Fixes value for storage.oci.repository

Previously while providing repo url value for storage oci repository, chains controller was giving an error as `a digest must contain exactly one '@' separator (e.g. registry/repository@digest)` because, it was not able to add digest Hence this patch fixes it, by formatting the value provided by the user and thus storing the attestations/signatures in the provided location Signed-off-by: PuneetPunamiya <ppunamiy@redhat.com>
tektoncd · Nov 21, 2023 · 566e789 · 566e789
1 parent 1c918c9
commit 566e789
Show file tree

Hide file tree

Showing 2 changed files with 89 additions and 13 deletions.
diff --git a/pkg/chains/storage/oci/legacy.go b/pkg/chains/storage/oci/legacy.go
@@ -18,7 +18,6 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
-
 	"github.com/tektoncd/chains/pkg/chains/formats"
 	"github.com/tektoncd/chains/pkg/chains/objects"
 	"github.com/tektoncd/chains/pkg/chains/signing"
@@ -54,7 +53,8 @@ type Backend struct {
 // NewStorageBackend returns a new OCI StorageBackend that stores signatures in an OCI registry
 func NewStorageBackend(ctx context.Context, client kubernetes.Interface, cfg config.Config) *Backend {
 	return &Backend{
-		cfg:    cfg,
+		cfg: cfg,
+
 		client: client,
 		getAuthenticator: func(ctx context.Context, obj objects.TektonObject, client kubernetes.Interface) (remote.Option, error) {
 			kc, err := k8schain.New(ctx, client,
@@ -119,12 +119,22 @@ func (b *Backend) uploadSignature(ctx context.Context, format simple.SimpleConta
 	imageName := format.ImageName()
 	logger.Infof("Uploading %s signature", imageName)
 
-	ref, err := newDigest(b.cfg, imageName)
+	var opts []name.Option
+	if b.cfg.Storage.OCI.Insecure {
+		opts = append(opts, name.Insecure)
+	}
+
+	ref, err := name.NewDigest(imageName, opts...)
 	if err != nil {
 		return errors.Wrap(err, "getting digest")
 	}
 
-	store, err := NewSimpleStorerFromConfig(WithTargetRepository(ref.Repository))
+	repo, err := newRepo(b.cfg, ref)
+	if err != nil {
+		return errors.Wrapf(err, "getting storage repo for sub %s", imageName)
+	}
+
+	store, err := NewSimpleStorerFromConfig(WithTargetRepository(repo))
 	if err != nil {
 		return err
 	}
@@ -154,12 +164,22 @@ func (b *Backend) uploadAttestation(ctx context.Context, attestation in_toto.Sta
 		imageName := fmt.Sprintf("%s@sha256:%s", subj.Name, subj.Digest["sha256"])
 		logger.Infof("Starting attestation upload to OCI for %s...", imageName)
 
-		ref, err := newDigest(b.cfg, imageName)
+		var opts []name.Option
+		if b.cfg.Storage.OCI.Insecure {
+			opts = append(opts, name.Insecure)
+		}
+
+		ref, err := name.NewDigest(imageName, opts...)
 		if err != nil {
 			return errors.Wrapf(err, "getting digest for subj %s", imageName)
 		}
 
-		store, err := NewAttestationStorer(WithTargetRepository(ref.Repository))
+		repo, err := newRepo(b.cfg, ref)
+		if err != nil {
+			return errors.Wrapf(err, "getting storage repo for sub %s", imageName)
+		}
+
+		store, err := NewAttestationStorer(WithTargetRepository(repo))
 		if err != nil {
 			return err
 		}
@@ -278,16 +298,14 @@ func (b *Backend) RetrieveArtifact(ctx context.Context, obj objects.TektonObject
 	return m, nil
 }
 
-func newDigest(cfg config.Config, imageName string) (name.Digest, error) {
-	// Override image name from config if set.
-	if r := cfg.Storage.OCI.Repository; r != "" {
-		imageName = r
-	}
-
+func newRepo(cfg config.Config, imageName name.Digest) (name.Repository, error) {
 	var opts []name.Option
 	if cfg.Storage.OCI.Insecure {
 		opts = append(opts, name.Insecure)
 	}
 
-	return name.NewDigest(imageName, opts...)
+	if storageOCIRepository := cfg.Storage.OCI.Repository; storageOCIRepository != "" {
+		return name.NewRepository(storageOCIRepository, opts...)
+	}
+	return imageName.Repository, nil
 }
diff --git a/pkg/chains/storage/oci/legacy_test.go b/pkg/chains/storage/oci/legacy_test.go
@@ -0,0 +1,58 @@
+/*
+Copyright 2023 The Tekton Authors
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package oci
+
+import (
+	"testing"
+
+	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/stretchr/testify/assert"
+	"github.com/tektoncd/chains/pkg/config"
+)
+
+func TestNewRepo(t *testing.T) {
+	t.Run("Use any registry in storage oci repository", func(t *testing.T) {
+		cfg := config.Config{}
+		cfg.Storage.OCI.Repository = "example.com/foo"
+		tests := []struct {
+			imageName        string
+			expectedRepoName string
+		}{
+			{
+				imageName:        "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init@sha256:bc4f7468f87486e3835b09098c74cd7f54db2cf697cbb9b824271b95a2d0871e",
+				expectedRepoName: "example.com/foo",
+			},
+			{
+				imageName:        "foo.io/bar/kaniko-chains@sha256:bc4f7468f87486e3835b09098c74cd7f54db2cf697cbb9b824271b95a2d0871e",
+				expectedRepoName: "example.com/foo",
+			},
+			{
+				imageName:        "registry.com/spam/spam/spam/spam/spam/spam@sha256:bc4f7468f87486e3835b09098c74cd7f54db2cf697cbb9b824271b95a2d0871e",
+				expectedRepoName: "example.com/foo",
+			},
+		}
+
+		for _, test := range tests {
+			ref, err := name.NewDigest(test.imageName)
+			if err != nil {
+				t.Error(err)
+			}
+			repo, err := newRepo(cfg, ref)
+			if err != nil {
+				t.Error(err)
+			}
+			assert.Equal(t, repo.Name(), test.expectedRepoName)
+		}
+	})
+}