Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check failure message of policy that fails with issuer mismatch #1815

Merged
merged 1 commit into from Apr 28, 2022
Merged

Check failure message of policy that fails with issuer mismatch #1815

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
31 changes: 24 additions & 7 deletions test/e2e_test_cluster_image_policy.sh
View file
Open in desktop
Expand Up @@ -56,6 +56,26 @@ fi
# Trust our own custom Rekor API
export SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY=1

# To simplify testing failures, use this function to execute a kubectl to create
# our job and verify that the failure is expected.
assert_error() {
local KUBECTL_OUT_FILE="/tmp/kubectl.failure.out"
match="$@"
echo looking for ${match}
kubectl delete job job-that-fails -n ${NS} --ignore-not-found=true
if kubectl create -n ${NS} job job-that-fails --image=${demoimage} 2> ${KUBECTL_OUT_FILE} ; then
echo Failed to block expected Job failure!
exit 1
else
echo Successfully blocked Job creation with expected error: "${match}"
if ! grep -q "${match}" ${KUBECTL_OUT_FILE} ; then
echo Did not get expected failure message, wanted "${match}", got
cat ${KUBECTL_OUT_FILE}
exit 1
fi
fi
}

# Publish the first test image
echo '::group:: publish test image demoimage'
pushd $(mktemp -d)
Expand Down Expand Up @@ -107,6 +127,7 @@ echo '::endgroup::'
echo '::group:: Create test namespace and label for verification'
kubectl create namespace demo-keyless-signing
kubectl label namespace demo-keyless-signing cosigned.sigstore.dev/include=true
export NS=demo-keyless-signing
echo '::endgroup::'

echo '::group:: test job success'
Expand Down Expand Up @@ -151,13 +172,9 @@ kubectl apply -f ./test/testdata/cosigned/e2e/cip-keyless-with-identities-mismat
sleep 5
echo '::endgroup::'

echo '::group:: test job block'
if kubectl create -n demo-keyless-signing job demo-identities-works --image=${demoimage} ; then
echo Failed to block Job in namespace with non matching issuer and subject!
exit 1
else
echo Succcessfully blocked Job with mismatching issuer and subject
fi
echo '::group:: test job block with mismatching issuer/subject'
expected_error='none of the expected identities matched what was in the certificate'
assert_error ${expected_error}
echo '::endgroup::'

echo '::group:: Remove mismatching cip, start fresh for key'
Expand Down