Document interaction between signatures and mirrors
I'd like a disconnected mirror of registry.redhat.io that validates containers are signed by Red Hat.
I can create a registries.conf:

```toml
[[registry]]
prefix = "registry.redhat.io"
location = "internal-registry-for-registry-redhat-io-0.internal"

[[registry.mirror]]
location = "internal-registry-for-registry-redhat-io-1.internal"
```
Then a policy.json:

```json
{
  "default": [{"type": "reject"}],
  "transports": {
    "docker": {
      "internal-registry-for-registry-redhat-io-0.internal": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/path/to/redhat-pubkey.gpg",
          "signedIdentity": {
            "type": "remapIdentity",
            "prefix": "internal-registry-for-registry-redhat-io-0.internal",
            "signedPrefix": "registry.redhat.io"
          }
        }
      ]
    }
  }
}
```
And lastly a registries.d/registry-redhat-io.yaml file:

```yaml
docker:
  internal-registry-for-registry-redhat-io-0.internal:
    sigstore: https://internal-registry-for-registry-redhat-io-0.internal/containers/sigstore
```
So I think the above might work... but I think it would be really useful to have this documented somewhere. It wasn't clear to me in which places you use the logical image name (just prefix in registries.conf?) and do I need remapIdentity in policy.json and an entry in registries.d sigstore for the mirror (or does it inherit settings)?
This might be better as a blog post (Cc: @rhatdan who likes such content); I’m not very sure where it would fit in the reference documentation.
Common

If the images are signed using simple signing (not sigstore attachments) and the mirror registry does not natively store signatures, there would always be a `registries.d/*.yaml` file, specifying an internal `lookaside:` (formerly called `sigstore:`) HTTP server, with the internal mirror location, something like the example above.

If the images are signed using sigstore signatures, the mirror registry would need a `registries.d/*.yaml` file specifying `use-sigstore-attachments` for the internal mirror registry.
The recommended approach: Use redhat.io image names.

- `policy.json` uses a redhat.io key, with `signedIdentity` probably unspecified, or in any case not pointing at the mirror at all
- `registries.conf` specifies a mirror for redhat.io, pointing at the internal registry
- Users refer to redhat.io images

The major advantage of this approach is that all deployment configurations pointing at redhat.io can continue to be used unchanged, i.e. the workload is portable across public clouds and internal data centers; only the system-wide `registries.conf` and `registries.d` need adjusting depending on the site.
Alternative: Use internal mirror image names

- `policy.json` uses an internal-mirror key, with `signedIdentity`: `remapIdentity` remapping the internal mirror to redhat.io
- `registries.conf` does not need to configure the mirror at all
- Users refer to the internal-mirror images.