Image-rs & CDH | Refactoring and use the same ImageClient #708
A big improvement imo. I left a few comments.
LGTM
I think there are still some improvements to make in image-rs, but this is a step forward.
Thanks for the work @Xynnn007. Just a comment:
// lint from warning dead code.
common::clean_configs()
.await
.expect("Delete configs failed.");
let mut image_client = image_rs::image::ImageClient::new(work_dir.path().to_path_buf());
@Xynnn007 Do we need to initialize the `image_client` instance using `ClientBuilder`?
Yes.
btw The `ClientBuilder` logic brings `image policy`, `auth file`, `sigstore config` fetching at the time of creation of `ClientBuilder.build()`, and supports reading them from the local filesystem.
Got it. You mean that `ClientBuilder.build()` would read some configs by default that are irrelevant to image decryption?
Oh. I mean that `image policy`, `auth file`, `sigstore config` all are explicitly set in the config file. If any/all of them is set, the read will be performed by `ClientBuilder.build()`
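An added sketch of the build-time loading described in this thread, not code from image-rs or from the PR author: `ImageConfig`, `Builder`, `Client` and `load` are hypothetical names, the policy file is constructed sample data, and treating a set but unreadable source as a build error is an assumption.

```rust
use std::{fs, io, path::PathBuf};

// Hypothetical config: each source is optional and is read only if set.
#[derive(Default)]
struct ImageConfig {
    image_policy: Option<PathBuf>,
    auth_file: Option<PathBuf>,
    sigstore_config: Option<PathBuf>,
}

// Hypothetical client holding what was loaded once, at build time.
#[derive(Debug)]
struct Client {
    image_policy: Option<String>,
    auth: Option<String>,
    sigstore_config: Option<String>,
}

struct Builder { config: ImageConfig }

impl Builder {
    // An unset source is skipped; a set but unreadable one fails the build
    // (assumed behaviour for this sketch), so pulls never run without it.
    fn load(name: &str, path: &Option<PathBuf>) -> io::Result<Option<String>> {
        match path {
            None => Ok(None),
            Some(p) => fs::read_to_string(p)
                .map(Some)
                .map_err(|e| io::Error::new(e.kind(), format!("{name} {}: {e}", p.display()))),
        }
    }

    // All configured sources are read here, once, instead of on every pull.
    fn build(self) -> io::Result<Client> {
        Ok(Client {
            image_policy: Self::load("image policy", &self.config.image_policy)?,
            auth: Self::load("auth file", &self.config.auth_file)?,
            sigstore_config: Self::load("sigstore config", &self.config.sigstore_config)?,
        })
    }
}

fn main() -> io::Result<()> {
    // Constructed sample policy written to a temp file for the demo.
    let policy = std::env::temp_dir().join("example-policy.json");
    fs::write(&policy, r#"{"default":[{"type":"reject"}]}"#)?;
    let cfg = ImageConfig { image_policy: Some(policy), ..Default::default() };
    println!("{:?}", Builder { config: cfg }.build()?);
    Ok(())
}
```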
Yes. Please give some ideas about this, and I will try to figure out if we can promote in this pr together
Refactor signature module from function way to object oriented. Also changed the logic a little to avoid duplicated get resource operation. Signed-off-by: Xynnn007 <[email protected]>
change the whole resource module's API into an object. This would help to make the modularization clear and better maintenance. Also, change the feature `getresource` to `kbs`. Because this feature only adds support to find resources with `kbs:///` uri scheme. deletes useless lines in Cargo.toml Signed-off-by: Xynnn007 <[email protected]>
Now auth is a separate module with an object. This would help to maintain the internal status of each auth module. Signed-off-by: Xynnn007 <[email protected]>
With clientBuilder, we can get registry auth, sigstore config file and image policy when the client is built. This would help to avoid duplicated file getting. Also, combined CDH's image config with image-rs'. To leverage the new client builder, we mark the image pull object as a static one to be lazily initialized. Because before CDH is set up, the initialization steps of image client cannot pass when fetching resources from KBS. Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
Now we use kbs to refer to the old feature getresource Signed-off-by: Xynnn007 <[email protected]>
Rebased to resolve the conflicts.
LGTM thanks for the work @Xynnn007. BTW, I have a question that’s unrelated to this PR:
I’ve noticed that some comments in the code of the repo use three slashes `///`, while others use two `//`. Are there specific scenarios for using these two types of comments? For example, is it recommended to use `///` in one comment type and `//` in another comment type?
Three slash comments get used to generate the rustdocs. You can also use
Thanks Tobin. I noticed that some public structures or variables in the structure in the code are commented with
BTW, do we need to cut a minor release and bump guest-components and image-rs to the new minor release in kata, according to the community meeting? If so, I recommend holding off on merging this PR until the release is cut.
It sounds like we don't need another release, but we still might want to wait until next week to merge this stuff just in case.
Yeah I think we have not been very consistent so far.
Added another commit to replace HTTPS_PROXY and NO_PROXY env setting with config to
New dependency oci-client version supports setting HTTPS_PROXY and NO_PROXY without setting env of the whole process. Also, this commit marks the cosign module's client TODO to add a proxy configuration. Signed-off-by: Xynnn007 <[email protected]>
Added another commit to support self-signed image registry certs in CDH/image-rs config. Seeing that cosign will also need to fetch signatures from the same registry, I made a PR to support this in sigstore-rs crate. sigstore/sigstore-rs#392 After that PR is merged we can make the story complete
Fixes confidential-containers#525 Signed-off-by: Xynnn007 <[email protected]>
This PR organizes the code of image-rs to make it more modular and allows CDH and image-rs to share the same image pull configuration file.
With the modular refactoring, we found some hidden bugs that were caused by static/global variables. This refactoring tries to get rid of static/global variables to promote reentrancy.
Please see each commit for a more structured view.
cc @fitzthum @ChengyuZhu6