UNCLASSIFIED - NO CUI

Docker tag sha validation

Description

https://repo1.dso.mil/ironbank-tools/infra/ironbank-bootstrap/-/issues/2091

This MR supports https://repo1.dso.mil/ironbank-tools/infra/ironbank-bootstrap/-/issues/2091 by making a change to the validate_checksum function in abstract_artifacts.py to get the skopeo output, save it to the cache and later compare that inspect output to the cache.

Recent Updates

MR (!1534 (merged)) by @cpawluko merged in to address several issues with the original:

  • If a container artifact cache miss took place, the cache was cleared but the artifact was not then redownloaded. This would result in an immediate failure. This resolves that by switching the elif change back to if.

  • For container artifacts, delete_checksum was changed to delete_manifest and validate_checksum was changed to validate_manifest. This necessitated artifact type checks in various places in the code to call the right method depending on if the artifact was a container artifact or file artifact. In one place, the old AbstractContainerArtifact.delete_checksum method was still being called even though it didn't exist anymore. Simplified by adding a common validate_cache method and delete_artifact_and_cache method to AbstractArtifact, so we no longer need artifact type checks in various places to know which method to call for cache validation and for artifact / cache deletion.

  • self.authfile was being passed into Skopeo, but self.authfile did not exist. self.authfile added to the AbstractContainerArtifact class to mirror how it's set on the ContainerArtifact class.

  • Removed some of the debug printing to print out files that didn't seem to be used anywhere, just to clean things up.

  • Cleaned up the code_checker to remove the exclusion of downloader.py.

Risk

import-artifacts job failing in the pipeline

Rollback Plan

Can revert changes and go back to manually disabling cache on tag based manifests

Testing

https://code-ib-mario.staging.dso.mil/dsop/nicolas.anderson/boxship/-/jobs/571984

tag based url test with AbstractContainerArtifact

https://code-ib-mario.staging.dso.mil/dsop/nicolas.anderson/alpine/-/jobs/571936

sha based url test with AbstractContainerArtifact

https://code-ib-mario.staging.dso.mil/dsop/nicolas.anderson/pipeline-runner-alpine-dev/-/jobs/571952

checking that checksum functionality for AbstractFileArtifact is kept

Edited by Nicolas Anderson
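
The cache-miss behaviour described in the update notes above, as an added sketch that is not the MR's or Iron Bank's code. The class and method bodies are hypothetical (only the names validate_cache and delete_artifact_and_cache come from the description), the inspect and pull callables stand in for skopeo, and the URL and digests are constructed.

```python
import json
from pathlib import Path
from tempfile import TemporaryDirectory

class CachedContainerArtifact:
    """Hypothetical stand-in for a tag-based container artifact (not Iron Bank code)."""
    def __init__(self, url, workdir, inspect, pull):
        self.url = url
        self.image = Path(workdir) / "image.tar"
        self.cache = Path(workdir) / "inspect.json"
        self.inspect = inspect  # callable(url) -> dict parsed from `skopeo inspect`
        self.pull = pull        # callable(url, dest) that writes the image

    def validate_cache(self):
        """True only if the cached inspect output still matches the registry."""
        try:
            cached = json.loads(self.cache.read_text())
        except (OSError, json.JSONDecodeError):
            return False  # missing or corrupt cache counts as a miss
        digest = cached.get("Digest") if isinstance(cached, dict) else None
        return digest is not None and digest == self.inspect(self.url).get("Digest")

    def delete_artifact_and_cache(self):
        for path in (self.image, self.cache):
            path.unlink(missing_ok=True)

    def ensure(self):
        if self.image.exists() and not self.validate_cache():
            self.delete_artifact_and_cache()
        # Plain `if`, not `elif`: a miss that clears the cache must still re-download.
        if not self.image.exists():
            current = self.inspect(self.url)
            self.pull(self.url, self.image)
            self.cache.write_text(json.dumps(current))
            return "downloaded"
        return "hit"

def demo():
    """Constructed scenario: the tag is re-pointed before the third run."""
    registry = {"Digest": "sha256:" + "a" * 64}  # constructed sample digest
    pulls = []
    def pull(url, dest):
        pulls.append(registry["Digest"])
        Path(dest).write_text(registry["Digest"])
    with TemporaryDirectory() as d:
        art = CachedContainerArtifact("docker://registry.example/app:1.0", d, lambda u: dict(registry), pull)
        results = [art.ensure(), art.ensure()]
        registry["Digest"] = "sha256:" + "b" * 64
        results.append(art.ensure())
    return results, pulls
```

With `elif` in place of the second `if`, the third run would clear the stale image and cache and then return without an image on disk.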
