Container image signature validation #371

Merged: 25 commits, Jul 26, 2022

@Shrews (Contributor) commented Apr 18, 2022

This implements container image signature validation with a new execution environment schema format and new CLI options to control sig validation policy.

Changes:

  • Assume version 1 of the EE def if a version is not specified. This ensures backward compatibility since we didn't actually enforce a version to be present.
  • Support for a version 2 of the EE def file, allowing for base and builder images to be signature verified.
  • New --container-policy and --container-keyring options for build action.

The pulp-integration jobs are successful against my fork, seen here.

@github-actions bot added the needs_triage label Apr 18, 2022
@Shrews force-pushed the images branch 6 times, most recently from d2b7def to b1544c0, April 18, 2022 19:11
@Shrews removed the needs_triage label Apr 18, 2022

@softwarefactory-project-zuul commented:

Build succeeded.

@github-actions bot added the test label May 17, 2022
@github-actions bot removed the test label May 19, 2022
@Shrews force-pushed the images branch 2 times, most recently from 73a9897 to f2e6953, May 24, 2022 20:00
@Shrews changed the title from "[wip] Support v2 of EE" to "[wip] Container image validation" May 24, 2022
@Shrews force-pushed the images branch 5 times, most recently from d661058 to 57b8186, June 7, 2022 15:17

@nitzmahone (Member) left a comment

Yep, looks good- one question about the return type of the version property on UserDefinition that I never noticed, but it doesn't look like this PR introduced that change, so we can probably ignore it here.

ansible_builder/user_definition.py (resolved)

@Shrews merged commit 6466c44 into ansible:devel Jul 26, 2022
@Shrews deleted the images branch July 26, 2022 17:46
Labels: docs, test