feat(security): guard local path provisioner rollout
All checks were successful
CD Pipeline / workflow-shape (push) Successful in 1s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / tests (push) Successful in 1m11s
CD Pipeline / build-and-deploy (push) Successful in 14m13s
CD Pipeline / post-deploy-checks (push) Successful in 2m58s
All checks were successful
CD Pipeline / workflow-shape (push) Successful in 1s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / tests (push) Successful in 1m11s
CD Pipeline / build-and-deploy (push) Successful in 14m13s
CD Pipeline / post-deploy-checks (push) Successful in 2m58s
This commit is contained in:
@@ -81,7 +81,7 @@ class RuntimeImageMirrorControllerTest(unittest.TestCase):
|
||||
|
||||
self.assertEqual(policy.work_item_id, "AIA-P0-006-02A")
|
||||
self.assertEqual(policy.risk_level, "high")
|
||||
self.assertEqual(len(policy.images), 16)
|
||||
self.assertEqual(len(policy.images), 17)
|
||||
self.assertNotIn("github.com", raw)
|
||||
self.assertNotIn("ghcr.io", raw)
|
||||
self.assertIn('"external_pull_allowed": false', raw)
|
||||
@@ -106,7 +106,7 @@ class RuntimeImageMirrorControllerTest(unittest.TestCase):
|
||||
)
|
||||
)
|
||||
container_kinds = [image.workload.container_kind for image in policy.images]
|
||||
self.assertEqual(container_kinds.count("container"), 13)
|
||||
self.assertEqual(container_kinds.count("container"), 14)
|
||||
self.assertEqual(container_kinds.count("init_container"), 3)
|
||||
|
||||
vpa = next(
|
||||
@@ -153,6 +153,29 @@ class RuntimeImageMirrorControllerTest(unittest.TestCase):
|
||||
),
|
||||
)
|
||||
|
||||
local_path = next(
|
||||
image
|
||||
for image in policy.images
|
||||
if image.asset_id == "runtime-image:local-path-provisioner"
|
||||
)
|
||||
self.assertEqual(
|
||||
local_path.target_registry_digest,
|
||||
"sha256:8ea3128d48a78b376d094366101d54180cd5293839cabd8568b1dce064413619",
|
||||
)
|
||||
self.assertEqual(local_path.workload.namespace, "kube-system")
|
||||
self.assertEqual(local_path.workload.name, "local-path-provisioner")
|
||||
self.assertEqual(local_path.workload.container, "local-path-provisioner")
|
||||
self.assertEqual(
|
||||
local_path.availability_guard,
|
||||
controller.AvailabilityGuard(
|
||||
minimum_ready_replicas=1,
|
||||
maximum_effective_unavailable=0,
|
||||
minimum_effective_surge=1,
|
||||
enforced_max_unavailable=0,
|
||||
enforced_max_surge=1,
|
||||
),
|
||||
)
|
||||
|
||||
def test_policy_loads_and_validates_init_container_kind(self) -> None:
|
||||
image = self._image_with_container_kind("init_container")
|
||||
|
||||
@@ -389,6 +412,34 @@ class RuntimeImageMirrorControllerTest(unittest.TestCase):
|
||||
stable.runtime_ref.endswith("@" + stable.target_registry_digest)
|
||||
)
|
||||
|
||||
def test_local_path_stable_policy_reuses_verified_staging_provenance(
|
||||
self,
|
||||
) -> None:
|
||||
policy = controller.load_policy(POLICY_PATH)
|
||||
staging = next(
|
||||
image
|
||||
for image in controller.load_staging_policy(STAGING_POLICY_PATH).images
|
||||
if image.asset_id
|
||||
== "runtime-image:local-path-provisioner-0.0.34-canary"
|
||||
)
|
||||
stable = next(
|
||||
image
|
||||
for image in policy.images
|
||||
if image.asset_id == "runtime-image:local-path-provisioner"
|
||||
)
|
||||
|
||||
self.assertEqual(stable.source_index_digest, staging.source_index_digest)
|
||||
self.assertEqual(stable.platform_digest, staging.platform_digest)
|
||||
self.assertEqual(stable.push_ref, staging.push_ref)
|
||||
self.assertEqual(stable.workload, staging.workload)
|
||||
self.assertEqual(
|
||||
stable.target_registry_digest,
|
||||
"sha256:8ea3128d48a78b376d094366101d54180cd5293839cabd8568b1dce064413619",
|
||||
)
|
||||
self.assertTrue(
|
||||
stable.runtime_ref.endswith("@" + stable.target_registry_digest)
|
||||
)
|
||||
|
||||
def test_argocd_controller_batch_reuses_verified_staging_artifact(self) -> None:
|
||||
policy = controller.load_policy(POLICY_PATH)
|
||||
staging = controller.load_staging_policy(STAGING_POLICY_PATH).images[0]
|
||||
|
||||
Reference in New Issue
Block a user