenv(cli.EnvKeyPassword)

platform, err := cli.ParsePlatform(ctx.String(FlagPlatform))
Expand Down
36 changes: 30 additions & 6 deletions internal/pkg/cli/puller/options_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ func TestFromContext(t *testing.T) {
for _, tc := range []struct {
name string
prepare func(*flag.FlagSet)
assert func(error)
assert func(*Options, error)
}{
{
name: "success",
Expand All @@ -38,8 +38,21 @@ func TestFromContext(t *testing.T) {
require.Nil(t, set.Set(FlagUsername, "username"))
require.Nil(t, set.Parse([]string{"echo"}))
},
assert: func(err error) {
assert: func(opts *Options, err error) {
require.NoError(t, err)
require.False(t, opts.disableSignatureVerification)
},
},
{
name: "success with verify signature disabled",
prepare: func(set *flag.FlagSet) {
set.Bool(FlagDisableSignatureVerification, true, "")
require.Nil(t, set.Set(FlagDisableSignatureVerification, "true"))
require.Nil(t, set.Parse([]string{"echo"}))
},
assert: func(opts *Options, err error) {
require.NoError(t, err)
require.True(t, opts.disableSignatureVerification)
},
},
{
Expand All @@ -48,7 +61,7 @@ func TestFromContext(t *testing.T) {
set.String(FlagOutputFile, "", "")
require.Nil(t, set.Set(FlagOutputFile, ""))
},
assert: func(err error) {
assert: func(_ *Options, err error) {
require.Error(t, err)
},
},
Expand All @@ -59,7 +72,18 @@ func TestFromContext(t *testing.T) {
require.Nil(t, set.Set(FlagOutputFile, ""))
require.Nil(t, set.Parse([]string{"echo"}))
},
assert: func(err error) {
assert: func(_ *Options, err error) {
require.Error(t, err)
},
},
{
name: "failure parse platform",
prepare: func(set *flag.FlagSet) {
set.String(FlagPlatform, "", "")
require.Nil(t, set.Set(FlagPlatform, "os//var"))
require.Nil(t, set.Parse([]string{"echo"}))
},
assert: func(_ *Options, err error) {
require.Error(t, err)
},
},
Expand All @@ -76,8 +100,8 @@ func TestFromContext(t *testing.T) {
app := cli.NewApp()
ctx := cli.NewContext(app, set, nil)

_, err := FromContext(ctx)
assert(err)
opts, err := FromContext(ctx)
assert(opts, err)
})
}
}
1 change: 1 addition & 0 deletions internal/pkg/cli/puller/puller.go
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,7 @@ func (p *Puller) Run() error {
p.options.username,
p.options.password,
p.options.platform,
p.options.disableSignatureVerification,
)
if err != nil {
return fmt.Errorf("pull profile: %w", err)
Expand Down
18 changes: 10 additions & 8 deletions internal/pkg/cli/puller/pullerfakes/fake_impl.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading

0 comments on commit 9bfe6d4

Please sign in to comment.