Allow podman-remote push to accept the --digestfile flag #18216
Comments
cooktheryan
added
the
kind/feature
|
Thanks for reaching out, @cooktheryan. I think that's doable for the remote client. The push REST endpoint is streaming to the client, so I guess we could transport the digest in the @mtrmac WDYT? |
|
The primary way to deal with signing pushed content should be Either way, implementing My intuitive first guess for how this can be done is be to add a new kind of entry to the body’s |
|
thanks @mtrmac it's an interesting scenario. We are trying to avoid needing to use the local podman commands because we are launching instances with terraform with a specific architecture allowing for us to quickly build with podman-remote versus trying to use the qemu functionality. Really appreciate yall discussing this so quickly |
Wire in support for writing the digest of the pushed image to a user-specified file. Requires some massaging of _internal_ APIs and the extension of the push endpoint to integrate the raw manifest (i.e., in bytes) in the stream. Closes: containers#18216 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
|
Opened #18284 to add support. |
Wire in support for writing the digest of the pushed image to a user-specified file. Requires some massaging of _internal_ APIs and the extension of the push endpoint to integrate the raw manifest (i.e., in bytes) in the stream. Closes: containers#18216 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Wire in support for writing the digest of the pushed image to a user-specified file. Requires some massaging of _internal_ APIs and the extension of the push endpoint to integrate the raw manifest (i.e., in bytes) in the stream. Closes: containers#18216 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Wire in support for writing the digest of the pushed image to a user-specified file. Requires some massaging of _internal_ APIs and the extension of the push endpoint to integrate the raw manifest (i.e., in bytes) in the stream. Closes: containers#18216 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Wire in support for writing the digest of the pushed image to a user-specified file. Requires some massaging of _internal_ APIs and the extension of the push endpoint to integrate the raw manifest (i.e., in bytes) in the stream. Closes: containers#18216 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
github-actions
bot
added
the
locked - please file new issue/PR
Feature request description
When using Tekton Chains to sign images generated through Tekton the outputs of Image_digest and Image URL are used by Tekton chains to generate attestation and to cosign the images. When using podman-remote especially when accessing a build server to build and push the process can be completed successfully but I cannot gain the digest information without doing a work around like scp or another back to the Tekton task.
Suggest potential solution
If we were to enable the flag to record the sha and write it to the system running podman-remote the problem would be resolved. I'm unsure if it could be grabbed from stdout of the podman-remote push.
Have you considered any alternatives?
Using podman-remote save to save the image to the pipeline allows for a potential breach of trust.
Additional context
This could be incredibly helpful for GitHub actions as well as Tekton/Tekton chains to build different architectures without needing a full kubernetes cluster of that architecture just a single VM
The text was updated successfully, but these errors were encountered: