add a voucher_subscriber option #15
Conversation
this new option will allow one to use a GCP pub/sub subscription and automatically
vouch INSERT messages that come in. this works best when used with a subscription that's
subscribed to the default GCR pub/sub topic but will work with any pub/sub subscription that
receives messages of the format:
```json
{
"action":"INSERT",
"digest":"gcr.io/my-project/hello-world@sha256:6ec128e26cd5...",
"tag":"gcr.io/my-project/hello-world:1.1"
}
```
the implementation will:
- re use the existing config file and flags
- add support for pubsub.timeout, pubsub.project, and pubsub.subscription
- push metrics every time a message is received and the total time it takes
to vouch the message
- some basic notion of retries; this can be extended fairly easily!
- re use the logic for how voucher_server handles checks to actually perform
the checks
| ```shell | ||
| $ voucher_subscriber --project my-project --subscription my-subscription | ||
| ``` | ||
|
|
There was a problem hiding this comment.
Maybe useful to add a command on how to create a subscription, e.g.,
gcloud pubsub subscriptions create my-subscription --topic container-analysis-occurrences-v1
|
|
||
| ```json | ||
| { | ||
| "action":"INSERT", |
There was a problem hiding this comment.
question: does this match the message format of Container Analysis topic?
There was a problem hiding this comment.
This matches the format used by GCR, sorry I forgot we were looking at containersnalysis pubsub!
There was a problem hiding this comment.
yeah sorry, I was under the impression we would be using the topic from the GCR topic! however the good thing here is that we can easily add options to listen to various types of default topics that expect different types of payloads; the end logic is the same for all of them as we want to take an image and start vouching it
subscriber/payload.go
Outdated
| } | ||
|
|
||
| if pl.Action != insertAction { | ||
| return nil, errInvalidPayload |
There was a problem hiding this comment.
Customize this error method to specify that insert action is missing?
subscriber/payload.go
Outdated
| // an image without a digest is only tagged; opt to skip this image | ||
| // as the digest version has already been pushed and will be processed soon | ||
| if pl.Digest == "" { | ||
| return nil, errInvalidPayload |
There was a problem hiding this comment.
Customize this error method to specify that digest is missing?
|
so it may be best to leave the refactoring to another PR since the refactor may not be as trivial as it seems; there are import loops that may happen and we'd probably want to split up that 1 edit: here's the issue |
!
this new option will allow one to use a GCP pub/sub subscription and automatically
vouch INSERT messages that come in. this works best when used with a subscription that's
subscribed to the default GCR pub/sub topic but will work with any pub/sub subscription that
receives messages of the format:
{ "action":"INSERT", "digest":"gcr.io/my-project/hello-world@sha256:6ec128e26cd5...", "tag":"gcr.io/my-project/hello-world:1.1" }the implementation will:
to vouch the message
the checks
closes #9