WIP: Implement OCI provider #2765
Conversation
JAORMX
force-pushed
the
oci-prov
branch
2 times, most recently
from
1da7967 to
22acd31
Compare
| // join base name with contname | ||
| // TODO make this more robust | ||
| src := fmt.Sprintf("%s/%s", o.baseURL, contname) | ||
| repo, err := name.NewRepository(src) |
There was a problem hiding this comment.
Do you think we should default to using the StrictValidation option to avoid using default tags or the default registry?
| } | ||
| for _, tag := range tags.Tags { | ||
| // Should we be ommiting digest tags? | ||
| if strings.HasPrefix(tag, "sha256-") { |
There was a problem hiding this comment.
If we want to use this provider in the sigstore provider we will not want to omit digest tags. I don't know which way makes the most sense as the default, it almost seems like something the caller should set.
There's also github.com/opencontainers/go-digest which specifies a constant for the canonical digest which currently defaults to sha-256.
There was a problem hiding this comment.
Why does sigstore want the digest tags? (Just for my own understanding)
| @@ -86,6 +88,7 @@ func NewGitHub( | |||
| client: client, | |||
| cache: cache, | |||
| delegate: delegate, | |||
| ghcrwrap: ghcr.FromGitHubClient(client, delegate.GetOwner()), | |||
There was a problem hiding this comment.
Instead of this wrap, wouldn't it be better to implement the GHCR provider as embedded interface in the github provider (maybe through the app/oauth2 delegate)? Or is the intent to allow using the GHCR provider independently of github?
There was a problem hiding this comment.
that was the intent, that you could spawn a GHCR provider without needing the full blown github provider.
| @@ -114,6 +115,21 @@ type GitHub interface { | |||
| AddAuthToPushOptions(ctx context.Context, options *git.PushOptions) error | |||
| } | |||
|
|
|||
| // GHCR is the interface for interacting with the GitHub Container Registry | |||
| type GHCR interface { | |||
| Provider | |||
There was a problem hiding this comment.
Don't these also implement OCI?
internal/providers/providers.go
Outdated
| @@ -242,6 +245,51 @@ func (pb *ProviderBuilder) GetRepoLister() (provinfv1.RepoLister, error) { | |||
| return nil, fmt.Errorf("provider does not implement repo lister") | |||
| } | |||
|
|
|||
| // GetGHCR returns a GHCR client for the provider. | |||
| func (pb *ProviderBuilder) GetGHCR() (provinfv1.GHCR, error) { | |||
| if !pb.Implements(db.ProviderTypeGhcr) { | |||
There was a problem hiding this comment.
If we had the ghcr provider as part of the github interface we could do:
if pb.Implements(db.ProviderTypeGithub) { return pb.GetGithub }
There was a problem hiding this comment.
right, that could be the case; but the intent was to be able to have an independent ghcr provider.
| -- limitations under the License. | ||
|
|
||
| -- Add `ghcr` and `dockerhub` provider type enum | ||
| ALTER TYPE provider_type ADD VALUE 'ghcr'; |
There was a problem hiding this comment.
Can you remind me of the difference between type and class?
There was a problem hiding this comment.
a type (or trait) is a claim of functionality. It denotes that you can do a certain subset of actions.
A class is like a template, it's a collection of types/traits alongside a collection of authentication flow. They allow us to aggregate these and build providers without having to always remember these magical combinations.
|
|
||
| if resp.StatusCode != http.StatusOK { | ||
| if resp.StatusCode == http.StatusUnauthorized { | ||
| return nil, fmt.Errorf("unauthorized: %s", resp.Status) |
There was a problem hiding this comment.
These errors look like something we'll want to define our error types for so we can later do errors.Is in the callers
proto/minder/v1/minder.proto
Outdated
| @@ -2026,8 +2026,7 @@ enum ProviderType { | |||
| PROVIDER_TYPE_GIT = 3 [(name) = "git"]; | |||
| PROVIDER_TYPE_OCI = 4 [(name) = "oci"]; | |||
| PROVIDER_TYPE_REPO_LISTER = 5 [(name) = "repo-lister"]; | |||
| PROVIDER_TYPE_DOCKERHUB = 6 [(name) = "dockerhub"]; | |||
| PROVIDER_TYPE_GHCR = 7 [(name) = "ghcr"]; | |||
| PROVIDER_TYPE_CONTAINER_LISTER = 6 [(name) = "container-lister"]; | |||
There was a problem hiding this comment.
Ah great I think this answers my earlier question about the type (reviewing patches one by one)
| -- Add `ghcr` and `dockerhub` provider type enum | ||
| ALTER TYPE provider_type ADD VALUE 'ghcr'; | ||
| ALTER TYPE provider_type ADD VALUE 'dockerhub'; | ||
| ALTER TYPE provider_type ADD VALUE 'container-lister'; |
There was a problem hiding this comment.
answers my earlier question
JAORMX
force-pushed
the
oci-prov
branch
6 times, most recently
from
971c805 to
9da9b28
Compare
Signed-off-by: Juan Antonio Osorio <[email protected]>
Use a general container lister and implement sample command to test it out Signed-off-by: Juan Antonio Osorio <[email protected]>
They might come from an OCI registry and not be immediately linked. Signed-off-by: Juan Antonio Osorio <[email protected]> Handle general artifact list Signed-off-by: Juan Antonio Osorio <[email protected]>
Signed-off-by: Juan Antonio Osorio <[email protected]>
Signed-off-by: Juan Antonio Osorio <[email protected]>
Signed-off-by: Juan Antonio Osorio <[email protected]>
Signed-off-by: Juan Antonio Osorio <[email protected]>
Signed-off-by: Juan Antonio Osorio <[email protected]>
| pageNumber := 0 | ||
| itemsPerPage := 100 | ||
| pt := string(verifyif.ArtifactTypeContainer) | ||
| opt := &github.PackageListOptions{ |
There was a problem hiding this comment.
This is because we can't use the /tags/list endpoint? (I'm just looking at go-containerregistry's implementation, which I understand to be fairly complete.)
There was a problem hiding this comment.
Ah, this is because we want to check /v2/_catalog, which we don't have the correct token type for?
https://toddysm.com/2024/02/12/authenticating-with-oci-registries-github-container-registry-ghcr-implementation/ has some hints, and suggests that you can use a GitHub auth token (As Authorization: Bearer ...) with the correct scopes to get a GHCR-specific token from /v2/token and then use the token from /v2/token to call /v2/_catalog to get a list of repositories / images.
Note that the blog post suggests that this includes a list of all public repositories in the /v2/_catalog endpoint when called when human credentials. I don't know what the options for GitHub App credentials here are.
There was a problem hiding this comment.
With the knowledge we have now of how the GitHub App works, we should probably revisit this implementation. I'd like GHCR to work in the following scenarios:
- As part of the GitHub App provider
- As part of the OAuth2 provider
- As a standalone provider
Summary
Change Type
Mark the type of change your PR introduces:
Testing
Outline how the changes were tested, including steps to reproduce and any relevant configurations.
Attach screenshots if helpful.
Review Checklist: