Support repos publishing mulitple images outside rancher orgs

[holyspectral]

Hi there,

I'm working on a few new kubewarden repos to support slsactl and would like to seek your opinion.

The problem is that, these new repos all publish multiple images, for example, github.com/kubewarden/sbomscanner and ghcr.io/kubewarden/sbomscanner/storage:v0.8.3.

The current slsactl assumes that each repo publishes only one image. As a result, instead of the correct path of github.com/kubewarden/sbomscanner, slsactl tries to match CertificateIdentity with github.com/sbomscanner/storage and fails.

I wonder how this can be supported in a non-rancher registry. Any feedback will be appreciated.

[pjbgf]

@holyspectral that is already supported, you just need to add a new mapping for the given image.

[holyspectral]

@pjbgf thanks for the quick reply! I guess my question is, currently the mapping is for rancher repo only. Do you have any concerns if we add new image repos like kubewarden?

[pjbgf]

@holyspectral none at all. Note that when verifying at product level (e.g. slsactl product verify ...) it already considers (and verifies) upstream images.

[holyspectral]

@pjbgf Thanks a lot! I wasn't aware of this slsactl product feature. From what I can see, it verifies all images in a product, e.g., rancher prime or virtualization, as a whole. Is my understanding correct?

I have another question after I tried to add the repo to slsactl.

According to here, it's assumed that the repo path contains two parts, e.g., <repo>/<image>. This works well for DockerHub, but it's slightly different on ghcr.io because we can have ghcr.io/kubewarden/sbomscanner/storage:v0.8.3, where the path should be kubewarden/sbomscanner/storage.

Do you think this could be supported in slsactl easily? Or it basically conflicts with the existing design.