oras-project / oras

OCI registry client - managing content like artifacts, images, packages
https://oras.land
Apache License 2.0

Extend the ORAS annotating capabilities in oras attach and oras manifest #1531

Open FeynmanZhou opened 1 week ago

FeynmanZhou commented 1 week ago

What is the version of your ORAS CLI

v1.2.0

What would you like to be added?

Extend the ORAS annotating capabilities to support:

Attach an annotation as a referrer to an existing multi-arch image and its child arch-specific image manifests (without mutating their digests) in one shot. The same annotation is supposed to be added to the parent image index and its child arch-specific image manifests recursively:

```shell
oras attach --artifact-type application/vnd.artifact.lifecycle --annotation "vnd.artifact.lifecycle.end-of-life.date=2023-05-12" --platform all --oci-layout layout-dir:v1

Attached to [oci-layout] layout-dir@sha256:2af402374d4c9297bf077b1e722d52
Digest: sha256:117308d626166e77ffbd9c76b5545101b723csdcxcxc2344556642
Attached to the child image manifest layout-dir@sha256:aaaaaaaaaaaaaaaaa
Digest: sha256:bbbbbbbbbbbbbbbbb
Attached to the child image manifest layout-dir@sha256:ccccccccccccccccc
Digest: sha256:ddddddddddddddddd
```

View attached annotations of the multi-arch image (index) and its child image manifest:

```shell
$ oras discover --oci-layout layout-dir:v1 --platform all --format tree

|--Image index
|  layout-dir@sha256:447c006400aae8b0d302cafba172f5da9889d50af085ad51d
|   └── application/vnd.artifact.lifecycle
|       └── sha256:b25b53b7df86a5dc7087cf96ed88fd1d8872271422224d7
|           └── vnd.artifact.lifecycle.end-of-life.date: "2023-05-12"
|
|--Image manifest [1]
|  layout-dir@sha256:447c006400aae8b0d302caf9d50af089d50af089d50af089d
|  └── application/vnd.artifact.lifecycle
|      └── sha256:b25b53b7df86a5dc7087cf96ed88fd1d8872271422224d7
|          └── vnd.artifact.lifecycle.end-of-life.date: "2023-05-12"
|
└--Image manifest [2]
   layout-dir@sha256:447c006400aae8b0d302cafba172f5da9889d50af085ad51d
   └── application/vnd.artifact.lifecycle
       └── sha256:b25b53b7df86a5dc7087cf96ed88fd1d8872271422224d7
           └── vnd.artifact.lifecycle.end-of-life.date: "2023-05-12"
```

The expected result will be: [image]

Why is this needed for ORAS?

Scenario: A security engineer Cindy needs to use image lifecycle annotations to mark when the vulnerable image should be considered end of life (EoL) and no longer used by dependent services.

However, as there are multi-arch images and separate arch-specific images maintained by service teams, it is cumbersome that Cindy can only apply annotations manually to each arch-specific image. Image consumers only reference the multi-arch image by a tag for deployment. The EoL annotation is not available on the multi-arch image (index), which makes the multi-arch image (index) unverifiable.

[image]

Are you willing to submit PRs to contribute to this feature?
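Added example (not part of this issue or of ORAS itself) showing what the request means at the manifest level: one OCI referrer manifest per subject, built for the index and for each child manifest, so every subject is referenced only by digest and its own bytes and tag stay unchanged. The `annotate_index` helper, the sample index and the placeholder child digests are assumptions for illustration; the field layout follows the OCI image manifest `subject` / empty-descriptor convention.

```python
import hashlib
import json

LIFECYCLE_TYPE = "application/vnd.artifact.lifecycle"
EOL_KEY = "vnd.artifact.lifecycle.end-of-life.date"
EMPTY_BLOB = b"{}"  # content of the OCI 1.1 empty descriptor

def digest_of(blob: bytes) -> str:
    return "sha256:" + hashlib.sha256(blob).hexdigest()

def canonical(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()

def referrer_for(subject: dict, eol_date: str) -> dict:
    """Image manifest carrying the EoL annotation and pointing at `subject`.
    The subject is referenced by digest only, so its bytes and tag are untouched."""
    empty = {"mediaType": "application/vnd.oci.empty.v1+json",
             "digest": digest_of(EMPTY_BLOB), "size": len(EMPTY_BLOB)}
    return {"schemaVersion": 2,
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "artifactType": LIFECYCLE_TYPE,
            "config": empty, "layers": [empty],
            "subject": subject,
            "annotations": {EOL_KEY: eol_date}}

def annotate_index(index_bytes: bytes, eol_date: str) -> dict:
    """Hypothetical helper: map each subject digest (the index itself plus every
    child manifest listed in it) to the referrer manifest that would be pushed."""
    index = json.loads(index_bytes)
    subjects = [{"mediaType": index["mediaType"],
                 "digest": digest_of(index_bytes), "size": len(index_bytes)}]
    subjects += [{k: m[k] for k in ("mediaType", "digest", "size")}
                 for m in index["manifests"]]
    return {s["digest"]: referrer_for(s, eol_date) for s in subjects}

# Constructed sample index with two placeholder child digests (not real images).
SAMPLE_INDEX = canonical({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:" + "aa" * 32, "size": 512,
         "platform": {"architecture": "amd64", "os": "linux"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:" + "cc" * 32, "size": 512,
         "platform": {"architecture": "arm64", "os": "linux"}}]})

if __name__ == "__main__":
    for subject, ref in annotate_index(SAMPLE_INDEX, "2023-05-12").items():
        print(f"Attached to {subject}\nDigest: {digest_of(canonical(ref))}")
```

The printed referrer digests depend on this script's JSON encoding, so they will differ from what a registry client computes for its own byte layout; the subject digests are the ones that matter for `oras discover`.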

tarilabs commented 5 days ago

Hi, I noticed this GitHub issue speaks of an `oras manifest create` command, but I can't see `oras manifest create`...

```shell
~ % oras manifest --help
Manifest operations

Usage:
  oras manifest [command]

Available Commands:
  delete       Delete a manifest from remote registry
  fetch        Fetch manifest of the target artifact
  fetch-config Fetch the config of a manifest from a registry or an OCI image layout
  push         Push a manifest to a registry or an OCI image layout
```

Can you kindly direct me to where I can read more about it, please?