openshift / machine-config-operator

Apache License 2.0

NO-JIRA: format policy.json #4412

Closed QiWang19 closed 3 months ago

QiWang19 commented 3 months ago

- What I did

- How to verify it

```yaml
apiVersion: config.openshift.io/v1alpha1
kind: ClusterImagePolicy
metadata:
  name: p1
spec:
  scopes:
    - localhost:5000/myns/sigstore-signed-with-full-references
    - example.com/global
  policy:
    rootOfTrust:
      policyType: PublicKey
      publicKey:
        keyData: Zm9vIGJhcg==
    signedIdentity:
      matchPolicy: MatchRepoDigestOrExact
```

policy.json:

```
sh-5.1# cat /etc/containers/policy.json 
{"default":[{"type":"insecureAcceptAnything"}],"transports":{"atomic":{"example.com/global":[{"type":"sigstoreSigned","keyData":"Zm9vIGJhcg==","signedIdentity":{"type":"matchRepoDigestOrExact"}}],"localhost:5000/myns/sigstore-signed-with-full-references":[{"type":"sigstoreSigned","keyData":"Zm9vIGJhcg==","signedIdentity":{"type":"matchRepoDigestOrExact"}}]},"docker":{"example.com/global":[{"type":"sigstoreSigned","keyData":"Zm9vIGJhcg==","signedIdentity":{"type":"matchRepoDigestOrExact"}}],"localhost:5000/myns/sigstore-signed-with-full-references":[{"type":"sigstoreSigned","keyData":"Zm9vIGJhcg==","signedIdentity":{"type":"matchRepoDigestOrExact"}}]},"docker-daemon":{"":[{"type":"insecureAcceptAnything"}]}}}sh-5.1# 
```

This patch:

```
sh-5.1# cat /etc/containers/policy.json 
{
  "default": [
    {
      "type": "insecureAcceptAnything"
    }
  ],
  "transports": {
    "atomic": {
      "example.com/global": [
        {
          "type": "sigstoreSigned",
          "keyData": "Zm9vIGJhcg==",
          "signedIdentity": {
            "type": "matchRepoDigestOrExact"
          }
        }
      ],
      "localhost:5000/myns/sigstore-signed-with-full-references": [
        {
          "type": "sigstoreSigned",
          "keyData": "Zm9vIGJhcg==",
          "signedIdentity": {
            "type": "matchRepoDigestOrExact"
          }
        }
      ]
    },
    "docker": {
      "example.com/global": [
        {
          "type": "sigstoreSigned",
          "keyData": "Zm9vIGJhcg==",
          "signedIdentity": {
            "type": "matchRepoDigestOrExact"
          }
        }
      ],
      "localhost:5000/myns/sigstore-signed-with-full-references": [
        {
          "type": "sigstoreSigned",
          "keyData": "Zm9vIGJhcg==",
          "signedIdentity": {
            "type": "matchRepoDigestOrExact"
          }
        }
      ]
    },
    "docker-daemon": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    }
  }
}sh-5.1#
```

- Description for the changelog

openshift-ci[bot] commented 3 months ago

Skipping CI for Draft Pull Request. If you want CI signal for your change, please convert it to an actual PR. You can still manually trigger a test run with /test all

QiWang19 commented 3 months ago

@yuqi-zhang could you approve?

rphillips commented 3 months ago

/lgtm

rphillips commented 3 months ago

This might cause a reboot due to the differences in serialization.

MCO skips a reboot on this file, so it's ok.
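The serialization difference discussed in this comment can be checked mechanically. The following is an added example, not code from this pull request or from the machine-config-operator: it shows that re-indenting `policy.json` changes the bytes but not the document, and that the scopes requiring `sigstoreSigned` are unchanged. The names `SameDocument` and `SigstoreScopes` are hypothetical, and the sample is trimmed from the compact output in the PR description.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed sample: the docker and docker-daemon entries of the compact policy.json in the PR description.
const compactPolicy = `{"default":[{"type":"insecureAcceptAnything"}],"transports":{"docker":{"example.com/global":[{"type":"sigstoreSigned","keyData":"Zm9vIGJhcg==","signedIdentity":{"type":"matchRepoDigestOrExact"}}],"localhost:5000/myns/sigstore-signed-with-full-references":[{"type":"sigstoreSigned","keyData":"Zm9vIGJhcg==","signedIdentity":{"type":"matchRepoDigestOrExact"}}]},"docker-daemon":{"":[{"type":"insecureAcceptAnything"}]}}}`

type policy struct {
	Transports map[string]map[string][]struct {
		Type string `json:"type"`
	} `json:"transports"`
}

// SameDocument compares a and b with whitespace removed; key order must match (true for re-indentation).
func SameDocument(a, b []byte) bool {
	var ca, cb bytes.Buffer
	ok := json.Compact(&ca, a) == nil && json.Compact(&cb, b) == nil
	return ok && bytes.Equal(ca.Bytes(), cb.Bytes())
}

// SigstoreScopes lists the "transport/scope" entries that carry a sigstoreSigned requirement.
func SigstoreScopes(raw []byte) ([]string, error) {
	var p policy
	err := json.Unmarshal(raw, &p)
	var out []string
	for transport, scopes := range p.Transports {
		for scope, reqs := range scopes {
			for _, r := range reqs {
				if r.Type == "sigstoreSigned" {
					out = append(out, transport+"/"+scope)
					break
				}
			}
		}
	}
	sort.Strings(out)
	return out, err
}

func main() {
	var pretty bytes.Buffer
	json.Indent(&pretty, []byte(compactPolicy), "", "  ")
	fmt.Println(SameDocument(pretty.Bytes(), []byte(compactPolicy)))
	fmt.Println(SigstoreScopes(pretty.Bytes()))
}
```

A byte-level comparison of the old and new file reports a change here, while the whitespace-insensitive comparison and the scope listing both show the effective signature policy is the same.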

rphillips commented 3 months ago

/retitle NO-JIRA: format policy.json

openshift-ci-robot commented 3 months ago

@QiWang19: This pull request explicitly references no jira issue.

Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Fmachine-config-operator). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.

openshift-ci[bot] commented 3 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: QiWang19, rphillips, yuqi-zhang

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[pkg/controller/container-runtime-config/OWNERS](https://github.com/openshift/machine-config-operator/blob/master/pkg/controller/container-runtime-config/OWNERS)~~ [yuqi-zhang]

Approvers can indicate their approval by writing `/approve` in a comment

Approvers can cancel approval by writing `/approve cancel` in a comment

openshift-ci-robot commented 3 months ago

/retest-required

Remaining retests: 0 against base HEAD 6498d69dfd70ccb47f2c1089c5db419c9bcdab26 and 2 for PR HEAD 459d4c0d4de0f6c53916fac3e8f7975c6183a9ef in total

rphillips commented 3 months ago

/test e2e-aws-ovn

openshift-ci[bot] commented 3 months ago

@QiWang19: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository. I understand the commands that are listed [here](https://go.k8s.io/bot-commands).

openshift-bot commented 3 months ago

[ART PR BUILD NOTIFIER]

This PR has been included in build ose-machine-config-operator-container-v4.17.0-202406210743.p0.g612b9cd.assembly.stream.el9 for distgit ose-machine-config-operator. All builds following this will include this PR.