From 1b3268b4a93ef4050728d3f2be15d3b99d46063d Mon Sep 17 00:00:00 2001
From: Janine Olear
Date: Mon, 27 Jan 2025 11:03:18 +0100
Subject: [PATCH] fix deployment examples
Signed-off-by: Janine Olear
---
 README.md | 42 +++++++++++++++++++++++++++++++++++++-----
 examples/prepare.yaml | 2 +-
 examples/verify.yaml | 8 ++++----
 3 files changed, 42 insertions(+), 10 deletions(-)
diff --git a/README.md b/README.md
index 9e3e8a6..8016064 100644
--- a/README.md
+++ b/README.md
@@ -55,7 +55,7 @@ metadata:
 spec:
 config:
 sigstoreConfig:
- certificateIdentity: "nolear@redhat.com"
+ certificateIdentity: "https://github.com/miyunari/model-validation-controller/.github/workflows/sign-model.yaml@refs/tags/v0.0.2"
 certificateOidcIssuer: "https://token.actions.githubusercontent.com"
 model:
 path: /data/tensorflow_saved_model
@@ -107,15 +107,47 @@ kubectl apply -f examples/verify.yaml
 After the example installation, the logs of the generated job should show a successful download:
 ```bash
-kubectl logs -n testing job/download-extract-model
+$ kubectl logs -n testing job/download-extract-model
+Connecting to github.com (140.82.121.3:443)
+Connecting to objects.githubusercontent.com (185.199.108.133:443)
+saving to '/data/tensorflow_saved_model.tar.gz'
+tensorflow_saved_mod 44% |************** | 3983k 0:00:01 ETA
+tensorflow_saved_mod 100% |********************************| 8952k 0:00:00 ETA
+'/data/tensorflow_saved_model.tar.gz' saved
+./
+./model.sig
+./variables/
+./variables/variables.data-00000-of-00001
+./variables/variables.index
+./saved_model.pb
+./fingerprint.pb
 ```
 The controller logs should show that a pod has been modified:
 ```bash
-kubectl logs -n model-validation-controller deploy/model-validation-controller
+$ kubectl logs -n model-validation-controller deploy/model-validation-controller
+time=2025-01-20T22:13:05.051Z level=INFO msg="Starting webhook server on :8080"
+time=2025-01-20T22:13:47.556Z level=INFO msg="new request, path: /webhook"
+time=2025-01-20T22:13:47.557Z level=INFO msg="Execute webhook"
+time=2025-01-20T22:13:47.560Z level=INFO msg="Search associated Model Validation CR" pod=whatever-workload namespace=model-validation-controller
+time=2025-01-20T22:13:47.591Z level=INFO msg="construct args"
+time=2025-01-20T22:13:47.591Z level=INFO msg="found sigstore config"
 ```
 Finally, the test pod should be running and the injected initcontainer should have been successfully validated.
```bash
-kubectl logs -n testing whatever-workload model-validation
-```
\ No newline at end of file
+$ kubectl logs -n testing whatever-workload model-validation
+INFO:__main__:Creating verifier for sigstore
+INFO:tuf.api._payload:No signature for keyid f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f
+INFO:tuf.api._payload:No signature for keyid ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c
+INFO:tuf.api._payload:No signature for keyid ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c
+INFO:tuf.api._payload:No signature for keyid ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c
+INFO:tuf.api._payload:No signature for keyid ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c
+INFO:__main__:Verifying model signature from /data/model.sig
+INFO:__main__:all checks passed
+```
+In case the workload is modified, is not executed:
+```bash
+ERROR:__main__:verification failed: the manifests do not match
+```
+
diff --git a/examples/prepare.yaml b/examples/prepare.yaml
index 273751e..0714baf 100644
--- a/examples/prepare.yaml
+++ b/examples/prepare.yaml
@@ -24,7 +24,7 @@ spec:
 - /bin/sh
 - -c
 - |
- wget -O /data/tensorflow_saved_model.tar.gz https://github.com/slsa-framework/oss-na24-slsa-workshop-model-integrity/releases/download/v0.0.1/tensorflow_saved_model.tar.gz
+ wget -O /data/tensorflow_saved_model.tar.gz https://github.com/miyunari/model-validation-controller/releases/download/v0.0.1/signed_model.tar.gz
 tar -xzvf /data/tensorflow_saved_model.tar.gz -C /data
 rm /data/tensorflow_saved_model.tar.gz
 volumeMounts:
diff --git a/examples/verify.yaml b/examples/verify.yaml
index 6de30c7..0976fe7 100644
--- a/examples/verify.yaml
+++ b/examples/verify.yaml
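Review bot: In examples/prepare.yaml the `sh -c` script has no `set -e`, so the Job's exit status is that of the final `rm`; if the `wget` from the new release URL or the `tar` step fails while a partial file exists, the Job can still be reported as completed with an empty or half-extracted /data. I would put `set -eu` as the first line of the script block. The archive is also unpacked before anything has checked it, and the release asset is not pinned to a digest, so integrity rests entirely on the later signature verification; a one-line comment saying so would help readers who copy the example. The container spec starts and ends outside the hunk.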
@@ -12,11 +12,11 @@ spec:
 # privateKeyConfig:
 # keyPath: /root/pub.key
 sigstoreConfig:
- certificateIdentity: "laurentsimon@google.com"
- certificateOidcIssuer: "https://accounts.google.com"
+ certificateIdentity: "https://github.com/miyunari/model-validation-controller/.github/workflows/sign-model.yaml@refs/tags/v0.0.2"
+ certificateOidcIssuer: "https://token.actions.githubusercontent.com"
 model:
- path: /data/tensorflow_saved_model
- signaturePath: /data/tensorflow_saved_model/model.sig
+ path: /data
+ signaturePath: /data/model.sig
 ---
 apiVersion: v1
 kind: Pod
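Review bot: The `certificateIdentity` in examples/verify.yaml pins the signing workflow at `refs/tags/v0.0.2`, while examples/prepare.yaml in this same patch downloads the model from `releases/download/v0.0.1`; it is worth confirming that the v0.0.1 asset was signed by a workflow run on the v0.0.2 tag, because otherwise the identity check rejects the example model. A comment above `sigstoreConfig` such as `# identity and issuer must match the signing certificate exactly: workflow path @ git ref` would make the pin understandable. With `path: /data` the verified tree is the whole mounted volume, so any unrelated file on that volume presumably ends up in the manifest comparison; extracting into a dedicated subdirectory and pointing `path` there would keep the check scoped to the model. The resource spec starts outside the hunk.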