Commit 904528b

feat: add OCI 1.1 Referrers API support with configurable distribution and serialization
Signed-off-by: Anitha Natarajan <anataraj@redhat.com>
1 parent 2a68e6a commit 904528b

16 files changed

Lines changed: 1765 additions & 40 deletions

docs/config.md

Lines changed: 5 additions & 0 deletions
@@ -69,6 +69,9 @@ Supported keys include:
6969
| `storage.gcs.bucket` | The GCS bucket for storage | | |
7070
| `storage.oci.repository` | The OCI repo to store OCI signatures and attestation in | If left undefined _and_ one of `artifacts.{oci,taskrun}.storage` includes `oci` storage, attestations will be stored alongside the stored OCI artifact itself. ([example on GCP](../images/attestations-in-artifact-registry.png)) Defining this value results in the OCI bundle stored in the designated location _instead of_ alongside the image. See [cosign documentation](https://github.com/sigstore/cosign#specifying-registry) for additional information. | |
7171
| `storage.oci.repository.insecure` | Whether to use insecure connection when connecting to the OCI repository | `true`, `false` | `false` |
72+
| `storage.oci.distribution-method` | Controls how OCI signatures and attestations are attached to images in the registry. See [OCI Storage Formats](oci-storage-formats.md) for details. | `legacy`, `referrers-api` | `legacy` |
73+
| `storage.oci.serialization-format` | Controls how the cryptographic payload is encoded. `protobuf-bundle` requires `storage.oci.distribution-method: referrers-api`. See [OCI Storage Formats](oci-storage-formats.md) for details. | `dsse`, `protobuf-bundle` | `dsse` |
74+
| `storage.oci.legacy-fallback` | When `storage.oci.distribution-method: referrers-api`, verifies referrer persistence and falls back to legacy tag-based storage if the registry did not persist it. See [OCI Storage Formats](oci-storage-formats.md) for details. | `true`, `false` | `false` |
7275
| `storage.docdb.url` | The go-cloud URI reference to a docstore collection | `firestore://projects/[PROJECT]/databases/(default)/documents/[COLLECTION]?name_field=name` | |
7376
| `storage.docdb.mongo-server-url` (optional) | The value of MONGO_SERVER_URL env var with the MongoDB connection URI | Example: `mongodb://[USER]:[PASSWORD]@[HOST]:[PORT]/[DATABASE]` | |
7477
| `storage.docdb.mongo-server-url-dir` (optional) | The path of the directory that contains the file named MONGO_SERVER_URL that stores the value of MONGO_SERVER_URL env var | If the file `/mnt/mongo-creds-secret/MONGO_SERVER_URL` has the value of MONGO_SERVER_URL, then set `storage.docdb.mongo-server-url-dir: /mnt/mongo-creds-secret` | |
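Review bot: the new `storage.oci.legacy-fallback` row does not say what is written when the fallback fires while `storage.oci.serialization-format` is `protobuf-bundle`, which the row above it states requires `storage.oci.distribution-method: referrers-api`. Please state whether that combination is permitted and, if so, which encoding the legacy tag-based artifact carries, since anyone verifying the image has to know where and in what format to look for the signature or attestation. The `storage.oci.serialization-format` row should also say what happens when `protobuf-bundle` is set together with `distribution-method: legacy` (rejected when the config is loaded, or ignored), so that the documented requirement has a documented failure mode.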
@@ -90,6 +93,8 @@ Supported keys include:
9093
>
9194
> **Recommendation**: Only use `storage.oci.repository.insecure: true` in development or test environments. For production deployments, always use secure HTTPS connections with valid TLS certificates (`storage.oci.repository.insecure: false`, which is the default).
9295
96+
For a full description of each format, registry compatibility, and migration guidance see [OCI Storage Formats](oci-storage-formats.md).
97+
9398
#### docstore
9499

95100
You can read about the go-cloud docstore URI format [here](https://gocloud.dev/howto/docstore/). Tekton Chains supports the following docstore services:
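Review bot: the sentence added at new line 96 refers to "each format" but sits directly after the `storage.oci.repository.insecure` recommendation and immediately before `#### docstore`, so at that point it has no antecedent. Either move it next to the three new `storage.oci.*` table rows, or name the keys it covers, for example "For the `storage.oci.distribution-method` and `storage.oci.serialization-format` values, registry compatibility, and migration guidance, see [OCI Storage Formats](oci-storage-formats.md)." The original wording is also missing the comma before "see".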
