From 2787df252d8af752f79536803a71f1839cd88635 Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Wed, 10 Jul 2024 16:10:45 -0400
Subject: [PATCH] fix: expose image manifest from build-vm-image task

The way this previously worked was that each build-vm-image task would produce an image index (index1), which was later fed into the build-image-index task to produce a second image index (index2), which (by use of the --all option) would throw away the vm image's original index image (index1), keeping only its image manifest.

The problem this caused was that the vm image's original index image (index1) was exposed as a result, and not the image manifest. This meant that tekton chains would not see the image manifest, would not generate an attestation for it, and would not sign it. Later, when trying to validate the aggregate index image (index2), policy checks would fail since the index image (index2) was signed, but none of the image manifests were signed.

The change here modifies things so that the build-vm-image task exposes only an image manifest, which will be attested to and signed. Its exposed pullspec will be fed to the build-image-index task, which will expose its own image index pullspec as a result to be attested to and signed. And in the end, we should have a correct situation with one image index (signed) referring to $N image manifests (also signed).

---
 task/build-vm-image/0.1/build-vm-image.yaml | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/task/build-vm-image/0.1/build-vm-image.yaml b/task/build-vm-image/0.1/build-vm-image.yaml
index 506b528776..2a4e17f104 100644
--- a/task/build-vm-image/0.1/build-vm-image.yaml
+++ b/task/build-vm-image/0.1/build-vm-image.yaml
@@ -206,7 +206,9 @@ spec:
 cat >scripts/script-push.sh <