test: add k8s e2e scenarios

ratify-project · Aug 25, 2024 · e8770ec · e8770ec
1 parent fee6b7d
commit e8770ec
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 0 deletions.
diff --git a/test/bats/base-test.bats b/test/bats/base-test.bats
@@ -96,6 +96,30 @@ RATIFY_NAMESPACE=gatekeeper-system
     assert_failure
 }
 
+@test "notation test timestamping" {
+    teardown() {
+        echo "cleaning up"
+        wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl delete pod demo-tsa --namespace default --force --ignore-not-found=true'
+
+        sed -i '10,$d' ./test/bats/tests/config/config_v1beta1_keymanagementprovider_inline.yaml
+        run kubectl apply -f ./test/bats/tests/config/config_v1beta1_verifier_notation_kmprovider.yaml
+    }
+
+    # add the tsaroot certificate as an inline key management provider
+    cat ~/.ratify/ratify-certs/notation/tsarootca.cer | sed 's/^/      /g' >>./test/bats/tests/config/config_v1beta1_keymanagementprovider_inline.yaml
+    run kubectl apply -f ./test/bats/tests/config/config_v1beta1_keymanagementprovider_inline.yaml --namespace ${RATIFY_NAMESPACE}
+    assert_success
+
+    # configure the notation verifier to use the inline key management provider
+    run kubectl apply -f ./test/bats/tests/config/config_v1beta1_verifier_notation_tsa.yaml
+    assert_success
+    sleep 10
+
+    # verify that the image can now be run
+    run kubectl run demo-tsa --namespace default --image=registry:5000/notation:tsa
+    assert_success
+}
+
 @test "notation test with certs across namespace" {
     teardown() {
         echo "cleaning up"

diff --git a/test/bats/tests/config/config_v1beta1_verifier_notation_tsa.yaml b/test/bats/tests/config/config_v1beta1_verifier_notation_tsa.yaml
@@ -0,0 +1,24 @@
+apiVersion: config.ratify.deislabs.io/v1beta1
+kind: Verifier
+metadata:
+  name: verifier-notation
+spec:
+  name: notation
+  artifactTypes: application/vnd.cncf.notary.signature
+  parameters:
+    verificationCertStores:
+      tsa:
+        tsa-certs:
+        - keymanagementprovider-inline
+    trustPolicyDoc:
+      version: "1.0"
+      trustPolicies:
+        - name: default
+          registryScopes:
+            - "*"
+          signatureVerification:
+            level: strict
+          trustStores:
+            - tsa:tsa-certs
+          trustedIdentities:
+            - "*"