From fcc17b177b3ef0d5eb7f6032ee4eb289b3d110c9 Mon Sep 17 00:00:00 2001 From: Gregory Giguashvili Date: Tue, 28 Jan 2025 09:23:32 +0200 Subject: [PATCH 1/6] Remove explicit IMAGE_SIGSTORE_ENABLED=false setting from scenarios --- .../periodics/el94-crel@el94-src@optional-upgrade.sh | 5 ----- .../periodics/el94-crel@el94-src@upgrade-fails.sh | 5 ----- .../periodics/el94-prel@el94-crel@upgrade-ok.sh | 5 ----- .../el94-prel@el94-src@upgrade-fails-and-rolls-back.sh | 5 ----- .../periodics/el94-prel@el94-src@upgrade-ostree2bootc-ok.sh | 5 ----- .../periodics/el94-src@upgrade-fails-cannot-backup.sh | 5 ----- .../el94-yminus2@el94-src@upgrade-ostree2bootc-ok.sh | 5 ----- test/scenarios-bootc/presubmits/cos9-src@optional.sh | 3 --- .../presubmits/el94-base@el94-src@upgrade-ok.sh | 5 ----- .../presubmits/el94-crel@el94-src@upgrade-ok.sh | 5 ----- .../presubmits/el94-prel@el94-src@upgrade-ok.sh | 5 ----- test/scenarios-bootc/presubmits/el94-src@downgrade-block.sh | 5 ----- test/scenarios-bootc/presubmits/el94-src@optional.sh | 3 --- ...el94-src@upgrade-fails-on-1st-boot-but-recovers-on-2nd.sh | 5 ----- test/scenarios-bootc/presubmits/el94-src@upgrade-fails.sh | 5 ----- .../presubmits/el94-yminus2@el94-src@upgrade-ok.sh | 5 ----- test/scenarios/periodics/el94-src@optional.sh | 3 --- 17 files changed, 79 deletions(-) diff --git a/test/scenarios-bootc/periodics/el94-crel@el94-src@optional-upgrade.sh b/test/scenarios-bootc/periodics/el94-crel@el94-src@optional-upgrade.sh index e0fced349c..53ea6dfffa 100644 --- a/test/scenarios-bootc/periodics/el94-crel@el94-src@optional-upgrade.sh +++ b/test/scenarios-bootc/periodics/el94-crel@el94-src@optional-upgrade.sh 
@@ -2,11 +2,6 @@ # Sourced from scenario.sh and uses functions defined there. -# Disable signature verification because the test performs an upgrade to -# a target reference unsigned image that was generated by local builds -# shellcheck disable=SC2034 # used elsewhere -IMAGE_SIGSTORE_ENABLED=false - scenario_create_vms() { prepare_kickstart host1 kickstart-bootc.ks.template rhel94-bootc-crel-optionals launch_vm --boot_blueprint rhel94-bootc --bootc diff --git a/test/scenarios-bootc/periodics/el94-crel@el94-src@upgrade-fails.sh b/test/scenarios-bootc/periodics/el94-crel@el94-src@upgrade-fails.sh index 29ffa77a29..29e7400087 100644 --- a/test/scenarios-bootc/periodics/el94-crel@el94-src@upgrade-fails.sh +++ b/test/scenarios-bootc/periodics/el94-crel@el94-src@upgrade-fails.sh @@ -2,11 +2,6 @@ # Sourced from scenario.sh and uses functions defined there. -# Disable signature verification because the test performs an upgrade to -# a target reference unsigned image that was generated by local builds -# shellcheck disable=SC2034 # used elsewhere -IMAGE_SIGSTORE_ENABLED=false - scenario_create_vms() { prepare_kickstart host1 kickstart-bootc.ks.template rhel94-bootc-crel launch_vm --boot_blueprint rhel94-bootc --bootc diff --git a/test/scenarios-bootc/periodics/el94-prel@el94-crel@upgrade-ok.sh b/test/scenarios-bootc/periodics/el94-prel@el94-crel@upgrade-ok.sh index d3654fef06..191a1c0bb0 100644 --- a/test/scenarios-bootc/periodics/el94-prel@el94-crel@upgrade-ok.sh +++ b/test/scenarios-bootc/periodics/el94-prel@el94-crel@upgrade-ok.sh @@ -2,11 +2,6 @@ # Sourced from scenario.sh and uses functions defined there. -# Disable signature verification because the test performs an upgrade to -# a target reference unsigned image that was generated by local builds -# shellcheck disable=SC2034 # used elsewhere -IMAGE_SIGSTORE_ENABLED=false - scenario_create_vms() { prepare_kickstart host1 kickstart-bootc.ks.template rhel94-bootc-prel launch_vm --boot_blueprint rhel94-bootc --bootc 
diff --git a/test/scenarios-bootc/periodics/el94-prel@el94-src@upgrade-fails-and-rolls-back.sh b/test/scenarios-bootc/periodics/el94-prel@el94-src@upgrade-fails-and-rolls-back.sh index cde5fd3ed4..550da444f7 100644 --- a/test/scenarios-bootc/periodics/el94-prel@el94-src@upgrade-fails-and-rolls-back.sh +++ b/test/scenarios-bootc/periodics/el94-prel@el94-src@upgrade-fails-and-rolls-back.sh @@ -2,11 +2,6 @@ # Sourced from scenario.sh and uses functions defined there. -# Disable signature verification because the test performs an upgrade to -# a target reference unsigned image that was generated by local builds -# shellcheck disable=SC2034 # used elsewhere -IMAGE_SIGSTORE_ENABLED=false - scenario_create_vms() { prepare_kickstart host1 kickstart-bootc.ks.template rhel94-bootc-prel launch_vm --boot_blueprint rhel94-bootc --bootc diff --git a/test/scenarios-bootc/periodics/el94-prel@el94-src@upgrade-ostree2bootc-ok.sh b/test/scenarios-bootc/periodics/el94-prel@el94-src@upgrade-ostree2bootc-ok.sh index f8b3f45945..7532b7493c 100644 --- a/test/scenarios-bootc/periodics/el94-prel@el94-src@upgrade-ostree2bootc-ok.sh +++ b/test/scenarios-bootc/periodics/el94-prel@el94-src@upgrade-ostree2bootc-ok.sh @@ -2,11 +2,6 @@ # Sourced from scenario.sh and uses functions defined there. -# Disable signature verification because the test performs an upgrade to -# a target reference unsigned image that was generated by local builds -# shellcheck disable=SC2034 # used elsewhere -IMAGE_SIGSTORE_ENABLED=false - scenario_create_vms() { # The y-1 ostree image will be fetched from the cache as it is not built # as part of the bootc image build procedure diff --git a/test/scenarios-bootc/periodics/el94-src@upgrade-fails-cannot-backup.sh b/test/scenarios-bootc/periodics/el94-src@upgrade-fails-cannot-backup.sh index 4c183f8bc2..85e3c17083 100644 --- a/test/scenarios-bootc/periodics/el94-src@upgrade-fails-cannot-backup.sh +++ b/test/scenarios-bootc/periodics/el94-src@upgrade-fails-cannot-backup.sh 
@@ -2,11 +2,6 @@ # Sourced from scenario.sh and uses functions defined there. -# Disable signature verification because the test performs an upgrade to -# a target reference unsigned image that was generated by local builds -# shellcheck disable=SC2034 # used elsewhere -IMAGE_SIGSTORE_ENABLED=false - scenario_create_vms() { prepare_kickstart host1 kickstart-bootc.ks.template rhel94-bootc-source launch_vm --boot_blueprint rhel94-bootc --bootc diff --git a/test/scenarios-bootc/periodics/el94-yminus2@el94-src@upgrade-ostree2bootc-ok.sh b/test/scenarios-bootc/periodics/el94-yminus2@el94-src@upgrade-ostree2bootc-ok.sh index 77cf17fecf..7a358e6c2d 100644 --- a/test/scenarios-bootc/periodics/el94-yminus2@el94-src@upgrade-ostree2bootc-ok.sh +++ b/test/scenarios-bootc/periodics/el94-yminus2@el94-src@upgrade-ostree2bootc-ok.sh @@ -2,11 +2,6 @@ # Sourced from scenario.sh and uses functions defined there. -# Disable signature verification because the test performs an upgrade to -# a target reference unsigned image that was generated by local builds -# shellcheck disable=SC2034 # used elsewhere -IMAGE_SIGSTORE_ENABLED=false - scenario_create_vms() { # The y-1 ostree image will be fetched from the cache as it is not built # as part of the bootc image build procedure diff --git a/test/scenarios-bootc/presubmits/cos9-src@optional.sh b/test/scenarios-bootc/presubmits/cos9-src@optional.sh index e1a504b077..3c5cc360b8 100644 --- a/test/scenarios-bootc/presubmits/cos9-src@optional.sh +++ b/test/scenarios-bootc/presubmits/cos9-src@optional.sh @@ -6,9 +6,6 @@ VM_BRIDGE_IP="$(get_vm_bridge_ip "${VM_MULTUS_NETWORK}")" # shellcheck disable=SC2034 # used elsewhere WEB_SERVER_URL="http://${VM_BRIDGE_IP}:${WEB_SERVER_PORT}" -# Disable signature verification due to unsigned images used in this test -# shellcheck disable=SC2034 # used elsewhere -IMAGE_SIGSTORE_ENABLED=false scenario_create_vms() { prepare_kickstart host1 kickstart-bootc.ks.template cos9-bootc-source-optionals 
diff --git a/test/scenarios-bootc/presubmits/el94-base@el94-src@upgrade-ok.sh b/test/scenarios-bootc/presubmits/el94-base@el94-src@upgrade-ok.sh index 80fe12e0e9..af6f9e7858 100644 --- a/test/scenarios-bootc/presubmits/el94-base@el94-src@upgrade-ok.sh +++ b/test/scenarios-bootc/presubmits/el94-base@el94-src@upgrade-ok.sh @@ -2,11 +2,6 @@ # Sourced from scenario.sh and uses functions defined there. -# Disable signature verification because the test performs an upgrade to -# a target reference unsigned image that was generated by local builds -# shellcheck disable=SC2034 # used elsewhere -IMAGE_SIGSTORE_ENABLED=false - scenario_create_vms() { prepare_kickstart host1 kickstart-bootc.ks.template rhel94-bootc-source-base launch_vm --boot_blueprint rhel94-bootc --bootc diff --git a/test/scenarios-bootc/presubmits/el94-crel@el94-src@upgrade-ok.sh b/test/scenarios-bootc/presubmits/el94-crel@el94-src@upgrade-ok.sh index 779092c347..deef6e4a43 100644 --- a/test/scenarios-bootc/presubmits/el94-crel@el94-src@upgrade-ok.sh +++ b/test/scenarios-bootc/presubmits/el94-crel@el94-src@upgrade-ok.sh @@ -2,11 +2,6 @@ # Sourced from scenario.sh and uses functions defined there. -# Disable signature verification because the test performs an upgrade to -# a target reference unsigned image that was generated by local builds -# shellcheck disable=SC2034 # used elsewhere -IMAGE_SIGSTORE_ENABLED=false - scenario_create_vms() { prepare_kickstart host1 kickstart-bootc.ks.template rhel94-bootc-crel launch_vm --boot_blueprint rhel94-bootc --bootc diff --git a/test/scenarios-bootc/presubmits/el94-prel@el94-src@upgrade-ok.sh b/test/scenarios-bootc/presubmits/el94-prel@el94-src@upgrade-ok.sh index f10f91c4fb..f56cf85c10 100644 --- a/test/scenarios-bootc/presubmits/el94-prel@el94-src@upgrade-ok.sh +++ b/test/scenarios-bootc/presubmits/el94-prel@el94-src@upgrade-ok.sh 
@@ -2,11 +2,6 @@ # Sourced from scenario.sh and uses functions defined there. -# Disable signature verification because the test performs an upgrade to -# a target reference unsigned image that was generated by local builds -# shellcheck disable=SC2034 # used elsewhere -IMAGE_SIGSTORE_ENABLED=false - scenario_create_vms() { prepare_kickstart host1 kickstart-bootc.ks.template rhel94-bootc-prel launch_vm --boot_blueprint rhel94-bootc --bootc diff --git a/test/scenarios-bootc/presubmits/el94-src@downgrade-block.sh b/test/scenarios-bootc/presubmits/el94-src@downgrade-block.sh index 336ca32986..0733e3cc49 100644 --- a/test/scenarios-bootc/presubmits/el94-src@downgrade-block.sh +++ b/test/scenarios-bootc/presubmits/el94-src@downgrade-block.sh @@ -2,11 +2,6 @@ # Sourced from scenario.sh and uses functions defined there. -# Disable signature verification because the test performs an upgrade to -# a target reference unsigned image that was generated by local builds -# shellcheck disable=SC2034 # used elsewhere -IMAGE_SIGSTORE_ENABLED=false - scenario_create_vms() { prepare_kickstart host1 kickstart-bootc.ks.template rhel94-bootc-source-fake-next-minor launch_vm --boot_blueprint rhel94-bootc --bootc diff --git a/test/scenarios-bootc/presubmits/el94-src@optional.sh b/test/scenarios-bootc/presubmits/el94-src@optional.sh index 4128f1d4a2..868ca736cb 100644 --- a/test/scenarios-bootc/presubmits/el94-src@optional.sh +++ b/test/scenarios-bootc/presubmits/el94-src@optional.sh @@ -6,9 +6,6 @@ VM_BRIDGE_IP="$(get_vm_bridge_ip "${VM_MULTUS_NETWORK}")" # shellcheck disable=SC2034 # used elsewhere WEB_SERVER_URL="http://${VM_BRIDGE_IP}:${WEB_SERVER_PORT}" -# Disable signature verification due to unsigned images used in this test -# shellcheck disable=SC2034 # used elsewhere -IMAGE_SIGSTORE_ENABLED=false scenario_create_vms() { prepare_kickstart host1 kickstart-bootc.ks.template rhel94-bootc-source-optionals 
diff --git a/test/scenarios-bootc/presubmits/el94-src@upgrade-fails-on-1st-boot-but-recovers-on-2nd.sh b/test/scenarios-bootc/presubmits/el94-src@upgrade-fails-on-1st-boot-but-recovers-on-2nd.sh index f24c7bf44e..04305c6121 100644 --- a/test/scenarios-bootc/presubmits/el94-src@upgrade-fails-on-1st-boot-but-recovers-on-2nd.sh +++ b/test/scenarios-bootc/presubmits/el94-src@upgrade-fails-on-1st-boot-but-recovers-on-2nd.sh @@ -2,11 +2,6 @@ # Sourced from scenario.sh and uses functions defined there. -# Disable signature verification because the test performs an upgrade to -# a target reference unsigned image that was generated by local builds -# shellcheck disable=SC2034 # used elsewhere -IMAGE_SIGSTORE_ENABLED=false - scenario_create_vms() { prepare_kickstart host1 kickstart-bootc.ks.template rhel94-bootc-source launch_vm --boot_blueprint rhel94-bootc --bootc diff --git a/test/scenarios-bootc/presubmits/el94-src@upgrade-fails.sh b/test/scenarios-bootc/presubmits/el94-src@upgrade-fails.sh index 2038153272..0969a5083c 100644 --- a/test/scenarios-bootc/presubmits/el94-src@upgrade-fails.sh +++ b/test/scenarios-bootc/presubmits/el94-src@upgrade-fails.sh @@ -2,11 +2,6 @@ # Sourced from scenario.sh and uses functions defined there. -# Disable signature verification because the test performs an upgrade to -# a target reference unsigned image that was generated by local builds -# shellcheck disable=SC2034 # used elsewhere -IMAGE_SIGSTORE_ENABLED=false - scenario_create_vms() { prepare_kickstart host1 kickstart-bootc.ks.template rhel94-bootc-source launch_vm --boot_blueprint rhel94-bootc --bootc diff --git a/test/scenarios-bootc/presubmits/el94-yminus2@el94-src@upgrade-ok.sh b/test/scenarios-bootc/presubmits/el94-yminus2@el94-src@upgrade-ok.sh index 670cc3b96e..45b8f1d3fa 100644 --- a/test/scenarios-bootc/presubmits/el94-yminus2@el94-src@upgrade-ok.sh +++ b/test/scenarios-bootc/presubmits/el94-yminus2@el94-src@upgrade-ok.sh 
@@ -2,11 +2,6 @@ # Sourced from scenario.sh and uses functions defined there. -# Disable signature verification because the test performs an upgrade to -# a target reference unsigned image that was generated by local builds -# shellcheck disable=SC2034 # used elsewhere -IMAGE_SIGSTORE_ENABLED=false - scenario_create_vms() { prepare_kickstart host1 kickstart-bootc.ks.template rhel94-ostree-microshift-yminus2 launch_vm --boot_blueprint rhel94-bootc --bootc diff --git a/test/scenarios/periodics/el94-src@optional.sh b/test/scenarios/periodics/el94-src@optional.sh index c2b2006ff5..b36673a589 100644 --- a/test/scenarios/periodics/el94-src@optional.sh +++ b/test/scenarios/periodics/el94-src@optional.sh @@ -6,9 +6,6 @@ VM_BRIDGE_IP="$(get_vm_bridge_ip "${VM_MULTUS_NETWORK}")" # shellcheck disable=SC2034 # used elsewhere WEB_SERVER_URL="http://${VM_BRIDGE_IP}:${WEB_SERVER_PORT}" -# Disable signature verification due to unsigned images used in this test -# shellcheck disable=SC2034 # used elsewhere -IMAGE_SIGSTORE_ENABLED=false scenario_create_vms() { prepare_kickstart host1 kickstart.ks.template rhel-9.4-microshift-source-optionals From ca845d77ff2489bca09c00aea6a09b66d45202f8 Mon Sep 17 00:00:00 2001 From: Gregory Giguashvili Date: Mon, 27 Jan 2025 18:48:54 +0200 Subject: [PATCH 2/6] Enable sigstore check in published image tests --- .../periodics/el94-crel@published-images-standard1.sh | 5 +++++ .../periodics/el94-crel@published-images-standard2.sh | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/test/scenarios-bootc/periodics/el94-crel@published-images-standard1.sh b/test/scenarios-bootc/periodics/el94-crel@published-images-standard1.sh index 1b4a7599d7..77856c38b2 100644 --- a/test/scenarios-bootc/periodics/el94-crel@published-images-standard1.sh +++ b/test/scenarios-bootc/periodics/el94-crel@published-images-standard1.sh 
@@ -2,6 +2,11 @@ # Sourced from scenario.sh and uses functions defined there. +# Enable container signature verification for published MicroShift images. +# These are ec / rc / z-stream, thus guaranteed to be signed. +# shellcheck disable=SC2034 # used elsewhere +IMAGE_SIGSTORE_ENABLED=true + scenario_create_vms() { if [[ "${CURRENT_RELEASE_REPO}" == http* ]] ; then # Discover a pre-release MicroShift bootc image reference on the mirror diff --git a/test/scenarios-bootc/periodics/el94-crel@published-images-standard2.sh b/test/scenarios-bootc/periodics/el94-crel@published-images-standard2.sh index c9c2ae3d56..921885f9ad 100644 --- a/test/scenarios-bootc/periodics/el94-crel@published-images-standard2.sh +++ b/test/scenarios-bootc/periodics/el94-crel@published-images-standard2.sh @@ -2,6 +2,11 @@ # Sourced from scenario.sh and uses functions defined there. +# Enable container signature verification for published MicroShift images. +# These are ec / rc / z-stream, thus guaranteed to be signed. +# shellcheck disable=SC2034 # used elsewhere +IMAGE_SIGSTORE_ENABLED=true + scenario_create_vms() { if [[ "${CURRENT_RELEASE_REPO}" == http* ]] ; then # Discover a pre-release MicroShift bootc image reference on the mirror From 8428fb5f4e33dcd8b0aeea2409cd6d06ea8c1969 Mon Sep 17 00:00:00 2001 
From: Gregory Giguashvili Date: Mon, 27 Jan 2025 20:22:18 +0200 Subject: [PATCH 3/6] Add dedicated container policy verification test --- .../el94-crel@published-images-standard1.sh | 10 ++- .../el94-crel@published-images-standard2.sh | 8 +- .../periodics/el95-crel@optional-sigstore.sh | 40 +++++++++ .../periodics/el94-crel@optional-sigstore.sh | 40 +++++++++ test/suites/standard1/containers-policy.robot | 81 +++++++++++++++++++ test/suites/standard2/containers-policy.robot | 1 + 6 files changed, 177 insertions(+), 3 deletions(-) create mode 100644 test/scenarios-bootc/periodics/el95-crel@optional-sigstore.sh create mode 100644 test/scenarios/periodics/el94-crel@optional-sigstore.sh create mode 100644 test/suites/standard1/containers-policy.robot create mode 120000 test/suites/standard2/containers-policy.robot diff --git a/test/scenarios-bootc/periodics/el94-crel@published-images-standard1.sh b/test/scenarios-bootc/periodics/el94-crel@published-images-standard1.sh index 77856c38b2..03c331d626 100644 --- a/test/scenarios-bootc/periodics/el94-crel@published-images-standard1.sh +++ b/test/scenarios-bootc/periodics/el94-crel@published-images-standard1.sh @@ -42,7 +42,13 @@ scenario_remove_vms() { } scenario_run_tests() { - run_tests host1 suites/standard1/ - # When SELinux is working on bootc systems add following suite: + if [[ "${CURRENT_RELEASE_REPO}" == "" ]] ; then + # Empty string means there's no EC build yet, so the test needs to be skipped. + exit 0 + fi + run_tests host1 \ + --variable "IMAGE_SIGSTORE_ENABLED:True" \ + suites/standard1/ + # When SELinux is working on RHEL 9.6 bootc systems add following suite: # suites/selinux/validate-selinux-policy.robot } diff --git a/test/scenarios-bootc/periodics/el94-crel@published-images-standard2.sh b/test/scenarios-bootc/periodics/el94-crel@published-images-standard2.sh index 921885f9ad..43a439b28c 100644 --- a/test/scenarios-bootc/periodics/el94-crel@published-images-standard2.sh 
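Review bot: The new `exit 0` in scenario_run_tests of el94-crel@published-images-standard1.sh terminates the whole sourcing process (the file is sourced by scenario.sh according to its header comment) rather than leaving the function, and it does so without any output, so a run with no EC build available is indistinguishable from a green run in the logs. The standard2 hunk that follows uses the same construct. Printing the reason before leaving, e.g. `echo "CURRENT_RELEASE_REPO is empty - no EC build available, skipping tests" >&2`, makes the skip auditable, and if a function return rather than a process exit is the intent, `return 0` matches the skip pattern used by the new optional-sigstore scenarios. `[[ -z "${CURRENT_RELEASE_REPO}" ]]` is the idiomatic form of the empty-string comparison.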
+++ b/test/scenarios-bootc/periodics/el94-crel@published-images-standard2.sh
@@ -42,5 +42,11 @@ scenario_remove_vms() {
 }
 scenario_run_tests() {
- run_tests host1 suites/standard2/
+ if [[ "${CURRENT_RELEASE_REPO}" == "" ]] ; then
+ # TODO: While 4.19-ec is not available, it needs to exit without an error.
+ exit 0
+ fi
+ run_tests host1 \
+ --variable "IMAGE_SIGSTORE_ENABLED:True" \
+ suites/standard2/
 }
diff --git a/test/scenarios-bootc/periodics/el95-crel@optional-sigstore.sh b/test/scenarios-bootc/periodics/el95-crel@optional-sigstore.sh
new file mode 100644
index 0000000000..07215165f2
--- /dev/null
+++ b/test/scenarios-bootc/periodics/el95-crel@optional-sigstore.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# Sourced from scenario.sh and uses functions defined there.
+
+# Enable container signature verification for current release images,
+# including the optional components.
+# These are ec / rc / z-stream, thus must all to be signed.
+# shellcheck disable=SC2034 # used elsewhere
+IMAGE_SIGSTORE_ENABLED=true
+
+start_image=rhel95-bootc-crel-optionals
+
+scenario_create_vms() {
+ if ! does_image_exist "${start_image}"; then
+ echo "Image '${start_image}' not found - skipping test"
+ return 0
+ fi
+ prepare_kickstart host1 kickstart-bootc.ks.template "${start_image}"
+ launch_vm --boot_blueprint rhel95-bootc
+}
+
+scenario_remove_vms() {
+ if ! does_image_exist "${start_image}"; then
+ echo "Image '${start_image}' not found - skipping test"
+ return 0
+ fi
+ remove_vm host1
+}
+
+scenario_run_tests() {
+ if ! does_image_exist "${start_image}"; then
+ echo "Image '${start_image}' not found - skipping test"
+ return 0
+ fi
+ # Run a minimal test for this scenario as its main functionality is
+ # to verify container image signature check is enabled
+ run_tests host1 \
+ --variable "IMAGE_SIGSTORE_ENABLED:True" \
+ suites/standard1/containers-policy.robot
+}
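Review bot: Each of the three does_image_exist guards in el95-crel@optional-sigstore.sh turns a missing image into a plain `return 0` with only an echo on stdout, so the scenario whose sole purpose is to prove that signature enforcement is on is recorded as passed whenever the image is not there; the ostree variant el94-crel@optional-sigstore.sh in the next hunk does the same with does_commit_exist. Sending the message to stderr and recording the outcome through the junit helper that scenario.sh already provides, e.g. `record_junit host1 "does_image_exist" "SKIPPED"` if that helper accepts a skip status, keeps the skip visible in the results rather than only in the console log. The identical guard could live in one helper, `start_image_available() { does_image_exist "${start_image}" || { echo "Image '${start_image}' not found - skipping test" >&2; return 1; }; }`, called from the three functions. The comment `thus must all to be signed` should read `thus must all be signed`.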
diff --git a/test/scenarios/periodics/el94-crel@optional-sigstore.sh b/test/scenarios/periodics/el94-crel@optional-sigstore.sh
new file mode 100644
index 0000000000..ee99dc25b0
--- /dev/null
+++ b/test/scenarios/periodics/el94-crel@optional-sigstore.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# Sourced from scenario.sh and uses functions defined there.
+
+# Enable container signature verification for current release images,
+# including the optional components.
+# These are ec / rc / z-stream, thus must all to be signed.
+# shellcheck disable=SC2034 # used elsewhere
+IMAGE_SIGSTORE_ENABLED=true
+
+start_commit=rhel-9.4-microshift-crel-optionals
+
+scenario_create_vms() {
+ if ! does_commit_exist "${start_commit}"; then
+ echo "Commit '${start_commit}' not found in ostree repo - skipping test"
+ return 0
+ fi
+ prepare_kickstart host1 kickstart.ks.template "${start_commit}"
+ launch_vm
+}
+
+scenario_remove_vms() {
+ if ! does_commit_exist "${start_commit}"; then
+ echo "Commit '${start_commit}' not found in ostree repo - skipping test"
+ return 0
+ fi
+ remove_vm host1
+}
+
+scenario_run_tests() {
+ if ! does_commit_exist "${start_commit}"; then
+ echo "Commit '${start_commit}' not found in ostree repo - skipping test"
+ return 0
+ fi
+ # Run a minimal test for this scenario as its main functionality is
+ # to verify container image signature check is enabled
+ run_tests host1 \
+ --variable "IMAGE_SIGSTORE_ENABLED:True" \
+ suites/standard1/containers-policy.robot
+}
diff --git a/test/suites/standard1/containers-policy.robot b/test/suites/standard1/containers-policy.robot
new file mode 100644
index 0000000000..60bafd802c
--- /dev/null
+++ b/test/suites/standard1/containers-policy.robot
@@ -0,0 +1,81 @@ +*** Settings *** +Documentation Container policy verification + +Resource ../../resources/microshift-process.resource +Library OperatingSystem +Library Collections + +Suite Setup Setup +Suite Teardown Teardown + + +*** Variables *** +${POLICY_JSON_PATH} /etc/containers/policy.json +${IMAGE_SIGSTORE_ENABLED} False + + +*** Test Cases *** +Verify Policy JSON Contents + [Documentation] Verify container policy contents + ${policy_contents}= Command Should Work cat ${POLICY_JSON_PATH} + ${policy}= Json Parse ${policy_contents} + + IF ${IMAGE_SIGSTORE_ENABLED} + Verify Sigstore Signing Enabled ${policy} + ELSE + Verify Sigstore Signing Disabled ${policy} + END + + +*** Keywords *** +Setup + [Documentation] Test suite setup + Login MicroShift Host + +Teardown + [Documentation] Test suite teardown + Logout MicroShift Host + +Verify Sigstore Signing Enabled # robocop: disable=too-many-calls-in-keyword + [Documentation] Verify the policy file contents when sigstore signing + ... verification is enabled + [Arguments] ${policy} + + # This verification should match the policy contents defined in + # https://github.com/openshift/microshift/blob/main/test/kickstart-templates/includes/post-containers-sigstore.cfg + + # Verify default entry + ${default_type}= Evaluate "${policy}[default][0][type]" + Should Be Equal As Strings ${default_type} reject + + # Verify quay.io entry + ${quay_type}= Evaluate "${policy}[transports][docker][quay.io/openshift-release-dev][0][type]" + Should Be Equal ${quay_type} sigstoreSigned + ${quay_key}= Evaluate "${policy}[transports][docker][quay.io/openshift-release-dev][0][keyPath]" + Should Be Equal ${quay_key} /etc/containers/RedHat_ReleaseKey3.pub + ${quay_ident}= Evaluate + ... 
"${policy}[transports][docker][quay.io/openshift-release-dev][0][signedIdentity][type]" + Should Be Equal ${quay_ident} matchRepoDigestOrExact + + # Verify registry.redhat.io entry + ${redhat_type}= Evaluate "${policy}[transports][docker][registry.redhat.io][0][type]" + Should Be Equal ${redhat_type} sigstoreSigned + ${redhat_key}= Evaluate "${policy}[transports][docker][registry.redhat.io][0][keyPath]" + Should Be Equal ${redhat_key} /etc/containers/RedHat_ReleaseKey3.pub + ${redhat_ident}= Evaluate "${policy}[transports][docker][registry.redhat.io][0][signedIdentity][type]" + Should Be Equal ${redhat_ident} matchRepoDigestOrExact + +Verify Sigstore Signing Disabled + [Documentation] Verify the policy file contents when sigstore signing + ... verification is disabled + [Arguments] ${policy} + # This verification should match the policy contents defined in + # https://github.com/openshift/microshift/blob/main/test/kickstart-templates/includes/post-containers.cfg + + # Verify default entry + ${default_type}= Evaluate "${policy}[default][0][type]" + Should Be Equal As Strings ${default_type} insecureAcceptAnything + + # Verify transports entry + ${quay_type}= Evaluate '${policy}[transports][docker-daemon][][0][type]' + Should Be Equal ${quay_type} insecureAcceptAnything diff --git a/test/suites/standard2/containers-policy.robot b/test/suites/standard2/containers-policy.robot new file mode 120000 index 0000000000..1b9fd8f8fe --- /dev/null +++ b/test/suites/standard2/containers-policy.robot @@ -0,0 +1 @@ +../standard1/containers-policy.robot \ No newline at end of file From 8cab2aa4471d230ed11f0d7023b3cf4b279851ee Mon Sep 17 00:00:00 2001 From: Gregory Giguashvili Date: Wed, 29 Jan 2025 10:28:30 +0200 Subject: [PATCH 4/6] Fix does_image_exist function logic in scenario.sh --- test/bin/scenario.sh | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/test/bin/scenario.sh b/test/bin/scenario.sh index eeec1c7ffc..89681dca64 100755 
--- a/test/bin/scenario.sh
+++ b/test/bin/scenario.sh
@@ -299,7 +299,8 @@ prepare_kickstart() {
 record_junit "${vmname}" "prepare_kickstart" "OK"
 }
-# Checks if provided commit exists in local ostree repository
+# Checks if provided commit exists in local ostree repository.
+# Returns 0 when the ref exists or 1 otherwise.
 does_commit_exist() {
 local -r commit="${1}"
@@ -310,6 +311,18 @@ does_commit_exist() {
 fi
 }
+# Checks if provided image ref exists in local image storage.
+# Returns 0 when the ref exists or 1 otherwise.
+does_image_exist() {
+ local -r image="${1}"
+
+ if [ -n "$(sudo podman images -q "${image}")" ]; then
+ return 0
+ else
+ return 1
+ fi
+}
+
 # Show the IP address of the VM
 function get_vm_ip {
 local -r vmname="${1}"
From e3da28b5441bc489dd0ec76785fe830384c12b3b Mon Sep 17 00:00:00 2001
From: Gregory Giguashvili
Date: Wed, 29 Jan 2025 10:32:43 +0200
Subject: [PATCH 5/6] Fix el94-crel@optional-sigstore.sh scenario to use rhel94
---
 ...el@optional-sigstore.sh => el94-crel@optional-sigstore.sh} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename test/scenarios-bootc/periodics/{el95-crel@optional-sigstore.sh => el94-crel@optional-sigstore.sh} (93%)
diff --git a/test/scenarios-bootc/periodics/el95-crel@optional-sigstore.sh b/test/scenarios-bootc/periodics/el94-crel@optional-sigstore.sh
similarity index 93%
rename from test/scenarios-bootc/periodics/el95-crel@optional-sigstore.sh
rename to test/scenarios-bootc/periodics/el94-crel@optional-sigstore.sh
index 07215165f2..96f2c4d2b1 100644
--- a/test/scenarios-bootc/periodics/el95-crel@optional-sigstore.sh
+++ b/test/scenarios-bootc/periodics/el94-crel@optional-sigstore.sh
@@ -8,7 +8,7 @@
 # shellcheck disable=SC2034 # used elsewhere
 IMAGE_SIGSTORE_ENABLED=true
-start_image=rhel95-bootc-crel-optionals
+start_image=rhel94-bootc-crel-optionals
 scenario_create_vms() {
 if ! does_image_exist "${start_image}"; then
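Review bot: The body of does_image_exist wraps a test that already produces the status it wants in an if/else that returns 0 or 1 by hand; `[ -n "$(sudo podman images -q "${image}")" ]` as the last command of the function is equivalent and shorter, and the same shape is carried over by the rewrite in patch 6/6. `podman images -q NAME` matches on repository name, so an unqualified value such as rhel94-bootc-crel-optionals presumably matches every tag of that repository — acceptable for an existence probe, but worth stating in the header comment if a specific tag is expected. The body of does_commit_exist, whose comment this hunk also corrects, lies outside the hunk.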
@@ -16,7 +16,7 @@ scenario_create_vms() {
 return 0
 fi
 prepare_kickstart host1 kickstart-bootc.ks.template "${start_image}"
- launch_vm --boot_blueprint rhel95-bootc
+ launch_vm --boot_blueprint rhel94-bootc
 }
 scenario_remove_vms() {
From 23ec0ac73277ba3b62b2e1e10d6d7e5dc9cec6b8 Mon Sep 17 00:00:00 2001
From: Gregory Giguashvili
Date: Thu, 30 Jan 2025 12:33:17 +0200
Subject: [PATCH 6/6] Fix does_image_exist function to check in the mirror registry
---
 test/bin/scenario.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/test/bin/scenario.sh b/test/bin/scenario.sh
index 89681dca64..f6e18c076a 100755
--- a/test/bin/scenario.sh
+++ b/test/bin/scenario.sh
@@ -311,12 +311,12 @@ does_commit_exist() {
 fi
 }
-# Checks if provided image ref exists in local image storage.
+# Checks if provided image ref exists in the mirror registry.
 # Returns 0 when the ref exists or 1 otherwise.
 does_image_exist() {
 local -r image="${1}"
- if [ -n "$(sudo podman images -q "${image}")" ]; then
+ if skopeo inspect "docker://${MIRROR_REGISTRY_URL}/${image}" &>/dev/null ; then
 return 0
 else
 return 1
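Review bot: `skopeo inspect ... &>/dev/null` in does_image_exist discards stderr as well as stdout, so a mirror that is unreachable, rejects TLS, or needs credentials returns 1 exactly like a genuinely absent image, and every caller in the optional-sigstore scenarios treats 1 as skip-with-success — a registry outage therefore turns the signature-policy scenario into a silent pass. Silencing only stdout, `if skopeo inspect "docker://${MIRROR_REGISTRY_URL:?}/${image}" >/dev/null; then`, keeps skopeo's diagnostic in the scenario log, and the `:?` expansion fails loudly when MIRROR_REGISTRY_URL is unset instead of probing `docker:///image` and reporting not-found. Whether scenario.sh runs with set -u, which would already catch the unset variable, is not visible here, and the closing lines of does_image_exist are outside the hunk.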