OCPNODE-3008: Add v1 type ClusterImagePolicy and ImagePolicy #2310
Conversation
openshift-ci-robot
added
the
jira/valid-reference
|
@QiWang19: This pull request references OCPNODE-3008 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
Skipping CI for Draft Pull Request. |
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Hello @QiWang19! Some important instructions when contributing to openshift/api: |
openshift-ci
bot
added
the
size/XXL
QiWang19
force-pushed
the
sigstoreverification
branch
from
bc22659 to
c277fe2
Compare
|
/test all |
QiWang19
force-pushed
the
sigstoreverification
branch
4 times, most recently
from
28cc792 to
c96787f
Compare
|
/test lint |
|
/test all |
QiWang19
force-pushed
the
sigstoreverification
branch
from
c96787f to
a184848
Compare
|
/test all |
QiWang19
force-pushed
the
sigstoreverification
branch
from
a184848 to
5886a58
Compare
|
/test all |
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
QiWang19
changed the title
|
@JoelSpeed Could you review? |
| Spec ClusterImagePolicySpec `json:"spec"` | ||
| // status contains the observed state of the resource. | ||
| // +optional | ||
| Status ClusterImagePolicyStatus `json:"status,omitempty"` |
There was a problem hiding this comment.
Omitempty doesn't work on non-pointer structs, you can drop the omitempty tag
|
|
||
| // +k8s:deepcopy-gen=true | ||
| type ClusterImagePolicyStatus struct { | ||
| // conditions provide details on the status of this API Resource. |
There was a problem hiding this comment.
Can we provide further detail on the types of conditions that should be expected to be set here? I suspect we have a complete list for the feature now?
There was a problem hiding this comment.
For ImagePolicy, we have Pending conditions suggesting some configs from this object would be overwritten since they conflict with existing cluster-wide objects.
We don't have other conditions for ClusterImagePolicy/ImagePolicy since there is no mechanism for MCO to give rollout feedback of a machine config.
| // +k8s:deepcopy-gen=true | ||
| type ClusterImagePolicyStatus struct { | ||
| // conditions provide details on the status of this API Resource. | ||
| // +kubebuilder:validation:MaxItems=100 |
There was a problem hiding this comment.
100 seems high, do you know how many conditions the feature actually uses right now? Would say 8 or 16 be a more sensible limit?
| // +listType=map | ||
| // +listMapKey=type | ||
| // +optional | ||
| Conditions []metav1.Condition `json:"conditions,omitempty"` |
There was a problem hiding this comment.
You should add a minimum length marker of 1 to this, so that [] is not a valid persisted object
| Conditions []metav1.Condition `json:"conditions,omitempty"` | |
| // +kubebuilder:validation:MinItems=1 | |
| Conditions []metav1.Condition `json:"conditions,omitempty"` |
| @@ -4,7 +4,6 @@ source "$(dirname "${BASH_SOURCE}")/lib/init.sh" | |||
|
|
|||
| crd_globs="\ | |||
| authorization/v1/zz_generated.crd-manifests/*_config-operator_*.crd*yaml\ | |||
| config/v1/zz_generated.crd-manifests/*_config-operator_*.crd*yaml\ | |||
There was a problem hiding this comment.
Why is this change required?
There was a problem hiding this comment.
Add this change so the v1 manifests will not be included in the payload at this time https://github.com/openshift/api/tree/master/payload-manifests/crds. From our previous discussion, we will include the manifests later when MCO controller implementation is ready to use v1 APIs.
config/v1/types_image_policy.go
Outdated
| Spec ImagePolicySpec `json:"spec"` | ||
| // status contains the observed state of the resource. | ||
| // +optional | ||
| Status ImagePolicyStatus `json:"status,omitempty"` |
There was a problem hiding this comment.
Omitempty here is not doing anything
config/v1/types_image_policy.go
Outdated
|
|
||
| // Policy defines the verification policy for the items in the scopes list. | ||
| type Policy struct { | ||
| // rootOfTrust specifies the root of trust for the policy. |
There was a problem hiding this comment.
This godoc is a little light, can we expand at all on what a root of trust is, and/or why someone might want to configure this option
| } | ||
|
|
||
| // PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates. | ||
| type PKI struct { |
There was a problem hiding this comment.
Should add minimum lengths to each of the slices in this example
| // +required | ||
| // +kubebuilder:validation:MaxItems=256 |
There was a problem hiding this comment.
Explicitly state these constraints in the GoDoc for the field. Users will not be able to see the markers when looking at the generated documentation so stating these validations explicitly, in plain english, helps us convey constraints to user reading the generated documentation.
| Scopes []ImageScope `json:"scopes"` | ||
| // policy contains configuration to allow scopes to be verified, and defines how | ||
| // images not matching the verification policy will be treated. | ||
| // +required |
There was a problem hiding this comment.
Ditto on explicit inclusion in the GoDoc that this field is required.
config/v1/types_image_policy.go
Outdated
| RootOfTrust PolicyRootOfTrust `json:"rootOfTrust"` | ||
| // signedIdentity specifies what image identity the signature claims about the image. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". | ||
| // +optional | ||
| SignedIdentity PolicyIdentity `json:"signedIdentity,omitempty"` |
There was a problem hiding this comment.
As Joel has mentioned previously, omitempty doesn't do anything on a non-pointer struct. It can be dropped here.
| // Policy defines the verification policy for the items in the scopes list. | ||
| type Policy struct { | ||
| // rootOfTrust specifies the root of trust for the policy. | ||
| // +required |
There was a problem hiding this comment.
Explicitly mention in the GoDoc that this field is required.
| // +required | ||
| RootOfTrust PolicyRootOfTrust `json:"rootOfTrust"` | ||
| // signedIdentity specifies what image identity the signature claims about the image. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". | ||
| // +optional |
There was a problem hiding this comment.
Explicitly mention that this field is optional in the GoDoc. It looks like you do appropriately state what the default behavior is if this field is omitted.
| type PolicyMatchExactRepository struct { | ||
| // repository is the reference of the image identity to be matched. | ||
| // The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox | ||
| // +required |
There was a problem hiding this comment.
Explicit mention of being required.
config/v1/types_image_policy.go
Outdated
| type PolicyMatchRemapIdentity struct { | ||
| // prefix is the prefix of the image identity to be matched. | ||
| // If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). | ||
| // This useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. |
There was a problem hiding this comment.
| // This useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. | |
| // This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. |
| // The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, | ||
| // or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. | ||
| // For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. | ||
| // +required |
There was a problem hiding this comment.
Explicitly mention that the field is required in the GoDoc.
| // signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, | ||
| // or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. | ||
| // For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. | ||
| // +required |
There was a problem hiding this comment.
Explicitly mention that the field is required in the GoDoc.
| } | ||
|
|
||
| // IdentityMatchPolicy defines the type of matching for "matchPolicy". | ||
| // +kubebuilder:validation:Enum=MatchRepoDigestOrExact;MatchRepository;ExactRepository;RemapIdentity |
There was a problem hiding this comment.
From my understanding, this should allow the omitted value ("") - which is missing in this enum.
There was a problem hiding this comment.
Should it? The enum is used in a required field context, I would expect in this case that not allowing the empty string is probably correct.
I see there is a "When omitted" description though, which does imply that "" is a valid value.
Looking at the shape here, I think we have a case of "optional struct that has a required field within, where the required fields do not accept the zero value"
In this case, the appropriate action is to make the struct field a pointer, so that it can be correctly omitted.
Unless we are deliberately going for discoverability, in which case we need to make sure that all of the fields within the struct accept their zero value
There was a problem hiding this comment.
Unless we are deliberately going for discoverability, in which case we need to make sure that all of the fields within the struct accept their zero value
This is the case I was assuming we would have as this is a configuration API and our general stance is to have discoverability in these types of APIs.
I should have been a bit more clear as to why I understood this as needing to allow the omitted value, my apologies
There was a problem hiding this comment.
Generally, when looking at discoverability comments we should start at the top as it were.
Given currently, https://github.com/openshift/api/pull/2310/files#diff-efbd815aeb2fd3f182852b1c6ec8317d546d44813792bfe7da5e253394f5ff18R72, the usage of the struct containing this is a DU that is optional, pointer, omitempty, we don't need to look at discoverability of fields within there until we have discussed if the signedIdentity field should be discoverable.
If the top level field isn't going to marshal down to {"matchPolicy":""} (which it won't currently) then we don't need "" to be valid here.
So, should signedIdentity be discoverable? Well, who is expected to create these objects? Are we ever likely to be producing these via a go client for the end user? Are we expecting 1 of these objects? Are we expecting many?
I don't think we originally aimed for discoverability on this API because there is no valid object for spec: {}, we need at least some config from an end user for this object to make sense (also, I expect there to be many of these rather than 1)
QiWang19
force-pushed
the
sigstoreverification
branch
3 times, most recently
from
e04c9af to
db83887
Compare
|
@everettraven @JoelSpeed PTAL |
There was a problem hiding this comment.
Couple of small bits, but otherwise looks good
Do we have automated testing for this feature yet? We should make sure we are comfortable and somewhat near ready to promote before we merge the API, or at least, have confidence we will be in a position to pass the promotion requirements within 4.20 development
| // +required | ||
| // +kubebuilder:validation:MaxLength=8192 | ||
| // +kubebuilder:validation:MinLength=68 | ||
| KeyData []byte `json:"keyData"` |
There was a problem hiding this comment.
Should these keydata fields have CEL similar to L173 to check the beginning and end of the value? Same for the second keydata field below
| // caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. | ||
| // +required | ||
| // +kubebuilder:validation:MaxLength=8192 | ||
| // +kubebuilder:validation:MinLength=72 |
There was a problem hiding this comment.
Why are these 72, when the other keys are 68?
There was a problem hiding this comment.
I did not find offical document about minLength limit for certificate data or public key data so I set the minLength to the length of base64 encoding of -----BEGIN CERTIFICATE----- + -----END CERTIFICATE----- for certificate data, -----BEGIN PUBLIC KEY----- +-----END PUBLIC KEY----- for pubilc key data, the 78, 72 difference caused by different prefix, suffix.
QiWang19
force-pushed
the
sigstoreverification
branch
2 times, most recently
from
834476d to
fb6f080
Compare
|
/test verify |
|
@JoelSpeed There are |
|
@JoelSpeed PTAL |
|
PTAL at the linter issue, it's found a string without a max length, please set an appropriate maximum length on this one |
@JoelSpeed There was a previous review about the MaxLength requirement on enums not being necessary #2310 (comment), I just wanted to double check if this is an upstream issue or if this validation is needed. |
| // +listType=map | ||
| // +listMapKey=type | ||
| // +optional | ||
| Conditions []metav1.Condition `json:"conditions,omitempty"` |
There was a problem hiding this comment.
Make sure this matches the ClusterImagePolicy version, should have a Minitems as well
QiWang19
force-pushed
the
sigstoreverification
branch
from
fb6f080 to
3c5d9a7
Compare
Upgrade ClusterImagePolicy and ImagePolicy under SigstoreVerification featuregate to v1. will workon upgrade controller code to use v1 API and promote the featuregate to default as next step. Signed-off-by: Qi Wang <qiwan@redhat.com>
QiWang19
force-pushed
the
sigstoreverification
branch
from
3c5d9a7 to
00034b1
Compare
|
/override ci/prow/lint /lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: everettraven, JoelSpeed, QiWang19 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
@JoelSpeed: Overrode contexts on behalf of JoelSpeed: ci/prow/lint In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@QiWang19: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
[ART PR BUILD NOTIFIER] Distgit: ose-cluster-config-api |
Upgrade ClusterImagePolicy and ImagePolicy under SigstoreVerification featuregate to v1. will workon upgrade controller code to use v1 API and promote the featuregate to default as next step.