[CVE pipeline] Could we use RELATED_IMAGES_* env vars in registries and operator metadata CSV? #16815
Comments
nickboldt
added
the
kind/enhancement
che-bot
added
the
status/need-triage
tolusha
added
the
area/che-operator
sleshchenko
added
the
severity/P1
ericwill
removed
the
status/need-triage
|
@nickboldt |
|
Not a dupe since the spec has changed a little since 4.3 -> 4.5. You waited long enough, so now you can use the new 4.5+ approach for declaring related images, which will flow nicely into downstream. :D |
|
Hello, Nick. Sorry, I want to ask some implementation details.
Is it correct plan or I misunderstood something? |
|
/cc @nickboldt |
|
new details about how metadata containers in Brew can automatically generate relatedImages from annotations in csv and from env vars: https://osbs.readthedocs.io/en/latest/users.html#replacing-pullspecs |
|
I think your plan makes sense but... step 1. the existing script does not appear to read registries, so the list of sidecars/stacks/runtimes would have to be hardcoded as envs/annotations in the operator CSV as RELATED_IMAGES_foo variables. This makes sense as a manual human step since the registries are also set up that way. (Problem is that a new devfile or plugin added to the registry would have to submit a PR against the che-operator repo to update the latest 9.9.9 CSV. But at least ALL the images that the operator needs to know about will be in one place, making it easier potentially to do CVE respins?) step 2. not sure what this does or why we need it? step 3. yes, the devfile registry image refs and the plugin registry image refs should have known names so that we can refer to them in meta.yaml and devfile.yaml (assuming the devfile 2.0 spec allows this?) cc: @davidfestal step 4. yes. |
nickboldt
changed the title
|
Will this refactoring be done for 7.15? if so, please set milestone. We need this for digest pinning / CVE fixes in CRW 2.3 (Che 7.16). |
|
Current state: I encoded in base32 image tag, because it could contains not valid for env variable name chars. For example:
- name: RELATED_IMAGE_coder_plugin_registry_image_GIXDCNJSGMWXM43DGEXDGOBOGEWWG2DFBI______
value: docker.io/chinodesuuu/coder@sha256:6387eee627678d36fa1313017cf5620890f25559df8b24cb53e1d5f4ab6f4726
- name: RELATED_IMAGE_che_quarkus_devfile_registry_image_G4XDCMZOGIFA____
value: quay.io/eclipse/che-quarkus@sha256:12b8f37808cedd9004d1dc0489d75a5df22c914645ebb7f0e0c8de8fe2e5b3c9I created pull requests with modification entrypoint.sh scripts for devfile and plugin registry to extract and use image digest from env variables: eclipse-che/che-devfile-registry#244 |
|
Hello, @nickboldt . Do we need to replace 'next' tag to digest for che-plugin-registry for released CSV? I guess we shouldn't, because next should be experimental and always the latest. What do you think? |
|
@nickboldt Sorry, Do we use https://github.com/eclipse/che-plugin-registry/blob/ba10bf6972fe4bd5e903cc24b5db66111311d66a/build/dockerfiles/rhel.Dockerfile#L78 rhel7 somewhere? P.S.: I asked, because for rhel7 we could install coreutils, but without base32, because available older version coreutils. For rhel8 we have base32 from the box(because newer coreutils is pre-installed). |
|
We only use rhel8 in CRW builds in Brew But to make it easier for people upstream to build on rhel, we set this dockerfile to use older rhel7 based httpd. See comments inline in the dockerfile, lines 75-82. If you would prefer we can switch over to a pure rhel8 solution. |
|
+1 for pure rhel8. |
|
che-dev mail list item https://www.eclipse.org/lists/che-dev/msg03794.html |
|
Related to this activity, see https://issues.redhat.com/browse/CRW-1026 and linked RFEs in JIRA. |
|
demo here https://www.youtube.com/watch?v=rXReQy33vIM&feature=youtu.be , it contains some extra steps needed while we have not merged pr's. |
Is your enhancement related to a problem? Please describe.
This is an issue related to openshift restricted environments >= 4.3, which requires that the CSV include a
relatedImagessection listing the digests of all the images in the operator's payload.While not directly a problem (yet) for Che, this will eventually be a problem when Che starts using digests in registries and operator metadata, as new builds of containers referenced by those released registries and metadata will never be available to released operators.
So if say, the java sidecar is updated to fix a CVE, a MANUAL re-release of registries and a new CSV will be required to pull the new digest value.
If we switch to using RELATED_IMAGES_* env vars for all the places where a container image reference uses a digest, then in the downstream productization flow, we will get CVE fixes for free.
Details in
https://projects.engineering.redhat.com/browse/CLOUDBLD-26?focusedCommentId=2350684&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-2350684
Describe the solution you'd like
Rather than hardcoding image references in the registries and the operator metadata, could they all be
RELATED_IMAGES_che_server
RELATED_IMAGES_operator
RELATED_IMAGES_quarkus_sidecar
RELATED_IMAGES_machine_exec
RELATED_IMAGES_theia_endpoint
...
The text was updated successfully, but these errors were encountered: