
[issue-405] Add external built image integrity validation #535

Open
wants to merge 1 commit into
base: main

Conversation

treblereel
Contributor

@treblereel treblereel commented Sep 20, 2024

Fixes #405

PS: tests will be added in the next commit to this PR.

@treblereel treblereel force-pushed the 405 branch 2 times, most recently from 2e50511 to 4b5da8e Compare September 20, 2024 03:53
@treblereel
Contributor Author

sonataflow_image.yaml.zip

This YAML can be used to test the PR. It contains an image declaration with a sonataflow project, published to DH.

@treblereel treblereel force-pushed the 405 branch 4 times, most recently from f6214ed to 6df7c95 Compare September 27, 2024 22:45
Member

@ricardozanini ricardozanini left a comment


It seems pretty nice! Just a few minor comments.

@ricardozanini
Member

The e2e tests have been fixed, please rebase your branch 🙏

@treblereel
Contributor Author

The e2e tests have been fixed, please rebase your branch 🙏
Thanks

Unfortunately, I have to fix test/testdata/sonataflow.org_v1alpha08_sonataflow-simpleops.yaml first, because of image: quay.io/kiegroup/sonataflow-minimal-example:latest

@ricardozanini
Member

@treblereel I'm currently working to fix this one.

@treblereel
Contributor Author

sonataflow-minimal-example

The problem here is that sonataflow-minimal-example has no workflow.sw.json in it, so I have to build and publish it to a temp repo before the tests ...

@treblereel treblereel force-pushed the 405 branch 2 times, most recently from b838cd2 to 4cce57d Compare October 6, 2024 19:53
@treblereel
Contributor Author

Currently, to verify that the image corresponds to the deployment, it is checked that /deployments/app/workflow.sw.json in the image matches the workflow in the YAML.

Comments:

  • This approach aligns with how kn-workflow-plugin generates new projects.
  • If this approach is acceptable, kn-workflow-plugin needs to be updated (update Dockerfile.*).
  • Other naming options are possible, such as metadata.name.
  • It's a breaking change: if it is merged, all deployments with an image declaration will fail.

An additional step has been added that replaces kind-registry in spec.podTemplate.container.image with the IP address of kind-registry in *operatorapi.SonataFlow during the deployment phase, because the container builder cannot resolve the image URI by hostname in its kind-registry. This issue does not occur with an external Docker registry.
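As an added illustration of the comparison described in the comment above (example code written for this page, not the operator's own validator): it assumes the workflow.sw.json extracted from the image and the workflow from the CR spec are both available as JSON bytes, and treats formatting differences as a match while any content change fails the check.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
)

// WorkflowMatches reports whether the workflow definition found inside the
// image (/deployments/app/workflow.sw.json) is semantically identical to the
// workflow declared in the SonataFlow CR, which is assumed here to have been
// serialized to JSON already. Both documents are decoded before comparing,
// so key order, indentation and other formatting differences are not
// mismatches, while any change to a state, function or field is.
func WorkflowMatches(fromImage, fromSpec []byte) (bool, error) {
	var img, spec any
	if err := json.Unmarshal(fromImage, &img); err != nil {
		return false, fmt.Errorf("workflow in image is not valid JSON: %w", err)
	}
	if err := json.Unmarshal(fromSpec, &spec); err != nil {
		return false, fmt.Errorf("workflow in spec is not valid JSON: %w", err)
	}
	return reflect.DeepEqual(img, spec), nil
}

// Constructed sample inputs (not taken from the project): the same workflow
// with different formatting and key order, and a copy whose inject data was
// changed after the image was built.
var (
	specWorkflow = []byte(`{"id":"hello","version":"1.0","start":"Hello",
	  "states":[{"name":"Hello","type":"inject","data":{"msg":"hi"},"end":true}]}`)
	imageWorkflow = []byte(`{
	  "start": "Hello",
	  "states": [ { "end": true, "data": {"msg": "hi"}, "type": "inject", "name": "Hello" } ],
	  "version": "1.0",
	  "id": "hello"
	}`)
	tamperedWorkflow = []byte(`{"id":"hello","version":"1.0","start":"Hello",
	  "states":[{"name":"Hello","type":"inject","data":{"msg":"changed"},"end":true}]}`)
)

func main() {
	ok, err := WorkflowMatches(imageWorkflow, specWorkflow)
	fmt.Println("reformatted copy matches:", ok, err) // true <nil>
	ok, err = WorkflowMatches(tamperedWorkflow, specWorkflow)
	fmt.Println("tampered copy matches:", ok, err) // false <nil>
}
```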

@treblereel treblereel force-pushed the 405 branch 3 times, most recently from 453c24d to ac78e6b Compare October 7, 2024 17:55
Member

@ricardozanini ricardozanini left a comment


Also please remove the container-builder/bin folder. Not sure why they are there. 🤔

@ricardozanini
Member

@treblereel I think we are closer to merging this PR. Can you please also provide the docs on incubator-kie-kogito-docs? I believe this feature deserves a new page under Cloud.

@wmedvede @jakubschwan , do you mind taking a look?

Member

@ricardozanini ricardozanini left a comment


@treblereel controller-gen is still there. Please also add an entry to .gitignore bin.

In the docs, we must add details of this verification and instruct users how to build or customize a dockerfile to build a valid image.

@treblereel treblereel changed the title kie-kogito-serverless-operator-405: Add external built image integri… [issue-405] Add external built image integri… Oct 11, 2024
@treblereel treblereel changed the title [issue-405] Add external built image integri… [issue-405] Add external built image integrity validation Oct 11, 2024
@ricardozanini
Member

Waiting for QE verification @jakubschwan and @wmedvede's review.

@treblereel the docs can be pushed later.


@jakubschwan jakubschwan left a comment


Changes in the PR look good to me.

@treblereel
Contributor Author

Waiting for QE verification @jakubschwan and @wmedvede's review.

@treblereel the docs can be pushed later.

apache/incubator-kie-kogito-docs#673

}

func validateImage(ctx context.Context, sonataflow *operatorapi.SonataFlow) (bool, error) {
isInKindRegistry, _, err := imageStoredInKindRegistry(ctx, sonataflow.Spec.PodTemplate.Container.Image)
Contributor


Does this check mean that we are trying to cover the scenario where the operator is executing in kind?

If true, do we need an equivalent verification when installed in minikube? (considering that most of our examples execute in minikube)

Contributor Author


@wmedvede As far as I can see, we use kind-registry and sonataflow.Spec.PodTemplate.Container.Image only in the tests, where data.localRegistryHosting.v1.hostFromClusterNetwork is set. In case we want to use the same scenario with minikube, it's better to add the registry and ConfigMap from create-kind-cluster-with-registry.sh to install-minikube.sh.

if isInKindRegistry {
ref, err = kindRegistryImage(sonataflow)
} else {
ref, err = remoteImage(sonataflow)
Contributor


So here we get the remoteImage from Docker registry.

Did you guys @treblereel @jakubschwan verify that this code executes well when the image is read from Quay.io? I think it's worth verifying that it works too.

Contributor Author


@wmedvede @ricardozanini

The whole point of the isInKindRegistry check is to determine whether the image is in the kind-registry or not. As far as I understand, this only makes sense for tests and only in the case where the 'data.localRegistryHosting.v1.hostFromClusterNetwork' flag is set in the ConfigMap. Kind-registry is insecure. Overall, I don't like the idea of adding checks to the production code just to simplify testing (I'd prefer to remove this check), but the strategy for fetching an image from a secure and an insecure registry is different.

One option would be to add certificates (self-signed ones are not suitable) to make the kind-registry secure.

This does not interfere with minikube because we don't use kind-registry in it.

For testing, I use this image from Docker: docker.io/treblereel/sonataflow-workflow-demo:latest. I don't think there should be any issues with quay.io, but I will check further.

Contributor


ok, thanks, we must be sure that quay.io works well, and openshift installations too.

Contributor Author


@@ -98,6 +100,11 @@ func (r *SonataFlowReconciler) Reconcile(ctx context.Context, req ctrl.Request)
return ctrl.Result{}, err
}

if err := r.Validate(ctx, workflow, req); err != nil {
klog.V(log.E).ErrorS(err, "Failed to validate SonataFlow")
return reconcile.Result{}, nil
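Review bot: returning `reconcile.Result{}, nil` after `r.Validate` fails makes a validation error end the reconcile silently: the only record is the `klog` line, nothing is requeued, and a transient failure (for example the registry being unreachable while the image is inspected) is treated the same as a genuine mismatch between the image and the workflow. Consider distinguishing the two, returning the error for transient failures so they are retried, and for a definitive mismatch recording the failure on the SonataFlow status (a condition or an event) so users can see why the workflow was not deployed without reading operator logs. Minor: the hunk mixes `ctrl.Result{}` in the line above with `reconcile.Result{}` here; the two are the same type, so picking one alias keeps the function consistent.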
Contributor


If we have the err, I think it makes sense to return it?

Contributor Author


@wmedvede @ricardozanini

This is quite a tricky situation: if we return the error, the deployment will be retried until the limit is reached. A common pattern to solve this problem is to return from Reconcile and log the error to the console.

@wmedvede
Contributor

wmedvede commented Oct 14, 2024

Hi @treblereel , I have left some minor comments/nitpicks.

Before merging, I think, guys @jakubschwan @treblereel, we must be sure this was tested in:

  1. minikube
  2. openshift

and also using images from docker.io and quay.io.

Many thanks!

@wmedvede
Contributor

@treblereel I think this one needs the merge conflicts resolved and verification that it works in OpenShift.
Would you mind checking, please, @jakubschwan?

Successfully merging this pull request may close these issues.

Add external built image integrity validation
4 participants