Skip to content

feat(dagger): support explicit OCI credentials #514

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
migmartri merged 5 commits into from
Feb 16, 2024
Merged

feat(dagger): support explicit OCI credentials #514

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
5c01aef
feat(dagger): support explicit OCI credentials
migmartri Feb 15, 2024
1c397c9
feat(dagger): support explicit OCI credentials
migmartri Feb 15, 2024
7ecbb8e
feat(dagger): support explicit OCI credentials
migmartri Feb 15, 2024
57f9af8
feat(dagger): support explicit OCI credentials
migmartri Feb 15, 2024
dad6261
bump container image
migmartri Feb 16, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 15 additions & 1 deletion extras/dagger/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,21 @@ dagger call -m github.com/chainloop-dev/chainloop/extras/dagger \
--token env:CHAINLOOP_TOKEN attestation-add \
--attestation-id $ATTESTATION_ID \
--name my-container-image \
--value ghcr.io/chainloop-dev/chainloop
--value ghcr.io/chainloop-dev/chainloop/control-plane
```

In some cases, you might be providing a private container image as a piece of evidence. In this case, you'll also need to provide the container registry credentials.

```sh
# Or one with a raw value such as a container image reference
dagger call -m github.com/chainloop-dev/chainloop/extras/dagger \
--token env:CHAINLOOP_TOKEN attestation-add \
--attestation-id $ATTESTATION_ID \
--name my-container-image \
--value ghcr.io/chainloop-dev/chainloop/control-plane
--registry ghcr.io \
--registry-username my-username \
--registry-password MY_PAT_TOKEN
```

### Sign and push ([docs](https://docs.chainloop.dev/getting-started/attestation-crafting#encode-sign-and-push-attestation))
Expand Down
21 changes: 19 additions & 2 deletions extras/dagger/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ import (
"time"
)

const chainloopVersion = "v0.60.0"
const chainloopVersion = "v0.65.0"

type Chainloop struct {
Token *Secret
Expand Down Expand Up @@ -70,6 +70,7 @@ func (m *Chainloop) AttestationStatus(ctx context.Context, attestationID string)
// The file type is required for materials of kind ARTIFACT that are uploaded to the CAS
func (m *Chainloop) AttestationAdd(
ctx context.Context,
attestationID string,
// material name
name string,
// path to the file to be added
Expand All @@ -78,12 +79,28 @@ func (m *Chainloop) AttestationAdd(
// raw value to be added
// +optional
value string,
attestationID string) (string, error) {
// Container Registry Credentials for Container image-based materials
// i.e docker.io, ghcr.io, etc
// +optional
registry string,
// +optional
registryUsername string,
// +optional
registryPassword *Secret,
) (string, error) {
// Validate that either the path or the raw value is provided
if value != "" && path != nil {
return "", fmt.Errorf("only one of material path or value can be provided")
}

c := m.cliImage()
// These OCI credentials are used to resolve materials of type CONTAINER_IMAGE
if registry != "" {
c = c.WithEnvVariable("CHAINLOOP_REGISTRY_SERVER", registry).
WithEnvVariable("CHAINLOOP_REGISTRY_USERNAME", registryUsername).
WithSecretVariable("CHAINLOOP_REGISTRY_PASSWORD", registryPassword)
}

// if the value is provided in a file we need to upload it to the container
if path != nil {
fileName, err := path.Name(ctx)
Expand Down