diff --git a/docs/cmd/tkn_pipeline_sign.md b/docs/cmd/tkn_pipeline_sign.md index 7f0113823a..59344d0260 100644 --- a/docs/cmd/tkn_pipeline_sign.md +++ b/docs/cmd/tkn_pipeline_sign.md @@ -36,6 +36,7 @@ or using kms -o, --output string Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). --show-managed-fields If true, keep the managedFields when printing objects in JSON or YAML format. --template string Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. + -v, --version string apiVersion of the Pipeline to be signed (default "v1") ``` ### Options inherited from parent commands diff --git a/docs/cmd/tkn_pipeline_verify.md b/docs/cmd/tkn_pipeline_verify.md index d8c65b3091..c6f72291cb 100644 --- a/docs/cmd/tkn_pipeline_verify.md +++ b/docs/cmd/tkn_pipeline_verify.md @@ -35,6 +35,7 @@ or using kms -o, --output string Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). --show-managed-fields If true, keep the managedFields when printing objects in JSON or YAML format. --template string Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. + -v, --version string apiVersion of the Pipeline to be verified (default "v1") ``` ### Options inherited from parent commands diff --git a/docs/cmd/tkn_task_sign.md b/docs/cmd/tkn_task_sign.md index 51c1b248a9..5a6a14b24e 100644 --- a/docs/cmd/tkn_task_sign.md +++ b/docs/cmd/tkn_task_sign.md @@ -36,6 +36,7 @@ or using kms -o, --output string Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). --show-managed-fields If true, keep the managedFields when printing objects in JSON or YAML format. --template string Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. + -v, --version string apiVersion of the Task to be signed (default "v1") ``` ### Options inherited from parent commands diff --git a/docs/cmd/tkn_task_verify.md b/docs/cmd/tkn_task_verify.md index a97f3c5072..49848763dc 100644 --- a/docs/cmd/tkn_task_verify.md +++ b/docs/cmd/tkn_task_verify.md @@ -35,6 +35,7 @@ or using kms -o, --output string Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). --show-managed-fields If true, keep the managedFields when printing objects in JSON or YAML format. --template string Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. + -v, --version string apiVersion of the Task to be verified (default "v1") ``` ### Options inherited from parent commands diff --git a/docs/man/man1/tkn-pipeline-sign.1 b/docs/man/man1/tkn-pipeline-sign.1 index 552d205064..c43e4b1880 100644 --- a/docs/man/man1/tkn-pipeline-sign.1 +++ b/docs/man/man1/tkn-pipeline-sign.1 @@ -63,6 +63,10 @@ For KMS: Template string or path to template file to use when \-o=go\-template, \-o=go\-template\-file. The template format is golang templates [ \[la]http://golang.org/pkg/text/template/#pkg-overview\[ra]]. +.PP +\fB\-v\fP, \fB\-\-version\fP="v1" + apiVersion of the Pipeline to be signed + .SH OPTIONS INHERITED FROM PARENT COMMANDS .PP diff --git a/docs/man/man1/tkn-pipeline-verify.1 b/docs/man/man1/tkn-pipeline-verify.1 index 4238a226f3..0082cad632 100644 --- a/docs/man/man1/tkn-pipeline-verify.1 +++ b/docs/man/man1/tkn-pipeline-verify.1 @@ -59,6 +59,10 @@ For KMS: Template string or path to template file to use when \-o=go\-template, \-o=go\-template\-file. The template format is golang templates [ \[la]http://golang.org/pkg/text/template/#pkg-overview\[ra]]. +.PP +\fB\-v\fP, \fB\-\-version\fP="v1" + apiVersion of the Pipeline to be verified + .SH OPTIONS INHERITED FROM PARENT COMMANDS .PP diff --git a/docs/man/man1/tkn-task-sign.1 b/docs/man/man1/tkn-task-sign.1 index eb11477932..80c52bff1c 100644 --- a/docs/man/man1/tkn-task-sign.1 +++ b/docs/man/man1/tkn-task-sign.1 @@ -63,6 +63,10 @@ For KMS: Template string or path to template file to use when \-o=go\-template, \-o=go\-template\-file. The template format is golang templates [ \[la]http://golang.org/pkg/text/template/#pkg-overview\[ra]]. +.PP +\fB\-v\fP, \fB\-\-version\fP="v1" + apiVersion of the Task to be signed + .SH OPTIONS INHERITED FROM PARENT COMMANDS .PP diff --git a/docs/man/man1/tkn-task-verify.1 b/docs/man/man1/tkn-task-verify.1 index 7a4da38087..cb45b711ca 100644 --- a/docs/man/man1/tkn-task-verify.1 +++ b/docs/man/man1/tkn-task-verify.1 @@ -59,6 +59,10 @@ For KMS: Template string or path to template file to use when \-o=go\-template, \-o=go\-template\-file. The template format is golang templates [ \[la]http://golang.org/pkg/text/template/#pkg-overview\[ra]]. +.PP +\fB\-v\fP, \fB\-\-version\fP="v1" + apiVersion of the Task to be verified + .SH OPTIONS INHERITED FROM PARENT COMMANDS .PP diff --git a/pkg/cmd/pipeline/sign.go b/pkg/cmd/pipeline/sign.go index 2b233037c4..f6cf4efe7c 100644 --- a/pkg/cmd/pipeline/sign.go +++ b/pkg/cmd/pipeline/sign.go @@ -22,7 +22,9 @@ import ( "github.com/spf13/cobra" "github.com/tektoncd/cli/pkg/cli" "github.com/tektoncd/cli/pkg/trustedresources" + v1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1" "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" cliopts "k8s.io/cli-runtime/pkg/genericclioptions" "sigs.k8s.io/yaml" ) @@ -31,6 +33,7 @@ type signOptions struct { keyfile string kmsKey string targetFile string + apiVersion string } func signCommand() *cobra.Command { @@ -70,7 +73,13 @@ or using kms return err } - crd := &v1beta1.Pipeline{} + var crd metav1.Object + if opts.apiVersion == "v1beta1" { + crd = &v1beta1.Pipeline{} + } else { + crd = &v1.Pipeline{} + } + if err := yaml.Unmarshal(b, &crd); err != nil { return fmt.Errorf("error unmarshalling Pipeline: %v", err) } @@ -87,7 +96,7 @@ or using kms c.Flags().StringVarP(&opts.keyfile, "key-file", "K", "", "Key file") c.Flags().StringVarP(&opts.kmsKey, "kms-key", "m", "", "KMS key url") c.Flags().StringVarP(&opts.targetFile, "file-name", "f", "", "Fle name of the signed pipeline, using the original file name will overwrite the file") - + c.Flags().StringVarP(&opts.apiVersion, "pipeline-version", "", "v1", "apiVersion of the Pipeline to be signed") return c } diff --git a/pkg/cmd/pipeline/sign_test.go b/pkg/cmd/pipeline/sign_test.go index da32355e7c..410664ef54 100644 --- a/pkg/cmd/pipeline/sign_test.go +++ b/pkg/cmd/pipeline/sign_test.go @@ -16,6 +16,7 @@ package pipeline import ( "context" + "fmt" "os" "path/filepath" "testing" @@ -28,37 +29,52 @@ import ( func TestSign(t *testing.T) { ctx := context.Background() p := &test.Params{} - - task := Command(p) - + pipeline := Command(p) os.Setenv("PRIVATE_PASSWORD", "1234") - tmpDir := t.TempDir() - targetFile := filepath.Join(tmpDir, "signed.yaml") - out, err := test.ExecuteCommand(task, "sign", "testdata/pipeline.yaml", "-K", "testdata/cosign.key", "-f", targetFile) - if err != nil { - t.Errorf("Unexpected error: %v", err) - } - expected := "*Warning*: This is an experimental command, it's usage and behavior can change in the next release(s)\nPipeline testdata/pipeline.yaml is signed successfully \n" - test.AssertOutput(t, expected, out) - // verify the signed task - verifier, err := cosignsignature.LoadPublicKey(ctx, "testdata/cosign.pub") - if err != nil { - t.Errorf("error getting verifier from key file: %v", err) - } + testcases := []struct { + name string + taskFile string + apiVersion string + }{{ + name: "sign and verify v1beta1 Pipeline", + taskFile: "testdata/pipeline.yaml", + apiVersion: "v1beta1", + }, { + name: "sign and verify v1 Pipeline", + taskFile: "testdata/pipeline-v1.yaml", + apiVersion: "v1", + }} + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + tmpDir := t.TempDir() + targetFile := filepath.Join(tmpDir, "signed.yaml") + out, err := test.ExecuteCommand(pipeline, "sign", tc.taskFile, "-K", "testdata/cosign.key", "-f", targetFile, "--pipeline-version", tc.apiVersion) + if err != nil { + t.Errorf("Unexpected error: %v", err) + } + expected := fmt.Sprintf("*Warning*: This is an experimental command, it's usage and behavior can change in the next release(s)\nPipeline %s is signed successfully \n", tc.taskFile) + test.AssertOutput(t, expected, out) - signed, err := os.ReadFile(targetFile) - if err != nil { - t.Fatalf("error reading file: %v", err) - } + // verify the signed task + verifier, err := cosignsignature.LoadPublicKey(ctx, "testdata/cosign.pub") + if err != nil { + t.Errorf("error getting verifier from key file: %v", err) + } - target, signature, err := trustedresources.UnmarshalCRD(signed, "Pipeline") - if err != nil { - t.Fatalf("error unmarshalling crd: %v", err) - } + signed, err := os.ReadFile(targetFile) + if err != nil { + t.Fatalf("error reading file: %v", err) + } - if err := trustedresources.VerifyInterface(target, verifier, signature); err != nil { - t.Fatalf("VerifyInterface get error: %v", err) - } + target, signature, err := trustedresources.UnmarshalCRD(signed, "Pipeline", tc.apiVersion) + if err != nil { + t.Fatalf("error unmarshalling crd: %v", err) + } + if err := trustedresources.VerifyInterface(target, verifier, signature); err != nil { + t.Fatalf("VerifyInterface get error: %v", err) + } + }) + } } diff --git a/pkg/cmd/pipeline/testdata/signed-v1.yaml b/pkg/cmd/pipeline/testdata/signed-v1.yaml new file mode 100644 index 0000000000..c04d4518d0 --- /dev/null +++ b/pkg/cmd/pipeline/testdata/signed-v1.yaml @@ -0,0 +1,25 @@ +apiVersion: tekton.dev/v1 +kind: Pipeline +metadata: + annotations: + tekton.dev/signature: MEUCIQD3tcptnk2F+9ru5gNUi91K2NPe59Dk28lwaHEQzScnOQIgL+KpDuGBf67FHGrh34cZRHVmPuYzOzPUbmvealAJPvE= + creationTimestamp: null + name: test-pipeline +spec: + tasks: + - name: build-skaffold-web + params: + - name: pathToDockerFile + value: Dockerfile + - name: pathToContext + value: /workspace/docker-source/examples/microservices/leeroy-web + taskRef: + name: build-docker-image-from-git-source + - name: deploy-web + params: + - name: path + value: /workspace/source/examples/microservices/leeroy-web/kubernetes/deployment.yaml + - name: yamlPathToImage + value: spec.template.spec.containers[0].image + taskRef: + name: deploy-using-kubectl diff --git a/pkg/cmd/pipeline/verify.go b/pkg/cmd/pipeline/verify.go index 0a1977b6ef..9fa5b2bdb1 100644 --- a/pkg/cmd/pipeline/verify.go +++ b/pkg/cmd/pipeline/verify.go @@ -22,14 +22,17 @@ import ( "github.com/spf13/cobra" "github.com/tektoncd/cli/pkg/cli" "github.com/tektoncd/cli/pkg/trustedresources" + v1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1" "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" cliopts "k8s.io/cli-runtime/pkg/genericclioptions" "sigs.k8s.io/yaml" ) type verifyOptions struct { - keyfile string - kmsKey string + keyfile string + kmsKey string + apiVersion string } func verifyCommand() *cobra.Command { @@ -68,7 +71,12 @@ or using kms return err } - crd := &v1beta1.Pipeline{} + var crd metav1.Object + if opts.apiVersion == "v1beta1" { + crd = &v1beta1.Pipeline{} + } else { + crd = &v1.Pipeline{} + } if err := yaml.Unmarshal(b, &crd); err != nil { log.Fatalf("error unmarshalling Pipeline: %v", err) return err @@ -85,5 +93,6 @@ or using kms f.AddFlags(c) c.Flags().StringVarP(&opts.keyfile, "key-file", "K", "", "Key file") c.Flags().StringVarP(&opts.kmsKey, "kms-key", "m", "", "KMS key url") + c.Flags().StringVarP(&opts.apiVersion, "pipeline-version", "", "v1", "apiVersion of the Pipeline to be verified") return c } diff --git a/pkg/cmd/pipeline/verify_test.go b/pkg/cmd/pipeline/verify_test.go index d4e5b4592a..d7b672c57f 100644 --- a/pkg/cmd/pipeline/verify_test.go +++ b/pkg/cmd/pipeline/verify_test.go @@ -15,6 +15,7 @@ package pipeline import ( + "fmt" "os" "testing" @@ -23,15 +24,30 @@ import ( func TestVerify(t *testing.T) { p := &test.Params{} - pipeline := Command(p) - os.Setenv("PRIVATE_PASSWORD", "1234") - out, err := test.ExecuteCommand(pipeline, "verify", "testdata/signed.yaml", "-K", "testdata/cosign.pub") - if err != nil { - t.Errorf("Unexpected error: %v", err) + testcases := []struct { + name string + taskFile string + apiVersion string + }{{ + name: "verify v1beta1 Pipeline", + taskFile: "testdata/signed.yaml", + apiVersion: "v1beta1", + }, { + name: "verify v1 Pipeline", + taskFile: "testdata/signed-v1.yaml", + apiVersion: "v1", + }} + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + out, err := test.ExecuteCommand(pipeline, "verify", tc.taskFile, "-K", "testdata/cosign.pub", "--pipeline-version", tc.apiVersion) + if err != nil { + t.Errorf("Unexpected error: %v", err) + } + expected := fmt.Sprintf("*Warning*: This is an experimental command, it's usage and behavior can change in the next release(s)\nPipeline %s passes verification \n", tc.taskFile) + test.AssertOutput(t, expected, out) + }) } - expected := "*Warning*: This is an experimental command, it's usage and behavior can change in the next release(s)\nPipeline testdata/signed.yaml passes verification \n" - test.AssertOutput(t, expected, out) } diff --git a/pkg/cmd/task/sign.go b/pkg/cmd/task/sign.go index 3c7ca0eb21..93a56c3cb6 100644 --- a/pkg/cmd/task/sign.go +++ b/pkg/cmd/task/sign.go @@ -22,7 +22,9 @@ import ( "github.com/spf13/cobra" "github.com/tektoncd/cli/pkg/cli" "github.com/tektoncd/cli/pkg/trustedresources" + v1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1" "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" cliopts "k8s.io/cli-runtime/pkg/genericclioptions" "sigs.k8s.io/yaml" ) @@ -36,6 +38,7 @@ type signOptions struct { keyfile string kmsKey string targetFile string + apiVersion string } func signCommand() *cobra.Command { @@ -74,8 +77,13 @@ or using kms log.Fatalf("error reading file: %v", err) return err } + var crd metav1.Object + if opts.apiVersion == "v1beta1" { + crd = &v1beta1.Task{} + } else { + crd = &v1.Task{} + } - crd := &v1beta1.Task{} if err := yaml.Unmarshal(b, &crd); err != nil { return fmt.Errorf("error unmarshalling Task: %v", err) } @@ -91,6 +99,6 @@ or using kms c.Flags().StringVarP(&opts.keyfile, "key-file", "K", "", "Key file") c.Flags().StringVarP(&opts.kmsKey, "kms-key", "m", "", "KMS key url") c.Flags().StringVarP(&opts.targetFile, "file-name", "f", "", "file name of the signed task, using the original file name will overwrite the file") - + c.Flags().StringVarP(&opts.apiVersion, "pipeline-version", "", "v1", "apiVersion of the Task to be signed") return c } diff --git a/pkg/cmd/task/sign_test.go b/pkg/cmd/task/sign_test.go index 351c9ad810..b9728fb56c 100644 --- a/pkg/cmd/task/sign_test.go +++ b/pkg/cmd/task/sign_test.go @@ -16,6 +16,7 @@ package task import ( "context" + "fmt" "os" "path/filepath" "testing" @@ -28,36 +29,52 @@ import ( func TestSign(t *testing.T) { ctx := context.Background() p := &test.Params{} - task := Command(p) - os.Setenv("PRIVATE_PASSWORD", "1234") - tmpDir := t.TempDir() - targetFile := filepath.Join(tmpDir, "signed.yaml") - out, err := test.ExecuteCommand(task, "sign", "testdata/task.yaml", "-K", "testdata/cosign.key", "-f", targetFile) - if err != nil { - t.Errorf("Unexpected error: %v", err) - } - expected := "*Warning*: This is an experimental command, it's usage and behavior can change in the next release(s)\nTask testdata/task.yaml is signed successfully \n" - test.AssertOutput(t, expected, out) - // verify the signed task - verifier, err := cosignsignature.LoadPublicKey(ctx, "testdata/cosign.pub") - if err != nil { - t.Errorf("error getting verifier from key file: %v", err) - } + testcases := []struct { + name string + taskFile string + apiVersion string + }{{ + name: "sign and verify v1beta1 Task", + taskFile: "testdata/task.yaml", + apiVersion: "v1beta1", + }, { + name: "sign and verify v1 Task", + taskFile: "testdata/task-v1.yaml", + apiVersion: "v1", + }} - signed, err := os.ReadFile(targetFile) - if err != nil { - t.Fatalf("error reading file: %v", err) - } + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + tmpDir := t.TempDir() + targetFile := filepath.Join(tmpDir, "signed.yaml") + out, err := test.ExecuteCommand(task, "sign", tc.taskFile, "-K", "testdata/cosign.key", "-f", targetFile, "--pipeline-version", tc.apiVersion) + if err != nil { + t.Errorf("Unexpected error: %v", err) + } + expected := fmt.Sprintf("*Warning*: This is an experimental command, it's usage and behavior can change in the next release(s)\nTask %s is signed successfully \n", tc.taskFile) + test.AssertOutput(t, expected, out) - target, signature, err := trustedresources.UnmarshalCRD(signed, "Task") - if err != nil { - t.Fatalf("error unmarshalling crd: %v", err) - } - if err := trustedresources.VerifyInterface(target, verifier, signature); err != nil { - t.Fatalf("VerifyTaskOCIBundle get error: %v", err) - } + // verify the signed task + verifier, err := cosignsignature.LoadPublicKey(ctx, "testdata/cosign.pub") + if err != nil { + t.Errorf("error getting verifier from key file: %v", err) + } + signed, err := os.ReadFile(targetFile) + if err != nil { + t.Fatalf("error reading file: %v", err) + } + + target, signature, err := trustedresources.UnmarshalCRD(signed, "Task", tc.apiVersion) + if err != nil { + t.Fatalf("error unmarshalling crd: %v", err) + } + if err := trustedresources.VerifyInterface(target, verifier, signature); err != nil { + t.Fatalf("VerifyInterface get error: %v", err) + } + }) + } } diff --git a/pkg/cmd/task/testdata/signed-v1.yaml b/pkg/cmd/task/testdata/signed-v1.yaml new file mode 100644 index 0000000000..da7d074401 --- /dev/null +++ b/pkg/cmd/task/testdata/signed-v1.yaml @@ -0,0 +1,26 @@ +apiVersion: tekton.dev/v1 +kind: Task +metadata: + annotations: + tekton.dev/signature: MEUCIESVeQ7mC8hxSLrmcQhVsnc0ErIjZ9NLaKv2MifSrHYtAiEA1KfI181TCK2eJ8XH5fboBvbr2/YBVGqlgrkS7vfY9mw= + creationTimestamp: null + name: task-v1 +spec: + params: + - name: foobar + type: string + results: + - name: url + steps: + - computeResources: {} + env: + - name: PARAM_URL + value: $(params.foobar) + image: alpine + name: build-sources + script: | + #!/bin/sh + + printf "%s" "${PARAM_URL}" > "$(results.url.path)" + workspaces: + - name: temporary diff --git a/pkg/cmd/task/verify.go b/pkg/cmd/task/verify.go index 55407d74a3..ffa8197513 100644 --- a/pkg/cmd/task/verify.go +++ b/pkg/cmd/task/verify.go @@ -22,14 +22,17 @@ import ( "github.com/spf13/cobra" "github.com/tektoncd/cli/pkg/cli" "github.com/tektoncd/cli/pkg/trustedresources" + v1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1" "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" cliopts "k8s.io/cli-runtime/pkg/genericclioptions" "sigs.k8s.io/yaml" ) type verifyOptions struct { - keyfile string - kmsKey string + keyfile string + kmsKey string + apiVersion string } func verifyCommand() *cobra.Command { @@ -68,7 +71,13 @@ or using kms return err } - crd := &v1beta1.Task{} + var crd metav1.Object + if opts.apiVersion == "v1beta1" { + crd = &v1beta1.Task{} + } else { + crd = &v1.Task{} + } + if err := yaml.Unmarshal(b, &crd); err != nil { log.Fatalf("error unmarshalling Task: %v", err) return err @@ -85,5 +94,6 @@ or using kms f.AddFlags(c) c.Flags().StringVarP(&opts.keyfile, "key-file", "K", "", "Key file") c.Flags().StringVarP(&opts.kmsKey, "kms-key", "m", "", "KMS key url") + c.Flags().StringVarP(&opts.apiVersion, "pipeline-version", "", "v1", "apiVersion of the Task to be verified") return c } diff --git a/pkg/cmd/task/verify_test.go b/pkg/cmd/task/verify_test.go index c465556655..106e764eb4 100644 --- a/pkg/cmd/task/verify_test.go +++ b/pkg/cmd/task/verify_test.go @@ -15,6 +15,7 @@ package task import ( + "fmt" "os" "testing" @@ -23,15 +24,30 @@ import ( func TestVerify(t *testing.T) { p := &test.Params{} - task := Command(p) - os.Setenv("PRIVATE_PASSWORD", "1234") - out, err := test.ExecuteCommand(task, "verify", "testdata/signed.yaml", "-K", "testdata/cosign.pub") - if err != nil { - t.Errorf("Unexpected error: %v", err) + testcases := []struct { + name string + taskFile string + apiVersion string + }{{ + name: "verify v1beta1 Task", + taskFile: "testdata/signed.yaml", + apiVersion: "v1beta1", + }, { + name: "verify v1 Task", + taskFile: "testdata/signed-v1.yaml", + apiVersion: "v1", + }} + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + out, err := test.ExecuteCommand(task, "verify", tc.taskFile, "-K", "testdata/cosign.pub", "--pipeline-version", tc.apiVersion) + if err != nil { + t.Errorf("Unexpected error: %v", err) + } + expected := fmt.Sprintf("*Warning*: This is an experimental command, it's usage and behavior can change in the next release(s)\nTask %s passes verification \n", tc.taskFile) + test.AssertOutput(t, expected, out) + }) } - expected := "*Warning*: This is an experimental command, it's usage and behavior can change in the next release(s)\nTask testdata/signed.yaml passes verification \n" - test.AssertOutput(t, expected, out) } diff --git a/pkg/trustedresources/sign.go b/pkg/trustedresources/sign.go index 4977fa90c0..b0d140b29f 100644 --- a/pkg/trustedresources/sign.go +++ b/pkg/trustedresources/sign.go @@ -29,6 +29,7 @@ import ( "github.com/sigstore/sigstore/pkg/signature" "github.com/sigstore/sigstore/pkg/signature/kms" + v1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1" "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1" "golang.org/x/term" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -114,20 +115,34 @@ func signInterface(signer signature.Signer, i interface{}) ([]byte, error) { } // UnmarshalCRD will get the task/pipeline from buffer and extract the signature. -func UnmarshalCRD(buf []byte, kind string) (metav1.Object, []byte, error) { +func UnmarshalCRD(buf []byte, kind string, version string) (metav1.Object, []byte, error) { var resource metav1.Object var signature []byte switch kind { case "Task": - resource = &v1beta1.Task{} - if err := yaml.Unmarshal(buf, &resource); err != nil { - return nil, nil, err + if version == "v1beta1" { + resource = &v1beta1.Task{} + if err := yaml.Unmarshal(buf, &resource); err != nil { + return nil, nil, err + } + } else { + resource = &v1.Task{} + if err := yaml.Unmarshal(buf, &resource); err != nil { + return nil, nil, err + } } case "Pipeline": - resource = &v1beta1.Pipeline{} - if err := yaml.Unmarshal(buf, &resource); err != nil { - return nil, nil, err + if version == "v1beta1" { + resource = &v1beta1.Pipeline{} + if err := yaml.Unmarshal(buf, &resource); err != nil { + return nil, nil, err + } + } else { + resource = &v1.Pipeline{} + if err := yaml.Unmarshal(buf, &resource); err != nil { + return nil, nil, err + } } } annotations := resource.GetAnnotations() diff --git a/pkg/trustedresources/sign_test.go b/pkg/trustedresources/sign_test.go index 421c7eaada..741ef52dcc 100644 --- a/pkg/trustedresources/sign_test.go +++ b/pkg/trustedresources/sign_test.go @@ -78,16 +78,19 @@ func TestSign(t *testing.T) { resource metav1.Object kind string targetFile string + apiVersion string }{{ name: "Task Sign and pass verification", resource: getTask(), kind: "Task", targetFile: "signed-task.yaml", + apiVersion: "v1beta1", }, { name: "Pipeline Sign and pass verification", resource: getPipeline(), kind: "Pipeline", targetFile: "signed-pipeline.yaml", + apiVersion: "v1beta1", }, } @@ -101,7 +104,7 @@ func TestSign(t *testing.T) { t.Fatalf("error reading file: %v", err) } - target, signature, err := UnmarshalCRD(signed, tc.kind) + target, signature, err := UnmarshalCRD(signed, tc.kind, tc.apiVersion) if err != nil { t.Fatalf("error unmarshalling crd: %v", err) }