feat(ec-965): verify a set of pullspecs related to an image

We were previously only able to verify certain pullspecs at build-time which resulted in a failed test. This would prevent multiple images from being built and all staged for release. Even if the image references are valid at release time, the check used was old and the results are not updated without a rebuild. If a task has a result named RELATED_IMAGES_DIGEST, all items in the pushed file will be checked for validity. Signed-off-by: arewm <[email protected]>
enterprise-contract · Dec 19, 2024 · ad330b5 · ad330b5
1 parent bc5bc8f
commit ad330b5
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -123,11 +123,11 @@ Create a `policy.yaml` file in your local `ec-cli` repo with something like:
     ---
     sources:
       - policy:
-        - <path-to>/ec-policies/policy/lib
-        - <path-to>/ec-policies/policy/release
-      data:
-        - oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest
-        - github.com/release-engineering/rhtap-ec-policy//data
+          - <path-to>/ec-policies/policy/lib
+          - <path-to>/ec-policies/policy/release
+        data:
+          - oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest
+          - github.com/release-engineering/rhtap-ec-policy//data
 
 Run the locally built `ec-cli` command
 

diff --git a/policy/release/olm/olm.rego b/policy/release/olm/olm.rego
@@ -175,6 +175,44 @@ deny contains result if {
 	result := lib.result_helper_with_term(rego.metadata.chain(), [component.containerImage], component.containerImage)
 }
 
+# METADATA
+# title: Unable to access related images for a component
+# description: >-
+#   Check the input image for the presence of related images.
+#   Ensure that all images are accessible.
+# custom:
+#   short_name: inaccessible_related_images
+#   failure_msg: The %q image has inaccessible related images.
+#   solution: >-
+#     Ensure all related images are available. Use oras discover to find the
+#     set of related images.
+#   collections:
+#   - redhat
+deny contains result if {
+	# _release_restrictions_apply
+
+	some related_image in _fbc_related_images
+	not ec.oci.image_manifest(related_image)
+	result := lib.result_helper_with_term(rego.metadata.chain(), [related_image], related_image)
+}
+
+# extracts the related images attached to the image
+_fbc_related_images := related_images if {
+	input_image := image.parse(input.image.ref)
+
+	some related in lib.results_named(_related_images_result_name)
+	result_digest := object.union(input_image, {"digest": related.value[input_image.digest]})
+	related_image_ref := image.str(result_digest)
+	related_image_manifest := ec.oci.image_manifest(related_image_ref)
+
+	some layer in related_image_manifest.layers
+	layer.mediaType == _related_images_oci_mime_type
+	related_image_blob := object.union(input_image, {"digest": layer.digest})
+	related_image_blob_ref := image.str(related_image_blob)
+
+	related_images := json.unmarshal(ec.oci.blob(related_image_blob_ref))
+}
+
 # METADATA
 # title: Unmapped images in OLM bundle
 # description: >-
@@ -446,3 +484,7 @@ _image_registry_allowed(image_repo, allowed_prefixes) if {
 	some allowed_prefix in allowed_prefixes
 	startswith(image_repo, allowed_prefix)
 }
+
+_related_images_result_name := "RELATED_IMAGES_DIGEST"
+
+_related_images_oci_mime_type := "application/vnd.konflux-ci.attached-artifact.related-images+json"