diff --git a/scripts/generate-crl-testing-certs.sh b/scripts/generate-crl-testing-certs.sh
index 9ce6c1041..1ba529afd 100755
--- a/scripts/generate-crl-testing-certs.sh
+++ b/scripts/generate-crl-testing-certs.sh
@@ -205,7 +205,7 @@ openssl ca -config intermediate.cnf -in leaf.csr -out leaf.crt -batch -extension
 # Generate intermediate CRL using root.cnf (before revocation)
 openssl ca -config root.cnf -gencrl -out intermediate.crl
-# Convert root CRL to DER format
+# Convert intermediate CRL to DER format
 openssl crl -in intermediate.crl -outform der -out intermediate.crl
 # Revoke intermediate certificate using root CA
@@ -214,7 +214,7 @@ openssl ca -config root.cnf -revoke intermediate.crt
 # Generate intermediate CRL including revoked intermediate certificate
 openssl ca -config root.cnf -gencrl -out intermediate_revoked.crl
-# Convert intermediate CRL to DER format
+# Convert intermediate revoked CRL to DER format
 openssl crl -in intermediate_revoked.crl -outform der -out intermediate_revoked.crl
 # Generate leaf CRL
@@ -229,7 +229,7 @@ openssl ca -config intermediate.cnf -revoke leaf.crt
 # Generate leaf CRL including revoked leaf certificate
 openssl ca -config intermediate.cnf -gencrl -out leaf_revoked.crl
-# Convert leaf CRL to DER format
+# Convert leaf revoked CRL to DER format
 openssl crl -in leaf_revoked.crl -outform der -out leaf_revoked.crl
 # merge leaf cert and root cert to create fullchain file
diff --git a/test/bats/base-test.bats b/test/bats/base-test.bats
index 88c476bcd..3b73a12cc 100644
--- a/test/bats/base-test.bats
+++ b/test/bats/base-test.bats
@@ -129,8 +129,20 @@ RATIFY_NAMESPACE=gatekeeper-system
 teardown() {
 echo "cleaning up"
 wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl delete pod demo --namespace default --force --ignore-not-found=true'
+
+ # restore the original notation verifier for other tests
+ wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl replace -f ./config/samples/clustered/verifier/config_v1beta1_verifier_notation.yaml'
 }
- run_crl_server
+ run_crl_server
+ expose_localhost
+
+ # add the tsaroot certificate as an inline key management provider
+ cat ./test/bats/tests/config/config_v1beta1_keymanagementprovider_inline.yaml >> crlkmprovider.yaml
+ cat .staging/notation/crl-test/root.crt | sed 's/^/ /g' >> crlkmprovider.yaml
+ run kubectl apply -f crlkmprovider.yaml --namespace ${RATIFY_NAMESPACE}
+ assert_success
+ run kubectl replace -f ./test/bats/tests/config/config_v1beta1_verifier_notation_crl.yaml
+
 run kubectl run demo --namespace default --image=registry:5000/notation:crl
 assert_success
 }
diff --git a/test/bats/helpers.bash b/test/bats/helpers.bash
index aa95ab664..e9db0c62b 100644
--- a/test/bats/helpers.bash
+++ b/test/bats/helpers.bash
@@ -116,4 +116,8 @@ wait_for_process() {
 run_crl_server() {
 python3 ./scripts/crl_server.py &
 echo $(shell $!)
+}
+
+expose_localhost() {
+ kubectl proxy --address='0.0.0.0' --accept-hosts='.*'
 }
\ No newline at end of file
diff --git a/test/bats/tests/config/config_v1beta1_verifier_notation_crl.yaml b/test/bats/tests/config/config_v1beta1_verifier_notation_crl.yaml
new file mode 100644
index 000000000..56b5bb00b
--- /dev/null
+++ b/test/bats/tests/config/config_v1beta1_verifier_notation_crl.yaml
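Review bot: `run kubectl replace -f ./test/bats/tests/config/config_v1beta1_verifier_notation_crl.yaml` is the only `run` in the added block not followed by `assert_success`, so if the replace fails the test keeps running against the original notation verifier and can pass without ever exercising the CRL store; add `assert_success` directly after it. The two `>>` appends build `crlkmprovider.yaml` in the working directory without truncating it first, so a re-run in the same checkout appends a second KMP document and a second certificate; write the first piece with `>` (or build the file under `mktemp`) and remove it in `teardown`, which currently restores the verifier but leaves both the file and the applied inline KMP behind. The comment says "tsaroot certificate" while the file appended is `.staging/notation/crl-test/root.crt`, which by its path looks like the CRL-test CA root rather than a TSA root, so the comment should name what is actually installed. The enclosing `@test` block starts before this hunk.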
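Review bot: `expose_localhost` runs `kubectl proxy` in the foreground, so unless a caller I cannot see here backgrounds it, the helper never returns and the test that invokes it right after `run_crl_server` will block; `run_crl_server` in the same hunk detaches its server with `&`, and this helper should do the same, `kubectl proxy --address='0.0.0.0' --accept-hosts='.*' &`, recording `$!` so the proxy can be killed in teardown rather than outliving the test. `--address='0.0.0.0' --accept-hosts='.*'` turns the runner into an unauthenticated relay to the cluster API on every interface with no Host filtering for as long as the process lives, which is a second reason its lifetime must be bounded to the test; the hunk does not show what consumes the proxy, so a one-line comment stating the consumer and that this is CI-only, e.g. `# CI-only: proxy the API server for <consumer>; terminated in teardown`, would make the exposure reviewable. The file also still ends without a trailing newline after the added function.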
@@ -0,0 +1,24 @@
+apiVersion: config.ratify.deislabs.io/v1beta1
+kind: Verifier
+metadata:
+ name: verifier-notation
+spec:
+ name: notation
+ artifactTypes: application/vnd.cncf.notary.signature
+ parameters:
+ verificationCertStores:
+ ca:
+ ca-crl:
+ - keymanagementprovider-inline
+ trustPolicyDoc:
+ version: "1.0"
+ trustPolicies:
+ - name: default
+ registryScopes:
+ - "*"
+ signatureVerification:
+ level: strict
+ trustStores:
+ - ca:ca-crl
+ trustedIdentities:
+ - "*"
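Review bot: The trust policy pairs `registryScopes: - "*"` with `trustedIdentities: - "*"`, so it accepts any registry and any signing identity and the fixture checks only the `ca-crl` store's revocation path, not who signed; since the file lives beside sample-style names, a leading comment such as `# test fixture: wildcard scopes/identities, exercises CRL revocation only` would keep it from being copied as a template. The fixture also relies on `metadata.name: verifier-notation` matching the verifier that `kubectl replace` swaps out and that teardown restores, which is presumably the sample's name but is not visible here; a comment noting that coupling would help the next person who renames either file.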