Don't read the image to be signed from docker.io

Instead, use an already existing one in the internal registry, and hope
that we still have enough free signature slots left.

Send the required credentials to the source registry.

Also use the injected service CA instead of disabling TLS.  I don't know
whether it is supposed to work like that (per
https://github.com/openshift/openshift-docs/blob/enterprise-4.1/release_notes/ocp-4-1-release-notes.adoc#service-ca-bundle-changes
the path is deprecated) but the same path is already assumed to exist
by the preceding (oc login).

Signed-off-by: Miloslav Trmač <[email protected]>

Author: mtrmac

test/extended/images/signatures.go

@@ -11,6 +11,7 @@ import (
 	e2e "k8s.io/kubernetes/test/e2e/framework"
 
 	exutil "github.com/openshift/origin/test/extended/util"
+	"github.com/openshift/origin/test/extended/util/image"
 )
 
 var _ = g.Describe("[sig-imageregistry][Serial][Suite:openshift/registry/serial] Image signature workflow", func() {
@@ -98,10 +99,14 @@ var _ = g.Describe("[sig-imageregistry][Serial][Suite:openshift/registry/serial]
 			"--registries.d", "/this/does/not/exist",
 
 			"copy", "--sign-by", "[email protected]",
+			"--src-creds=" + user + ":" + token,
 			"--dest-creds=" + user + ":" + token,
-			// TODO: test with this turned to true as well
-			"--dest-tls-verify=false",
-			"docker://docker.io/library/memcached:latest",
+
+			// Expect to use /run/secrets/kubernetes.io/serviceaccount/ca.crt
+			"--src-cert-dir=/run/secrets/kubernetes.io/serviceaccount",
+			"--dest-cert-dir=/run/secrets/kubernetes.io/serviceaccount",
+
+			"docker://" + image.ShellImage(),
 			"docker://" + signedImage,
 		}, " "))
 		fmt.Fprintf(g.GinkgoWriter, "output: %s\n", out)