OCPBUGS-36344: Add CIP relevant mirrors to sigstore attachement cfg #4449
Conversation
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
QiWang19
force-pushed
the
add-mirrors-to-sigstore-regisconf
branch
2 times, most recently
from
f771a5e
to
7a610ae
Compare
QiWang19
changed the title
openshift-ci-robot
added
jira/severity-moderate
|
@QiWang19: This pull request references Jira Issue OCPBUGS-36344, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/jira refresh |
openshift-ci-robot
added
jira/valid-bug
|
@QiWang19: This pull request references Jira Issue OCPBUGS-36344, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
No GitHub users were found matching the public email listed for the QA contact in Jira (schoudha@redhat.com), skipping review request. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/test all |
QiWang19
changed the title
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
@QiWang19: This pull request references Jira Issue OCPBUGS-36344, which is valid. 3 validation(s) were run on this bug
No GitHub users were found matching the public email listed for the QA contact in Jira (schoudha@redhat.com), skipping review request. The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@mtrmac could you review? |
QiWang19
force-pushed
the
add-mirrors-to-sigstore-regisconf
branch
from
7a610ae
to
60fd9c8
Compare
There was a problem hiding this comment.
Overall it seems to me that doing this with the ICSP/ITMS/IDMS data is harder than it needs to be; instead, the code could consume the already-generated registries.conf, or maybe this could be built along with registries.conf in runtime-utils/pkg/registries.
Something vaguely like:
registries.EditRegistriesConf(config, …)
tmpFile := marshalAndWriteTempFile(config)
systemContext := types.SystemContext{SystemRegistriesConfPath: tmpFile, SystemRegistriesConfDirPath: "/dev/null"}
attachmentScopes := Set[string].New()
for policyScope in allPolicyScopesFromClusterImagePolicy{
parent := sysregistriesv2.FindRegistry(systemContext, policyScope)
addPhysicalLocations(attachmentScopes, parent, policyScope)
for reg in config.Registries {
scope = reg.Prefix ?? reg.Location
if registries.ScopeIsNestedInsideScope(scope, policyScope) && scope != policyScope {
nested := sysregistriesv2.FindRegistry(systemContext, scope) // Finds (a preprocessed version of) reg
addPhysicalLocations(attachmentScopes, nested, scope)
}
}
createRegistriesD(attachmentScopes)
// ---
func addPhysicalLocations(dest *Set[string], reg Registry, scope string) {
// Ugly… we need to look up endpoints for a taged and a digested reference, to account for ITMS/IDMS
endpoints := reg.PullSourcesFromReference(scope + ":tag")
endpoints += reg.PullSourcesFromReference(scope + "@sha256:aaaa…")
dest.Add(endpoints)
}There are various ugly parts in there, admittedly, maybe c/image should gain a few more APIs (“load data from in-memory config”, “return all endpoints ignoring tag/digest restrictions”, …)
|
Arguably, it might not be strictly necessary to be precise in the So, I think, at the very least, it should not be hard-coded enabled via |
QiWang19
force-pushed
the
add-mirrors-to-sigstore-regisconf
branch
2 times, most recently
from
4f979d0
to
60d9968
Compare
|
@mtrmac Could you review? |
| if registriesTOML == nil { | ||
| continue | ||
| } | ||
| parentReg, err := sysregistriesv2.FindRegistry(&types.SystemContext{SystemRegistriesConfPath: tmpFile.Name()}, policyScope) |
There was a problem hiding this comment.
I think this should set SystemRegistriesConfDirPath to something non-existent or not-a-directory, so that the controller doesn’t read current configuration of the node/container where it is currently running.
(In both places, ideally by sharing the SystemContext)
There was a problem hiding this comment.
Thanks for the explanation.
| registriesDockerConfig[scope] = sigstoreAttachment | ||
|
|
||
| for policyScope := range clusterScopePolicies { | ||
| registriesDockerConfig[policyScope] = sigstoreAttachment |
There was a problem hiding this comment.
(Non-blocking: The entry for the primary repo is not necessary if NeverContactSource … but it also doesn’t really hurt; and otherwise we would need to special-case the “no configuration for registry” code path, i.e. this is a bit simpler than being 100% precise.)
| scope = strings.Replace(scope, "*", dummyPrefix, 1) | ||
| } | ||
|
|
||
| scopeRef, err := reference.Parse(scope) |
There was a problem hiding this comment.
[As a general rule, prefer ParseNormalizedNamed. It shouldn’t make a difference for valid scopes, … but do we actually validate that? IsValidRegistriesConfScope seems rather loose, and I’m not sure that there is any other location validating scopes more strictly.
I’m … worried what happens in the “scope == host name” case — AFAICS reference.Parse turns that into "[nothing]/$input". But it might work well enough.
OTOH with ParseNormalizedNamed, the dummyPath part would really have to happen before this parsing. See elsewhere.]
There was a problem hiding this comment.
On second thought, ParseNormalizedNamed("docker.io/library") would produce an unwanted result (or we would have to work around that even more); reference.Parse() is really better here.
| if digestRef, digested := scopeRef.(reference.Digested); digested { | ||
| namedRef, err := reference.ParseNamed(digestRef.String()) | ||
| if err != nil { | ||
| return fmt.Errorf("error parsing scope digested reference %s: %w", digestRef.String(), err) | ||
| } | ||
| scope = reference.TrimNamed(namedRef).String() | ||
|
|
||
| } | ||
| if tagRef, tagged := scopeRef.(reference.Tagged); tagged { | ||
| namedRef, err := reference.ParseNamed(tagRef.String()) | ||
| if err != nil { | ||
| return fmt.Errorf("error parsing scope tagged reference %s: %w", tagRef.String(), err) | ||
| } | ||
| scope = reference.TrimNamed(namedRef).String() | ||
| } |
There was a problem hiding this comment.
I think this can be just scope = scopeRef.Name(), or scopeRef = reference.TrimNamed(scopeRef), without specifically checking for tagged/digested.
| scope = reference.TrimNamed(namedRef).String() | ||
| } | ||
| if !strings.Contains(scope, "/") { | ||
| scope += dummyPath |
There was a problem hiding this comment.
Ugh… I didn’t realize there’s this corner case.
It’s safe to do because we have already looked up reg, but, AFAICS, if we add dummyPath here, we must also strip it from the returned endpoints.
There was a problem hiding this comment.
… or, alternatively, unconditionally add dummyPath, and unconditionally remove it. Either way, ugly…
| digestRef, err := reference.ParseNamed(scope + dummyDigest) | ||
| if err != nil { | ||
| return fmt.Errorf("error parsing digest name for scope %s: %w", scope, err) | ||
| } | ||
| tagRef, err := reference.ParseNamed(scope + dummyTag) | ||
| if err != nil { | ||
| return fmt.Errorf("error parsing tag name for scope %s: %w", scope, err) | ||
| } |
There was a problem hiding this comment.
(Non-blocking? This does work, but it does a bit more parsing than necessary. I think:
// dummyPrefix
if !strings.Contains(scope, "/") { // implies no tag and no digest, so this should be safe
scope += dummyPath
addedDummy = true
}
repo := reference.ParseNormalizedNamed(scope).TrimNamed()
digestRef = reference.WithDigest(repo, digest.Parse(dummyDigest))
tagRef = reference.WithTag(repo, dummyTag)should work.
| endpoint := s.Endpoint.Location | ||
| if endpoint == "" { | ||
| endpoint = reg.Prefix | ||
| } |
There was a problem hiding this comment.
AFAICS this should be strings.TrimSuffix(s.Reference.Name(), dummyPathIfUsed); s.Endpoint is the “root” of the mirror, not the final remapped repo (consider an original scope of example.com/foo/bar, and a mirror defined for example.com/foo)
There was a problem hiding this comment.
A more complete review: the two stand-outs are not setting SystemRegistriesConfDirPath and the Endpoint vs. Reference difference; the rest is mostly cosmetic.
If we absolutely had to, I’d be fine with merging as is and fixing that shortly after, e.g. in the immediately following sprint.
| `docker: | ||
| '*.example.com': | ||
| use-sigstore-attachments: true | ||
| a-a1.mirror/a1: |
There was a problem hiding this comment.
a.com/a1/a2 is mirrored to a-a1.mirror/a2/a2, so that should be the scope. (See Reference vs. Endpoint in the previous review brach.)
| `docker: | ||
| '*.example.com': | ||
| use-sigstore-attachments: true | ||
| '*.scope': |
There was a problem hiding this comment.
I don’t think this should be added (probably Endpoint vs. Reference?)
| use-sigstore-attachments: true | ||
| '*.scope': | ||
| use-sigstore-attachments: true | ||
| '*.x.example.com': |
There was a problem hiding this comment.
This doesn’t hurt but also doesn’t need to be added — *.x.example.com is a subset of *.example.com
| use-sigstore-attachments: true | ||
| a.com/a1/a2@sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa: | ||
| use-sigstore-attachments: true | ||
| a.example.com: |
There was a problem hiding this comment.
Doesn’t hurt but doesn’t need to be added.
QiWang19
force-pushed
the
add-mirrors-to-sigstore-regisconf
branch
2 times, most recently
from
855ca0d
to
78f043b
Compare
| if hasWildcard { | ||
| if endpoint == strings.Replace(originalScope, "*", dummyPrefix, 1) { | ||
| continue | ||
| } | ||
| } |
There was a problem hiding this comment.
@mtrmac Could you review this? We also need to add a check for dummyPrefix.
There was a problem hiding this comment.
(I’m afraid that my suggestion to use the c/image matching code has not been simpler — certainly not much simpler.)
To be explicit, the situation is a config entry with
prefix: *.example.comlocationnot set — OCP never does that for wild-carded scopes- and perhaps some mirrors, perhaps not, e.g. this entry might exist because there was an “insecure” bool set
And in that case the source reference is returned as is.
Here, unlike the added dummyPath, I’m worried about collisions with user-defined names (e.g. a mirroring setup from *.example.com to matched.example.com). I don’t think just a string comparison can resolve that.
It seems to me that this needs a condition && s.Endpoint.Location == "" to rule out this case: mirror endpoints must, by definition, have a mirror location. So if we have Location set, the host name was user-supplied; if Location is unset, the host name comes from dummyPrefix.
(Alternatively, I think the Location == "" check could be the only condition here, but then all primary endpoints would be ruled out and would have to be added at the top level. That would actually match the addScopeMirrorsSigstoreRegistriesdConfig function name a bit better — it would be adding only mirrors, and that would be good enough for currently OCP-generated configs, OTOH it would be less correct for processing registries.conf in general, because top-level redirection (`prefix: "logical"; location: "actualServer") would not be handled. I think we can handle top-level redirection here “for free”, so it’s better to do so than to risk future surprises.)
Please make sure there’s a unit test for this situation, and document what the situation and what the condition is checking for. (Something vaguely like “if we had to add a dummyPrefix to process a wildcard Registry entry, we only want to configure the mirror endpoints, if any; not to add a new entry for exactly dummyPrefix+originalScope”).
Also, this code would now depend on the caller unconditionally configuring attachments for registriesDockerConfig[policyScope] — that also seems worth having a comment.
| scope = reg.Prefix | ||
| } | ||
| if runtimeutils.ScopeIsNestedInsideScope(scope, policyScope) && scope != policyScope { | ||
| nestedReg, err := sysregistriesv2.FindRegistry(&types.SystemContext{SystemRegistriesConfPath: tmpFile.Name()}, scope) |
There was a problem hiding this comment.
This place also needs updating with SystemRegistriesConfDirPath.
(Please create a single SystemContext variable to share that.)
| return fmt.Errorf("error parsing scope %s: %w", scope, err) | ||
| } | ||
|
|
||
| repo := reference.TrimNamed(scopeRef.(reference.Named)) |
There was a problem hiding this comment.
Non-blocking: This cast probably can’t fail, but double-checking might be easier than worrying about crashes.
| require.Len(t, gotRegistriesCfg.Docker, len(tc.expectedSigstoreRegistriesConfigScopes)) | ||
| for _, scope := range tc.expectedSigstoreRegistriesConfigScopes { |
There was a problem hiding this comment.
assert.ElementsMatch(…, expected, maps.Keys(gotRegistriesCfg.Docker)) would check not just a subset relationship, but equality.
QiWang19
force-pushed
the
add-mirrors-to-sigstore-regisconf
branch
2 times, most recently
from
21e2187
to
f1c20bd
Compare
| Spec: apicfgv1.ImageDigestMirrorSetSpec{ | ||
| ImageDigestMirrors: []apicfgv1.ImageDigestMirrors{ | ||
| {Source: "a.example.com", Mirrors: []apicfgv1.ImageMirror{"a-example.mirror"}}, | ||
| {Source: "*.x.example.com", Mirrors: []apicfgv1.ImageMirror{"matched.example.mirror", "star-x.example.mirror"}}, |
There was a problem hiding this comment.
@mtrmac PTAL. Test cases for #4449 (comment)
There was a problem hiding this comment.
Thanks.
Also a test for policy scope foo.example.com/ns/repo vs *.example.com -> our.mirror/example (expected scopes foo.example.com/ns/repo. our.mirror/example/ns/repo) might be a interesting because it might be closer to real-world configurations (with fairly coarse mirror maps but fairly small policy scopes); I don’t expect it would change code coverage…
There was a problem hiding this comment.
We got foo.example.com/ns/repo, our.mirror/example/ns/repo, our.mirror/example
https://github.com/openshift/machine-config-operator/pull/4449/files#diff-e75cbabf033d7cdc22ac1877e6e0134549c848c7226729274f806c3ab943f37eR1366
| sigstoreAttachment = dockerConfig{ | ||
| UseSigstoreAttachments: true, | ||
| } | ||
| sysContext = &types.SystemContext{ |
There was a problem hiding this comment.
(This is only used on the registriesTOML != nil path, so it can be initialized there. A context with SystemRegistriesConfPath set but SystemRegistriesConfPath does not make all that much sense. But this works fine as is.)
Add icsp/idms/itms mirrors of CIP scope to /etc/containers/registries.d, so sigstore attachment will be used during the image pull and verification. Signed-off-by: Qi Wang <qiwan@redhat.com>
QiWang19
force-pushed
the
add-mirrors-to-sigstore-regisconf
branch
from
f1c20bd
to
861d9af
Compare
|
/lgtm |
|
The unit test failure seems not to be obviously related, but I didn’t investigate beyond reading the backtrace. |
|
/test unit |
|
/assign @saschagrunert |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mtrmac, QiWang19, saschagrunert The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
@QiWang19: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
openshift-merge-bot
bot
merged commit 35ce1c1
into
openshift:master
|
@QiWang19: Jira Issue OCPBUGS-36344: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-36344 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[ART PR BUILD NOTIFIER] This PR has been included in build ose-machine-config-operator-container-v4.17.0-202407111341.p0.g35ce1c1.assembly.stream.el9 for distgit ose-machine-config-operator. |
Close: #4446
- What I did
- How to verify it
Cluster 4.17.0-0.ci.test-2024-07-08-173847 has default ICSP:
Apply CIP:
Pull from mirror, check the log:
Looking for sigstore attachments- Description for the changelog
Add icsp/idms/itms mirrors of CIP scope to /etc/containers/registries.d, so sigstore attachment will be used during the image pull and verification.