Adds initial Attestor implementation. #998
Conversation
This is the initial implementation of Attestors, which uses generics to link chains components together with strict typing. To start, this adds Attestor implementations of OCI signing and v1 SLSA attestations. These Attestors are NOT wired up to the controller yet, since they don't yet support the full range of config options (and there's likely a few tweaks we need to make in order to help reuse components like signers between Attestors).
tekton-robot
added
the
size/XL
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
The following is the coverage report on the affected files.
|
|
@wlynch: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
| _ formats.Formatter[name.Digest, SimpleContainerImage] = &SimpleSigningPayloader{} | ||
| ) | ||
|
|
||
| type SimpleSigningPayloader SimpleSigning |
There was a problem hiding this comment.
Nit, but this should probably be called something like SimpleSigningFormatter.
| } | ||
|
|
||
| type InTotoIte6 struct { | ||
| slsaConfig *slsaconfig.SlsaConfig | ||
| } | ||
|
|
||
| func NewFormatter(cfg config.Config) (formats.Payloader, error) { | ||
| func NewPayloader(cfg config.Config) (formats.Payloader, error) { |
There was a problem hiding this comment.
Should this be marked as deprecated (also NewPayloaderFromConfig)?
There was a problem hiding this comment.
Actually... I don't think I fully understand Payloader vs Formatter 🤔
| } | ||
|
|
||
| var opts []oci.Option | ||
| if repo := cfg.Storage.OCI.Repository; repo != "" { |
There was a problem hiding this comment.
Let's pay special attention here. We recently had to fix a bug in our handling of this config value.
We should also make sure cfg.Storage.OCI.Insecure is handled properly.
| return &Attestor[objects.TektonObject, *v1.ProvenanceStatement]{ | ||
| payloader: v1.NewPayloaderFromConfig(cfg), | ||
| signer: wrapped, | ||
| // TODO: add support for other storage options. |
There was a problem hiding this comment.
Yeah, I'd be curious to see what this function would look like once we have support for all. It could end up quite large. Or maybe, storer is determined by another function that takes into account the current configuration, and returns the right thing.
|
|
||
| func (s *AttestationStorer[T]) storeImage(ctx context.Context, img name.Digest, att oci.Signature) error { | ||
| logger := logging.FromContext(ctx) | ||
| repo := img.Repository |
There was a problem hiding this comment.
We need to handle cfg.Storage.OCI.Insecure here somehow.
tekton-robot
added
the
needs-rebase
|
@wlynch: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Changes
This is the initial implementation of Attestors, which uses generics to link chains components together with strict typing.
To start, this adds Attestor implementations of OCI signing and v1 SLSA attestations. These Attestors are NOT wired up to the controller yet, since they don't yet support the full range of config options (and there's likely a few tweaks we need to make in order to help reuse components like signers between Attestors).
attestors.gois the file to pay most attention to in this PR.Part of #780
Submitter Checklist
As the author of this PR, please check off the items in this checklist:
functionality, content, code)
Release Notes