Merge spire into hpe#1
Open
joaoguazzelli wants to merge 34 commits into
* README updates
* Update README.md
SPIREX-63 Change K8s wl to validate signature subject as a selector (#6)
* Initial tests with workload signed image
* Initial test for signed image and validation based on selector subject entry
* structure steps to support multiple workloads and adjust workload for signed image
* deleting unnecessary step
* Add test for unsigned image
* Add test for image signed with wrong subject
* rename check svid step for signed image
* Renaming yaml file for signed image and adjusting apply config step accordingly
* adjusting test images for public docker registry
* Removing signed image loading from setup step
* adjusting spiffeID verification step for images from public registries with pull rate limit
* Extracting kubectl path to variable
* Provide simple description for the test validation
* cleaning up add entry step
…integration tests (#11)
* Initial tests with workload signed image
* Initial test for signed image and validation based on selector subject entry
* structure steps to support multiple workloads and adjust workload for signed image
* deleting unnecessary step
* Add test for unsigned image
* Add test for image signed with wrong subject
* rename check svid step for signed image
* Renaming yaml file for signed image and adjusting apply config step accordingly
* adjusting test images for public docker registry
* Removing signed image loading from setup step
* adjusting spiffeID verification step for images from public registries with pull rate limit
* Extracting kubectl path to variable
* Provide simple description for the test validation
* cleaning up add entry step
…integration tests (#11)
* Refactoring sigstore requests from k8s to sigstore package
* Change call from cosign.verify for a helper function in order to enable Mocking
* First set of tests
* Fixing exception cases
* Linting issue
* reverting the debug change

Co-authored-by: Thiago Jamir <tjamir@gmail.com>
improved testing and coverage with sigstore package mock
* feat: Refactoring of sigstore package, added digest validation, added skip list
* fix: added empty signature checking on getSignatureSubject
* updated tests after refactoring
* feat: added skiplist feature, adjusted after refactoring
* feat: fixed tests after refactoring
* fixing linting
* tests: added AddSkipImage tests
* tests: improved testing for sigstore.go
* feat: added signature-verified selector for verified image signatures
* tests: implemented tests covering code added to Attest tests: added tests for skip list config
* fix: fixing linting issues
* fix another linting issue
* feat: the skip list in sigstore.go doesn't store selectors anymore, feat: the k8s attestor now adds the signature-verified:true selector to images in the skip list, and doesn't add any other sigstore related selectors beyond that
* docs: updated agent_full.conf to reflect changes in the attestor
* misc: removed old comment
* misc: renamed SkipImage to ShouldSkipImage
* misc: renamed SkipImage in comments too
* misc: removing unused functions
[SPIREX-25] Add signature content selector
* updated tests after refactoring
* feat: added allow_list support to the k8s/sigstore package
* feat: added allowlist support for the k8s.go plugin
* docs: added config docs for allowlist options
* Fixing linting issues
* misc: addressing comments on PR
* misc: changed emails from hpe.com to example.com
* tests: improved code coverage
* misc: fixing linting complaints
* misc: fixing linting, again
* misc: changes to skipImage
* misc: moved main logic to `sigstore.go`
* misc: fixed tests for k8s.go
* tests: added tests for AttestContainerSignatures
* fix: setting rekorURL on config
* refactor!: moved URL parsing and error handling to its own function
* tests: updated tests to cover sigstore configuration in k8s.go
* fix: fixing integration tests, empty url means use default
* feat: added selectors for logID and integratedTime
* misc: removing last reference to hpe
* misc: still had a hpe reference.
* tests: added integration test for new selectors
* tests: fixed app name on entry creation on new test
* ci: fixing k8s-sigstore integration test for extra selectors
…#27)
* tests: added new integration tests for registrar and skip/allow lists
* refactor: adjusted containerID place
* fix: lint adjustment
* fix: adjusted sigstore test file
* fix: adjusted sigstore test file
* fix: fixed k8s-sigstore integration tests
* refactor: removed some comments and renamed k8s-sigstore-e2e folder to .k8s-sigstore-e2e
* refactor: removed unnecessary line of code

Co-authored-by: Matheus Santos <mfcs@cesar.org.br>
* adding missing logic on CRD k8s-workload-registrar
* fixed tests
* fix: removed sigstore selector in node registration entry
* fix: removed old log
* fix: lint and unit tests
* fix: fixed flooding of registrar logs. fix: improved coverage to include sigstore selector inclusion
* tests: modified tests to account for CheckSignatureEnabled
* fix: addressing lint complaints
* removing unneeded field
* renamed last mentions of "signature-verified:true"
* fix: integration tests had a double "$"
…ncluded again k8s-sigstore-e2e tests (#34)

Co-authored-by: Matheus Santos <mfcs@cesar.org.br>
Signed-off-by: joaoguazzelli <joao.guazzelli@gmail.com>
Pull Request check list
Affected functionality
Description of change
Which issue this PR fixes