
Cosign internal references (#232)
* Cosign needs to sign internal references

Previously, references in external form were passed to the cosign signer;
however, cosign works with internal references.
midnightercz authored Mar 5, 2024
1 parent 0b919fa commit 1997e04
Showing 5 changed files with 60 additions and 106 deletions.
11 changes: 10 additions & 1 deletion pubtools/_quay/iib_operations.py
Expand Up @@ -79,6 +79,7 @@ def _index_image_to_sign_entries(
dest_tags: list[str],
signing_keys: list[str],
target_settings: dict[str, Any],
internal: bool = False,
) -> list[SignEntry]:
"""Generate entries to sign.
Expand All @@ -90,10 +91,18 @@ def _index_image_to_sign_entries(
dest_tags (List[str]): Destination tags.
index_stamp (str): Index stamp.
signing_keys (list): List of signing keys.
internal (bool): indicates if to sign registries should be generated with iternal/external
reference
"""
iib_repo = target_settings["quay_operator_repository"]
dest_registries = target_settings["docker_settings"]["docker_reference_registry"]
dest_registries = dest_registries if isinstance(dest_registries, list) else [dest_registries]
if internal:
dest_registries = ["quay.io"]
iib_repo = (
target_settings["quay_namespace"] + "/" + get_internal_container_repo_name(iib_repo)
)

dest_operator_quay_client = _get_operator_quay_client(target_settings)
manifest_list = cast(
ManifestList,
Expand Down Expand Up @@ -164,7 +173,7 @@ def _sign_index_image(
list: List of current signatures.
"""
to_sign_entries = _index_image_to_sign_entries(
built_index_image, dest_tags, signing_keys, target_settings
built_index_image, dest_tags, signing_keys, target_settings, internal=not pre_push
)
current_signatures: list[tuple[str, str, str]] = [
(e.reference, e.digest, e.signing_key) for e in to_sign_entries
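Review bot: The internal branch at `dest_registries = ["quay.io"]` hard-codes the registry host that is baked into the signed reference, while the external branch reads it from `target_settings["docker_settings"]["docker_reference_registry"]`; the same literal is added separately in item_processor.py (`reference_registries=["quay.io"]`). A signature only helps a verifier if it is bound to the reference clients actually resolve, so the host should come from a single place — a target setting or one module constant used by both call sites — rather than two string literals that can drift apart. `internal` is a boolean added as a positional parameter even though `_sign_index_image` already passes it by keyword; `*, internal: bool = False` would keep it keyword-only. The new docstring line has typos, suggest `internal (bool): whether to-sign entries use internal (quay.io/<namespace>/<internal repo>) references instead of the external registry references.` Both `_index_image_to_sign_entries` and `_sign_index_image` extend outside the hunks shown.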
2 changes: 1 addition & 1 deletion pubtools/_quay/item_processor.py
Expand Up @@ -660,6 +660,6 @@ def item_processor_for_internal_data(
return ItemProcesor(
extractor=extractor,
reference_processor=reference_processor,
reference_registries=[],
reference_registries=["quay.io"],
source_registry=internal_registry,
)
16 changes: 14 additions & 2 deletions pubtools/_quay/push_docker.py
Expand Up @@ -606,7 +606,6 @@ def run(self) -> None:
iib_results = None
successful_iib_results = dict()
index_stamp = timestamp()

item_processor = item_processor_for_external_data(
self.src_quay_client,
self.dest_registries,
Expand All @@ -618,7 +617,6 @@ def run(self) -> None:
item_processor.generate_to_sign,
[FData(args=(item,), kwargs={}) for item in docker_push_items],
)

for _to_sign_entries in to_sign_map.values():
to_sign_entries.extend(_to_sign_entries)

Expand All @@ -640,6 +638,20 @@ def run(self) -> None:
container_pusher.push_container_images()

# Sign containers with signers which requires pushed containers in destination registry
to_sign_entries = []
item_processor = item_processor_for_internal_data(
self.src_quay_client,
self.dest_registries,
self.target_settings.get("retry_sleep_time", 5),
self.target_settings["quay_namespace"],
)
to_sign_map = run_in_parallel(
item_processor.generate_to_sign,
[FData(args=(item,), kwargs={}) for item in docker_push_items],
)
for _to_sign_entries in to_sign_map.values():
to_sign_entries.extend(_to_sign_entries)

for signer in self.target_settings["signing"]:
if signer["enabled"] and not SIGNER_BY_LABEL[signer["label"]].pre_push:
signercls = SIGNER_BY_LABEL[signer["label"]]
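Review bot: The block added from `to_sign_entries = []` through the `extend` loop repeats, almost line for line, the external-data collection a few lines above (build an item processor, `run_in_parallel(item_processor.generate_to_sign, ...)`, flatten the map), differing only in which factory builds the processor. Pulling the parallel run and the flatten into a small private method keeps the two sign passes from drifting apart and makes it explicit that the post-push pass re-walks every push item with internal references after `push_container_images()`. The rebinding of `to_sign_entries` also silently discards the pre-push entries; a fresh local name for the second pass would make that intent obvious to a reader. `run` begins and ends outside the hunk.
```python
    def _collect_to_sign_entries(self, item_processor, docker_push_items):
        """Run item_processor.generate_to_sign over every push item in parallel and flatten the result."""
        to_sign_map = run_in_parallel(
            item_processor.generate_to_sign,
            [FData(args=(item,), kwargs={}) for item in docker_push_items],
        )
        return [entry for entries in to_sign_map.values() for entry in entries]

    # … in run(), unchanged: container_pusher.push_container_images() …
        # Sign containers with signers which requires pushed containers in destination registry
        item_processor = item_processor_for_internal_data(
            self.src_quay_client,
            self.dest_registries,
            self.target_settings.get("retry_sleep_time", 5),
            self.target_settings["quay_namespace"],
        )
        to_sign_entries = self._collect_to_sign_entries(item_processor, docker_push_items)
```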
49 changes: 13 additions & 36 deletions tests/test_iib_operations.py
Expand Up @@ -313,16 +313,12 @@ def test_task_iib_add_bundles(
config_file="test-config.yml",
signing_key="some-key",
reference=[
"some-registry1.com/operators/index-image:8",
"some-registry1.com/operators/index-image:8-timestamp",
"some-registry2.com/operators/index-image:8",
"some-registry2.com/operators/index-image:8-timestamp",
"quay.io/some-namespace/operators----index-image:8",
"quay.io/some-namespace/operators----index-image:8-timestamp",
],
digest=[
"sha256:bd6eba96070efe86b64b9a212680ca6d46a2e30f0a7d8e539f657eabc45c35a6",
"sha256:bd6eba96070efe86b64b9a212680ca6d46a2e30f0a7d8e539f657eabc45c35a6",
"sha256:bd6eba96070efe86b64b9a212680ca6d46a2e30f0a7d8e539f657eabc45c35a6",
"sha256:bd6eba96070efe86b64b9a212680ca6d46a2e30f0a7d8e539f657eabc45c35a6",
],
),
]
Expand Down Expand Up @@ -426,16 +422,12 @@ def test_task_iib_add_bundles_missing_manifest_list(
config_file="test-config.yml",
signing_key="some-key",
reference=[
"some-registry1.com/operators/index-image:8",
"some-registry1.com/operators/index-image:8-timestamp",
"some-registry2.com/operators/index-image:8",
"some-registry2.com/operators/index-image:8-timestamp",
"quay.io/some-namespace/operators----index-image:8",
"quay.io/some-namespace/operators----index-image:8-timestamp",
],
digest=[
"sha256:bd6eba96070efe86b64b9a212680ca6d46a2e30f0a7d8e539f657eabc45c35a6",
"sha256:bd6eba96070efe86b64b9a212680ca6d46a2e30f0a7d8e539f657eabc45c35a6",
"sha256:bd6eba96070efe86b64b9a212680ca6d46a2e30f0a7d8e539f657eabc45c35a6",
"sha256:bd6eba96070efe86b64b9a212680ca6d46a2e30f0a7d8e539f657eabc45c35a6",
],
),
]
Expand Down Expand Up @@ -543,16 +535,12 @@ def test_task_iib_add_bundles_operator_ns(
config_file="test-config.yml",
signing_key="some-key",
reference=[
"some-registry1.com/operators/index-image:8",
"some-registry1.com/operators/index-image:8-timestamp",
"some-registry2.com/operators/index-image:8",
"some-registry2.com/operators/index-image:8-timestamp",
"quay.io/some-namespace/operators----index-image:8",
"quay.io/some-namespace/operators----index-image:8-timestamp",
],
digest=[
"sha256:bd6eba96070efe86b64b9a212680ca6d46a2e30f0a7d8e539f657eabc45c35a6",
"sha256:bd6eba96070efe86b64b9a212680ca6d46a2e30f0a7d8e539f657eabc45c35a6",
"sha256:bd6eba96070efe86b64b9a212680ca6d46a2e30f0a7d8e539f657eabc45c35a6",
"sha256:bd6eba96070efe86b64b9a212680ca6d46a2e30f0a7d8e539f657eabc45c35a6",
],
),
]
Expand Down Expand Up @@ -948,20 +936,17 @@ def test_task_iib_build_from_scratch(
],
task_id="1-0",
),
# cosign
mock.call(
config_file="test-config.yml",
signing_key="some-key",
reference=[
"some-registry1.com/operators/index-image:8",
"some-registry1.com/operators/index-image:8-timestamp",
"some-registry2.com/operators/index-image:8",
"some-registry2.com/operators/index-image:8-timestamp",
"quay.io/some-namespace/operators----index-image:8",
"quay.io/some-namespace/operators----index-image:8-timestamp",
],
digest=[
"sha256:bd6eba96070efe86b64b9a212680ca6d46a2e30f0a7d8e539f657eabc45c35a6",
"sha256:bd6eba96070efe86b64b9a212680ca6d46a2e30f0a7d8e539f657eabc45c35a6",
"sha256:bd6eba96070efe86b64b9a212680ca6d46a2e30f0a7d8e539f657eabc45c35a6",
"sha256:bd6eba96070efe86b64b9a212680ca6d46a2e30f0a7d8e539f657eabc45c35a6",
],
),
]
Expand Down Expand Up @@ -1129,16 +1114,12 @@ def test_task_iib_build_from_scratch_missing_manifest_list(
config_file="test-config.yml",
signing_key="some-key",
reference=[
"some-registry1.com/operators/index-image:8",
"some-registry1.com/operators/index-image:8-timestamp",
"some-registry2.com/operators/index-image:8",
"some-registry2.com/operators/index-image:8-timestamp",
"quay.io/some-namespace/operators----index-image:8",
"quay.io/some-namespace/operators----index-image:8-timestamp",
],
digest=[
"sha256:bd6eba96070efe86b64b9a212680ca6d46a2e30f0a7d8e539f657eabc45c35a6",
"sha256:bd6eba96070efe86b64b9a212680ca6d46a2e30f0a7d8e539f657eabc45c35a6",
"sha256:bd6eba96070efe86b64b9a212680ca6d46a2e30f0a7d8e539f657eabc45c35a6",
"sha256:bd6eba96070efe86b64b9a212680ca6d46a2e30f0a7d8e539f657eabc45c35a6",
],
),
]
Expand Down Expand Up @@ -1272,16 +1253,12 @@ def test_task_iib_build_from_scratch_operator_ns(
config_file="test-config.yml",
signing_key="some-key",
reference=[
"some-registry1.com/operators/index-image:8",
"some-registry1.com/operators/index-image:8-timestamp",
"some-registry2.com/operators/index-image:8",
"some-registry2.com/operators/index-image:8-timestamp",
"quay.io/some-namespace/operators----index-image:8",
"quay.io/some-namespace/operators----index-image:8-timestamp",
],
digest=[
"sha256:bd6eba96070efe86b64b9a212680ca6d46a2e30f0a7d8e539f657eabc45c35a6",
"sha256:bd6eba96070efe86b64b9a212680ca6d46a2e30f0a7d8e539f657eabc45c35a6",
"sha256:bd6eba96070efe86b64b9a212680ca6d46a2e30f0a7d8e539f657eabc45c35a6",
"sha256:bd6eba96070efe86b64b9a212680ca6d46a2e30f0a7d8e539f657eabc45c35a6",
],
),
]
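Review bot: The `# cosign` marker is added only to the `test_task_iib_build_from_scratch` expectation, while the identical `mock.call(... reference=["quay.io/some-namespace/operators----index-image:8", ...])` block, with the same digest repeated, now appears in all six tests in this file. Rather than labelling each copy, a module-level helper that returns the expected cosign `mock.call` for a given tag list would keep the internal-reference format in one place, so the next change to it touches one spot instead of six.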
88 changes: 22 additions & 66 deletions tests/test_integration.py
Expand Up @@ -302,24 +302,16 @@ def test_push_docker_multiarch_merge_ml_operator(
config_file="test-config.yml",
signing_key="some-key",
reference=[
"some-registry1.com/target/repo:latest-test-tag",
"some-registry1.com/target/repo:latest-test-tag",
"some-registry1.com/target/repo:latest-test-tag",
"some-registry1.com/target/repo:latest-test-tag",
"some-registry2.com/target/repo:latest-test-tag",
"some-registry2.com/target/repo:latest-test-tag",
"some-registry2.com/target/repo:latest-test-tag",
"some-registry2.com/target/repo:latest-test-tag",
"quay.io/some-namespace/target----repo:latest-test-tag",
"quay.io/some-namespace/target----repo:latest-test-tag",
"quay.io/some-namespace/target----repo:latest-test-tag",
"quay.io/some-namespace/target----repo:latest-test-tag",
],
digest=[
"sha256:1111111111",
"sha256:2222222222",
"sha256:3333333333",
"sha256:5555555555",
"sha256:1111111111",
"sha256:2222222222",
"sha256:3333333333",
"sha256:5555555555",
],
),
mock.call(
Expand All @@ -345,20 +337,14 @@ def test_push_docker_multiarch_merge_ml_operator(
mock.call(
config_file="test-config.yml",
signing_key="some-key",
reference=[
"some-registry1.com/operators/index-image:v4.5",
"some-registry2.com/operators/index-image:v4.5",
],
digest=["sha256:5555555555", "sha256:5555555555"],
reference=["quay.io/some-namespace/operators----index-image:v4.5"],
digest=["sha256:5555555555"],
),
mock.call(
config_file="test-config.yml",
signing_key="some-key",
reference=[
"some-registry1.com/operators/index-image:v4.6",
"some-registry2.com/operators/index-image:v4.6",
],
digest=["sha256:5555555555", "sha256:5555555555"],
reference=["quay.io/some-namespace/operators----index-image:v4.6"],
digest=["sha256:5555555555"],
),
]
)
Expand Down Expand Up @@ -478,24 +464,16 @@ def test_push_docker_multiarch_simple_workflow(
config_file="test-config.yml",
signing_key="some-key",
reference=[
"some-registry1.com/target/repo:latest-test-tag",
"some-registry1.com/target/repo:latest-test-tag",
"some-registry1.com/target/repo:latest-test-tag",
"some-registry1.com/target/repo:latest-test-tag",
"some-registry2.com/target/repo:latest-test-tag",
"some-registry2.com/target/repo:latest-test-tag",
"some-registry2.com/target/repo:latest-test-tag",
"some-registry2.com/target/repo:latest-test-tag",
"quay.io/some-namespace/target----repo:latest-test-tag",
"quay.io/some-namespace/target----repo:latest-test-tag",
"quay.io/some-namespace/target----repo:latest-test-tag",
"quay.io/some-namespace/target----repo:latest-test-tag",
],
digest=[
"sha256:1111111111",
"sha256:2222222222",
"sha256:3333333333",
"sha256:5555555555",
"sha256:1111111111",
"sha256:2222222222",
"sha256:3333333333",
"sha256:5555555555",
],
),
]
Expand Down Expand Up @@ -1277,17 +1255,10 @@ def test_task_iib_add_bundles(
config_file="test-config.yml",
signing_key="some-key",
reference=[
"some-registry1.com/operators/index-image:8",
"some-registry1.com/operators/index-image:8-timestamp",
"some-registry2.com/operators/index-image:8",
"some-registry2.com/operators/index-image:8-timestamp",
],
digest=[
"sha256:5555555555",
"sha256:5555555555",
"sha256:5555555555",
"sha256:5555555555",
"quay.io/some-namespace/operators----index-image:8",
"quay.io/some-namespace/operators----index-image:8-timestamp",
],
digest=["sha256:5555555555", "sha256:5555555555"],
),
]
)
Expand Down Expand Up @@ -1389,17 +1360,10 @@ def test_task_iib_remove_operators(
config_file="test-config.yml",
signing_key="some-key",
reference=[
"some-registry1.com/operators/index-image:8",
"some-registry1.com/operators/index-image:8-timestamp",
"some-registry2.com/operators/index-image:8",
"some-registry2.com/operators/index-image:8-timestamp",
],
digest=[
"sha256:5555555555",
"sha256:5555555555",
"sha256:5555555555",
"sha256:5555555555",
"quay.io/some-namespace/operators----index-image:8",
"quay.io/some-namespace/operators----index-image:8-timestamp",
],
digest=["sha256:5555555555", "sha256:5555555555"],
),
]
)
Expand Down Expand Up @@ -1780,24 +1744,16 @@ def test_push_docker_operator_verify_bundle_fail(
config_file="test-config.yml",
signing_key="some-key",
reference=[
"some-registry1.com/target/repo:latest-test-tag",
"some-registry1.com/target/repo:latest-test-tag",
"some-registry1.com/target/repo:latest-test-tag",
"some-registry1.com/target/repo:latest-test-tag",
"some-registry2.com/target/repo:latest-test-tag",
"some-registry2.com/target/repo:latest-test-tag",
"some-registry2.com/target/repo:latest-test-tag",
"some-registry2.com/target/repo:latest-test-tag",
"quay.io/some-namespace/target----repo:latest-test-tag",
"quay.io/some-namespace/target----repo:latest-test-tag",
"quay.io/some-namespace/target----repo:latest-test-tag",
"quay.io/some-namespace/target----repo:latest-test-tag",
],
digest=[
"sha256:1111111111",
"sha256:2222222222",
"sha256:3333333333",
"sha256:5555555555",
"sha256:1111111111",
"sha256:2222222222",
"sha256:3333333333",
"sha256:5555555555",
],
),
]
