search

pulp / pulp_container

Pulp Container Registry
https://docs.pulpproject.org/pulp_container/
GNU General Public License v2.0
23 stars 45 forks source link

Get more information in case of failed syncing signed repos #1752

Open git-hyagi opened 2 months ago

git-hyagi commented 2 months ago

Is your feature request related to a problem? Please describe. Trying to sync signed - via cosign - repositories with filtered tags and enforcing the sync to mirror only signed content, but without including the sha256-{digest}.sig tag, will fail and no error will be presented.

Describe the solution you'd like Consider the sync task as failed in case no manifests were synced because of the missing sig tag in the include-tags filter and "cosign repo".

Describe alternatives you've considered We could provide a warning message (not sure if it would be better in docs or logs, maybe both) saying to not forget to include the sig tag in case of syncing filtered repos with cosign signatures and no sigstore.

Additional context Steps to reproduce:

$ pulp container repository create --name foo
$ pulp container remote create --name foo --url "https://quay.io" --upstream-name=curl/curl --include-tags='["8.9.1"]'
$ curl -H 'content-type:application/json' -u<user>:<pass> -X POST ${BASE_ADDR}$(pulp container repository show --name foo |jq .pulp_href -r)sync/ -d '{"signed_only": true, "remote": '$(pulp container remote show --name foo |jq .pulp_href)'}'

From pulp logs, we can only see that the sync task completed:

('pulp [bd85f6a2fa13419cb3d67bb1163b1581]: ::ffff:127.0.0.1 - admin [30/Aug/2024:16:15:10 +0000] "GET /pulp/api/v3/tasks/0191a411-b9ce-71a1-899b-7a4bee062ece/ HTTP/1.0" 200 677 "-" "Pulp-CLI/0.27.1"',)
pulp [56bfc0cd783045c286b891070cd51235]: pulp_container.app.tasks.sync_stages:INFO: The unsigned image sha256:7dd57efcae8c9c2a611816151d731a02a31fab5ab9fb5e0ff877f43009944a51 can't be synced due to a requirement to sync signed content only.
pulp [56bfc0cd783045c286b891070cd51235]: pulpcore.tasking.tasks:INFO: Task completed 0191a411-b63a-7b30-9318-6251f74fb8cf
pulp [bd85f6a2fa13419cb3d67bb1163b1581]: pulpcore.tasking.tasks:INFO: Starting task 0191a411-b9ce-71a1-899b-7a4bee062ece
pulp [bd85f6a2fa13419cb3d67bb1163b1581]: pulpcore.tasking.tasks:INFO: Task completed 0191a411-b9ce-71a1-899b-7a4bee062ece

but checking the manifests, there is no synced manifest:

$ pulp container content -tmanifest list
[]

adding the .sig tag to the include-tags list will successfully sync the manifests:

pulp container remote create --name foo --url "https://quay.io" --upstream-name=curl/curl --include-tags='["8.9.1","sha256-7dd57efcae8c9c2a611816151d731a02a31fab5ab9fb5e0ff877f43009944a51.sig"]'
ipanova commented 2 months ago

You forgot to mention that you are enforcing the sync to mirror only signed content.

ipanova commented 2 months ago

I would make this a doc issue and add a note on the cosign signature mirroring workflow, that filtered sync and signed_only sync can be to certain extent 'incompatible'.

ipanova commented 2 months ago

saying to not forget to include the sig tag

The user will not be able to do so. Usually you do not have handy manifest digest ahead of syncing from remote source.