diff --git a/.github/workflows/test-e2e.yml b/.github/workflows/test-e2e.yml index d6ce3588..bc8c0472 100644 --- a/.github/workflows/test-e2e.yml +++ b/.github/workflows/test-e2e.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ "main" ] +env: + MODEL_TRANSPARENCY_IMG: quay.io/securesign/model-transparency@sha256:3c870f9fe54b8c1ad625f7bc54420c8af2d877045d327598bea32e33edd9ee11 + permissions: contents: read @@ -34,6 +37,9 @@ jobs: kubectl wait --for=condition=Ready --namespace=kube-system pod --all --timeout=300s echo "Cluster is ready" + - name: Swap to dev images + run: make dev-images + - name: Run E2E tests run: | - make test-e2e-ci + make test-e2e-ci MODEL_TRANSPARENCY_IMG=${{ env.MODEL_TRANSPARENCY_IMG }} diff --git a/.tekton/model-validation-operator-bundle-pull-request.yaml b/.tekton/model-validation-operator-bundle-pull-request.yaml index 62fc25eb..08b84bf2 100644 --- a/.tekton/model-validation-operator-bundle-pull-request.yaml +++ b/.tekton/model-validation-operator-bundle-pull-request.yaml @@ -28,12 +28,18 @@ spec: value: 5d - name: dockerfile value: bundle.Dockerfile.model-validation.rh + - name: path-context + value: . - name: hermetic value: "true" - name: prefetch-input value: '{"type": "generic", "path": "."}' - name: build-source-image value: "true" + - name: manager-pipelinerun-selector + value: appstudio.openshift.io/application=model-validation-operator,appstudio.openshift.io/component=model-validation-operator,pipelinesascode.tekton.dev/sha={{revision}},pipelinesascode.tekton.dev/event-type=pull_request + - name: manager-registry-url + value: registry.redhat.io/rhtas/model-validation-rhel9-operator pipelineRef: params: - name: url @@ -41,7 +47,7 @@ spec: - name: revision value: main - name: pathInRepo - value: pipelines/docker-build-oci-ta.yaml + value: pipelines/bundle-build-oci-ta.yaml resolver: git taskRunTemplate: serviceAccountName: build-pipeline-model-validation-operator-bundle 
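Review bot: The digest in the new `MODEL_TRANSPARENCY_IMG` value under `env:` is a hand-copied duplicate of the one this commit puts in `internal/constants/images.go`, and nothing visible keeps the two in step. If only one of them is bumped later, the e2e model would be signed with a different image than the one the init container validates with, which can hide real failures or produce false ones. A comment above the variable, such as `# keep this digest identical to ModelTransparencyCliImage in internal/constants/images.go`, would make the coupling explicit.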
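Review bot: In the `Run E2E tests` step the image reference is spliced into the script text with `${{ env.MODEL_TRANSPARENCY_IMG }}` and left unquoted. The value is a workflow constant today, so this is hardening rather than a live bug. The workflow-level `env:` entry is already exported to the step's shell, and reading it there keeps the script independent of expression expansion: `make test-e2e-ci MODEL_TRANSPARENCY_IMG="$MODEL_TRANSPARENCY_IMG"`.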
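Review bot: `pathInRepo` now selects `pipelines/bundle-build-oci-ta.yaml`, but the git resolver still takes it from `revision: main` (the context line just above), a mutable ref, so the build steps for this bundle can change without any commit in this repository. Pinning `revision` to a commit SHA and bumping it deliberately would make the build definition reviewable; if tracking `main` is intentional, a one-line comment saying so would help. The same applies to the `pathInRepo` hunks in the other three `.tekton` files of this commit. The resolver's `url` value lies outside the hunk, so which repository this refers to cannot be checked here.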
diff --git a/.tekton/model-validation-operator-bundle-push.yaml b/.tekton/model-validation-operator-bundle-push.yaml index ab98d21f..a802811c 100644 --- a/.tekton/model-validation-operator-bundle-push.yaml +++ b/.tekton/model-validation-operator-bundle-push.yaml @@ -31,6 +31,10 @@ spec: value: '{"type": "generic", "path": "."}' - name: build-source-image value: "true" + - name: manager-pipelinerun-selector + value: appstudio.openshift.io/application=model-validation-operator,appstudio.openshift.io/component=model-validation-operator,pipelinesascode.tekton.dev/sha={{revision}},pipelinesascode.tekton.dev/event-type=push + - name: manager-registry-url + value: registry.redhat.io/rhtas/model-validation-rhel9-operator pipelineRef: params: - name: url @@ -38,7 +42,7 @@ spec: - name: revision value: main - name: pathInRepo - value: pipelines/docker-build-oci-ta.yaml + value: pipelines/bundle-build-oci-ta.yaml resolver: git taskRunTemplate: serviceAccountName: build-pipeline-model-validation-operator-bundle diff --git a/.tekton/model-validation-operator-pull-request.yaml b/.tekton/model-validation-operator-pull-request.yaml index ab6828cc..e89f50c3 100644 --- a/.tekton/model-validation-operator-pull-request.yaml +++ b/.tekton/model-validation-operator-pull-request.yaml @@ -28,6 +28,11 @@ spec: value: 5d - name: dockerfile value: Dockerfile + - name: path-context + value: . + - name: build-platforms + value: + - linux/x86_64 - name: hermetic value: "true" - name: build-source-image @@ -41,7 +46,7 @@ spec: - name: revision value: main - name: pathInRepo - value: pipelines/docker-build-oci-ta.yaml + value: pipelines/docker-build-multi-platform-oci-ta.yaml resolver: git taskRunTemplate: serviceAccountName: build-pipeline-model-validation-operator diff --git a/.tekton/model-validation-operator-push.yaml b/.tekton/model-validation-operator-push.yaml index 25c251bb..6e8c75ac 100644 --- a/.tekton/model-validation-operator-push.yaml +++ b/.tekton/model-validation-operator-push.yaml 
@@ -25,6 +25,11 @@ spec: value: quay.io/securesign/model-validation-operator:{{revision}} - name: dockerfile value: Dockerfile + - name: path-context + value: . + - name: build-platforms + value: + - linux/x86_64 - name: hermetic value: "true" - name: build-source-image @@ -38,7 +43,7 @@ spec: - name: revision value: main - name: pathInRepo - value: pipelines/docker-build-oci-ta.yaml + value: pipelines/docker-build-multi-platform-oci-ta.yaml resolver: git taskRunTemplate: serviceAccountName: build-pipeline-model-validation-operator diff --git a/Makefile b/Makefile index 3dc99d47..5439f85d 100644 --- a/Makefile +++ b/Makefile @@ -99,6 +99,12 @@ help: ## Display this help. ##@ Development +# Switch images from `registry.redhat.io` images to the dev images +.PHONY: dev-images +dev-images: + sed -E -i 's#registry.redhat.io/rhtas/model-transparency-rhel9#quay.io/securesign/model-transparency#g' \ + internal/constants/images.go + .PHONY: manifests manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects. $(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases @@ -453,9 +459,9 @@ e2e-sign-test-model: e2e-generate-test-keys $(CONTAINER_TOOL) run --rm \ -v $(PWD)/testdata/tensorflow_saved_model:/model \ -v $(PWD)/testdata/docker/test_private_key.priv:/test_private_key.priv \ - --entrypoint="" \ - ghcr.io/sigstore/model-transparency-cli:v1.0.1 \ - /usr/local/bin/model_signing sign key /model \ + --entrypoint "" \ + $(MODEL_TRANSPARENCY_IMG) \ + model_signing sign key /model \ --private_key /test_private_key.priv \ --signature /model/model.sig 
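Review bot: The `dev-images` recipe succeeds even when the `sed` expression matches nothing, so a later change to how the image string is written in `internal/constants/images.go` would leave the `registry.redhat.io` reference in place without any error at this step. A second recipe line that checks the result, `grep -qF 'quay.io/securesign/model-transparency@' internal/constants/images.go`, makes the step fail where the problem is. Two smaller points: the dots in the pattern are unescaped regex wildcards, and `sed -i` without a suffix argument is GNU syntax, so the target will not run with BSD sed. The rewrite edits a tracked file in place, so the comment above the target could also say that the result must not be committed.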
@@ -490,8 +496,6 @@ e2e-load-images: e2e-build-image e2e-build-test-model $(CONTAINER_TOOL) pull $(MODEL_TRANSPARENCY_IMG) @echo "Loading manager image into Kind cluster..." $(KIND) load docker-image -n $(KIND_CLUSTER) $(IMG) - @echo "Loading model-transparency-cli image into Kind cluster..." - $(KIND) load docker-image -n $(KIND_CLUSTER) $(MODEL_TRANSPARENCY_IMG) @echo "Loading test model image into Kind cluster..." $(KIND) load docker-image -n $(KIND_CLUSTER) $(E2E_TEST_MODEL) diff --git a/config/manifests/bases/model-validation-operator.clusterserviceversion.yaml b/config/manifests/bases/model-validation-operator.clusterserviceversion.yaml index 831b92ae..d28a6461 100644 --- a/config/manifests/bases/model-validation-operator.clusterserviceversion.yaml +++ b/config/manifests/bases/model-validation-operator.clusterserviceversion.yaml 
@@ -4,13 +4,27 @@ metadata: annotations: alm-examples: '[]' capabilities: Basic Install - name: model-validation-operator.v0.0.0 + containerImage: placeholder + features.operators.openshift.io/cnf: "false" + features.operators.openshift.io/cni: "false" + features.operators.openshift.io/csi: "false" + features.operators.openshift.io/disconnected: "false" + features.operators.openshift.io/fips-compliant: "false" + features.operators.openshift.io/proxy-aware: "false" + features.operators.openshift.io/tls-profiles: "false" + features.operators.openshift.io/token-auth-aws: "false" + features.operators.openshift.io/token-auth-azure: "false" + features.operators.openshift.io/token-auth-gcp: "false" + operators.openshift.io/valid-subscription: '["Red Hat Trusted Artifact Signer"]' + repository: https://github.com/securesign/model-validation-operator + support: Red Hat + name: model-validation-operator.v0.0.1 namespace: placeholder spec: apiservicedefinitions: {} customresourcedefinitions: owned: - - description: ModelValidation is the Schema for the modelvalidations API + - description: ModelValidation is the Schema for the modelvalidations API. displayName: Model Validation kind: ModelValidation name: modelvalidations.ml.sigstore.dev @@ -47,8 +61,12 @@ spec: name: Rachel Yordan - email: ifont@redhat.com name: Ivan Font - maturity: alpha + - email: asiek@redhat.com + name: Aleksy Siek + - email: kconner@redhat.com + name: Kevin Conner + maturity: tech-preview minKubeVersion: 1.24.0 provider: - name: Sigstore - version: 0.0.0 + name: Red Hat + version: 0.0.1-techpreview diff --git a/internal/constants/images.go b/internal/constants/images.go index fbc41392..d8d1870c 100644 --- a/internal/constants/images.go +++ b/internal/constants/images.go 
@@ -23,5 +23,6 @@ const ( var ( // ModelTransparencyCliImage is the default image for the model transparency CLI // used as an init container to validate model signatures - ModelTransparencyCliImage = "ghcr.io/sigstore/model-transparency-cli:v1.0.1" + ModelTransparencyCliImage = "registry.redhat.io/rhtas/model-transparency-rhel9@" + + "sha256:3c870f9fe54b8c1ad625f7bc54420c8af2d877045d327598bea32e33edd9ee11" ) diff --git a/internal/webhooks/pod_webhook.go b/internal/webhooks/pod_webhook.go index 5dc3f8a3..8f4455d8 100644 --- a/internal/webhooks/pod_webhook.go +++ b/internal/webhooks/pod_webhook.go @@ -121,7 +121,7 @@ func (p *podInterceptor) Handle(ctx context.Context, req admission.Request) admi Name: constants.ModelValidationInitContainerName, ImagePullPolicy: corev1.PullAlways, Image: constants.ModelTransparencyCliImage, - Command: []string{"/usr/local/bin/model_signing"}, + Command: []string{"model_signing"}, Args: args, VolumeMounts: vm, }) diff --git a/test/e2e/testdata/model-data-daemonset.yaml b/test/e2e/testdata/model-data-daemonset.yaml index 7ed9293d..034e243d 100644 --- a/test/e2e/testdata/model-data-daemonset.yaml +++ b/test/e2e/testdata/model-data-daemonset.yaml @@ -26,6 +26,8 @@ spec: mkdir -p /host-data /host-keys cp -r /data/* /host-data/ cp -r /keys/* /host-keys/ + find /host-data /host-keys -type d -exec chmod 755 {} + + find /host-data /host-keys -type f -exec chmod 644 {} + echo "Model data setup complete on node $NODE_NAME" # Keep running so DaemonSet stays active sleep infinity @@ -53,4 +55,4 @@ spec: type: DirectoryOrCreate tolerations: - operator: Exists - effect: NoSchedule \ No newline at end of file + effect: NoSchedule
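Review bot: `Command: []string{"model_signing"}` now depends on the init container image's `PATH` to locate the validator binary, and nothing at this line says why the absolute path was dropped. Since this container is the one that validates model signatures, a short comment would help the next reader, for example `// Resolved via the image's PATH; presumably the install location differs between images (confirm)`. `Handle` begins and ends outside this hunk.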
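Review bot: The two added `find … chmod` lines make every file under `/host-keys` mode 644 and every directory 755, which on what appears to be a host-mounted directory means readable by any user on the node. If `/keys` holds only public verification keys that is fine, but the Makefile in this commit also handles `test_private_key.priv`, and whether that file ends up in `/keys` is not visible here. Consider limiting the `chmod` to `/host-data` and the specific public key file, or adding a comment stating that `/host-keys` carries no private material. The surrounding script starts outside the hunk.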