Mark feature "support OCI Referrer API" as experimental feature #659
Comments
@toddysm @iamsamirzon @sajayantony @shizhMSFT @vaninrao10 This issue was created per discussion during the community call on 5/8/2023. Please take a look; this issue should be addressed in the Notation v1 release.
Thanks @yizha1, I will take this one.
I'm trying to summarize behaviors between Notation versions:
What we want in v1.0 for
What we want in v1.0 for
For
(Just an open discussion here.) I'm not sure if this is what we expect, but in the below scenario: In the above case, it seems that the result of
We can assume the use of
I like the proposal from @Two-Hearts about having Notation Verify check for the Referrers API first and, if not available, use the image-index method. As long as this does not cause inconsistent results for registries, this may be a good path. Essentially, be more flexible when verifying signatures so users do not have to change their deployment-time checks (modify scripts or flags for verify) when their registries start supporting 1.1-based signatures.
My 2 cents, for v1.0. For Sign:
For Verify, inspect, list, aka any command that only reads content from the registry: always try the Referrers API; if not supported, automatically fall back to the referrers tag schema. Rationale:
IMO we should fix this ASAP as it's breaking the customer experience. Should we have RC5 with this fix?
The rationale for commands
@yizha1 Yes, we should remove Rationale:
Thanks @priteshbandi, to summarize what we want in RC.5:
For other commands that consume signatures,
Does the above sound correct to you? (the new flag's name
There might be a compatibility issue with some registries such as GAR. Basically, attempting the Referrers API on GAR will not return a 404 but an unexpected 302. See discussions:
IMO we should not fall back for the sign operation, i.e. when both NOTATION_EXPERIMENTAL and @shizhMSFT
Yeah, this also works. In this way, the
@shizhMSFT hmm, yes, we need to resolve issue 630. Do we want to have it done in RC.5 or v1.0?
Yes, it makes sense. Using the experimental flag means you want to leverage the Referrers API, and not the tag schema. Otherwise, it may succeed with the tag schema, which is not what users expect.
Maybe we should raise it to the OCI spec maintainers on the determination of the Referrers API
In order to make Based on the above fundamentals, I'd like to propose a new experimental flag
From previous discussions, we have consensus on using the referrers tag schema by default for
Yeah, after discussion with Shiwei offline, I agree with the above design. The
@shizhMSFT's proposal makes sense to me. Using a new experimental flag My only concern is that this is a breaking change for users still using v1.0.0-RC.4 with the Referrers API by default. They have to add this additional experimental flag
@patrickzheng200 I agree, to summarize: If the experimental flag is disabled (NOTATION_EXPERIMENTAL=0), don't use the Referrers API, i.e.
If the experimental flag is enabled (NOTATION_EXPERIMENTAL=1) and the user uses
Thanks @priteshbandi, everything else LGTM. My only question is, when NOTATION_EXPERIMENTAL=1 and uses
My interpretation (I am not closely following the spec) of the spec is that fallback is only for pull operations, but since sign is a push operation it's better to provide consistency. Also, if a user is opting in for OCI spec 1.1 we should always use Referrers API related behaviors. Want to hear others' opinions.
@priteshbandi The pushing manifest procedure is defined here: https://github.com/opencontainers/distribution-spec/blob/v1.1.0-rc2/spec.md#pushing-manifests-with-subject
Thanks @Two-Hearts and @yizha1 for pointing to the right spec. As oci1.1-rc2 calls out, when the user adds NOTATION_EXPERIMENTAL=1 and uses the --allow-referrers flag, notation should perform fallback for the sign operation. Updated #659 (comment)
In this PR:
1. Removed Notation's support of signing with OCI artifact manifest. (One can still consume signatures in this type.)
2. Moved the Referrers API behind experimental as discussed in community meeting. This change takes effect on `sign`, `list`, `inspect`, and `verify` commands. When a user wants to try the Referrers API, they need to set both `NOTATION_EXPERIMENTAL=1` AND `--allow-referrers-api`; if the Referrers API is not supported, fallback to the Referrers tag schema automatically. Otherwise, by default, Notation would use the Referrers tag schema in all commands deterministically.
References:
- https://github.com/opencontainers/distribution-spec/blob/v1.1.0-rc1/spec.md#listing-referrers
- https://github.com/opencontainers/distribution-spec/blob/v1.1.0-rc1/spec.md#referrers-tag-schema
This PR has been tested and:
resolves #659
resolves #660
---------
Signed-off-by: patrick <[email protected]>
Signed-off-by: Patrick Zheng <[email protected]>
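The gating and fallback rule described in the PR above (and the Verify fallback and the GAR 302 case raised earlier in the thread), shown as an added Go example. This is not Notation's code: `ChooseMode`, `ReferrersTag` and `fakeRegistry` are names invented here, the registry responses are constructed with `httptest`, and treating an unexpected status such as 302 as a hard error rather than silently falling back is an assumption of this example, not something the thread settles.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Mode names the mechanism a Notation command would end up using to
// locate signatures attached to a subject manifest.
type Mode string

const (
	ModeReferrersAPI Mode = "referrers-api"        // GET /v2/<name>/referrers/<digest>
	ModeTagSchema    Mode = "referrers-tag-schema" // image index pushed to tag <alg>-<hex>
)

// ReferrersTag derives the referrers tag schema name from a subject digest
// as the OCI distribution spec 1.1 defines it: "sha256:abc" -> "sha256-abc".
func ReferrersTag(subjectDigest string) string {
	return strings.Replace(subjectDigest, ":", "-", 1)
}

// ChooseMode applies the gating agreed in the thread: the Referrers API is
// only attempted when BOTH NOTATION_EXPERIMENTAL=1 and --allow-referrers-api
// are set; a 404 from the API falls back to the tag schema. Treating any
// other status (such as the 302 reported for GAR) as a hard error instead of
// a silent fallback is an assumption of this example.
func ChooseMode(registryURL, repo, subjectDigest string, experimental, allowReferrersAPI bool) (Mode, error) {
	if !experimental || !allowReferrersAPI {
		// Default path: deterministic, no probing of the registry at all.
		return ModeTagSchema, nil
	}
	endpoint := fmt.Sprintf("%s/v2/%s/referrers/%s", registryURL, repo, subjectDigest)
	// Do not follow redirects: a 302 must surface as-is so it can be judged.
	client := &http.Client{
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
	}
	resp, err := client.Get(endpoint)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
		ct := resp.Header.Get("Content-Type")
		if !strings.HasPrefix(ct, "application/vnd.oci.image.index.v1+json") {
			return "", fmt.Errorf("referrers API returned 200 with unexpected Content-Type %q", ct)
		}
		return ModeReferrersAPI, nil
	case http.StatusNotFound:
		// Spec-defined "not supported" signal: fall back to the tag schema.
		return ModeTagSchema, nil
	default:
		return "", fmt.Errorf("referrers API returned unexpected status %d; refusing to guess", resp.StatusCode)
	}
}

// fakeRegistry is a constructed stand-in for a registry whose referrers
// endpoint answers with the given status (200 = supported, 404 = not
// supported, 302 = the GAR-style redirect mentioned in the thread).
func fakeRegistry(status int) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.Contains(r.URL.Path, "/referrers/") {
			http.NotFound(w, r)
			return
		}
		switch status {
		case http.StatusOK:
			w.Header().Set("Content-Type", "application/vnd.oci.image.index.v1+json")
			w.WriteHeader(http.StatusOK)
			fmt.Fprint(w, `{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json","manifests":[]}`)
		case http.StatusFound:
			w.Header().Set("Location", "/login")
			w.WriteHeader(http.StatusFound)
		default:
			w.WriteHeader(status)
		}
	}))
}

func main() {
	// Constructed digest; any registry-valid digest works here.
	const digest = "sha256:0000000000000000000000000000000000000000000000000000000000000000"
	for _, status := range []int{http.StatusOK, http.StatusNotFound, http.StatusFound} {
		srv := fakeRegistry(status)
		mode, err := ChooseMode(srv.URL, "demo/app", digest, true, true)
		srv.Close()
		fmt.Printf("registry answers %d -> mode=%q err=%v (tag would be %s)\n", status, mode, err, ReferrersTag(digest))
	}
	mode, _ := ChooseMode("http://unused.invalid", "demo/app", digest, false, true)
	fmt.Println("experimental off ->", mode)
}
```

With the experimental gate off, `ChooseMode` never touches the network, which is the deterministic default the PR describes; only the combined `NOTATION_EXPERIMENTAL=1` plus `--allow-referrers-api` path probes the registry, and only a spec-defined 404 triggers the fallback.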
What are the areas you experience the issue in?
Notation CLI
What is not working as expected?
Currently the Referrer API is verified by Notation by default since `v1.0.0-rc.4`. For example, when using `notation sign`, if registries support the Referrer API, notation will not use an image index pushed to a tag described by the referrers tag schema. Since OCI spec 1.1 (including both image spec and distribution spec) is not officially released yet, support of the Referrer API could lead to breaking changes or portability issues after Notation v1 is released. On the other hand, users may be confused that sometimes an image index is pushed, sometimes not, which is an issue of consistency.
What did you expect to happen?
Mark feature "support OCI Referrer API" as an experimental feature, and document it properly. Users can use experimental features only after the env variable `NOTATION_EXPERIMENTAL=1` is set. The default behavior of Notation is always using an image index pushed to a tag described by the referrers tag schema. If users set the env variable `NOTATION_EXPERIMENTAL=1`, Notation will check the support of the OCI Referrer API first; if registries support the Referrer API, then notation will not push an image index; if registries don't support the Referrer API, notation will push an image index as the default behavior.
How can we reproduce it?
N/A
Describe your environment
WSL
What is the version of your Notation CLI or Notation Library?
Notation `v1.0.0-rc.4`