rancher-sandbox / rancher-desktop

Container Management and Kubernetes on the Desktop
https://rancherdesktop.io
Apache License 2.0

Support extension names specified via digest instead of tag #4938

Open jandubois opened 1 year ago

jandubois commented 1 year ago

This currently doesn't work:

```
$ rdctl extension install julianb90/tachometer@sha256:40c3642d4ef5f211637b7d558dd677e85acf3af190a771c9222f71a47feaa14b
The image julianb90/tachometer@sha256:40c3642d4ef5f211637b7d558dd677e85acf3af190a771c9222f71a47feaa14b is not an allowed extension
{"message":"403 Forbidden"}
```

This needs to be supported for:

We may want a mechanism in the catalog for the user (admin) to get the image digest instead of the tag[^1]. Installing an extension from the catalog must be allowed if either the tag or the digest is in the list of allowed extensions.

[^1]: The digest is currently only available from the CLI after the extension is already installed via `docker images --digests`.

jandubois commented 1 year ago

I'm tempted to say that the extension allow list should only allow digests and not tags.

I'm wondering if digest should be mandatory (in the allow list) because users can retag images at will, so filtering extensions without digest doesn't really provide useful functionality beyond what the image allow list already does.
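
The matching rule discussed in this thread (allow an install when either the tag or the digest is on the allow list, with an optional digest-only mode), sketched as an added example that is not Rancher Desktop's code. `parseRef`, `isAllowed`, the `resolvedDigest` argument and the `digestOnly` switch are hypothetical names, and the sketch assumes the caller has already asked the registry which digest a tag points to.

```typescript
// Added example; all names here are hypothetical, not Rancher Desktop's code.
interface ImageRef { name: string; tag?: string; digest?: string }

const DIGEST_RE = /^sha256:[0-9a-f]{64}$/;

// Split "name[:tag][@digest]". A colon starts a tag only when it follows the
// last "/", so a registry port such as "localhost:5000/ext" stays in the name.
function parseRef(ref: string): ImageRef {
  const at = ref.indexOf('@');
  const digest = at >= 0 ? ref.slice(at + 1) : undefined;
  let name = at >= 0 ? ref.slice(0, at) : ref;
  if (digest !== undefined && !DIGEST_RE.test(digest)) {
    throw new Error(`invalid digest in "${ref}"`);
  }
  let tag: string | undefined;
  const colon = name.lastIndexOf(':');
  if (colon > name.lastIndexOf('/')) {
    tag = name.slice(colon + 1);
    name = name.slice(0, colon);
  }
  if (name === '') throw new Error(`missing image name in "${ref}"`);
  return { name, tag, digest };
}

// requested: the reference the user or the catalog asked for.
// resolvedDigest: the digest the registry reported for that reference
// (assumption: looked up by the caller before this check runs).
// digestOnly: ignore tag and name-only entries, as proposed in the thread.
function isAllowed(requested: string, allowList: string[],
  resolvedDigest?: string, digestOnly = false): boolean {
  const req = parseRef(requested);
  const pinned = req.digest ?? resolvedDigest;
  return allowList.map(parseRef).some((entry) => {
    if (entry.name !== req.name) return false;
    // A digest entry matches only the exact image content.
    if (entry.digest !== undefined) return entry.digest === pinned;
    // A tag entry cannot vouch for a request made by digest alone.
    if (digestOnly || req.digest !== undefined) return false;
    // Assumption: an entry without a tag allows every tag of that image.
    return entry.tag === undefined || entry.tag === req.tag;
  });
}
```

With a digest entry on the list, a tag that has been moved to different content is rejected because the resolved digest no longer matches; with only a tag entry, the same request passes unless `digestOnly` is set.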