Fixes value for storage.oci.repository

Previously while providing repo url value for storage oci repository, chains controller was giving an error as `a digest must contain exactly one '@' separator (e.g. registry/repository@digest)` because, it was not able to add digest Hence this patch fixes it, by formatting the value provided by the user and thus storing the attestations/signatures in the provided location Signed-off-by: PuneetPunamiya <[email protected]>
tektoncd · Nov 9, 2023 · 3524079 · 3524079
1 parent 1c918c9
commit 3524079
Show file tree

Hide file tree

Showing 2 changed files with 72 additions and 6 deletions.
diff --git a/pkg/chains/storage/oci/legacy.go b/pkg/chains/storage/oci/legacy.go
@@ -54,7 +54,8 @@ type Backend struct {
 // NewStorageBackend returns a new OCI StorageBackend that stores signatures in an OCI registry
 func NewStorageBackend(ctx context.Context, client kubernetes.Interface, cfg config.Config) *Backend {
 	return &Backend{
-		cfg:    cfg,
+		cfg: cfg,
+
 		client: client,
 		getAuthenticator: func(ctx context.Context, obj objects.TektonObject, client kubernetes.Interface) (remote.Option, error) {
 			kc, err := k8schain.New(ctx, client,
@@ -279,15 +280,29 @@ func (b *Backend) RetrieveArtifact(ctx context.Context, obj objects.TektonObject
 }
 
 func newDigest(cfg config.Config, imageName string) (name.Digest, error) {
-	// Override image name from config if set.
-	if r := cfg.Storage.OCI.Repository; r != "" {
-		imageName = r
-	}
-
 	var opts []name.Option
 	if cfg.Storage.OCI.Insecure {
 		opts = append(opts, name.Insecure)
 	}
 
+	if storageOCIRepository := cfg.Storage.OCI.Repository; storageOCIRepository != "" {
+		// `artifacts.oci.repository` will give us the registry + repository where the artifacts need to be pushed at.
+		// We need to take the sha256 digest from the incoming imageName and attach it to storage.oci.repository.
+
+		imageNameDigest, err := name.NewDigest(imageName, opts...)
+		if err != nil {
+			return name.Digest{}, err
+		}
+
+		// Creating a new OCI identifier for the artifact
+		repo, err := name.NewRepository(storageOCIRepository)
+		if err != nil {
+			return name.Digest{}, err
+		}
+
+		// Generating final OCI repository with the digest from image name
+		imageName = repo.Digest(imageNameDigest.DigestStr()).Name()
+	}
+
 	return name.NewDigest(imageName, opts...)
 }
diff --git a/pkg/chains/storage/oci/legacy_test.go b/pkg/chains/storage/oci/legacy_test.go
@@ -0,0 +1,51 @@
+/*
+Copyright 2023 The Tekton Authors
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package oci
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/tektoncd/chains/pkg/config"
+)
+
+func TestStorageOCIRepo(t *testing.T) {
+	cfg := config.Config{}
+	cfg.Storage.OCI.Repository = "example.com/foo"
+	tests := []struct {
+		testImageName     string
+		expectedImageName string
+	}{
+		{
+			testImageName:     "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init@sha256:bc4f7468f87486e3835b09098c74cd7f54db2cf697cbb9b824271b95a2d0871e",
+			expectedImageName: "example.com/foo@sha256:bc4f7468f87486e3835b09098c74cd7f54db2cf697cbb9b824271b95a2d0871e",
+		},
+		{
+			testImageName:     "foo.io/bar/kaniko-chains@sha256:bc4f7468f87486e3835b09098c74cd7f54db2cf697cbb9b824271b95a2d0871e",
+			expectedImageName: "example.com/foo@sha256:bc4f7468f87486e3835b09098c74cd7f54db2cf697cbb9b824271b95a2d0871e",
+		},
+		{
+			testImageName:     "registry.com/spam/spam/spam/spam/spam/spam@sha256:bc4f7468f87486e3835b09098c74cd7f54db2cf697cbb9b824271b95a2d0871e",
+			expectedImageName: "example.com/foo@sha256:bc4f7468f87486e3835b09098c74cd7f54db2cf697cbb9b824271b95a2d0871e",
+		},
+	}
+
+	for _, test := range tests {
+		digest, err := newDigest(cfg, test.testImageName)
+		if err != nil {
+			t.Error(err)
+		}
+		assert.Equal(t, digest.Name(), test.expectedImageName)
+	}
+}