Use ClusterImagePolicy with Keyless + e2e tests for CIP with kind

[vaikas]

Summary

• Plumb through the Keyless validation from ClusterImagePolicy

Ticket Link

Fixes

Release Note

 * Start enforcing ClusterImagePolicy. Supports both Key, Keyless Authorities.

[codecov-commenter]

Codecov Report

Merging #1650 (58ff276) into main (b102404) will increase coverage by 0.87%.
The diff coverage is 78.57%.

@@            Coverage Diff             @@
##             main    #1650      +/-   ##
==========================================
+ Coverage   27.89%   28.77%   +0.87%     
==========================================
  Files         139      139              
  Lines        7972     8139     +167     
==========================================
+ Hits         2224     2342     +118     
- Misses       5512     5544      +32     
- Partials      236      253      +17     

Impacted Files	Coverage Δ
pkg/cosign/kubernetes/webhook/validator.go	80.49% <76.19%> (-1.22%)	⬇️
pkg/apis/config/image_policies.go	69.38% <100.00%> (ø)
pkg/cosign/kubernetes/webhook/validation.go	80.21% <100.00%> (+1.64%)	⬆️
pkg/cosign/tuf/client.go	62.34% <0.00%> (-0.95%)	⬇️
pkg/cosign/common.go	0.00% <0.00%> (ø)
cmd/cosign/cli/clean.go	0.00% <0.00%> (ø)
cmd/cosign/cli/options/clean.go	0.00% <0.00%> (ø)
pkg/cosign/verify.go	16.32% <0.00%> (+4.65%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b102404...58ff276. Read the comment docs.

[mattmoor]

Move this into scripts like these?

cosign/.github/workflows/kind-e2e-cosigned.yaml

Lines 185 to 196 in bdef009

	- name: Run Insecure Registry Tests
	run: |
	go install github.com/google/go-containerregistry/cmd/crane
	./test/e2e_test_insecure_registry.sh
	- name: Run Image Policy Tests
	run: |
	./test/e2e_test_policy_crd.sh
	- name: Run Cosigned Tests
	run: |
	./test/e2e_test_cosigned.sh

[mattmoor]

Then you can avoid some of the GITHUB_ENV bits for passing env vars across steps, and folks can more easily run this locally.

[vaikas]

Yeah! I was planning on doing that as a follow on. Part of the original reasoning for the test/testadata/cosigned was to dump things into there so that we can then easier pick and choose what we run and automate that. I wasn't quite sure how to structure that :)

There's some stuff that I'd like to pass from the cluster (like the oidc_token, or a way to fetch it, or fulcio URL), etc. but I reckon when I call from actions to shell, env persists?

[mattmoor]

Can we drop /api/v1/rootCert everywhere now?

[mattmoor]

(per my comment above)

[vaikas]

Yes, it actually doesn't work with this anymore, I had fixed it already 👍

[mattmoor]

All of my comments are nits, so feel free to iterate.

[vaikas]

Thanks for the reviews / feedbacks. Since you were both in the approval mood, I'll merge this now and then I'll address / refactor in a follow up PRs. I think it's good to get started testing the pieces and now we also have e2e tests to start building more complex policy validations.