feat(recipes): pin nodewright-customizations packages by digest #1037
Conversation
Adds containerSHA: sha256:<digest> to every Skyhook Package entry in the nodewright-customizations manifests so the GPU node setup, tuning, and GKE tuning containers are pulled by digest rather than the mutable image tag. Teach pkg/bom.ExtractImagesFromYAML to fold a sibling containerSHA scalar onto the combined CRD-style image reference as @sha256:..., so the digest is preserved in the BOM and the recipes/ digest-pin test recognizes the ref as pinned without a per-image exemption. Removes the three nodewright-packages entries from recipes/manifest_images_test.go imageDigestExemptions; only skyhook-packages/shellscript stays exempt (upstream does not surface a containerSHA for it). docs/user/container-images.md regenerated via make bom-docs. Fixes #1031.
mchmarny left a comment
Clean supply-chain hardening change. The extractor logic for containerSHA matches the existing CRD-triplet pattern (image/repository/version sibling scalars), preserves precedence (inline @digest wins, empty is a no-op, otherwise append), and the two new test cases lock both branches in. Removing the three nodewright-packages exemptions from recipes/manifest_images_test.go and keeping just the shellscript carve-out is the right call.
CI: ClamAV, grype, and all completed Tier-1 matrix jobs are green; a handful of flux-oci variants are still running but the extractor change is unrelated to those code paths. CodeQL conclusion is "neutral" (skipped, normal here).
One non-blocking nit on appendContainerSHA — see inline.
Validate `containerSHA` against `^sha256:[a-f0-9]{64}$` inside
appendContainerSHA and return an error from ExtractImagesFromYAML
when a Skyhook Package carries a malformed digest. A typo,
truncation, or user value-override that lands in a containerSHA
field can no longer slip through to the BOM, PURL, or SBOM output —
extraction itself fails with the offending value in the message.
Propagate the error through walkForImages so every recursion path
surfaces it. Add three regression cases covering non-sha256 prefix,
short hex, and uppercase hex (the OCI digest grammar is lowercase).
Addresses Mark's nit on #1037.
Summary
Pin every Skyhook Package in `nodewright-customizations` by `containerSHA: sha256:...` and teach the BOM extractor to recognize that field as the OCI digest, removing the per-image digest-pin test exemptions for the three nodewright-packages refs.
Motivation / Context
The Skyhook Package CRD does not accept an `@sha256:...` digest inside its `image:` value, but it does carry an explicit `containerSHA` field for the same purpose. We were exempting these refs from the ADR-006 layer 2 digest-pin gate in `recipes/manifest_images_test.go`. Now that the CRD field is populated, the gate can enforce the pin directly.
Fixes: #1031
Related: #745
Component(s) Affected
- `pkg/recipe`
- `pkg/bundler`, `pkg/component/*`
- `docs/`, `examples/`
Implementation Notes
- `recipes/components/nodewright-customizations/manifests/tuning.yaml` and `tuning-gke.yaml`: added `containerSHA` to every package entry (`nvidia-setup-kernel`, `nvidia-tuned`, `nvidia-setup-full`, and the GKE `tuning` package). Digests resolved via `crane digest <ref>`:
  - `ghcr.io/nvidia/nodewright-packages/nvidia-setup:0.2.2` → `sha256:76913a5d…`
  - `ghcr.io/nvidia/nodewright-packages/nvidia-tuned:0.3.0` → `sha256:cc99c8c0…`
  - `ghcr.io/nvidia/nodewright-packages/nvidia-tuning-gke:0.1.2` → `sha256:6671d49f…`
- `pkg/bom/extract.go`: `walkForImages` now also collects a sibling `containerSHA` scalar, and a new `appendContainerSHA` helper folds it onto the combined CRD-style ref as `@<sha>`. An in-line `@digest` in `image` continues to win — `containerSHA` never overwrites or double-appends. This keeps the change local to the extractor: callers (BOM, digest-pin test, PURL) consume the resulting `@sha256:...` without any special-casing.
- `recipes/manifest_images_test.go`: removed the three `nodewright-packages/*` entries from `imageDigestExemptions`. `skyhook-packages/shellscript:1.1.1` stays exempt — upstream does not currently surface a `containerSHA` for it.
- `docs/user/container-images.md`: regenerated via `make bom-docs`; the three nodewright-packages refs now appear as `:tag@sha256:...`.
Testing
```sh
go test -race ./pkg/bom/... ./pkg/bundler/... ./recipes/...
golangci-lint run -c .golangci.yaml ./pkg/bom/... ./recipes/...
make bom-docs
```
All green. Two new test cases were added in `pkg/bom/extract_test.go`:
- `Skyhook Package with containerSHA sibling folds in as digest` — verifies the fold-in path.
- `inline @digest in image takes precedence over containerSHA sibling` — guards the precedence rule so a stale `containerSHA` cannot silently overwrite an explicit in-line digest.
Coverage delta: `pkg/bom`: 89.7% → 90.0% (+0.3%).
The `TestComponentManifestImagesAreDigestPinned` log now lists only the four expected exemptions (three Mellanox NicClusterPolicy refs + shellscript) — the three nodewright-packages refs are accepted as digest-pinned.
Risk Assessment
Rollout notes: Pure supply-chain hardening. The image tags are unchanged, so resolved manifests deploy the same artifacts they did before — Skyhook now additionally validates the digest at install time. No migration needed.
Checklist
- `make test` with `-race`
- `make lint`
- `git commit -S`
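As an added example, not the project's own `pkg/bom` code, the fold-in and precedence rules from the implementation notes (inline `@digest` wins, empty sibling is a no-op, otherwise append once) combined with the `^sha256:[a-f0-9]{64}$` validation from the follow-up commit, modelled in Go. The `skyhookPackage` struct, the `pinnedRef` and `isDigestPinned` helpers, and the sample digest value are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)
// OCI sha256 digest grammar: "sha256:" followed by exactly 64 lowercase hex chars.
var digestRE = regexp.MustCompile(`^sha256:[a-f0-9]{64}$`)
// skyhookPackage holds the sibling scalars collected from one Skyhook Package
// entry (struct and field names are this example's assumption, not the project's).
type skyhookPackage struct {
	Image        string // CRD image value; may already carry an inline @digest
	Version      string // tag, joined onto Image as image:version
	ContainerSHA string // optional sibling containerSHA scalar
}

// appendContainerSHA folds sha onto ref: empty sha is a no-op, a malformed sha
// is an error, an inline @digest already in ref wins, otherwise append once.
func appendContainerSHA(ref, sha string) (string, error) {
	if sha == "" {
		return ref, nil
	}
	if !digestRE.MatchString(sha) {
		return "", fmt.Errorf("malformed containerSHA %q on %s", sha, ref)
	}
	if strings.Contains(ref, "@") {
		return ref, nil // inline digest wins; never overwrite or double-append
	}
	return ref + "@" + sha, nil
}

// pinnedRef builds the combined CRD-style ref image:version and folds the digest in.
func pinnedRef(p skyhookPackage) (string, error) {
	ref := p.Image
	if p.Version != "" && !strings.Contains(ref, "@") {
		ref += ":" + p.Version
	}
	return appendContainerSHA(ref, p.ContainerSHA)
}

// isDigestPinned is the check a digest-pin gate runs on the extracted ref.
func isDigestPinned(ref string) bool {
	i := strings.LastIndex(ref, "@")
	return i >= 0 && digestRE.MatchString(ref[i+1:])
}

func main() { // constructed sample; the digest below is a placeholder, not a real one
	ref, err := pinnedRef(skyhookPackage{Image: "ghcr.io/nvidia/nodewright-packages/nvidia-setup",
		Version: "0.2.2", ContainerSHA: "sha256:" + strings.Repeat("0123456789abcdef", 4)})
	fmt.Println(ref, isDigestPinned(ref), err)
}
```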