Load a TrustRoot reference when using the policy-tester #698

Merged
merged 1 commit into from
Apr 3, 2023

Collaborator

@hectorj2f hectorj2f commented Apr 3, 2023

Summary

closes #560

Load a trustroot definition using the policy-tester.

policy-tester \
        --trustroot=trustroot.yaml \
        --policy=test/testdata/policy-controller/tester/cip-public-keyless.yaml \
        --image=k8s.gcr.io/pause:3.9

where the trustroot could be:

apiVersion: policy.sigstore.dev/v1alpha1
kind: TrustRoot
metadata:
  name: my-sigstore-keys
spec:
  sigstoreKeys:
    certificateAuthorities: []
    timestampAuthorities:
    - subject:
        organization: tsa-organization
        commonName: tsa-common-name
      uri: TSA_URL
      certChain: |-
        TSA_CERT_CHAIN
        ...

Release Note

Documentation

Signed-off-by: Hector Fernandez <hector@chainguard.dev>
@hectorj2f hectorj2f requested a review from vaikas April 3, 2023 12:37
@hectorj2f hectorj2f self-assigned this Apr 3, 2023
@hectorj2f hectorj2f changed the title from "load trustroot definition" to "Load a TrustRoot reference when using the policy-tester" Apr 3, 2023

codecov bot commented Apr 3, 2023

Codecov Report

Merging #698 (95e21f5) into main (00988ae) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #698   +/-   ##
=======================================
  Coverage   55.37%   55.37%           
=======================================
  Files          45       45           
  Lines        4791     4791           
=======================================
  Hits         2653     2653           
  Misses       1934     1934           
  Partials      204      204           


Collaborator

@priyawadhwa priyawadhwa left a comment


Would it be possible to add a test for verifying a TSA-signed image with a CIP and TrustRoot?

@hectorj2f
Collaborator Author

@priyawadhwa We already have e2e tests to exercise this behavior in the controller: https://github.com/sigstore/policy-controller/blob/main/test/e2e_test_cluster_image_policy_with_tsa.sh#L136 and https://github.com/sigstore/policy-controller/blob/main/test/e2e_test_cluster_image_policy_with_tsa.sh#L129.

@hectorj2f hectorj2f merged commit 44e0685 into sigstore:main Apr 3, 2023
@hectorj2f hectorj2f deleted the tester_load_trustroot branch April 3, 2023 17:42
@github-actions github-actions bot added this to the v1 milestone Apr 3, 2023
Development

Successfully merging this pull request may close these issues.

policy-tester: support TrustRoot references