From c02dad9573ccd1f8c8669752d39ec634a1021321 Mon Sep 17 00:00:00 2001
From: Adam Cmiel
Date: Mon, 25 Mar 2024 10:30:23 +0100
Subject: [PATCH] fix: test EC only for a single component

Due to https://issues.redhat.com/browse/KFLUXBUGS-24, testing the EC pipelines takes extremely long (the tests have to wait for the attestation to exist before they can start the EC pipelines). Run the test only for one component to try and improve the situation.

Signed-off-by: Adam Cmiel
---
tests/build/build_templates.go | 139 +++++++++++++++++----------------
1 file changed, 72 insertions(+), 67 deletions(-)
diff --git a/tests/build/build_templates.go b/tests/build/build_templates.go
index 5f09a1c067..5a42873551 100644
--- a/tests/build/build_templates.go
+++ b/tests/build/build_templates.go
@@ -382,88 +382,93 @@ var _ = framework.BuildSuiteDescribe("Build templates E2E test", Label("build", } }) - It("verify-enterprise-contract check should pass", Label(buildTemplatesTestLabel), func() { - // If the Tekton Chains controller is busy, it may take longer than usual for it - // to sign and attest the image built in BeforeAll. - err = kubeadminClient.TektonController.AwaitAttestationAndSignature(imageWithDigest, constants.ChainsAttestationTimeout) - Expect(err).ToNot(HaveOccurred()) - - cm, err := kubeadminClient.CommonController.GetConfigMap("ec-defaults", "enterprise-contract-service") - Expect(err).ToNot(HaveOccurred()) + // temp: run only one enterprise-contract check because of https://issues.redhat.com/browse/KFLUXBUGS-24 + // (have to wait for Tekton Chains to generate the attestation before the check can pass) + if i == 0 { + It("verify-enterprise-contract check should pass", Label(buildTemplatesTestLabel), func() { + // If the Tekton Chains controller is busy, it may take longer than usual for it + // to sign and attest the image built in BeforeAll. 
+ err = kubeadminClient.TektonController.AwaitAttestationAndSignature(imageWithDigest, constants.ChainsAttestationTimeout) + Expect(err).ToNot(HaveOccurred()) - verifyECTaskBundle := cm.Data["verify_ec_task_bundle"] - Expect(verifyECTaskBundle).ToNot(BeEmpty()) + cm, err := kubeadminClient.CommonController.GetConfigMap("ec-defaults", "enterprise-contract-service") + Expect(err).ToNot(HaveOccurred()) - publicSecretName := "cosign-public-key" - publicKey, err := kubeadminClient.TektonController.GetTektonChainsPublicKey() - Expect(err).ToNot(HaveOccurred()) + verifyECTaskBundle := cm.Data["verify_ec_task_bundle"] + Expect(verifyECTaskBundle).ToNot(BeEmpty()) - Expect(kubeadminClient.TektonController.CreateOrUpdateSigningSecret( - publicKey, publicSecretName, testNamespace)).To(Succeed()) + publicSecretName := "cosign-public-key" + publicKey, err := kubeadminClient.TektonController.GetTektonChainsPublicKey() + Expect(err).ToNot(HaveOccurred()) - defaultECP, err := kubeadminClient.TektonController.GetEnterpriseContractPolicy("default", "enterprise-contract-service") - Expect(err).NotTo(HaveOccurred()) + Expect(kubeadminClient.TektonController.CreateOrUpdateSigningSecret( + publicKey, publicSecretName, testNamespace)).To(Succeed()) - policy := contract.PolicySpecWithSourceConfig( - defaultECP.Spec, - ecp.SourceConfig{ - Include: []string{"@slsa3"}, - Exclude: []string{"cve"}, - }, - ) - Expect(kubeadminClient.TektonController.CreateOrUpdatePolicyConfiguration(testNamespace, policy)).To(Succeed()) + defaultECP, err := kubeadminClient.TektonController.GetEnterpriseContractPolicy("default", "enterprise-contract-service") + Expect(err).NotTo(HaveOccurred()) - pipelineRun, err := kubeadminClient.HasController.GetComponentPipelineRun(componentNames[i], applicationName, testNamespace, "") - Expect(err).ToNot(HaveOccurred()) - - revision := pipelineRun.Annotations["build.appstudio.redhat.com/commit_sha"] - Expect(revision).ToNot(BeEmpty()) - - generator := 
tekton.VerifyEnterpriseContract{ - Snapshot: v1alpha1.SnapshotSpec{ - Application: applicationName, - Components: []v1alpha1.SnapshotComponent{ - { - Name: componentNames[i], - ContainerImage: imageWithDigest, - Source: v1alpha1.ComponentSource{ - ComponentSourceUnion: v1alpha1.ComponentSourceUnion{ - GitSource: &v1alpha1.GitSource{ - URL: gitUrl, - Revision: revision, + policy := contract.PolicySpecWithSourceConfig( + defaultECP.Spec, + ecp.SourceConfig{ + Include: []string{"@slsa3"}, + Exclude: []string{"cve"}, + }, + ) + Expect(kubeadminClient.TektonController.CreateOrUpdatePolicyConfiguration(testNamespace, policy)).To(Succeed()) + + pipelineRun, err := kubeadminClient.HasController.GetComponentPipelineRun(componentNames[i], applicationName, testNamespace, "") + Expect(err).ToNot(HaveOccurred()) + + revision := pipelineRun.Annotations["build.appstudio.redhat.com/commit_sha"] + Expect(revision).ToNot(BeEmpty()) + + generator := tekton.VerifyEnterpriseContract{ + Snapshot: v1alpha1.SnapshotSpec{ + Application: applicationName, + Components: []v1alpha1.SnapshotComponent{ + { + Name: componentNames[i], + ContainerImage: imageWithDigest, + Source: v1alpha1.ComponentSource{ + ComponentSourceUnion: v1alpha1.ComponentSourceUnion{ + GitSource: &v1alpha1.GitSource{ + URL: gitUrl, + Revision: revision, + }, }, }, }, }, }, - }, - TaskBundle: verifyECTaskBundle, - Name: "verify-enterprise-contract", - Namespace: testNamespace, - PolicyConfiguration: "ec-policy", - PublicKey: fmt.Sprintf("k8s://%s/%s", testNamespace, publicSecretName), - Strict: true, - EffectiveTime: "now", - IgnoreRekor: true, - } + TaskBundle: verifyECTaskBundle, + Name: "verify-enterprise-contract", + Namespace: testNamespace, + PolicyConfiguration: "ec-policy", + PublicKey: fmt.Sprintf("k8s://%s/%s", testNamespace, publicSecretName), + Strict: true, + EffectiveTime: "now", + IgnoreRekor: true, + } - pr, err = kubeadminClient.TektonController.RunPipeline(generator, testNamespace, 
int(ecPipelineRunTimeout.Seconds())) - Expect(err).NotTo(HaveOccurred()) + pr, err = kubeadminClient.TektonController.RunPipeline(generator, testNamespace, int(ecPipelineRunTimeout.Seconds())) + Expect(err).NotTo(HaveOccurred()) - Expect(kubeadminClient.TektonController.WatchPipelineRun(pr.Name, testNamespace, int(ecPipelineRunTimeout.Seconds()))).To(Succeed()) + Expect(kubeadminClient.TektonController.WatchPipelineRun(pr.Name, testNamespace, int(ecPipelineRunTimeout.Seconds()))).To(Succeed()) - pr, err = kubeadminClient.TektonController.GetPipelineRun(pr.Name, pr.Namespace) - Expect(err).NotTo(HaveOccurred()) + pr, err = kubeadminClient.TektonController.GetPipelineRun(pr.Name, pr.Namespace) + Expect(err).NotTo(HaveOccurred()) + + tr, err := kubeadminClient.TektonController.GetTaskRunStatus(kubeadminClient.CommonController.KubeRest(), pr, "verify-enterprise-contract") + Expect(err).NotTo(HaveOccurred()) + Expect(tekton.DidTaskRunSucceed(tr)).To(BeTrue()) + Expect(tr.Status.TaskRunStatusFields.Results).Should(Or( + // TODO: delete the first option after https://issues.redhat.com/browse/RHTAP-810 is completed + ContainElements(tekton.MatchTaskRunResultWithJSONPathValue(constants.OldTektonTaskTestOutputName, "{$.result}", `["SUCCESS"]`)), + ContainElements(tekton.MatchTaskRunResultWithJSONPathValue(constants.TektonTaskTestOutputName, "{$.result}", `["SUCCESS"]`)), + )) + }) + } - tr, err := kubeadminClient.TektonController.GetTaskRunStatus(kubeadminClient.CommonController.KubeRest(), pr, "verify-enterprise-contract") - Expect(err).NotTo(HaveOccurred()) - Expect(tekton.DidTaskRunSucceed(tr)).To(BeTrue()) - Expect(tr.Status.TaskRunStatusFields.Results).Should(Or( - // TODO: delete the first option after https://issues.redhat.com/browse/RHTAP-810 is completed - ContainElements(tekton.MatchTaskRunResultWithJSONPathValue(constants.OldTektonTaskTestOutputName, "{$.result}", `["SUCCESS"]`)), - 
ContainElements(tekton.MatchTaskRunResultWithJSONPathValue(constants.TektonTaskTestOutputName, "{$.result}", `["SUCCESS"]`)), - )) - }) It("contains non-empty sbom files", Label(buildTemplatesTestLabel), func() { purl, cyclonedx, err := build.GetParsedSbomFilesContentFromImage(imageWithDigest) Expect(err).NotTo(HaveOccurred())
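Review bot: The new `if i == 0 {` guard means `AwaitAttestationAndSignature` and the `verify-enterprise-contract` run are only exercised for whichever component happens to be first. An image from any other component can then be missing its Chains signature or attestation, or fail the `@slsa3` policy, without a test failing. The selection is also positional, so reordering the component list silently changes which build template keeps this coverage. The enclosing loop starts outside the hunk, so the ordering cannot be confirmed from here. I would pin the choice to a named component rather than an index and make the restore condition greppable, e.g. `// TODO(KFLUXBUGS-24): re-enable the EC check for every component once attestation latency is fixed`. If the specs that follow for `i != 0` depend on the attestation already existing, they no longer have a wait in front of them, which is worth checking.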