Currently the only output of a `ko_build` is its `image_ref`, the fully qualified image reference by digest (e.g., `foo.io/repo/image@sha256:abcdef...`). This is enough to make it useful to deployment targets, but we can do better.

As things like `tf-crane` and `tf-apko` and `tf-cosign` start to come up, we should define a common shareable schema for this, so that they can all agree on the types.

This will be a little complicated because, like ggcr, things can produce an `Image` or a multi-platform `Index`, and the contents of those and the types of things that can attach to them are affected by which they are.

I don't think we should bifurcate into `ko_image` and `ko_index`, `apko_image`/`apko_index`, `cosign_signed_image`/`cosign_signed_index`, etc. -- this is why we moved from `ko_image` to the more abstract `ko_build`.

Some things we might want to express in a general-purpose output schema:

- `media_type`, and `is_image` / `is_index`
- `layers` (populated if `is_image`), list of:
  - `digest`
  - `size`
  - file contents? 🤔
- `manifests` (populated if `is_index`), map of `platform` -> object:
  - `digest`
  - `layers` (see above)
  - `sbom` (see next)
- `sbom`, list of `purl` objects:
  - `purl` (raw purl string), `scheme`, `type`, `namespace`, `name`, `version`, `qualifiers` (map[string]string), `subpath`

This would let us extract SBOM information from ko-, crane-, or apko-built artifacts, so that `terraform plan` can show us what dependency packages changed.

`layers` composes with tf-crane to let you `crane_append` your own layer. `manifests` can compose with a future `crane_something` that mutates or builds up manifests from scratch. `sbom` can compose with something like `cosign_attest_sbom` that takes the previously built-but-not-signed SBOM and attests/signs it.

I think we can start to define this schema anywhere, but eventually I think it makes most sense to live in tf-crane, where it becomes sort of like the TF equivalent of ggcr.
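As an added sketch (not code from this issue or from any of the providers it names), here is what the proposed per-package `purl` object could look like in Go, with a parser that fills its fields from a raw purl string and a diff over two `sbom` lists of the kind a `terraform plan` could surface as changed dependency packages. `ParsePurl`, `DiffPackages` and the sample purls below are assumptions of this example, not anything the issue defines.

```go
package main

import "strings"

// Purl mirrors the per-package object proposed for the sbom output.
type Purl struct {
	Raw, Scheme, Type, Namespace, Name, Version, Subpath string
	Qualifiers                                           map[string]string
}
// ParsePurl (hypothetical helper) peels subpath, qualifiers and version off the right of
// pkg:type/namespace/name@version?qualifiers#subpath, then splits the remaining path.
func ParsePurl(raw string) (Purl, bool) {
	p, rest := Purl{Raw: raw, Qualifiers: map[string]string{}}, raw
	if i := strings.LastIndex(rest, "#"); i >= 0 {
		p.Subpath, rest = strings.Trim(rest[i+1:], "/"), rest[:i]
	}
	if i := strings.LastIndex(rest, "?"); i >= 0 {
		for _, kv := range strings.Split(rest[i+1:], "&") {
			if k, v, ok := strings.Cut(kv, "="); ok && k != "" {
				p.Qualifiers[k] = v
			}
		}
		rest = rest[:i]
	}
	if i := strings.LastIndex(rest, "@"); i >= 0 {
		p.Version, rest = rest[i+1:], rest[:i]
	}
	scheme, path, _ := strings.Cut(rest, ":")
	parts := strings.Split(strings.Trim(path, "/"), "/")
	if scheme != "pkg" || len(parts) < 2 || parts[0] == "" {
		return p, false // missing scheme, type or name
	}
	p.Scheme, p.Type, p.Name = scheme, parts[0], parts[len(parts)-1]
	p.Namespace = strings.Join(parts[1:len(parts)-1], "/")
	return p, true
}
// DiffPackages keys both sboms by type/namespace/name and returns [old, new] for every
// package whose version differs; "" marks the side on which the package is absent.
func DiffPackages(before, after []Purl) map[string][2]string {
	key := func(p Purl) string { return p.Type + "/" + p.Namespace + "/" + p.Name }
	diff := map[string][2]string{}
	for _, p := range before {
		diff[key(p)] = [2]string{p.Version, ""}
	}
	for _, p := range after {
		if v := diff[key(p)]; v[0] == p.Version {
			delete(diff, key(p)) // same version on both sides: not a change
		} else {
			diff[key(p)] = [2]string{v[0], p.Version}
		}
	}
	return diff
}
```

Because the diff is keyed on the package identity rather than the raw string, a version bump shows as one changed entry instead of an unrelated remove-and-add pair.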