From 1f7de64c57952a7630acc8dced8c729e5b9c9c7f Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Wed, 10 Jul 2024 16:05:10 -0400 Subject: [PATCH 1/4] Make it clear that image type is not plural --- task/build-vm-image/0.1/build-vm-image.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/task/build-vm-image/0.1/build-vm-image.yaml b/task/build-vm-image/0.1/build-vm-image.yaml index 6f25816dc6..506b528776 100644 --- a/task/build-vm-image/0.1/build-vm-image.yaml +++ b/task/build-vm-image/0.1/build-vm-image.yaml 
@@ -146,7 +146,7 @@ spec: rsync -ra /entitlement/ "$SSH_HOST:$BUILD_DIR/entitlement/" # form the --type arguments - IMAGE_TYPES=" --type $IMAGE_TYPE " + IMAGE_TYPE_ARGUMENT=" --type $IMAGE_TYPE " # this heredoc allows expansions for the image name cat >scripts/script-build.sh < Date: Wed, 10 Jul 2024 16:10:45 -0400 Subject: [PATCH 2/4] fix: expose image manifest from build-vm-image task The way this previously worked was that each build-vm-image task would produce an image index (index1), which was later fed into the build-image-index task to produce a second image index (index2), which (by use of the --all option) would throw away the vm image's original index image (index1), keeping only its image manifest. The problem this caused was that the vm image's original index image (index1) was exposed as a result, and not the image manifest. This meant that tekton chains would not see the image manifest, would not generate an attestation for it, and would not sign it. Later, when trying to validate the aggregate index image (index2), policy checks would fail since the index image (index2) was signed, but none of the image manifests were signed. The change here modifies things so that the build-vm-image task exposes only an image manifest, which will be attested to and signed. Its exposed pullspec will be fed to the build-image-index task, which will expose its own image index pullspec as a result to be attested to and signed. And in the end, we should have a correct situation with one image index (signed) referring to $N image manifests (also signed). --- task/build-vm-image/0.1/build-vm-image.yaml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/task/build-vm-image/0.1/build-vm-image.yaml b/task/build-vm-image/0.1/build-vm-image.yaml index 506b528776..2a4e17f104 100644 --- a/task/build-vm-image/0.1/build-vm-image.yaml +++ b/task/build-vm-image/0.1/build-vm-image.yaml 
@@ -206,7 +206,9 @@ spec: cat >scripts/script-push.sh < Date: Wed, 10 Jul 2024 16:58:37 -0400 Subject: [PATCH 3/4] Quote to prevent command substitution expansion --- task/build-vm-image/0.1/build-vm-image.yaml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/task/build-vm-image/0.1/build-vm-image.yaml b/task/build-vm-image/0.1/build-vm-image.yaml index 2a4e17f104..8550921af0 100644 --- a/task/build-vm-image/0.1/build-vm-image.yaml +++ b/task/build-vm-image/0.1/build-vm-image.yaml @@ -148,7 +148,7 @@ spec: # form the --type arguments IMAGE_TYPE_ARGUMENT=" --type $IMAGE_TYPE " - # this heredoc allows expansions for the image name + # this unquoted heredoc allows expansions for the image name cat >scripts/script-build.sh <>scripts/script-build.sh <<'REMOTESSHEOF' echo >config.toml <scripts/script-push.sh <>scripts/script-push.sh <<'REMOTESSHEOF' dnf -y install buildah pigz jq # Build an image index of length 1 referring to an image manifest with the content From 222266a0322cc8333fcda9903fc4cdbf889610fd Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Wed, 10 Jul 2024 19:54:42 -0400 Subject: [PATCH 4/4] Report image manifest pullspec as result --- task/build-vm-image/0.1/build-vm-image.yaml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/task/build-vm-image/0.1/build-vm-image.yaml b/task/build-vm-image/0.1/build-vm-image.yaml index 8550921af0..9b89f24ff4 100644 --- a/task/build-vm-image/0.1/build-vm-image.yaml +++ b/task/build-vm-image/0.1/build-vm-image.yaml @@ -214,7 +214,7 @@ spec: # this quoted heredoc prevents expansions and command substitutions. the env vars are evaluated on the remote vm cat >>scripts/script-push.sh <<'REMOTESSHEOF' - dnf -y install buildah pigz jq + dnf -y install buildah skopeo pigz jq # Build an image index of length 1 referring to an image manifest with the content buildah --storage-driver=vfs manifest create "$OUTPUT_IMAGE" 
@@ -240,15 +240,19 @@ spec: # At this point, we have pushed an image index of length 1 to the registry. # Next, extract a reference to the image manifest and expose that, throwing away the image index. IMAGE_INDEX_DIGEST=$(cat image-digest) - MANIFEST_DIGEST=$(buildah manifest inspect --authfile /.docker/config.json $OUTPUT_IMAGE@$IMAGE_INDEX_DIGEST | jq '.manifests[0].digest') + REPO=${OUTPUT_IMAGE%:*} + MANIFEST_DIGEST=$(buildah manifest inspect --authfile /.docker/config.json $REPO@$IMAGE_INDEX_DIGEST | jq -r '.manifests[0].digest') + # Overwrite the image index pullspec tag with the image manifest one + skopeo copy --authfile /.docker/config.json docker://$REPO@$MANIFEST_DIGEST docker://$OUTPUT_IMAGE + + # Finally, record all that in our results echo -n "$OUTPUT_IMAGE" | tee /tekton-results/IMAGE_URL echo $MANIFEST_DIGEST | tee /tekton-results/IMAGE_DIGEST REMOTESSHEOF # make scripts executable and sync them to the cloud VM. - chmod +x scripts/script-build.sh chmod +x scripts/script-push.sh rsync -ra scripts "$SSH_HOST:$BUILD_DIR"
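Review bot: the @@ -146 hunk of PATCH 1/4 shows only the assignment being renamed from `IMAGE_TYPES` to `IMAGE_TYPE_ARGUMENT`, while the stat line reports 4 insertions and 4 deletions, so please confirm the interpolation site inside the script-build.sh heredoc was updated to `$IMAGE_TYPE_ARGUMENT` in the same commit. Because that heredoc is unquoted, a stale `$IMAGE_TYPES` would expand to an empty string rather than fail, and the remote build would silently run with no `--type` argument at all.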
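Review bot: the switch to `cat >>scripts/script-build.sh <<'REMOTESSHEOF'` and `cat >>scripts/script-push.sh <<'REMOTESSHEOF'` in PATCH 3/4 is the right fix (a `$(...)` or backtick inside the script body would otherwise run in the task pod, with the pod's credentials, instead of on the VM), but correctness now rests on two things the hunks do not show: the preceding unquoted `>` heredoc must be the only place task parameters are expanded, and every variable referenced in the quoted body, such as `$OUTPUT_IMAGE` in script-push.sh, must be defined in the VM-side environment the unquoted header sets up. Please spell out in the comment which variables the unquoted header defines, and consider `set -u` at the top of the generated script so a variable that used to be expanded locally and is now unset on the VM fails loudly instead of becoming an empty string.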
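Review bot: `REPO=${OUTPUT_IMAGE%:*}` in the @@ -240 hunk of PATCH 4/4 strips everything after the last colon, which is only right when OUTPUT_IMAGE ends in a tag; for a pullspec with a registry port and no tag (for example `registry.example:5000/ns/img`) it truncates to `registry.example`, and the following `buildah manifest inspect` and `skopeo copy` then address the wrong reference. Restrict the strip to the last path component, e.g. `case "${OUTPUT_IMAGE##*/}" in *:*) REPO=${OUTPUT_IMAGE%:*} ;; *) REPO=$OUTPUT_IMAGE ;; esac`. In the same hunk, MANIFEST_DIGEST comes from `jq -r '.manifests[0].digest'` and is used unchecked both as the source of `skopeo copy` and as the IMAGE_DIGEST result; if the inspect output lacks the field, `jq -r` prints `null` and the failure only surfaces (if at all) at skopeo. Use `jq -re` so a missing or null field is a non-zero exit, guard with `[ -n "$MANIFEST_DIGEST" ]`, and, since this digest is what Tekton Chains will attest and sign, consider `skopeo copy --digestfile` and comparing that value with MANIFEST_DIGEST so the result reflects what was actually written to the tag. The two result writes are also inconsistent: `echo -n "$OUTPUT_IMAGE"` is quoted and newline-free, but `echo $MANIFEST_DIGEST` is unquoted and leaves a trailing newline in /tekton-results/IMAGE_DIGEST, which downstream consumers of the result (build-image-index assembling a pullspec, or a digest comparison) will see as part of the value; use `echo -n "$MANIFEST_DIGEST" | tee /tekton-results/IMAGE_DIGEST`. Finally, the removal of `chmod +x scripts/script-build.sh` at the bottom of the hunk is unrelated to the subject "Report image manifest pullspec as result" and is not mentioned in the message, while script-build.sh is still generated by the PATCH 3/4 heredocs; either state why it no longer needs the executable bit or move that line to its own commit.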