add kind

Signed-off-by: Sally O'Malley <[email protected]>
securesign · Sep 27, 2023 · a0f7581 · a0f7581
1 parent c42d3d0
commit a0f7581
Show file tree

Hide file tree

Showing 5 changed files with 217 additions and 19 deletions.
diff --git a/README.md b/README.md
@@ -14,3 +14,26 @@ Information on how to install Sigstore components on OpenShift can be found in t
 ## Scaffolding Chart
 
 More information can be found by inspecting the [scaffolding chart](charts/scaffolding).
+
+## Contributing
+
+Install the [pre-commit](https://pre-commit.com/) package and run `pre-commit run --all-files` before pushing changes, or `pre-commit install` to automatically run the pre-commit hooks with every `git commit`. If it fails,
+run the `git commit` command again. It's likely the pre-commit hook fixed the issue and you have to bring in the new changes.
+
+### Testing
+
+To set up a `kind` cluster and deploy the charts, run the following from the root of this repository
+
+```bash
+./kind/kind-up-test.sh
+
+kubectl wait --namespace ingress-nginx \
+  --for=condition=ready pod \
+  --selector=app.kubernetes.io/component=controller \
+  --timeout=90s
+
+OPENSHIFT_APPS_SUBDOMAIN=localhost envsubst <  ./examples/values-kind-sigstore.yaml | helm upgrade -i scaffolding --debug ./charts/scaffolding -n sigstore --create-namespace --values -
+```
+
+This test setup is to verify that all deployments are healthy and all jobs complete. However, this does not create a working environment to sign artifacts.
+
diff --git a/charts/scaffolding/templates/cluster-monitoring-resources.yaml b/charts/scaffolding/templates/cluster-monitoring-resources.yaml
@@ -32,22 +32,22 @@ subjects:
   name: prometheus-k8s
   namespace: openshift-monitoring
 ---
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  labels:
-    app.kubernetes.io/name: {{ $config.namespace }}   
-  name: {{ $config.namespace }}
-  namespace: {{ $config.namespace }}
-spec:
-  endpoints:
-  {{- range $endpoint := $config.clusterMonitoring.endpoints }}
-  - interval: {{ $endpoint.interval }}
-    port: {{ $endpoint.port }}
-    scheme: {{ $endpoint.scheme }}
-  {{- end }}
-  selector:
-    matchLabels:
-      app.kubernetes.io/instance: scaffolding
-{{- end }}
-{{- end }}
+#apiVersion: monitoring.coreos.com/v1
+#kind: ServiceMonitor
+#metadata:
+#  labels:
+#    app.kubernetes.io/name: {{ $config.namespace }}   
+#  name: {{ $config.namespace }}
+#  namespace: {{ $config.namespace }}
+#spec:
+#  endpoints:
+#  {{- range $endpoint := $config.clusterMonitoring.endpoints }}
+#  - interval: {{ $endpoint.interval }}
+#    port: {{ $endpoint.port }}
+#    scheme: {{ $endpoint.scheme }}
+#  {{- end }}
+#  selector:
+#    matchLabels:
+#      app.kubernetes.io/instance: scaffolding
+#{{- end }}
+#{{- end }}
diff --git a/examples/values-kind-sigstore.yaml b/examples/values-kind-sigstore.yaml
@@ -0,0 +1,50 @@
+# With this example, it is expected that there is a secret with the fulcio root & signing keys
+# named 'fulcio-secret-rh' in namespace 'fulcio-system' and a secret 'rekor-private-key'
+# with rekor signing keys in the 'rekor-system' namespace.
+# secret names must match secret names in scaffold.tuf, that default to
+# 'fulcio-secret-rh' and 'rekor-private-key'
+# For root & key requirements, see ../requirements-keys-certs.md
+# Note: User must substitute for $OPENSHIFT_APPS_SUBDOMAIN below.
+# Base domain is results of "oc get dns cluster -o jsonpath='{ .spec.baseDomain }'"
+---
+configs:
+  cosign:
+    appsSubdomain: $OPENSHIFT_APPS_SUBDOMAIN
+  fulcio:
+    create: false
+  rekor:
+    create: false
+
+# github.com/sigstore/helm-charts/charts
+scaffold:
+  fulcio:
+    clusterMonitoring:
+      enabled: false
+    server:
+      ingress:
+        http:
+          hosts:
+            - host: fulcio.$OPENSHIFT_APPS_SUBDOMAIN
+              path: /
+    config:
+      contents:
+        OIDCIssuers:
+          # https://<keycloak_instance>.<keycloak_ns>.<openshift_apps_subdomain>/auth/realms/sigstore
+          ? https://keycloak-keycloak-system.apps.open-svc-sts.k1wl.p1.openshiftapps.com/auth/realms/sigstore
+          : IssuerURL: https://keycloak-keycloak-system.apps.open-svc-sts.k1wl.p1.openshiftapps.com/auth/realms/sigstore
+            ClientID: sigstore
+            Type: email
+  rekor:
+    clusterMonitoring:
+      enabled: false
+    server:
+      ingress:
+        hosts:
+          - host: rekor.$OPENSHIFT_APPS_SUBDOMAIN
+            path: /
+  tuf:
+    ingress:
+      http:
+        hosts:
+          - host: tuf.$OPENSHIFT_APPS_SUBDOMAIN
+            path: /
diff --git a/kind/kind-up-test.sh b/kind/kind-up-test.sh
@@ -0,0 +1,46 @@
+# run this from root of repository
+
+# spin up kind cluster
+cat <<EOF | sudo kind create cluster --image kindest/node:v1.28.0 --config=-
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+- role: control-plane
+  kubeadmConfigPatches:
+  - |
+    kind: InitConfiguration
+    nodeRegistration:
+      kubeletExtraArgs:
+        node-labels: "ingress-ready=true"
+  extraPortMappings:
+  - containerPort: 80
+    hostPort: 80
+    protocol: TCP
+  - containerPort: 443
+    hostPort: 443
+    protocol: TCP
+EOF
+
+sudo kind get kubeconfig > /tmp/config
+sudo chown $USER:$USER /tmp/config
+mv /tmp/config ~/.kube/config
+
+# install ingress-nginx
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
+
+#kubectl wait --namespace ingress-nginx \
+#  --for=condition=ready pod \
+#  --selector=app.kubernetes.io/component=controller \
+#  --timeout=90s
+#
+# TODO: add a wait for ingress to be ready with test.yaml & curl
+#sleep 20
+
+oc create ns fulcio-system
+oc create ns rekor-system
+oc -n fulcio-system create secret generic fulcio-secret-rh --from-file=private=./kind/test-keys-cert/file_ca_key.pem --from-file=public=./kind/test-keys-cert/file_ca_pub.pem --from-file=cert=./kind/test-keys-cert/fulcio-root.pem  --from-literal=password=secure --dry-run=client -o yaml | oc apply -f-
+
+oc -n rekor-system create secret generic rekor-private-key --from-file=private=./kind/test-keys-cert/rekor_key.pem --dry-run=client -o yaml | oc apply -f-
+
+# install charts
+#OPENSHIFT_APPS_SUBDOMAIN=localhost envsubst <  ./examples/values-kind-sigstore.yaml | helm upgrade -i scaffolding --debug ./charts/scaffolding -n sigstore --create-namespace --values -
diff --git a/kind/test.yaml b/kind/test.yaml
@@ -0,0 +1,79 @@
+kind: Pod
+apiVersion: v1
+metadata:
+  name: foo-app
+  labels:
+    app: foo
+spec:
+  containers:
+  - command:
+    - /agnhost
+    - netexec
+    - --http-port
+    - "8080"
+    image: registry.k8s.io/e2e-test-images/agnhost:2.39
+    name: foo-app
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: foo-service
+spec:
+  selector:
+    app: foo
+  ports:
+  # Default port used by the image
+  - port: 8080
+---
+kind: Pod
+apiVersion: v1
+metadata:
+  name: bar-app
+  labels:
+    app: bar
+spec:
+  containers:
+  - command:
+    - /agnhost
+    - netexec
+    - --http-port
+    - "8080"
+    image: registry.k8s.io/e2e-test-images/agnhost:2.39
+    name: bar-app
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: bar-service
+spec:
+  selector:
+    app: bar
+  ports:
+  # Default port used by the image
+  - port: 8080
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: example-ingress
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /$2
+spec:
+  rules:
+  - http:
+      paths:
+      - pathType: Prefix
+        path: /foo(/|$)(.*)
+        backend:
+          service:
+            name: foo-service
+            port:
+              number: 8080
+      - pathType: Prefix
+        path: /bar(/|$)(.*)
+        backend:
+          service:
+            name: bar-service
+            port:
+              number: 8080
+---