This is primarily to get the signature access docker/distribution API
extension.

To make it work, two updates to the test harness are necessary:

- Change the expected output of (oadm policy add-cluster-role-to-group)
- Don't expect (openshift start master) to create .kubeconfig files
  for the registry service.

As of https://github.com/openshift/origin/pull/10830 ,
openshift.local.config/master/openshift-registry.kubeconfig is no longer
autogenerated. Instead, do what (oadm registry) does, creating a
service account and a cluster policy role binding. Then manually create
the necessary certificates and a .kubeconfig instead of using the
service account in a pod.

The integrated registry used to return the original signature unmodified
in 1.3.0-alpha.3; in 1.5.0-alpha-3 it regenerates a new one, so allow that
when comparing the original and copied image.

This includes fixes to docker-daemon's GetBlob, which will now
decompress blobs (making c/i/copy act sanely when trying to copy from a
docker-daemon to uncompressed destinations, as well as making
verification actually work properly).
Signed-off-by: Aleksa Sarai <asarai@suse.de>

In order to make sure that we don't create invalid OCI images that are
consistently invalid, add additional checks to ensure that both of the
generated OCI images in the round-trip test are valid according to the
upstream validator.

This commit vendors the following packages (deep breath):

* oci/image-tools@7575a09363, which requires
* oci/image-spec@v1.0.0-rc4 [revendor, but is technically an update
  because I couldn't figure out what version was vendored last time]
* oci/runtime-spec@v1.0.0-rc4
* xeipuuv/gojsonschema@6b67b3fab7
* xeipuuv/gojsonreference@e02fc20de9
* xeipuuv/gojsonpointer@e0fe6f6830
* camlistore/go4@7ce08ca145

Signed-off-by: Aleksa Sarai <asarai@suse.de>

This test is just a general smoke test to make sure there are no errors
with skopeo, but also verifying that after passing through several
translation steps an OCI image will remain in fully working order.
Signed-off-by: Aleksa Sarai <asarai@suse.de>

This is a bit better than raw (gpg -d $signature), and it allows testing
of the signature.GetSignatureInformationWithoutVerification function;
but, still, keeping it hidden because relying on this in common
workflows is probably a bad idea and we don’t _need_ to expose it right
now.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>

vndr is almost exactly the same as our good old hack/vendor.sh. Except
it's cleaner and it allows re-vendoring just one dependency if needed
(which we do a lot for containers/image).
Signed-off-by: Antonio Murdaca <runcom@redhat.com>