diff --git a/sources/Cargo.lock b/sources/Cargo.lock
index 093cea829a6..52b51481ef8 100644
--- a/sources/Cargo.lock
+++ b/sources/Cargo.lock
@@ -1073,6 +1073,13 @@ dependencies = [
 "migration-helpers",
 ]
 
+[[package]]
+name = "image-verifier-plugins-settings"
+version = "0.1.0"
+dependencies = [
+ "migration-helpers",
+]
+
 [[package]]
 name = "indexmap"
 version = "2.13.0"
diff --git a/sources/Cargo.toml b/sources/Cargo.toml
index df3bddd2fd2..1b3cea9801b 100644
--- a/sources/Cargo.toml
+++ b/sources/Cargo.toml
@@ -58,6 +58,7 @@ members = [ "settings-migrations/v1.56.0/image-verifier-plugins-extensible", "settings-migrations/v1.60.0/kubernetes-topology-manager-policy-options", "settings-migrations/v1.60.0/container-runtime-max-concurrent-unpacks", + "settings-migrations/v1.61.0/image-verifier-plugins-settings", "settings-plugins/aws-dev", "settings-plugins/aws-ecs-2",
diff --git a/sources/settings-defaults/aws-k8s-1.33-nvidia/defaults.d/58-image-verification.toml b/sources/settings-defaults/aws-k8s-1.33-nvidia/defaults.d/58-image-verification.toml
new file mode 120000
index 00000000000..b4d93f54799
--- /dev/null
+++ b/sources/settings-defaults/aws-k8s-1.33-nvidia/defaults.d/58-image-verification.toml
@@ -0,0 +1 @@
+../../../shared-defaults/image-verification.toml
\ No newline at end of file
diff --git a/sources/settings-defaults/aws-k8s-1.33/defaults.d/58-image-verification.toml b/sources/settings-defaults/aws-k8s-1.33/defaults.d/58-image-verification.toml
new file mode 120000
index 00000000000..b4d93f54799
--- /dev/null
+++ b/sources/settings-defaults/aws-k8s-1.33/defaults.d/58-image-verification.toml
@@ -0,0 +1 @@
+../../../shared-defaults/image-verification.toml
\ No newline at end of file
diff --git a/sources/settings-defaults/aws-k8s-1.34-nvidia/defaults.d/58-image-verification.toml b/sources/settings-defaults/aws-k8s-1.34-nvidia/defaults.d/58-image-verification.toml
new file mode 120000
index 00000000000..b4d93f54799
--- /dev/null
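Review bot: The symlink target `../../../shared-defaults/image-verification.toml` is not part of this diff, so which keys the k8s variants now inherit and whether verification is enforced by default cannot be checked from here; presumably it is the file the ECS variants already use. The v1.61.0 migration in this change removes only the `settings.image-verifier-plugins` prefix on downgrade, so any key the shared file sets outside that prefix would survive a downgrade on these variants and should be confirmed against the file. A line in the commit description listing the settings that file populates would let a reviewer check both points.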
+++ b/sources/settings-defaults/aws-k8s-1.34-nvidia/defaults.d/58-image-verification.toml
@@ -0,0 +1 @@
+../../../shared-defaults/image-verification.toml
\ No newline at end of file
diff --git a/sources/settings-defaults/aws-k8s-1.34/defaults.d/58-image-verification.toml b/sources/settings-defaults/aws-k8s-1.34/defaults.d/58-image-verification.toml
new file mode 120000
index 00000000000..b4d93f54799
--- /dev/null
+++ b/sources/settings-defaults/aws-k8s-1.34/defaults.d/58-image-verification.toml
@@ -0,0 +1 @@
+../../../shared-defaults/image-verification.toml
\ No newline at end of file
diff --git a/sources/settings-defaults/aws-k8s-1.35-nvidia/defaults.d/58-image-verification.toml b/sources/settings-defaults/aws-k8s-1.35-nvidia/defaults.d/58-image-verification.toml
new file mode 120000
index 00000000000..b4d93f54799
--- /dev/null
+++ b/sources/settings-defaults/aws-k8s-1.35-nvidia/defaults.d/58-image-verification.toml
@@ -0,0 +1 @@
+../../../shared-defaults/image-verification.toml
\ No newline at end of file
diff --git a/sources/settings-defaults/aws-k8s-1.35/defaults.d/58-image-verification.toml b/sources/settings-defaults/aws-k8s-1.35/defaults.d/58-image-verification.toml
new file mode 120000
index 00000000000..b4d93f54799
--- /dev/null
+++ b/sources/settings-defaults/aws-k8s-1.35/defaults.d/58-image-verification.toml
@@ -0,0 +1 @@
+../../../shared-defaults/image-verification.toml
\ No newline at end of file
diff --git a/sources/settings-defaults/vmware-k8s-1.33/defaults.d/58-image-verification.toml b/sources/settings-defaults/vmware-k8s-1.33/defaults.d/58-image-verification.toml
new file mode 120000
index 00000000000..b4d93f54799
--- /dev/null
+++ b/sources/settings-defaults/vmware-k8s-1.33/defaults.d/58-image-verification.toml
@@ -0,0 +1 @@
+../../../shared-defaults/image-verification.toml
\ No newline at end of file
diff --git a/sources/settings-defaults/vmware-k8s-1.34/defaults.d/58-image-verification.toml b/sources/settings-defaults/vmware-k8s-1.34/defaults.d/58-image-verification.toml
new file mode 120000
index 00000000000..b4d93f54799
--- /dev/null
+++ b/sources/settings-defaults/vmware-k8s-1.34/defaults.d/58-image-verification.toml
@@ -0,0 +1 @@
+../../../shared-defaults/image-verification.toml
\ No newline at end of file
diff --git a/sources/settings-defaults/vmware-k8s-1.35/defaults.d/58-image-verification.toml b/sources/settings-defaults/vmware-k8s-1.35/defaults.d/58-image-verification.toml
new file mode 120000
index 00000000000..b4d93f54799
--- /dev/null
+++ b/sources/settings-defaults/vmware-k8s-1.35/defaults.d/58-image-verification.toml
@@ -0,0 +1 @@
+../../../shared-defaults/image-verification.toml
\ No newline at end of file
diff --git a/sources/settings-migrations/v1.61.0/image-verifier-plugins-settings/Cargo.toml b/sources/settings-migrations/v1.61.0/image-verifier-plugins-settings/Cargo.toml
new file mode 100644
index 00000000000..dda5946709b
--- /dev/null
+++ b/sources/settings-migrations/v1.61.0/image-verifier-plugins-settings/Cargo.toml
@@ -0,0 +1,10 @@
+[package]
+name = "image-verifier-plugins-settings"
+version = "0.1.0"
+license = "Apache-2.0 OR MIT"
+edition = "2021"
+publish = false
+exclude = ["README.md"]
+
+[dependencies]
+migration-helpers.workspace = true
diff --git a/sources/settings-migrations/v1.61.0/image-verifier-plugins-settings/src/main.rs b/sources/settings-migrations/v1.61.0/image-verifier-plugins-settings/src/main.rs
new file mode 100644
index 00000000000..726fbdb3526
--- /dev/null
+++ b/sources/settings-migrations/v1.61.0/image-verifier-plugins-settings/src/main.rs
@@ -0,0 +1,58 @@
+use migration_helpers::common_migrations::{AddPrefixesMigration, NoOpMigration};
+use migration_helpers::{migrate, MigrationData, Result};
+use std::process;
+
+/// Added new image-verifier-plugins settings.
+/// For k8s variants: remove the settings on downgrade since they didn't exist before.
+/// For ecs-3 variants: no migration needed since these settings already exist.
+fn run() -> Result<()> {
+ // Create a custom migration that checks variant at runtime
+ migrate(VariantSpecificMigration)
+}
+
+struct VariantSpecificMigration;
+
+impl migration_helpers::Migration for VariantSpecificMigration {
+ fn forward(&mut self, input: MigrationData) -> Result {
+ // No work needed on upgrade for any variant
+ println!("VariantSpecificMigration has no work to do on upgrade.");
+ Ok(input)
+ }
+
+ fn backward(&mut self, input: MigrationData) -> Result {
+ // Check variant from runtime data
+ if let Some(variant_value) = input.data.get("os.variant_id") {
+ if let Some(variant_str) = variant_value.as_str() {
+ if variant_str.starts_with("aws-k8s-") || variant_str.starts_with("vmware-k8s-") {
+ // For k8s variants, remove the settings on downgrade
+ println!("k8s variant detected ({}), removing image-verifier-plugins settings on downgrade", variant_str);
+ return AddPrefixesMigration(vec!["settings.image-verifier-plugins"])
+ .backward(input);
+ } else if variant_str.starts_with("aws-ecs-") {
+ // For ECS variants, no migration needed
+ println!(
+ "ECS variant detected ({}), no migration needed",
+ variant_str
+ );
+ return NoOpMigration.backward(input);
+ }
+ }
+ }
+
+ // Default behavior for unknown variants
+ println!(
+ "Unknown or missing variant, using default behavior (remove settings on downgrade)"
+ );
+ AddPrefixesMigration(vec!["settings.image-verifier-plugins"]).backward(input)
+ }
+}
+
+// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
+// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
+// https://github.com/shepmaster/snafu/issues/110
+fn main() {
+ if let Err(e) = run() {
+ eprintln!("{e}");
+ process::exit(1);
+ }
+}
diff --git a/sources/settings-plugins/aws-k8s/src/lib.rs b/sources/settings-plugins/aws-k8s/src/lib.rs
index 8d7caf1c6cc..933c48c79f0 100644
--- a/sources/settings-plugins/aws-k8s/src/lib.rs
+++ b/sources/settings-plugins/aws-k8s/src/lib.rs
@@ -24,5 +24,6 @@ struct AwsK8sSettings {
 dns: bottlerocket_settings_models::DnsSettingsV1,
 container_runtime: bottlerocket_settings_models::ContainerRuntimeSettingsV1,
 container_runtime_plugins: bottlerocket_settings_models::ContainerRuntimePluginsSettingsV1,
+ image_verifier_plugins: bottlerocket_settings_models::ImageVerifierPluginsSettingsV1,
 autoscaling: bottlerocket_settings_models::AutoScalingSettingsV1,
 }
diff --git a/sources/settings-plugins/vmware-k8s/src/lib.rs b/sources/settings-plugins/vmware-k8s/src/lib.rs
index 5748c552160..e65010bdec4 100644
--- a/sources/settings-plugins/vmware-k8s/src/lib.rs
+++ b/sources/settings-plugins/vmware-k8s/src/lib.rs
@@ -23,4 +23,5 @@ struct VmwareK8sSettings {
 dns: bottlerocket_settings_models::DnsSettingsV1,
 container_runtime: bottlerocket_settings_models::ContainerRuntimeSettingsV1,
 container_runtime_plugins: bottlerocket_settings_models::ContainerRuntimePluginsSettingsV1,
+ image_verifier_plugins: bottlerocket_settings_models::ImageVerifierPluginsSettingsV1,
 }
diff --git a/variants/aws-ecs-3-fips/Cargo.toml b/variants/aws-ecs-3-fips/Cargo.toml
index a57900ec0f9..0594794f697 100644
--- a/variants/aws-ecs-3-fips/Cargo.toml
+++ b/variants/aws-ecs-3-fips/Cargo.toml
@@ -33,7 +33,9 @@ included-packages = [
 # ecs
 "ecs-agent-config",
 "aws-signer-notation-plugin",
+ "digestion-image-verifier",
 "notation-image-verifier",
+ "thar-be-image-verifiers",
 ]
 kernel-parameters = [
 "console=tty0",
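Review bot: The doc comment above `run` says the no-op downgrade path is for ecs-3 variants, but `backward` selects it with `variant_str.starts_with("aws-ecs-")`, which also matches the aws-ecs-2 variant whose settings plugin appears in the workspace members context of this same diff; if that variant does not already carry `settings.image-verifier-plugins`, a downgrade there would leave keys the older model never had. Either tighten the check to `starts_with("aws-ecs-3")` or make the comment say what the code does. The fallback at the end of `backward` strips the settings for anything it cannot classify, including a missing or non-string `os.variant_id`, so a variant that already ships these settings would lose any operator-configured values on that path; the log line should include the raw value it saw and the doc comment should state that removal is the default. The prefix literal is repeated in both removal paths; `const SETTINGS_PREFIX: &str = "settings.image-verifier-plugins";` keeps them in step.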
diff --git a/variants/aws-ecs-3-nvidia-fips/Cargo.toml b/variants/aws-ecs-3-nvidia-fips/Cargo.toml
index 3ac0a435233..a846e78fb17 100644
--- a/variants/aws-ecs-3-nvidia-fips/Cargo.toml
+++ b/variants/aws-ecs-3-nvidia-fips/Cargo.toml
@@ -34,7 +34,9 @@ included-packages = [
 # ecs
 "ecs-agent-nvidia-config",
 "aws-signer-notation-plugin",
+ "digestion-image-verifier",
 "notation-image-verifier",
+ "thar-be-image-verifiers",
 # NVIDIA support
 "ecs-gpu-init",
 "nvidia-container-toolkit-ecs",
diff --git a/variants/aws-ecs-3-nvidia/Cargo.toml b/variants/aws-ecs-3-nvidia/Cargo.toml
index ebca03ef989..55daf85ebb3 100644
--- a/variants/aws-ecs-3-nvidia/Cargo.toml
+++ b/variants/aws-ecs-3-nvidia/Cargo.toml
@@ -33,7 +33,9 @@ included-packages = [
 # ecs
 "ecs-agent-nvidia-config",
 "aws-signer-notation-plugin",
+ "digestion-image-verifier",
 "notation-image-verifier",
+ "thar-be-image-verifiers",
 # NVIDIA support
 "ecs-gpu-init",
 "nvidia-container-toolkit-ecs",
diff --git a/variants/aws-ecs-3/Cargo.toml b/variants/aws-ecs-3/Cargo.toml
index 970ac339fcf..5359202a91e 100644
--- a/variants/aws-ecs-3/Cargo.toml
+++ b/variants/aws-ecs-3/Cargo.toml
@@ -32,7 +32,9 @@ included-packages = [
 # ecs
 "ecs-agent-config",
 "aws-signer-notation-plugin",
+ "digestion-image-verifier",
 "notation-image-verifier",
+ "thar-be-image-verifiers",
 ]
 kernel-parameters = [
 "console=tty0",
diff --git a/variants/aws-k8s-1.33-fips/Cargo.toml b/variants/aws-k8s-1.33-fips/Cargo.toml
index 1afdfc5ea6b..ca2524cd733 100644
--- a/variants/aws-k8s-1.33-fips/Cargo.toml
+++ b/variants/aws-k8s-1.33-fips/Cargo.toml
@@ -31,6 +31,10 @@ included-packages = [
 "kubelet-1.33",
 "aws-iam-authenticator",
 "soci-snapshotter",
+ "aws-signer-notation-plugin",
+ "digestion-image-verifier",
+ "notation-image-verifier",
+ "thar-be-image-verifiers",
 ]
 kernel-parameters = [
 "console=tty0",
diff --git a/variants/aws-k8s-1.33-nvidia-fips/Cargo.toml b/variants/aws-k8s-1.33-nvidia-fips/Cargo.toml
index 516f98be887..2f1fc9be9e0 100644
--- a/variants/aws-k8s-1.33-nvidia-fips/Cargo.toml
+++ b/variants/aws-k8s-1.33-nvidia-fips/Cargo.toml
@@ -34,6 +34,10 @@ included-packages = [
 "kubelet-1.33",
 "aws-iam-authenticator",
 "soci-snapshotter",
+ "aws-signer-notation-plugin",
+ "digestion-image-verifier",
+ "notation-image-verifier",
+ "thar-be-image-verifiers",
 # nvidia
 "nvidia-container-toolkit-k8s",
 "nvidia-k8s-device-plugin",
diff --git a/variants/aws-k8s-1.33-nvidia/Cargo.toml b/variants/aws-k8s-1.33-nvidia/Cargo.toml
index 42606303458..2b8c872c81b 100644
--- a/variants/aws-k8s-1.33-nvidia/Cargo.toml
+++ b/variants/aws-k8s-1.33-nvidia/Cargo.toml
@@ -33,6 +33,10 @@ included-packages = [
 "kubelet-1.33",
 "aws-iam-authenticator",
 "soci-snapshotter",
+ "aws-signer-notation-plugin",
+ "digestion-image-verifier",
+ "notation-image-verifier",
+ "thar-be-image-verifiers",
 # nvidia
 "nvidia-container-toolkit-k8s",
 "nvidia-k8s-device-plugin",
diff --git a/variants/aws-k8s-1.33/Cargo.toml b/variants/aws-k8s-1.33/Cargo.toml
index 73c7e302bce..368c805c277 100644
--- a/variants/aws-k8s-1.33/Cargo.toml
+++ b/variants/aws-k8s-1.33/Cargo.toml
@@ -30,6 +30,10 @@ included-packages = [
 "kubelet-1.33",
 "aws-iam-authenticator",
 "soci-snapshotter",
+ "aws-signer-notation-plugin",
+ "digestion-image-verifier",
+ "notation-image-verifier",
+ "thar-be-image-verifiers",
 ]
 kernel-parameters = [
 "console=tty0",
diff --git a/variants/aws-k8s-1.34-fips/Cargo.toml b/variants/aws-k8s-1.34-fips/Cargo.toml
index 97f459a8249..35ab8440a48 100644
--- a/variants/aws-k8s-1.34-fips/Cargo.toml
+++ b/variants/aws-k8s-1.34-fips/Cargo.toml
@@ -33,6 +33,10 @@ included-packages = [
 "kubelet-1.34",
 "aws-iam-authenticator",
 "soci-snapshotter",
+ "aws-signer-notation-plugin",
+ "digestion-image-verifier",
+ "notation-image-verifier",
+ "thar-be-image-verifiers",
 ]
 kernel-parameters = [
 "console=tty0",
diff --git a/variants/aws-k8s-1.34-nvidia-fips/Cargo.toml b/variants/aws-k8s-1.34-nvidia-fips/Cargo.toml
index 2cb0ab81aee..7e9d8e915bd 100644
--- a/variants/aws-k8s-1.34-nvidia-fips/Cargo.toml
+++ b/variants/aws-k8s-1.34-nvidia-fips/Cargo.toml
@@ -36,6 +36,10 @@ included-packages = [
 "kubelet-1.34",
 "aws-iam-authenticator",
 "soci-snapshotter",
+ "aws-signer-notation-plugin",
+ "digestion-image-verifier",
+ "notation-image-verifier",
+ "thar-be-image-verifiers",
 # nvidia
 "nvidia-container-toolkit-k8s",
 "nvidia-k8s-device-plugin",
diff --git a/variants/aws-k8s-1.34-nvidia/Cargo.toml b/variants/aws-k8s-1.34-nvidia/Cargo.toml
index f7f7ec8fd7e..bb1a6f674ed 100644
--- a/variants/aws-k8s-1.34-nvidia/Cargo.toml
+++ b/variants/aws-k8s-1.34-nvidia/Cargo.toml
@@ -35,6 +35,10 @@ included-packages = [
 "kubelet-1.34",
 "aws-iam-authenticator",
 "soci-snapshotter",
+ "aws-signer-notation-plugin",
+ "digestion-image-verifier",
+ "notation-image-verifier",
+ "thar-be-image-verifiers",
 # nvidia
 "nvidia-container-toolkit-k8s",
 "nvidia-k8s-device-plugin",
diff --git a/variants/aws-k8s-1.34/Cargo.toml b/variants/aws-k8s-1.34/Cargo.toml
index 37979b339f7..2fcff21e56b 100644
--- a/variants/aws-k8s-1.34/Cargo.toml
+++ b/variants/aws-k8s-1.34/Cargo.toml
@@ -32,6 +32,10 @@ included-packages = [
 "kubelet-1.34",
 "aws-iam-authenticator",
 "soci-snapshotter",
+ "aws-signer-notation-plugin",
+ "digestion-image-verifier",
+ "notation-image-verifier",
+ "thar-be-image-verifiers",
 ]
 kernel-parameters = [
 "console=tty0",
diff --git a/variants/aws-k8s-1.35-fips/Cargo.toml b/variants/aws-k8s-1.35-fips/Cargo.toml
index 0d44ad6a433..c875631df34 100644
--- a/variants/aws-k8s-1.35-fips/Cargo.toml
+++ b/variants/aws-k8s-1.35-fips/Cargo.toml
@@ -33,6 +33,10 @@ included-packages = [
 "kubelet-1.35",
 "aws-iam-authenticator",
 "soci-snapshotter",
+ "aws-signer-notation-plugin",
+ "digestion-image-verifier",
+ "notation-image-verifier",
+ "thar-be-image-verifiers",
 ]
 kernel-parameters = [
 "console=tty0",
diff --git a/variants/aws-k8s-1.35-nvidia-fips/Cargo.toml b/variants/aws-k8s-1.35-nvidia-fips/Cargo.toml
index 3d562c52b1e..b3df27abf53 100644
--- a/variants/aws-k8s-1.35-nvidia-fips/Cargo.toml
+++ b/variants/aws-k8s-1.35-nvidia-fips/Cargo.toml
@@ -36,6 +36,10 @@ included-packages = [
 "kubelet-1.35",
 "aws-iam-authenticator",
 "soci-snapshotter",
+ "aws-signer-notation-plugin",
+ "digestion-image-verifier",
+ "notation-image-verifier",
+ "thar-be-image-verifiers",
 # nvidia
 "nvidia-container-toolkit-k8s",
 "nvidia-k8s-device-plugin",
diff --git a/variants/aws-k8s-1.35-nvidia/Cargo.toml b/variants/aws-k8s-1.35-nvidia/Cargo.toml
index 649b039984c..5d39631eaab 100644
--- a/variants/aws-k8s-1.35-nvidia/Cargo.toml
+++ b/variants/aws-k8s-1.35-nvidia/Cargo.toml
@@ -35,6 +35,10 @@ included-packages = [
 "kubelet-1.35",
 "aws-iam-authenticator",
 "soci-snapshotter",
+ "aws-signer-notation-plugin",
+ "digestion-image-verifier",
+ "notation-image-verifier",
+ "thar-be-image-verifiers",
 # nvidia
 "nvidia-container-toolkit-k8s",
 "nvidia-k8s-device-plugin",
diff --git a/variants/aws-k8s-1.35/Cargo.toml b/variants/aws-k8s-1.35/Cargo.toml
index 6aeca102dd8..3e487473104 100644
--- a/variants/aws-k8s-1.35/Cargo.toml
+++ b/variants/aws-k8s-1.35/Cargo.toml
@@ -32,6 +32,10 @@ included-packages = [
 "kubelet-1.35",
 "aws-iam-authenticator",
 "soci-snapshotter",
+ "aws-signer-notation-plugin",
+ "digestion-image-verifier",
+ "notation-image-verifier",
+ "thar-be-image-verifiers",
 ]
 kernel-parameters = [
 "console=tty0",
diff --git a/variants/vmware-k8s-1.33-fips/Cargo.toml b/variants/vmware-k8s-1.33-fips/Cargo.toml
index 7c01ff6f729..657642b5b2e 100644
--- a/variants/vmware-k8s-1.33-fips/Cargo.toml
+++ b/variants/vmware-k8s-1.33-fips/Cargo.toml
@@ -43,6 +43,10 @@ included-packages = [
 "cni-plugins",
 "kubelet-1.33",
 "soci-snapshotter",
+ "aws-signer-notation-plugin",
+ "digestion-image-verifier",
+ "notation-image-verifier",
+ "thar-be-image-verifiers",
 # vmware
 "open-vm-tools",
 ]
diff --git a/variants/vmware-k8s-1.33/Cargo.toml b/variants/vmware-k8s-1.33/Cargo.toml
index 72117974c9f..0ce890c9bc3 100644
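Review bot: `aws-signer-notation-plugin` joins the vmware-k8s-1.33-fips package list here alongside the three verifier packages, yet by its name that plugin validates Notation signatures through AWS Signer, and a vSphere host has no AWS identity unless an operator supplies one (inferred; the plugin's requirements are not visible in this diff). If the shared defaults leave it unconfigured on vmware it is only image weight, and if they enable it verification fails for want of credentials, so the intent is worth recording, e.g. `# aws-signer-notation-plugin needs AWS credentials; inert unless configured` above the entry, or the package should be dropped from the vmware variants. The same addition is repeated in the other vmware-k8s variants below.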
--- a/variants/vmware-k8s-1.33/Cargo.toml
+++ b/variants/vmware-k8s-1.33/Cargo.toml
@@ -42,6 +42,10 @@ included-packages = [
 "cni-plugins",
 "kubelet-1.33",
 "soci-snapshotter",
+ "aws-signer-notation-plugin",
+ "digestion-image-verifier",
+ "notation-image-verifier",
+ "thar-be-image-verifiers",
 # vmware
 "open-vm-tools",
 ]
diff --git a/variants/vmware-k8s-1.34-fips/Cargo.toml b/variants/vmware-k8s-1.34-fips/Cargo.toml
index 067a5513bae..4866b8befe4 100644
--- a/variants/vmware-k8s-1.34-fips/Cargo.toml
+++ b/variants/vmware-k8s-1.34-fips/Cargo.toml
@@ -45,6 +45,10 @@ included-packages = [
 "cni-plugins",
 "kubelet-1.34",
 "soci-snapshotter",
+ "aws-signer-notation-plugin",
+ "digestion-image-verifier",
+ "notation-image-verifier",
+ "thar-be-image-verifiers",
 # vmware
 "open-vm-tools",
 ]
diff --git a/variants/vmware-k8s-1.34/Cargo.toml b/variants/vmware-k8s-1.34/Cargo.toml
index d7f45ee13a5..e7fadc1652b 100644
--- a/variants/vmware-k8s-1.34/Cargo.toml
+++ b/variants/vmware-k8s-1.34/Cargo.toml
@@ -44,6 +44,10 @@ included-packages = [
 "cni-plugins",
 "kubelet-1.34",
 "soci-snapshotter",
+ "aws-signer-notation-plugin",
+ "digestion-image-verifier",
+ "notation-image-verifier",
+ "thar-be-image-verifiers",
 # vmware
 "open-vm-tools",
 ]
diff --git a/variants/vmware-k8s-1.35-fips/Cargo.toml b/variants/vmware-k8s-1.35-fips/Cargo.toml
index 49ced6cd969..11438834c5f 100644
--- a/variants/vmware-k8s-1.35-fips/Cargo.toml
+++ b/variants/vmware-k8s-1.35-fips/Cargo.toml
@@ -45,6 +45,10 @@ included-packages = [
 "cni-plugins",
 "kubelet-1.35",
 "soci-snapshotter",
+ "aws-signer-notation-plugin",
+ "digestion-image-verifier",
+ "notation-image-verifier",
+ "thar-be-image-verifiers",
 # vmware
 "open-vm-tools",
 ]
diff --git a/variants/vmware-k8s-1.35/Cargo.toml b/variants/vmware-k8s-1.35/Cargo.toml
index 1781a89d5fa..916d119f079 100644
--- a/variants/vmware-k8s-1.35/Cargo.toml
+++ b/variants/vmware-k8s-1.35/Cargo.toml
@@ -44,6 +44,10 @@ included-packages = [
 "cni-plugins",
 "kubelet-1.35",
 "soci-snapshotter",
+ "aws-signer-notation-plugin",
+ "digestion-image-verifier",
+ "notation-image-verifier",
+ "thar-be-image-verifiers",
 # vmware
 "open-vm-tools",
 ]