-
Notifications
You must be signed in to change notification settings - Fork 43
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[issue-405] Add external built image integrity validation #535
base: main
Are you sure you want to change the base?
Conversation
2e50511
to
4b5da8e
Compare
this yaml can be used to test the PR. It contained image declaration with sonataflow project, published to DH |
f6214ed
to
6df7c95
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems pretty nice! Just a few minor comments.
The e2e tests have been fixed, please rebase your branch 🙏 |
Unfortunately, I have to fix |
@treblereel I'm currently working to fix this one. |
The problem here is sonataflow-minimal-example has no workflow.sw.json in it, so I have to build and publish it to temp repo before tests ... |
b838cd2
to
4cce57d
Compare
Currently, to verify that the image corresponds to the deployment, it is checked that Comments:
An additional step has been added that replaces |
453c24d
to
ac78e6b
Compare
test/testdata/sonataflow.org_v1alpha08_sonataflow-simpleops.yaml
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also please remove the container-builder/bin
folder. Not sure why they are there. 🤔
@treblereel I think we are closer to merging this PR. Can you please also provide the docs on @wmedvede @jakubschwan , do you mind taking a look? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@treblereel controller-gen is still there. Please also add an entry to .gitignore bin
.
In the docs, we must add details of this verification and instruct users how to build or customize a dockerfile to build a valid image.
Waiting for QE verification @jakubschwan and @wmedvede's review. @treblereel the docs can be pushed later. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changes in PR looks good to me
|
} | ||
|
||
func validateImage(ctx context.Context, sonataflow *operatorapi.SonataFlow) (bool, error) { | ||
isInKindRegistry, _, err := imageStoredInKindRegistry(ctx, sonataflow.Spec.PodTemplate.Container.Image) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do this check mean that we are trying to cover the scenario where the operator is executing in kind?
If true, do we need an equivalent verification when installed in minikube? (considering that most of our examples executes in minikube)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@wmedvede As I can see, we use kind-registry and sonataflow.Spec.PodTemplate.Container.Image
only in the tests, where data.localRegistryHosting.v1.hostFromClusterNetwork
set. In case we want to use the same scenario with the minikube, it's better to add to install-minikube.sh
registry and ConfigMap from the create-kind-cluster-with-registry.sh
.
if isInKindRegistry { | ||
ref, err = kindRegistryImage(sonataflow) | ||
} else { | ||
ref, err = remoteImage(sonataflow) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So here we get the remoteImage from Docker registry.
Did you guys @treblereel @jakubschwan verify that this code executes well when the image is read form Quay.io ? I think it's worth verify it works too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The whole point of the isInKindRegistry
check is to determine whether the image is in the kind-registry
or not. As far as I understand, this only makes sense for tests and only in the case where the 'data.localRegistryHosting.v1.hostFromClusterNetwork' flag is set in the ConfigMap
. Kind-registry is insecure. Overall, I don't like the idea of adding checks to the production code just to simplify testing (I'd prefer to remove this check), but the strategy for fetching an image from a secure and insecure registry is different
One option would be to add certificates (self-signed ones are not suitable) to make the kind-registry
secure
This does not interfere with minikube
because we don't use kind-registry
in it
For testing, I use this image from Docker: docker.io/treblereel/sonataflow-workflow-demo:latest
. I don't think there should be any issues with quay.io, but I will check further
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok, thanks, we must be sure that quay.io works well, and openshift installations too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@wmedvede quay.io works
sonataflow_image_quay.yaml.zip
@@ -98,6 +100,11 @@ func (r *SonataFlowReconciler) Reconcile(ctx context.Context, req ctrl.Request) | |||
return ctrl.Result{}, err | |||
} | |||
|
|||
if err := r.Validate(ctx, workflow, req); err != nil { | |||
klog.V(log.E).ErrorS(err, "Failed to validate SonataFlow") | |||
return reconcile.Result{}, nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we have the err, I think it makes sense to return it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is quite a tricky situation: if we return the error, the deployment will be retried until the limit is reached. A common pattern to solve this problem is to return from Reconcile and log the error to the console.
Hi @treblereel , I have left some minor comments/nitpicks. Before merging I thing guys @jakubschwan @treblereel we must be sure this was tested in:
and also using images from docker.io and quay.io. Many thanks! |
@treblereel I think this one needs resolving the merge conflicts and verification that it works in OpenShift. |
Fixes #405
ps: tests will be added in the next commit to this pr