Download bundles from OCI-compatible registries #1464
Comments
|
Some context to the use of OCI registries for storing artefacts other than Docker images here: https://stevelasker.blog/2019/01/25/cloud-native-artifact-stores-evolve-from-container-registries/ Conftest supports pushing and pulling OPA bundles, but I'd be happy to pull that out of Conftest and into OPA (or a standalone library) if folks thing this is useful elsewhere too. The discussion in #1413 is intended to match up the mimetype/layers in the OCI image with the current bundle format described in the docs. The OPA config for using OCI bundles could be something like the following: services:
- name: acr
url: https://instrumenta.azurecr.io
type: oci
bundle:
name: kubernetes
tag: latest
service: acrThe assumption at the moment appears to be that aggregation of policies happens before creating the bundle, so only one bundle is downloaded. That likely makes directly reusable bundles harder to accomplish. The docs The docs cover how to configure bundle |
|
👍 support for downloading from OCI registries would be nice to have. I could imagine removing the need for a service definition in this scenario. For example just configure OPA with the bundle tag: We have #721 to track support for multiple bundles. Now that |
|
With recently added ECR support, would be great to see this + AWS IAM support for it: https://aws.amazon.com/blogs/containers/oci-artifact-support-in-amazon-ecr/ |
|
Hi @RichiCoder1. We use this in https://github.com/open-policy-agent/conftest. Under the hood we use Oras which is where IAM support would want to land I think. Would be great to get ECR added to https://github.com/deislabs/oras/blob/master/implementors.md. |
|
@garethr I'll see if I can dig in! Looks like there's a ticket for that (which I've updated) oras-project/oras#105. |
|
Actually, is Oras the appropriate place to but IAM/AWS specific logic? At least right now it's all just standard Docker/OCI, and I'm not sure they'd take a contribution to add AWS-specific auth. Maybe that's something that'd be better implemented in conftest/opa or some different adapter lib? |
|
In my view this should be applicable to any user of Oras, rather than just Conftest. Implementing there has the advantage of it being useful and consistent for any consumer I feel. |
|
There seems to be receptiveness on the Oras side to building out an extensibility point for that sort of thing: https://cloud-native.slack.com/archives/CJ1KHJM5Z/p1599738293031300 So, it'd be figuring out what's the best way to accomplish that. |
|
Created oras-project/oras#177 to at least start brain storming. Would love feedback, ideas! |
|
Should the alternate auth support be split off in a separate issue perhaps? |
tsandall
added
distribution
|
@srenatus sorry for the late reply :) |
|
Cleaning this up. There's experimental support for this in 0.40.0. Follow-ups are tracked via #4518 and some newer issues I'm writing right now. |
Expected Behavior
OCI-compatible registries can be used to store anything, including OPA bundles (see here a live example). I want to configure OPA with registry details and let it pull all the policy bundles from it (or specific bundles)
Actual Behavior
Bundle API supported, we can write a facade that translates Bundle API to OCI.
See also #1413 (thanks to @garethr!)
The text was updated successfully, but these errors were encountered: