Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introduce new attestation exporter options #3403

Closed
wants to merge 5 commits into from
Closed

Introduce new attestation exporter options #3403

wants to merge 5 commits into from

Conversation

jedevc
Copy link
Member

@jedevc jedevc commented Dec 14, 2022
edited
Loading

These replace the inline-only attestation fields introduce in #3342.

Instead, we can now specify attestations=<true/false/filter-list> per exporter, to enable specific attestation per exporter - the default in buildkit is set to true. The possible values are:

  • true: output all provided attestations from the solver
  • false: output none of the provided attestations from the solver
  • reason,[reasons]: a csv list of reasons, outputs only the attestations that were generated for one of those specified reasons, using the metadata field. e.g. --output type=...,attestations=provenance will only include provenance attestations in the output for that exporter, even if other attestations (like SBOMs) were generated in the solver.

We also update the attestation-prefix option to be attestation[s]-prefix - to be more aligned with the new attestations flag.

Additionally, we have a few smaller minor refactoring commits around the exporter:

  • Propogate metadata through unbundling (wasn't causing any issues now, but could in the future, since logically we should inherit metadata through the process)
  • Moves fs opt parsing into shared logic between the local+tar exporters, so we don't need to duplicate all of that.
  • Removes non-dist options from the tar exporter (introduced in Do not re-tag non-distributable blob descriptors #2561) - these aren't ever used, so we can silently drop them. If clients were using this, no error will occur, it will just silently do nothing.

@jedevc jedevc requested a review from tonistiigi December 14, 2022 12:37
@jedevc jedevc mentioned this pull request Dec 14, 2022
Closed
@jedevc jedevc added this to the v0.11.0 milestone Dec 14, 2022
@jedevc jedevc force-pushed the exporter-attestations-options branch from de22d35 to 2aa3f8a Compare December 14, 2022 14:29
tonistiigi
tonistiigi reviewed Dec 14, 2022
View reviewed changes
Copy link
Member

@tonistiigi tonistiigi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not convinced we should remove inline-only. I think this is the correct way for client to ask for expected behavior without knowing too much about the internals. I don't mind a way to skip attestation on exporter level as well if there is a use case.

@jedevc jedevc mentioned this pull request Dec 16, 2022
Closed
@jedevc jedevc force-pushed the exporter-attestations-options branch from 2aa3f8a to fe28241 Compare December 16, 2022 11:07
@jedevc
Copy link
Member Author

jedevc commented Dec 16, 2022

Removed inline-only in #3420 - we shouldn't block the rest of the changes on that.

tonistiigi
tonistiigi reviewed Dec 20, 2022
View reviewed changes
exporter/attestation/filter.go
}

for _, att := range attestations {
target, ok := att.Metadata[result.AttestationReasonKey]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not from this PR but I don't understand why this is called a "reason". It is attestation type. So why can't we just use the already existing predicate type field?

@jedevc jedevc mentioned this pull request Jan 5, 2023
Open
jedevc added 5 commits January 5, 2023 14:25
@jedevc
tests: fixup attestation tar to not panic when file not found
91324b5 
Signed-off-by: Justin Chadwell <[email protected]>
@jedevc
exporter: move fs opt parsing to method
a9ed1f1 
This allows one implementation for all the opts parsing, similar to how
we do today for the ImageCommitOpts. Additionally, we rename
attestation-prefix to attestations-prefix (pluralized) to prepare for
the new attestations option.

Signed-off-by: Justin Chadwell <[email protected]>
@jedevc
exporter: remove non dist options from tar exporter
ab91151 
This option looks like a mistake added in 45fc3ed.
These options aren't ever used, so we don't need to parse them, we can
just silently discard them.

Signed-off-by: Justin Chadwell <[email protected]>
@jedevc
exporter: add attestations key to allow disabling attestation output
602d9f8 
Signed-off-by: Justin Chadwell <[email protected]>
@jedevc
exporter: allow attestation options to contain list of reasons
2488167 
Instead of just the boolean true/false values, we allow the attestation
option for exporters to contain an arbitrary list of "attestation
reasons". Only attestations that have a reason matching the list will
actually be output.

This allows clients to completely detach the concepts of "what
attestations to generate" and "what attestations to output".

Signed-off-by: Justin Chadwell <[email protected]>
@jedevc jedevc force-pushed the exporter-attestations-options branch from fe28241 to 2488167 Compare January 5, 2023 14:30
@jedevc jedevc mentioned this pull request Jan 6, 2023
Merged
@jedevc jedevc closed this Jan 6, 2023
@jedevc jedevc mentioned this pull request Jan 6, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tonistiigi tonistiigi tonistiigi left review comments

Assignees
No one assigned
Labels
area/attestations
Projects
None yet
Milestone
v0.11.0
Development

Successfully merging this pull request may close these issues.
2 participants
@jedevc @tonistiigi