feat(tvc): add pivot digest validation #118
| /// Path to an unencrypted Docker-style pull secret JSON file. | ||
| #[arg(long, value_name = "PATH")] | ||
| pub pull_secret: Option<PathBuf>, |
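Review bot: the doc comment on `pull_secret` says the file is unencrypted, but neither it nor the `#[arg]` attribute tells the user which JSON layout is expected or how the file should be protected. Suggest naming the format in the help text (for example the `auths` map of a Docker `config.json`, if that is what is parsed) and stating that the file should be readable only by the invoking user.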
Do people normally store the pull secret as a file? Either way I think they could also do `--pull-secret <(echo "contents")`
| ) | ||
| .await?; | ||
| validate_expected_digest(&result.digest, &hex::encode(manifest.pivot.hash))?; | ||
| print_result(&result); |
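Review bot: on the `validate_expected_digest(...)?` line, the `?` returns before `print_result(&result)` runs, so on a mismatch the user only sees the computed digest if the error itself carries both values. Suggest making sure the error reports expected and actual, or printing the result before validating. The call also passes `&result.digest` as-is against `hex::encode(manifest.pivot.hash)`, which is lowercase hex with no algorithm prefix, so if `result.digest` can carry a `sha256:` prefix or uppercase hex it should be normalised first, or the raw bytes compared instead.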
nit: I would prefer using path so it reads `validate_pivot_digest::print_result` because otherwise `print_result` sounds vague
This could be a bit rough because we likely need to review all the source code for these. I can double check with our code review tooling since there's a small chance it's already included in trusted repos.
A TVC app will fail to deploy if the pivot digest does not match what's pulled from the container URL. We expect users to compute their own digest via `docker create` and `sha256sum`, and also expose it in the helloworld template - this PR adds the final piece to locally validate the pivot hash.

Usage

Pivot hash validation can be individually invoked via `tvc deploy validate-pivot-digest`, but also through `--validate-pivot-digest` during `deploy create` and `deploy approve`.

There is some overlap with #117. Given that image validation is lighter (just one API call) compared to this PR, my plan is to default to image validation during `deploy create`, and run this only when the flag is provided (but skip image validation since the functionality here is a superset of that one).

Implementation

To avoid requiring docker, I added `oci-client` to pull the image, `flate2` and `tar` to read layers. Down to talk about reworking this change if these crates are too bloat-y.
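The local check described in this PR (read the image layers, hash the pivot binary, compare with the manifest value), as an added example that is not the PR's Rust code: it uses Python's standard library in place of `oci-client`, `flate2` and `tar`, and goes slightly beyond the description by handling OCI whiteout entries. Assumptions: layers are gzip-compressed tar blobs already fetched, the pivot path `/app/pivot` in the test data is hypothetical, and the digest is the SHA-256 of that one file.

```python
import hashlib, hmac, io, posixpath, tarfile

def make_layer(files):
    """Build a constructed gzip-compressed tar layer from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def pivot_digest(layers, pivot_path):
    """Hex SHA-256 of pivot_path after applying layers lowest-first, else None."""
    target = posixpath.normpath(pivot_path).lstrip("/")
    parts = target.split("/")
    hiding = set()  # whiteout entries that delete the file or an ancestor dir
    for i, part in enumerate(parts):
        parent = "/".join(parts[:i])
        hiding.add(posixpath.join(parent, ".wh." + part))
        hiding.add(posixpath.join(parent, ".wh..wh..opq"))
    digest = None
    for blob in layers:
        found, hidden = None, False
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
            for member in tar:
                path = posixpath.normpath(member.name).lstrip("/")
                if path in hiding:
                    hidden = True
                elif path == target and member.isfile():  # regular files only
                    data = tar.extractfile(member).read()
                    found = hashlib.sha256(data).hexdigest()
        # Whiteouts only affect lower layers; a file in this layer wins.
        if found is not None:
            digest = found
        elif hidden:
            digest = None
    return digest

def validate_pivot(layers, pivot_path, expected_hex):
    """Compare with the manifest value; tolerates case and a sha256: prefix."""
    actual = pivot_digest(layers, pivot_path)
    expected = expected_hex.strip().lower()
    if expected.startswith("sha256:"):
        expected = expected[len("sha256:"):]
    return actual is not None and hmac.compare_digest(actual, expected)
```

A pivot that was replaced in a later layer hashes to the later content, and one removed by a whiteout fails validation rather than matching a stale copy from a lower layer.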