Deflake base profiles OCI registry e2e tests

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>

cmd/spoc/main.go

@@ -161,6 +161,13 @@ func main() {
 					Aliases: []string{"p"},
 					Usage:   "the platform to be used in format: os[/arch][/variant][:os_version]",
 				},
+				&cli.BoolFlag{
+					Name:    puller.FlagVerifySignature,
+					Aliases: []string{"s"},
+					EnvVars: []string{"VERIFY_SIGNATURE"},
+					Usage:   "verify the signature of the artifact",
+					Value:   true,
+				},
 			},
 		},
 	)

internal/pkg/artifact/artifact.go

@@ -242,20 +242,23 @@ func (a *Artifact) Pull(
 	c context.Context,
 	from, username, password string,
 	platform *v1.Platform,
+	verifySignature bool,
 ) (*PullResult, error) {
 	ctx, cancel := context.WithTimeout(c, defaultTimeout)
 	defer cancel()
 
-	a.logger.Info("Verifying signature")
-	const all = ".*"
-	v := verify.VerifyCommand{
-		CertVerifyOptions: options.CertVerifyOptions{
-			CertIdentityRegexp:   all,
-			CertOidcIssuerRegexp: all,
-		},
-	}
-	if err := a.VerifyCmd(ctx, v, from); err != nil {
-		return nil, fmt.Errorf("verify signature: %w", err)
+	if verifySignature {
+		a.logger.Info("Verifying signature")
+		const all = ".*"
+		v := verify.VerifyCommand{
+			CertVerifyOptions: options.CertVerifyOptions{
+				CertIdentityRegexp:   all,
+				CertOidcIssuerRegexp: all,
+			},
+		}
+		if err := a.VerifyCmd(ctx, v, from); err != nil {
+			return nil, fmt.Errorf("verify signature: %w", err)
+		}
 	}
 
 	dir, err := a.MkdirTemp("", "pull-")

internal/pkg/artifact/artifact_test.go

@@ -394,7 +394,7 @@ func TestPull(t *testing.T) {
 			sut := New(logr.Discard())
 			sut.impl = mock
 
-			res, err := sut.Pull(context.Background(), "", "foo", "bar", nil)
+			res, err := sut.Pull(context.Background(), "", "foo", "bar", nil, true)
 			assert(res, err)
 		})
 	}

internal/pkg/cli/puller/consts.go

@@ -31,4 +31,7 @@ const (
 
 	// FlagPlatform is the flag for defining the platform.
 	FlagPlatform string = "platform"
+
+	// FlagVerifySignature is the flag for verifying the signature on pull.
+	FlagVerifySignature string = "verify-signature"
 )

internal/pkg/cli/puller/impl.go

@@ -32,12 +32,16 @@ type defaultImpl struct{}
 //go:generate go run github.com/maxbrunsfeld/counterfeiter/v6 -generate -header ../../../../hack/boilerplate/boilerplate.generatego.txt
 //counterfeiter:generate . impl
 type impl interface {
-	Pull(string, string, string, *v1.Platform) (*artifact.PullResult, error)
+	Pull(string, string, string, *v1.Platform, bool) (*artifact.PullResult, error)
 	WriteFile(string, []byte, os.FileMode) error
 }
 
-func (*defaultImpl) Pull(from, username, password string, platform *v1.Platform) (*artifact.PullResult, error) {
-	return artifact.New(logr.New(&cli.LogSink{})).Pull(context.Background(), from, username, password, platform)
+func (*defaultImpl) Pull(
+	from, username, password string, platform *v1.Platform, verifySignature bool,
+) (*artifact.PullResult, error) {
+	return artifact.New(logr.New(&cli.LogSink{})).Pull(
+		context.Background(), from, username, password, platform, verifySignature,
+	)
 }
 
 func (*defaultImpl) WriteFile(name string, data []byte, perm os.FileMode) error {

internal/pkg/cli/puller/options.go

@@ -29,17 +29,19 @@ import (
 
 // Options define all possible options for the puller.
 type Options struct {
-	pullFrom   string
-	outputFile string
-	username   string
-	password   string
-	platform   *v1.Platform
+	pullFrom        string
+	outputFile      string
+	username        string
+	password        string
+	platform        *v1.Platform
+	verifySignature bool
 }
 
 // Default returns a default options instance.
 func Default() *Options {
 	return &Options{
-		outputFile: DefaultOutputFile,
+		outputFile:      DefaultOutputFile,
+		verifySignature: true,
 	}
 }
 
@@ -64,6 +66,10 @@ func FromContext(ctx *ucli.Context) (*Options, error) {
 		options.username = ctx.String(FlagUsername)
 	}
 
+	if ctx.IsSet(FlagVerifySignature) {
+		options.verifySignature = ctx.Bool(FlagVerifySignature)
+	}
+
 	options.password = os.Getenv(cli.EnvKeyPassword)
 
 	platform, err := cli.ParsePlatform(ctx.String(FlagPlatform))

internal/pkg/cli/puller/options_test.go

@@ -29,7 +29,7 @@ func TestFromContext(t *testing.T) {
 	for _, tc := range []struct {
 		name    string
 		prepare func(*flag.FlagSet)
-		assert  func(error)
+		assert  func(*Options, error)
 	}{
 		{
 			name: "success",
@@ -38,8 +38,23 @@ func TestFromContext(t *testing.T) {
 				require.Nil(t, set.Set(FlagUsername, "username"))
 				require.Nil(t, set.Parse([]string{"echo"}))
 			},
-			assert: func(err error) {
+			assert: func(opts *Options, err error) {
 				require.NoError(t, err)
+				require.True(t, opts.verifySignature)
+			},
+		},
+		{
+			name: "success with verify signature disabled",
+			prepare: func(set *flag.FlagSet) {
+				set.String(FlagUsername, "", "")
+				set.Bool(FlagVerifySignature, true, "")
+				require.Nil(t, set.Set(FlagUsername, "username"))
+				require.Nil(t, set.Set(FlagVerifySignature, "false"))
+				require.Nil(t, set.Parse([]string{"echo"}))
+			},
+			assert: func(opts *Options, err error) {
+				require.NoError(t, err)
+				require.False(t, opts.verifySignature)
 			},
 		},
 		{
@@ -48,7 +63,7 @@ func TestFromContext(t *testing.T) {
 				set.String(FlagOutputFile, "", "")
 				require.Nil(t, set.Set(FlagOutputFile, ""))
 			},
-			assert: func(err error) {
+			assert: func(_ *Options, err error) {
 				require.Error(t, err)
 			},
 		},
@@ -59,7 +74,18 @@ func TestFromContext(t *testing.T) {
 				require.Nil(t, set.Set(FlagOutputFile, ""))
 				require.Nil(t, set.Parse([]string{"echo"}))
 			},
-			assert: func(err error) {
+			assert: func(_ *Options, err error) {
+				require.Error(t, err)
+			},
+		},
+		{
+			name: "failure parse platform",
+			prepare: func(set *flag.FlagSet) {
+				set.String(FlagPlatform, "", "")
+				require.Nil(t, set.Set(FlagPlatform, "os//var"))
+				require.Nil(t, set.Parse([]string{"echo"}))
+			},
+			assert: func(_ *Options, err error) {
 				require.Error(t, err)
 			},
 		},
@@ -76,8 +102,8 @@ func TestFromContext(t *testing.T) {
 			app := cli.NewApp()
 			ctx := cli.NewContext(app, set, nil)
 
-			_, err := FromContext(ctx)
-			assert(err)
+			opts, err := FromContext(ctx)
+			assert(opts, err)
 		})
 	}
 }

internal/pkg/cli/puller/puller.go

@@ -47,6 +47,7 @@ func (p *Puller) Run() error {
 		p.options.username,
 		p.options.password,
 		p.options.platform,
+		p.options.verifySignature,
 	)
 	if err != nil {
 		return fmt.Errorf("pull profile: %w", err)

internal/pkg/daemon/seccompprofile/impl.go

@@ -35,7 +35,7 @@ type defaultImpl struct{}
 //go:generate go run github.com/maxbrunsfeld/counterfeiter/v6 -generate -header ../../../../hack/boilerplate/boilerplate.generatego.txt
 //counterfeiter:generate . impl
 type impl interface {
-	Pull(context.Context, logr.Logger, string, string, string, *v1.Platform) (*artifact.PullResult, error)
+	Pull(context.Context, logr.Logger, string, string, string, *v1.Platform, bool) (*artifact.PullResult, error)
 	PullResultType(*artifact.PullResult) artifact.PullResultType
 	PullResultSeccompProfile(*artifact.PullResult) *seccompprofileapi.SeccompProfile
 	ClientGetProfile(
@@ -46,9 +46,9 @@ type impl interface {
 }
 
 func (*defaultImpl) Pull(
-	ctx context.Context, l logr.Logger, from, _, _ string, platform *v1.Platform,
+	ctx context.Context, l logr.Logger, from, username, password string, platform *v1.Platform, verifySignature bool,
 ) (*artifact.PullResult, error) {
-	return artifact.New(l).Pull(ctx, from, "", "", platform)
+	return artifact.New(l).Pull(ctx, from, username, password, platform, verifySignature)
 }
 
 func (*defaultImpl) PullResultType(res *artifact.PullResult) artifact.PullResultType {

internal/pkg/daemon/seccompprofile/seccompprofile.go

@@ -367,7 +367,7 @@ func (r *Reconciler) resolveSyscallsForProfile(
 			res, err := r.Pull(ctx, l, from, "", "", &v1.Platform{
 				Architecture: runtime.GOARCH,
 				OS:           runtime.GOOS,
-			})
+			}, false /* TODO: make configurable */)
 			if err != nil {
 				l.Error(err, "cannot pull base profile "+baseProfileName)
 				r.IncSeccompProfileError(r.metrics, reasonCannotPullProfile)

internal/pkg/manager/spod/bindata/spod.go

@@ -369,7 +369,7 @@ semodule -i /opt/spo-profiles/selinuxrecording.cil
 								},
 							},
 							{
-								Name: "OPERATOR_NAMESPACE",
+								Name: config.OperatorNamespaceEnvKey,
 								ValueFrom: &corev1.EnvVarSource{
 									FieldRef: &corev1.ObjectFieldSelector{
 										FieldPath: "metadata.namespace",

internal/pkg/manager/spod/bindata/webhook.go

@@ -341,7 +341,7 @@ var webhookDeployment = &appsv1.Deployment{
 						},
 						Env: []corev1.EnvVar{
 							{
-								Name: "OPERATOR_NAMESPACE",
+								Name: config.OperatorNamespaceEnvKey,
 								ValueFrom: &corev1.EnvVarSource{
 									FieldRef: &corev1.ObjectFieldSelector{
 										FieldPath: "metadata.namespace",

test/tc_base_profiles_oci_test.go

@@ -84,6 +84,8 @@ spec:
 	e.logf("Waiting for profile to be reconciled")
 	e.waitFor("condition=ready", "sp", "hello")
 
+	e.kubectlOperatorNS("logs", "-l", "name=spod")
+
 	e.logf("Creating hello-world pod")
 	helloPodFile, err := os.CreateTemp("", "hello-pod*.yaml")
 	e.Nil(err)