Project: Cluster Integration and Delivery, issue CLID-347

Create defaults configs for signature mirroring/verification

    • Type: Story
    • Resolution: Unresolved
    • Priority: Normal
    • openshift-4.19
    • oc-mirror
    • Sprints: CLID Sprint 268, CLID Sprint 269

In operating systems (OS) where registries.d and policy.json do not include our internal registries with the field use-sigstore-attachments: true, it is necessary to have a default embedded in oc-mirror.

For the oc-mirror cache:

docker:
  localhost:55000:
    use-sigstore-attachments: true

For the customer registry (only an example, with a registry running on localhost:6000):

docker:
  localhost:6000:
    use-sigstore-attachments: true

For the release images:

docker:
  quay.io:
    use-sigstore-attachments: true

For operator catalogs and bundles:

docker:
  registry.access.redhat.com:
    use-sigstore-attachments: true
    lookaside: https://access.redhat.com/webassets/docker/content/sigstore
  registry.redhat.io:
    use-sigstore-attachments: true
    lookaside: https://registry.redhat.io/containers/sigstore

References on containers/image policy.json and registries.d:

      https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md
      https://github.com/containers/image/blob/main/docs/containers-registries.conf.d.5.md

Sherine Khoury added a comment:

For policy.json
In package github.com/containers/image/v5/signature, we can use:
signature.DefaultPolicy(sys *types.SystemContext)

            This will give us the default policy.json, and takes into account whether one is defined in the home directory
            https://github.com/containers/image/blob/d6416b15bc8d130d677ae2645b3a9a3215a7a692/signature/policy_config.go#L53

In any case, in our mirror.go, when we call copy.Image() we are passing the policyContext as an argument...
            This policyContext can be whatever we decide it to be because it is calculated in here.

So technically, we could add the extra policies to the object in the GetPolicyContext method, without annoying the customer with it.

            For registries.d
When we call copy.Image, it creates the ImageSource (NewImageSource), which in turn calls loadRegistryConfiguration.
            This is unfortunately an internal function... and we won't be able to change it.
            It takes the path specified in the systemContext, if not found tries the home dir, and finally the /etc...

We could cheat though by:

            • creating our own function that
              • checks if a registries.d exists under home
              • or otherwise under /etc
              • copy that to a local folder (working-dir/registries.d)
              • add to that folder files for our cache registry
• when calling copy.Image (the mirror package), we set RegistriesDirPath in the srcSystemContext and dstSystemContext to working-dir/registries.d
              • This way we force c/image to use our registries.d always

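The comment above describes copying the host's registries.d into working-dir/registries.d, adding files for the cache registry, and pointing RegistriesDirPath at that directory; the issue description lists the registries the embedded defaults should cover. The Go program below is an added example, not code from oc-mirror or containers/image: it builds that directory with the standard library only, searching the same locations containers/image documents for registries.d ($HOME/.config/containers/registries.d, then /etc/containers/registries.d), and it goes a step beyond the comment by writing all four registries from the description, not only the cache. The names PrepareRegistriesD, registryDefault and ocMirrorDefaults, the file-naming scheme (localhost:55000 becomes localhost_55000.yaml) and the line-match check for an already-configured registry are assumptions of the example; putting the returned path into types.SystemContext.RegistriesDirPath is left to the caller, since the library is not imported here.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// registryDefault is one registries.d entry oc-mirror would ship by default;
// Lookaside is "" when signatures are attached in the registry itself.
type registryDefault struct{ Registry, Lookaside string }

// Values from the issue description (the customer registry is omitted: it is
// site-specific and belongs in the user's own registries.d).
var ocMirrorDefaults = []registryDefault{
	{"localhost:55000", ""}, // oc-mirror cache
	{"quay.io", ""},         // release images
	{"registry.access.redhat.com", "https://access.redhat.com/webassets/docker/content/sigstore"},
	{"registry.redhat.io", "https://registry.redhat.io/containers/sigstore"},
}

// Entry renders the YAML fragment containers/image expects for one registry.
func (d registryDefault) Entry() string {
	s := fmt.Sprintf("docker:\n  %s:\n    use-sigstore-attachments: true\n", d.Registry)
	if d.Lookaside != "" {
		s += fmt.Sprintf("    lookaside: %s\n", d.Lookaside)
	}
	return s
}

// registryConfigured reports whether a *.yaml file in dir already keys this
// registry. A trimmed line match ("quay.io:"), not a YAML parse; it exists so we
// never define one namespace in two files, which containers/image rejects.
func registryConfigured(dir, registry string) (bool, error) {
	files, _ := filepath.Glob(filepath.Join(dir, "*.yaml")) // fixed pattern: no ErrBadPattern
	for _, f := range files {
		data, err := os.ReadFile(f)
		if err != nil {
			return false, err
		}
		for _, line := range strings.Split(string(data), "\n") {
			if strings.TrimSpace(line) == registry+":" {
				return true, nil
			}
		}
	}
	return false, nil
}

// PrepareRegistriesD builds workingDir/registries.d: copies the *.yaml files
// from the first candidate directory that exists, then adds one file per
// default registry the copied files do not cover. The returned path is what to
// set as RegistriesDirPath on both SystemContexts before calling copy.Image.
func PrepareRegistriesD(workingDir string, candidates []string, defaults []registryDefault) (string, error) {
	dst := filepath.Join(workingDir, "registries.d")
	if err := os.MkdirAll(dst, 0o755); err != nil {
		return "", err
	}
	for _, src := range candidates {
		if fi, err := os.Stat(src); err != nil || !fi.IsDir() {
			continue
		}
		files, _ := filepath.Glob(filepath.Join(src, "*.yaml"))
		for _, f := range files {
			data, err := os.ReadFile(f)
			if err != nil {
				return "", err
			}
			if err := os.WriteFile(filepath.Join(dst, filepath.Base(f)), data, 0o644); err != nil {
				return "", err
			}
		}
		break // first directory found wins, as in containers/image's own lookup
	}
	for _, d := range defaults {
		if done, err := registryConfigured(dst, d.Registry); err != nil {
			return "", err
		} else if done {
			continue // the host's existing configuration for this registry wins
		}
		name := strings.ReplaceAll(d.Registry, ":", "_") + ".yaml" // localhost:55000 -> localhost_55000.yaml
		if err := os.WriteFile(filepath.Join(dst, name), []byte(d.Entry()), 0o644); err != nil {
			return "", err
		}
	}
	return dst, nil
}

func main() {
	home, _ := os.UserHomeDir()
	// Same lookup order containers/image uses when RegistriesDirPath is unset.
	candidates := []string{filepath.Join(home, ".config", "containers", "registries.d"), "/etc/containers/registries.d"}
	dir, err := PrepareRegistriesD("working-dir", candidates, ocMirrorDefaults)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("RegistriesDirPath:", dir)
}
```

The skip in the defaults loop is the part to keep in mind: containers/image treats the same registry namespace defined in two registries.d files as a configuration error, so the example leaves any registry the host already configures alone rather than adding a second definition. If oc-mirror ever needs its own setting to win for such a registry, the copied file has to be rewritten, not duplicated.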

People: Sherine Khoury (skhoury@redhat.com), Alex Guidi (rh-ee-aguidi)