test: update e2e

Signed-off-by: Juncheng Zhu <[email protected]>

scripts/generate-crl-testing-certs.sh

@@ -205,7 +205,7 @@ openssl ca -config intermediate.cnf -in leaf.csr -out leaf.crt -batch -extension
 # Generate intermediate CRL using root.cnf (before revocation)
 openssl ca -config root.cnf -gencrl -out intermediate.crl
 
-# Convert root CRL to DER format
+# Convert intermediate CRL to DER format
 openssl crl -in intermediate.crl -outform der -out intermediate.crl
 
 # Revoke intermediate certificate using root CA
@@ -214,7 +214,7 @@ openssl ca -config root.cnf -revoke intermediate.crt
 # Generate intermediate CRL including revoked intermediate certificate
 openssl ca -config root.cnf -gencrl -out intermediate_revoked.crl
 
-# Convert intermediate CRL to DER format
+# Convert intermediate revoked CRL to DER format
 openssl crl -in intermediate_revoked.crl -outform der -out intermediate_revoked.crl
 
 # Generate leaf CRL
@@ -229,7 +229,7 @@ openssl ca -config intermediate.cnf -revoke leaf.crt
 # Generate leaf CRL including revoked leaf certificate
 openssl ca -config intermediate.cnf -gencrl -out leaf_revoked.crl
 
-# Convert leaf CRL to DER format
+# Convert leaf revoked CRL to DER format
 openssl crl -in leaf_revoked.crl -outform der -out leaf_revoked.crl
 
 # merge leaf cert and root cert to create fullchain file

test/bats/base-test.bats

@@ -129,8 +129,20 @@ RATIFY_NAMESPACE=gatekeeper-system
     teardown() {
         echo "cleaning up"
         wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl delete pod demo --namespace default --force --ignore-not-found=true'
+
+        # restore the original notation verifier for other tests
+        wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl replace -f ./config/samples/clustered/verifier/config_v1beta1_verifier_notation.yaml'
     }
-	run_crl_server
+    run_crl_server
+    expose_localhost
+
+    # add the tsaroot certificate as an inline key management provider
+    cat ./test/bats/tests/config/config_v1beta1_keymanagementprovider_inline.yaml >> crlkmprovider.yaml
+    cat .staging/notation/crl-test/root.crt | sed 's/^/      /g' >> crlkmprovider.yaml
+    run kubectl apply -f crlkmprovider.yaml --namespace ${RATIFY_NAMESPACE}
+    assert_success
+    run kubectl replace -f ./test/bats/tests/config/config_v1beta1_verifier_notation_crl.yaml
+
     run kubectl run demo --namespace default --image=registry:5000/notation:crl
     assert_success
 }

test/bats/helpers.bash

@@ -116,4 +116,8 @@ wait_for_process() {
 run_crl_server() {
 	python3 ./scripts/crl_server.py &
 	echo $(shell $!)
+}
+
+expose_localhost() {
+  kubectl proxy --address='0.0.0.0' --accept-hosts='.*'
 }

test/bats/tests/config/config_v1beta1_verifier_notation_crl.yaml

@@ -0,0 +1,24 @@
+apiVersion: config.ratify.deislabs.io/v1beta1
+kind: Verifier
+metadata:
+  name: verifier-notation
+spec:
+  name: notation
+  artifactTypes: application/vnd.cncf.notary.signature
+  parameters:
+    verificationCertStores:
+      ca:
+        ca-crl:
+          - keymanagementprovider-inline
+    trustPolicyDoc:
+      version: "1.0"
+      trustPolicies:
+        - name: default
+          registryScopes:
+            - "*"
+          signatureVerification:
+            level: strict
+          trustStores:
+            - ca:ca-crl
+          trustedIdentities:
+            - "*"