OCPBUGS-36344: Add CIP relevant mirrors to sigstore attachement cfg

Add icsp/idms/itms mirrors of CIP scope to /etc/containers/registries.d, so sigstore attachment will be used during the image pull and verification.

Signed-off-by: Qi Wang <qiwan@redhat.com>

pkg/controller/container-runtime-config/container_runtime_config_controller.go

@@ -1007,7 +1007,7 @@ func registriesConfigIgnition(templateDir string, controllerConfig *mcfgv1.Contr
 			return nil, fmt.Errorf("could not update policy json with new changes: %w", err)
 		}
 		// generates configuration under /etc/containers/registries.d to enable sigstore verification
-		sigstoreRegistriesConfigYaml, err = generateSigstoreRegistriesdConfig(clusterScopePolicies)
+		sigstoreRegistriesConfigYaml, err = generateSigstoreRegistriesdConfig(clusterScopePolicies, icspRules, idmsRules, itmsRules)
 		if err != nil {
 			return nil, err
 		}

pkg/controller/container-runtime-config/container_runtime_config_controller_test.go

@@ -534,7 +534,7 @@ func verifyRegistriesConfigAndPolicyJSONContents(t *testing.T, mc *mcfgv1.Machin
 	}
 
 	if verifyImagePoliciesRegistriesConfig {
-		expectedRegistriesConfd, err := generateSigstoreRegistriesdConfig(clusterScopePolicies)
+		expectedRegistriesConfd, err := generateSigstoreRegistriesdConfig(clusterScopePolicies, icsps, idmss, itmss)
 		require.NoError(t, err)
 		foundFile := false
 
@@ -1794,3 +1794,54 @@ func TestClusterImagePolicyCreate(t *testing.T) {
 		})
 	}
 }
+
+func TestSigstoreRegistriesConfigIDMSandCIPCreate(t *testing.T) {
+	for _, platform := range []apicfgv1.PlatformType{apicfgv1.AWSPlatformType, apicfgv1.NonePlatformType, "unrecognized"} {
+		t.Run(string(platform), func(t *testing.T) {
+			f := newFixture(t)
+
+			cc := newControllerConfig(ctrlcommon.ControllerConfigName, platform)
+			mcp := helpers.NewMachineConfigPool("master", nil, helpers.MasterSelector, "v0")
+			mcp2 := helpers.NewMachineConfigPool("worker", nil, helpers.WorkerSelector, "v0")
+			imgcfg1 := newImageConfig("cluster", &apicfgv1.RegistrySources{InsecureRegistries: []string{"blah.io"}, AllowedRegistries: []string{"example.com"}, ContainerRuntimeSearchRegistries: []string{"search-reg.io"}})
+
+			cvcfg1 := newClusterVersionConfig("version", "test.io/myuser/myimage:test")
+			keyReg1, _ := getManagedKeyReg(mcp, nil)
+			keyReg2, _ := getManagedKeyReg(mcp2, nil)
+
+			mcs1 := helpers.NewMachineConfig(keyReg1, map[string]string{"node-role": "master"}, "dummy://", []ign3types.File{{}})
+			mcs2 := helpers.NewMachineConfig(keyReg2, map[string]string{"node-role": "worker"}, "dummy://", []ign3types.File{{}})
+
+			// idms source is the same as cip scope
+			idms := newIDMS("built-in", []apicfgv1.ImageDigestMirrors{
+				{Source: "built-in-source.example.com", Mirrors: []apicfgv1.ImageMirror{"built-in-mirror.example.com"}},
+			})
+			clusterimgPolicy := newClusterImagePolicyWithPublicKey("built-in-source.example.com", []string{"example.com"}, []byte("foo bar"))
+			f.ccLister = append(f.ccLister, cc)
+			f.mcpLister = append(f.mcpLister, mcp)
+			f.mcpLister = append(f.mcpLister, mcp2)
+			f.imgLister = append(f.imgLister, imgcfg1)
+			f.idmsLister = append(f.idmsLister, idms)
+			f.clusterImagePolicyLister = append(f.clusterImagePolicyLister, clusterimgPolicy)
+			f.cvLister = append(f.cvLister, cvcfg1)
+			f.imgObjects = append(f.imgObjects, imgcfg1)
+
+			f.expectGetMachineConfigAction(mcs1)
+			f.expectGetMachineConfigAction(mcs1)
+			f.expectGetMachineConfigAction(mcs1)
+			f.expectCreateMachineConfigAction(mcs1)
+
+			f.expectGetMachineConfigAction(mcs2)
+			f.expectGetMachineConfigAction(mcs2)
+			f.expectGetMachineConfigAction(mcs2)
+
+			f.expectCreateMachineConfigAction(mcs2)
+
+			f.run("")
+
+			for _, mcName := range []string{mcs1.Name, mcs2.Name} {
+				f.verifyRegistriesConfigAndPolicyJSONContents(t, mcName, imgcfg1, nil, idms, nil, clusterimgPolicy, cc.Spec.ReleaseImage, true, true, true)
+			}
+		})
+	}
+}

pkg/controller/container-runtime-config/helpers.go

@@ -933,7 +933,7 @@ func validateClusterImagePolicyWithAllowedBlockedRegistries(clusterScopePolicies
 	return nil
 }
 
-func generateSigstoreRegistriesdConfig(clusterScopePolicies map[string]signature.PolicyRequirements) ([]byte, error) {
+func generateSigstoreRegistriesdConfig(clusterScopePolicies map[string]signature.PolicyRequirements, icspRules []*apioperatorsv1alpha1.ImageContentSourcePolicy, idmsRules []*apicfgv1.ImageDigestMirrorSet, itmsRules []*apicfgv1.ImageTagMirrorSet) ([]byte, error) {
 	if len(clusterScopePolicies) == 0 {
 		return nil, nil
 	}
@@ -944,6 +944,7 @@ func generateSigstoreRegistriesdConfig(clusterScopePolicies map[string]signature
 	}
 	for scope := range clusterScopePolicies {
 		registriesDockerConfig[scope] = sigstoreAttachment
+		addScopeMirrorsSigstoreRegistriesdConfig(registriesDockerConfig, scope, icspRules, idmsRules, itmsRules, sigstoreAttachment)
 	}
 
 	registriesConfig := &registriesConfig{}
@@ -954,3 +955,108 @@ func generateSigstoreRegistriesdConfig(clusterScopePolicies map[string]signature
 	}
 	return data, nil
 }
+
+func addScopeMirrorsSigstoreRegistriesdConfig(registriesDockerConfig map[string]dockerConfig, scope string, icspRules []*apioperatorsv1alpha1.ImageContentSourcePolicy, idmsRules []*apicfgv1.ImageDigestMirrorSet, itmsRules []*apicfgv1.ImageTagMirrorSet, sigstoreAttachment dockerConfig) {
+	for _, icsp := range icspRules {
+		scopeIsSource := false
+		for _, rdm := range icsp.Spec.RepositoryDigestMirrors {
+			if strings.HasPrefix(rdm.Source, scope) {
+				for _, mirror := range rdm.Mirrors {
+					registriesDockerConfig[mirror] = sigstoreAttachment
+				}
+				if rdm.Source == scope {
+					scopeIsSource = true
+				}
+			}
+		}
+		if scopeIsSource {
+			continue
+		}
+
+		maxSourceLen := 0
+		var mirrors []string
+		for _, rdm := range icsp.Spec.RepositoryDigestMirrors {
+			if strings.HasPrefix(scope, rdm.Source) {
+				if len(rdm.Source) > maxSourceLen {
+					maxSourceLen = len(rdm.Source)
+					mirrors = rdm.Mirrors
+				}
+			}
+		}
+		if maxSourceLen > 0 {
+			for _, mirror := range mirrors {
+				registriesDockerConfig[mirror] = sigstoreAttachment
+			}
+		}
+	}
+
+	for _, idms := range idmsRules {
+		scopeIsSource := false
+		for _, idm := range idms.Spec.ImageDigestMirrors {
+			if strings.HasPrefix(idm.Source, scope) {
+				for _, mirror := range idm.Mirrors {
+					m := string(mirror)
+					registriesDockerConfig[m] = sigstoreAttachment
+				}
+				if idm.Source == scope {
+					scopeIsSource = true
+				}
+			}
+		}
+		if scopeIsSource {
+			continue
+		}
+
+		maxSourceLen := 0
+		var mirrors []apicfgv1.ImageMirror
+		for _, idm := range idms.Spec.ImageDigestMirrors {
+			if strings.HasPrefix(scope, idm.Source) {
+				if len(idm.Source) > maxSourceLen {
+					maxSourceLen = len(idm.Source)
+					mirrors = idm.Mirrors
+				}
+			}
+		}
+		if maxSourceLen > 0 {
+			for _, mirror := range mirrors {
+				m := string(mirror)
+				registriesDockerConfig[m] = sigstoreAttachment
+			}
+		}
+	}
+
+	for _, itms := range itmsRules {
+		scopeIsSource := false
+		for _, itm := range itms.Spec.ImageTagMirrors {
+			if strings.HasPrefix(itm.Source, scope) {
+				for _, mirror := range itm.Mirrors {
+					m := string(mirror)
+					registriesDockerConfig[m] = sigstoreAttachment
+				}
+				if itm.Source == scope {
+					scopeIsSource = true
+				}
+			}
+		}
+		if scopeIsSource {
+			continue
+		}
+
+		maxSourceLen := 0
+		var mirrors []apicfgv1.ImageMirror
+		for _, itm := range itms.Spec.ImageTagMirrors {
+			if strings.HasPrefix(scope, itm.Source) {
+				if len(itm.Source) > maxSourceLen {
+					maxSourceLen = len(itm.Source)
+					mirrors = itm.Mirrors
+				}
+			}
+		}
+		if maxSourceLen > 0 {
+			for _, mirror := range mirrors {
+				m := string(mirror)
+				registriesDockerConfig[m] = sigstoreAttachment
+			}
+		}
+	}
+}