e2e test cosign v3 with fluxcd-testing artifacts

stealthybox · stealthybox · commit fdfaeca7fc8e · 2026-01-26T01:53:48.000-07:00
Signed-off-by: leigh capili &lt;leigh@null.net&gt;
diff --git a/config/testdata/helmchart-from-oci/cosign-v3.yaml b/config/testdata/helmchart-from-oci/cosign-v3.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: podinfo-cosign-v3
+spec:
+  url: oci://ghcr.io/fluxcd-testing/cosign-testing/v3/charts
+  type: "oci"
+  interval: 1m
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmChart
+metadata:
+  name: podinfo-cosign-v3-keyless
+spec:
+  chart: podinfo
+  sourceRef:
+    kind: HelmRepository
+    name: podinfo-cosign-v3
+  version: '6.9.4'
+  interval: 1m
+  verify:
+    provider: cosign
+    matchOIDCIdentity:
+    - issuer: ^https://token\.actions\.githubusercontent\.com$
+      subject: ^https://github\.com/fluxcd-testing/cosign-testing/\.github/workflows/release\.yml@refs/tags/.*
diff --git a/config/testdata/ocirepository/signed-with-cosign-v2-key.yaml b/config/testdata/ocirepository/signed-with-cosign-v2-key.yaml
@@ -2,7 +2,7 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: OCIRepository
 metadata:
-  name: podinfo-deploy-signed-with-key
+  name: podinfo-deploy-signed-with-v2-key
 spec:
   interval: 5m
   url: oci://ghcr.io/stefanprodan/podinfo-deploy
diff --git a/config/testdata/ocirepository/signed-with-cosign-v2-keyless.yaml b/config/testdata/ocirepository/signed-with-cosign-v2-keyless.yaml
@@ -2,7 +2,7 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: OCIRepository
 metadata:
-  name: podinfo-deploy-signed-with-keyless
+  name: podinfo-deploy-signed-with-v2-keyless
 spec:
   interval: 5m
   url: oci://ghcr.io/stefanprodan/manifests/podinfo
diff --git a/config/testdata/ocirepository/signed-with-cosign-v3-key.yaml b/config/testdata/ocirepository/signed-with-cosign-v3-key.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: OCIRepository
+metadata:
+  name: podinfo-deploy-signed-with-v3-key
+spec:
+  interval: 5m
+  url: oci://ghcr.io/fluxcd-testing/cosign-testing/v3/podinfo-deploy
+  ref:
+    semver: "6.9.4"
+  verify:
+    provider: cosign
+    secretRef:
+      name: cosign-testing-key
diff --git a/config/testdata/ocirepository/signed-with-cosign-v3-keyless.yaml b/config/testdata/ocirepository/signed-with-cosign-v3-keyless.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: OCIRepository
+metadata:
+  name: podinfo-deploy-signed-with-v3-keyless
+spec:
+  interval: 5m
+  url: oci://ghcr.io/fluxcd-testing/cosign-testing/v3/manifests/podinfo
+  ref:
+    semver: "6.9.4"
+  verify:
+    provider: cosign
+    matchOIDCIdentity:
+    - issuer: ^https://token\.actions\.githubusercontent\.com$
+      subject: ^https://github\.com/fluxcd-testing/cosign-testing/\.github/workflows/release\.yml@refs/tags/.*
diff --git a/hack/ci/e2e.sh b/hack/ci/e2e.sh
@@ -85,20 +85,29 @@ kubectl -n source-system apply -f "${ROOT_DIR}/config/testdata/helmchart-from-oc
 kubectl -n source-system wait helmchart/podinfo --for=condition=ready --timeout=1m
 kubectl -n source-system wait helmchart/podinfo-keyless --for=condition=ready --timeout=1m
 
+kubectl -n source-system apply -f "${ROOT_DIR}/config/testdata/helmchart-from-oci/cosign-v3.yaml"
+kubectl -n source-system wait helmchart/podinfo-cosign-v3-keyless --for=condition=ready --timeout=1m
+
 kubectl -n source-system apply -f "${ROOT_DIR}/config/testdata/helmchart-from-oci/notation.yaml"
 curl -sSLo notation.crt https://raw.githubusercontent.com/stefanprodan/podinfo/master/.notation/notation.crt
 curl -sSLo trustpolicy.json https://raw.githubusercontent.com/stefanprodan/podinfo/master/.notation/trustpolicy.json
 kubectl -n source-system create secret generic notation-config --from-file=notation.crt --from-file=trustpolicy.json --dry-run=client -o yaml | kubectl apply -f -
 kubectl -n source-system wait helmchart/podinfo-notation --for=condition=ready --timeout=1m
 
 echo "Run OCIRepository verify tests"
-kubectl -n source-system apply -f "${ROOT_DIR}/config/testdata/ocirepository/signed-with-key.yaml"
-kubectl -n source-system apply -f "${ROOT_DIR}/config/testdata/ocirepository/signed-with-keyless.yaml"
+kubectl -n source-system apply -f "${ROOT_DIR}/config/testdata/ocirepository/signed-with-cosign-v2-key.yaml"
+kubectl -n source-system apply -f "${ROOT_DIR}/config/testdata/ocirepository/signed-with-cosign-v2-keyless.yaml"
+kubectl -n source-system apply -f "${ROOT_DIR}/config/testdata/ocirepository/signed-with-cosign-v3-key.yaml"
+kubectl -n source-system apply -f "${ROOT_DIR}/config/testdata/ocirepository/signed-with-cosign-v3-keyless.yaml"
 curl -sSLo cosign.pub https://raw.githubusercontent.com/stefanprodan/podinfo/master/.cosign/cosign.pub
 kubectl -n source-system create secret generic cosign-key --from-file=cosign.pub --dry-run=client -o yaml | kubectl apply -f -
+curl -sSLo cosign-testing.pub https://raw.githubusercontent.com/fluxcd-testing/cosign-testing/main/cosign.pub
+kubectl -n source-system create secret generic cosign-testing-key --from-file=cosign-testing.pub --dry-run=client -o yaml | kubectl apply -f -
 
-kubectl -n source-system wait ocirepository/podinfo-deploy-signed-with-key --for=condition=ready --timeout=1m
-kubectl -n source-system wait ocirepository/podinfo-deploy-signed-with-keyless --for=condition=ready --timeout=1m
+kubectl -n source-system wait ocirepository/podinfo-deploy-signed-with-v2-key --for=condition=ready --timeout=1m
+kubectl -n source-system wait ocirepository/podinfo-deploy-signed-with-v2-keyless --for=condition=ready --timeout=1m
+kubectl -n source-system wait ocirepository/podinfo-deploy-signed-with-v3-key --for=condition=ready --timeout=1m
+kubectl -n source-system wait ocirepository/podinfo-deploy-signed-with-v3-keyless --for=condition=ready --timeout=1m
 
 kubectl -n source-system apply -f "${ROOT_DIR}/config/testdata/ocirepository/signed-with-notation.yaml"
 kubectl -n source-system wait ocirepository/podinfo-deploy-signed-with-notation --for=condition=ready --timeout=1m
