Image-rs & CDH | Refactoring and use the same ImageClient #708
Conversation
Xynnn007
force-pushed
the
refact-config
branch
8 times, most recently
from
db80b82
to
c757c51
Compare
Xynnn007
force-pushed
the
refact-config
branch
from
c757c51
to
ee971ab
Compare
Xynnn007
force-pushed
the
refact-config
branch
2 times, most recently
from
6e87742
to
8813e45
Compare
| // lint from warning dead code. | ||
| common::clean_configs() | ||
| .await | ||
| .expect("Delete configs failed."); | ||
| let mut image_client = image_rs::image::ImageClient::new(work_dir.path().to_path_buf()); |
There was a problem hiding this comment.
@Xynnn007 Do we need to initialize the image_client instance using ClientBuilder ?
There was a problem hiding this comment.
btw The ClientBuilder logic brings image policy, auth file, sigstore config fetching in the time of creation of ClientBuilder.build(), and supports to read them from local filesystem.
There was a problem hiding this comment.
Got it. You mean that ClientBuilder.build() would read some configs by default that are irrelevant to image descryption?
There was a problem hiding this comment.
Oh. I mean that image policy, auth file, sigstore config all are explicitly set in the config file. If any/all of them is set, the read will be performed by ClientBuilder.build()
Yes. Please give some ideas about this, and I will try to figure out if we can promote in this pr together |
Refactor signature module from function way to object oriented. Also changed the logic a little to avoid duplicated get resource operation. Signed-off-by: Xynnn007 <[email protected]>
change the whole resource module's API into an object. This would help to make the modularation clear and better maintainance. Also, change the feature `getresource` to `kbs`. Because this feature only adds supports to find resources with `kbs:///` uri scheme. deletes useless lines in Cargo.toml Signed-off-by: Xynnn007 <[email protected]>
Now auth is a separate module with an object. This would help to maintain the internal status of each auth module. Signed-off-by: Xynnn007 <[email protected]>
With clientBuilder, we can get registry auth, sigstore config file and image policy when the client is built. This would help to avoid duplicated file getting. Also, combined CDH's image config with image-rs'. To leverage the new client builder, we mark the image pull object as a static one to be lazily initialized. Because before CDH is set up, the initialization steps of image client cannot pass when fetching resources from KBS. Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
Now we use kbs to refer to the old feature getresource Signed-off-by: Xynnn007 <[email protected]>
Xynnn007
force-pushed
the
refact-config
branch
from
8813e45
to
9e75e02
Compare
|
Rebased to resolve the conflicts. |
There was a problem hiding this comment.
LGTM thanks for the work @Xynnn007. BTW, I have a question that’s unrelated to this PR:
I’ve noticed that some comments in the code of the repo use three slashes ///, while others use two //. Are there specific scenarios for using these two types of comments? For example, is it recommended to use /// in one comment type and // in another comment type?
| // lint from warning dead code. | ||
| common::clean_configs() | ||
| .await | ||
| .expect("Delete configs failed."); | ||
| let mut image_client = image_rs::image::ImageClient::new(work_dir.path().to_path_buf()); |
There was a problem hiding this comment.
Got it. You mean that ClientBuilder.build() would read some configs by default that are irrelevant to image descryption?
Three slash comments get used to generate the rustdocs. You can also use |
Thanks Tobin. I noticed that some public structures or variables in the structure in the code are commented with |
|
BTW, do we need to cut a minor release and bump guest-components and image-rs to the new minor release in kata, according to the community meeting? If so, I recommend holding off on merging this PR until the release is cut. |
It sounds like we don't need another release, but we still might want to wait until next week to merge this stuff just in case. |
Yeah I think we have not been very consistent so far. |
|
Added another commit to replace HTTPS_PROXY and NO_PROXY env setting with config to |
New dependency oci-client version supports to set HTTPS_PROXY and NO_PROXY without setting env of the whole process. Also, this commit marks the cosign module's client TODO to add a proxy configuration. Signed-off-by: Xynnn007 <[email protected]>
Xynnn007
force-pushed
the
refact-config
branch
from
1fa5626
to
7c750ad
Compare
|
Added another commit to support self-signed image registry certs in CDH/image-rs config. Seeing that cosign will also need to fetch signatures from the same registry, I made a PR to support this in sigstore-rs crate. sigstore/sigstore-rs#392 After that PR is merged we can make the story complete |
Xynnn007
force-pushed
the
refact-config
branch
from
281c722
to
ca0c52a
Compare
Fixes confidential-containers#525 Signed-off-by: Xynnn007 <[email protected]>
Xynnn007
force-pushed
the
refact-config
branch
from
ca0c52a
to
d378288
Compare
This PR organizes the code of image-rs to make it more modular and allows CDH and image-rs to share the same image pull configuration file.
With the modular refactoring, we found some hidden bugs that caused by static/global variables. This refactoring tries to get rid of static/global variables to promote the reentrancy.
Please see each commit for a more structured view.
cc @fitzthum @ChengyuZhu6