Feat/rsa keys

.dockerignore

@@ -0,0 +1,8 @@
+Makefile
+*.key
+*.pub
+*.png
+hack/
+manifests/
+chart/
+README.md

.github/workflows/build.yaml

@@ -4,8 +4,8 @@ on:
   push:
     branches:
       - main
-    tags:        
-      - '*'
+    tags:
+      - "*"
 
 jobs:
   build:
@@ -28,7 +28,7 @@ jobs:
       - name: Install Cosign
         uses: sigstore/cosign-installer@main
         with:
-          cosign-release: 'v2.2.0'
+          cosign-release: "v2.4.0"
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx

.golangci.yaml

@@ -23,8 +23,8 @@ linters-settings:
     min-complexity: 15
   gofmt:
     rewrite-rules:
-      - pattern: 'interface{}'
-        replacement: 'any'
+      - pattern: "interface{}"
+        replacement: "any"
   goimports:
     local-prefixes: github.com/golangci/golangci-lint
   gomnd:
@@ -35,15 +35,14 @@ linters-settings:
       - condition
       - return
     ignored-numbers:
-      - '0'
-      - '1'
-      - '2'
-      - '3'
+      - "0"
+      - "1"
+      - "2"
+      - "3"
     ignored-functions:
       - strings.SplitN
 
   govet:
-    check-shadowing: true
     settings:
       printf:
         funcs:
@@ -72,7 +71,7 @@ linters:
     - dogsled
     - dupl
     - errcheck
-    - exportloopref
+    - copyloopvar
     - funlen
     - gocheckcompilerdirectives
     - gochecknoinits
@@ -81,7 +80,7 @@ linters:
     - gocyclo
     - gofmt
     - goimports
-    - gomnd
+    - mnd
     - goprintffuncname
     - gosec
     - gosimple
@@ -99,9 +98,8 @@ linters:
     - unused
     - whitespace
 
-run:
-  timeout: 5m
-  skip-files:
+issues:
+  exclude-files:
     - .*_test\.go
-  skip-dirs:
+  exclude-dirs:
     - test/

Dockerfile

@@ -1,5 +1,5 @@
 # build stage
-FROM golang:1.21 AS build-env
+FROM golang:1.23 AS build-env
 WORKDIR /app
 COPY  . /app
 RUN useradd -u 10001 webhook && \

Makefile

@@ -1,10 +1,13 @@
+PORT := 5000
+
 #############
 ### TESTS ###
 #############
+
 .PHONY: test-e2e
 test-e2e:
 	@echo "Running e2e tests..."
-	@go test -v -race -count 1 ./test/
+	@export COSIGN_E2E="42" && go test -v -race -count 1 ./test/
 
 .PHONY: test-unit
 test-unit:
@@ -17,9 +20,9 @@ test-unit:
 
 e2e-cluster:
 	@echo "Creating registry..."
-	@k3d registry create registry.localhost --port 5000
+	@k3d registry create registry.localhost --port $(PORT)
 	@echo "Adding registry to cluster..."
-	@k3d cluster create cosign-tests --registry-use k3d-registry.localhost:5000
+	@uname -m | grep -q 'Darwin' && export K3D_FIX_DNS=0; k3d cluster create cosign-tests --registry-use k3d-registry.localhost:$(PORT)
 	@echo "Create test namespace..."
 	@kubectl create namespace test-cases
 
@@ -33,39 +36,41 @@ e2e-images:
 	@echo "Checking for cosign.key..."
 	@test -f cosign.key || (echo "cosign.key not found. Run 'make e2e-keys' to generate the pairs needed for the tests." && exit 1)
 	@echo "Building test image..."
-	@docker build -t k3d-registry.localhost:5000/cosignwebhook:dev .
+	@docker build -t k3d-registry.localhost:$(PORT)/cosignwebhook:dev .
 	@echo "Pushing test image..."
-	@docker push k3d-registry.localhost:5000/cosignwebhook:dev
+	@docker push k3d-registry.localhost:$(PORT)/cosignwebhook:dev
 	@echo "Signing test image..."
 	@export COSIGN_PASSWORD="" && \
-		cosign sign --tlog-upload=false --key cosign.key k3d-registry.localhost:5000/cosignwebhook:dev
+		cosign sign --tlog-upload=false --key cosign.key k3d-registry.localhost:$(PORT)/cosignwebhook:dev
 	@echo "Importing test image to cluster..."
-	@k3d image import k3d-registry.localhost:5000/cosignwebhook:dev --cluster cosign-tests
+	@k3d image import k3d-registry.localhost:$(PORT)/cosignwebhook:dev --cluster cosign-tests
 	@echo "Building busybox image..."
 	@docker pull busybox:latest
 	@echo "Tagging & pushing busybox images..."
-	@docker tag busybox:latest k3d-registry.localhost:5000/busybox:first
-	@docker tag busybox:latest k3d-registry.localhost:5000/busybox:second
-	@docker push k3d-registry.localhost:5000/busybox --all-tags
+	@docker tag busybox:latest k3d-registry.localhost:$(PORT)/busybox:first
+	@docker tag busybox:latest k3d-registry.localhost:$(PORT)/busybox:second
+	@docker push k3d-registry.localhost:$(PORT)/busybox --all-tags
 	@echo "Signing busybox images..."
 	@export COSIGN_PASSWORD="" && \
-		cosign sign --tlog-upload=false --key cosign.key k3d-registry.localhost:5000/busybox:first && \
-		cosign sign --tlog-upload=false --key second.key k3d-registry.localhost:5000/busybox:second
+		cosign sign --tlog-upload=false --key cosign.key k3d-registry.localhost:$(PORT)/busybox:first && \
+		cosign sign --tlog-upload=false --key cosign.key k3d-registry.localhost:$(PORT)/busybox:first && \
+		cosign sign --tlog-upload=false --key second.key k3d-registry.localhost:$(PORT)/busybox:second
 
 e2e-deploy:
 	@echo "Deploying test image..."
 	@helm upgrade -i cosignwebhook chart -n cosignwebhook --create-namespace \
-		--set image.repository=k3d-registry.localhost:5000/cosignwebhook \
+		--set image.repository=k3d-registry.localhost:$(PORT)/cosignwebhook \
 		--set image.tag=dev \
 		--set-file cosign.scwebhook.key=cosign.pub \
 		--set logLevel=debug \
-		--wait --debug
+		--wait --debug --atomic
 
 e2e-prep: e2e-cluster e2e-keys e2e-images e2e-deploy
 
 e2e-cleanup:
-	@echo "Cleaning up..."
-	@helm uninstall cosignwebhook -n cosignwebhook
-	@k3d registry delete k3d-registry.localhost
-	@k3d cluster delete cosign-tests
-	@rm -f cosign.pub cosign.key second.pub second.key
+	@echo "Cleaning up test env..."
+	@k3d registry delete registry.localhost || echo "Deleting k3d registry failed. Continuing..."
+	@helm uninstall cosignwebhook -n cosignwebhook || echo "Uninstalling cosignwebhook helm release failed. Continuing..."
+	@k3d cluster delete cosign-tests || echo "Deleting cosign tests k3d cluster failed. Continuing..."
+	@rm -f cosign.pub cosign.key second.pub second.key || echo "Removing files failed. Continuing..."
+	@echo "Done."

README.md

@@ -150,12 +150,12 @@ make test-e2e
 ### E2E tests
 
 The E2E tests require a running kubernetes cluster. Currently, the namespace and webhook are deployed via helper make
-targets. To run the tests the following is required:
+targets. To only run the tests, the following is required:
 
 * docker
 * cosign (v2)
 
-To run the E2E tests, the following steps are required (in order):
+To run the whole E2E tests, the following steps are required (in order):
 
 * create a k3d local cluster for the tests and a local iamge registry (`make e2e-cluster`)
 * signing keys are generated (`make e2e-keys`)
@@ -167,6 +167,8 @@ up the E2E setup, run `make e2e-cleanup`.
 This will delete everything created by the E2E preparation. If you've already created the cluster and the keys, and
 you're actively testing new code, you may run `make e2e-images e2e-deploy test-e2e` to test your changes.
 
+In case you're running the tests on Apple devices, you may need to use deactivate the k3s dns fix (already implemented in the makefile). If your containers in the cluster don't start by skipping the fix, you may set `K3S_FIX_DNS` back to `1` in the `e2e-cluster` target.
+
 ## Local build
 
 ```bash

chart/values.yaml

@@ -103,17 +103,17 @@ affinity: {}
 cosign:
   image:
     repository: ghcr.io/sigstore/cosign/cosign
-    tag: v2.0.0
+    tag: v2.4.0
     pullPolicy: IfNotPresent
   sccosign:
     key: |
-        -----BEGIN PUBLIC KEY-----
-        MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhyQCx0E9wQWSFI9ULGwy3BuRklnt
-        IqozONbbdbqz11hlRJy9c7SG+hdcFl9jE9uE/dwtuwU2MqU9T/cN0YkWww==
-        -----END PUBLIC KEY-----
+      -----BEGIN PUBLIC KEY-----
+      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhyQCx0E9wQWSFI9ULGwy3BuRklnt
+      IqozONbbdbqz11hlRJy9c7SG+hdcFl9jE9uE/dwtuwU2MqU9T/cN0YkWww==
+      -----END PUBLIC KEY-----
   scwebhook:
     key: |
-        -----BEGIN PUBLIC KEY-----
-        MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENDN3HpXY2weMYRuuJbZnNczrOyns
-        ZvVnR15G9EILCH8+elXkYy+4U70mR++XIL0iD8NhZ3kxfpFjxyHlnG5Snw==
-        -----END PUBLIC KEY-----
+      -----BEGIN PUBLIC KEY-----
+      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENDN3HpXY2weMYRuuJbZnNczrOyns
+      ZvVnR15G9EILCH8+elXkYy+4U70mR++XIL0iD8NhZ3kxfpFjxyHlnG5Snw==
+      -----END PUBLIC KEY-----