mirror of
https://github.com/siderolabs/talos.git
synced 2026-05-05 12:26:21 +02:00
7f2eb48561
Add support for whole machine-wide image verification configuration. Configuration is a set of rules applied top-down to the image reference, each specifying a specific cosign-based identity or static public key claim. Talos provides a machined API to verify an image reference, resolving it to the digest on the way as needed. Talos itself hooks up in the image verification process, while containerd CRI plugin accesses same API via the machined socket. Signed-off-by: Laura Brehm <laurabrehm@hey.com> Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
33 lines
998 B
Go
33 lines
998 B
Go
// This Source Code Form is subject to the terms of the Mozilla Public
|
|
// License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
|
|
package security_test
|
|
|
|
import (
|
|
"testing"
|
|
|
|
"github.com/cosi-project/runtime/pkg/resource/meta"
|
|
"github.com/cosi-project/runtime/pkg/state"
|
|
"github.com/cosi-project/runtime/pkg/state/impl/inmem"
|
|
"github.com/cosi-project/runtime/pkg/state/impl/namespaced"
|
|
"github.com/cosi-project/runtime/pkg/state/registry"
|
|
"github.com/stretchr/testify/assert"
|
|
|
|
"github.com/siderolabs/talos/pkg/machinery/resources/security"
|
|
)
|
|
|
|
func TestRegisterResource(t *testing.T) {
|
|
ctx := t.Context()
|
|
|
|
resources := state.WrapCore(namespaced.NewState(inmem.Build))
|
|
resourceRegistry := registry.NewResourceRegistry(resources)
|
|
|
|
for _, resource := range []meta.ResourceWithRD{
|
|
&security.ImageVerificationRule{},
|
|
&security.TUFTrustedRoot{},
|
|
} {
|
|
assert.NoError(t, resourceRegistry.Register(ctx, resource))
|
|
}
|
|
}
|