Merge pull request #29915 from QiWang19/wip-timeouttest

OCPBUGS-58132: OCPFeatureGate:SigstoreImageVerification use multi arch image for testing

Author: openshift-merge-bot[bot]

test/extended/imagepolicy/imagepolicy.go

@@ -16,13 +16,11 @@ import (
 	"k8s.io/client-go/util/retry"
 	e2e "k8s.io/kubernetes/test/e2e/framework"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
-	e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper"
 	admissionapi "k8s.io/pod-security-admission/api"
 )
 
 const (
-	testReleaseImageScope                  = "quay.io/openshift-release-dev/ocp-release@sha256:fbad931c725b2e5b937b295b58345334322bdabb0b67da1c800a53686d7397da"
-	testReferenceImageScope                = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:4db234f37ae6712e2f7ed8d13f7fb49971c173d0e4f74613d0121672fa2e01f5"
+	testSignedPolicyScope                  = "quay.io/openshifttest/busybox-testsigstoresigned@sha256:c5439d7db88ab5423999530349d327b04279ad3161d7596d2126dfb5b02bfd1f"
 	registriesWorkerPoolMachineConfig      = "99-worker-generated-registries"
 	registriesMasterPoolMachineConfig      = "99-master-generated-registries"
 	testPodName                            = "signature-validation-test-pod"
@@ -52,12 +50,6 @@ var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][
 		if !exutil.IsTechPreviewNoUpgrade(tctx, oc.AdminConfigClient()) {
 			g.Skip("skipping, this feature is only supported on TechPreviewNoUpgrade clusters")
 		}
-
-		outStr, err := oc.Run("adm", "release", "info", testReleaseImageScope).Args("-o=go-template", "--template={{.digest}}").Output()
-		if err != nil || outStr == "" {
-			o.Expect(err).ToNot(o.HaveOccurred())
-			e2eskipper.Skipf("can't validate %s release image for testing, consider updating the test", testReleaseImageScope)
-		}
 	})
 
 	g.It("Should fail clusterimagepolicy signature validation root of trust does not match the identity in the signature", func() {
@@ -66,7 +58,7 @@ var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][
 
 		waitForPoolComplete(oc)
 
-		pod, err := launchTestPod(tctx, clif, testPodName, testReleaseImageScope)
+		pod, err := launchTestPod(tctx, clif, testPodName, testSignedPolicyScope)
 		o.Expect(err).NotTo(o.HaveOccurred())
 		g.DeferCleanup(deleteTestPod, tctx, clif, testPodName)
 
@@ -75,8 +67,8 @@ var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][
 	})
 
 	g.It("Should fail clusterimagepolicy signature validation when scope in allowedRegistries list does not skip signature verification", func() {
-		// Ensure allowedRegistries do not skip signature verification by adding testReleaseImageScope to the list
-		allowedRegistries := []string{"quay.io", "registry.redhat.io", "image-registry.openshift-image-registry.svc:5000", testReleaseImageScope}
+		// Ensure allowedRegistries do not skip signature verification by adding testSignedPolicyScope to the list.
+		allowedRegistries := []string{"quay.io", "registry.redhat.io", "image-registry.openshift-image-registry.svc:5000", testSignedPolicyScope}
 		updateImageConfig(oc, allowedRegistries)
 		g.DeferCleanup(cleanupImageConfig, oc)
 
@@ -85,7 +77,7 @@ var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][
 
 		waitForPoolComplete(oc)
 
-		pod, err := launchTestPod(tctx, clif, testPodName, testReleaseImageScope)
+		pod, err := launchTestPod(tctx, clif, testPodName, testSignedPolicyScope)
 		o.Expect(err).NotTo(o.HaveOccurred())
 		g.DeferCleanup(deleteTestPod, tctx, clif, testPodName)
 
@@ -99,7 +91,7 @@ var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][
 
 		waitForPoolComplete(oc)
 
-		pod, err := launchTestPod(tctx, clif, testPodName, testReleaseImageScope)
+		pod, err := launchTestPod(tctx, clif, testPodName, testSignedPolicyScope)
 		o.Expect(err).NotTo(o.HaveOccurred())
 		g.DeferCleanup(deleteTestPod, tctx, clif, testPodName)
 
@@ -110,20 +102,21 @@ var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][
 	g.It("Should fail imagepolicy signature validation in different namespaces root of trust does not match the identity in the signature", func() {
 		createImagePolicy(oc, testImagePolicies[invalidPublicKeyImagePolicyName], imgpolicyClif.Namespace.Name)
 		g.DeferCleanup(deleteImagePolicy, oc, invalidPublicKeyImagePolicyName, imgpolicyClif.Namespace.Name)
+		waitForPoolComplete(oc)
 
 		createImagePolicy(oc, testImagePolicies[invalidPublicKeyImagePolicyName], clif.Namespace.Name)
 		g.DeferCleanup(deleteImagePolicy, oc, invalidPublicKeyImagePolicyName, clif.Namespace.Name)
 
 		waitForPoolComplete(oc)
 
-		pod, err := launchTestPod(tctx, imgpolicyClif, testPodName, testReferenceImageScope)
+		pod, err := launchTestPod(tctx, imgpolicyClif, testPodName, testSignedPolicyScope)
 		o.Expect(err).NotTo(o.HaveOccurred())
 		g.DeferCleanup(deleteTestPod, tctx, imgpolicyClif, testPodName)
 
 		err = waitForTestPodContainerToFailSignatureValidation(tctx, imgpolicyClif, pod)
 		o.Expect(err).NotTo(o.HaveOccurred())
 
-		pod, err = launchTestPod(tctx, clif, testPodName, testReferenceImageScope)
+		pod, err = launchTestPod(tctx, clif, testPodName, testSignedPolicyScope)
 		o.Expect(err).NotTo(o.HaveOccurred())
 		g.DeferCleanup(deleteTestPod, tctx, clif, testPodName)
 
@@ -134,20 +127,21 @@ var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][
 	g.It("Should pass imagepolicy signature validation with signed image in namespaces", func() {
 		createImagePolicy(oc, testImagePolicies[publiKeyRekorImagePolicyName], clif.Namespace.Name)
 		g.DeferCleanup(deleteImagePolicy, oc, publiKeyRekorImagePolicyName, clif.Namespace.Name)
+		waitForPoolComplete(oc)
 
 		createImagePolicy(oc, testImagePolicies[publiKeyRekorImagePolicyName], imgpolicyClif.Namespace.Name)
 		g.DeferCleanup(deleteImagePolicy, oc, publiKeyRekorImagePolicyName, imgpolicyClif.Namespace.Name)
 
 		waitForPoolComplete(oc)
 
-		pod, err := launchTestPod(tctx, clif, testPodName, testReferenceImageScope)
+		pod, err := launchTestPod(tctx, clif, testPodName, testSignedPolicyScope)
 		o.Expect(err).NotTo(o.HaveOccurred())
 		g.DeferCleanup(deleteTestPod, tctx, clif, testPodName)
 
 		err = e2epod.WaitForPodSuccessInNamespace(tctx, clif.ClientSet, pod.Name, pod.Namespace)
 		o.Expect(err).NotTo(o.HaveOccurred())
 
-		pod, err = launchTestPod(tctx, imgpolicyClif, testPodName, testReferenceImageScope)
+		pod, err = launchTestPod(tctx, imgpolicyClif, testPodName, testSignedPolicyScope)
 		o.Expect(err).NotTo(o.HaveOccurred())
 		g.DeferCleanup(deleteTestPod, tctx, imgpolicyClif, testPodName)
 
@@ -215,6 +209,7 @@ func launchTestPod(ctx context.Context, f *e2e.Framework, podName, image string)
 					Name:            contName,
 					Image:           image,
 					ImagePullPolicy: kapiv1.PullAlways,
+					Command:         []string{"/bin/sh", "-c", "exit 0"},
 				},
 			},
 			RestartPolicy: kapiv1.RestartPolicyNever,
@@ -263,7 +258,7 @@ func generateClusterImagePolicies() map[string]configv1alpha1.ClusterImagePolicy
 		invalidPublicKeyClusterImagePolicyName: {
 			ObjectMeta: metav1.ObjectMeta{Name: invalidPublicKeyClusterImagePolicyName},
 			Spec: configv1alpha1.ClusterImagePolicySpec{
-				Scopes: []configv1alpha1.ImageScope{testReleaseImageScope},
+				Scopes: []configv1alpha1.ImageScope{testSignedPolicyScope},
 				Policy: configv1alpha1.Policy{
 					RootOfTrust: configv1alpha1.PolicyRootOfTrust{
 						PolicyType: configv1alpha1.PublicKeyRootOfTrust,
@@ -280,34 +275,19 @@ func generateClusterImagePolicies() map[string]configv1alpha1.ClusterImagePolicy
 		publiKeyRekorClusterImagePolicyName: {
 			ObjectMeta: metav1.ObjectMeta{Name: publiKeyRekorClusterImagePolicyName},
 			Spec: configv1alpha1.ClusterImagePolicySpec{
-				Scopes: []configv1alpha1.ImageScope{testReleaseImageScope},
+				Scopes: []configv1alpha1.ImageScope{testSignedPolicyScope},
 				Policy: configv1alpha1.Policy{
 					RootOfTrust: configv1alpha1.PolicyRootOfTrust{
 						PolicyType: configv1alpha1.PublicKeyRootOfTrust,
 						PublicKey: &configv1alpha1.PublicKey{
 							KeyData: []byte(`-----BEGIN PUBLIC KEY-----
-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0ASyuH2TLWvBUqPHZ4Ip
-75g7EncBkgQHdJnjzxAW5KQTMh/siBoB/BoSrtiPMwnChbTCnQOIQeZuDiFnhuJ7
-M/D3b7JoX0m123NcCSn67mAdjBa6Bg6kukZgCP4ZUZeESajWX/EjylFcRFOXW57p
-RDCEN42J/jYlVqt+g9+Grker8Sz86H3l0tbqOdjbz/VxHYhwF0ctUMHsyVRDq2QP
-tqzNXlmlMhS/PoFr6R4u/7HCn/K+LegcO2fAFOb40KvKSKKVD6lewUZErhop1CgJ
-XjDtGmmO9dGMF71mf6HEfaKSdy+EE6iSF2A2Vv9QhBawMiq2kOzEiLg4nAdJT8wg
-ZrMAmPCqGIsXNGZ4/Q+YTwwlce3glqb5L9tfNozEdSR9N85DESfQLQEdY3CalwKM
-BT1OEhEX1wHRCU4drMOej6BNW0VtscGtHmCrs74jPezhwNT8ypkyS+T0zT4Tsy6f
-VXkJ8YSHyenSzMB2Op2bvsE3grY+s74WhG9UIA6DBxcTie15NSzKwfzaoNWODcLF
-p7BY8aaHE2MqFxYFX+IbjpkQRfaeQQsouDFdCkXEFVfPpbD2dk6FleaMTPuyxtIT
-gjVEtGQK2qGCFGiQHFd4hfV+eCA63Jro1z0zoBM5BbIIQ3+eVFwt3AlZp5UVwr6d
-secqki/yrmv3Y0dqZ9VOn3UCAwEAAQ==
------END PUBLIC KEY-----`),
-							RekorKeyData: []byte(`-----BEGIN PUBLIC KEY-----
-MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEDk0ElgGvMrsJULkg/ji1XX7EngDl2WY7
-c75kKKy/SwWQ8n3Zymomy4DtkXzjsju204Mgjtdc7dVSPGSBn7VLLdDIzqSd1mLE
-2ybPRzY8g742Mn/5hgH4eBzNKBjZ3wv1
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKvZH0CXTk8XQkETuxkzkl3Bi4ms5
+60l1/qUU0fRATNSCVORCog5PDFo5z0ZLeblWgwbn4c8xpvuo9jQFwpeOsg==
 -----END PUBLIC KEY-----`),
 						},
 					},
 					SignedIdentity: configv1alpha1.PolicyIdentity{
-						MatchPolicy: configv1alpha1.IdentityMatchPolicyMatchRepoDigestOrExact,
+						MatchPolicy: configv1alpha1.IdentityMatchPolicyMatchRepository,
 					},
 				},
 			},
@@ -321,7 +301,7 @@ func generateImagePolicies() map[string]configv1alpha1.ImagePolicy {
 		invalidPublicKeyImagePolicyName: {
 			ObjectMeta: metav1.ObjectMeta{Name: invalidPublicKeyImagePolicyName},
 			Spec: configv1alpha1.ImagePolicySpec{
-				Scopes: []configv1alpha1.ImageScope{testReferenceImageScope},
+				Scopes: []configv1alpha1.ImageScope{testSignedPolicyScope},
 				Policy: configv1alpha1.Policy{
 					RootOfTrust: configv1alpha1.PolicyRootOfTrust{
 						PolicyType: configv1alpha1.PublicKeyRootOfTrust,
@@ -338,34 +318,19 @@ func generateImagePolicies() map[string]configv1alpha1.ImagePolicy {
 		publiKeyRekorImagePolicyName: {
 			ObjectMeta: metav1.ObjectMeta{Name: publiKeyRekorImagePolicyName},
 			Spec: configv1alpha1.ImagePolicySpec{
-				Scopes: []configv1alpha1.ImageScope{testReferenceImageScope},
+				Scopes: []configv1alpha1.ImageScope{testSignedPolicyScope},
 				Policy: configv1alpha1.Policy{
 					RootOfTrust: configv1alpha1.PolicyRootOfTrust{
 						PolicyType: configv1alpha1.PublicKeyRootOfTrust,
 						PublicKey: &configv1alpha1.PublicKey{
 							KeyData: []byte(`-----BEGIN PUBLIC KEY-----
-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0ASyuH2TLWvBUqPHZ4Ip
-75g7EncBkgQHdJnjzxAW5KQTMh/siBoB/BoSrtiPMwnChbTCnQOIQeZuDiFnhuJ7
-M/D3b7JoX0m123NcCSn67mAdjBa6Bg6kukZgCP4ZUZeESajWX/EjylFcRFOXW57p
-RDCEN42J/jYlVqt+g9+Grker8Sz86H3l0tbqOdjbz/VxHYhwF0ctUMHsyVRDq2QP
-tqzNXlmlMhS/PoFr6R4u/7HCn/K+LegcO2fAFOb40KvKSKKVD6lewUZErhop1CgJ
-XjDtGmmO9dGMF71mf6HEfaKSdy+EE6iSF2A2Vv9QhBawMiq2kOzEiLg4nAdJT8wg
-ZrMAmPCqGIsXNGZ4/Q+YTwwlce3glqb5L9tfNozEdSR9N85DESfQLQEdY3CalwKM
-BT1OEhEX1wHRCU4drMOej6BNW0VtscGtHmCrs74jPezhwNT8ypkyS+T0zT4Tsy6f
-VXkJ8YSHyenSzMB2Op2bvsE3grY+s74WhG9UIA6DBxcTie15NSzKwfzaoNWODcLF
-p7BY8aaHE2MqFxYFX+IbjpkQRfaeQQsouDFdCkXEFVfPpbD2dk6FleaMTPuyxtIT
-gjVEtGQK2qGCFGiQHFd4hfV+eCA63Jro1z0zoBM5BbIIQ3+eVFwt3AlZp5UVwr6d
-secqki/yrmv3Y0dqZ9VOn3UCAwEAAQ==
------END PUBLIC KEY-----`),
-							RekorKeyData: []byte(`-----BEGIN PUBLIC KEY-----
-MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEDk0ElgGvMrsJULkg/ji1XX7EngDl2WY7
-c75kKKy/SwWQ8n3Zymomy4DtkXzjsju204Mgjtdc7dVSPGSBn7VLLdDIzqSd1mLE
-2ybPRzY8g742Mn/5hgH4eBzNKBjZ3wv1
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKvZH0CXTk8XQkETuxkzkl3Bi4ms5
+60l1/qUU0fRATNSCVORCog5PDFo5z0ZLeblWgwbn4c8xpvuo9jQFwpeOsg==
 -----END PUBLIC KEY-----`),
 						},
 					},
 					SignedIdentity: configv1alpha1.PolicyIdentity{
-						MatchPolicy: configv1alpha1.IdentityMatchPolicyMatchRepoDigestOrExact,
+						MatchPolicy: configv1alpha1.IdentityMatchPolicyMatchRepository,
 					},
 				},
 			},