Story
Resolution: Done
OCP Node Sprint 273 (Green), OCP Node Sprint 274 (green)
ImagePolicy CRD
ImagePolicy CR
Scenarios summary:
- Check API version (no techpreview image)
- Signatures match
  - matchPolicy: MatchRepoDigestOrExact - to differentiate from OCPNODE-3116, in this case we're signing using the image DIGEST
- Signatures do not match
- Pull an image from any repo not defined in the policy
- Check if ClusterImagePolicy still works
- Delete policy
Prerequisite: almost the same as OCPNODE-3116. To sign an image using the digest, do the following (changing to your repo):
cosign sign --key ./cosign.key --sign-container-identity=quay.io/rh-ee-anahas/imagedigest@sha256:91a7f683619ea3c..........4ef3c0419 quay.io/rh-ee-anahas/imagedigest@sha256:91a7f683619ea3c..........4ef3c0419 --registry-username=user --registry-password=pass
- To verify the signature:
cosign verify --key cosign.pub quay.io/rh-ee-anahas/imagedigest@sha256:91a7f683619ea3c..........4ef3c0419
- Encode cosign.pub and store the result to use on the next tests:
- Run cat cosign.pub and copy the whole key: -----BEGIN PUBLIC KEY----- MFkwEwYHKoZIz................KYvhF8r+bhg== -----END PUBLIC KEY-----
- Go to https://www.base64encode.org/ > paste the key > Encode
- Store the value for next tests
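The encoding step can also be done locally and fed straight into the policy under test. The script below is an added example, not part of the original ticket: the policy name, namespace, scope and sample key are constructed placeholders, and the manifest layout is not shown in the ticket but assumed from the config.openshift.io/v1 ImagePolicy API.

```shell
#!/bin/sh
# Added example: encode a cosign public key locally and render an ImagePolicy CR.

# encode_pubkey FILE -> single-line base64 of the PEM file on stdout.
encode_pubkey() {
    keyfile=$1
    # Refuse anything that is not a PEM public key (e.g. cosign.key by mistake).
    if [ "$(head -n 1 "$keyfile")" != "-----BEGIN PUBLIC KEY-----" ]; then
        echo "error: $keyfile is not a PEM public key" >&2
        return 1
    fi
    # tr strips the line wrapping that some base64 implementations add.
    base64 < "$keyfile" | tr -d '\n'
}

# render_image_policy NAME NAMESPACE SCOPE KEYFILE -> manifest on stdout.
# Field names are assumed from the config.openshift.io/v1 ImagePolicy API.
render_image_policy() {
    keydata=$(encode_pubkey "$4") || return 1
    cat <<EOF
apiVersion: config.openshift.io/v1
kind: ImagePolicy
metadata:
  name: $1
  namespace: $2
spec:
  scopes:
    - $3
  policy:
    rootOfTrust:
      policyType: PublicKey
      publicKey:
        keyData: $keydata
    signedIdentity:
      matchPolicy: MatchRepoDigestOrExact
EOF
}

# Constructed sample key (placeholder body, not a real key) so this runs offline.
sample=$(mktemp)
printf '%s\n' '-----BEGIN PUBLIC KEY-----' 'Q09OU1RSVUNURUQtU0FNUExF' \
    '-----END PUBLIC KEY-----' > "$sample"
# Hypothetical policy name, namespace and scope; change to your own.
render_image_policy digest-policy test-namespace quay.io/example/imagedigest "$sample"
rm -f "$sample"
```

With a real key, replace the sample file with cosign.pub and pipe the output to oc apply -f -.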
Testing Scenarios (original): https://polarion.engineering.redhat.com/polarion/#/project/OSE/workitem?id=OCP-83487
Testing Scenarios (final version, please consider using the following links for testing purposes):
TestCase1: OCP-83540 - Check if API Version for ImagePolicy is V1
TestCase2: OCP-83541 - ImagePolicy CR pulls image successfully after Cosign validation
TestCase3: OCP-83542 - ImagePolicy CR fails to pull image after Cosign validation
TestCase4: OCP-83543 - ImagePolicy CR should allow to pull images not defined in the Scope
TestCase5: OCP-83544 - ClusterImagePolicy should work in a namespace that has an ImagePolicy defined
TestCase6: OCP-83545 - After deleting a ImagePolicy CR the restriction to pull from a scope should be removed