@@ -55,7 +55,7 @@ metadata:
5555spec :
5656 config :
5757 sigstoreConfig :
58- certificateIdentity : " nolear@redhat .com"
58+ certificateIdentity : " https://github .com/miyunari/model-validation-controller/.github/workflows/sign-model.yaml@refs/tags/v0.0.2 "
5959 certificateOidcIssuer : " https://token.actions.githubusercontent.com"
6060 model :
6161 path : /data/tensorflow_saved_model
@@ -107,15 +107,47 @@ kubectl apply -f examples/verify.yaml
107107
108108After the example installation, the logs of the generated job should show a successful download :
109109` ` ` bash
110- kubectl logs -n testing job/download-extract-model
110+ $ kubectl logs -n testing job/download-extract-model
111+ Connecting to github.com (140.82.121.3:443)
112+ Connecting to objects.githubusercontent.com (185.199.108.133:443)
113+ saving to '/data/tensorflow_saved_model.tar.gz'
114+ tensorflow_saved_mod 44% |************** | 3983k 0:00:01 ETA
115+ tensorflow_saved_mod 100% |********************************| 8952k 0:00:00 ETA
116+ '/data/tensorflow_saved_model.tar.gz' saved
117+ ./
118+ ./model.sig
119+ ./variables/
120+ ./variables/variables.data-00000-of-00001
121+ ./variables/variables.index
122+ ./saved_model.pb
123+ ./fingerprint.pb
111124` ` `
112125
113126The controller logs should show that a pod has been modified :
114127` ` ` bash
115- kubectl logs -n model-validation-controller deploy/model-validation-controller
128+ $ kubectl logs -n model-validation-controller deploy/model-validation-controller
129+ time=2025-01-20T22:13:05.051Z level=INFO msg="Starting webhook server on :8080"
130+ time=2025-01-20T22:13:47.556Z level=INFO msg="new request, path: /webhook"
131+ time=2025-01-20T22:13:47.557Z level=INFO msg="Execute webhook"
132+ time=2025-01-20T22:13:47.560Z level=INFO msg="Search associated Model Validation CR" pod=whatever-workload namespace=model-validation-controller
133+ time=2025-01-20T22:13:47.591Z level=INFO msg="construct args"
134+ time=2025-01-20T22:13:47.591Z level=INFO msg="found sigstore config"
116135` ` `
117136
118137Finally, the test pod should be running and the injected initcontainer should have been successfully validated.
119138` ` ` bash
120- kubectl logs -n testing whatever-workload model-validation
121- ` ` `
139+ $ kubectl logs -n testing whatever-workload model-validation
140+ INFO:__main__:Creating verifier for sigstore
141+ INFO:tuf.api._payload:No signature for keyid f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f
142+ INFO:tuf.api._payload:No signature for keyid ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c
143+ INFO:tuf.api._payload:No signature for keyid ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c
144+ INFO:tuf.api._payload:No signature for keyid ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c
145+ INFO:tuf.api._payload:No signature for keyid ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c
146+ INFO:__main__:Verifying model signature from /data/model.sig
147+ INFO:__main__:all checks passed
148+ ` ` `
149+ In case the workload is modified, is not executed :
150+ ` ` ` bash
151+ ERROR:__main__:verification failed: the manifests do not match
152+ ` ` `
153+
0 commit comments