Extend the ORAS annotating capabilities in oras attach and oras manifest #1531

FeynmanZhou opened this issue Nov 19, 2024 · 3 comments
@FeynmanZhou

FeynmanZhou commented Nov 19, 2024

What is the version of your ORAS CLI

v1.2.0

What would you like to be added?

Extend the ORAS annotating capabilities to support:

  • Annotate a multi-arch image using OCI image index: oras manifest index create/update --annotation
  • Attach an annotation to an image index and propagate to each child image manifest: oras attach --annotation "key=value" --platform all

Attach an annotation as a referrer to an existing multi-arch image and its child arch-specific image manifest (without mutating its digest) in one shot. The same annotation is supposed to be added to the parent image index and its child arch-specific image manifest recursively:

oras attach --artifact-type application/vnd.artifact.lifecycle  --annotation "vnd.artifact.lifecycle.end-of-life.date=2023-05-12" --platform all --oci-layout layout-dir:v1  

Attached to [oci-layout] layout-dir@sha256:2af402374d4c9297bf077b1e722d52 
Digest: sha256:117308d626166e77ffbd9c76b5545101b723csdcxcxc2344556642
Attached to the child image manifest layout-dir@sha256:aaaaaaaaaaaaaaaaa
Digest: sha256:bbbbbbbbbbbbbbbbb
Attached to the child image manifest layout-dir@sha256:ccccccccccccccccc
Digest: sha256:ddddddddddddddddd

View attached annotations of the multi-arch image (index) and its child image manifest:

$ oras discover --oci-layout layout-dir:v1 --platform all --format tree  

|--Image index
|  layout-dir@sha256:447c006400aae8b0d302cafba172f5da9889d50af085ad51d 
|   └── application/vnd.artifact.lifecycle 
|       └── sha256:b25b53b7df86a5dc7087cf96ed88fd1d8872271422224d7 
|           └── vnd.artifact.lifecycle.end-of-life.date: "2023-05-12"
|
|--Image manifest [1] 
|  layout-dir@sha256:447c006400aae8b0d302caf9d50af089d50af089d50af089d 
|  └── application/vnd.artifact.lifecycle 
|      └── sha256:b25b53b7df86a5dc7087cf96ed88fd1d8872271422224d7 
|          └── vnd.artifact.lifecycle.end-of-life.date: "2023-05-12" 
|
└--Image manifest [2] 
   layout-dir@sha256:447c006400aae8b0d302cafba172f5da9889d50af085ad51d 
   └── application/vnd.artifact.lifecycle 
       └── sha256:b25b53b7df86a5dc7087cf96ed88fd1d8872271422224d7 
           └── vnd.artifact.lifecycle.end-of-life.date: "2023-05-12" 

The expected result will be:
image

Why is this needed for ORAS?

Scenario: A security engineer, Cindy, needs to use image lifecycle annotations to mark when the vulnerable image should be considered end of life (EoL) and no longer used by dependent services.

However, as there are multi-arch images and separate arch-specific images maintained by service teams, it is cumbersome that Cindy can only apply annotations manually to each arch-specific image. Image consumers only reference the multi-arch image by a tag for deployment. The EoL annotation is not available on the multi-arch image (index), which makes the multi-arch image (index) unverifiable.


Are you willing to submit PRs to contribute to this feature?

  • Yes, I am willing to implement it.
@FeynmanZhou FeynmanZhou added enhancement New feature or request triage New issues or PRs to be acknowledged by maintainers labels Nov 19, 2024
@FeynmanZhou FeynmanZhou modified the milestones: v1.3.0, v1.3.0-beta.2 Nov 20, 2024
@FeynmanZhou FeynmanZhou removed the triage New issues or PRs to be acknowledged by maintainers label Nov 27, 2024
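
An added sketch (not part of the issue and not ORAS code) of what the requested `--platform all` propagation amounts to at the manifest level: one referrer manifest carrying the annotation for the index and one for each child manifest it lists, each linked through `subject`, so no existing digest changes. The names `BuildReferrers`, `describe` and `sampleIndex` are hypothetical, the sample index is constructed, and the empty config and layer follow the OCI image-spec guidance for artifacts without content.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Descriptor is the subset of an OCI content descriptor used here.
type Descriptor struct {
	MediaType string `json:"mediaType"`
	Digest    string `json:"digest"`
	Size      int64  `json:"size"`
}
// Referrer is an OCI 1.1 image manifest linked to another manifest through "subject".
type Referrer struct {
	SchemaVersion int               `json:"schemaVersion"`
	MediaType     string            `json:"mediaType"`
	ArtifactType  string            `json:"artifactType"`
	Config        Descriptor        `json:"config"`
	Layers        []Descriptor      `json:"layers"`
	Subject       Descriptor        `json:"subject"`
	Annotations   map[string]string `json:"annotations"`
}
// Constructed sample index; the child digests are placeholders, not real images.
const sampleIndex = `{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json","manifests":[{"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:aaaa","size":100},{"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:bbbb","size":101}]}`
func describe(mediaType string, blob []byte) Descriptor {
	return Descriptor{mediaType, fmt.Sprintf("sha256:%x", sha256.Sum256(blob)), int64(len(blob))}
}

// BuildReferrers returns one referrer for the index and one per child; indexJSON is only read.
func BuildReferrers(indexJSON []byte, artifactType string, ann map[string]string) ([]Referrer, error) {
	var idx struct{ Manifests []Descriptor `json:"manifests"` }
	if err := json.Unmarshal(indexJSON, &idx); err != nil {
		return nil, fmt.Errorf("parse index: %w", err)
	}
	subjects := append([]Descriptor{describe("application/vnd.oci.image.index.v1+json", indexJSON)}, idx.Manifests...)
	empty := describe("application/vnd.oci.empty.v1+json", []byte("{}")) // OCI "empty descriptor"
	var out []Referrer
	for _, s := range subjects {
		out = append(out, Referrer{2, "application/vnd.oci.image.manifest.v1+json", artifactType, empty, []Descriptor{empty}, s, ann})
	}
	return out, nil
}

func main() {
	refs, err := BuildReferrers([]byte(sampleIndex), "application/vnd.artifact.lifecycle", map[string]string{"vnd.artifact.lifecycle.end-of-life.date": "2023-05-12"})
	b, _ := json.MarshalIndent(refs, "", "  ")
	fmt.Println(string(b), err)
}
```
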
@tarilabs

Hi, I noticed this GitHub issue, and it speaks of the oras manifest create command, but I can't see oras manifest create...

~ % oras manifest --help
Manifest operations

Usage:
  oras manifest [command]

Available Commands:
  delete       Delete a manifest from remote registry
  fetch        Fetch manifest of the target artifact
  fetch-config Fetch the config of a manifest from a registry or an OCI image layout
  push         Push a manifest to a registry or an OCI image layout

Can you kindly direct me to where I can read more about it, please?

@FeynmanZhou

FeynmanZhou commented Dec 5, 2024

Hi @tarilabs, thanks for your interest.

oras manifest index create is still in the main branch. You may need to manually build it on your machine to test it. Just follow this guidance to build a dev binary and try the latest experimental feature: https://oras.land/community/developer_guide.


@FeynmanZhou

@tarilabs I have a draft specification to walk through the desired experience of creating and updating a multi-arch image (index). I would appreciate it if you could take a look at this spec: #1514
