Additional deploy validation #2100

ssalinas · 2020-06-04T20:03:51Z

Two main pieces:

Add the ability to lock down artifact specification to only signed artifacts (s3 + signature file). This does not validate everything within a list, assuming that if the list is signed, the things within the list are valid
Add valid docker registry list so Singularity can lock usage down to only an internal docker registry if needed

SingularityService/src/main/java/com/hubspot/singularity/data/SingularityValidator.java

pschoenfelder · 2020-06-09T17:19:55Z

🚢

pschoenfelder · 2020-06-10T20:25:22Z

🚢

ssalinas added 2 commits June 4, 2020 15:56

Add ability to enforce signed artifact usage

8be3673

ability to validate docker registry

a788c1f

PaulFurtado reviewed Jun 4, 2020

View reviewed changes

SingularityService/src/main/java/com/hubspot/singularity/data/SingularityValidator.java Outdated Show resolved Hide resolved

specify list of allowed registries

95d0b18

ssalinas added hs_staging labels Jun 9, 2020

ssalinas added the hs_stable label Jun 9, 2020

ssalinas added 9 commits June 9, 2020 16:09

robust image registry parsing

b64b32f

fix build

2de44b9

verify signature in local downloaded directory, not in cache dir

7fc71ab

option to fail fast on this

378a415

resolve to filename

cf35a56

specific exception for artifact verify

0ab673b

one more spot to catch this

04ae608

verify untar'd

14437d1

missed a constructor

c32ae18

ssalinas merged commit fd24145 into master Jun 11, 2020

ssalinas deleted the enforce_signature branch June 11, 2020 12:35

ssalinas added this to the 1.3.0 milestone Sep 24, 2020

Provide feedback