Commit
fix: expose image manifest from build-vm-image task
The way this previously worked was that each build-vm-image task would produce an image index (index1), which was later fed into the build-image-index task to produce a second image index (index2), which (by use of the --all option) would throw away the vm image's original index image (index1), keeping only its image manifest. The problem this caused was that the vm image's original index image (index1) was exposed as a result, and not the image manifest. This meant that Tekton Chains would not see the image manifest, would not generate an attestation for it, and would not sign it. Later, when trying to validate the aggregate index image (index2), policy checks would fail since the index image (index2) was signed, but none of the image manifests were signed. The change here modifies things so that the build-vm-image task exposes only an image manifest, which will be attested to and signed. Its exposed pullspec will be fed to the build-image-index task, which will expose its own image index pullspec as a result to be attested to and signed. And in the end, we should have a correct situation with one image index (signed) referring to $N image manifests (also signed).
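The policy failure the message describes (a signed index referring to unsigned manifests, or to a nested index instead of a manifest) can be checked offline by walking an image index and comparing its entries against the set of digests that actually carry a signature. The following is an added example, not code from this commit or from the project; the index, its digests and the signed-digest set are constructed placeholders, and in practice the signed set would come from the registry (for instance from verifying each digest with cosign).

```python
import json

OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
OCI_INDEX = "application/vnd.oci.image.index.v1+json"
DOCKER_MANIFEST = "application/vnd.docker.distribution.manifest.v2+json"
DOCKER_LIST = "application/vnd.docker.distribution.manifest.list.v2+json"

# Constructed sample aggregate index (placeholder digests, not real artifacts):
# one index2 referencing two image manifests, the shape build-image-index emits.
DIGEST_A = "sha256:" + "a" * 64
DIGEST_B = "sha256:" + "b" * 64
SAMPLE_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": OCI_INDEX,
    "manifests": [
        {"mediaType": OCI_MANIFEST, "digest": DIGEST_A, "size": 1234,
         "platform": {"architecture": "amd64", "os": "linux"}},
        {"mediaType": OCI_MANIFEST, "digest": DIGEST_B, "size": 1234,
         "platform": {"architecture": "arm64", "os": "linux"}},
    ],
})


def audit_index(index_json, signed_digests):
    """Report referenced manifests lacking a signature, and entries that are
    nested indexes (an index1-inside-index2 shape) rather than image manifests.
    signed_digests: set of digests known to have a signature/attestation."""
    index = json.loads(index_json)
    if index.get("mediaType") not in (OCI_INDEX, DOCKER_LIST):
        raise ValueError("not an image index: %r" % index.get("mediaType"))
    unsigned, nested = [], []
    for entry in index.get("manifests", []):
        digest = entry["digest"]
        if entry.get("mediaType") in (OCI_INDEX, DOCKER_LIST):
            nested.append(digest)       # an index was exposed where a manifest belongs
        elif entry.get("mediaType") in (OCI_MANIFEST, DOCKER_MANIFEST) \
                and digest not in signed_digests:
            unsigned.append(digest)     # manifest Chains never attested/signed
    return {"unsigned": unsigned, "nested_indexes": nested}


def index_fully_signed(index_json, index_digest, signed_digests):
    """True only when the index itself and every manifest it refers to are signed."""
    report = audit_index(index_json, signed_digests)
    return (index_digest in signed_digests
            and not report["unsigned"] and not report["nested_indexes"])
```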