ci: add a OCI registry test for referrers support

zot is a strongly OCI conformant registry with referrers support. --- Note the new --registry-referrers-mode flag which must be set to “oci-1-1”. References: [1] https://www.chainguard.dev/unchained/building-towards-oci-v1-1-support-in-cosign [2] https://zotregistry.io Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
sigstore · Oct 12, 2023 · 1af6118 · 1af6118
1 parent 5b2d30a
commit 1af6118
Show file tree

Hide file tree

Showing 2 changed files with 100 additions and 0 deletions.
diff --git a/.github/workflows/kind-e2e-insecure-registry.yaml b/.github/workflows/kind-e2e-insecure-registry.yaml
@@ -41,6 +41,8 @@ jobs:
       REGISTRY_PORT: 5000
       INSECURE_REGISTRY_NAME: insecure-registry.notlocal
       INSECURE_REGISTRY_PORT: 5001
+      INSECURE_OCI_REGISTRY_NAME: insecure-oci-registry.notlocal
+      INSECURE_OCI_REGISTRY_PORT: 5002
       KO_DOCKER_REPO: registry.local:5000/policy-controller
 
     steps:
@@ -100,6 +102,54 @@ jobs:
         go install github.com/google/go-containerregistry/cmd/crane
         ./test/e2e_test_insecure_registry.sh
 
+    - name: Setup local insecure OCI registry
+      run: |
+        # Create a self-signed SSL cert
+        mkdir -p insecure-certs
+        openssl req \
+          -subj "/C=US/ST=WA/L=Flavorton/O=Tests-R-Us/OU=Dept. of Insecurity/CN=example.com/emailAddress=testing@example.com" \
+          -newkey rsa:4096 -nodes -sha256 -keyout insecure-certs/domain.key \
+          -x509 -days 365 -out insecure-certs/domain.crt
+        cat > config.json << EOF
+        {
+          "distSpecVersion": "1.1.0-dev",
+          "storage": {
+            "rootDirectory": "/tmp/zot"
+          },
+          "http": {
+            "address": "0.0.0.0",
+            "port": "5000",
+            "realm": "zot",
+            "tls": {
+              "cert": "/insecure-certs/domain.crt",
+              "key": "/insecure-certs/domain.key"
+            }
+          },
+          "log": {
+            "level": "debug"
+          }
+        }
+        EOF
+        # Run a registry.
+        docker run -d  --restart=always \
+          --name $INSECURE_OCI_REGISTRY_NAME \
+          -v "$(pwd)"/insecure-certs:/insecure-certs \
+          -v "$(pwd)"/config.json:/etc/zot/config.json \
+          -p $INSECURE_OCI_REGISTRY_PORT:$REGISTRY_PORT \
+          ghcr.io/project-zot/zot-minimal-linux-amd64:$ZOT_VERSION
+        # Connect the registry to the KinD network.
+        docker network connect "kind" $INSECURE_OCI_REGISTRY_NAME
+        # Make the $INSECURE_REGISTRY_NAME -> 127.0.0.1, to tell `ko` to publish to
+        # local registry, even when pushing $INSECURE_REGISTRY_NAME:$INSECURE_REGISTRY_NAME/some/image
+        sudo echo "127.0.0.1 $INSECURE_OCI_REGISTRY_NAME" | sudo tee -a /etc/hosts
+      env:
+        ZOT_VERSION: v2.0.0-rc6
+
+    - name: Run Insecure OCI Registry Tests
+      run: |
+        go install github.com/google/go-containerregistry/cmd/crane
+        ./test/e2e_test_insecure_oci_registry.sh
+
     - name: Collect diagnostics
       if: ${{ failure() }}
       uses: chainguard-dev/actions/kind-diag@84c993eaf02da1c325854fb272a4df9184bd80fc # main
diff --git a/test/e2e_test_insecure_oci_registry.sh b/test/e2e_test_insecure_oci_registry.sh
@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+#
+# Copyright 2023 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+go build -o cosign ./cmd/cosign
+tmp=$(mktemp -d)
+cp cosign $tmp/
+
+INSECURE_REGISTRY_NAME=${INSECURE_OCI_REGISTRY_NAME:-insecure-oci-registry.notlocal}
+INSECURE_REGISTRY_PORT=${INSECURE_OCI_REGISTRY_PORT:-5002}
+
+pushd $tmp
+
+pass="$RANDOM"
+export COSIGN_PASSWORD=$pass
+export COSIGN_YES="true"
+export COSIGN_EXPERIMENTAL=1
+
+./cosign generate-key-pair
+signing_key=cosign.key
+verification_key=cosign.pub
+
+img="${INSECURE_REGISTRY_NAME}:${INSECURE_REGISTRY_PORT}/test"
+(crane delete $(./cosign triangulate $img)) || true
+crane cp ghcr.io/distroless/static $img --insecure
+
+# Operations with insecure registries should fail by default, then succeed
+# with `--allow-insecure-registry`
+if (./cosign sign --key ${signing_key} $img); then false; fi
+./cosign sign --allow-insecure-registry --registry-referrers-mode=oci-1-1 --key ${signing_key} $img
+if (./cosign verify --key ${verification_key} $img); then false; fi
+./cosign verify --allow-insecure-registry --experimental-oci11=true --key ${verification_key} $img
+
+echo "SUCCESS"