Re-enable test/extended/images/signatures.go

mtrmac · mtrmac · commit 922ee64f83ea · 2021-03-04T15:19:11.000+01:00
Don't read the image to be signed from docker.io. Instead, sign the just-built signer image (which is unique, so there always should be enough free signature slots left). Send the required credentials to the source registry. Also use the injected service CA instead of disabling TLS. I don't know whether it is supposed to work like that (per https://github.com/openshift/openshift-docs/blob/enterprise-4.1/release_notes/ocp-4-1-release-notes.adoc#service-ca-bundle-changes the path is deprecated) but the same path is already assumed to exist by the preceding (oc login). Signed-off-by: Miloslav Trmač <mitr@redhat.com>
diff --git a/test/extended/images/signatures.go b/test/extended/images/signatures.go
@@ -22,7 +22,6 @@ var _ = g.Describe("[sig-imageregistry][Serial][Suite:openshift/registry/serial]
 	)
 
 	g.It("can push a signed image to openshift registry and verify it", func() {
-		g.Skip("disable because containers/image: https://github.com/containers/image/pull/570")
 		g.By("building a signer image that knows how to sign images")
 		output, err := oc.Run("create").Args("-f", signerBuildFixture).Output()
 		if err != nil {
@@ -90,7 +89,7 @@ var _ = g.Describe("[sig-imageregistry][Serial][Suite:openshift/registry/serial]
 		o.Expect(out).To(o.ContainSubstring("Logged in"))
 
 		// Sign and copy the memcached image into target image stream tag
-		g.By("signing the memcached:latest image and pushing it into openshift registry")
+		g.By("signing a just-built image and pushing it into openshift registry")
 		out, err = pod.Exec(strings.Join([]string{
 			"GNUPGHOME=/var/lib/origin/gnupg",
 			"skopeo", "--debug",
@@ -99,10 +98,14 @@ var _ = g.Describe("[sig-imageregistry][Serial][Suite:openshift/registry/serial]
 			"--registries.d", "/this/does/not/exist",
 
 			"copy", "--sign-by", "joe@foo.bar",
+			"--src-creds=" + user + ":" + token,
 			"--dest-creds=" + user + ":" + token,
-			// TODO: test with this turned to true as well
-			"--dest-tls-verify=false",
-			"docker://docker.io/library/memcached:latest",
+
+			// Expect to use /run/secrets/kubernetes.io/serviceaccount/ca.crt
+			"--src-cert-dir=/run/secrets/kubernetes.io/serviceaccount",
+			"--dest-cert-dir=/run/secrets/kubernetes.io/serviceaccount",
+
+			"docker://" + signerImage,
 			"docker://" + signedImage,
 		}, " "))
 		fmt.Fprintf(g.GinkgoWriter, "output: %s\n", out)
