Switch to Grafeas v1 API in grafeas storage #453
The following is the coverage report on the affected files.
cc @wlynch
}

// retrieveOCIURIs returns the uri of a specific OCI artifact and the uris of all the images generated by the taskrun
// If it's taskrun payload & sig (judged from config.StorageOpts), the first returned value will be empty string.
func (b *Backend) retrieveOCIURIs(tr *v1beta1.TaskRun, opts config.StorageOpts) (string, []string) {
I don't fully understand the difference between the 2 return values here - why not just return []string?
I was trying to simplify the way we get the specific image uri when an OCI artifact payload (simplesigning) and signatures are passed in, and the way to get the URIs of all images built from a taskrun when a Taskrun artifact payload (intoto) is passed in. Basically, unify the retrievals into a single function.
If an OCI artifact payload is passed, the first returned value will be the image uri of that image, and the second returned value contains the URIs of all images built by the taskrun.
If a taskrun artifact payload is passed, the first returned value will be an empty string, and the second returned value also contains the URIs of all images built by the taskrun.
why not just return []string?
we can do this. But when we need to get uri for a specific image artifact, we still need a filtering process somewhere else (either another helper function or just inline).
Let me know what you think. I am happy with both.
Having trouble following why this behavior would change based on the attestation format - wouldn't the URIs be the same in either case?
We only use the attestation format to tell whether the payload&sig are for OCI artifact OR TaskRun artifact.
- The second returned value - URIs will be the same in either case.
- But for the first returned value, only the OCI artifact is applicable to have a specific URI associated. TaskRun artifact is not applicable to have a specific URI associated, which is why the first returned value is empty string for taskrun artifact.
Discussed with @wlynch offline. We decided to keep separating the uri retrieval for taskrun/oci into two functions for readability. In future, we might want to set storageOpts's key for OCI artifact to be the full representation so that we don't need to have an extra function to get the full digest for it. #476
func (b *Backend) createBuildOccurrence(ctx context.Context, tr *v1beta1.TaskRun, payload []byte, signature string, uri string) (*pb.Occurrence, error) {
	in := intoto.ProvenanceStatement{}
	if err := json.Unmarshal(payload, &in); err != nil {
It'd be interesting to just pass the intoto struct reference around rather than generating the intoto statement -> serializing it -> de-serializing it -> converting it to grafeas.
Might be worth looking into to simplify things (we can also do this in another PR if needed)
Yeah, agree that for grafeas backend, there are extra steps as you just described.
If we want to simplify that, we might need to change the function StorePayload's signature. But the sacrifice is that other backend options have to serialize when StorePayload is called, right?
Yeah... I think that's okay though? Seems reasonable to keep it as it's full spec and only serialize when we actually make the request. Fine for this now, but let's look into cleaning this up in another PR.
wlynch left a comment
Looking good! Just a few last cleanups.
Main Changes:
1. Grafeas Note
   - create ATTESTATION note to link ATTESTATION occurrence.
   - create BUILD note to link BUILD occurrence.
   - user-configured note name will be added a suffix ('-simplesigning' or '-intoto') to differentiate the two note types.
2. Grafeas Occurrence
   - For oci artifact
     - create ATTESTATION occurrence per OCI artifact.
     - the ATTESTATION occurrence contains simplesigning attestation.
   - For taskrun artifact
     - create BUILD occurrence per container image built by the taskrun.
     - the BUILD occurrence contains intoto statement with SLSA0.2 predicate.
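The note/occurrence mapping summarised above, together with the earlier retrieveOCIURIs discussion (one resource URI for an OCI artifact, the URIs of every built image for a taskrun artifact), as a self-contained Go example. This is an added illustration written for this page, not code from the Chains PR or from the Grafeas client library: it uses a hypothetical `occurrence` struct in place of the grafeas v1 proto types, a constructed in-toto statement as input, and helper names of its own (`noteNameFor`, `subjectURIs`, `buildOccurrences`). The resource identifier is built as IMAGE_URL@IMAGE_DIGEST and the note name gets the '-simplesigning' / '-intoto' suffix, as the change describes; a `tekton`-format payload is rejected, matching the backend's intoto-only policy.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Payload formats Chains hands to the backend and the Grafeas kinds they map
// to (names as used in the thread; the constants are this example's own).
const (
	FormatSimpleSigning = "simplesigning" // OCI artifact payload and signature
	FormatInToto        = "intoto"        // TaskRun artifact: in-toto statement, SLSA 0.2 predicate
	KindAttestation     = "ATTESTATION"
	KindBuild           = "BUILD"
)

// statement is the minimal in-toto Statement shape needed to list its subjects.
type statement struct {
	PredicateType string `json:"predicateType"`
	Subject       []struct {
		Name   string            `json:"name"`
		Digest map[string]string `json:"digest"`
	} `json:"subject"`
}

// occurrence is a hypothetical stand-in for the Grafeas v1 Occurrence message,
// reduced to the three fields the thread is about.
type occurrence struct {
	NoteName, Kind, ResourceURI string
}

// noteNameFor appends the format suffix to the user-configured note name so the
// ATTESTATION and BUILD notes get distinct names.
func noteNameFor(base, format string) (string, error) {
	if format != FormatSimpleSigning && format != FormatInToto {
		return "", fmt.Errorf("unsupported payload format %q", format)
	}
	return base + "-" + format, nil
}

// subjectURIs returns the IMAGE_URL@IMAGE_DIGEST identifier of every image the
// in-toto statement attests to; a subject without name or sha256 digest is an error.
func subjectURIs(payload []byte) ([]string, error) {
	var st statement
	if err := json.Unmarshal(payload, &st); err != nil {
		return nil, fmt.Errorf("decoding in-toto statement: %w", err)
	}
	if !strings.HasPrefix(st.PredicateType, "https://slsa.dev/provenance/") {
		return nil, fmt.Errorf("unexpected predicateType %q", st.PredicateType)
	}
	uris := make([]string, 0, len(st.Subject))
	for _, s := range st.Subject {
		d := s.Digest["sha256"]
		if s.Name == "" || len(d) != 64 {
			return nil, fmt.Errorf("subject %q lacks a name or a sha256 digest", s.Name)
		}
		uris = append(uris, s.Name+"@sha256:"+d)
	}
	if len(uris) == 0 {
		return nil, fmt.Errorf("in-toto statement names no image subjects")
	}
	return uris, nil
}

// buildOccurrences maps one payload to what the backend would store: a single
// ATTESTATION occurrence for an OCI artifact (ociURI names it), or one BUILD
// occurrence per image subject for a taskrun artifact.
func buildOccurrences(noteBase, format, ociURI string, payload []byte) ([]occurrence, error) {
	note, err := noteNameFor(noteBase, format)
	if err != nil {
		return nil, err
	}
	if format == FormatSimpleSigning {
		if ociURI == "" {
			return nil, fmt.Errorf("simplesigning payload needs the OCI artifact URI")
		}
		return []occurrence{{NoteName: note, Kind: KindAttestation, ResourceURI: ociURI}}, nil
	}
	uris, err := subjectURIs(payload)
	if err != nil {
		return nil, err
	}
	occs := make([]occurrence, 0, len(uris))
	for _, u := range uris {
		occs = append(occs, occurrence{NoteName: note, Kind: KindBuild, ResourceURI: u})
	}
	return occs, nil
}

// Constructed sample statement with two image subjects (not taken from the PR).
var (
	digestA         = strings.Repeat("a", 64)
	digestB         = strings.Repeat("b", 64)
	sampleStatement = []byte(fmt.Sprintf(`{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://slsa.dev/provenance/v0.2",`+
		`"subject":[{"name":"gcr.io/example/img-a","digest":{"sha256":"%s"}},{"name":"gcr.io/example/img-b","digest":{"sha256":"%s"}}],"predicate":{}}`, digestA, digestB))
)

func main() {
	occs, err := buildOccurrences("projects/demo/notes/chains", FormatInToto, "", sampleStatement)
	if err != nil {
		panic(err)
	}
	for _, o := range occs {
		fmt.Printf("%s occurrence under %s for %s\n", o.Kind, o.NoteName, o.ResourceURI)
	}
}
```

Running it prints one BUILD occurrence per subject under the `chains-intoto` note. The digest length check is deliberate: an occurrence keyed on a malformed IMAGE_URL@IMAGE_DIGEST would be stored but never matched by a later lookup on the real image digest, so failing early is safer than silently storing an orphaned record.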
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: wlynch
Background
- … simplesigning attestation for it.
- … intoto attestation with SLSA 0.2 predicate for it. (Chains also supports tekton format for taskrun artifact, but we want grafeas backend storage to only accept intoto format)

Changes Summary:
- … simplesigning attestation in grafeas ATTESTATION occurrence. (see the illustration diagram below)
- … intoto attestation in BUILD occurrence. Prior to this, intoto attestation was also stored in the ATTESTATION occurrence. (see the illustration diagram below)
- … simplesigning payload, and the resourceUri of the ATTESTATION occurrences will be set to the image identifier IMAGE_URL@IMAGE_DIGEST.
- … intoto payload with every single image generated from the taskrun, and the resourceUri will be also set to IMAGE_URL@IMAGE_DIGEST.
- … or '-intoto') to differentiate the two note types.