Merge pull request #38 from vaikas/release-14

updates for .14 release, clean up docs

.github/workflows/test-release.yaml

@@ -31,7 +31,7 @@ jobs:
 
     env:
       KNATIVE_VERSION: "1.1.0"
-      RELEASE_VERSION: "v0.1.13-alpha"
+      RELEASE_VERSION: "v0.1.14"
       KO_DOCKER_REPO: registry.local:5000/knative
       KOCACHE: ~/ko
 

getting-started.md

@@ -29,10 +29,6 @@ disabled, details [here](https://developer.apple.com/forums/thread/682332)).
 Alternatively, you can manually modify the script and change the
 [REGISTRY_PORT](https://github.com/vaikas/sigstore-scaffolding/blob/main/hack/setup-mac-kind.sh#L19)
 
-```shell
-./hack/setup-mac-kind.sh
-```
-
 *NOTE* You may have to uninstall the docker registry container between running
 the above scripts because it spins up a registry container in a daemon mode.
 To clean a previously running registry, you can do one of these:
@@ -58,13 +54,13 @@ docker rm -f b1e3f3238f7a
 # Install sigstore-scaffolding pieces
 
 ```shell
-curl -L https://github.com/vaikas/sigstore-scaffolding/releases/download/v0.1.13-alpha/release.yaml | kubectl apply -f -
+curl -L https://github.com/vaikas/sigstore-scaffolding/releases/download/v0.1.14/release.yaml | kubectl apply -f -
 ```
 
 Or for Arm64 based (M1 for example):
 
 ```shell
-curl -L https://github.com/vaikas/sigstore-scaffolding/releases/download/v0.1.13-alpha/release-arm.yaml | kubectl apply -f -
+curl -L https://github.com/vaikas/sigstore-scaffolding/releases/download/v0.1.14/release-arm.yaml | kubectl apply -f -
 ```
 
 The reason for different releases is the mysql binary used in the Intel based
@@ -125,112 +121,111 @@ and Rekor can be accessed in the cluster with:
  * `rekor.rekor-system.svc`
 
 ## Testing Your new Sigstore Kind Cluster
+
+Let's first run a quick smoke test that does a cosign sign followed by making
+sure that the rekor entry is created for it.
+
 1) Get ctlog-public-key and add to default namespace
 ```shell
 kubectl -n ctlog-system get secrets ctlog-public-key -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl apply -f -
 ```
 
 3) Create the two test jobs (checktree and check-oidc)  using this yaml (this may take a bit, since the two jobs are launched simultaneously)
 ```shell
-curl -L https://github.com/vaikas/sigstore-scaffolding/releases/download/v0.1.13-alpha/testrelease.yaml | kubectl apply -f -
+curl -L https://github.com/vaikas/sigstore-scaffolding/releases/download/v0.1.14/testrelease.yaml | kubectl apply -f -
 ```
 
 4) To view if jobs have completed
 ```shell
-kubectl get jobs/checktree jobs/check-oidc
+kubectl wait --timeout=5m --for=condition=Complete jobs checktree check-oidc
 ```
 
-## Example e2e test and cosign invocation using all of the above
+## Exercising the local cluster
 
-There's an [E2E](./github/workflows/fulcio-rekor-kind.yaml) test that spins all
-these up and before the documentation here catches up is probably the best place
-to look to see how things are spun up if you run into trouble or want to use it
-in your tests.
+Because all the pieces are running in the kind cluster, we need to make couple
+of things to make it usable by normal cosign tooling from your local machine.
 
-As part of the E2E test we use [cosign](https://github.com/sigstore/cosign) to
-sign an image (and verify an entry made it Rekor), that should hopefully allow
-you to use it in your tests as well. The invocation is
-[here](./testdata/config/sign-job/sign-job.yaml) and while it's wrapped in a k8s
-Job and it uses a container, it basically executes this against the stack
-deployed above:
-
-```shell
-COSIGN_EXPERIMENTAL=true SIGSTORE_CT_LOG_PUBLIC_KEY_FILE=/var/run/sigstore-root/rootfile.pem
-cosign sign --fulcio-url=http://fulcio.fulcio-system.svc \
---rekor-url=http://rekor.rekor-system.svc \
-ko://github.com/vaikas/sigstore-scaffolding/cmd/rekor/checktree
-```
+### Certificates
 
-Where the `rootfile.pem` gets mounted by the job, but you can get this Public
-key of the CTLog, so that you can verify the SCT coming back from Fulcio, by
-doing this:
+There are two certificates that we need, CT Log and Fulcio root certs. Note that
+if you are switching back and forth between public / your instance, you might
+not want to export these variables as hilarity will ensue.
 
+CT Log:
 ```shell
-kubectl -n ctlog-system get secrets ctlog-public-key -o=jsonpath='{.data.public}' | base64 -d
+kubectl -n ctlog-system get secrets ctlog-public-key -o=jsonpath='{.data.public}' | base64 -d > ./ctlog-public.pem
+export SIGSTORE_CT_LOG_PUBLIC_KEY_FILE=./ctlog-public.pem
 ```
 
-For example for my invocation it looks like this:
-
+Fulcio root:
 ```shell
-kubectl -n ctlog-system get secrets ctlog-public-key -o=jsonpath='{.data.public}' | base64 -d
------BEGIN RSA PUBLIC KEY-----
-MIICCgKCAgEAtPFdYCIKeK9yIZioAqk1JZnkxQVaisxJf17iMgZ6zRxoOh/E/Owh
-GIHLUE53P3Zucezq5haJtUz0U8DQd5SDDt7KkT6hyWddLBqVpeHsvIVFb+fva4pn
-HgUhXSLiPDuKFP6a4d1b/g9FX0PUFRfUtt1pBL6w+r/oEZtvNgt6xj2a/YK1Vfef
-MzJowQ86qAuvAUko9Rt2wkSyjlk3hAq3T+9zTdrR8mfJ6Q0TfFjqVDgZIlVu92TN
-BneIzkSp+CnpJo6ghQiVlCMKqaBzYmNWBusNGShGBXuH976nW4AWPMagyUlYDVu3
-1L2vHyEuEZpwJgGxWH0SQ2uV94rYqnrdNRfIMvkCQsW/U7zVRf9S3u1lA2sRp7h2
-fBe0D27Bu0sCOPH4fwabsKNcrNN/7vTNvujmoS7LqYwI6DvzyjTXSazy9mImB6Ik
-0Izm94FL12vQSSsHRXXT0lkvL3cBRHbCd/qk54LKWisO098Nsx24W6dIjFXevnPg
-SPqIvN546ELoE5Opa5p8KCEw7IAkkb0OvnfnfciRwmPVBR19fslkm1qAS17ayAKq
-OFShVnTiiecQpssOUTCpe9n0y+GRnsx6KazyDHZ6iTCNrXTFDYzocoX3xJV62vyo
-uiXoqBju311tisbKmtUX+g8JNlyH3p/eN0TePflERtS4yTcNkDvxVrUCAwEAAQ==
------END RSA PUBLIC KEY-----
+kubectl -n fulcio-system get secrets fulcio-secret -ojsonpath='{.data.cert}' | base64 -d > ./fulcio-root.pem
+export SIGSTORE_ROOT_FILE=./fulcio-root.pem
 ```
 
-So you can pipe that to file and replace the `/var/run/sigstore-root/rootfile.pem`
-with that location.
+### Network access
 
-If the services of the cluster are not publically accessible, you can
-port-forward to your cluster like so (assuming you installed Knative with
-kourier):
+Setup port forwarding:
 
 ```shell
 kubectl -n kourier-system port-forward service/kourier-internal 8080:80 &
 ```
 
-and adding entries to your /etc/hosts
+### Adding localhost entries to make tools usable
+
+Add the following entries to your `/etc/hosts` file
 
 ```
 127.0.0.1 rekor.rekor-system.svc
 127.0.0.1 fulcio.fulcio-system.svc
 127.0.0.1 ctlog.ctlog-system.svc
 ```
 
-If you do this port forwarding, then you also have to modify the --fulcio-url
-and --rekor-url above to have the local port number, so for example:
+This makes using tooling easier, for example:
 
+```shell
+rekor-cli --rekor_server http://rekor.rekor-system.svc:8080 loginfo
 ```
---fulcio-url=http://fulcio.fulcio-system.svc:8080
---rekor-url=http://rekor.rekor-system.svc:8080
+
+For example, this is what I get after smoke tests have successfully completed:
+```shell
+rekor-cli --rekor_server http://rekor.rekor-system.svc:8080 loginfo
+No previous log state stored, unable to prove consistency
+Verification Successful!
+Tree Size: 1
+Root Hash: 062e2fa50e2b523f9cfd4eadc4b67745436226d64bf9799d57c5dc023681c4b8
+Timestamp: 2022-02-04T22:09:46Z
 ```
 
-You can also verify that the entries were added to the CTLog (this is assuming)
-you successfully ran the jobs to completion above. For example, this is what
-I get:
+You can then execute various cosign/rekor-cli commands against these. However,
+until [this issue](https://github.com/sigstore/cosign/issues/1405) gets fixed
+for cosign you have to use `--allow-insecure-flag` in your cosign invocations.
+For example, to verify an image hosted in the local registry:
 
 ```shell
-curl http://ctlog.ctlog-system.svc:8080/sigstorescaffolding/ct/v1/get-sth
-{"tree_size":1,"timestamp":1643137195022,"sha256_root_hash":"i3NpxGSUw0/Ol0NmIba9ssMbYsogHHpwD3fHIGS84AI=","tree_head_signature":"BAECAAHqdlMlgLN6lBptnCd4fWaF/m99j877NRu0RerfO8eA/t7b15UKfSRzVmXG60tk1WVCPr0I2yqckIBFMB5tb/d7WCddlWVLbhtwTFG8hJwv1NbAFuSGmkKFHaZCt8rc9Ht9hEYiZTjKjIfXDP+FudSrQt0YsmZCAcVBM0LszowLGhjrx1oUrYNKbfnihI8CEyQMN7qCz83Cebm2acDgaGfv3NgfsC7LMPVFJNN9ryG1F2kK9Mb4UF6us3k8WeAAaOzxO7+NfHNQuaCt7FbFBjrDDtTAuTSfp9rgcGgJ4AiHvrx6X8PhXt7RdTQVDMPlWKPZg/gBYKla+19GSsCLf60msrF57295c2fPoL87mDZGuxLVaSBQKOlKWb+CJAe5+WUqG22Veq8xxlHrZkaXTRToNTA6P8/Z3Vy/QHTDaDd4k3Fm33sERu7F/R46U4UMQd1eMGTIoknKupDbjbW2JigbmAJMdT8dw5EskFLY/+Usn6ykZI6MBp2hHMiW84Son7CiniIzwqYBW0JFPSm/Pf/6LAYYNg/q5DX+AmHWTB8GM58+3IodlAO3qorF7TXUZqpZCiMjlJWP5AC5NRwVfnLOu8nS+fS27dWxK0MqIcAOVTUZ+T6vFAbKCiDIDp6MwggJ2tSUx4lk3wp4i0PF9nEH8S2VeiX7c9cwsP6GXGLV"}%
+COSIGN_EXPERIMENTAL=1 ./main verify --allow-insecure-registry  registry.local:5000/knative/pythontest@sha256:080c3ad99fdd8b6f23da3085fb321d8a4fa57f8d4dd30135132e0fe3b31aa602
 ```
 
-And if you check the rekor state for example with loginfo, you can do so like:
+## Incorporating to e2e tests for projects using Sigstore.
+
+There's an [E2E](./github/workflows/fulcio-rekor-kind.yaml) test that spins all
+these up and before the documentation here catches up is probably the best place
+to look to see how things are spun up if you run into trouble or want to use it
+in your tests.
+
+As part of the E2E test we use [cosign](https://github.com/sigstore/cosign) to
+sign an image (and verify an entry made it Rekor), that should hopefully allow
+you to use it in your tests as well. The invocation is
+[here](./testdata/config/sign-job/sign-job.yaml) and while it's wrapped in a k8s
+Job and it uses a container, it basically executes this against the stack
+deployed above:
 
 ```shell
-rekor-cli --store_tree_state=false --rekor_server http://rekor.rekor-system.svc:8080 loginfo
-No previous log state stored, unable to prove consistency
-Verification Successful!
-Tree Size: 1
-Root Hash: 68034bc4c888a307cd2f3289aecc4ebf80c5b720a4655bc2b3a073671ca2d54a
-Timestamp: 2022-01-25T19:28:56Z
+COSIGN_EXPERIMENTAL=true SIGSTORE_CT_LOG_PUBLIC_KEY_FILE=/var/run/sigstore-root/rootfile.pem
+cosign sign --fulcio-url=http://fulcio.fulcio-system.svc \
+--rekor-url=http://rekor.rekor-system.svc \
+ko://github.com/vaikas/sigstore-scaffolding/cmd/rekor/checktree
 ```
+
+Where the `rootfile.pem` gets mounted by the job, and it's the public key of the
+CTLog, so we can verify the SCT coming back from Fulcio.

hack/setup-kind.sh

@@ -17,17 +17,6 @@ else
   RUNNING_ON_MAC="false"
 fi
 
-if [ ${THIS_HW} == "arm64" ]; then
-  RELEASE="https://github.com/vaikas/sigstore-scaffolding/releases/download/v0.1.13-alpha/release-arm.yaml"
-else
-  RELEASE="https://github.com/vaikas/sigstore-scaffolding/releases/download/v0.1.13-alpha/release.yaml"
-fi
-
-#if [[ -z "${GITHUB_WORKSPACE}" ]]; then
-#  echo "This script is expected to run in the context of GitHub Actions."
-#  exit 1
-#fi
-
 # Defaults
 K8S_VERSION="v1.21.x"
 KNATIVE_VERSION="1.1.0"