
Add tristate container verification #7

Conversation

lukewarmtemp

@lukewarmtemp lukewarmtemp commented Oct 17, 2023

Changed target_signature_verification from a boolean to a tristate variable, modified fedora-coreos-container.mpp.yaml to reflect the tristate variable change, and modified the container deployment function to properly accept:

  • ostree-remote-registry:{remote}:{image_name}
  • ostree-image-signed:registry:{image_name}
  • ostree-unverified-registry:{image_name}

dustymabe and others added 8 commits October 13, 2023 15:47
Similar to the cleanups in 4e99e80, let's start using the library
code for the calls to ostree here.
Similar to the cleanups in 4e99e80, let's start using the library
code for the calls to ostree here.
This moves the setup_remote function from the ostree source into
util/ostree. This is prep for sharing this function with an mpp
helper in the future.
This will make it easier to resolve OSTree refs into commits similar
to how mpp-resolve-images works for container image references to
SHA256 digests.
This adds an early return to the `_process_ostree_commits` function to
prevent an empty ostree commit object from being created in the deploy
stage which causes violations to the deploy stage input schema.
The ostree.deploy stage now accepts either an ostree input:

```yaml
      - type: org.osbuild.ostree.deploy
        options:
          osname: fedora-coreos
          remote: fedora
          mounts:
            - /boot
            - /boot/efi
          kernel_opts:
            - rw
            - console=tty0
            - console=ttyS0
            - ignition.platform.id=qemu
            - '$ignition_firstboot'
        inputs:
          commits:
            type: org.osbuild.ostree
            origin: org.osbuild.source
            references:
              f2824f5801f1fb85c8dc08dd0e7394031362b504ec48a2658e8ea459f52209a3:
                ref: fedora/x86_64/coreos/stable
```

or a containers input:

```yaml
      - type: org.osbuild.ostree.deploy
        options:
          osname: fedora-coreos
          mounts:
            - /boot
            - /boot/efi
          kernel_opts:
            - rw
            - console=tty0
            - console=ttyS0
            - ignition.platform.id=qemu
            - '$ignition_firstboot'
        inputs:
          images:
            type: org.osbuild.containers
            origin: org.osbuild.source
            references:
              sha256:f5ab2e0456ff52b0e95e99c59a1cc70fb690153f146c1c4163c4916781ac3ad5:
                name: quay.io/fedora/fedora-coreos:stable
```

In the containers input case we will run `ostree container image deploy`
whereas for ostree commits input we will continue to execute `ostree admin deploy`.

Co-authored-by: Dusty Mabe <dusty@dustymabe.com>
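
The dispatch described in the commit above, together with the three target reference forms from the PR description, as an added example (not osbuild's stage code): `plan_deploy` takes a stage dict shaped like the two YAML examples, checks that exactly one of the `commits` or `images` inputs is present, and returns the argv that would be run; `container_image_ref` maps the tristate onto the `ostree-remote-registry:` / `ostree-image-signed:registry:` / `ostree-unverified-registry:` prefixes. The tristate values `"remote"`, `"signed"` and `"unverified"`, the function names and the constructed stage dicts are assumptions for illustration; the `--os=`, `--karg=`, `--stateroot=` and `--imgref=` flags are those of `ostree admin deploy` and `ostree container image deploy`.

```python
"""Choose the ostree command an ostree.deploy stage would run for an ostree
commits input versus a containers input, and build the tristate container
target reference for the latter.

Added example for this PR page, not osbuild's stage code. The tristate values
("remote", "signed", "unverified"), the function names and the constructed
stage dicts are assumptions; the flags are those of `ostree admin deploy`
and `ostree container image deploy`.
"""
import re

VERIFICATION_MODES = ("remote", "signed", "unverified")
COMMIT_RE = re.compile(r"^[0-9a-f]{64}$")  # an OSTree commit checksum


def container_image_ref(verification, image_name, remote=None):
    """Map the tristate onto the reference forms listed in the PR description."""
    if verification not in VERIFICATION_MODES:
        raise ValueError(f"unknown verification mode {verification!r}")
    last = image_name.rsplit("/", 1)[-1]
    if ":" not in last and "@" not in last:
        # A bare name would follow a floating default tag; insist on a tag or digest.
        raise ValueError(f"image name {image_name!r} needs a tag or digest")
    if verification == "remote":
        # Container is unsigned; the embedded commit is checked against the remote's keys.
        if not remote:
            raise ValueError("'remote' verification needs an ostree remote name")
        return f"ostree-remote-registry:{remote}:{image_name}"
    if verification == "signed":
        # Container signature is verified by the host's containers policy.
        return f"ostree-image-signed:registry:{image_name}"
    # Unverified pulls happen only when chosen explicitly, never as a fallback.
    return f"ostree-unverified-registry:{image_name}"


def plan_deploy(stage, verification="signed"):
    """Return the argv the stage would execute, without running anything."""
    if stage.get("type") != "org.osbuild.ostree.deploy":
        raise ValueError("not an ostree.deploy stage")
    options, inputs = stage["options"], stage["inputs"]
    if ("commits" in inputs) == ("images" in inputs):
        raise ValueError("exactly one of 'commits' or 'images' inputs is required")
    osname = options["osname"]
    kargs = [f"--karg={opt}" for opt in options.get("kernel_opts", [])]
    remote = options.get("remote")

    if "commits" in inputs:
        refs = inputs["commits"]["references"]
        if len(refs) != 1:
            raise ValueError("ostree input must carry exactly one commit")
        (checksum, meta), = refs.items()
        if not COMMIT_RE.match(checksum):
            raise ValueError(f"bad commit checksum {checksum!r}")
        ref = f"{remote}:{meta['ref']}" if remote else meta["ref"]
        return ["ostree", "admin", "deploy", f"--os={osname}", *kargs, ref]

    refs = inputs["images"]["references"]
    if len(refs) != 1:
        raise ValueError("containers input must carry exactly one image")
    (digest, meta), = refs.items()
    if not digest.startswith("sha256:"):
        raise ValueError(f"container reference {digest!r} is not a sha256 digest")
    imgref = container_image_ref(verification, meta["name"], remote)
    return ["ostree", "container", "image", "deploy",
            f"--stateroot={osname}", *kargs, f"--imgref={imgref}"]


# Constructed stage dicts mirroring the two YAML examples in the commit message.
KERNEL_OPTS = ["rw", "console=tty0", "console=ttyS0",
               "ignition.platform.id=qemu", "$ignition_firstboot"]
COMMITS_STAGE = {
    "type": "org.osbuild.ostree.deploy",
    "options": {"osname": "fedora-coreos", "remote": "fedora",
                "mounts": ["/boot", "/boot/efi"], "kernel_opts": KERNEL_OPTS},
    "inputs": {"commits": {"type": "org.osbuild.ostree", "origin": "org.osbuild.source",
               "references": {"f2824f5801f1fb85c8dc08dd0e7394031362b504ec48a2658e8ea459f52209a3":
                              {"ref": "fedora/x86_64/coreos/stable"}}}},
}
IMAGES_STAGE = {
    "type": "org.osbuild.ostree.deploy",
    "options": {"osname": "fedora-coreos",
                "mounts": ["/boot", "/boot/efi"], "kernel_opts": KERNEL_OPTS},
    "inputs": {"images": {"type": "org.osbuild.containers", "origin": "org.osbuild.source",
               "references": {"sha256:f5ab2e0456ff52b0e95e99c59a1cc70fb690153f146c1c4163c4916781ac3ad5":
                              {"name": "quay.io/fedora/fedora-coreos:stable"}}}},
}

if __name__ == "__main__":
    print(" ".join(plan_deploy(COMMITS_STAGE)))
    print(" ".join(plan_deploy(IMAGES_STAGE)))
    print(" ".join(plan_deploy(IMAGES_STAGE, verification="unverified")))
```

The default of `verification="signed"` reflects the later commit in this PR that makes signed pulls the default, so an unverified deployment only happens when the caller asks for it by name.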
If specified, the ostree remote settings can be used for signature
verification of the commits inside the OSTree, which is a good
substitute if the containers in the registry aren't signed. Let's
take advantage of this if the user specified the remote.

@cgwalters cgwalters left a comment


Looks sane to me

Review comment on stages/org.osbuild.ostree.deploy (outdated, resolved)
lukewarmtemp and others added 2 commits October 17, 2023 15:33
The target image reference should be set to pull signed container images
by default. There are still use cases for unsigned container images but
verification should be explicitly disabled should the need arise.
These examples show how to run a pipeline with ostree containers
as inputs. One of them pulls from a remote registry and the other
builds an ostree commit first, then encapsulates it, then deploys
from that.
@lukewarmtemp lukewarmtemp force-pushed the tristate-container-verification branch from 9b5bc42 to 2e7e553 Compare October 17, 2023 19:33
@dustymabe
Owner

LGTM

@dustymabe dustymabe force-pushed the dusty-ostree-deploy-container branch from ae894fa to f742e5e Compare October 18, 2023 02:02
@dustymabe
Owner

merged into osbuild#1402

@dustymabe dustymabe closed this Oct 18, 2023