Description
This comes after #1129 and will be the technical follow-up, the "how", for the image promotion process.
Objective
- Support the goal of breaking up the image promoter monolith by investigating the questions raised below
Questions to answer
- Describe/document the current process for verifying whether the image digest and reference exist, and evaluate:
  - Did we create an image using appropriate tools and process?
  - Would scanning for CVEs be a blocker?
  - If yes, could we require provenance?
- Would infra in staging help make it faster than a complete image push/pull? Not in place today.
- How could we ensure that the SHA is valid?
- How do we scan the image for any high or critical CVE?
Note: Be sure to actively seek other questions from members of SIG Release and other relevant SIGs as part of your research.
Steps
- Present a 1-2 page proposal describing the necessary implementation steps and listing pros/cons/tradeoffs
- Seek input from SIG members and achieve buy-in so the group can reach consensus and move forward
Context and things to think about while working on this task
- There is verification of the digests: someone opens a PR with a link to the created build, and people use this link as proof for the digests they want to promote.
- The PR creates a list of digests, and reviewers of the PR have no real way to verify them. It can be done manually, but most reviewers will just approve the PR.
- Relates to the "Validating signatures from staging in parallel" workflow step
- We currently have no way to verify the SHA of an image.
- We delegate responsibility for establishing which image to put in prod, but we don't verify the provenance of the image coming from the staging container registry.
- We know the source of an image, but we don't verify what is published.
- Any maintainer could do the promotion. Nothing prevents a maintainer with access to the staging repo from pushing something that could impact the registry.
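For the questions "How could we ensure that the SHA is valid?" and the gap "we currently have no way to verify the SHA of an image", the check below is an added example, not code from the image promoter or this issue. It relies on the fact that a registry content digest is the SHA-256 of the image manifest bytes as served, so a promotion entry can be verified by fetching the manifest from staging and hashing it; the manifest JSON here is constructed inline in place of a registry fetch.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
)

// digestRe matches the only digest form accepted here: "sha256:" plus 64 lowercase hex chars.
var digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// ManifestDigest computes the content digest of a raw image manifest the way a
// registry does: SHA-256 over the manifest bytes exactly as served.
func ManifestDigest(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// VerifyPromotion checks that a digest listed in a promotion PR is well-formed
// and matches the manifest bytes fetched from staging for that digest. A PR link
// is not proof; only a recomputed digest that matches the claimed one is.
func VerifyPromotion(claimed string, stagingManifest []byte) error {
	if !digestRe.MatchString(claimed) {
		return fmt.Errorf("malformed digest %q", claimed)
	}
	if actual := ManifestDigest(stagingManifest); actual != claimed {
		return fmt.Errorf("digest mismatch: PR claims %s, staging content is %s", claimed, actual)
	}
	return nil
}

func main() {
	// Constructed sample manifest standing in for bytes fetched from the staging registry.
	manifest := []byte(`{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","layers":[]}`)
	good := ManifestDigest(manifest)
	fmt.Println("valid entry:", VerifyPromotion(good, manifest))
	// A single changed byte in what staging serves must fail the check.
	fmt.Println("tampered:", VerifyPromotion(good, append([]byte{}, append(manifest, '\n')...)))
	fmt.Println("malformed:", VerifyPromotion("sha256:abc", manifest))
}
```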