Sigstore test env

Signed-off-by: Sally O'Malley <[email protected]>

Makefile

@@ -32,6 +32,7 @@ endif
 # Multiple scripts are sensitive to this value, make sure it's exported/available
 # N/B: Need to use 'command -v' here for compatibility with MacOS.
 export CONTAINER_RUNTIME ?= $(if $(shell command -v podman),podman,docker)
+export COMPOSE_CMD ?= $(if $(shell command -v podman-compose),podman-compose,docker-compose)
 GOMD2MAN ?= $(if $(shell command -v go-md2man),go-md2man,$(GOBIN)/go-md2man)
 
 # Go module support: set `-mod=vendor` to use the vendored sources.
@@ -210,6 +211,12 @@ test-unit:
 	# Just call (make test unit-local) here instead of worrying about environment differences
 	$(CONTAINER_RUN) $(MAKE) test-unit-local
 
+sigstore-testenv-up:
+	cd hack/sigstore-setup && ./sigstore-setup.sh setup
+
+sigstore-testenv-down:
+	cd hack/sigstore-setup && ./sigstore-setup.sh cleanup
+
 validate:
 	$(CONTAINER_RUN) $(MAKE) validate-local
 

contrib/cirrus/runner.sh

@@ -62,7 +62,7 @@ _run_setup() {
     dnf erase -y skopeo
 
     # Required for testing the SIF transport
-    dnf install -y fakeroot squashfs-tools
+    dnf install -y fakeroot squashfs-tools git podman-compose
 
     msg "Removing systemd-resolved from nsswitch.conf"
     # /etc/resolv.conf is already set to bypass systemd-resolvd
@@ -125,7 +125,12 @@ _run_integration() {
     # Ensure we start with a clean-slate
     podman system reset --force
 
+    # uncomment when sigstore integration tests merge
+    # make sigstore-testenv-up
+
     make test-integration-local BUILDTAGS="$BUILDTAGS"
+
+    # make sigstore-testenv-down
 }
 
 _run_system() {
@@ -136,7 +141,7 @@ _run_system() {
     make test-system-local BUILDTAGS="$BUILDTAGS"
 }
 
-req_env_vars SKOPEO_PATH BUILDTAGS
+req_env_vars SKOPEO_PATH BUILDTAGS GIT_CHECKOUT
 
 handler="_run_${1}"
 if [ "$(type -t $handler)" != "function" ]; then

hack/sigstore-setup/dex-config.yml

@@ -0,0 +1,45 @@
+#
+# Copyright 2021 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This script is copied from sigstore/sigstore
+# See https://github.com/sigstore/sigstore/blob/main/test/e2e/dex-config.yml
+
+issuer: http://127.0.0.1:5556/auth
+
+storage:
+  type: memory
+
+# Configuration for the HTTP endpoints.
+web:
+  http: 0.0.0.0:5556
+
+logger:
+  level: debug
+
+oauth2:
+  responseTypes: [ "code" ]
+  skipApprovalScreen: true
+  alwaysShowLoginScreen: false
+
+staticClients:
+- id: sigstore
+  name: 'Sigstore Mock'
+  public: true
+
+connectors:
+- type: mockCallback
+  id: mock
+  name: Mock
+

hack/sigstore-setup/docker-compose.yml

@@ -0,0 +1,41 @@
+#
+# Copyright 2021 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This script is copied from sigstore/sigstore
+# See https://github.com/sigstore/sigstore/blob/main/test/e2e/docker-compose.yml
+
+version: "3.8"
+services:
+  vault:
+    image: quay.io/sallyom/vault:latest
+    environment:
+      VAULT_DEV_ROOT_TOKEN_ID: ${VAULT_TOKEN}
+    ports:
+      - 8200:8200
+    privileged: true
+  localstack:
+    image: quay.io/sallyom/localstack:0.12.16
+    ports:
+      - 4566:4566
+    environment:
+      - SERVICES=kms
+  dex:
+    image: quay.io/sallyom/dexidp-dex:v2.31.0
+    ports:
+      - "5556:5556"
+    volumes:
+      - ./dex-config.yml:/etc/dex/dex-config.yml:z
+    command: ["dex", "serve", "/etc/dex/dex-config.yml"]
+

hack/sigstore-setup/sigstore-setup.sh

@@ -0,0 +1,68 @@
+#!/bin/bash
+#
+# Copyright 2021 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This script is copied from sigstore/sigstore
+# replacing docker-compose with podman-compose
+# See https://github.com/sigstore/sigstore/blob/main/test/e2e/e2e-test.sh
+
+set -ex
+
+cleanup() {
+  echo "cleanup"
+  $COMPOSE_CMD down
+}
+
+run=$1
+if [ $run = "cleanup" ]
+then
+    cleanup
+else
+  trap cleanup ERR
+
+  export VAULT_TOKEN=testtoken
+  export VAULT_ADDR=http://localhost:8200/
+
+  # The following env vars are required only when running sigstore e2es
+  # These are not required for sigstore setup
+  export AWS_ACCESS_KEY_ID=test
+  export AWS_SECRET_ACCESS_KEY=test
+  export AWS_REGION=us-east-1
+  export AWS_ENDPOINT=localhost:4566
+  export AWS_TLS_INSECURE_SKIP_VERIFY=1
+  export OIDC_ISSUER=http://127.0.0.1:5556/auth
+  export OIDC_ID=sigstore
+
+  echo "starting services"
+
+  $COMPOSE_CMD up -d
+
+  count=0
+
+  echo -n "waiting up to 60 sec for system to start"
+  until [ $($COMPOSE_CMD logs localstack | grep -c Ready) == 1 ];
+  do
+    if [ $count -eq 12 ]; then
+      echo "! timeout reached"
+      exit 1
+    else
+      echo -n "."
+      sleep 5
+      let 'count+=1'
+    fi
+  done
+
+  echo "sigstore setup complete"
+fi