image-copy-{ecr,gcp}: optionally ignore referrers (#238)

If customers aren't familiar with cosign then the sea of
`sha256-abcdef...` tags in the mirror repositories can be confusing and
make it unnecessarily difficult to understand the available tags,
especially if they have no intention of doing anything with the
signatures and attestations.

This change adds a variable (`ignore_referrers`) that disables the
mirroring of signatures and attestations.

I've updated the READMEs to document this variable.

I've also lengthened the timeout on the `image-copy-ecr` Lambda. The
default of 3 seconds is far too short and I was running into timeouts
while testing this change.

Author: ribbybibby

image-copy-ecr/README.md

@@ -12,19 +12,52 @@ The Terraform does everything:
 
 ## Setup
 
+Create a `.tfvars` file.
+
+```
+cat << EOF > iac/terraform.tfvars
+# Required. The name of your Chainguard organization.
+group_name = "your.org"
+
+# Required. The name of the destination repo where images should be copied to.
+# This repository will be created by the terraform and images will be copied to
+# '<dst_repo>/<image_name>'.
+dst_repo = "image-copy"
+
+# Optional. Ignore signatures and attestations. This can help reduce cruft in
+# the mirror repositories if you aren't going to be verifying or using the
+# referrers.
+# ignore_referrers = true
+
+# Optional. Enable immutable tags for the repositories created by the Lambda.
+# If enabled, then the Lambda will append a portion of the digest to the tags
+# it copies. For instance: 'latest-abcdef'
+# immutable_tags = true
+EOF
+```
+
+Login to AWS and Chainguard.
+
 ```sh
 aws sso login --profile my-profile
 chainctl auth login
-terraform init
-terraform apply
 ```
 
-This will prompt for your group name and destination repo, and show you the resources it will create.
+Apply the terraform.
+
+```sh
+cd iac/
+terraform init
+terraform apply -var-file=terraform.tfvars
+```
 
-When the resources are created, any images that are pushed to your group will be mirrored to the ECR repository.
+When the resources are created, any images that are pushed to your group will
+be mirrored to the ECR repository.
 
-The Lambda function has minimal permissions: it's only allowed to push images to the destination repo and its sub-repos.
+The Lambda function has minimal permissions: it's only allowed to push images
+to the destination repo and its sub-repos.
 
-The Chainguard identity also has minimal permissions: it only has permission to pull from the source repo.
+The Chainguard identity also has minimal permissions: it only has permission to
+pull from the source repo.
 
-To tear down resources, run `terraform destroy`.
+To tear down resources, run `terraform destroy -var-file=terraform.tfvars`.

image-copy-ecr/iac/lambda.tf

@@ -107,17 +107,20 @@ resource "aws_lambda_function" "lambda" {
   package_type = "Image"
   image_uri    = ko_build.image.image_ref
 
+  timeout = 300
+
   environment {
     variables = {
-      GROUP_NAME     = var.group_name
-      GROUP          = data.chainguard_group.group.id
-      IDENTITY       = chainguard_identity.aws.id
-      ISSUER_URL     = "https://issuer.enforce.dev"
-      API_ENDPOINT   = "https://console-api.enforce.dev"
-      DST_REPO       = var.dst_repo
-      FULL_DST_REPO  = aws_ecr_repository.repo.repository_url
-      REGION         = data.aws_region.current.name
-      IMMUTABLE_TAGS = var.immutable_tags
+      GROUP_NAME       = var.group_name
+      GROUP            = data.chainguard_group.group.id
+      IDENTITY         = chainguard_identity.aws.id
+      ISSUER_URL       = "https://issuer.enforce.dev"
+      API_ENDPOINT     = "https://console-api.enforce.dev"
+      DST_REPO         = var.dst_repo
+      FULL_DST_REPO    = aws_ecr_repository.repo.repository_url
+      REGION           = data.aws_region.current.name
+      IMMUTABLE_TAGS   = var.immutable_tags
+      IGNORE_REFERRERS = var.ignore_referrers
     }
   }
 }

image-copy-ecr/iac/variables.tf

@@ -13,3 +13,9 @@ variable "immutable_tags" {
   description = "Whether to enable immutable tags."
   default     = false
 }
+
+variable "ignore_referrers" {
+  type        = bool
+  description = "Whether to ignore events for signatures and attestations."
+  default     = false
+}

image-copy-ecr/main.go

@@ -34,15 +34,16 @@ import (
 var amazonKeychain authn.Keychain = authn.NewKeychainFromHelper(ecrcreds.NewECRHelper(ecrcreds.WithLogger(log.Writer())))
 
 var env = struct {
-	APIEndpoint   string `envconfig:"API_ENDPOINT" required:"true"`
-	Issuer        string `envconfig:"ISSUER_URL" required:"true"`
-	GroupName     string `envconfig:"GROUP_NAME" required:"true"`
-	Group         string `envconfig:"GROUP" required:"true"`
-	Identity      string `envconfig:"IDENTITY" required:"true"`
-	Region        string `envconfig:"REGION" required:"true"`
-	DstRepo       string `envconfig:"DST_REPO" required:"true"`
-	FullDstRepo   string `envconfig:"FULL_DST_REPO" required:"true"`
-	ImmutableTags bool   `envconfig:"IMMUTABLE_TAGS" required:"true"`
+	APIEndpoint     string `envconfig:"API_ENDPOINT" required:"true"`
+	Issuer          string `envconfig:"ISSUER_URL" required:"true"`
+	GroupName       string `envconfig:"GROUP_NAME" required:"true"`
+	Group           string `envconfig:"GROUP" required:"true"`
+	Identity        string `envconfig:"IDENTITY" required:"true"`
+	Region          string `envconfig:"REGION" required:"true"`
+	DstRepo         string `envconfig:"DST_REPO" required:"true"`
+	FullDstRepo     string `envconfig:"FULL_DST_REPO" required:"true"`
+	ImmutableTags   bool   `envconfig:"IMMUTABLE_TAGS" required:"true"`
+	IgnoreReferrers bool   `envconfig:"IGNORE_REFERRERS" required:"true"`
 }{}
 
 func init() {
@@ -85,6 +86,7 @@ func handler(ctx context.Context, levent events.LambdaFunctionURLRequest) (resp
 	// - It's a registry push event.
 	// - It's not a push error.
 	// - It's a tag push.
+	// - Optionally, it's not a signature or attestation.
 	if levent.Headers["ce-type"] != registry.PushedEventType {
 		log.Printf("event type is %q, skipping", levent.Headers["ce-type"])
 		return "", nil
@@ -102,6 +104,10 @@ func handler(ctx context.Context, levent events.LambdaFunctionURLRequest) (resp
 		log.Printf("event body is not a tag push, skipping: %q %q", body.Tag, body.Type)
 		return "", nil
 	}
+	if env.IgnoreReferrers && strings.HasPrefix(body.Tag, "sha256-") {
+		log.Printf("tag is a referrer; skipping: %q", body.Tag)
+		return "", nil
+	}
 
 	// Resolve the repository ID to the name
 	repoName, err := resolveRepositoryName(ctx, body.RepoID)

image-copy-gcp/README.md

@@ -34,6 +34,9 @@ module "image-copy" {
 
   # Location of the Artifact Registry repository, and the Cloud Run subscriber.
   # location = "us-central1" (default)
+
+  # Don't copy referrers like signatures and attestations
+  # ignore_referrers = true
 }
 ```
 

image-copy-gcp/iac/main.tf

@@ -91,6 +91,10 @@ resource "google_cloud_run_service" "image-copy" {
           name  = "DST_REPO"
           value = "${var.location}-docker.pkg.dev/${var.project_id}/${google_artifact_registry_repository.dst-repo.name}"
         }
+        env {
+          name  = "IGNORE_REFERRERS"
+          value = var.ignore_referrers
+        }
       }
     }
   }

image-copy-gcp/iac/variables.tf

@@ -28,3 +28,9 @@ variable "dst_repo" {
   type        = string
   description = "The destination repo where images should be copied to."
 }
+
+variable "ignore_referrers" {
+  type        = bool
+  description = "Whether to ignore events for signatures and attestations."
+  default     = false
+}

image-copy-gcp/main.go

@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"log"
 	"net/http"
+	"strings"
 
 	"chainguard.dev/sdk/events"
 	"chainguard.dev/sdk/events/receiver"
@@ -28,13 +29,14 @@ import (
 )
 
 type envConfig struct {
-	APIEndpoint string `envconfig:"API_ENDPOINT" required:"true"`
-	Issuer      string `envconfig:"ISSUER_URL" required:"true"`
-	GroupName   string `envconfig:"GROUP_NAME" required:"true"`
-	Group       string `envconfig:"GROUP" required:"true"`
-	Identity    string `envconfig:"IDENTITY" required:"true"`
-	Port        int    `envconfig:"PORT" default:"8080" required:"true"`
-	DstRepo     string `envconfig:"DST_REPO" required:"true"` // Almost fully qualified at this point, just needs the final component.
+	APIEndpoint     string `envconfig:"API_ENDPOINT" required:"true"`
+	Issuer          string `envconfig:"ISSUER_URL" required:"true"`
+	GroupName       string `envconfig:"GROUP_NAME" required:"true"`
+	Group           string `envconfig:"GROUP" required:"true"`
+	Identity        string `envconfig:"IDENTITY" required:"true"`
+	Port            int    `envconfig:"PORT" default:"8080" required:"true"`
+	DstRepo         string `envconfig:"DST_REPO" required:"true"` // Almost fully qualified at this point, just needs the final component.
+	IgnoreReferrers bool   `envconfig:"IGNORE_REFERRERS" required:"true"`
 }
 
 var location, sa string
@@ -78,6 +80,7 @@ func main() {
 		// Check that the event is one we care about:
 		// - It's not a push error.
 		// - It's a tag push.
+		// - Optionally, it's not a signature or attestation.
 		if body.Error != nil {
 			log.Printf("event body has error, skipping: %+v", body.Error)
 			return nil
@@ -86,6 +89,10 @@ func main() {
 			log.Printf("event body is not a tag push, skipping: %q %q", body.Tag, body.Type)
 			return nil
 		}
+		if env.IgnoreReferrers && strings.HasPrefix(body.Tag, "sha256-") {
+			log.Printf("tag is a referrer; skipping: %q", body.Tag)
+			return nil
+		}
 
 		// Resolve the repository ID to the name
 		repoName, err := resolveRepositoryName(ctx, body.RepoID)