Add valid signaturePullSecrets test

Signed-off-by: Denny Hoang <dhoang@vmware.com>
sigstore · Apr 27, 2022 · 65bd3fd · 65bd3fd
1 parent f4063d6
commit 65bd3fd
Showing 1 changed file with 59 additions and 8 deletions.
diff --git a/pkg/cosign/kubernetes/webhook/validator_test.go b/pkg/cosign/kubernetes/webhook/validator_test.go
@@ -43,7 +43,6 @@ import (
 	"github.com/sigstore/cosign/pkg/oci/static"
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
-	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"knative.dev/pkg/apis"
@@ -123,11 +122,23 @@ UoJou2P8sbDxpLiE/v3yLw1/jyOrCPWYHWFXnyyeGlkgSVefG54tNoK7Uw==
 	})
 
 	kc := fakekube.Get(ctx)
-	kc.CoreV1().ServiceAccounts("default").Create(ctx, &corev1.ServiceAccount{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: "default",
-		},
-	}, metav1.CreateOptions{})
+	// Setup service acc and fakeSignaturePullSecrets for "default" and "cosign-system" namespace
+	for _, ns := range []string{"default", system.Namespace()} {
+		kc.CoreV1().ServiceAccounts(ns).Create(ctx, &corev1.ServiceAccount{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "default",
+			},
+		}, metav1.CreateOptions{})
+
+		kc.CoreV1().Secrets(ns).Create(ctx, &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "fakeSignaturePullSecrets",
+			},
+			Data: map[string][]byte{
+				"dockerconfigjson": []byte(`{"auths":{"https://index.docker.io/v1/":{"username":"username","password":"password","auth":"dXNlcm5hbWU6cGFzc3dvcmQ="}}`),
+			},
+		}, metav1.CreateOptions{})
+	}
 
 	v := NewValidator(ctx, secretName)
 
@@ -470,7 +481,7 @@ UoJou2P8sbDxpLiE/v3yLw1/jyOrCPWYHWFXnyyeGlkgSVefG54tNoK7Uw==
 		}(),
 		cvs: fail,
 	}, {
-		name: "simple, error, authority source signaturePullSecrets, invalid secret",
+		name: "simple, error, authority source signaturePullSecrets, non exisiting secret",
 		ps: &corev1.PodSpec{
 			InitContainers: []corev1.Container{{
 				Name:  "setup-stuff",
@@ -497,7 +508,7 @@ UoJou2P8sbDxpLiE/v3yLw1/jyOrCPWYHWFXnyyeGlkgSVefG54tNoK7Uw==
 									},
 									Sources: []v1alpha1.Source{{
 										OCI: "example.com/alternative/signature",
-										SignaturePullSecrets: []v1.LocalObjectReference{{
+										SignaturePullSecrets: []corev1.LocalObjectReference{{
 											Name: "non-existing-secret",
 										}},
 									}},
@@ -521,6 +532,46 @@ UoJou2P8sbDxpLiE/v3yLw1/jyOrCPWYHWFXnyyeGlkgSVefG54tNoK7Uw==
 			return errs
 		}(),
 		cvs: authorityPublicKeyCVS,
+	}, {
+		name: "simple, no error, authority source signaturePullSecrets, valid secret",
+		ps: &corev1.PodSpec{
+			InitContainers: []corev1.Container{{
+				Name:  "setup-stuff",
+				Image: digest.String(),
+			}},
+			Containers: []corev1.Container{{
+				Name:  "user-container",
+				Image: digest.String(),
+			}},
+		},
+		customContext: config.ToContext(ctx,
+			&config.Config{
+				ImagePolicyConfig: &config.ImagePolicyConfig{
+					Policies: map[string]webhookcip.ClusterImagePolicy{
+						"cluster-image-policy": {
+							Images: []v1alpha1.ImagePattern{{
+								Regex: ".*",
+							}},
+							Authorities: []webhookcip.Authority{
+								{
+									Key: &webhookcip.KeyRef{
+										Data:       authorityKeyCosignPubString,
+										PublicKeys: []crypto.PublicKey{authorityKeyCosignPub},
+									},
+									Sources: []v1alpha1.Source{{
+										OCI: "example.com/alternative/signature",
+										SignaturePullSecrets: []corev1.LocalObjectReference{{
+											Name: "fakeSignaturePullSecrets",
+										}},
+									}},
+								},
+							},
+						},
+					},
+				},
+			},
+		),
+		cvs: authorityPublicKeyCVS,
 	}}
 
 	for _, test := range tests {