Provide a means to configure simple signature lookaside storage. #93
We need to be able to do the equivalent of installing a file in docker:
target-registry-domain.com:
  sigstore: https://$USER:@[email protected]/folder/or-other
We want to do this in a kube native way (no files!), given that we will be able to compute the config dynamically: 'docker' will be constant, the target domain is that of the image under eval, we may be able to think of a way to inject the credentials (use pull secret? any in-scope pull secret, need not be the same as the image's), and map from the domain/image to the rest of the path.
One way to support this would be to allow "sigstore:" under the "simple:" object in the policy yaml.
What does the simple client do with the sigstore setting? Does it expect to find the same extension API just underneath the specified URL? So for the example would it expect to find the data at I think for the former then that would greatly affect your ability to use wildcard policies. For the latter, assuming all repos covered by the wildcard have signatures in the same signature store, that's probably fine.
We confirmed that the URL is a base URL and is extended by repository and signature number object names, so it should not badly affect the ability to wildcard policies, although it does add another component to the set of things defined by the policy entry.
It is not the repo-specific registry extension API at the sigstore location.
Planning to manufacture a file looking like:
docker-default:
  sigstore: <url from config>
called
Work in progress: #111
In order to keep the policy entries self-contained we need to make a breaking change to the policy definition (trust type unchanged). Since these were only introduced in 0.6.0 we think this is reasonable; we will bump the version to 0.7.0.
If the registry used does not support the simple signing registry extension, then the signatures will need to be pulled from another store.
Portieris does not support host configuration files so we need another way to identify defined signature storage.
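To make the lookaside lookup concrete, here is an added example (not Portieris code, and not from the thread) showing how a "sigstore" base URL from a policy entry is extended into the per-signature object URL, and how the in-memory registries.d fragment described above could be rendered. The `<base>/<repo path>@<algorithm>=<hex>/signature-<n>` layout and the `docker:` wrapper are assumed from containers/image's documented simple-signing conventions, not stated on this page; the `SimplePolicy` type and the image/digest inputs are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// SimplePolicy is the proposed policy entry from the thread: a "sigstore"
// base URL under "simple:". Field name is taken from the discussion above.
type SimplePolicy struct {
	Sigstore string
}

// LookasideURL computes where the n-th (1-based) signature of an image is
// expected in a simple-signing lookaside store. The layout is assumed from
// containers/image: <base>/<repo path>@<algorithm>=<hex>/signature-<n>.
// The repo path excludes the registry host, so one store can back a wildcard
// policy as long as every repository under it uses the same store.
func LookasideURL(p SimplePolicy, image, digest string, n int) (string, error) {
	base, err := url.Parse(p.Sigstore)
	if err != nil || base.Scheme == "" || base.Host == "" {
		return "", errors.New("sigstore must be an absolute URL")
	}
	// Strip the host, any "@digest" suffix and any tag: "host/ns/repo:tag" -> "ns/repo".
	host, repo, ok := strings.Cut(image, "/")
	if !ok || host == "" || repo == "" {
		return "", fmt.Errorf("image %q must be host/repository", image)
	}
	repo, _, _ = strings.Cut(repo, "@")
	if i := strings.LastIndex(repo, ":"); i >= 0 {
		repo = repo[:i]
	}
	algo, hex, ok := strings.Cut(digest, ":")
	if !ok || algo == "" || len(hex) < 32 {
		return "", fmt.Errorf("digest %q must be <algorithm>:<hex>", digest)
	}
	if n < 1 {
		return "", errors.New("signature index is 1-based")
	}
	base.Path = strings.TrimRight(base.Path, "/") + "/" + repo +
		"@" + algo + "=" + hex + "/signature-" + fmt.Sprint(n)
	return base.String(), nil
}

// RegistriesD renders the registries.d document the thread proposes to
// manufacture in memory instead of reading a host configuration file.
func RegistriesD(host string, p SimplePolicy) string {
	return "docker:\n  " + host + ":\n    sigstore: " + p.Sigstore + "\n"
}
```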