7 ‐ SLSA compliant charts
All projects that became SLSA compliant based on the SLSA guidance will automatically push their images directly to both DockerHub and Rancher Prime registries.
It is of the utmost importance that no background processes try to sync those DockerHub images back into Rancher Prime: the digests of the two images may differ, which may result in the Prime image being overwritten and its cosign signature no longer being discoverable.
The image sync process within Rancher Prime now only copies missing images, to avoid this problem. However, Rancher charts also have a sync process:
- The `make regsync` process at chart release time will verify each new image and tag added, with `slsactl` at the Prime registry.
- The process will bypass the sync if the image/tag is already cosigned.
- These images/tags are fetched from each newly released chart from its `values.yaml` file.
- Once the image is defined there, it will no longer be synced to the Prime registry from the charts repository.
The images with SLSA compliance must sync with the prime registry from the upstream repository.
More information on SLSA compliance: SLSA Guidance Doc
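
The skip rule described above, sketched as an added example (not code from the charts repository or from `make regsync`). It assumes images appear in `values.yaml` as mappings with `repository` and `tag` keys; the `PRIME` host is a placeholder, and the `is_signed` callback is a hypothetical stand-in for the signature check performed with `slsactl` at the Prime registry.

```python
# Added illustration, not code from the Rancher charts repository.
from typing import Any, Callable, Iterator

PRIME = "registry.example.invalid"  # placeholder for the Prime registry host


def image_refs(node: Any) -> Iterator[str]:
    """Yield repository:tag for every mapping that holds both keys."""
    if isinstance(node, dict):
        repo, tag = node.get("repository"), node.get("tag")
        if isinstance(repo, str) and isinstance(tag, str):
            yield f"{repo}:{tag}"
        for child in node.values():
            yield from image_refs(child)
    elif isinstance(node, list):
        for item in node:
            yield from image_refs(item)


def plan_sync(values: dict, is_signed: Callable[[str], bool]) -> dict:
    """Split a chart's images into those to copy and those to leave alone."""
    plan = {"sync": [], "skip": []}
    for ref in sorted(set(image_refs(values))):
        target = f"{PRIME}/{ref}"
        # A signed tag at Prime is authoritative: copying the DockerHub
        # image over it could change the digest and orphan the signature.
        plan["skip" if is_signed(target) else "sync"].append(ref)
    return plan


# Constructed sample: a chart's values.yaml after YAML parsing.
SAMPLE_VALUES = {
    "image": {"repository": "rancher/example-operator", "tag": "v1.2.3"},
    "agent": {"image": {"repository": "rancher/example-agent", "tag": "v0.9.0"}},
    "sidecars": [{"repository": "rancher/example-proxy", "tag": "v2.0.1"}],
}
# Constructed stand-in for the signature lookup done at the Prime registry.
SIGNED_AT_PRIME = {f"{PRIME}/rancher/example-operator:v1.2.3"}


def sample_plan() -> dict:
    return plan_sync(SAMPLE_VALUES, lambda ref: ref in SIGNED_AT_PRIME)


if __name__ == "__main__":
    print(sample_plan())
```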