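# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# KinD end-to-end tests against "insecure" registries: two local registries
# (registry:2 and zot) served with a self-signed TLS certificate, attached to
# the kind docker network and resolved to 127.0.0.1 via /etc/hosts.
# "Insecure" here means an untrusted (self-signed) certificate, not plain HTTP.
name: Insecure Registry KinD E2E

on: # yamllint disable-line rule:truthy
  pull_request:
    branches: [ 'main', 'release-*' ]

# Read-only GITHUB_TOKEN on every scope; the job only needs to check out code.
permissions: read-all

jobs:
  e2e-tests:
    name: e2e tests
    runs-on: ubuntu-latest

    strategy:
      fail-fast: false # Keep running if one leg fails.
      matrix:
        k8s-version:
          - v1.24.x
          - v1.25.x
          - v1.26.x
          - v1.27.x

    env:
      # https://github.com/google/go-containerregistry/pull/125 allows insecure registry for
      # '*.local' hostnames.
      REGISTRY_NAME: registry.local
      # Ports are quoted so they stay strings rather than YAML integers; the
      # shell steps below interpolate them into host:port strings.
      REGISTRY_PORT: "5000"
      INSECURE_REGISTRY_NAME: insecure-registry.notlocal
      INSECURE_REGISTRY_PORT: "5001"
      INSECURE_OCI_REGISTRY_NAME: insecure-oci-registry.notlocal
      INSECURE_OCI_REGISTRY_PORT: "5002"
      # Not referenced by any step in this file; presumably consumed by the
      # e2e scripts — verify before removing.
      KO_DOCKER_REPO: registry.local:5000/policy-controller

    steps:
      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
        with:
          go-version: '1.21'
          check-latest: true

      - uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6

      - uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2.1.0

      - name: Install yq
        uses: mikefarah/yq@c35ec752e38ea0c096d3c44e13cfc0797ac394d8 # v4.43.1

      - name: Install Cosign
        run: |
          go install ./cmd/cosign

      - name: Setup mirror
        # NOTE(review): mutable branch ref — every other action in this file is
        # pinned to a commit SHA; pin this one the same way.
        uses: chainguard-dev/actions/setup-mirror@main
        with:
          mirror: mirror.gcr.io

      - name: Setup kind cluster
        # NOTE(review): mutable branch ref, same as setup-mirror above.
        uses: chainguard-dev/actions/setup-kind@main
        with:
          k8s-version: ${{ matrix.k8s-version }}
          cluster-suffix: c${{ github.run_id }}.local

      - name: Setup local insecure registry
        run: |
          # Create a self-signed SSL cert
          mkdir -p insecure-certs
          openssl req \
            -subj "/C=US/ST=WA/L=Flavorton/O=Tests-R-Us/OU=Dept. of Insecurity/CN=example.com/emailAddress=testing@example.com" \
            -newkey rsa:4096 -nodes -sha256 -keyout insecure-certs/domain.key \
            -x509 -days 365 -out insecure-certs/domain.crt
          # Run a registry (registry:2) serving TLS with the cert above.
          docker run -d --restart=always \
            --name $INSECURE_REGISTRY_NAME \
            -v "$(pwd)"/insecure-certs:/insecure-certs \
            -e REGISTRY_HTTP_ADDR=0.0.0.0:$INSECURE_REGISTRY_PORT \
            -e REGISTRY_HTTP_TLS_CERTIFICATE=/insecure-certs/domain.crt \
            -e REGISTRY_HTTP_TLS_KEY=/insecure-certs/domain.key \
            -p $INSECURE_REGISTRY_PORT:$INSECURE_REGISTRY_PORT \
            registry:2
          # Connect the registry to the KinD network.
          docker network connect "kind" $INSECURE_REGISTRY_NAME
          # Map $INSECURE_REGISTRY_NAME -> 127.0.0.1 so that `ko` publishes to the
          # local registry even when pushing $INSECURE_REGISTRY_NAME:$INSECURE_REGISTRY_PORT/some/image
          echo "127.0.0.1 $INSECURE_REGISTRY_NAME" | sudo tee -a /etc/hosts

      - name: Run Insecure Registry Tests
        run: |
          go install github.com/google/go-containerregistry/cmd/crane
          ./test/e2e_test_insecure_registry.sh

      - name: Setup local insecure OCI registry
        run: |
          # Create a self-signed SSL cert (overwrites the files written by the
          # previous registry step; same paths).
          mkdir -p insecure-certs
          openssl req \
            -subj "/C=US/ST=WA/L=Flavorton/O=Tests-R-Us/OU=Dept. of Insecurity/CN=example.com/emailAddress=testing@example.com" \
            -newkey rsa:4096 -nodes -sha256 -keyout insecure-certs/domain.key \
            -x509 -days 365 -out insecure-certs/domain.crt
          # zot config: the container listens on 5000, which must match the
          # $REGISTRY_PORT side of the -p mapping below.
          cat > config.json << EOF
          {
            "distSpecVersion": "1.1.0-dev",
            "storage": {
              "rootDirectory": "/tmp/zot"
            },
            "http": {
              "address": "0.0.0.0",
              "port": "5000",
              "realm": "zot",
              "tls": {
                "cert": "/insecure-certs/domain.crt",
                "key": "/insecure-certs/domain.key"
              }
            },
            "log": {
              "level": "debug"
            }
          }
          EOF
          # Run a registry (zot).
          docker run -d --restart=always \
            --name $INSECURE_OCI_REGISTRY_NAME \
            -v "$(pwd)"/insecure-certs:/insecure-certs \
            -v "$(pwd)"/config.json:/etc/zot/config.json \
            -p $INSECURE_OCI_REGISTRY_PORT:$REGISTRY_PORT \
            ghcr.io/project-zot/zot-minimal-linux-amd64:$ZOT_VERSION
          # Connect the registry to the KinD network.
          docker network connect "kind" $INSECURE_OCI_REGISTRY_NAME
          # Map $INSECURE_OCI_REGISTRY_NAME -> 127.0.0.1 so that `ko` publishes to the
          # local registry even when pushing $INSECURE_OCI_REGISTRY_NAME:$INSECURE_OCI_REGISTRY_PORT/some/image
          echo "127.0.0.1 $INSECURE_OCI_REGISTRY_NAME" | sudo tee -a /etc/hosts
        env:
          ZOT_VERSION: v2.0.0-rc6

      - name: Run Insecure OCI Registry Tests
        run: |
          go install github.com/google/go-containerregistry/cmd/crane
          ./test/e2e_test_insecure_oci_registry.sh

      - name: Collect diagnostics
        if: ${{ failure() }}
        uses: chainguard-dev/actions/kind-diag@84c993eaf02da1c325854fb272a4df9184bd80fc # main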