sigstore test env #1630
sigstore test env #1630
Conversation
sallyom
force-pushed
the
ci-sigstore
branch
6 times, most recently
from
f4582ca
to
5bce179
Compare
|
@vrothberg @mtrmac I've tested this setup by running output: |
|
To avoid using docker.io images (rate limits) latest localstack 0.14.2 but 0.12.6 in use by sigstore atm The above docker.io images are referenced in this PR |
contrib/cirrus/runner.sh
Outdated
| @@ -119,7 +119,12 @@ _run_integration() { | |||
| # Ensure we start with a clean-slate | |||
| podman system reset --force | |||
|
|
|||
| # uncomment when sigstore integration tests merge | |||
| # make sigstore-testenv-up | |||
There was a problem hiding this comment.
I think this should be uncommented already to make sure that it's working and that it will continue to work in the future.
| version: "3.8" | ||
| services: | ||
| vault: | ||
| image: quay.io/sallyom/vault:latest |
There was a problem hiding this comment.
Let's avoid using the latest tag. The image may be updated in the future and we need to make sure that old/stable branches continue to work.
There was a problem hiding this comment.
can we move these images to a common quay.io directory/repo? I know we have one for libpod, do we have one for skopeo?
There was a problem hiding this comment.
Using the libpod one should be OK given we need these tests in Podman CI as well.
There was a problem hiding this comment.
updated from localstack:latest to localstack:0.12.16 (currently used in sigstore)
| ports: | ||
| - "5556:5556" | ||
| volumes: | ||
| - ./dex-config.yml:/etc/dex/dex-config.yml:z |
There was a problem hiding this comment.
Do we need this dex-config.yml?
There was a problem hiding this comment.
EDIT: keeping the dex-config.yml & the dex volume in docker-compose.yml nope, I've removed this and also updated the gist test script (not included in this PR but to prove this setup works until skopeo adds sigstore e2es)
| export AWS_REGION=us-east-1 | ||
| export AWS_ENDPOINT=localhost:4566 | ||
| export AWS_TLS_INSECURE_SKIP_VERIFY=1 | ||
| export OIDC_ISSUER=http://127.0.0.1:5556/auth |
There was a problem hiding this comment.
Should we export the IPs in the Makefile to make them accessible to all tests?
There was a problem hiding this comment.
right, yup - updated/added to Makefile
|
@TomSweeneyRedHat @vrothberg thanks for the reviews! I've updated this PR, ptal |
sallyom
force-pushed
the
ci-sigstore
branch
3 times, most recently
from
8330f02
to
8a60f9b
Compare
fixed, updated |
|
@sallyom another rebase is needed here |
rebased! |
|
@TomSweeneyRedHat @vrothberg anything else needed? thanks! |
|
@vrothberg @mtrmac I documented above (and in the Makefile) the env vars required. There's an example for how to use this setup against sigstore/sigstore e2e tests in this gist, too |
|
@sallyom @mtrmac @vrothberg Where are we with this one? Now most of the sigstore stuff is merged? |
what will help is if there is a WIP/PoC bringing in whatever is necessary from sigstore/cosign - then it will become clear what should be included in/ported to sigstore/sigstore relevant upstream: |
Signed-off-by: Sally O'Malley <somalley@redhat.com>
Signed-off-by: Sally O'Malley <somalley@redhat.com>
|
A friendly reminder that this PR had no activity for 30 days. |
|
@sallyom @vrothberg @mtrmac do we care about this PR at this point? Should it be fixed or closed? |
|
closing this for now and will reopen if necessary after examining current sigstore implementation |
This PR introduces 2 make targets:
This will enable testing for addition of sigstore image signing/verification
/cc @lukehinds @mtrmac @vrothberg :)