Merge pull request #623 from ooq/fix-integration-stability

Use strict/loose policy to fix signer integration test instability.

integration/signer/policy_loose.yaml

@@ -0,0 +1,10 @@
+apiVersion: kritis.grafeas.io/v1beta1
+kind: VulnzSigningPolicy
+metadata:
+  name: my-vsp
+spec:
+  imageVulnerabilityRequirements:
+    maximumFixableSeverity: CRITICAL
+    maximumUnfixableSeverity: CRITICAL
+    allowlistCVEs:
+      - projects/goog-vulnz/notes/CVE-2021-20305

integration/signer/policy_strict.yaml

@@ -0,0 +1,10 @@
+apiVersion: kritis.grafeas.io/v1beta1
+kind: VulnzSigningPolicy
+metadata:
+  name: my-vsp
+spec:
+  imageVulnerabilityRequirements:
+    maximumFixableSeverity: MEDIUM
+    maximumUnfixableSeverity: MEDIUM
+    allowlistCVEs:
+      - projects/goog-vulnz/notes/CVE-2021-20305

integration/signer/signer_int.sh

@@ -28,9 +28,6 @@ export KMS_PROJECT=$PROJECT_ID
 export KMS_DIGESTALG=SHA512
 export NOTE_NAME=projects/${PROJECT_ID}/notes/${NOTE_ID}
 
-# create policy.yaml
-cp policy_template.yaml policy.yaml
-
 # install jq
 # TODO: bake jq into a custom image
 apt-get install -y -q jq

integration/signer/tests/test-bypass-and-sign-with-kms.sh

@@ -20,7 +20,7 @@ echo ""
 set -eux
 
 GOOD_IMAGE_URL=gcr.io/$PROJECT_ID/signer-int-good-image:$BUILD_ID
-docker build --no-cache -t $GOOD_IMAGE_URL -f ./Dockerfile.good .
+docker build --no-cache -t $GOOD_IMAGE_URL -f ./Dockerfile .
 
 clean_up() { ARG=$?; delete_image $GOOD_IMAGE_URL; exit $ARG;}
 trap 'clean_up'  EXIT

integration/signer/tests/test-bypass-and-sign-with-pkix.sh

@@ -20,7 +20,7 @@ echo ""
 set -eux
 
 GOOD_IMAGE_URL=gcr.io/$PROJECT_ID/signer-int-good-image:$BUILD_ID
-docker build --no-cache -t $GOOD_IMAGE_URL -f ./Dockerfile.good .
+docker build --no-cache -t $GOOD_IMAGE_URL -f ./Dockerfile .
 
 clean_up() { ARG=$?; delete_image $GOOD_IMAGE_URL; exit $ARG;}
 trap 'clean_up'  EXIT

integration/signer/tests/test-bypass-and-sign.sh

@@ -20,7 +20,7 @@ echo ""
 set -eux
 
 GOOD_IMAGE_URL=gcr.io/$PROJECT_ID/signer-int-good-image:$BUILD_ID
-docker build --no-cache -t $GOOD_IMAGE_URL -f ./Dockerfile.good .
+docker build --no-cache -t $GOOD_IMAGE_URL -f ./Dockerfile .
 
 clean_up() { ARG=$?; delete_image $GOOD_IMAGE_URL; exit $ARG;}
 trap 'clean_up'  EXIT

integration/signer/tests/test-check-and-sign-bad.sh

@@ -21,7 +21,7 @@ set -eux
 
 # build a "bad" example image
 BAD_IMAGE_URL=gcr.io/$PROJECT_ID/signer-int-bad-image:$BUILD_ID
-docker build --no-cache -t $BAD_IMAGE_URL -f ./Dockerfile.bad .
+docker build --no-cache -t $BAD_IMAGE_URL -f ./Dockerfile .
 
 clean_up() { ARG=$?; delete_image $BAD_IMAGE_URL; exit $ARG;}
 trap 'clean_up'  EXIT
@@ -39,7 +39,7 @@ signing_bad_image_failed=false
 -alsologtostderr \
 -image=${BAD_IMG_DIGEST_URL} \
 -pgp_private_key=private.key \
--policy=policy.yaml \
+-policy=policy_strict.yaml \
 -note_name=${NOTE_NAME} || signing_bad_image_failed=true
 
 

integration/signer/tests/test-check-and-sign-good.sh

@@ -21,7 +21,7 @@ set -eux
 
 # build a "good" example image
 GOOD_IMAGE_URL=gcr.io/$PROJECT_ID/signer-int-good-image:$BUILD_ID
-docker build --no-cache -t $GOOD_IMAGE_URL -f ./Dockerfile.good .
+docker build --no-cache -t $GOOD_IMAGE_URL -f ./Dockerfile .
 
 clean_up() { ARG=$?; delete_image $GOOD_IMAGE_URL; exit $ARG;}
 trap 'clean_up'  EXIT
@@ -39,7 +39,7 @@ trap 'clean_up'  EXIT
 -alsologtostderr \
 -image=${GOOD_IMG_DIGEST_URL} \
 -pgp_private_key=private.key \
--policy=policy.yaml \
+-policy=policy_loose.yaml \
 -note_name=${NOTE_NAME}
 
 # deploy to a binauthz-enabled cluster signer-int-test

integration/signer/tests/test-check-only-bad.sh

@@ -21,7 +21,7 @@ set -eux
 
 # build a "bad" example image
 BAD_IMAGE_URL=gcr.io/$PROJECT_ID/signer-int-bad-image:$BUILD_ID
-docker build --no-cache -t $BAD_IMAGE_URL -f ./Dockerfile.bad .
+docker build --no-cache -t $BAD_IMAGE_URL -f ./Dockerfile .
 
 trap 'delete_image $BAD_IMAGE_URL'  EXIT
 
@@ -34,7 +34,7 @@ signing_bad_image_failed=false
 ./signer -v 10 \
 -alsologtostderr \
 -image=${BAD_IMG_DIGEST_URL} \
--policy=policy.yaml \
+-policy=policy_strict.yaml \
 -mode=check-only || checking_bad_image_failed=true
 
 if [ "$checking_bad_image_failed" = true ] ; then

integration/signer/tests/test-check-only-good.sh

@@ -21,7 +21,7 @@ set -eux
 
 # build a "good" example image
 GOOD_IMAGE_URL=gcr.io/$PROJECT_ID/signer-int-good-image:$BUILD_ID
-docker build --no-cache -t $GOOD_IMAGE_URL -f ./Dockerfile.good .
+docker build --no-cache -t $GOOD_IMAGE_URL -f ./Dockerfile .
 
 trap 'delete_image $GOOD_IMAGE_URL'  EXIT
 
@@ -34,7 +34,7 @@ GOOD_IMG_DIGEST_URL=$(docker image inspect $GOOD_IMAGE_URL --format '{{index .Re
 ./signer -v 10 \
 -alsologtostderr \
 -image=${GOOD_IMG_DIGEST_URL} \
--policy=policy.yaml \
+-policy=policy_loose.yaml \
 -mode=check-only
 
 echo ""

integration/signer/tests/test-overwrite.sh

@@ -20,7 +20,7 @@ echo ""
 set -eux
 
 GOOD_IMAGE_URL=gcr.io/$PROJECT_ID/signer-int-good-image:$BUILD_ID
-docker build --no-cache -t $GOOD_IMAGE_URL -f ./Dockerfile.good .
+docker build --no-cache -t $GOOD_IMAGE_URL -f ./Dockerfile .
 
 trap 'delete_image $GOOD_IMAGE_URL'  EXIT
 
@@ -37,7 +37,7 @@ trap 'delete_occ $GOOD_IMG_DIGEST_URL'  EXIT
 -mode=bypass-and-sign \
 -image=${GOOD_IMG_DIGEST_URL} \
 -pgp_private_key=private.key \
--policy=policy.yaml \
+-policy=policy_loose.yaml \
 -note_name=${NOTE_NAME}
 
 sleep 10
@@ -51,7 +51,7 @@ OLD_OCC_ID="$(get_occ $GOOD_IMG_DIGEST_URL)"
 -mode=bypass-and-sign \
 -image=${GOOD_IMG_DIGEST_URL} \
 -pgp_private_key=private.key \
--policy=policy.yaml \
+-policy=policy_loose.yaml \
 -note_name=${NOTE_NAME} \
 -overwrite