Added support for cosign and well-known types.

closes pulp#1165 closes pulp#1166 closes pulp#1167 closes pulp#1232 closes pulp#1233 closes pulp#464
ipanova · Mar 9, 2023 · 089c439 · 089c439
1 parent 659aecb
commit 089c439
Show file tree

Hide file tree

Showing 20 changed files with 432 additions and 53 deletions.
diff --git a/CHANGES/1165.feature b/CHANGES/1165.feature
@@ -0,0 +1 @@
+As a user I can serve cosign produced signatures, SBOMS and attestations.
diff --git a/CHANGES/1166.feature b/CHANGES/1166.feature
@@ -0,0 +1 @@
+Added ability to mirror cosign signatures, SBOMs and attestations.
diff --git a/CHANGES/1167.feature b/CHANGES/1167.feature
@@ -0,0 +1 @@
+As a user I can push a cosign signature, attestation or SBOM to Pulp Registry.
diff --git a/CHANGES/1232.feature b/CHANGES/1232.feature
@@ -0,0 +1,3 @@
+Enabled registry to support by default some well-known OCI types as such:
+Source containers, Conftest policies, Singularity.
+
diff --git a/CHANGES/1233.feature b/CHANGES/1233.feature
@@ -0,0 +1,2 @@
+Added ``ADDITIONAL_OCI_ARTIFACT_TYPES`` setting to make the list of supported OCI artifact types
+configurable.
diff --git a/CHANGES/464.feature b/CHANGES/464.feature
@@ -0,0 +1 @@
+Added OCI artifact support helm charts.
diff --git a/docs/workflows/cosign-support.rst b/docs/workflows/cosign-support.rst
@@ -0,0 +1,118 @@
+.. _cosign-support:
+
+Install cosign
+==============
+
+Check for the file in https://github.com/sigstore/cosign/releases
+
+Binary::
+
+ wget "https://github.com/sigstore/cosign/releases/download/v1.6.0/cosign-linux-amd64"
+ mv cosign-linux-amd64 /usr/local/bin/cosign
+ chmod +x /usr/local/bin/cosign
+
+Rpm::
+
+ wget "https://github.com/sigstore/cosign/releases/download/v1.6.0/cosign-1.6.0.x86_64.rpm"
+ rpm -ivh cosign-1.6.0.x86_64.rpm
+
+Mirror
+======
+
+Being an OCI compliant registry Pulp Container registry can natively mirror cosign signatures
+wich are stored as an OCI image::
+
+ {
+    "schemaVersion": 2,
+    "mediaType": "application/vnd.oci.image.manifest.v1+json",
+    "config": {
+        "mediaType": "application/vnd.oci.image.config.v1+json",
+        "digest": "sha256:f35028aa1563f37ccbaa0b32c57777ffbd8e9e3d81d739fec0022995e58a375a",
+        "size": 153
+    },
+    "layers": [
+        {
+            "mediaType": "application/vnd.dev.cosign.simplesigning.v1+json",
+            "digest": "sha256:d3370bd32b32aba43de2b45bb4a2de2fb5c95fd2edbe738acbc3bc595b80c456",
+            "size": 305,
+            "annotations": {
+                "dev.cosignproject.cosign/signature": "MEUCIBWDnTKhbf5x3mSuEHWkv3ixloIFXeDpfXipF9szqrd5AiEA+UU5J84gQ9JnmT6QZAXiPXqSoDVW0CXQYssGh63e9Ro="
+            }
+        }
+    ]
+ }
+
+
+During the syncronization task, Pulp will automatically mirror cosign signatures or atomic
+signatures (accessible via signatures extentions API).
+
+
+Sign
+====
+
+Pulp Container registry can host cosign signature which can be pushed via cosign or podman clients:
+
+Cosign::
+
+
+  # This command creates an ECDSA-P256 key pair (a private and a public key). 
+  cosign generate-key-pair
+  cosign sign --key cosign.key pulp-registry/ipanova/cosign-test:latest
+
+or via Podman::
+
+  podman push pulp-registry/ipanova/cosign-test:latest --sign-by-sigstore-private-key cosign.key
+
+.. warning::
+   To use this with images hosted on image registries, the relevant registry or repository must have
+   the use-sigstore-attachments option enabled in containers-registries.d(5). This specifies whether
+   sigstore image attachments (signatures, attestations and the like) are going to be read/written
+   along with the image. If disabled, the images are treated as if no attachments exist; attempts to
+   write attachments fail.
+
+As a result of this operation ``ipanova/cosign-test:latest`` image is signed and its
+cosign signature is stored in the registry as an OCI image. Cosign uses a fixed naming convention
+to decide the name for a separate image, at which we can store the signature. The tag name resolved
+to a fixed digest of the image/or manifest list which is being signed in a form of ``sha256-12345.sig``
+
+The payload of the signature will be store as an image layer::
+
+  {
+    "critical": {
+        "identity": {
+            "docker-reference": "pulp-registry/ipanova/cosigned:latest"
+        },
+        "image": {
+            "docker-manifest-digest": "sha256:81cd171c4eda75046c31d6ed26f1241bbfa9326640613430be780ea931b02c24"
+        },
+        "type": "cosign container image signature"
+    },
+    "optional": {
+        "creator": "containers/image 5.23.1",
+        "timestamp": 1673006074
+    }
+  }
+
+
+.. note:
+    Besides cosign signature Pulp Container Registry can mirror and host SBOMs and attestations.
+
+
+The verify
+==========
+
+Signature verification can be done via cosign or podman clients::
+
+  cosign verify --key cosign.pub pulp-registry/ipanova/cosign-test:latest
+
+When using podman client the policy.json file should be properly configured per specs.
+A new requirement type ``sigstoreSigned`` has been introduced:
+
+https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#sigstoresigned
+
+.. warning::
+   To use this with images hosted on image registries, the relevant registry or repository must have
+   the use-sigstore-attachments option enabled in containers-registries.d(5). This specifies whether
+   sigstore image attachments (signatures, attestations and the like) are going to be read/written
+   along with the image. If disabled, the images are treated as if no attachments exist; attempts to
+   write attachments fail.
diff --git a/docs/workflows/helm-support.rst b/docs/workflows/helm-support.rst
@@ -0,0 +1,98 @@
+.. _helm-support:
+
+Install helm client
+===================
+
+Install Helm client: Download your desired version from the Helm releases page.
+Unpack it and move the helm binary to its desired destination ::
+
+
+$ tar -zxvf helm-v3.8.2-linux-amd64.tar.gz
+$ mv linux-amd64/helm /usr/local/bin/helm
+
+RPM installation::
+
+ sudo dnf install helm
+
+
+Using Helm charts with Pulp Container
+=====================================
+
+
+Push and Host
+-------------
+
+Use the following example to download and push an etherpad chart from the Red Hat community repository.
+
+Add a chart repository::
+
+    $ helm repo add redhat-cop https://redhat-cop.github.io/helm-charts
+
+Update the information of available charts locally from the chart repository::
+
+    $ helm repo update
+
+Download a chart from a repository::
+
+    $ helm pull redhat-cop/etherpad --version=0.0.4 --untar
+
+Package the chart into a chart archive::
+
+    $ helm package ./etherpad
+    Successfully packaged chart and saved it to: /home/vagrant/devel/pulp_container/etherpad-0.0.4.tgz
+
+Log in to your Pulp container registry using helm registry login::
+
+    $ helm registry login pulp3-source-fedora36.puffy.example.com
+
+Push the chart to your Pulp Container registry using the helm push command::
+
+    $ helm push etherpad-0.0.4.tgz oci://pulp3-source-fedora36.puffy.example.com
+    Pushed: pulp3-source-fedora36.puffy.example.com/etherpad:0.0.4
+    Digest: sha256:a6667ff2a0e2bd7aa4813db9ac854b5124ff1c458d170b70c2d2375325f2451b
+
+Ensure that the push worked by deleting the local copy, and then pulling the chart from the repository::
+
+    $ rm -rf etherpad-0.0.4.tgz
+
+    $ helm pull oci://pulp3-source-fedora36.puffy.example.com/etherpad --version 0.0.4
+    Pulled: pulp3-source-fedora36.puffy.example.com/etherpad:0.0.4
+    Digest: sha256:4f627399685880daf30cf77b6026dc129034d68c7676c7e07020b70cf7130902
+
+The chart can then be installed using the helm install command::
+
+    $ helm install etherpad-0.0.4.tgz
+
+Alternatively, charts can be installed directly from the registry without needing to download locally.
+Use the helm install command and reference the registry location::
+
+    $ helm install oci://pulp3-source-fedora36.puffy.example.com/helm/etherpad --version=0.0.4
+
+
+
+Mirror
+------
+
+Being an OCI compliant registry Pulp Container registry can natively mirror helm charts
+wich are stored as an OCI image::
+ 
+ {
+  "schemaVersion": 2,
+  "config": {
+    "mediaType": "application/vnd.cncf.helm.config.v1+json",
+    "digest": "sha256:8ec7c0f2f6860037c19b54c3cfbab48d9b4b21b485a93d87b64690fdb68c2111",
+    "size": 117
+  },
+  "layers": [
+    {
+      "mediaType": "application/vnd.cncf.helm.chart.content.v1.tar+gzip",
+      "digest": "sha256:1b251d38cfe948dfc0a5745b7af5ca574ecb61e52aed10b19039db39af6e1617",
+      "size": 2487
+    },
+    {
+      "mediaType": "application/vnd.cncf.helm.chart.provenance.v1.prov",
+      "digest": "sha256:3e207b409db364b595ba862cdc12be96dcdad8e36c59a03b7b3b61c946a5741a",
+      "size": 643
+    }
+  ]
+}
diff --git a/docs/workflows/index.rst b/docs/workflows/index.rst
@@ -60,11 +60,21 @@ Basic Workflows
    push
    import-export
 
-Managing Signatures
--------------------
+Managing Atomic Signatures
+--------------------------
 
 .. toctree::
    :maxdepth: 2
 
    sign-images
    verify-images
+
+OCI artifact support
+--------------------
+
+   .. toctree::
+   :maxdepth: 2
+
+   cosign-support
+   helm-support
+   oci-artifacts
diff --git a/docs/workflows/oci-artifacts.rst b/docs/workflows/oci-artifacts.rst
@@ -0,0 +1,53 @@
+Adding other OCI media types to Pulp Registry
+=============================================
+
+Helm, cosign, source containers, singuland OCI images media types are built into the registry by default.
+By default the following list of media types is enabled in the Container Registry::
+
+.. _default-oci-types:
+
+ * OCI images
+ * Helm
+ * Cosign
+ * Source containers
+ * Singularity
+ * Conftest policies
+
+For any other OCI media type that is not supported by default, you can add them to the
+ADDITIONAL_OCI_ARTIFACT_TYPES settings using the following format::
+
+ ADDITIONAL_OCI_ARTIFACT_TYPES = {
+    "<oci config type 1>": [
+        "<oci layer type A>",
+        "<oci layer type B>",
+    ],
+    "<oci config type 2>": [
+        "<oci layer type C>",
+        "<oci layer type D>",
+    ],
+ }
+
+
+For example, you can add WebAssembly (WASM) support by adding the following to your ADDITIONAL_OCI_ARTIFACT_TYPES
+setting::
+
+ ADDITIONAL_OCI_ARTIFACT_TYPES = {
+    "<oci config type 1>": [
+        "<oci layer type A>",
+        "<oci layer type B>",
+    ],
+    "<oci config type 2>": [
+        "<oci layer type C>",
+        "<oci layer type D>",
+    ],
+    "application/vnd.module.wasm.config.v1+json": [
+        "application/vnd.module.wasm.content.layer.v1+wasm"
+    ],
+ }
+
+ .. note::
+
+When adding OCI media types that are not configured by default, users will also need to manually add
+support for the :ref:`default-oci-types`.
+The OCI images media types are supported by default and cannot be disabled, so users will not need
+to add that to enable support.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		As a user I can serve cosign produced signatures, SBOMS and attestations.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Added ability to mirror cosign signatures, SBOMs and attestations.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		As a user I can push a cosign signature, attestation or SBOM to Pulp Registry.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		Enabled registry to support by default some well-known OCI types as such:
		Source containers, Conftest policies, Singularity.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		Added ``ADDITIONAL_OCI_ARTIFACT_TYPES`` setting to make the list of supported OCI artifact types
		configurable.