[issue-405] Add external built image integrity validation #535
Conversation
treblereel
force-pushed
the
405
branch
2 times, most recently
from
2e50511
to
4b5da8e
Compare
|
this yaml can be used to test the PR. It contained image declaration with sonataflow project, published to DH |
treblereel
force-pushed
the
405
branch
4 times, most recently
from
f6214ed
to
6df7c95
Compare
|
The e2e tests have been fixed, please rebase your branch 🙏 |
Unfortunately, I have to fix |
|
@treblereel I'm currently working to fix this one. |
The problem here is sonataflow-minimal-example has no workflow.sw.json in it, so I have to build and publish it to temp repo before tests ... |
treblereel
force-pushed
the
405
branch
2 times, most recently
from
b838cd2
to
4cce57d
Compare
|
Currently, to verify that the image corresponds to the deployment, it is checked that Comments:
An additional step has been added that replaces |
treblereel
force-pushed
the
405
branch
3 times, most recently
from
453c24d
to
ac78e6b
Compare
test/testdata/sonataflow.org_v1alpha08_sonataflow-simpleops.yaml
Outdated
Show resolved
Hide resolved
|
@treblereel I think we are closer to merging this PR. Can you please also provide the docs on @wmedvede @jakubschwan , do you mind taking a look? |
There was a problem hiding this comment.
@treblereel controller-gen is still there. Please also add an entry to .gitignore bin.
In the docs, we must add details of this verification and instruct users how to build or customize a dockerfile to build a valid image.
treblereel
changed the title
treblereel
changed the title
|
Waiting for QE verification @jakubschwan and @wmedvede's review. @treblereel the docs can be pushed later. |
|
| } | ||
|
|
||
| func validateImage(ctx context.Context, sonataflow *operatorapi.SonataFlow) (bool, error) { | ||
| isInKindRegistry, _, err := imageStoredInKindRegistry(ctx, sonataflow.Spec.PodTemplate.Container.Image) |
There was a problem hiding this comment.
Do this check mean that we are trying to cover the scenario where the operator is executing in kind?
If true, do we need an equivalent verification when installed in minikube? (considering that most of our examples executes in minikube)
There was a problem hiding this comment.
@wmedvede As I can see, we use kind-registry and sonataflow.Spec.PodTemplate.Container.Image only in the tests, where data.localRegistryHosting.v1.hostFromClusterNetwork set. In case we want to use the same scenario with the minikube, it's better to add to install-minikube.sh registry and ConfigMap from the create-kind-cluster-with-registry.sh.
| if isInKindRegistry { | ||
| ref, err = kindRegistryImage(sonataflow) | ||
| } else { | ||
| ref, err = remoteImage(sonataflow) |
There was a problem hiding this comment.
So here we get the remoteImage from Docker registry.
Did you guys @treblereel @jakubschwan verify that this code executes well when the image is read form Quay.io ? I think it's worth verify it works too.
There was a problem hiding this comment.
The whole point of the isInKindRegistry check is to determine whether the image is in the kind-registry or not. As far as I understand, this only makes sense for tests and only in the case where the 'data.localRegistryHosting.v1.hostFromClusterNetwork' flag is set in the ConfigMap. Kind-registry is insecure. Overall, I don't like the idea of adding checks to the production code just to simplify testing (I'd prefer to remove this check), but the strategy for fetching an image from a secure and insecure registry is different
One option would be to add certificates (self-signed ones are not suitable) to make the kind-registry secure
This does not interfere with minikube because we don't use kind-registry in it
For testing, I use this image from Docker: docker.io/treblereel/sonataflow-workflow-demo:latest. I don't think there should be any issues with quay.io, but I will check further
There was a problem hiding this comment.
ok, thanks, we must be sure that quay.io works well, and openshift installations too.
There was a problem hiding this comment.
@wmedvede quay.io works
sonataflow_image_quay.yaml.zip
| @@ -98,6 +100,11 @@ func (r *SonataFlowReconciler) Reconcile(ctx context.Context, req ctrl.Request) | |||
| return ctrl.Result{}, err | |||
| } | |||
|
|
|||
| if err := r.Validate(ctx, workflow, req); err != nil { | |||
| klog.V(log.E).ErrorS(err, "Failed to validate SonataFlow") | |||
| return reconcile.Result{}, nil | |||
There was a problem hiding this comment.
If we have the err, I think it makes sense to return it?
There was a problem hiding this comment.
This is quite a tricky situation: if we return the error, the deployment will be retried until the limit is reached. A common pattern to solve this problem is to return from Reconcile and log the error to the console.
|
Hi @treblereel , I have left some minor comments/nitpicks. Before merging I thing guys @jakubschwan @treblereel we must be sure this was tested in:
and also using images from docker.io and quay.io. Many thanks! |
|
@treblereel I think this one needs resolving the merge conflicts and verification that it works in OpenShift. |
Fixes #405
ps: tests will be added in the next commit to this pr