verify ec and sboms from private registry #94
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- also changed ci-test and setup to do private registry as default and disable ACS if you do - you can switch back to public by setting TEST_PRIVATE_REGISTRY=false before running ci-test and other setups. TODO -- the env file is being created in multiple places -- would be good to make that common in one place.
simonbaird
reviewed
Nov 26, 2024
| @@ -120,6 +120,13 @@ fi | |||
|
|
|||
| jq -r '.components[].containerImage' <<< "$IMAGES" | while read -r image; do | |||
| echo "Getting attestation for $image" | |||
|
|
|||
| image_registry="${image/\/*/}" | |||
| # If the repo is not publicly accessible we need to authenticate so ec can access it | |||
There was a problem hiding this comment.
...authenticate so it can be accessed
simonbaird
approved these changes
Nov 26, 2024
simonbaird
reviewed
Nov 26, 2024
| # If the repo is not publicly accessible we need to authenticate so ec can access it | ||
| prepare-registry-user-pass $image_registry | ||
| echo "cosign login to registry $image_registry" | ||
| cosign login --username="$IMAGE_REGISTRY_USER" --password="$IMAGE_REGISTRY_PASSWORD" $image_registry |
There was a problem hiding this comment.
Looks like this is happening once per image. Since all the images are likely from the same registry, it would be more efficient to just do it once.
There was a problem hiding this comment.
(Discussed on slack. Conclusion: Not a big deal, and actually we might in theory have images in different registries.)
chmeliik
approved these changes
Nov 26, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
You can switch back to public by setting TEST_PRIVATE_REGISTRY=false before running ci-test and other setups.
TODO
-- the env file is being created in multiple places -- would be good to make that common in one place.
-- disabling ACS should only be done if reusing the QE instances that don't have your credentials