swap clientserver to correct image + linting

automated-testing.sh

@@ -28,48 +28,118 @@ fi
 source ./tas-env-variables.sh
 
 ## Binary testing
-### Deps: jq, yq, 
+### Deps: jq, yq, podman, oc
+echo "{}" > /tmp/tas-report.json
 clientserver_namespace=$(cat charts/trusted-artifact-signer/values.yaml | yq .configs.clientserver.namespace)
+clientserver_name=$(cat charts/trusted-artifact-signer/values.yaml | yq .configs.clientserver.name)
 OS_FAMILY=$(uname | tr '[:upper:]' '[:lower:]')
 ARCH=$(uname -m)
 
 #### Cosign
 binary="cosign"
 cosign_download_link=""
+
+# Generate cosign entry in report
+jq  -c  '.cosign = {}' -i /tmp/tas-report.json
+
+# find correct download link
 if [[ $OS_FAMILY == "linux" && $ARCH == "amd64" ]]; then
     cosign_download_link="https://$clientserver_namespace.$BASE_HOSTNAME/clients/$OS_FAMILY/$binary.gz"
 else
-    cosign_download_options=($(oc get -n $clientserver_namespace consoleclidownloads.console.openshift.io cosign -o json | jq ".spec.links[].href"))
+    cosign_download_options=($(oc get -n $clientserver_namespace consoleclidownloads.console.openshift.io cosign -o json | jq ".spec.links[].href" | cut -d "\"" -f 2 ))
     for cosign_download_option in "${cosign_download_options[@]}"; do
-        if [[ $cosign_download_option == "https://$clientserver_namespace.$BASE_HOSTNAME/clients/$OS_FAMILY/$binary-$ARCH.gz" ]]; then
+        if [[ $cosign_download_option == "https://$clientserver_name-$clientserver_namespace.$BASE_HOSTNAME/clients/$OS_FAMILY/$binary-$ARCH.gz" ]]; then
             cosign_download_link=$cosign_download_option
         fi
     done
 fi
 
+# check cosign download link
 if [[ -z $cosign_download_link ]]; then
     echo  "error getting cosign download link"
-    exit 1 #THIS IS A TEMPORARY PLACEHOLDER
+    jq  --arg OS "$OS_FAMILY" --arg ARCH "$ARCH" '.cosign.download = {"status": "failure", "os": $OS, "arch": $ARCH, "link": ""}' -i /tmp/tas-report.json
+else
+    echo "download matching OS: $OS_FAMILY and ARCH: $ARCH found:
+    $cosign_download_link
+    continuing... "
+    jq  --arg OS "$OS_FAMILY" --arg ARCH "$ARCH" --arg LINK "$cosign_download_link" '.cosign.download = {"os": $OS, "arch": $ARCH, "link": $LINK}' -i /tmp/tas-report.json
 fi
 
-cosign_download=$(curl -sL $cosign_download_link -o /tmp/cosign-$OS_FAMIL-$ARCH.gz)
-not_found_html_string="<head>
-<title>404 Not Found</title>
-</head>"
-if [[ $(cat $cosign_download | grep "$not_found_html_string") ]]
+dir=$(pwd)
+
+# idempotency
+
+if [ -d "/tmp/cosign" ]; then
+    rm -rf /tmp/cosign
+fi
 
+mkdir /tmp/cosign && cd /tmp/cosign
 
-# 2 options for testing cosign, could test by downloading the binary from console-cli-downloads, or we could use the cosign pod with kubectl exec
-# 1. download the binary from cluster
+cosign_download=$(curl -sL $cosign_download_link -o /tmp/cosign/cosign-$OS_FAMILY-$ARCH.gz)
+cosign_download_status=$(echo $?)
+cosign_download_404=$(cat /tmp/cosign/cosign-$OS_FAMILY-$ARCH.gz | grep "<title>404 Not Found</title>")
+gzip -d /tmp/cosign/cosign-$OS_FAMILY-$ARCH.gz --force
+cosign_unizp_status=$(echo $?)
 
+# checking download status of cosign
+if [[ $cosign_download_status == 0 && -z $cosign_download_404 && $cosign_unizp_status == 0 ]]; then
+    jq '.cosign.download.status = "success"' -i /tmp/tas-report.json
+else
+    jq '.cosign.download.status = "failure"' -i /tmp/tas-report.json
+fi
+
+chmod +x /tmp/cosign/cosign-$OS_FAMILY-$ARCH
+
+podman pull registry.access.redhat.com/ubi9/s2i-base@sha256:d3838e6e26baa335556eb04f0af128602ddf7b57161d168b21ed6cf997281ddb
+/tmp/cosign/cosign-$OS_FAMILY-$ARCH initialize --mirror=$TUF_URL --root=$TUF_URL/root.json
+cosign_initialize_status=$(echo $?)
+if [[ $cosign_initialize_status == 0 ]]; then
+    jq '.cosign.initialize.status = "success"' -i /tmp/tas-report.json
+else
+    jq '.cosign.initialize.status = "failure"' -i /tmp/tas-report.json
+
+fi
+
+### Cosign keyless flow (no upload)
+/tmp/cosign/cosign-$OS_FAMILY-$ARCH sign registry.access.redhat.com/ubi9/s2i-base@sha256:d3838e6e26baa335556eb04f0af128602ddf7b57161d168b21ed6cf997281ddb \
+    --yes \
+    --rekor-url=$REKOR_URL \
+    --fulcio-url=$FULCIO_URL \
+    --oidc-issuer=$OIDC_ISSUER_URL \
+    --upload=false 
+    # --output-file=/tmp/test-output # THIS DOES NOT WORK
+    # --timestamp-server-url= \ # THIS HAS YET TO BE INCLUDED IN THE CHARTS
+cosign_keyless_signing_status=$(echo $?)
+
+if [[ $cosign_keyless_signing_status == 0 ]]; then
+    jq --arg STATUS_CODE "$cosign_keyless_signing_status" '.cosign.sign.keyless = {"result": "success", "status_code": "$STATUS_CODE"}' -i /tmp/tas-report.json
+else
+    # ADD FAILURE CASE
+fi
+
+### Cosign generate-key-pair
+
+export COSIGN_PASSWORD="tmp_cosign_password"
+/tmp/cosign/cosign-$OS_FAMILY-$ARCH generate-key-pair --output-key-prefix tas-cosign
+cosign_generate_key_statues=$(echo $?)
+if [[ $cosign_generate_key_statues == 0 ]]; then
+    jq --arg STATUS_CODE "$cosign_generate_key_statues" '.cosign.keyed = {"generate-key-pair": {"result": "success", "status_code": "$STATUS_CODE"}}' -i /tmp/tas-report.json
+else
+    # ADD FAILURE CASE
+fi
 
-# for binary in "${!binaries[@]}"; do
-#     oc get consoleclidownloads.console.openshift.io cosign -n openshift-console -o json | jq ".spec.links[].href"
+## Cosign keyed flow
+export COSIGN_PASSWORD="tmp_cosign_password"
+tmp/cosign/cosign-$OS_FAMILY-$ARCH sign registry.access.redhat.com/ubi9/s2i-base@sha256:d3838e6e26baa335556eb04f0af128602ddf7b57161d168b21ed6cf997281ddb \
+    --key=/tmp/cosign/tas-cosign.key \
+    --rekor-url=$REKOR_URL \
+    --upload=false 
+cosign_keyed_signing_status=$(echo $?)
 
-# cosign_options=$(oc get consoleclidownloads.console.openshift.io cosign -n openshift-console -o json | jq ".spec.links")
-# 2. kubectl exec (in progress)
-    # cosign_pod=$(oc get pods -n cosign | tail -n 1 | awk '{print $1}')1
-    # kubectl exec -n cosign $cosign_pod 
-    # oc rsh $cosign_pod
 
-# cosign --help
+## COSIGN VERIFY --> this needs some where where we can push attestations
+export COSIGN_PASSWORD="tmp_cosign_password"
+tmp/cosign/cosign-$OS_FAMILY-$ARCH verify registry.access.redhat.com/ubi9/s2i-base@sha256:d3838e6e26baa335556eb04f0af128602ddf7b57161d168b21ed6cf997281ddb \
+    --key=/tmp/cosign/tas-cosign.key \
+    --rekor-url=$REKOR_URL
+cosign_keyed_signing_status=$(echo $?)

charts/trusted-artifact-signer/templates/clientserver-deployment.yaml

@@ -22,7 +22,6 @@ spec:
       containers:
       - name: tas-clients
         image: "{{ template "image" .Values.configs.clientserver.image }}"
-        #image: quay.io/sallyom/tas-clients:httpd
         imagePullPolicy: IfNotPresent
         ports:
           - containerPort: 8080

charts/trusted-artifact-signer/templates/segment-backup-job.yaml

@@ -19,8 +19,7 @@ spec:
       serviceAccountName: segment-backup-job
       containers:
         - name: {{ .Values.configs.segment_backup_job.name }}
-          # image: "{{ .Values.configs.segment_backup_job.image.registry }}/{{ .Values.configs.segment_backup_job.image.repository }}/{{ .Values.configs.segment_backup_job.image.version }}"
-          image: "{{ .Values.configs.segment_backup_job.image.registry }}/{{ .Values.configs.segment_backup_job.image.repository }}@{{ .Values.configs.segment_backup_job.image.version }}"
+          image: "{{ template "image" .Values.configs.segment_backup_job.image }}"
           command: ["/bin/bash",  "/opt/app-root/src/script.sh"]
           env:
             - name: RUN_TYPE

charts/trusted-artifact-signer/values.yaml

@@ -27,9 +27,9 @@ configs:
     namespace_create: true
     namespace: trusted-artifact-signer-clientserver
     image:
-      registry: registry.redhat.io
-      repository: rhtas-tech-preview/client-server-rhel9
-      version: sha256:07b1c06290706873ee55e39bad5804ea1d7574b01909adf97d67495ad919f9a1
+      registry: quay.io
+      repository: redhat-user-workloads/rhtas-tenant/access-1-0-gamma/client-server-1-0-gamma
+      version: sha256:d8540b72f67c3947287d30913a9277770a43eb37eff2dd3efcb8e24759a106ac
       pullPolicy: IfNotPresent
   ctlog:
     namespace: ctlog-system

tas-easy-install.sh

@@ -144,6 +144,7 @@ oc -n rekor-system create secret generic rekor-private-key --from-file=private=.
 #OPENSHIFT_APPS_SUBDOMAIN=$common_name envsubst < examples/values-sigstore-openshift.yaml | helm install --debug trusted-artifact-signer trusted-artifact-signer/trusted-artifact-signer -n trusted-artifact-signer --create-namespace --values -
 OPENSHIFT_APPS_SUBDOMAIN=$common_name envsubst < examples/values-sigstore-openshift.yaml | helm upgrade -i trusted-artifact-signer --debug charts/trusted-artifact-signer  -n trusted-artifact-signer --create-namespace --values -
 
+oc set env -n fulcio-system deployment/fulcio-server SSL_CERT_DIR=/var/run/fulcio
 # Create the script to initialize the environment variables for the service endpoints
 generate_env_script
 

testing/Dockerfile.test

@@ -0,0 +1,2 @@
+FROM scratch
+ADD test-file.txt /