From 8b3398018a2064df7adc8bdee2c04c87e6d77c19 Mon Sep 17 00:00:00 2001
From: Adam Martin
Date: Sat, 10 Feb 2024 21:07:29 -0500
Subject: [PATCH 1/6] add annotations for key and platform
Signed-off-by: Adam Martin
---
 cmd/hauler/cli/store/sync.go | 26 +++++++++++++++++++-------
 pkg/consts/consts.go | 2 ++
 2 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/cmd/hauler/cli/store/sync.go b/cmd/hauler/cli/store/sync.go
index 44877d44..c0ae6c6a 100644
--- a/cmd/hauler/cli/store/sync.go
+++ b/cmd/hauler/cli/store/sync.go
@@ -137,12 +137,17 @@ func processContent(ctx context.Context, fi *os.File, o *SyncOpts, s *store.Layo
 if err := yaml.Unmarshal(doc, &cfg); err != nil { return err } - + a := cfg.GetAnnotations() for _, i := range cfg.Spec.Images { - // Check if the user provided a key. - if o.Key != "" || i.Key != "" { - key := o.Key + // Check if the user provided a key. The flag from the CLI takes precedence over the annotation. The individual image key takes precedence over both. + if a[consts.ImageAnnotationKey] != "" || o.Key != "" || i.Key != "" { + key := o.Key // cli flag + // if no cli flag but there was an annotation, use the annotation. + if o.Key == "" && a[consts.ImageAnnotationKey] != "" { + key, err = homedir.Expand(a[consts.ImageAnnotationKey]) + } + // the individual image key trumps all if i.Key != "" { key, err = homedir.Expand(i.Key) }
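Review bot: In the `@@ -137,12 +137,17 @@` hunk of `cmd/hauler/cli/store/sync.go` (PATCH 1/6), the error from `homedir.Expand(a[consts.ImageAnnotationKey])` is lost whenever `i.Key` is also set, because the per-image branch assigns the same `err` before anything checks it. Test `i.Key != ""` first and turn the annotation branch into its `else if o.Key == "" && a[consts.ImageAnnotationKey] != ""`, so only the key that will be used is expanded and its error survives. The annotation also lets the manifest that lists the images name the key they are verified against, so a debug line recording which source supplied the key (flag, annotation or per-image entry) would help an operator audit that choice. Whatever checks `err` after this block lies outside the hunk.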
@@ -157,12 +162,19 @@ func processContent(ctx context.Context, fi *os.File, o *SyncOpts, s *store.Layo
 l.Infof("signature verified for image [%s]", i.Name) } - // Check if the user provided a platform. - platform := o.Platform + // Check if the user provided a platform. The flag from the CLI takes precedence over the annotation. The individual image platform takes precedence over both. + platform := o.Platform // cli flag + // if no cli flag but there was an annotation, use the annotation. + if o.Platform == "" && a[consts.ImageAnnotationPlatform] != "" { + platform = a[consts.ImageAnnotationPlatform] + } + // the individual image platform trumps all if i.Platform != "" { platform = i.Platform } - + l.Debugf("platform for image [%s]", platform) + + err = storeImage(ctx, s, i, platform) if err != nil { return err
diff --git a/pkg/consts/consts.go b/pkg/consts/consts.go
index f3efd804..6af00752 100644
--- a/pkg/consts/consts.go
+++ b/pkg/consts/consts.go
@@ -51,4 +51,6 @@ const (
 KindAnnotation = "dev.cosignproject.cosign/image" CarbideRegistry = "rgcrprod.azurecr.us" + ImageAnnotationKey = "hauler.dev/key" + ImageAnnotationPlatform = "hauler.dev/platform" )
From 59ff02b52b1ccc324b828f86f0bd333d3afc0d25 Mon Sep 17 00:00:00 2001
From: Adam Martin
Date: Sat, 10 Feb 2024 22:38:11 -0500
Subject: [PATCH 2/6] add annotations for registry
Signed-off-by: Adam Martin
---
 cmd/hauler/cli/store/sync.go | 15 ++++++++++++---
 pkg/consts/consts.go | 1 +
 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/cmd/hauler/cli/store/sync.go b/cmd/hauler/cli/store/sync.go
index c0ae6c6a..ce011530 100644
--- a/cmd/hauler/cli/store/sync.go
+++ b/cmd/hauler/cli/store/sync.go
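Review bot: The added `l.Debugf("platform for image [%s]", platform)` in the `@@ -157,12 +162,19 @@` hunk of sync.go (PATCH 1/6) prints the platform inside the brackets where a reader expects the image name, and never names the image at all. Suggest `l.Debugf("platform for image [%s]: [%s]", i.Name, platform)`. The annotation value is passed to `storeImage` as-is; if nothing downstream rejects a malformed platform string, a short check here would give a clearer error than a failed save. processContent starts and ends outside the hunk.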
@@ -8,12 +8,11 @@ import (
 "os" "strings" + "github.com/mitchellh/go-homedir" "github.com/spf13/cobra" "helm.sh/helm/v3/pkg/action" "k8s.io/apimachinery/pkg/util/yaml" - "github.com/mitchellh/go-homedir" - "github.com/rancherfederal/hauler/pkg/store" "github.com/rancherfederal/hauler/pkg/apis/hauler.cattle.io/v1alpha1" tchart "github.com/rancherfederal/hauler/pkg/collection/chart" "github.com/rancherfederal/hauler/pkg/collection/imagetxt"
@@ -22,6 +21,8 @@ import (
 "github.com/rancherfederal/hauler/pkg/content" "github.com/rancherfederal/hauler/pkg/cosign" "github.com/rancherfederal/hauler/pkg/log" + "github.com/rancherfederal/hauler/pkg/reference" + "github.com/rancherfederal/hauler/pkg/store" ) type SyncOpts struct {
@@ -174,7 +175,15 @@ func processContent(ctx context.Context, fi *os.File, o *SyncOpts, s *store.Layo
 } l.Debugf("platform for image [%s]", platform) - + // Check if the user provided a registry. If a registry is provided in the annotation, use it for the images that don't have a registry in their ref name. + if a[consts.ImageAnnotationRegistry] != "" { + newRef,_ := reference.Parse(i.Name) + if newRef.Context().RegistryStr() == "" { + newRef,_ = reference.Relocate(i.Name, a[consts.ImageAnnotationRegistry]) + } + i.Name = newRef.Name() + } + err = storeImage(ctx, s, i, platform) if err != nil { return err
diff --git a/pkg/consts/consts.go b/pkg/consts/consts.go
index 6af00752..a3853e2d 100644
--- a/pkg/consts/consts.go
+++ b/pkg/consts/consts.go
@@ -53,4 +53,5 @@ const (
 CarbideRegistry = "rgcrprod.azurecr.us" ImageAnnotationKey = "hauler.dev/key" ImageAnnotationPlatform = "hauler.dev/platform" + ImageAnnotationRegistry = "hauler.dev/registry" )
From c8ea279c0df892964b8189f4fe4346802e1abfe8 Mon Sep 17 00:00:00 2001
From: Adam Martin
Date: Sat, 10 Feb 2024 23:30:34 -0500
Subject: [PATCH 3/6] add better logging for save
Signed-off-by: Adam Martin
---
 pkg/cosign/cosign.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
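Review bot: Both second return values are discarded in the registry block added by the `@@ -174,7 +175,15 @@` hunk of sync.go (PATCH 2/6): `newRef,_ := reference.Parse(i.Name)` and `newRef,_ = reference.Relocate(...)`. Assuming those values are errors and a failed call returns a nil reference, a malformed image name in the manifest would panic at `newRef.Context()` or `newRef.Name()` instead of returning an error to the caller. The same lines are moved unchanged to the top of the loop by the `@@ -140,6 +140,15 @@` hunk of PATCH 6/6, so the fix applies there as well. Because this annotation decides which registry an unqualified image is pulled from, the rewrite is also worth recording in a debug line. processContent begins and ends outside the hunk.

```go
if a[consts.ImageAnnotationRegistry] != "" {
	newRef, err := reference.Parse(i.Name)
	if err != nil {
		return err
	}
	if newRef.Context().RegistryStr() == "" {
		newRef, err = reference.Relocate(i.Name, a[consts.ImageAnnotationRegistry])
		if err != nil {
			return err
		}
	}
	// Record the rewrite so the registry actually used is visible in the logs.
	l.Debugf("image [%s] resolved to [%s]", i.Name, newRef.Name())
	i.Name = newRef.Name()
}
// … unchanged: storeImage call …
```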
diff --git a/pkg/cosign/cosign.go b/pkg/cosign/cosign.go
index 20dfbabb..db6b77bc 100644
--- a/pkg/cosign/cosign.go
+++ b/pkg/cosign/cosign.go
@@ -43,6 +43,7 @@ func VerifySignature(ctx context.Context, s *store.Layout, keyPath string, ref s
 // SaveImage saves image and any signatures/attestations to the store. func SaveImage(ctx context.Context, s *store.Layout, ref string, platform string) error { + l := log.FromContext(ctx) operation := func() error { cosignBinaryPath, err := getCosignPath(ctx) if err != nil {
@@ -58,7 +59,8 @@ func SaveImage(ctx context.Context, s *store.Layout, ref string, platform string
 output, err := cmd.CombinedOutput() if err != nil { if strings.Contains(string(output), "specified reference is not a multiarch image") { - // Rerun the command without the platform flag + l.Infof(fmt.Sprintf("specified image [%s] is not a multiarch image. (choosing default)", ref)) + // Rerun the command without the platform flag cmd = exec.Command(cosignBinaryPath, "save", ref, "--dir", s.Root) output, err = cmd.CombinedOutput() if err != nil {
From be22e56f27a975b5853eeb234eea5e7fc9d846fe Mon Sep 17 00:00:00 2001
From: Adam Martin
Date: Sat, 10 Feb 2024 23:32:42 -0500
Subject: [PATCH 4/6] fix whitspace issue
Signed-off-by: Adam Martin
---
 pkg/cosign/cosign.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/cosign/cosign.go b/pkg/cosign/cosign.go
index db6b77bc..3fcd21d0 100644
--- a/pkg/cosign/cosign.go
+++ b/pkg/cosign/cosign.go
@@ -60,7 +60,7 @@ func SaveImage(ctx context.Context, s *store.Layout, ref string, platform string
 if err != nil { if strings.Contains(string(output), "specified reference is not a multiarch image") { l.Infof(fmt.Sprintf("specified image [%s] is not a multiarch image. (choosing default)", ref)) - // Rerun the command without the platform flag + // Rerun the command without the platform flag cmd = exec.Command(cosignBinaryPath, "save", ref, "--dir", s.Root) output, err = cmd.CombinedOutput() if err != nil {
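Review bot: The added `l.Infof(fmt.Sprintf("specified image [%s] ...", ref))` in the `@@ -58,7 +59,8 @@` hunk of `pkg/cosign/cosign.go` (PATCH 3/6) passes an already formatted string as the format argument, so any `%` in `ref` is read as a verb and garbles the log line. Pass the arguments directly: `l.Infof("specified image [%s] is not a multiarch image. (choosing default)", ref)`. PATCH 5/6 keeps the same wrapping when it switches the call to `l.Debugf`. The retry drops the requested platform on the strength of a substring match in the tool's output, so the message should also name the platform that was requested and is now being ignored. SaveImage continues outside the hunk.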
From 6c2b97042e8c8ed6313e6c3e8abd881efe644d71 Mon Sep 17 00:00:00 2001
From: Adam Martin
Date: Sun, 11 Feb 2024 10:37:40 -0500
Subject: [PATCH 5/6] switch the 'not a multi-arch image' log message to be debug
Signed-off-by: Adam Martin
---
 pkg/cosign/cosign.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/cosign/cosign.go b/pkg/cosign/cosign.go
index 3fcd21d0..dbd0703c 100644
--- a/pkg/cosign/cosign.go
+++ b/pkg/cosign/cosign.go
@@ -59,7 +59,7 @@ func SaveImage(ctx context.Context, s *store.Layout, ref string, platform string
 output, err := cmd.CombinedOutput() if err != nil { if strings.Contains(string(output), "specified reference is not a multiarch image") { - l.Infof(fmt.Sprintf("specified image [%s] is not a multiarch image. (choosing default)", ref)) + l.Debugf(fmt.Sprintf("specified image [%s] is not a multiarch image. (choosing default)", ref)) // Rerun the command without the platform flag cmd = exec.Command(cosignBinaryPath, "save", ref, "--dir", s.Root) output, err = cmd.CombinedOutput()
From 0c55d00d497c512b0cacbae49783073841f19356 Mon Sep 17 00:00:00 2001
From: Adam Martin
Date: Sun, 11 Feb 2024 10:58:31 -0500
Subject: [PATCH 6/6] switch the 'apply the registry override first in a image sync
Signed-off-by: Adam Martin
---
 cmd/hauler/cli/store/sync.go | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/cmd/hauler/cli/store/sync.go b/cmd/hauler/cli/store/sync.go
index ce011530..6d8cb0df 100644
--- a/cmd/hauler/cli/store/sync.go
+++ b/cmd/hauler/cli/store/sync.go
@@ -140,6 +140,15 @@ func processContent(ctx context.Context, fi *os.File, o *SyncOpts, s *store.Layo
 } a := cfg.GetAnnotations() for _, i := range cfg.Spec.Images { + + // Check if the user provided a registry. If a registry is provided in the annotation, use it for the images that don't have a registry in their ref name. + if a[consts.ImageAnnotationRegistry] != "" { + newRef,_ := reference.Parse(i.Name) + if newRef.Context().RegistryStr() == "" { + newRef,_ = reference.Relocate(i.Name, a[consts.ImageAnnotationRegistry]) + } + i.Name = newRef.Name() + } // Check if the user provided a key. The flag from the CLI takes precedence over the annotation. The individual image key takes precedence over both. if a[consts.ImageAnnotationKey] != "" || o.Key != "" || i.Key != "" {
@@ -175,15 +184,6 @@ func processContent(ctx context.Context, fi *os.File, o *SyncOpts, s *store.Layo
 } l.Debugf("platform for image [%s]", platform) - // Check if the user provided a registry. If a registry is provided in the annotation, use it for the images that don't have a registry in their ref name. - if a[consts.ImageAnnotationRegistry] != "" { - newRef,_ := reference.Parse(i.Name) - if newRef.Context().RegistryStr() == "" { - newRef,_ = reference.Relocate(i.Name, a[consts.ImageAnnotationRegistry]) - } - i.Name = newRef.Name() - } - err = storeImage(ctx, s, i, platform) if err != nil { return err