Feat: Support to accept the response of signing result from RADAS

[yma955]

Let me know if we have other preferred branch rather than main, @ligangty

[coveralls]

Pull Request Test Coverage Report for Build 15177290271

Details

• 52 of 163 (31.9%) changed or added relevant lines in 6 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage decreased (-1.8%) to 64.903%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
charon/cmd/cmd_upload.py	0	1	0.0%
charon/config.py	15	22	68.18%
charon/pkgs/maven.py	5	18	27.78%
charon/pkgs/oras_client.py	10	29	34.48%
charon/pkgs/radas_signature_handler.py	20	91	21.98%

Totals
Change from base Build 15011136224:	-1.8%
Covered Lines:	2036
Relevant Lines:	3137

---

💛 - Coveralls

[ligangty]

These quay specified items should not be set through configuration. they should be specified through cmd flag.

[yma955]

@ligangty, if through cmd flags, might need to transfer the flags values when setup umb client(sign request send) with umb listener register, since this will be used for on_message. But could you help to explain why it needs to be specified through cmd flag?

[ligangty]

This registry is a variable one but not fixed for different product packages. For example, eap will have different registry than quarkus one, and for different qurakus versions, the registry will also have different version tags in quay.

[ligangty]

and for the username and password, maybe we will use another way like registry-config file. See "oras --registry-config" for details.

[yma955]

@ligangty Just for sure, you mean the registry host(https://quay.io/repository/signing/radas) will be changed for different products? This properties are just used for login, it means oras just needs hostname. For tags, it should be used for pull and we could get that from the result_reference url.
So,

1. Maybe we don't need quay_radas_registry, just get the hostname from the result_reference url extracting, CMIMW.
2. For the registry-config file, does it store in any env loc for different products, or still from user cmd input flags?

[ligangty]

Maybe we don't need quay_radas_registry, just get the hostname from the result_reference url extracting, CMIMW.

Agree with this.

For the registry-config file, does it store in any env loc for different products, or still from user cmd input flags?

FWIK now, the registry is a public one which don't need auth. So maybe for first version we will not care auth issue. For the registry-config file, I think it will be a configmap or secret later in openshift managed workspace.

[yma955]

@ligangty So, I just file a quay_radas_registry_config.py and we could enhance more if it needs in future, or just ignore the login part, WDYT?

[ligangty]

Maybe you can directly add them to the RadasConfig class in my new merged PR?

[yma955]

@ligangty Sure, will adjust that.

[ligangty]

What's the difference between the interval and timeout here?

[yma955]

@ligangty timeout_count means the number of retries, interval means the time for per sleep, maybe rename them as 'radas_sign_timeout_retry_count' and 'radas_sign_timeout_retry_interval' would be more explicit.

[ligangty]

Sounds good.

[ligangty]

Is this auth_enabled needed? I think if the user/pass is not provided, it means the auth is not enabled, vice versa.

[yma955]

@ligangty ok, sure.

[ligangty]

@yma96 I think this one is also needed to be passed by cmd flag. The cause is that we should store this in Konflux workspace storage, but the path to this workspace is a variable which is passed by Konflux for each release pipeline run. That means it will always change and we don't know the exact value. So the only way here is give it through flag and then we can specify it through Konflux shell environment.

[yma955]

@ligangty, ok, make sense.

[ligangty]

@yma96 BTW, can I ask this "sign_result_loc" 's purpose? Is it used to store the sign result bundle or extracted signing files?

[yma955]

@ligangty, this's used to store the oras pull result json file from radas quay registry, and let maven-publish could detect this file to handle the following .asc files generation, the final singing files will be generated directly alongside the artifact.

[ligangty]

@yma96 Oh ok. Where will you want to process this file in charon? During the maven uploading phase?
What I want to check here is because the "sign" and the "process" may happen in different command(Should it?), so we need to know how to pass this file between these two command.

[yma955]

@ligangty, this "sign_result_loc" should only be used for "sign"(when message received), oras pulls the files result to this loc and store the files result into the SignHandler:_downloaded_files, and we could use classmethod get_downloaded_files to detect the files result during "process"(when maven upload), since this kind of class method is bound to the class and not the instance of the class, so that could be shared by all instances/clsName call. Through this python feature, we may not need to transfer this value across two commands.

[ligangty]

@yma96 one big issue is "sign" and "maven_upload" are not happend in same time. In later Konflux usage, they are called in different tasks with two command call. That means we could not use any memory way (like you said for the classmethod) to store these files. We should store them into a Konflux reachable storage between different tasks. That's why I proposed to use a flag to pass this file location.

[yma955]

@ligangty Ok, I just think of a flag to detect, not aware of the sign is a dependent task, so the SignHandler status management here should not be workable, and the corresponding process status handling should be adjusted too.

How about environ SIGN_RESULT_LOC for sign_result_loc after sign msg received? For maven upload, could it be able to fetch the env SIGN_RESULT_LOC across different tasks?

Or just open this flag for both of the two tasks, and Konflux could help to transfer that sequentially?

[ligangty]

@yma96 the env var is not shared between two tekton tasks. That's why the task is using the "result"(see https://medium.com/@email2smohanty/passing-values-between-tekton-tasks-using-task-results-9ac89a44b2b9). What I'm thinking here is passing this sign_result_loc into sign command in sign task, and then store it in to task result. Then extract it in the maven upload task by passing it to maven upload command.

[yma955]

@ligangty, make sense, so both of the two tasks would open this loc as the cmd flag IIUC.

[ligangty]

After thinking, we don't need an extra "enable" here, instead we can use "radas_config and radas_config.validate" to decide if radas is enabled.

[yma955]

@ligangty sounds good, already update in the new commit, BTW I've committed code in the different commits with different aspects mentioned in the review, which might be more convenient to check.

[ligangty]

See above.

[ligangty]

we can use "radas_config and radas_config.validate()" to decide if it is enabled.

[ligangty]

Maybe this should not fail the radas config, but just give a warn message and leave this registry_config as None, which means we will consider it as a public registry without authentication.

[yma955]

@ligangty done, 947f23c

[ligangty]

I'm thinking we should add a __is_radas_enabled field here for convenient, which set to self.__radas_config__ and self.__radas_config__.validate(). So then we can use this with a get method is_radas_enabled() for unified way in other place to check if radas is usable.

[ligangty]

so maybe here we can also use not conf.is_radas_enabled()?

[yma955]

@ligangty: da803dd

[ligangty]

Do you think we should add some utests for this method to make sure it works as expectation?

[yma955]

@ligangty Yeah, I want to add the unit test for this feat, sign result parse and generation, etc, might need some mock if more thorough , I could file a unit test JIRA for this, WDYT?

[ligangty]

@yma96 sure ok.

[ligangty]

I don't think we need to wait here, because this this gen_file method should make sure the result_file is ready. If it is not, that means the umblistener already failed with some reasons, which does not retrieve the result correctly.

[yma955]

@ligangty It takes time from sending the sign request to receiving and processing the message, if maven_upload is called immediately or in quite short time, no wait will lead to no sign result.

[ligangty]

@yma96 we need to make sure that the sign command has fixed result, like has this result file downloaded as success state or got some error as failure state. If succeeded then we can proceed the maven upload, vice visa the maven upload will never be triggered. This means all wait control should happen in umb receiver processing but not in maven processing.

[yma955]

@ligangty You mean the sign task should have a state return for the sign result, which could be used to trigger the maven-upload, something like:
- name: maven-upload
when:
- input: "$(tasks.sign-cmd.results.is-signed-proccessed)"
operator: in
values: ["run"]
That might need the listener on_message is handled in a sync way, or I'm afraid sign task would not wait until the on_message is received and process ends.
Generally, proton client register the listener then container.run() automatically and keeps the event loop running until connections close. We may need another container.process() to perform the specific loop, when the sign receiver and process is not done. That is to say, we may need to consider the sign request and sign receive as a whole in the first sign task, CMIMW.

[ligangty]

@yma96

You mean the sign task should have a state return for the sign result, which could be used to trigger the maven-upload, something like:
- name: maven-upload
when:
- input: "$(tasks.sign-cmd.results.is-signed-proccessed)"
operator: in
values: ["run"]

What I mean is similar but we will not bring a new stuff like this is-signed-processed. We just pass the sign_result_loc between task, or failed the sign task if error happened, which will break the whole process.

That might need the listener on_message is handled in a sync way, or I'm afraid sign task would not wait until the on_message is received and process ends.
Generally, proton client register the listener then container.run() automatically and keeps the event loop running until connections close. We may need another container.process() to perform the specific loop, when the sign receiver and process is not done. That is to say, we may need to consider the sign request and sign receive as a whole in the first sign task, CMIMW.

I'm thinking we can use the main thread to control the sync process like what you have done in the maven_upload now, which checks and waits the sign file downloaded or error happened. I really don't want to bring more complexity into the maven process as this complexity is introduced by radas but not maven itself. If possible we'd keep the complexity in radas_sign process itself.

[yma955]

@ligangty IIUC, move this timeout retry part to be closely after the umb send. If yes, I'll move this part out of the maven upload, and I've updated a commit f784b16 to remove the thread usage with on_message process, and the retry part we could move later after the sign send code is there.

[ligangty]

@yma96 Yes. We will have a function like "sign_in_radas()" in main thread which will be called in the cli part. It will be responsible to do the overall controlling of the whole process, like trigger the send and register the receiver, and control the wait and timeout there.

[ligangty]

I've created a PR which construct the skeleton of the sign command here: https://github.com/Commonjava/charon/pull/296/files

[yma955]

@ligangty Sounds good, we could try to migrate this control later. BTW, I've removed that from maven-upload: 83a92f9

[ligangty]

I think we can merge this. If any changes or fixes let's use separate PR later.