From a0f7581e0fec5bfc04645ca19cd7b19c6535db92 Mon Sep 17 00:00:00 2001 From: Sally O'Malley Date: Mon, 25 Sep 2023 11:21:54 -0400 Subject: [PATCH] add kind Signed-off-by: Sally O'Malley --- README.md | 23 ++++++ .../cluster-monitoring-resources.yaml | 38 ++++----- examples/values-kind-sigstore.yaml | 50 ++++++++++++ kind/kind-up-test.sh | 46 +++++++++++ kind/test.yaml | 79 +++++++++++++++++++ 5 files changed, 217 insertions(+), 19 deletions(-) create mode 100644 examples/values-kind-sigstore.yaml create mode 100755 kind/kind-up-test.sh create mode 100644 kind/test.yaml diff --git a/README.md b/README.md index 75dd54ea..dd749e8c 100644 --- a/README.md +++ b/README.md @@ -14,3 +14,26 @@ Information on how to install Sigstore components on OpenShift can be found in t ## Scaffolding Chart More information can be found by inspecting the [scaffolding chart](charts/scaffolding). + +## Contributing + +Install the [pre-commit](https://pre-commit.com/) package and run `pre-commit run --all-files` before pushing changes, or `pre-commit install` to automatically run the pre-commit hooks with every `git commit`. If it fails, +run the `git commit` command again. It's likely the pre-commit hook fixed the issue and you have to bring in the new changes. + +### Testing + +To set up a `kind` cluster and deploy the charts, run the following from the root of this repository + +```bash +./kind/kind-up-test.sh + +kubectl wait --namespace ingress-nginx \ + --for=condition=ready pod \ + --selector=app.kubernetes.io/component=controller \ + --timeout=90s + +OPENSHIFT_APPS_SUBDOMAIN=localhost envsubst < ./examples/values-kind-sigstore.yaml | helm upgrade -i scaffolding --debug ./charts/scaffolding -n sigstore --create-namespace --values - +``` + +This test setup is to verify that all deployments are healthy and all jobs complete. However, this does not create a working environment to sign artifacts. + 
diff --git a/charts/scaffolding/templates/cluster-monitoring-resources.yaml b/charts/scaffolding/templates/cluster-monitoring-resources.yaml
index a08dbca2..17c01e78 100644
--- a/charts/scaffolding/templates/cluster-monitoring-resources.yaml
+++ b/charts/scaffolding/templates/cluster-monitoring-resources.yaml
@@ -32,22 +32,22 @@ subjects:
 name: prometheus-k8s
 namespace: openshift-monitoring
 ---
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- labels:
- app.kubernetes.io/name: {{ $config.namespace }}
- name: {{ $config.namespace }}
- namespace: {{ $config.namespace }}
-spec:
- endpoints:
- {{- range $endpoint := $config.clusterMonitoring.endpoints }}
- - interval: {{ $endpoint.interval }}
- port: {{ $endpoint.port }}
- scheme: {{ $endpoint.scheme }}
- {{- end }}
- selector:
- matchLabels:
- app.kubernetes.io/instance: scaffolding
-{{- end }}
-{{- end }}
\ No newline at end of file
+#apiVersion: monitoring.coreos.com/v1
+#kind: ServiceMonitor
+#metadata:
+# labels:
+# app.kubernetes.io/name: {{ $config.namespace }}
+# name: {{ $config.namespace }}
+# namespace: {{ $config.namespace }}
+#spec:
+# endpoints:
+# {{- range $endpoint := $config.clusterMonitoring.endpoints }}
+# - interval: {{ $endpoint.interval }}
+# port: {{ $endpoint.port }}
+# scheme: {{ $endpoint.scheme }}
+# {{- end }}
+# selector:
+# matchLabels:
+# app.kubernetes.io/instance: scaffolding
+#{{- end }}
+#{{- end }}
\ No newline at end of file
diff --git a/examples/values-kind-sigstore.yaml b/examples/values-kind-sigstore.yaml
new file mode 100644
index 00000000..2a7081dc
--- /dev/null
+++ b/examples/values-kind-sigstore.yaml
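Review bot: Prefixing the ServiceMonitor lines with `#` does not switch off the Go-template actions on them: Helm still evaluates `{{ $config.namespace }}`, the `range`, and the two trailing `{{- end }}` inside the commented lines, which is presumably the only reason the `if`/`range` blocks opened above the hunk still close. That is a fragile way to disable a resource; either wrap the YAML in a template comment (`{{/* … */}}`) and keep the two closing `{{- end }}` outside it, or keep the ServiceMonitor and gate it on a values flag so OpenShift installs do not lose it. The context lines show that the `prometheus-k8s` / `openshift-monitoring` subject of a binding defined above the hunk is still rendered, so that grant to the cluster monitoring stack now has nothing to serve; it should be disabled together with the monitor (the binding and any condition around it are outside the hunk). The file also still ends without a trailing newline.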
@@ -0,0 +1,50 @@
+# With this example, it is expected that there is a secret with the fulcio root & signing keys
+# named 'fulcio-secret-rh' in namespace 'fulcio-system' and a secret 'rekor-private-key'
+# with rekor signing keys in the 'rekor-system' namespace.
+# secret names must match secret names in scaffold.tuf, that default to
+# 'fulcio-secret-rh' and 'rekor-private-key'
+# For root & key requirements, see ../requirements-keys-certs.md
+# Note: User must substitute for $OPENSHIFT_APPS_SUBDOMAIN below.
+# Base domain is results of "oc get dns cluster -o jsonpath='{ .spec.baseDomain }'"
+---
+configs:
+ cosign:
+ appsSubdomain: $OPENSHIFT_APPS_SUBDOMAIN
+ fulcio:
+ create: false
+ rekor:
+ create: false
+
+# github.com/sigstore/helm-charts/charts
+scaffold:
+ fulcio:
+ clusterMonitoring:
+ enabled: false
+ server:
+ ingress:
+ http:
+ hosts:
+ - host: fulcio.$OPENSHIFT_APPS_SUBDOMAIN
+ path: /
+ config:
+ contents:
+ OIDCIssuers:
+ # https://../auth/realms/sigstore
+ ? https://keycloak-keycloak-system.apps.open-svc-sts.k1wl.p1.openshiftapps.com/auth/realms/sigstore
+ : IssuerURL: https://keycloak-keycloak-system.apps.open-svc-sts.k1wl.p1.openshiftapps.com/auth/realms/sigstore
+ ClientID: sigstore
+ Type: email
+ rekor:
+ clusterMonitoring:
+ enabled: false
+ server:
+ ingress:
+ hosts:
+ - host: rekor.$OPENSHIFT_APPS_SUBDOMAIN
+ path: /
+ tuf:
+ ingress:
+ http:
+ hosts:
+ - host: tuf.$OPENSHIFT_APPS_SUBDOMAIN
+ path: /
\ No newline at end of file
diff --git a/kind/kind-up-test.sh b/kind/kind-up-test.sh
new file mode 100755
index 00000000..1946eabb
--- /dev/null
+++ b/kind/kind-up-test.sh
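Review bot: The `OIDCIssuers` entry hard-codes a Keycloak issuer on one specific external OpenShift cluster (`keycloak-keycloak-system.apps.open-svc-sts.k1wl.p1.openshiftapps.com`), so every kind deployment built from this example configures Fulcio to trust identities issued by that provider, while every other host in the file is derived from `$OPENSHIFT_APPS_SUBDOMAIN`. Either derive the issuer the same way or extend the header comment to say that the issuer is a placeholder that must be replaced before the values are used for anything but the health-check deployment the README describes. The `? …` / `: …` complex-key form is unnecessary for a scalar key; a quoted key, `"https://…/auth/realms/sigstore":`, followed by the indented `IssuerURL`/`ClientID`/`Type` mapping, parses identically and is far easier to review. The file also ends without a trailing newline.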
@@ -0,0 +1,46 @@ +# run this from root of repository + +# spin up kind cluster +cat < /tmp/config +sudo chown $USER:$USER /tmp/config +mv /tmp/config ~/.kube/config + +# install ingress-nginx +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml + +#kubectl wait --namespace ingress-nginx \ +# --for=condition=ready pod \ +# --selector=app.kubernetes.io/component=controller \ +# --timeout=90s +# +# TODO: add a wait for ingress to be ready with test.yaml & curl +#sleep 20 + +oc create ns fulcio-system +oc create ns rekor-system +oc -n fulcio-system create secret generic fulcio-secret-rh --from-file=private=./kind/test-keys-cert/file_ca_key.pem --from-file=public=./kind/test-keys-cert/file_ca_pub.pem --from-file=cert=./kind/test-keys-cert/fulcio-root.pem --from-literal=password=secure --dry-run=client -o yaml | oc apply -f- + +oc -n rekor-system create secret generic rekor-private-key --from-file=private=./kind/test-keys-cert/rekor_key.pem --dry-run=client -o yaml | oc apply -f- + +# install charts +#OPENSHIFT_APPS_SUBDOMAIN=localhost envsubst < ./examples/values-kind-sigstore.yaml | helm upgrade -i scaffolding --debug ./charts/scaffolding -n sigstore --create-namespace --values - diff --git a/kind/test.yaml b/kind/test.yaml new file mode 100644 index 00000000..030f4874 --- /dev/null +++ b/kind/test.yaml 
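Review bot: The script has no shebang and no `set -euo pipefail`, so a failed `kind`, `kubectl` or `oc` step does not abort it, and the unconditional `mv /tmp/config ~/.kube/config` then replaces the user's existing kubeconfig and every context in it; start with `#!/usr/bin/env bash` and `set -euo pipefail`, and write the kind kubeconfig to a dedicated file that `KUBECONFIG` points at instead of overwriting `~/.kube/config`. The `kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/…/deploy.yaml` line installs whatever is on `main` at run time, so the test ingress controller is unpinned and can change under the developer; pin it to a release tag. The two `oc create secret` lines build Fulcio's CA secret and Rekor's signing key from committed test files with `--from-literal=password=secure`, so a comment above them should state that these are throwaway, kind-only materials that must never be applied to a shared cluster. Part of this hunk appears garbled in this rendering (the `cat <` line that should feed /tmp/config has lost its heredoc body, and fewer than the declared 46 lines are visible), so the cluster-creation step itself could not be reviewed.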
@@ -0,0 +1,79 @@
+kind: Pod
+apiVersion: v1
+metadata:
+ name: foo-app
+ labels:
+ app: foo
+spec:
+ containers:
+ - command:
+ - /agnhost
+ - netexec
+ - --http-port
+ - "8080"
+ image: registry.k8s.io/e2e-test-images/agnhost:2.39
+ name: foo-app
+---
+kind: Service
+apiVersion: v1
+metadata:
+ name: foo-service
+spec:
+ selector:
+ app: foo
+ ports:
+ # Default port used by the image
+ - port: 8080
+---
+kind: Pod
+apiVersion: v1
+metadata:
+ name: bar-app
+ labels:
+ app: bar
+spec:
+ containers:
+ - command:
+ - /agnhost
+ - netexec
+ - --http-port
+ - "8080"
+ image: registry.k8s.io/e2e-test-images/agnhost:2.39
+ name: bar-app
+---
+kind: Service
+apiVersion: v1
+metadata:
+ name: bar-service
+spec:
+ selector:
+ app: bar
+ ports:
+ # Default port used by the image
+ - port: 8080
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: example-ingress
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /$2
+spec:
+ rules:
+ - http:
+ paths:
+ - pathType: Prefix
+ path: /foo(/|$)(.*)
+ backend:
+ service:
+ name: foo-service
+ port:
+ number: 8080
+ - pathType: Prefix
+ path: /bar(/|$)(.*)
+ backend:
+ service:
+ name: bar-service
+ port:
+ number: 8080
+---
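Review bot: Nothing in the commit applies this manifest (kind-up-test.sh only names it in a TODO) and the file has no header saying what it is for, so add one such as `# ingress-nginx smoke test for the kind cluster: two agnhost pods published at /foo and /bar; not part of the sigstore deployment`. The `agnhost` image run with `netexec` is a Kubernetes e2e helper whose HTTP diagnostic endpoints, as far as its upstream documentation goes, include command execution inside the container, and this Ingress exposes both pods without a host restriction; that is acceptable only in the throwaway kind cluster, which the header comment should state explicitly. The Ingress carries no `ingressClassName`, so it depends on the controller watching class-less Ingresses (the kind provider manifest is believed to enable that, but nothing in this diff shows it); `ingressClassName: nginx` under `spec` would remove the dependency. The trailing `---` at the end of the file yields an empty final document that some linters warn about; drop it.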