From dee630d5a7bf380ac5d7544dd460e095c1e34498 Mon Sep 17 00:00:00 2001 From: Ville Aikas Date: Fri, 4 Feb 2022 14:37:50 -0800 Subject: [PATCH] updates for .14 release, clean up docs --- .github/workflows/test-release.yaml | 2 +- getting-started.md | 131 +++++++++++++--------------- hack/setup-kind.sh | 11 --- 3 files changed, 64 insertions(+), 80 deletions(-) diff --git a/.github/workflows/test-release.yaml b/.github/workflows/test-release.yaml index df8f9be00..3c2d77652 100644 --- a/.github/workflows/test-release.yaml +++ b/.github/workflows/test-release.yaml @@ -31,7 +31,7 @@ jobs: env: KNATIVE_VERSION: "1.1.0" - RELEASE_VERSION: "v0.1.13-alpha" + RELEASE_VERSION: "v0.1.14" KO_DOCKER_REPO: registry.local:5000/knative KOCACHE: ~/ko diff --git a/getting-started.md b/getting-started.md index e8d40df7c..b7e287708 100644 --- a/getting-started.md +++ b/getting-started.md @@ -29,10 +29,6 @@ disabled, details [here](https://developer.apple.com/forums/thread/682332)). Alternatively, you can manually modify the script and change the [REGISTRY_PORT](https://github.com/vaikas/sigstore-scaffolding/blob/main/hack/setup-mac-kind.sh#L19) -```shell -./hack/setup-mac-kind.sh -``` - *NOTE* You may have to uninstall the docker registry container between running the above scripts because it spins up a registry container in a daemon mode. To clean a previously running registry, you can do one of these: 
@@ -58,13 +54,13 @@ docker rm -f b1e3f3238f7a # Install sigstore-scaffolding pieces ```shell -curl -L https://github.com/vaikas/sigstore-scaffolding/releases/download/v0.1.13-alpha/release.yaml | kubectl apply -f - +curl -L https://github.com/vaikas/sigstore-scaffolding/releases/download/v0.1.14/release.yaml | kubectl apply -f - ``` Or for Arm64 based (M1 for example): ```shell -curl -L https://github.com/vaikas/sigstore-scaffolding/releases/download/v0.1.13-alpha/release-arm.yaml | kubectl apply -f - +curl -L https://github.com/vaikas/sigstore-scaffolding/releases/download/v0.1.14/release-arm.yaml | kubectl apply -f - ``` The reason for different releases is the mysql binary used in the Intel based @@ -125,6 +121,10 @@ and Rekor can be accessed in the cluster with: * `rekor.rekor-system.svc` ## Testing Your new Sigstore Kind Cluster + +Let's first run a quick smoke test that does a cosign sign followed by making +sure that the rekor entry is created for it. + 1) Get ctlog-public-key and add to default namespace ```shell kubectl -n ctlog-system get secrets ctlog-public-key -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl apply -f - 
@@ -132,74 +132,48 @@ kubectl -n ctlog-system get secrets ctlog-public-key -oyaml | sed 's/namespace: 3) Create the two test jobs (checktree and check-oidc) using this yaml (this may take a bit, since the two jobs are launched simultaneously) ```shell -curl -L https://github.com/vaikas/sigstore-scaffolding/releases/download/v0.1.13-alpha/testrelease.yaml | kubectl apply -f - +curl -L https://github.com/vaikas/sigstore-scaffolding/releases/download/v0.1.14/testrelease.yaml | kubectl apply -f - ``` 4) To view if jobs have completed ```shell -kubectl get jobs/checktree jobs/check-oidc +kubectl wait --timeout=5m --for=condition=Complete jobs checktree check-oidc ``` -## Example e2e test and cosign invocation using all of the above +## Exercising the local cluster -There's an [E2E](./github/workflows/fulcio-rekor-kind.yaml) test that spins all -these up and before the documentation here catches up is probably the best place -to look to see how things are spun up if you run into trouble or want to use it -in your tests. +Because all the pieces are running in the kind cluster, we need to make couple +of things to make it usable by normal cosign tooling from your local machine. -As part of the E2E test we use [cosign](https://github.com/sigstore/cosign) to -sign an image (and verify an entry made it Rekor), that should hopefully allow -you to use it in your tests as well. 
The invocation is -[here](./testdata/config/sign-job/sign-job.yaml) and while it's wrapped in a k8s -Job and it uses a container, it basically executes this against the stack -deployed above: - -```shell -COSIGN_EXPERIMENTAL=true SIGSTORE_CT_LOG_PUBLIC_KEY_FILE=/var/run/sigstore-root/rootfile.pem -cosign sign --fulcio-url=http://fulcio.fulcio-system.svc \ ---rekor-url=http://rekor.rekor-system.svc \ -ko://github.com/vaikas/sigstore-scaffolding/cmd/rekor/checktree -``` +### Certificates -Where the `rootfile.pem` gets mounted by the job, but you can get this Public -key of the CTLog, so that you can verify the SCT coming back from Fulcio, by -doing this: +There are two certificates that we need, CT Log and Fulcio root certs. Note that +if you are switching back and forth between public / your instance, you might +not want to export these variables as hilarity will ensue. +CT Log: ```shell -kubectl -n ctlog-system get secrets ctlog-public-key -o=jsonpath='{.data.public}' | base64 -d +kubectl -n ctlog-system get secrets ctlog-public-key -o=jsonpath='{.data.public}' | base64 -d > ./ctlog-public.pem +export SIGSTORE_CT_LOG_PUBLIC_KEY_FILE=./ctlog-public.pem ``` -For example for my invocation it looks like this: - +Fulcio root: ```shell -kubectl -n ctlog-system get secrets ctlog-public-key -o=jsonpath='{.data.public}' | base64 -d ------BEGIN RSA PUBLIC KEY----- -MIICCgKCAgEAtPFdYCIKeK9yIZioAqk1JZnkxQVaisxJf17iMgZ6zRxoOh/E/Owh -GIHLUE53P3Zucezq5haJtUz0U8DQd5SDDt7KkT6hyWddLBqVpeHsvIVFb+fva4pn -HgUhXSLiPDuKFP6a4d1b/g9FX0PUFRfUtt1pBL6w+r/oEZtvNgt6xj2a/YK1Vfef -MzJowQ86qAuvAUko9Rt2wkSyjlk3hAq3T+9zTdrR8mfJ6Q0TfFjqVDgZIlVu92TN -BneIzkSp+CnpJo6ghQiVlCMKqaBzYmNWBusNGShGBXuH976nW4AWPMagyUlYDVu3 -1L2vHyEuEZpwJgGxWH0SQ2uV94rYqnrdNRfIMvkCQsW/U7zVRf9S3u1lA2sRp7h2 -fBe0D27Bu0sCOPH4fwabsKNcrNN/7vTNvujmoS7LqYwI6DvzyjTXSazy9mImB6Ik -0Izm94FL12vQSSsHRXXT0lkvL3cBRHbCd/qk54LKWisO098Nsx24W6dIjFXevnPg -SPqIvN546ELoE5Opa5p8KCEw7IAkkb0OvnfnfciRwmPVBR19fslkm1qAS17ayAKq 
-OFShVnTiiecQpssOUTCpe9n0y+GRnsx6KazyDHZ6iTCNrXTFDYzocoX3xJV62vyo -uiXoqBju311tisbKmtUX+g8JNlyH3p/eN0TePflERtS4yTcNkDvxVrUCAwEAAQ== ------END RSA PUBLIC KEY----- +kubectl -n fulcio-system get secrets fulcio-secret -ojsonpath='{.data.cert}' | base64 -d > ./fulcio-root.pem +export SIGSTORE_ROOT_FILE=./fulcio-root.pem ``` -So you can pipe that to file and replace the `/var/run/sigstore-root/rootfile.pem` -with that location. +### Network access -If the services of the cluster are not publically accessible, you can -port-forward to your cluster like so (assuming you installed Knative with -kourier): +Setup port forwarding: ```shell kubectl -n kourier-system port-forward service/kourier-internal 8080:80 & ``` -and adding entries to your /etc/hosts +### Adding localhost entries to make tools usable + +Add the following entries to your `/etc/hosts` file ``` 127.0.0.1 rekor.rekor-system.svc 
@@ -207,30 +181,51 @@ and adding entries to your /etc/hosts 127.0.0.1 ctlog.ctlog-system.svc ``` -If you do this port forwarding, then you also have to modify the --fulcio-url -and --rekor-url above to have the local port number, so for example: +This makes using tooling easier, for example: +```shell +rekor-cli --rekor_server http://rekor.rekor-system.svc:8080 loginfo ``` ---fulcio-url=http://fulcio.fulcio-system.svc:8080 ---rekor-url=http://rekor.rekor-system.svc:8080 + +For example, this is what I get after smoke tests have successfully completed: +```shell +rekor-cli --rekor_server http://rekor.rekor-system.svc:8080 loginfo +No previous log state stored, unable to prove consistency +Verification Successful! +Tree Size: 1 +Root Hash: 062e2fa50e2b523f9cfd4eadc4b67745436226d64bf9799d57c5dc023681c4b8 +Timestamp: 2022-02-04T22:09:46Z ``` -You can also verify that the entries were added to the CTLog (this is assuming) -you successfully ran the jobs to completion above. For example, this is what -I get: +You can then execute various cosign/rekor-cli commands against these. However, +until [this issue](https://github.com/sigstore/cosign/issues/1405) gets fixed +for cosign you have to use `--allow-insecure-flag` in your cosign invocations. +For example, to verify an image hosted in the local registry: ```shell -curl http://ctlog.ctlog-system.svc:8080/sigstorescaffolding/ct/v1/get-sth -{"tree_size":1,"timestamp":1643137195022,"sha256_root_hash":"i3NpxGSUw0/Ol0NmIba9ssMbYsogHHpwD3fHIGS84AI=","tree_head_signature":"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"}% +COSIGN_EXPERIMENTAL=1 ./main verify --allow-insecure-registry registry.local:5000/knative/pythontest@sha256:080c3ad99fdd8b6f23da3085fb321d8a4fa57f8d4dd30135132e0fe3b31aa602 ``` -And if you check the rekor state for example with loginfo, you can do so like: +## Incorporating to e2e tests for projects using Sigstore. 
+ +There's an [E2E](./github/workflows/fulcio-rekor-kind.yaml) test that spins all +these up and before the documentation here catches up is probably the best place +to look to see how things are spun up if you run into trouble or want to use it +in your tests. + +As part of the E2E test we use [cosign](https://github.com/sigstore/cosign) to +sign an image (and verify an entry made it Rekor), that should hopefully allow +you to use it in your tests as well. The invocation is +[here](./testdata/config/sign-job/sign-job.yaml) and while it's wrapped in a k8s +Job and it uses a container, it basically executes this against the stack +deployed above: ```shell -rekor-cli --store_tree_state=false --rekor_server http://rekor.rekor-system.svc:8080 loginfo -No previous log state stored, unable to prove consistency -Verification Successful! -Tree Size: 1 -Root Hash: 68034bc4c888a307cd2f3289aecc4ebf80c5b720a4655bc2b3a073671ca2d54a -Timestamp: 2022-01-25T19:28:56Z +COSIGN_EXPERIMENTAL=true SIGSTORE_CT_LOG_PUBLIC_KEY_FILE=/var/run/sigstore-root/rootfile.pem +cosign sign --fulcio-url=http://fulcio.fulcio-system.svc \ +--rekor-url=http://rekor.rekor-system.svc \ +ko://github.com/vaikas/sigstore-scaffolding/cmd/rekor/checktree ``` + +Where the `rootfile.pem` gets mounted by the job, and it's the public key of the +CTLog, so we can verify the SCT coming back from Fulcio. diff --git a/hack/setup-kind.sh b/hack/setup-kind.sh index 12f7547b9..d73a39b55 100755 --- a/hack/setup-kind.sh +++ b/hack/setup-kind.sh 
@@ -17,17 +17,6 @@ else
 RUNNING_ON_MAC="false"
 fi
 
-if [ ${THIS_HW} == "arm64" ]; then
- RELEASE="https://github.com/vaikas/sigstore-scaffolding/releases/download/v0.1.13-alpha/release-arm.yaml"
-else
- RELEASE="https://github.com/vaikas/sigstore-scaffolding/releases/download/v0.1.13-alpha/release.yaml"
-fi
-
-#if [[ -z "${GITHUB_WORKSPACE}" ]]; then
-# echo "This script is expected to run in the context of GitHub Actions."
-# exit 1
-#fi
-
 # Defaults
 K8S_VERSION="v1.21.x"
 KNATIVE_VERSION="1.1.0"