Deflake base profiles OCI registry e2e tests

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>

api/spod/v1alpha1/spod_types.go

@@ -295,6 +295,11 @@ type SPODSpec struct {
 	// +optional
 	// +kubebuilder:default="system-node-critical"
 	PriorityClassName string `json:"priorityClassName,omitempty"`
+
+	// DisableOCIArtifactSignatureVerification can be used to disable OCI
+	// artifact signature verification.
+	// +optional
+	DisableOCIArtifactSignatureVerification bool `json:"disableOciArtifactSignatureVerification"`
 }
 
 // SPODState defines the state that the spod is in.

bundle/manifests/security-profiles-operator.x-k8s.io_securityprofilesoperatordaemons.yaml

@@ -933,6 +933,10 @@ spec:
                       More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                     type: object
                 type: object
+              disableOciArtifactSignatureVerification:
+                description: DisableOCIArtifactSignatureVerification can be used to
+                  disable OCI artifact signature verification.
+                type: boolean
               enableAppArmor:
                 description: tells the operator whether or not to enable AppArmor
                   support for this SPOD instance.

cmd/spoc/main.go

@@ -161,6 +161,12 @@ func main() {
 					Aliases: []string{"p"},
 					Usage:   "the platform to be used in format: os[/arch][/variant][:os_version]",
 				},
+				&cli.BoolFlag{
+					Name:    puller.FlagDisableSignatureVerification,
+					Aliases: []string{"s"},
+					EnvVars: []string{"DISABLE_SIGNATURE_VERIFICATION"},
+					Usage:   "disable signature verification",
+				},
 			},
 		},
 	)

deploy/base-crds/crds/securityprofilesoperatordaemon.yaml

@@ -930,6 +930,10 @@ spec:
                       More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                     type: object
                 type: object
+              disableOciArtifactSignatureVerification:
+                description: DisableOCIArtifactSignatureVerification can be used to
+                  disable OCI artifact signature verification.
+                type: boolean
               enableAppArmor:
                 description: tells the operator whether or not to enable AppArmor
                   support for this SPOD instance.

deploy/helm/crds/crds.yaml

@@ -1506,6 +1506,10 @@ spec:
                       More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                     type: object
                 type: object
+              disableOciArtifactSignatureVerification:
+                description: DisableOCIArtifactSignatureVerification can be used to
+                  disable OCI artifact signature verification.
+                type: boolean
               enableAppArmor:
                 description: tells the operator whether or not to enable AppArmor
                   support for this SPOD instance.

deploy/namespace-operator.yaml

@@ -1506,6 +1506,10 @@ spec:
                       More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                     type: object
                 type: object
+              disableOciArtifactSignatureVerification:
+                description: DisableOCIArtifactSignatureVerification can be used to
+                  disable OCI artifact signature verification.
+                type: boolean
               enableAppArmor:
                 description: tells the operator whether or not to enable AppArmor
                   support for this SPOD instance.

deploy/openshift-dev.yaml

@@ -1724,6 +1724,10 @@ spec:
                       More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                     type: object
                 type: object
+              disableOciArtifactSignatureVerification:
+                description: DisableOCIArtifactSignatureVerification can be used to
+                  disable OCI artifact signature verification.
+                type: boolean
               enableAppArmor:
                 description: tells the operator whether or not to enable AppArmor
                   support for this SPOD instance.

deploy/openshift-downstream.yaml

@@ -1506,6 +1506,10 @@ spec:
                       More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                     type: object
                 type: object
+              disableOciArtifactSignatureVerification:
+                description: DisableOCIArtifactSignatureVerification can be used to
+                  disable OCI artifact signature verification.
+                type: boolean
               enableAppArmor:
                 description: tells the operator whether or not to enable AppArmor
                   support for this SPOD instance.

deploy/operator.yaml

@@ -1506,6 +1506,10 @@ spec:
                       More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                     type: object
                 type: object
+              disableOciArtifactSignatureVerification:
+                description: DisableOCIArtifactSignatureVerification can be used to
+                  disable OCI artifact signature verification.
+                type: boolean
               enableAppArmor:
                 description: tells the operator whether or not to enable AppArmor
                   support for this SPOD instance.

deploy/webhook-operator.yaml

@@ -1724,6 +1724,10 @@ spec:
                       More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                     type: object
                 type: object
+              disableOciArtifactSignatureVerification:
+                description: DisableOCIArtifactSignatureVerification can be used to
+                  disable OCI artifact signature verification.
+                type: boolean
               enableAppArmor:
                 description: tells the operator whether or not to enable AppArmor
                   support for this SPOD instance.

internal/pkg/artifact/artifact.go

@@ -242,20 +242,23 @@ func (a *Artifact) Pull(
 	c context.Context,
 	from, username, password string,
 	platform *v1.Platform,
+	disableSignatureVerification bool,
 ) (*PullResult, error) {
 	ctx, cancel := context.WithTimeout(c, defaultTimeout)
 	defer cancel()
 
-	a.logger.Info("Verifying signature")
-	const all = ".*"
-	v := verify.VerifyCommand{
-		CertVerifyOptions: options.CertVerifyOptions{
-			CertIdentityRegexp:   all,
-			CertOidcIssuerRegexp: all,
-		},
-	}
-	if err := a.VerifyCmd(ctx, v, from); err != nil {
-		return nil, fmt.Errorf("verify signature: %w", err)
+	if !disableSignatureVerification {
+		a.logger.Info("Verifying signature")
+		const all = ".*"
+		v := verify.VerifyCommand{
+			CertVerifyOptions: options.CertVerifyOptions{
+				CertIdentityRegexp:   all,
+				CertOidcIssuerRegexp: all,
+			},
+		}
+		if err := a.VerifyCmd(ctx, v, from); err != nil {
+			return nil, fmt.Errorf("verify signature: %w", err)
+		}
 	}
 
 	dir, err := a.MkdirTemp("", "pull-")

internal/pkg/artifact/artifact_test.go

@@ -394,7 +394,7 @@ func TestPull(t *testing.T) {
 			sut := New(logr.Discard())
 			sut.impl = mock
 
-			res, err := sut.Pull(context.Background(), "", "foo", "bar", nil)
+			res, err := sut.Pull(context.Background(), "", "foo", "bar", nil, false)
 			assert(res, err)
 		})
 	}

internal/pkg/cli/puller/consts.go

@@ -31,4 +31,8 @@ const (
 
 	// FlagPlatform is the flag for defining the platform.
 	FlagPlatform string = "platform"
+
+	// FlagDisableSignatureVerification is the flag for disabling the signature
+	// verification on pull.
+	FlagDisableSignatureVerification string = "disable-signature-verification"
 )

internal/pkg/cli/puller/impl.go

@@ -32,12 +32,16 @@ type defaultImpl struct{}
 //go:generate go run github.com/maxbrunsfeld/counterfeiter/v6 -generate -header ../../../../hack/boilerplate/boilerplate.generatego.txt
 //counterfeiter:generate . impl
 type impl interface {
-	Pull(string, string, string, *v1.Platform) (*artifact.PullResult, error)
+	Pull(string, string, string, *v1.Platform, bool) (*artifact.PullResult, error)
 	WriteFile(string, []byte, os.FileMode) error
 }
 
-func (*defaultImpl) Pull(from, username, password string, platform *v1.Platform) (*artifact.PullResult, error) {
-	return artifact.New(logr.New(&cli.LogSink{})).Pull(context.Background(), from, username, password, platform)
+func (*defaultImpl) Pull(
+	from, username, password string, platform *v1.Platform, disableSignatureVerification bool,
+) (*artifact.PullResult, error) {
+	return artifact.New(logr.New(&cli.LogSink{})).Pull(
+		context.Background(), from, username, password, platform, disableSignatureVerification,
+	)
 }
 
 func (*defaultImpl) WriteFile(name string, data []byte, perm os.FileMode) error {

internal/pkg/cli/puller/options.go

@@ -29,11 +29,12 @@ import (
 
 // Options define all possible options for the puller.
 type Options struct {
-	pullFrom   string
-	outputFile string
-	username   string
-	password   string
-	platform   *v1.Platform
+	pullFrom                     string
+	outputFile                   string
+	username                     string
+	password                     string
+	platform                     *v1.Platform
+	disableSignatureVerification bool
 }
 
 // Default returns a default options instance.
@@ -64,6 +65,10 @@ func FromContext(ctx *ucli.Context) (*Options, error) {
 		options.username = ctx.String(FlagUsername)
 	}
 
+	if ctx.IsSet(FlagDisableSignatureVerification) {
+		options.disableSignatureVerification = ctx.Bool(FlagDisableSignatureVerification)
+	}
+
 	options.password = os.Getenv(cli.EnvKeyPassword)
 
 	platform, err := cli.ParsePlatform(ctx.String(FlagPlatform))

internal/pkg/cli/puller/options_test.go

@@ -29,7 +29,7 @@ func TestFromContext(t *testing.T) {
 	for _, tc := range []struct {
 		name    string
 		prepare func(*flag.FlagSet)
-		assert  func(error)
+		assert  func(*Options, error)
 	}{
 		{
 			name: "success",
@@ -38,8 +38,21 @@ func TestFromContext(t *testing.T) {
 				require.Nil(t, set.Set(FlagUsername, "username"))
 				require.Nil(t, set.Parse([]string{"echo"}))
 			},
-			assert: func(err error) {
+			assert: func(opts *Options, err error) {
 				require.NoError(t, err)
+				require.False(t, opts.disableSignatureVerification)
+			},
+		},
+		{
+			name: "success with verify signature disabled",
+			prepare: func(set *flag.FlagSet) {
+				set.Bool(FlagDisableSignatureVerification, true, "")
+				require.Nil(t, set.Set(FlagDisableSignatureVerification, "true"))
+				require.Nil(t, set.Parse([]string{"echo"}))
+			},
+			assert: func(opts *Options, err error) {
+				require.NoError(t, err)
+				require.True(t, opts.disableSignatureVerification)
 			},
 		},
 		{
@@ -48,7 +61,7 @@ func TestFromContext(t *testing.T) {
 				set.String(FlagOutputFile, "", "")
 				require.Nil(t, set.Set(FlagOutputFile, ""))
 			},
-			assert: func(err error) {
+			assert: func(_ *Options, err error) {
 				require.Error(t, err)
 			},
 		},
@@ -59,7 +72,18 @@ func TestFromContext(t *testing.T) {
 				require.Nil(t, set.Set(FlagOutputFile, ""))
 				require.Nil(t, set.Parse([]string{"echo"}))
 			},
-			assert: func(err error) {
+			assert: func(_ *Options, err error) {
+				require.Error(t, err)
+			},
+		},
+		{
+			name: "failure parse platform",
+			prepare: func(set *flag.FlagSet) {
+				set.String(FlagPlatform, "", "")
+				require.Nil(t, set.Set(FlagPlatform, "os//var"))
+				require.Nil(t, set.Parse([]string{"echo"}))
+			},
+			assert: func(_ *Options, err error) {
 				require.Error(t, err)
 			},
 		},
@@ -76,8 +100,8 @@ func TestFromContext(t *testing.T) {
 			app := cli.NewApp()
 			ctx := cli.NewContext(app, set, nil)
 
-			_, err := FromContext(ctx)
-			assert(err)
+			opts, err := FromContext(ctx)
+			assert(opts, err)
 		})
 	}
 }

internal/pkg/cli/puller/puller.go

@@ -47,6 +47,7 @@ func (p *Puller) Run() error {
 		p.options.username,
 		p.options.password,
 		p.options.platform,
+		p.options.disableSignatureVerification,
 	)
 	if err != nil {
 		return fmt.Errorf("pull profile: %w", err)