update workflow to use zot as a OCI registry

[rchincha]

zot is a OCI-native registry (currently sponsored by Cisco Systems) It has support for both ORAS and OCI artifacts (and references)

Signed-off-by: Ramkumar Chinchani [email protected]

Description

Updating oci registry to use zot.

Pipelines

if applicable, please complete checklist

• Link(s) to or screenshot(s) of successful pipeline runs and the expected result (ie. the output of oras discover -o tree $IMAGE)
• Verify & confirm the following:
  • New functionality works as expected
  • No breaking changes were introduced for existing pipelines

Related Work Item(s)

Link to AzDO user story. Linking to tasks is optional, but use your judgment re: what items are resolved by the PR.

[sajayantony]

Oh nice! What do others think?
/cc @shizhMSFT

[shizhMSFT]

This looks great! Glad to see zot supports both ORAS and OCI artifacts.

[sajayantony]

@dtzar would you be able to approve this?

[rchincha]

Of course, pls do run the workflow to make sure we didn't break anything (unlikely)

[sajayantony]

I don’t think I have permissions on this project.

[dtzar]

Per our conversation @rchincha - looking forward to having this in the repository!

Two things I'd like to update/fix and then we can merge it:

1. Use the minimal sized image: Add minimal image tag to home readme project-zot/zot#935 (comment)
2. To fix the build issue: Either do the workaround per your comment with docker OR update the PR to use stacker for the image build/push.

[dtzar]

I don’t think I have permissions on this project.

I just sent invite.

[rchincha]

Per our conversation @rchincha - looking forward to having this in the repository!

Two things I'd like to update/fix and then we can merge it:

1. Use the minimal sized image: [Add minimal image tag to home readme project-zot/zot#935 (comment)](https://github.com/project-zot/zot/issues/935#issuecomment-1309511333)

2. To fix the build issue: Either do the [workaround per your comment with docker ](https://github.com/project-zot/zot/issues/724#issuecomment-1309510789) OR update the PR to use stacker for the image build/push.

@dtzar, both items should be addressed now.
Does the CI not start automatically?

[dtzar]

Sorry @rchincha - not sure why the CI didn't kick off automatically. I copied your PR code into my fork and branch and when it ran stacker had a problem pushing the image via HTTP, so I added skip-tls: true and then it got past stacker build/push. Then it fails later unfortunately at notation sign for the image against the zot registry.
https://github.com/dtzar/net-monitor/actions/runs/3519319287/jobs/5899147420

Run notation sign --envelope-type cose --media-type application/vnd.docker.distribution.manifest.v2+json localhost:5000/net-monitor:kubecon
  
sha256:42b44d85aad[12](https://github.com/dtzar/net-monitor/actions/runs/3519319287/jobs/5899147420#step:10:12)fc11c92580c42f3230bc794a5a25d8e60c7e538b8d0bff72245
Error: GET "http://localhost:5000/oras/artifacts/v1/net-monitor/manifests/sha256:42b44d85aad[12](https://github.com/dtzar/net-monitor/actions/runs/3519319287/jobs/5899147420#step:10:13)fc11c92580c42f3230bc794a5a25d8e60c7e538b8d0bff72245/referrers": unexpected status code 400: Bad Request
Error: Process completed with exit code 1.

[rchincha]

Sorry @rchincha - not sure why the CI didn't kick off automatically. I copied your PR code into my fork and branch and when it ran stacker had a problem pushing the image via HTTP, so I added skip-tls: true and then it got past stacker build/push. Then it fails later unfortunately at notation sign for the image against the zot registry. https://github.com/dtzar/net-monitor/actions/runs/3519319287/jobs/5899147420

Thanks @dtzar, looking at this.

[rchincha]

@dtzar, updated this PR. Pls take a look.

[dtzar]

Still failing unfortunately. Also, we will need to keep the 0.11.0-alpha.4 version until we get some other things in place. Likely will skip over the 0.12.0-beta.1 version until RC-1.

Run notation sign --plain-http --envelope-type cose --media-type application/vnd.docker.distribution.manifest.v2+json localhost:5000/net-monitor:kubecon
sha256:0f22ce7942e241da877d4570767[14](https://github.com/dtzar/net-monitor/actions/runs/3520391990/jobs/5901264791#step:9:15)64a566616b8f682162af4ba941ffdb897aa
Error: GET "http://localhost:5000/oras/artifacts/v1/net-monitor/manifests/sha256:0f22ce7942e241da877d45707671464a566616b8f682162af4ba941ffdb897aa/referrers": unexpected status code 400: Bad Request
Error: Process completed with exit code 1.

[dtzar]

It might be easier to PR to my fork kubecon branch and I'm also more likely to just merge what you have until it works.

[rchincha]

It might be easier to PR to my fork kubecon branch and I'm also more likely to just merge what you have until it works.

@dtzar I see. Alright, let me test against your fork/branch.

[rchincha]

Doing a quick test, oddly ...

$ docker run -p 5000:5000 ghcr.io/project-zot/zot-minimal-linux-amd64:latest

$ skopeo copy --format=oci --dest-tls-verify=false docker://aci-zot.cisco.com:5050/alpine:edge docker://localhost:5000/alpine:edge

$ ./notation sign --plain-http --envelope-type cose --media-type application/vnd.docker.distribution.manifest.v2+json localhost:5000/alpine:edge
sha256:77ee9d7d39229024fd77373e079e03f3a6d384044391a0f9ae1d1f115aa38e8e

$ ./notation -v
notation version 0.11.0-alpha.4.dev.20221030

[rchincha]

2022-11-22T04:34:34.5139808Z ##[group]Run notation sign --plain-http --envelope-type cose --media-type application/vnd.docker.distribution.manifest.v2+json localhost:5000/net-monitor:kubecon
2022-11-22T04:34:34.5140505Z �[36;1mnotation sign --plain-http --envelope-type cose --media-type application/vnd.docker.distribution.manifest.v2+json localhost:5000/net-monitor:kubecon�[0m
2022-11-22T04:34:34.5141000Z �[36;1moras discover localhost:5000/net-monitor:kubecon -o tree�[0m
2022-11-22T04:34:34.5194880Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2022-11-22T04:34:34.5195160Z env:
2022-11-22T04:34:34.5195365Z   APP_NAME: net-monitor
2022-11-22T04:34:34.5195603Z   LOCAL_REGISTRY: localhost:5000
2022-11-22T04:34:34.5195888Z   REMOTE_REGISTRY: wabbitnetworks.azurecr.io
2022-11-22T04:34:34.5196137Z   TAG: kubecon
2022-11-22T04:34:34.5196333Z   AZURE_HTTP_USER_AGENT: 
2022-11-22T04:34:34.5196562Z   AZUREPS_HOST_ENVIRONMENT: 
2022-11-22T04:34:34.5196784Z ##[endgroup]
2022-11-22T04:34:36.9226269Z sha256:0f22ce7942e241da877d45707671464a566616b8f682162af4ba941ffdb897aa
2022-11-22T04:34:36.9290316Z Error: GET "http://localhost:5000/oras/artifacts/v1/net-monitor/manifests/sha256:0f22ce7942e241da877d45707671464a566616b8f682162af4ba941ffdb897aa/referrers": unexpected status code 400: Bad Request
2022-11-22T04:34:36.9309166Z ##[error]Process completed with exit code 1.

From the CI logs, it appears it is oras discover which is actually failing.

[dtzar]

@rchincha - ah yes you're correct. We want that to work as well of course.

[rchincha]

@dtzar, pls take a look at dtzar#12
Also, oras-0.16.0 has moved to OCI artifacts so that gets us closer to a OCI-only pipeline.

[dtzar]

The problem is ACR doesn't support OCI 1.1 yet, but it's coming soon. Once it's there, then we could merge this.