support for image lifecycle metadata annotation

[sozercan]

What is the problem you're trying to solve Today, we are providing guidance for using vnd.myorganization.image.end-of-life syntax for image lifecycle annotation for EOL images. https://techcommunity.microsoft.com/t5/azure-developer-community-blog/enriching-container-supply-chains-with-oras/ba-p/3996629

However, this guidance is on oras level and doesn't provide automation on a registry level for ACR. Each team/organization will need to come up with a way to apply this, which is not easily scalable and requires knowledge.

For example, there might be a need to roll this out on a per digest level, which requires getting a large list of digests from ACR.

This issue proposes a configurable way to roll this out on a per ACR-level.

Describe the solution you'd like

This experience will be similar to purge command, so i'll propose something like:

acr annotate \
    --registry <Registry Name> \
    --filter <Repository Filter/Name>:<Regex Filter> \
    --untagged \
    --artifact-type <application/vnd.myorganization.artifact.lifecycle> \
    --annotation <vnd.myorganization.image.end-of-life=20230710T00:00-08:00> \
    --annotation <vnd.myorganization.artifact.lineage.rolling-tag=3.12> \
    --annotation <foo=bar> \
    --dry-run \
    --concurrency 4

• registry: registry name
• filter: filter out for tags we don't want to add annotations
• untagged: include all untagged images
• artifact-type: configurable artifact type for an organization
• annotation: configurable annotation key value that can be specified one or more times
• dry-run: dry run
• concurrency: concurrent number of tasks

Please feel free to suggest better naming for any syntax if anyone has suggestions.

Additional context cc @jeremyrickard @sajayantony

[jeremyrickard]

@radhadpatel22 check this issue out.

[sajayantony]

+1 @shizhMSFT @northtyphoon @toddysm @FeynmanZhou @johnsonshi

[toddysm]

I am wondering whether this should be part of the az CLI or the ORAS CLI. I think we need to have an easier way to add annotations (all kind) to an artifact using ORAS. EOL is just one specific annotation type. There will be certainly others. Having something like:

oras annotate
    --artifact-type <application/vnd.myorganization.artifact.lifecycle> \
    --annotation <vnd.myorganization.image.end-of-life=20230710T00:00-08:00> \
    --annotation <vnd.myorganization.artifact.lineage.rolling-tag=3.12> \
    --annotation <foo=bar> 

seems more generic to me. Just my $.02

Related to that I also would like to see convenient command to annotate while copying with ORAS.

[jeremyrickard]

I definitely think there is a case for both @toddysm. This specific case would be bulk operations against ACR, much like the purge task.

I would envision this being implement with ORAS, and would definitely see the utility of having a more straightforward way of doing annotations with ORAS as a standalone thing.

The experience that Sertac laid out in the issue though, would be ACR specific and not in ORAS.

[sozercan]

Good point @toddysm! I changed it to acr annotate in the above example to make it more generic but still a bulk operation for ACR. This can be part of az acr too.

Agreed with @jeremyrickard that there are use cases for both ACR specific and ORAS.

[shizhMSFT]

The flag name --filter is confusing. Could you give examples of it?

[FeynmanZhou]

If annotating the image lifecycle metadata is a frequent action for most of the ACR users, I think it would be much convenient to provide command in az acr and acr CLI.

[jeremyrickard]

Perhaps the filter should behave like the --filter flag in acr purge

  -f, --filter stringArray            Specify the repository and a regular expression filter for the tag name, if a tag matches the filter and is older than the duration specified in ago it will be deleted. Note: If backtracking is used in the regexp it's possible for the expression to run into an infinite loop. The default timeout is set to 1 minute for evaluation of any filter expression. Use the '--filter-timeout-seconds' option to set a different value.
      --filter-timeout-seconds uint   This limits the evaluation of the regex filter, and will return a timeout error if this duration is exceeded during a single evaluation. If written incorrectly a regexp filter with backtracking can result in an infinite loop. (default 60)

  - Delete all tags that contain the word test in the tag name and are older than 5 days in the example.azurecr.io registry inside the hello-world
    repository, after that, remove the dangling manifests in the same repository
	acr purge -r example --filter "hello-world:\w*test\w*" --ago 5d --untagged

[sozercan]

@shizhMSFT here's an example

acr annotate \
    --registry myregistry \
    --filter "foo/bar:.*" \ # for all tags of foo/bar
    --filter "*/kube-apiserver:^v1\.(?:0\.[0-9]+|1[0-9]\.[0-9]+|2[0-4]\.[0-9]+|25\.(?:[0-9]|10))$" \ # for all semver versions/tags of any image called kube-apiserver that are between and including v1.0.0 and v1.25.0
    --untagged \ # include any images that do not have tags, this will cover all dangling digests
    --artifact-type "application/vnd.starkindustries.artifact.lifecycle" \
    --annotation "vnd.myorganization.image.end-of-life=20230710T00:00-08:00" \
    --dry-run \
    --concurrency 4

[johnsonshi]

SGTM. Multiple people have reached out wanting to backfill supply chain annotations for historic images in their artifacts. This will provide value.

One suggestion: If we have an option to mass-create annotations, we should also have another CLI command to delete annotations. Yes, the annotate command has a --dry-run option, but there will inevitably be ACR users that accidentally mark lots of images EOL with a need to reverse their actions (through specifying the same filter and args to the opposite command).

[plooploops]

This would certainly be helpful for historic images as @johnsonshi mentions.

Thanks for the pointer @jeremyrickard