test: add anaconda-iso build tests with signed containers

Add anaconda-iso iso build tests with signed containers.
The rest of the images can be also added to the test once
[1] and [2] are merged

[1] osbuild/images#990
[2] osbuild/osbuild#1906

Signed-off-by: Miguel Martín <[email protected]>

.github/workflows/tests.yml

@@ -93,7 +93,7 @@ jobs:
         echo "deb $sources_url/ /" | sudo tee /etc/apt/sources.list.d/devel-kubic-libcontainers-unstable.list
         curl -fsSL $key_url | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/devel_kubic_libcontainers_unstable.gpg > /dev/null
         sudo apt update
-        sudo apt install -y podman
+        sudo apt install -y podman skopeo
     - name: Install python test deps
       run: |
         # make sure test deps are available for root

test/test_build.py

@@ -113,11 +113,20 @@ def build_images(shared_tmpdir, build_container, request, force_aws_upload):
     password = "password"
     kargs = "systemd.journald.forward_to_console=1"
 
+    container_ref = tc.container_ref
+
+    # We cannot use localhost as we need to access the registry from both
+    # the host system and the bootc-image-builder container.
+    default_ip = testutil.get_ip_from_default_route()
+    local_registry = f"{default_ip}:5000"
+    if tc.sign:
+        container_ref = testutil.get_signed_container_ref(local_registry, tc.container_ref)
+
     # params can be long and the qmp socket (that has a limit of 100ish
     # AF_UNIX) is derived from the path
     # hash the container_ref+target_arch, but exclude the image_type so that the output path is shared between calls to
     # different image type combinations
-    output_path = shared_tmpdir / format(abs(hash(tc.container_ref + str(tc.target_arch))), "x")
+    output_path = shared_tmpdir / format(abs(hash(container_ref + str(tc.target_arch))), "x")
     output_path.mkdir(exist_ok=True)
 
     # make sure that the test store exists, because podman refuses to start if the source directory for a volume
@@ -164,7 +173,7 @@ def build_images(shared_tmpdir, build_container, request, force_aws_upload):
             bib_output = bib_output_path.read_text(encoding="utf8")
             results.append(ImageBuildResult(
                 image_type, generated_img, tc.target_arch, tc.osinfo_template,
-                tc.container_ref, tc.rootfs, username, password,
+                container_ref, tc.rootfs, username, password,
                 ssh_keyfile_private_path, kargs, bib_output, journal_output))
 
     # generate new keyfile
@@ -257,15 +266,35 @@ def build_images(shared_tmpdir, build_container, request, force_aws_upload):
         if tc.local:
             cmd.extend(["-v", "/var/lib/containers/storage:/var/lib/containers/storage"])
 
+        if tc.sign:
+            registry_conf = testutil.RegistryConf()
+            registry_conf.local_registry = local_registry
+            registry_conf.base_dir = output_path
+            gpg_conf = testutil.GPGConf()
+            gpg_conf.base_dir = output_path
+            testutil.sign_container_image(gpg_conf, registry_conf, tc.container_ref)
+            policy_file = registry_conf.policy_file
+            lookaside_conf_file = registry_conf.lookaside_conf_file
+            sigstore_dir = registry_conf.sigstore_dir
+            pub_key_file = gpg_conf.pub_key_file
+            signed_image_args = [
+                "-v", f"{policy_file}:/etc/containers/policy.json",
+                "-v", f"{lookaside_conf_file}:/etc/containers/registries.d/bib-tests.yaml",
+                "-v", f"{sigstore_dir}:{sigstore_dir}",
+                "-v", f"{pub_key_file}:{pub_key_file}",
+            ]
+            cmd.extend(signed_image_args)
+
         cmd.extend([
             *creds_args,
             build_container,
-            tc.container_ref,
+            container_ref,
             *types_arg,
             *upload_args,
             *target_arch_args,
             *tc.bib_rootfs_args(),
             "--local" if tc.local else "--local=false",
+            "--tls-verify=false" if tc.sign else "--tls-verify=true"
         ])
 
         # print the build command for easier tracing
@@ -299,7 +328,7 @@ def del_ami():
     for image_type in image_types:
         results.append(ImageBuildResult(
             image_type, artifact[image_type], tc.target_arch, tc.osinfo_template,
-            tc.container_ref, tc.rootfs, username, password,
+            container_ref, tc.rootfs, username, password,
             ssh_keyfile_private_path, kargs, bib_output, journal_output, metadata))
     yield results
 
@@ -316,7 +345,7 @@ def del_ami():
                 img.unlink()
         else:
             print("does not exist")
-    subprocess.run(["podman", "rmi", tc.container_ref], check=False)
+    subprocess.run(["podman", "rmi", container_ref], check=False)
     return
 
 

test/testcases.py

@@ -23,6 +23,8 @@ class TestCase:
     # rootfs to use (e.g. ext4), some containers like fedora do not
     # have a default rootfs. If unset the container default is used.
     rootfs: str = ""
+    # Sign the container_ref and use the new signed image instead of the original one
+    sign: bool = False
 
     def bib_rootfs_args(self):
         if self.rootfs:
@@ -31,7 +33,7 @@ def bib_rootfs_args(self):
 
     def __str__(self):
         return ",".join([
-            attr
+            f"{name}={attr}"
             for name, attr in inspect.getmembers(self)
             if not name.startswith("_") and not callable(attr) and attr
         ])
@@ -68,7 +70,11 @@ def gen_testcases(what):  # pylint: disable=too-many-return-statements
     if what == "ami-boot":
         return [TestCaseCentos(image="ami"), TestCaseFedora(image="ami")]
     if what == "anaconda-iso":
-        return [TestCaseCentos(image="anaconda-iso"), TestCaseFedora(image="anaconda-iso")]
+        return [
+            TestCaseFedora(image="anaconda-iso", sign=True),
+            TestCaseCentos(image="anaconda-iso"),
+            TestCaseFedora(image="anaconda-iso"),
+        ]
     if what == "qemu-boot":
         test_cases = [
             klass(image=img)