From b2b504bfac9ff7ae264c70f2dff152963eb7cc8c Mon Sep 17 00:00:00 2001
From: Austin Abro <37223396+AustinAbro321@users.noreply.github.com>
Date: Fri, 7 Jun 2024 16:01:25 -0400
Subject: [PATCH] fix: cosign image pulls (#2599)
Fixes #2591
## Checklist before merging
- [ ] Test, docs, adr added or updated as needed
- [ ] [Contributor Guide Steps](https://github.com/defenseunicorns/zarf/blob/main/.github/CONTRIBUTING.md#developer-workflow) followed
---
 src/internal/packager/images/pull.go | 8 ++++-
 src/internal/packager/images/pull_test.go | 39 +++++++++++++++++++++++
 src/pkg/packager/creator/normal.go | 2 +-
 src/pkg/utils/image.go | 4 +--
 4 files changed, 49 insertions(+), 4 deletions(-)
 create mode 100644 src/internal/packager/images/pull_test.go
diff --git a/src/internal/packager/images/pull.go b/src/internal/packager/images/pull.go
index 11cc686239..f7203cc684 100644
--- a/src/internal/packager/images/pull.go
+++ b/src/internal/packager/images/pull.go
@@ -165,7 +165,13 @@ func Pull(ctx context.Context, cfg PullConfig) (map[transform.Image]v1.Image, er
 return fmt.Errorf("%s resolved to an index, please select a specific platform to use", refInfo.Reference)
 }
- img = cache.Image(img, cache.NewFilesystemCache(cfg.CacheDirectory))
+ cacheImg, err := utils.OnlyHasImageLayers(img)
+ if err != nil {
+ return err
+ }
+ if cacheImg {
+ img = cache.Image(img, cache.NewFilesystemCache(cfg.CacheDirectory))
+ }
 manifest, err := img.Manifest()
 if err != nil {
diff --git a/src/internal/packager/images/pull_test.go b/src/internal/packager/images/pull_test.go
new file mode 100644
index 0000000000..4ee0ca5478
--- /dev/null
+++ b/src/internal/packager/images/pull_test.go
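Review bot: In the pull.go hunk, the new `return err` after `utils.OnlyHasImageLayers(img)` returns the error bare, so a failure there reaches the caller without naming the image; the same call in creator/normal.go wraps it. Consider `return fmt.Errorf("unable to check whether %s contains only image layers: %w", refInfo.Reference, err)`. A short comment above `if cacheImg {` would also help, for example `// Only images are cached; artifacts such as cosign signatures are pulled without the filesystem cache.`, because the reason for the bypass is not visible in the code. The enclosing function body starts and ends outside this hunk.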
@@ -0,0 +1,39 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2021-Present The Zarf Authors
+
+// Package images provides functions for building and pushing images.
+package images
+
+import (
+ "context"
+ "os"
+ "path/filepath"
+ "testing"
+
+ "github.com/defenseunicorns/zarf/src/pkg/transform"
+ "github.com/stretchr/testify/require"
+)
+
+func TestPull(t *testing.T) {
+ t.Run("pulling a cosign image is successful and doesn't add anything to the cache", func(t *testing.T) {
+ ref, err := transform.ParseImageRef("ghcr.io/stefanprodan/podinfo:sha256-57a654ace69ec02ba8973093b6a786faa15640575fbf0dbb603db55aca2ccec8.sig")
+ require.NoError(t, err)
+ destDir := t.TempDir()
+ cacheDir := t.TempDir()
+ pullConfig := PullConfig{
+ DestinationDirectory: destDir,
+ CacheDirectory: cacheDir,
+ ImageList: []transform.Image{
+ ref,
+ },
+ }
+
+ _, err = Pull(context.Background(), pullConfig)
+ require.NoError(t, err)
+ require.FileExists(t, filepath.Join(destDir, "blobs/sha256/3e84ea487b4c52a3299cf2996f70e7e1721236a0998da33a0e30107108486b3e"))
+
+ dir, err := os.ReadDir(cacheDir)
+ require.NoError(t, err)
+ require.Empty(t, dir)
+ })
+}
diff --git a/src/pkg/packager/creator/normal.go b/src/pkg/packager/creator/normal.go
index 8af841f060..027df385fa 100644
--- a/src/pkg/packager/creator/normal.go
+++ b/src/pkg/packager/creator/normal.go
@@ -201,7 +201,7 @@ func (pc *PackageCreator) Assemble(ctx context.Context, dst *layout.PackagePaths
 if err := dst.Images.AddV1Image(img); err != nil {
 return err
 }
- ok, err := utils.HasImageLayers(img)
+ ok, err := utils.OnlyHasImageLayers(img)
 if err != nil {
 return fmt.Errorf("failed to validate %s is an image and not an artifact: %w", info, err)
 }
diff --git a/src/pkg/utils/image.go b/src/pkg/utils/image.go
index 80920cbc8b..a6490375dc 100644
--- a/src/pkg/utils/image.go
+++ b/src/pkg/utils/image.go
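Review bot: In TestPull (pull_test.go), the test resolves a tag on a public registry and then asserts a fixed blob path under `blobs/sha256/`, so it needs network access and will start failing if that `.sig` tag is ever re-pushed with different content. `context.Background()` also gives the pull no deadline, so (assuming Pull honours ctx) a stalled registry connection would hang the run until the global test timeout; consider `ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)` with `defer cancel()` and passing `ctx` to `Pull`, which adds `time` to the imports. A comment on the test saying it requires network access to ghcr.io would help whoever runs it offline.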
@@ -86,8 +86,8 @@ func AddImageNameAnnotation(ociPath string, referenceToDigest map[string]string)
 return os.WriteFile(indexPath, b, helpers.ReadWriteUser)
 }
-// HasImageLayers checks if all layers in the v1.Image are known image layers.
-func HasImageLayers(img v1.Image) (bool, error) {
+// OnlyHasImageLayers checks if all layers in the v1.Image are known image layers.
+func OnlyHasImageLayers(img v1.Image) (bool, error) {
 layers, err := img.Layers()
 if err != nil {
 return false, err