
fix(EC-972): Add support for attaching trusted artifacts #138

Closed
wants to merge 1 commit into from

Conversation

arewm (Member) commented Oct 25, 2024

If trusted artifacts are generated after an image has been built, we can use oras to attach the artifacts instead of just pushing them to the same registry location and tag where the image will eventually be pushed.

@arewm arewm requested review from lcarva and zregvart and removed request for lcarva October 25, 2024 16:07
@arewm arewm force-pushed the oras-attach branch 5 times, most recently from 2f1c523 to bc463b0 Compare October 26, 2024 03:36
zregvart (Member) left a comment

Not sure why we need this, attaching artifacts to a build could have been its own (separate) thing

@@ -1,32 +1,20 @@
FROM scratch AS files
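Review bot: The commit message says nothing about this hunk, yet the header `@@ -1,32 +1,20 @@` shows the build file starting with `FROM scratch AS files` losing a dozen lines; a restructuring of the container stages that is unrelated to attaching artifacts should travel in its own commit with a message describing the new stage layout, so that the change can be reviewed and reverted independently of the oras work.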
Member commented:

Could have been a separate commit/PR

Member Author commented:

I will plan to move it to its own commit. I made this change to make debugging faster as I didn't have to reinstall all dependencies every time I modified the scripts.

Comment on lines +178 to +181
oras attach "${oras_opts[@]}" --no-tty --registry-config <(select-oci-auth.sh ${repo}) --artifact-type "${oci_artifact_type}" \
--distribution-spec v1.1-referrers-api "${store}" "${attached_artifacts[@]}"
oras attach "${oras_opts[@]}" --no-tty --registry-config <(select-oci-auth.sh ${repo}) --artifact-type "${oci_artifact_type}" \
--distribution-spec v1.1-referrers-tag "${store}" "${attached_artifacts[@]}"
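Review bot: Both invocations leave `${repo}` unquoted inside `<(select-oci-auth.sh ${repo})`, so a repository reference containing whitespace or glob characters is word-split before it reaches the helper; quote it as `"${repo}"` like every other argument on the line. The two commands also differ only in `--distribution-spec`, so each artifact is uploaded and attached twice per run, and nothing visible here checks the exit status of the first call before the second one runs; a single `oras attach` without the flag, or one call whose failure is checked before any fallback, avoids the duplicate upload.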
Member commented:

No need to force both options, ORAS will pick the best one available

Suggested change
oras attach "${oras_opts[@]}" --no-tty --registry-config <(select-oci-auth.sh ${repo}) --artifact-type "${oci_artifact_type}" \
--distribution-spec v1.1-referrers-api "${store}" "${attached_artifacts[@]}"
oras attach "${oras_opts[@]}" --no-tty --registry-config <(select-oci-auth.sh ${repo}) --artifact-type "${oci_artifact_type}" \
--distribution-spec v1.1-referrers-tag "${store}" "${attached_artifacts[@]}"
oras attach "${oras_opts[@]}" --no-tty --registry-config <(select-oci-auth.sh ${repo}) --artifact-type "${oci_artifact_type}" "${store}" "${attached_artifacts[@]}"

If trusted artifacts are generated after an image has been built, we can
use oras to attach the artifacts instead of just pushing them to the
same registry location and tag where the image will eventually be
pushed.

Signed-off-by: arewm <[email protected]>
arewm (Member Author) commented Oct 28, 2024

> Not sure why we need this, attaching artifacts to a build could have been its own (separate) thing

The model is the same, we are pushing related files to the registry and recording the digest in results. The difference is just the mechanism of the push -- if we have an artifact, we don't have to rely on the (potentially fragile) tag-based association. We can instead rely on the referrers API.

A future change can add retrieving attached artifacts, but since that is not an immediate requirement, I didn't pursue that in the current PR.
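A verifier-side illustration of the point above, added here and not code from this PR or the oras project: it builds the kind of manifest `oras attach` produces (an OCI image manifest carrying `artifactType` and a `subject` descriptor), derives the fallback tag a registry without the referrers API would use, and selects trusted artifacts from a referrers listing by checking the `subject` digest instead of trusting whatever a tag happens to point at. The artifact type, payloads and image manifest bytes are constructed sample values.

```python
import hashlib
import json

def digest_of(data: bytes) -> str:
    """Canonical OCI digest string for a blob or manifest body."""
    return "sha256:" + hashlib.sha256(data).hexdigest()

def referrers_tag(subject_digest: str) -> str:
    """Fallback tag used when a registry lacks the referrers API: '<alg>-<hex>'."""
    alg, hexdigest = subject_digest.split(":", 1)
    return f"{alg}-{hexdigest}"

def build_attached_manifest(artifact_type: str, subject_digest: str,
                            subject_size: int, layers: list) -> bytes:
    """Manifest of the shape 'oras attach' pushes: an OCI image manifest whose
    'subject' descriptor names the image and whose 'artifactType' labels it."""
    manifest = {
        "schemaVersion": 2,
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "artifactType": artifact_type,
        "config": {"mediaType": "application/vnd.oci.empty.v1+json",
                   "digest": digest_of(b"{}"), "size": 2},
        "layers": [{"mediaType": "application/octet-stream",
                    "digest": digest_of(b), "size": len(b)} for b in layers],
        "subject": {"mediaType": "application/vnd.oci.image.manifest.v1+json",
                    "digest": subject_digest, "size": subject_size},
    }
    return json.dumps(manifest, separators=(",", ":"), sort_keys=True).encode()

def select_trusted_artifacts(referrers: list, manifests: dict,
                             image_digest: str, artifact_type: str) -> list:
    """Verifier-side selection. 'referrers' is the 'manifests' array of a
    referrers API response or of the index stored at the fallback tag;
    'manifests' maps digest -> fetched manifest bytes. Keep only entries of the
    wanted artifactType whose body matches the listed digest and whose subject
    really is our image. Returns the accepted manifest digests."""
    accepted = []
    for desc in referrers:
        if desc.get("artifactType") != artifact_type:
            continue
        body = manifests.get(desc["digest"])
        if body is None or digest_of(body) != desc["digest"]:
            continue  # listing names content we cannot fetch or verify
        if json.loads(body).get("subject", {}).get("digest") != image_digest:
            continue  # a tag can point anywhere; the subject field is digest-bound
        accepted.append(desc["digest"])
    return accepted
```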

zregvart (Member) commented:

> Not sure why we need this, attaching artifacts to a build could have been its own (separate) thing

> The model is the same, we are pushing related files to the registry and recording the digest in results. The difference is just the mechanism of the push -- if we have an artifact, we don't have to rely on the (potentially fragile) tag-based association. We can instead rely on the referrers API.

> A future change can add retrieving attached artifacts, but since that is not an immediate requirement, I didn't pursue that in the current PR.

We should strive to have simple tools that do one thing well, this change doesn't have a use case in maintaining the trust between Tasks which is the focus of this repository. It seems to me that it is convenient to put this functionality here -- not necessary. I think this should be part of a different tool, one that focuses on image attachments.

arewm (Member Author) commented Dec 11, 2024

Closing as I implemented this functionality in konflux-ci/oras-container#133

@arewm arewm closed this Dec 11, 2024
@arewm arewm deleted the oras-attach branch December 11, 2024 16:12