Skip to content

OCPNODE-3238: Add SigstoreImageVerificationPKI image policy validation tests #30315

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

OCPNODE-3238: Add SigstoreImageVerificationPKI image policy validation tests #30315

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
335 changes: 335 additions & 0 deletions test/extended/imagepolicy/imagepolicy.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,10 @@ import (
)

const (
clusterImagePolicyKind = "ClusterImagePolicy"
imagePolicyKind = "ImagePolicy"
testSignedPolicyScope = "quay.io/openshifttest/busybox-testsigstoresigned@sha256:c5439d7db88ab5423999530349d327b04279ad3161d7596d2126dfb5b02bfd1f"
testPKISignedPolicyScope = "quay.io/openshifttest/busybox-testsigstoresignedpki@sha256:c5439d7db88ab5423999530349d327b04279ad3161d7596d2126dfb5b02bfd1f"
registriesWorkerPoolMachineConfig = "99-worker-generated-registries"
registriesMasterPoolMachineConfig = "99-master-generated-registries"
testPodName = "signature-validation-test-pod"
Expand All @@ -34,6 +37,11 @@ const (
publiKeyRekorClusterImagePolicyName = "public-key-rekor-cluster-image-policy"
invalidPublicKeyImagePolicyName = "invalid-public-key-image-policy"
publiKeyRekorImagePolicyName = "public-key-rekor-image-policy"
invalidPKIClusterImagePolicyName = "invalid-pki-cluster-image-policy"
invalidPKIImagePolicyName = "invalid-pki-image-policy"
pkiClusterImagePolicyName = "pki-cluster-image-policy"
pkiImagePolicyName = "pki-image-policy"
invalidEmailPKIClusterImagePolicyName = "invalid-email-pki-cluster-image-policy"
)

var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][Serial]", g.Ordered, func() {
Expand Down Expand Up @@ -142,6 +150,56 @@ var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][
})
})

var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerificationPKI][Serial]", g.Ordered, func() {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Per new OTE naming conventions we should add "[Jira:Node]" for clear ownership. This is how Compnent Readiness knows what component to assign tests to.

Copy link

@cpmeadors cpmeadors Oct 2, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I realized that it needs to be "Node / Something". Not sure which "subcomponent" this would fall under.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sig-imagepolicy was included in the https://github.com/openshift-eng/ci-test-mapping in the ci mapping, I think this can map the component when file a bug:
https://github.com/openshift-eng/ci-test-mapping/blob/89b8e6a2379e5ce77f44fe90863dd3d7ca8e53d2/pkg/components/node/crio/component.go#L25C11-L25C26

defer g.GinkgoRecover()
var (
oc = exutil.NewCLIWithoutNamespace("cluster-image-policy")
tctx = context.Background()
cli = exutil.NewCLIWithPodSecurityLevel("verifysigstore-e2e", admissionapi.LevelBaseline)
clif = cli.KubeFramework()
imgpolicyCli = exutil.NewCLIWithPodSecurityLevel("verifysigstore-imagepolicy-e2e", admissionapi.LevelBaseline)
imgpolicyClif = imgpolicyCli.KubeFramework()
testClusterImagePolicies = generateClusterImagePolicies()
testImagePolicies = generateImagePolicies()
)

g.BeforeAll(func() {
if !exutil.IsTechPreviewNoUpgrade(tctx, oc.AdminConfigClient()) {
g.Skip("skipping, this feature is only supported on TechPreviewNoUpgrade clusters")
}
// skip test on disconnected clusters.
if isDisconnectedCluster(oc) {
g.Skip("skipping test on disconnected platform")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could be shared with the [sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][Serial]" version

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.
we can cleanup for SigstoreImageVerification tests in a follow up PR.

}
})

g.DescribeTable("clusterimagepolicy signature validation tests",
func(policyName string, expectPass bool, imageSpec string, verifyFunc func(tctx context.Context, clif *e2e.Framework, expectPass bool, testPodName string, imageSpec string) error) {
createClusterImagePolicy(oc, testClusterImagePolicies[policyName])
g.DeferCleanup(deleteClusterImagePolicy, oc, policyName)

err := verifyFunc(tctx, clif, expectPass, testPodName, imageSpec)
o.Expect(err).NotTo(o.HaveOccurred())
},
g.Entry("fail with PKI root of trust does not match the identity in the signature", invalidPKIClusterImagePolicyName, false, testPKISignedPolicyScope, verifyPodSignature),
g.Entry("fail with PKI email does not match", invalidEmailPKIClusterImagePolicyName, false, testPKISignedPolicyScope, verifyPodSignature),
g.Entry("pass with valid PKI", pkiClusterImagePolicyName, true, testPKISignedPolicyScope, verifyPodSignature),
)

g.DescribeTable("imagepolicy signature validation tests",
func(policyName string, expectPass bool, imageSpec string, verifyFunc func(tctx context.Context, clif *e2e.Framework, expectPass bool, testPodName string, imageSpec string) error) {
createImagePolicy(oc, testImagePolicies[policyName], imgpolicyClif.Namespace.Name)
g.DeferCleanup(deleteImagePolicy, oc, policyName, imgpolicyClif.Namespace.Name)

err := verifyFunc(tctx, imgpolicyClif, expectPass, testPodName, imageSpec)
o.Expect(err).NotTo(o.HaveOccurred())
},
g.Entry("fail with PKI root of trust does not match the identity in the signature", invalidPKIImagePolicyName, false, testPKISignedPolicyScope, verifyPodSignature),
g.Entry("pass with valid PKI", pkiImagePolicyName, true, testPKISignedPolicyScope, verifyPodSignature),
)

})

func updateImageConfig(oc *exutil.CLI, allowedRegistries []string) {
e2e.Logf("Updating image config with allowed registries")
initialWorkerSpec := getMCPCurrentSpecConfigName(oc, workerPool)
Expand Down Expand Up @@ -323,6 +381,156 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKvZH0CXTk8XQkETuxkzkl3Bi4ms5
},
},
},
invalidPKIClusterImagePolicyName: {
TypeMeta: metav1.TypeMeta{
Kind: clusterImagePolicyKind,
APIVersion: configv1.SchemeGroupVersion.String(),
},
ObjectMeta: metav1.ObjectMeta{Name: invalidPKIClusterImagePolicyName},
Spec: configv1.ClusterImagePolicySpec{
Scopes: []configv1.ImageScope{testPKISignedPolicyScope},
Policy: configv1.Policy{
RootOfTrust: configv1.PolicyRootOfTrust{
PolicyType: configv1.PKIRootOfTrust,
PKI: &configv1.PKI{
CertificateAuthorityRootsData: []byte(`-----BEGIN CERTIFICATE-----
MIICYDCCAgagAwIBAgIUTq5IQKTGqI9XDqGzdGzm8mI43qkwCgYIKoZIzj0EAwIw
fDELMAkGA1UEBhMCLS0xDjAMBgNVBAgTBVNUQVRFMREwDwYDVQQHEwhMT0NBTElU
WTEVMBMGA1UEChMMT1JHQU5JU0FUSU9OMQ4wDAYDVQQLEwVMT0NBTDEjMCEGA1UE
AxMaUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjQwNjA2MTQxODAwWhcN
MzQwNjA0MTQxODAwWjB8MQswCQYDVQQGEwItLTEOMAwGA1UECBMFU1RBVEUxETAP
BgNVBAcTCExPQ0FMSVRZMRUwEwYDVQQKEwxPUkdBTklTQVRJT04xDjAMBgNVBAsT
BUxPQ0FMMSMwIQYDVQQDExpSb290IENlcnRpZmljYXRlIEF1dGhvcml0eTBZMBMG
ByqGSM49AgEGCCqGSM49AwEHA0IABDYxY1BnzNsriTp9PZ0TSumXOg36Xr4fO6xa
RHp7chgZ9KUhA+s2YoafOWobSiq3ZhfU5vjT2MVIeJjOZjw9EUWjZjBkMA4GA1Ud
DwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBQQOPL7R8z2
dG1h6uJ6bWX/xxl6mjAfBgNVHSMEGDAWgBQQOPL7R8z2dG1h6uJ6bWX/xxl6mjAK
BggqhkjOPQQDAgNIADBFAiAf7kYcHVNe1kj6R8pdVlAckVZZTu6khmBlJoe32FEu
TAIhALlR4yZRRYv2iaVPdgaptAI0LoDAtEUiO8Rb9FWJzpAN
-----END CERTIFICATE-----`),
PKICertificateSubject: configv1.PKICertificateSubject{
Email: "[email protected]",
},
},
},
SignedIdentity: &configv1.PolicyIdentity{
MatchPolicy: configv1.IdentityMatchPolicyMatchRepository,
},
},
},
},
pkiClusterImagePolicyName: {
TypeMeta: metav1.TypeMeta{
Kind: clusterImagePolicyKind,
APIVersion: configv1.SchemeGroupVersion.String(),
},
ObjectMeta: metav1.ObjectMeta{Name: pkiClusterImagePolicyName},
Spec: configv1.ClusterImagePolicySpec{
Scopes: []configv1.ImageScope{testPKISignedPolicyScope},
Policy: configv1.Policy{
RootOfTrust: configv1.PolicyRootOfTrust{
PolicyType: configv1.PKIRootOfTrust,
PKI: &configv1.PKI{
CertificateAuthorityRootsData: []byte(`-----BEGIN CERTIFICATE-----
MIIFvzCCA6egAwIBAgIUZnH3ITyYQMAp6lvNYc0fjRzzuBcwDQYJKoZIhvcNAQEL
BQAwbjELMAkGA1UEBhMCRVMxETAPBgNVBAcMCFZhbGVuY2lhMQswCQYDVQQKDAJJ
VDERMA8GA1UECwwIU2VjdXJpdHkxLDAqBgNVBAMMI0xpbnV4ZXJhIFJvb3QgQ2Vy
dGlmaWNhdGUgQXV0aG9yaXR5MCAXDTI0MDkzMDE2MjM1N1oYDzIwNTIwMjE1MTYy
MzU3WjBuMQswCQYDVQQGEwJFUzERMA8GA1UEBwwIVmFsZW5jaWExCzAJBgNVBAoM
AklUMREwDwYDVQQLDAhTZWN1cml0eTEsMCoGA1UEAwwjTGludXhlcmEgUm9vdCBD
ZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
AoICAQCy8vGuh6+27xqtsANJUMIeGaX/rjx5hIgh/eOcxZc2/azTB/zHnwjZX7qn
Co3zaYZaS3ibOouS1yPv2G3NeRPwfGHn2kcR3QM7h4BdYxZ3SR/VioaWpVymLCm2
/V2gQWMWKrtdYfOXBviqhhD9OIxrLSOqjac8T/icQcfN+dKktKyGlY7vJLKO9w2x
IdpOTa2IDuYp5DNQV6vy9sDFglP/iafvcDkLGUhrsop8LeNcejpmpFBPRwJKXgan
5spry6GgCpNNJuB/Hqgth0fGPjMEY8bPuVOCehnRxe094U01sGrobkkbnM+SxumA
oLwk1//jC1K3HaKjkIOMMHxEzqYx0Q4RalvPWhd6o/KP5Cs+rd5+EwSeFuvbaIrF
sEPZBPpH0UDLR0yiQNk2j4LVbV1xdP7tX8KtUvF8+E3Gm5SwnCodNbfnAUxNF4RK
4lDqGibUUI5B5SniJ5YMVeTJSc1Jo9gTaKa9lRniMitY9FjzjQjDF4yGnhNPmmKG
zIvVOXIhQpcw3UhEMmDz6p1wr3wMDtjufoaxaTjoAuxUzSwwFqxzzcJenQiHoFeQ
B6cJ5RayizadlkqBnHAkrzAB0aM9W8zh5AhIcnO6gfGBaOFom+I5Huy3TyZ9FjTn
vlxVM5txPV5VsBPMK96hF6mnWeKNg/22qY0X+wo8T33G4LvWIwIDAQABo1MwUTAd
BgNVHQ4EFgQUD+bFpMAOhNSptdQo+NZle+Yd1L4wHwYDVR0jBBgwFoAUD+bFpMAO
hNSptdQo+NZle+Yd1L4wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
AgEAmE21e2H51volFI0CboDakb5T9VLkDzLgmxH2iZPBJrnQBFaPTEaQnM93pDq+
czfc7+WJL+6TUyUYFOg2rueK/KWC3AQYUrsb+i3BDNZVv74f3wLidmqELcyjHO8m
7yoGIgeG8ksMYPCzPfuuFHYNDiv11brmbdhdGGbvQMbayLYvhB543J5sTiUsr3iv
ShKvmr/krAbdj6ZK2m6us+pFktjjbirHVqj5tE+RvEC9oHSngyCRCKJEuEDt+gUK
gmSFh1+AFJdjWqYqnX7kPu6N4x4KoH72OUkd7NHpzkG57UM0iVQ8jCAclkZxrpng
HCD+dY0JnIlF+LJ7qGgmrNQQvTZ11hWyV7fRHcCPwuqT0kJC/yjWWXEafsMWTPl7
2zrQg5YW0zbcWfRzo1ucx0tf47unRjVqjaXjyyzkgkHrqZH939SrAy9e2SFZUqdy
qIXwGmZktzL8DU+8ZH47R+CIwcv59l4Wy889fUrjk4Kgg45IhqnP5NMg2Z8aytUH
0Zwo0iJxuCe0tQTdSMvYC0PoWsEyR4KULEU83GfCbGZQG8hOFAPHXV0CpM025+9Y
L8ITFP+Nw9Meiw4etw59CTAPCc7l4Zvwr1K2ZTBmVGxrqdasiqpI0utG69aItsPi
+9V8SSde7D5iMV/3z9LDxA/oLoqNGFcD0TSR5+obeqJzl40=
-----END CERTIFICATE-----`),
PKICertificateSubject: configv1.PKICertificateSubject{
Email: "[email protected]",
},
},
},
SignedIdentity: &configv1.PolicyIdentity{
MatchPolicy: configv1.IdentityMatchPolicyMatchRepository,
},
},
},
},
invalidEmailPKIClusterImagePolicyName: {
TypeMeta: metav1.TypeMeta{
Kind: clusterImagePolicyKind,
APIVersion: configv1.SchemeGroupVersion.String(),
},
ObjectMeta: metav1.ObjectMeta{Name: invalidEmailPKIClusterImagePolicyName},
Spec: configv1.ClusterImagePolicySpec{
Scopes: []configv1.ImageScope{testPKISignedPolicyScope},
Policy: configv1.Policy{
RootOfTrust: configv1.PolicyRootOfTrust{
PolicyType: configv1.PKIRootOfTrust,
PKI: &configv1.PKI{
CertificateAuthorityRootsData: []byte(`-----BEGIN CERTIFICATE-----
MIIFvzCCA6egAwIBAgIUZnH3ITyYQMAp6lvNYc0fjRzzuBcwDQYJKoZIhvcNAQEL
BQAwbjELMAkGA1UEBhMCRVMxETAPBgNVBAcMCFZhbGVuY2lhMQswCQYDVQQKDAJJ
VDERMA8GA1UECwwIU2VjdXJpdHkxLDAqBgNVBAMMI0xpbnV4ZXJhIFJvb3QgQ2Vy
dGlmaWNhdGUgQXV0aG9yaXR5MCAXDTI0MDkzMDE2MjM1N1oYDzIwNTIwMjE1MTYy
MzU3WjBuMQswCQYDVQQGEwJFUzERMA8GA1UEBwwIVmFsZW5jaWExCzAJBgNVBAoM
AklUMREwDwYDVQQLDAhTZWN1cml0eTEsMCoGA1UEAwwjTGludXhlcmEgUm9vdCBD
ZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
AoICAQCy8vGuh6+27xqtsANJUMIeGaX/rjx5hIgh/eOcxZc2/azTB/zHnwjZX7qn
Co3zaYZaS3ibOouS1yPv2G3NeRPwfGHn2kcR3QM7h4BdYxZ3SR/VioaWpVymLCm2
/V2gQWMWKrtdYfOXBviqhhD9OIxrLSOqjac8T/icQcfN+dKktKyGlY7vJLKO9w2x
IdpOTa2IDuYp5DNQV6vy9sDFglP/iafvcDkLGUhrsop8LeNcejpmpFBPRwJKXgan
5spry6GgCpNNJuB/Hqgth0fGPjMEY8bPuVOCehnRxe094U01sGrobkkbnM+SxumA
oLwk1//jC1K3HaKjkIOMMHxEzqYx0Q4RalvPWhd6o/KP5Cs+rd5+EwSeFuvbaIrF
sEPZBPpH0UDLR0yiQNk2j4LVbV1xdP7tX8KtUvF8+E3Gm5SwnCodNbfnAUxNF4RK
4lDqGibUUI5B5SniJ5YMVeTJSc1Jo9gTaKa9lRniMitY9FjzjQjDF4yGnhNPmmKG
zIvVOXIhQpcw3UhEMmDz6p1wr3wMDtjufoaxaTjoAuxUzSwwFqxzzcJenQiHoFeQ
B6cJ5RayizadlkqBnHAkrzAB0aM9W8zh5AhIcnO6gfGBaOFom+I5Huy3TyZ9FjTn
vlxVM5txPV5VsBPMK96hF6mnWeKNg/22qY0X+wo8T33G4LvWIwIDAQABo1MwUTAd
BgNVHQ4EFgQUD+bFpMAOhNSptdQo+NZle+Yd1L4wHwYDVR0jBBgwFoAUD+bFpMAO
hNSptdQo+NZle+Yd1L4wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
AgEAmE21e2H51volFI0CboDakb5T9VLkDzLgmxH2iZPBJrnQBFaPTEaQnM93pDq+
czfc7+WJL+6TUyUYFOg2rueK/KWC3AQYUrsb+i3BDNZVv74f3wLidmqELcyjHO8m
7yoGIgeG8ksMYPCzPfuuFHYNDiv11brmbdhdGGbvQMbayLYvhB543J5sTiUsr3iv
ShKvmr/krAbdj6ZK2m6us+pFktjjbirHVqj5tE+RvEC9oHSngyCRCKJEuEDt+gUK
gmSFh1+AFJdjWqYqnX7kPu6N4x4KoH72OUkd7NHpzkG57UM0iVQ8jCAclkZxrpng
HCD+dY0JnIlF+LJ7qGgmrNQQvTZ11hWyV7fRHcCPwuqT0kJC/yjWWXEafsMWTPl7
2zrQg5YW0zbcWfRzo1ucx0tf47unRjVqjaXjyyzkgkHrqZH939SrAy9e2SFZUqdy
qIXwGmZktzL8DU+8ZH47R+CIwcv59l4Wy889fUrjk4Kgg45IhqnP5NMg2Z8aytUH
0Zwo0iJxuCe0tQTdSMvYC0PoWsEyR4KULEU83GfCbGZQG8hOFAPHXV0CpM025+9Y
L8ITFP+Nw9Meiw4etw59CTAPCc7l4Zvwr1K2ZTBmVGxrqdasiqpI0utG69aItsPi
+9V8SSde7D5iMV/3z9LDxA/oLoqNGFcD0TSR5+obeqJzl40=
-----END CERTIFICATE-----`),
PKICertificateSubject: configv1.PKICertificateSubject{
Email: "[email protected]",
},
},
},
SignedIdentity: &configv1.PolicyIdentity{
MatchPolicy: configv1.IdentityMatchPolicyMatchRepository,
},
},
},
},
}
return testClusterImagePolicies
}
Expand Down Expand Up @@ -377,6 +585,100 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKvZH0CXTk8XQkETuxkzkl3Bi4ms5
},
},
},
invalidPKIImagePolicyName: {
TypeMeta: metav1.TypeMeta{
Kind: imagePolicyKind,
APIVersion: configv1.SchemeGroupVersion.String(),
},
ObjectMeta: metav1.ObjectMeta{Name: invalidPKIImagePolicyName},
Spec: configv1.ImagePolicySpec{
Scopes: []configv1.ImageScope{testPKISignedPolicyScope},
Policy: configv1.Policy{
RootOfTrust: configv1.PolicyRootOfTrust{
PolicyType: configv1.PKIRootOfTrust,
PKI: &configv1.PKI{
CertificateAuthorityRootsData: []byte(`-----BEGIN CERTIFICATE-----
MIICYDCCAgagAwIBAgIUTq5IQKTGqI9XDqGzdGzm8mI43qkwCgYIKoZIzj0EAwIw
fDELMAkGA1UEBhMCLS0xDjAMBgNVBAgTBVNUQVRFMREwDwYDVQQHEwhMT0NBTElU
WTEVMBMGA1UEChMMT1JHQU5JU0FUSU9OMQ4wDAYDVQQLEwVMT0NBTDEjMCEGA1UE
AxMaUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjQwNjA2MTQxODAwWhcN
MzQwNjA0MTQxODAwWjB8MQswCQYDVQQGEwItLTEOMAwGA1UECBMFU1RBVEUxETAP
BgNVBAcTCExPQ0FMSVRZMRUwEwYDVQQKEwxPUkdBTklTQVRJT04xDjAMBgNVBAsT
BUxPQ0FMMSMwIQYDVQQDExpSb290IENlcnRpZmljYXRlIEF1dGhvcml0eTBZMBMG
ByqGSM49AgEGCCqGSM49AwEHA0IABDYxY1BnzNsriTp9PZ0TSumXOg36Xr4fO6xa
RHp7chgZ9KUhA+s2YoafOWobSiq3ZhfU5vjT2MVIeJjOZjw9EUWjZjBkMA4GA1Ud
DwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBQQOPL7R8z2
dG1h6uJ6bWX/xxl6mjAfBgNVHSMEGDAWgBQQOPL7R8z2dG1h6uJ6bWX/xxl6mjAK
BggqhkjOPQQDAgNIADBFAiAf7kYcHVNe1kj6R8pdVlAckVZZTu6khmBlJoe32FEu
TAIhALlR4yZRRYv2iaVPdgaptAI0LoDAtEUiO8Rb9FWJzpAN
-----END CERTIFICATE-----`),
PKICertificateSubject: configv1.PKICertificateSubject{
Email: "[email protected]",
},
},
},
SignedIdentity: &configv1.PolicyIdentity{
MatchPolicy: configv1.IdentityMatchPolicyMatchRepository,
},
},
},
},
pkiImagePolicyName: {
TypeMeta: metav1.TypeMeta{
Kind: imagePolicyKind,
APIVersion: configv1.SchemeGroupVersion.String(),
},
ObjectMeta: metav1.ObjectMeta{Name: pkiImagePolicyName},
Spec: configv1.ImagePolicySpec{
Scopes: []configv1.ImageScope{testPKISignedPolicyScope},
Policy: configv1.Policy{
RootOfTrust: configv1.PolicyRootOfTrust{
PolicyType: configv1.PKIRootOfTrust,
PKI: &configv1.PKI{
CertificateAuthorityRootsData: []byte(`-----BEGIN CERTIFICATE-----
MIIFvzCCA6egAwIBAgIUZnH3ITyYQMAp6lvNYc0fjRzzuBcwDQYJKoZIhvcNAQEL
BQAwbjELMAkGA1UEBhMCRVMxETAPBgNVBAcMCFZhbGVuY2lhMQswCQYDVQQKDAJJ
VDERMA8GA1UECwwIU2VjdXJpdHkxLDAqBgNVBAMMI0xpbnV4ZXJhIFJvb3QgQ2Vy
dGlmaWNhdGUgQXV0aG9yaXR5MCAXDTI0MDkzMDE2MjM1N1oYDzIwNTIwMjE1MTYy
MzU3WjBuMQswCQYDVQQGEwJFUzERMA8GA1UEBwwIVmFsZW5jaWExCzAJBgNVBAoM
AklUMREwDwYDVQQLDAhTZWN1cml0eTEsMCoGA1UEAwwjTGludXhlcmEgUm9vdCBD
ZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
AoICAQCy8vGuh6+27xqtsANJUMIeGaX/rjx5hIgh/eOcxZc2/azTB/zHnwjZX7qn
Co3zaYZaS3ibOouS1yPv2G3NeRPwfGHn2kcR3QM7h4BdYxZ3SR/VioaWpVymLCm2
/V2gQWMWKrtdYfOXBviqhhD9OIxrLSOqjac8T/icQcfN+dKktKyGlY7vJLKO9w2x
IdpOTa2IDuYp5DNQV6vy9sDFglP/iafvcDkLGUhrsop8LeNcejpmpFBPRwJKXgan
5spry6GgCpNNJuB/Hqgth0fGPjMEY8bPuVOCehnRxe094U01sGrobkkbnM+SxumA
oLwk1//jC1K3HaKjkIOMMHxEzqYx0Q4RalvPWhd6o/KP5Cs+rd5+EwSeFuvbaIrF
sEPZBPpH0UDLR0yiQNk2j4LVbV1xdP7tX8KtUvF8+E3Gm5SwnCodNbfnAUxNF4RK
4lDqGibUUI5B5SniJ5YMVeTJSc1Jo9gTaKa9lRniMitY9FjzjQjDF4yGnhNPmmKG
zIvVOXIhQpcw3UhEMmDz6p1wr3wMDtjufoaxaTjoAuxUzSwwFqxzzcJenQiHoFeQ
B6cJ5RayizadlkqBnHAkrzAB0aM9W8zh5AhIcnO6gfGBaOFom+I5Huy3TyZ9FjTn
vlxVM5txPV5VsBPMK96hF6mnWeKNg/22qY0X+wo8T33G4LvWIwIDAQABo1MwUTAd
BgNVHQ4EFgQUD+bFpMAOhNSptdQo+NZle+Yd1L4wHwYDVR0jBBgwFoAUD+bFpMAO
hNSptdQo+NZle+Yd1L4wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
AgEAmE21e2H51volFI0CboDakb5T9VLkDzLgmxH2iZPBJrnQBFaPTEaQnM93pDq+
czfc7+WJL+6TUyUYFOg2rueK/KWC3AQYUrsb+i3BDNZVv74f3wLidmqELcyjHO8m
7yoGIgeG8ksMYPCzPfuuFHYNDiv11brmbdhdGGbvQMbayLYvhB543J5sTiUsr3iv
ShKvmr/krAbdj6ZK2m6us+pFktjjbirHVqj5tE+RvEC9oHSngyCRCKJEuEDt+gUK
gmSFh1+AFJdjWqYqnX7kPu6N4x4KoH72OUkd7NHpzkG57UM0iVQ8jCAclkZxrpng
HCD+dY0JnIlF+LJ7qGgmrNQQvTZ11hWyV7fRHcCPwuqT0kJC/yjWWXEafsMWTPl7
2zrQg5YW0zbcWfRzo1ucx0tf47unRjVqjaXjyyzkgkHrqZH939SrAy9e2SFZUqdy
qIXwGmZktzL8DU+8ZH47R+CIwcv59l4Wy889fUrjk4Kgg45IhqnP5NMg2Z8aytUH
0Zwo0iJxuCe0tQTdSMvYC0PoWsEyR4KULEU83GfCbGZQG8hOFAPHXV0CpM025+9Y
L8ITFP+Nw9Meiw4etw59CTAPCc7l4Zvwr1K2ZTBmVGxrqdasiqpI0utG69aItsPi
+9V8SSde7D5iMV/3z9LDxA/oLoqNGFcD0TSR5+obeqJzl40=
-----END CERTIFICATE-----`),
PKICertificateSubject: configv1.PKICertificateSubject{
Email: "[email protected]",
},
},
},
SignedIdentity: &configv1.PolicyIdentity{
MatchPolicy: configv1.IdentityMatchPolicyMatchRepository,
},
},
},
},
}
return testImagePolicies
}
Expand Down Expand Up @@ -407,3 +709,36 @@ func waitForMCPConfigSpecChangeAndUpdated(oc *exutil.CLI, pool string, initialSp
return machineconfighelper.IsMachineConfigPoolConditionTrue(mcp.Status.Conditions, mcfgv1.MachineConfigPoolUpdated)
}, 20*time.Minute, 10*time.Second).Should(o.BeTrue())
}

func isDisconnectedCluster(oc *exutil.CLI) bool {
networkConfig, err := oc.AdminConfigClient().ConfigV1().Networks().Get(context.Background(), "cluster", metav1.GetOptions{})
if err != nil {
e2e.Failf("unable to get cluster network config: %v", err)
}
usingIPv6 := false
for _, clusterNetworkEntry := range networkConfig.Status.ClusterNetwork {
addr, _, err := net.ParseCIDR(clusterNetworkEntry.CIDR)
if err != nil {
continue
}
if addr.To4() == nil {
usingIPv6 = true
break
}
}
return usingIPv6
}

func verifyPodSignature(tctx context.Context, clif *e2e.Framework, expectPass bool, testPodName string, imageSpec string) error {
pod, err := launchTestPod(tctx, clif, testPodName, imageSpec)
if err != nil {
return err
}
g.DeferCleanup(deleteTestPod, tctx, clif, testPodName)

if expectPass {
return e2epod.WaitForPodSuccessInNamespace(tctx, clif.ClientSet, pod.Name, pod.Namespace)
} else {
return waitForTestPodContainerToFailSignatureValidation(tctx, clif, pod)
}
}