updates for .14 release, clean up docs
vaikas committed Feb 4, 2022
1 parent 89a026f commit dee630d
Showing 3 changed files with 64 additions and 80 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/test-release.yaml
@@ -31,7 +31,7 @@ jobs:

env:
KNATIVE_VERSION: "1.1.0"
RELEASE_VERSION: "v0.1.13-alpha"
RELEASE_VERSION: "v0.1.14"
KO_DOCKER_REPO: registry.local:5000/knative
KOCACHE: ~/ko
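Review bot: RELEASE_VERSION is bumped to the non-alpha tag here, but the same version string is hand-edited separately in the three curl URLs of getting-started.md in this commit; consider having the docs and the workflow read one value (a single variable or a templated snippet) so the next bump cannot leave one of them pointing at a stale release.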

131 changes: 63 additions & 68 deletions getting-started.md
@@ -29,10 +29,6 @@ disabled, details [here](https://developer.apple.com/forums/thread/682332)).
Alternatively, you can manually modify the script and change the
[REGISTRY_PORT](https://github.com/vaikas/sigstore-scaffolding/blob/main/hack/setup-mac-kind.sh#L19)

```shell
./hack/setup-mac-kind.sh
```

*NOTE* You may have to uninstall the docker registry container between running
the above scripts because it spins up a registry container in a daemon mode.
To clean a previously running registry, you can do one of these:
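Review bot: removing the `./hack/setup-mac-kind.sh` invocation leaves the Mac paragraph ending on "change the REGISTRY_PORT" with no instruction on how to actually run the script, and the *NOTE* that follows still says "the above scripts", which in this section now refers to nothing; either keep a one-line invocation or reword the note to name the script explicitly.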
@@ -58,13 +54,13 @@ docker rm -f b1e3f3238f7a
# Install sigstore-scaffolding pieces

```shell
curl -L https://github.com/vaikas/sigstore-scaffolding/releases/download/v0.1.13-alpha/release.yaml | kubectl apply -f -
curl -L https://github.com/vaikas/sigstore-scaffolding/releases/download/v0.1.14/release.yaml | kubectl apply -f -
```

Or for Arm64 based (M1 for example):

```shell
curl -L https://github.com/vaikas/sigstore-scaffolding/releases/download/v0.1.13-alpha/release-arm.yaml | kubectl apply -f -
curl -L https://github.com/vaikas/sigstore-scaffolding/releases/download/v0.1.14/release-arm.yaml | kubectl apply -f -
```

The reason for different releases is the mysql binary used in the Intel based
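Review bot: both commands still pipe a manifest fetched with `curl -L` straight into `kubectl apply` with no integrity check; for a project whose purpose is supply-chain verification, document how the reader should verify the release asset before applying it (a published checksum, or a cosign signature on `release.yaml` if the release ships one), or at least write it to a file first so what gets applied can be inspected. The tag also now appears twice in this section, so a `RELEASE_VERSION=v0.1.14` shell variable would keep the Intel and Arm64 lines in sync.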
@@ -125,112 +121,111 @@ and Rekor can be accessed in the cluster with:
* `rekor.rekor-system.svc`

## Testing Your new Sigstore Kind Cluster

Let's first run a quick smoke test that does a cosign sign followed by making
sure that the rekor entry is created for it.

1) Get ctlog-public-key and add to default namespace
```shell
kubectl -n ctlog-system get secrets ctlog-public-key -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl apply -f -
```

3) Create the two test jobs (checktree and check-oidc) using this yaml (this may take a bit, since the two jobs are launched simultaneously)
```shell
curl -L https://github.com/vaikas/sigstore-scaffolding/releases/download/v0.1.13-alpha/testrelease.yaml | kubectl apply -f -
curl -L https://github.com/vaikas/sigstore-scaffolding/releases/download/v0.1.14/testrelease.yaml | kubectl apply -f -
```

4) To view if jobs have completed
```shell
kubectl get jobs/checktree jobs/check-oidc
kubectl wait --timeout=5m --for=condition=Complete jobs checktree check-oidc
```

## Example e2e test and cosign invocation using all of the above
## Exercising the local cluster

There's an [E2E](./github/workflows/fulcio-rekor-kind.yaml) test that spins all
these up and before the documentation here catches up is probably the best place
to look to see how things are spun up if you run into trouble or want to use it
in your tests.
Because all the pieces are running in the kind cluster, we need to make couple
of things to make it usable by normal cosign tooling from your local machine.

As part of the E2E test we use [cosign](https://github.com/sigstore/cosign) to
sign an image (and verify an entry made it Rekor), that should hopefully allow
you to use it in your tests as well. The invocation is
[here](./testdata/config/sign-job/sign-job.yaml) and while it's wrapped in a k8s
Job and it uses a container, it basically executes this against the stack
deployed above:

```shell
COSIGN_EXPERIMENTAL=true SIGSTORE_CT_LOG_PUBLIC_KEY_FILE=/var/run/sigstore-root/rootfile.pem
cosign sign --fulcio-url=http://fulcio.fulcio-system.svc \
--rekor-url=http://rekor.rekor-system.svc \
ko://github.com/vaikas/sigstore-scaffolding/cmd/rekor/checktree
```
### Certificates

Where the `rootfile.pem` gets mounted by the job, but you can get this Public
key of the CTLog, so that you can verify the SCT coming back from Fulcio, by
doing this:
There are two certificates that we need, CT Log and Fulcio root certs. Note that
if you are switching back and forth between public / your instance, you might
not want to export these variables as hilarity will ensue.

CT Log:
```shell
kubectl -n ctlog-system get secrets ctlog-public-key -o=jsonpath='{.data.public}' | base64 -d
kubectl -n ctlog-system get secrets ctlog-public-key -o=jsonpath='{.data.public}' | base64 -d > ./ctlog-public.pem
export SIGSTORE_CT_LOG_PUBLIC_KEY_FILE=./ctlog-public.pem
```

For example for my invocation it looks like this:

Fulcio root:
```shell
kubectl -n ctlog-system get secrets ctlog-public-key -o=jsonpath='{.data.public}' | base64 -d
-----BEGIN RSA PUBLIC KEY-----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==
-----END RSA PUBLIC KEY-----
kubectl -n fulcio-system get secrets fulcio-secret -ojsonpath='{.data.cert}' | base64 -d > ./fulcio-root.pem
export SIGSTORE_ROOT_FILE=./fulcio-root.pem
```

So you can pipe that to file and replace the `/var/run/sigstore-root/rootfile.pem`
with that location.
### Network access

If the services of the cluster are not publically accessible, you can
port-forward to your cluster like so (assuming you installed Knative with
kourier):
Setup port forwarding:

```shell
kubectl -n kourier-system port-forward service/kourier-internal 8080:80 &
```

and adding entries to your /etc/hosts
### Adding localhost entries to make tools usable

Add the following entries to your `/etc/hosts` file

```
127.0.0.1 rekor.rekor-system.svc
127.0.0.1 fulcio.fulcio-system.svc
127.0.0.1 ctlog.ctlog-system.svc
```

If you do this port forwarding, then you also have to modify the --fulcio-url
and --rekor-url above to have the local port number, so for example:
This makes using tooling easier, for example:

```shell
rekor-cli --rekor_server http://rekor.rekor-system.svc:8080 loginfo
```
--fulcio-url=http://fulcio.fulcio-system.svc:8080
--rekor-url=http://rekor.rekor-system.svc:8080

For example, this is what I get after smoke tests have successfully completed:
```shell
rekor-cli --rekor_server http://rekor.rekor-system.svc:8080 loginfo
No previous log state stored, unable to prove consistency
Verification Successful!
Tree Size: 1
Root Hash: 062e2fa50e2b523f9cfd4eadc4b67745436226d64bf9799d57c5dc023681c4b8
Timestamp: 2022-02-04T22:09:46Z
```

You can also verify that the entries were added to the CTLog (this is assuming)
you successfully ran the jobs to completion above. For example, this is what
I get:
You can then execute various cosign/rekor-cli commands against these. However,
until [this issue](https://github.com/sigstore/cosign/issues/1405) gets fixed
for cosign you have to use `--allow-insecure-flag` in your cosign invocations.
For example, to verify an image hosted in the local registry:

```shell
curl http://ctlog.ctlog-system.svc:8080/sigstorescaffolding/ct/v1/get-sth
{"tree_size":1,"timestamp":1643137195022,"sha256_root_hash":"i3NpxGSUw0/Ol0NmIba9ssMbYsogHHpwD3fHIGS84AI=","tree_head_signature":"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"}%
COSIGN_EXPERIMENTAL=1 ./main verify --allow-insecure-registry registry.local:5000/knative/pythontest@sha256:080c3ad99fdd8b6f23da3085fb321d8a4fa57f8d4dd30135132e0fe3b31aa602
```

And if you check the rekor state for example with loginfo, you can do so like:
## Incorporating to e2e tests for projects using Sigstore.

There's an [E2E](./github/workflows/fulcio-rekor-kind.yaml) test that spins all
these up and before the documentation here catches up is probably the best place
to look to see how things are spun up if you run into trouble or want to use it
in your tests.

As part of the E2E test we use [cosign](https://github.com/sigstore/cosign) to
sign an image (and verify an entry made it Rekor), that should hopefully allow
you to use it in your tests as well. The invocation is
[here](./testdata/config/sign-job/sign-job.yaml) and while it's wrapped in a k8s
Job and it uses a container, it basically executes this against the stack
deployed above:

```shell
rekor-cli --store_tree_state=false --rekor_server http://rekor.rekor-system.svc:8080 loginfo
No previous log state stored, unable to prove consistency
Verification Successful!
Tree Size: 1
Root Hash: 68034bc4c888a307cd2f3289aecc4ebf80c5b720a4655bc2b3a073671ca2d54a
Timestamp: 2022-01-25T19:28:56Z
COSIGN_EXPERIMENTAL=true SIGSTORE_CT_LOG_PUBLIC_KEY_FILE=/var/run/sigstore-root/rootfile.pem
cosign sign --fulcio-url=http://fulcio.fulcio-system.svc \
--rekor-url=http://rekor.rekor-system.svc \
ko://github.com/vaikas/sigstore-scaffolding/cmd/rekor/checktree
```

Where the `rootfile.pem` gets mounted by the job, and it's the public key of the
CTLog, so we can verify the SCT coming back from Fulcio.
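Review bot: the prose in the "Network access" section says cosign needs `--allow-insecure-flag`, but the command right below it uses `--allow-insecure-registry`; the prose should name the real flag. That same example runs `./main verify ...`, a local build artifact name readers will not have, where `cosign verify` would match the rest of the document. The link `./github/workflows/fulcio-rekor-kind.yaml` (kept in both the old and new text) is missing the leading dot of `.github`, so it does not resolve in the rendered page, and the smoke-test steps are numbered 1), 3), 4). Finally, since `export SIGSTORE_ROOT_FILE=./fulcio-root.pem` and `export SIGSTORE_CT_LOG_PUBLIC_KEY_FILE=./ctlog-public.pem` make every later cosign verification in that shell trust the kind cluster's Fulcio and CT log, the "hilarity will ensue" remark is worth stating plainly: set these per command or in a subshell so a verification of a public image is not silently accepted against the local test roots.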
11 changes: 0 additions & 11 deletions hack/setup-kind.sh
@@ -17,17 +17,6 @@ else
RUNNING_ON_MAC="false"
fi

if [ ${THIS_HW} == "arm64" ]; then
RELEASE="https://github.com/vaikas/sigstore-scaffolding/releases/download/v0.1.13-alpha/release-arm.yaml"
else
RELEASE="https://github.com/vaikas/sigstore-scaffolding/releases/download/v0.1.13-alpha/release.yaml"
fi

#if [[ -z "${GITHUB_WORKSPACE}" ]]; then
# echo "This script is expected to run in the context of GitHub Actions."
# exit 1
#fi

# Defaults
K8S_VERSION="v1.21.x"
KNATIVE_VERSION="1.1.0"
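Review bot: this hunk deletes the only RELEASE assignment visible in setup-kind.sh without adding a replacement; if anything further down still expands `${RELEASE}`, it will now be empty and the release fetch will fail with an unhelpful URL, so confirm the rest of the script no longer references it (or now takes the release from the caller). Dropping the commented-out GITHUB_WORKSPACE guard is fine as dead code.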