feat: add support for setting the pushed oci image manifest annotations
This closes https://github.com/fermyon/spin/issues/2236.
You can see how GitHub Container Registry shows an image without annotations at:
https://github.com/rgl/spin-http-ts-example/pkgs/container/spin-http-ts-example/171707227?tag=0.2.0
And the one with annotations at:
https://github.com/rgl/spin-http-ts-example/pkgs/container/spin-http-ts-example/171719572?tag=0.0.0-test1
This is how I've pushed the image with my local spin version:
$ echo my-github-token-with-write-packages-scope | docker login ghcr.io -u rgl --password-stdin
$ ~/Projects/spin/target/debug/spin registry push --annotation "org.opencontainers.image.description=$(jq -r .description package.json)" ghcr.io/rgl/spin-http-ts-example:0.0.0-test1
Pushing app to the Registry...
Pushed with digest sha256:60373ae9983dac0356fc91b1ff016f3580fd7664a9061f71d8a5fd266c646a0c
@rgl sorry, I often forget this detail on new contributions: Thanks for completing the DCO sign-off; can you also please ensure that the commit(s) are GPG-signed? (When ready.)
@vdice I think everything should be ready to go now :-)
@vdice please do not yet merge this until https://github.com/project-zot/zot/issues/2210 is addressed.
I'm starting to think that we should have a way to set the image manifest annotations (what the current --annotation does in this MR) and the image config annotations. What do you guys think? Maybe have two arguments? --oci-image-manifest-annotation and --oci-image-config-annotation?
@rgl Would it be overkill to take the provided annotations and add them to both the manifest and image config?
A question: Refreshing my knowledge with the config spec, I see that the config object has a Labels field intended to capture "... arbitrary metadata for the container." Then, the config object, being a descriptor (if I'm understanding correctly), can also be assigned generic annotations. Which would we want to utilize here?
(As an aside, I built on this PR to play around a bit and I'm not immediately seeing generic annotations added to the config layer (here) show up as intended in the manifest json... so there may be a bit of further work either in our oci client or the underlying oci-distribution crate. I haven't yet tried adding metadata to the Config.Labels object on the config...)
Hi @rgl checking in on this one. Wondering what you were thinking re: https://github.com/fermyon/spin/pull/2254#issuecomment-1917343654. Thanks!
It looks like docker adds them to the config block:
docker inspect my-org/my-project:
"Config": {
    "Hostname": "",
    "Domainname": "",
    "User": "65532:65532",
    "AttachStdin": false,
    "AttachStdout": false,
    "AttachStderr": false,
    "Tty": false,
    "OpenStdin": false,
    "StdinOnce": false,
    "Env": [
        "SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt",
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    ],
    "Cmd": null,
    "Image": "",
    "Volumes": null,
    "WorkingDir": "/",
    "Entrypoint": [
        "/manager"
    ],
    "OnBuild": null,
    "Labels": {
        "org.opencontainers.image.created": "2024-02-19T16:28:43.720Z",
        "org.opencontainers.image.description": "",
        "org.opencontainers.image.licenses": "NOASSERTION",
        "org.opencontainers.image.revision": "ff68ce40b1d5e202a717483297db0eaa3bbacdc5",
        "org.opencontainers.image.source": "https://github.com/my-org/my-project",
        "org.opencontainers.image.title": "my-project",
        "org.opencontainers.image.url": "https://github.com/my-org/my-project",
        "org.opencontainers.image.version": "main"
    }
},
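The comments above name three places where this metadata can live: the manifest's top-level annotations, annotations on the manifest's config descriptor, and `Labels` inside the config blob. The following is an added example, not part of this PR or of Spin's code, that collects a key from all three and flags keys whose values disagree, which matters when provenance fields such as `org.opencontainers.image.source` are audited. The manifest and config documents, the digest placeholder and the function names are constructed for illustration.

```python
import json

# Constructed sample documents (not taken from the PR): an OCI image manifest
# and the image config blob that its "config" descriptor points at.
MANIFEST = json.loads("""
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.oci.image.config.v1+json",
    "digest": "sha256:<config-digest-placeholder>",
    "size": 0,
    "annotations": {"org.opencontainers.image.title": "my-project"}
  },
  "layers": [],
  "annotations": {
    "org.opencontainers.image.description": "example app",
    "org.opencontainers.image.source": "https://github.com/my-org/my-project"
  }
}
""")
CONFIG = json.loads("""
{"config": {"Labels": {
  "org.opencontainers.image.description": "",
  "org.opencontainers.image.source": "https://github.com/my-org/my-project"
}}}
""")

def metadata_locations(manifest, config):
    """Map each key to {location: value} for the three places discussed."""
    places = {
        "manifest.annotations": manifest.get("annotations") or {},
        "manifest.config.annotations": (manifest.get("config") or {}).get("annotations") or {},
        "config.Labels": (config.get("config") or {}).get("Labels") or {},
    }
    found = {}
    for place, kv in places.items():
        for key, value in kv.items():
            found.setdefault(key, {})[place] = value
    return found

def conflicts(found):
    """Keys set in more than one place with differing values."""
    return sorted(k for k, v in found.items() if len(set(v.values())) > 1)

if __name__ == "__main__":
    found = metadata_locations(MANIFEST, CONFIG)
    for key in sorted(found):
        print(key, found[key])
    print("conflicting:", conflicts(found))
```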
@vdice sorry for the radio silence, but I'm afraid I was not yet able to dedicate quality time to understand the OCI image-spec in more detail to be able to answer. I'm still interested in looking into this, hopefully soon :-)
@endocrimes do you know if that is aligned with the oci image-spec? I still didn't get a chance to spend quality time reading the specs, hopefully I can do it soon.
@endocrimes sorry to hound but bark, bark
Thanks @endocrimes! @rgl thanks for your patience - it's been a crazy busy time - could you rebase and resolve the merge conflict please? Then we can land this. Thanks!
@itowlson no worries! I've rebased it.
Thank you @rgl! Glad to have landed this and thanks again for sticking with it.