
Commit 58ff014

committed
support v1 for sign and verofy command
This commit adds v1 support for sign and verify. Signed-off-by: Yongxuan Zhang [email protected]
1 parent 95548d3 commit 58ff014

20 files changed

+275
-85
lines changed

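--- a/docs/cmd/tkn_pipeline_sign.md
+++ b/docs/cmd/tkn_pipeline_sign.md
@@ -36,6 +36,7 @@ or using kms
 -o, --output string Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
 --show-managed-fields If true, keep the managedFields when printing objects in JSON or YAML format.
 --template string Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
+-v, --version string apiVersion of the Pipeline to be signed (default "v1")
 ```
 
 ### Options inherited from parent commands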

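--- a/docs/cmd/tkn_pipeline_verify.md
+++ b/docs/cmd/tkn_pipeline_verify.md
@@ -35,6 +35,7 @@ or using kms
 -o, --output string Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
 --show-managed-fields If true, keep the managedFields when printing objects in JSON or YAML format.
 --template string Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
+-v, --version string apiVersion of the Pipeline to be verified (default "v1")
 ```
 
 ### Options inherited from parent commands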

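--- a/docs/cmd/tkn_task_sign.md
+++ b/docs/cmd/tkn_task_sign.md
@@ -36,6 +36,7 @@ or using kms
 -o, --output string Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
 --show-managed-fields If true, keep the managedFields when printing objects in JSON or YAML format.
 --template string Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
+-v, --version string apiVersion of the Task to be signed (default "v1")
 ```
 
 ### Options inherited from parent commands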

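--- a/docs/cmd/tkn_task_verify.md
+++ b/docs/cmd/tkn_task_verify.md
@@ -35,6 +35,7 @@ or using kms
 -o, --output string Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
 --show-managed-fields If true, keep the managedFields when printing objects in JSON or YAML format.
 --template string Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
+-v, --version string apiVersion of the Task to be verified (default "v1")
 ```
 
 ### Options inherited from parent commands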

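--- a/docs/man/man1/tkn-pipeline-sign.1
+++ b/docs/man/man1/tkn-pipeline-sign.1
@@ -63,6 +63,10 @@ For KMS:
 Template string or path to template file to use when \-o=go\-template, \-o=go\-template\-file. The template format is golang templates [
 \[la]http://golang.org/pkg/text/template/#pkg-overview\[ra]].
 
+.PP
+\fB\-v\fP, \fB\-\-version\fP="v1"
+apiVersion of the Pipeline to be signed
+
 
 .SH OPTIONS INHERITED FROM PARENT COMMANDS
 .PP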

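--- a/docs/man/man1/tkn-pipeline-verify.1
+++ b/docs/man/man1/tkn-pipeline-verify.1
@@ -59,6 +59,10 @@ For KMS:
 Template string or path to template file to use when \-o=go\-template, \-o=go\-template\-file. The template format is golang templates [
 \[la]http://golang.org/pkg/text/template/#pkg-overview\[ra]].
 
+.PP
+\fB\-v\fP, \fB\-\-version\fP="v1"
+apiVersion of the Pipeline to be verified
+
 
 .SH OPTIONS INHERITED FROM PARENT COMMANDS
 .PP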

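--- a/docs/man/man1/tkn-task-sign.1
+++ b/docs/man/man1/tkn-task-sign.1
@@ -63,6 +63,10 @@ For KMS:
 Template string or path to template file to use when \-o=go\-template, \-o=go\-template\-file. The template format is golang templates [
 \[la]http://golang.org/pkg/text/template/#pkg-overview\[ra]].
 
+.PP
+\fB\-v\fP, \fB\-\-version\fP="v1"
+apiVersion of the Task to be signed
+
 
 .SH OPTIONS INHERITED FROM PARENT COMMANDS
 .PP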

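--- a/docs/man/man1/tkn-task-verify.1
+++ b/docs/man/man1/tkn-task-verify.1
@@ -59,6 +59,10 @@ For KMS:
 Template string or path to template file to use when \-o=go\-template, \-o=go\-template\-file. The template format is golang templates [
 \[la]http://golang.org/pkg/text/template/#pkg-overview\[ra]].
 
+.PP
+\fB\-v\fP, \fB\-\-version\fP="v1"
+apiVersion of the Task to be verified
+
 
 .SH OPTIONS INHERITED FROM PARENT COMMANDS
 .PP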

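--- a/pkg/cmd/pipeline/sign.go
+++ b/pkg/cmd/pipeline/sign.go
@@ -22,7 +22,9 @@ import (
 "github.com/spf13/cobra"
 "github.com/tektoncd/cli/pkg/cli"
 "github.com/tektoncd/cli/pkg/trustedresources"
+v1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1"
 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"
+metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 cliopts "k8s.io/cli-runtime/pkg/genericclioptions"
 "sigs.k8s.io/yaml"
 )
@@ -31,6 +33,7 @@ type signOptions struct {
 keyfile string
 kmsKey string
 targetFile string
+apiVersion string
 }
 
 func signCommand() *cobra.Command {
@@ -70,7 +73,13 @@ or using kms
 return err
 }
 
-crd := &v1beta1.Pipeline{}
+var crd metav1.Object
+if opts.apiVersion == "v1beta1" {
+crd = &v1beta1.Pipeline{}
+} else {
+crd = &v1.Pipeline{}
+}
+
 if err := yaml.Unmarshal(b, &crd); err != nil {
 return fmt.Errorf("error unmarshalling Pipeline: %v", err)
 }
@@ -87,7 +96,7 @@ or using kms
 c.Flags().StringVarP(&opts.keyfile, "key-file", "K", "", "Key file")
 c.Flags().StringVarP(&opts.kmsKey, "kms-key", "m", "", "KMS key url")
 c.Flags().StringVarP(&opts.targetFile, "file-name", "f", "", "Fle name of the signed pipeline, using the original file name will overwrite the file")
-
+c.Flags().StringVarP(&opts.apiVersion, "pipeline-version", "", "v1", "apiVersion of the Pipeline to be signed")
 return c
 }
 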
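Review bot: In the `@@ -70,7 +73,13 @@` hunk the `else` branch selects `v1.Pipeline` for every value other than the exact string `"v1beta1"`, so a mistyped `--pipeline-version` (for example `v1beta`) is silently treated as v1 instead of being rejected. For a signing command the decoded type presumably determines what is serialised and signed, so an unrecognised version should be an error rather than a default. A `switch` with explicit `"v1beta1"` and `"v1"` cases and a `default` that returns an error would close this; the same branch appears in pkg/cmd/pipeline/verify.go and pkg/cmd/task/sign.go. The enclosing closure starts and ends outside the hunk.

```go
var crd metav1.Object
switch opts.apiVersion {
case "v1beta1":
	crd = &v1beta1.Pipeline{}
case "v1":
	crd = &v1.Pipeline{}
default:
	return fmt.Errorf("unsupported pipeline-version %q, expected v1 or v1beta1", opts.apiVersion)
}
// … unchanged: yaml.Unmarshal and its error handling …
```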

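--- a/pkg/cmd/pipeline/sign_test.go
+++ b/pkg/cmd/pipeline/sign_test.go
@@ -16,6 +16,7 @@ package pipeline
 
 import (
 "context"
+"fmt"
 "os"
 "path/filepath"
 "testing"
@@ -28,37 +29,52 @@ import (
 func TestSign(t *testing.T) {
 ctx := context.Background()
 p := &test.Params{}
-
-task := Command(p)
-
+pipeline := Command(p)
 os.Setenv("PRIVATE_PASSWORD", "1234")
-tmpDir := t.TempDir()
-targetFile := filepath.Join(tmpDir, "signed.yaml")
-out, err := test.ExecuteCommand(task, "sign", "testdata/pipeline.yaml", "-K", "testdata/cosign.key", "-f", targetFile)
-if err != nil {
-t.Errorf("Unexpected error: %v", err)
-}
-expected := "*Warning*: This is an experimental command, it's usage and behavior can change in the next release(s)\nPipeline testdata/pipeline.yaml is signed successfully \n"
-test.AssertOutput(t, expected, out)
 
-// verify the signed task
-verifier, err := cosignsignature.LoadPublicKey(ctx, "testdata/cosign.pub")
-if err != nil {
-t.Errorf("error getting verifier from key file: %v", err)
-}
+testcases := []struct {
+name string
+taskFile string
+apiVersion string
+}{{
+name: "sign and verify v1beta1 Pipeline",
+taskFile: "testdata/pipeline.yaml",
+apiVersion: "v1beta1",
+}, {
+name: "sign and verify v1 Pipeline",
+taskFile: "testdata/pipeline-v1.yaml",
+apiVersion: "v1",
+}}
+for _, tc := range testcases {
+t.Run(tc.name, func(t *testing.T) {
+tmpDir := t.TempDir()
+targetFile := filepath.Join(tmpDir, "signed.yaml")
+out, err := test.ExecuteCommand(pipeline, "sign", tc.taskFile, "-K", "testdata/cosign.key", "-f", targetFile, "--pipeline-version", tc.apiVersion)
+if err != nil {
+t.Errorf("Unexpected error: %v", err)
+}
+expected := fmt.Sprintf("*Warning*: This is an experimental command, it's usage and behavior can change in the next release(s)\nPipeline %s is signed successfully \n", tc.taskFile)
+test.AssertOutput(t, expected, out)
 
-signed, err := os.ReadFile(targetFile)
-if err != nil {
-t.Fatalf("error reading file: %v", err)
-}
+// verify the signed task
+verifier, err := cosignsignature.LoadPublicKey(ctx, "testdata/cosign.pub")
+if err != nil {
+t.Errorf("error getting verifier from key file: %v", err)
+}
 
-target, signature, err := trustedresources.UnmarshalCRD(signed, "Pipeline")
-if err != nil {
-t.Fatalf("error unmarshalling crd: %v", err)
-}
+signed, err := os.ReadFile(targetFile)
+if err != nil {
+t.Fatalf("error reading file: %v", err)
+}
 
-if err := trustedresources.VerifyInterface(target, verifier, signature); err != nil {
-t.Fatalf("VerifyInterface get error: %v", err)
-}
+target, signature, err := trustedresources.UnmarshalCRD(signed, "Pipeline", tc.apiVersion)
+if err != nil {
+t.Fatalf("error unmarshalling crd: %v", err)
+}
 
+if err := trustedresources.VerifyInterface(target, verifier, signature); err != nil {
+t.Fatalf("VerifyInterface get error: %v", err)
+}
+})
+}
 }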
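Review bot: Inside the new `t.Run` body, failures of `test.ExecuteCommand` and `cosignsignature.LoadPublicKey` are reported with `t.Errorf`, so the subtest carries on and later hands `trustedresources.VerifyInterface` a verifier that may be nil; both should be `t.Fatalf`. `os.Setenv("PRIVATE_PASSWORD", "1234")` stays set for the rest of the test binary, whereas `t.Setenv("PRIVATE_PASSWORD", "1234")` restores the previous value when the test ends. The table field `taskFile` holds pipeline paths here and the comment `// verify the signed task` refers to a pipeline, so `pipelineFile` and `// verify the signed pipeline` would read more accurately.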
+25
@@ -0,0 +1,25 @@
1+
apiVersion: tekton.dev/v1
2+
kind: Pipeline
3+
metadata:
4+
annotations:
5+
tekton.dev/signature: MEUCIQD3tcptnk2F+9ru5gNUi91K2NPe59Dk28lwaHEQzScnOQIgL+KpDuGBf67FHGrh34cZRHVmPuYzOzPUbmvealAJPvE=
6+
creationTimestamp: null
7+
name: test-pipeline
8+
spec:
9+
tasks:
10+
- name: build-skaffold-web
11+
params:
12+
- name: pathToDockerFile
13+
value: Dockerfile
14+
- name: pathToContext
15+
value: /workspace/docker-source/examples/microservices/leeroy-web
16+
taskRef:
17+
name: build-docker-image-from-git-source
18+
- name: deploy-web
19+
params:
20+
- name: path
21+
value: /workspace/source/examples/microservices/leeroy-web/kubernetes/deployment.yaml
22+
- name: yamlPathToImage
23+
value: spec.template.spec.containers[0].image
24+
taskRef:
25+
name: deploy-using-kubectl

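--- a/pkg/cmd/pipeline/verify.go
+++ b/pkg/cmd/pipeline/verify.go
@@ -22,14 +22,17 @@ import (
 "github.com/spf13/cobra"
 "github.com/tektoncd/cli/pkg/cli"
 "github.com/tektoncd/cli/pkg/trustedresources"
+v1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1"
 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"
+metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 cliopts "k8s.io/cli-runtime/pkg/genericclioptions"
 "sigs.k8s.io/yaml"
 )
 
 type verifyOptions struct {
-keyfile string
-kmsKey string
+keyfile string
+kmsKey string
+apiVersion string
 }
 
 func verifyCommand() *cobra.Command {
@@ -68,7 +71,12 @@ or using kms
 return err
 }
 
-crd := &v1beta1.Pipeline{}
+var crd metav1.Object
+if opts.apiVersion == "v1beta1" {
+crd = &v1beta1.Pipeline{}
+} else {
+crd = &v1.Pipeline{}
+}
 if err := yaml.Unmarshal(b, &crd); err != nil {
 log.Fatalf("error unmarshalling Pipeline: %v", err)
 return err
@@ -85,5 +93,6 @@ or using kms
 f.AddFlags(c)
 c.Flags().StringVarP(&opts.keyfile, "key-file", "K", "", "Key file")
 c.Flags().StringVarP(&opts.kmsKey, "kms-key", "m", "", "KMS key url")
+c.Flags().StringVarP(&opts.apiVersion, "pipeline-version", "", "v1", "apiVersion of the Pipeline to be verified")
 return c
 }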
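Review bot: The type used for verification in the `@@ -68,7 +71,12 @@` hunk comes only from the `--pipeline-version` flag, and nothing visible compares it with the `apiVersion` field of the file being verified. With the default of `"v1"`, a v1beta1 document verified without the flag is decoded into `v1.Pipeline`; `yaml.Unmarshal` from `sigs.k8s.io/yaml` is not strict, so fields the chosen type does not know are dropped rather than reported, and the check presumably then covers the decoded object rather than the file as written. Consider reading `apiVersion` from the document first (for example into a `metav1.TypeMeta`) and either selecting the type from it or returning an error when it disagrees with the flag. The enclosing function starts and ends outside the hunk.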

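--- a/pkg/cmd/pipeline/verify_test.go
+++ b/pkg/cmd/pipeline/verify_test.go
@@ -15,6 +15,7 @@
 package pipeline
 
 import (
+"fmt"
 "os"
 "testing"
 
@@ -23,15 +24,30 @@ import (
 
 func TestVerify(t *testing.T) {
 p := &test.Params{}
-
 pipeline := Command(p)
-
 os.Setenv("PRIVATE_PASSWORD", "1234")
 
-out, err := test.ExecuteCommand(pipeline, "verify", "testdata/signed.yaml", "-K", "testdata/cosign.pub")
-if err != nil {
-t.Errorf("Unexpected error: %v", err)
+testcases := []struct {
+name string
+taskFile string
+apiVersion string
+}{{
+name: "verify v1beta1 Pipeline",
+taskFile: "testdata/signed.yaml",
+apiVersion: "v1beta1",
+}, {
+name: "verify v1 Pipeline",
+taskFile: "testdata/signed-v1.yaml",
+apiVersion: "v1",
+}}
+for _, tc := range testcases {
+t.Run(tc.name, func(t *testing.T) {
+out, err := test.ExecuteCommand(pipeline, "verify", tc.taskFile, "-K", "testdata/cosign.pub", "--pipeline-version", tc.apiVersion)
+if err != nil {
+t.Errorf("Unexpected error: %v", err)
+}
+expected := fmt.Sprintf("*Warning*: This is an experimental command, it's usage and behavior can change in the next release(s)\nPipeline %s passes verification \n", tc.taskFile)
+test.AssertOutput(t, expected, out)
+})
 }
-expected := "*Warning*: This is an experimental command, it's usage and behavior can change in the next release(s)\nPipeline testdata/signed.yaml passes verification \n"
-test.AssertOutput(t, expected, out)
 }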
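Review bot: Both table entries in `TestVerify` pair a correctly signed fixture with its matching `--pipeline-version`, so the test only shows that verification can succeed, never that it rejects anything. Add at least one case that must fail, such as a signed fixture passed with the other version or a fixture whose spec was edited after signing, and assert that `test.ExecuteCommand` returns an error; a `wantErr bool` field in the table keeps that readable. verify.go calls `log.Fatalf` on its unmarshal error path (visible as a context line in that file's section), which would end the test process, so a failing case may first need that path to return the error instead.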

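--- a/pkg/cmd/task/sign.go
+++ b/pkg/cmd/task/sign.go
@@ -22,7 +22,9 @@ import (
 "github.com/spf13/cobra"
 "github.com/tektoncd/cli/pkg/cli"
 "github.com/tektoncd/cli/pkg/trustedresources"
+v1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1"
 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"
+metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 cliopts "k8s.io/cli-runtime/pkg/genericclioptions"
 "sigs.k8s.io/yaml"
 )
@@ -36,6 +38,7 @@ type signOptions struct {
 keyfile string
 kmsKey string
 targetFile string
+apiVersion string
 }
 
 func signCommand() *cobra.Command {
@@ -74,8 +77,13 @@ or using kms
 log.Fatalf("error reading file: %v", err)
 return err
 }
+var crd metav1.Object
+if opts.apiVersion == "v1beta1" {
+crd = &v1beta1.Task{}
+} else {
+crd = &v1.Task{}
+}
 
-crd := &v1beta1.Task{}
 if err := yaml.Unmarshal(b, &crd); err != nil {
 return fmt.Errorf("error unmarshalling Task: %v", err)
 }
@@ -91,6 +99,6 @@ or using kms
 c.Flags().StringVarP(&opts.keyfile, "key-file", "K", "", "Key file")
 c.Flags().StringVarP(&opts.kmsKey, "kms-key", "m", "", "KMS key url")
 c.Flags().StringVarP(&opts.targetFile, "file-name", "f", "", "file name of the signed task, using the original file name will overwrite the file")
-
+c.Flags().StringVarP(&opts.apiVersion, "pipeline-version", "", "v1", "apiVersion of the Task to be signed")
 return c
 }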
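Review bot: The flag added in the last hunk is registered as `"pipeline-version"` with an empty shorthand, while docs/cmd/tkn_task_sign.md and the man page in this same commit document it as `-v, --version`, so a user following the docs would presumably get an unknown-flag error. Either regenerate the docs from the command or register the name they describe. On a Task command the name `pipeline-version` is also easy to misread as the version of a Pipeline object; a comment above the registration such as `// pipeline-version is the Tekton API version (v1 or v1beta1) of the Task file` would make the meaning clear. The same registration appears in pkg/cmd/pipeline/sign.go and pkg/cmd/pipeline/verify.go.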
