kubernetes / release

Release infrastructure for Kubernetes and related components
Apache License 2.0

Fix unsigned patch releases #2962

Open puerco opened 1 year ago

puerco commented 1 year ago

While cutting the February patch releases, the image promoter got rate limited by Fulcio, the sigstore certificate authority (see this long thread in slack for more context). This caused the signatures in the published images to be in an inconsistent state: some images are signed, some not, and some don't have their signatures replicated.

In order to fix the problem we need to check the signatures of images, ensure they are signed with the expected identity, and that they are correctly replicated. Then, based on that there are two actions to be taken:

  1. Sign and replicate those missing signatures
  2. Replicate signatures of any partially signed images

After manually fixing these, we can move the promoter subcommand to audit the signatures in the future.

Justification

The signatures on our images are the stamp of approval to show that the community approved them to be published to the production registries. Any signed image can be traced back to a PR in a manifest where the change was signed off by the relevant community members. We can always sign them after publishing by ensuring we are signing on the correct digests based on the manifest data.

Action Plan

/cc @cpanato @kubernetes/release-managers
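The audit described above (verify each published reference against the expected signing identity, then decide per digest whether it needs signing or only signature replication), as an added example that is not part of the issue or of the kubernetes/release promoter code. It assumes the `cosign` CLI with its `--certificate-identity` and `--certificate-oidc-issuer` flags on `cosign verify`; the identity and issuer values are placeholders to be replaced with the real signing workflow's, and `COSIGN` can be pointed at a substitute command for dry runs. Input is one `registry/repo@sha256:...` reference per line, one line per registry replica of the same digest, so a digest that verifies in some registries but not others is reported as partially replicated:

```bash
#!/usr/bin/env bash
# Added example (not kubernetes/release code): audit cosign signatures on a
# set of promoted image references and classify each digest as fully signed,
# partially replicated, or unsigned.
#
# Assumptions: the expected certificate identity and OIDC issuer below are
# placeholders, not values from the issue; `cosign` is on PATH unless COSIGN
# names another command.
set -u

COSIGN="${COSIGN:-cosign}"
EXPECTED_IDENTITY="${EXPECTED_IDENTITY:-PLACEHOLDER-expected-signer-identity}"
OIDC_ISSUER="${OIDC_ISSUER:-PLACEHOLDER-oidc-issuer-url}"

# verify_ref REF: exit 0 if REF carries a cosign signature bound to the
# expected identity and issuer, 1 otherwise. A missing signature, a signature
# from the wrong identity, and a verification error all count as "not signed".
verify_ref() {
  "$COSIGN" verify \
    --certificate-identity "$EXPECTED_IDENTITY" \
    --certificate-oidc-issuer "$OIDC_ISSUER" \
    "$1" >/dev/null 2>&1
}

# audit_refs: read references from stdin and print one
# "SIGNED <ref>" or "UNSIGNED <ref>" line per reference.
audit_refs() {
  while IFS= read -r ref; do
    [ -n "$ref" ] || continue
    if verify_ref "$ref"; then
      printf 'SIGNED %s\n' "$ref"
    else
      printf 'UNSIGNED %s\n' "$ref"
    fi
  done
}

# classify_digests: read audit_refs output from stdin and print, per digest:
#   FULLY_SIGNED <digest>  every replica verified
#   PARTIAL <digest>       some replicas verified -> replicate the signature
#   UNSIGNED <digest>      no replica verified    -> sign, then replicate
classify_digests() {
  awk '{
    status = $1; ref = $2
    n = split(ref, parts, "@"); digest = parts[n]
    total[digest]++
    if (status == "SIGNED") signed[digest]++
  }
  END {
    for (d in total) {
      s = (d in signed) ? signed[d] : 0
      if (s == total[d])  printf "FULLY_SIGNED %s\n", d
      else if (s > 0)     printf "PARTIAL %s\n", d
      else                printf "UNSIGNED %s\n", d
    }
  }' | sort
}

# Usage: audit-signatures.sh refs.txt   (one image reference per line)
if [ "$#" -gt 0 ]; then
  audit_refs < "$1" | classify_digests
fi
```

The per-digest grouping is what separates the two follow-up actions in the issue: a `PARTIAL` digest already has a valid signature somewhere and only needs it copied to the registries where verification failed, whereas an `UNSIGNED` digest has to be signed first, against the digest recorded in the promoter manifest, and then replicated.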

puerco commented 1 year ago

/priority critical-urgent

puerco commented 1 year ago

The scope of this issue is now expanded to fix the March patches which got rate limited when calling the registry. This is a new problem and we now have to maneuver around the AR registry limits [slack ref].

puerco commented 1 year ago

/assign

k8s-triage-robot commented 1 year ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

xmudrii commented 1 year ago

/remove-lifecycle stale

k8s-triage-robot commented 7 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

xmudrii commented 7 months ago

/retitle Fix unsigned patch releases
/remove-lifecycle stale

k8s-triage-robot commented 4 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

xmudrii commented 4 months ago

/lifecycle frozen

anshikavashistha commented 3 months ago

@puerco This project seems interesting to me. I really want to work on this project. Is there any prerequisite task that needs to be done? Please share the link of the community channel or any Slack channel.