Created
November 28, 2019 12:54
-
-
Save st3v/c3ad062a3ab8755860bd594df5e34126 to your computer and use it in GitHub Desktop.
TLS test for duffle relocate and irel
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| set -e | |
| function cleanup { | |
| if [ "$EUID" -ne 0 ] | |
| then echo "Must run as root to be able to update /etc/hosts" | |
| exit 1 | |
| fi | |
| rm -f ca1.crt ca1.key ca1.srl registry1.key registry1.crt registry1.csr | |
| rm -f ca2.crt ca2.key ca2.srl registry2.key registry2.crt registry2.csr | |
| docker kill registry1 || true | |
| docker kill registry2 || true | |
| sed -i '' '/^127\.0\.0\.1 my-registry-.$/d' /etc/hosts || true | |
| } | |
| case "$1" in | |
| setup) | |
| cleanup | |
| # generate self-signed CA certs | |
| openssl req -newkey rsa:2048 -nodes -keyout ca1.key -x509 -days 365 -subj '/CN=ca1/O=ACME/C=XY' -out ca1.crt | |
| openssl req -newkey rsa:2048 -nodes -keyout ca2.key -x509 -days 365 -subj '/CN=ca2/O=ACME/C=XY' -out ca2.crt | |
| # generate registry CSRs | |
| openssl req -new -newkey rsa:2048 -nodes -keyout registry1.key -subj "/C=XY/O=ACME/CN=my-registry-1" -out registry1.csr | |
| openssl req -new -newkey rsa:2048 -nodes -keyout registry2.key -subj "/C=XY/O=ACME/CN=my-registry-2" -out registry2.csr | |
| # sign registry CSRs | |
| openssl x509 -req -in registry1.csr -CA ca1.crt -CAkey ca1.key -CAcreateserial -out registry1.crt -days 500 -sha256 | |
| openssl x509 -req -in registry2.csr -CA ca2.crt -CAkey ca2.key -CAcreateserial -out registry2.crt -days 500 -sha256 | |
| # run two private registries | |
| docker run --rm -d -p 5000:5000 --name registry1 -e REGISTRY_HTTP_HOST=https://my-registry-1:5000 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry1.crt -e REGISTRY_HTTP_TLS_KEY=/certs/registry1.key -v $(pwd):/certs registry:2 | |
| docker run --rm -d -p 5001:5000 --name registry2 -e REGISTRY_HTTP_HOST=https://my-registry-2:5001 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry2.crt -e REGISTRY_HTTP_TLS_KEY=/certs/registry2.key -v $(pwd):/certs registry:2 | |
| # add registry aliases for loopback in /etc/hosts | |
| echo "127.0.0.1 my-registry-1" >> /etc/hosts | |
| echo "127.0.0.1 my-registry-2" >> /etc/hosts | |
| ;; | |
| cleanup) | |
| cleanup | |
| ;; | |
| irel) | |
| echo "try to copy to private registry without specifying path to CA cert, should fail" | |
| irel copy gcr.io/distroless/static my-registry-1:5000/distroless/static && false | |
| echo -e "PASSED\n" | |
| echo "try to copy to private registry with specifying CA cert path, should succeed" | |
| irel --ca-cert-path ca1.crt copy gcr.io/distroless/static my-registry-1:5000/distroless/static | |
| echo -e "PASSED\n" | |
| echo "try to copy to private registry without cert verification, should succeed" | |
| irel --skip-tls-verify copy gcr.io/distroless/static my-registry-1:5000/distroless/static | |
| echo -e "PASSED\n" | |
| echo "try to copy from/to private registry without specifying path to CA cert for either the source nor the target registry, should fail" | |
| irel copy my-registry-1:5000/distroless/static my-registry-2:5001/distroless/static && false | |
| echo -e "PASSED\n" | |
| echo "try to copy from/to private registry with specifying path to CA cert for the source but not the target registry, should fail" | |
| irel --ca-cert-path ca1.crt copy my-registry-1:5000/distroless/static my-registry-2:5001/distroless/static && false | |
| echo -e "PASSED\n" | |
| echo "try to copy from/to private registry with specifying path to CA certs for both the source and the target registry, should succeed" | |
| irel --ca-cert-path ca1.crt --ca-cert-path ca2.crt copy my-registry-1:5000/distroless/static my-registry-2:5001/distroless/static | |
| echo -e "PASSED\n" | |
| echo "try to copy from/to private registry with specifying path to CA certs for both the source and the target registry, should succeed" | |
| irel --ca-cert-path ca1.crt,ca2.crt copy my-registry-1:5000/distroless/static my-registry-2:5001/distroless/static | |
| echo -e "PASSED\n" | |
| echo "try to copy from/to private registry without cert verification, should succeed" | |
| irel --skip-tls-verify copy my-registry-1:5000/distroless/static my-registry-2:5001/distroless/static | |
| echo -e "PASSED\n" | |
| ;; | |
| duffle) | |
| git clone git@github.com:deislabs/example-bundles.git || true | |
| echo "try to relocate to private registry without specifying CA cert path, should fail" | |
| duffle relocate -f example-bundles/helloworld/bundle.json -m map.json -p my-registry-1:5000 && false | |
| echo -e "PASSED\n" | |
| echo "try to relocate to private registry with specifying correct CA cert path, should succeed" | |
| duffle relocate -f example-bundles/helloworld/bundle.json -m map.json -p my-registry-1:5000 --ca-cert-path ca1.crt | |
| echo -e "PASSED\n" | |
| echo "try to relocate to private registry with specifying incorrect CA cert path, should fail" | |
| duffle relocate -f example-bundles/helloworld/bundle.json -m map.json -p my-registry-1:5000 --ca-cert-path ca2.crt && false | |
| echo -e "PASSED\n" | |
| echo "try to relocate to private registry without cert verification, should succeed" | |
| duffle relocate -f example-bundles/helloworld/bundle.json -m map.json -p my-registry-1:5000 --skip-tls-verify | |
| echo -e "PASSED\n" | |
| # create new thin bundle referencing the relocated from the private registry | |
| export RELOCATED_IMAGE=$(cat map.json | jq -r '[. | to_entries[] | .value][0]') | |
| cat example-bundles/helloworld/bundle.json | jq '.invocationImages[0].image=env.RELOCATED_IMAGE' > relocated.json | |
| echo "try to relocate from/to private registry without specifying CA cert path for source, should fail" | |
| duffle relocate -f relocated.json -m map.json -p my-registry-2:5001 --ca-cert-path ca2.crt && false | |
| echo -e "PASSED\n" | |
| echo "try to relocate from/to private registry without specifying CA cert path for destination, should fail" | |
| duffle relocate -f relocated.json -m map.json -p my-registry-2:5001 --ca-cert-path ca1.crt && false | |
| echo -e "PASSED\n" | |
| echo "try to relocate from/to private registry with specifying CA cert paths for both source and destination, should succeed" | |
| duffle relocate -f relocated.json -m map.json -p my-registry-2:5001 --ca-cert-path ca1.crt --ca-cert-path ca2.crt | |
| echo -e "PASSED\n" | |
| echo "try to relocate from/to private registry with specifying CA cert paths for both source and destination, should succeed" | |
| duffle relocate -f relocated.json -m map.json -p my-registry-2:5001 --ca-cert-path ca2.crt,ca1.crt | |
| echo -e "PASSED\n" | |
| echo "try to relocate from/to private registry without cert verifictation, should succeed" | |
| duffle relocate -f relocated.json -m map.json -p my-registry-2:5001 --skip-tls-verify | |
| echo -e "PASSED\n" | |
| # create thick bundle | |
| duffle export example-bundles/helloworld/bundle.json -f | |
| echo "try to relocate images from thick bundle to private registry without specifying CA cert, should fail" | |
| duffle relocate -f helloworld-0.1.1.tgz -m map.json -p my-registry-1:5000 && false | |
| echo -e "PASSED\n" | |
| echo "try to relocate images from thick bundle to private registry with specifying CA cert, should succeed" | |
| duffle relocate -f helloworld-0.1.1.tgz -m map.json -p my-registry-1:5000 --ca-cert-path ca1.crt | |
| echo -e "PASSED\n" | |
| echo "try to relocate images from thick bundle to private registry without cert verification, should succeed" | |
| duffle relocate -f helloworld-0.1.1.tgz -m map.json -p my-registry-1:5000 --skip-tls-verify | |
| echo -e "PASSED\n" | |
| rm relocated.json | |
| rm map.json | |
| ;; | |
| *) | |
| echo $"Usage: $0 {setup|irel|duffle|cleanup}" | |
| exit 1 | |
| ;; | |
| esac |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
disable