
fix(oci/config): ensure unique OCI image config
This commit ensures that applications pushed to OCI have unique image
config fields for unique Spin application content and metadata by adding
a label in the OCI image config to the content digest (SHA256) of the
Spin locked application file.

This is to address the issue of the Containerd Spin shim serving
outdated content, because all images of Spin apps on a node would have the
same image ID (the content digest of the OCI config object, which was
identical for all Spin apps).

ref spinkube/spin-operator#40

Signed-off-by: Radu Matei <[email protected]>

Co-authored-by: Rajat Jindal <[email protected]>
Co-authored-by: Danielle Lancashire <[email protected]>
Co-authored-by: Michelle Dhanani <[email protected]>
(cherry picked from commit 14cdc42)
radu-matei authored and adamreese committed Mar 7, 2024
1 parent c26e576 commit 6e60d21
Showing 1 changed file with 17 additions and 0 deletions.
17 changes: 17 additions & 0 deletions crates/oci/src/client.rs
@@ -1,5 +1,6 @@
//! Spin's client for distributing applications via OCI registries
use std::collections::HashMap;
use std::path::{Path, PathBuf};

use anyhow::{bail, Context, Result};
Expand Down Expand Up @@ -174,15 +175,31 @@ impl Client {
SPIN_APPLICATION_MEDIA_TYPE.to_string(),
None,
);
let config_layer_digest = locked_config_layer.sha256_digest().clone();
layers.push(locked_config_layer);

let mut labels = HashMap::new();
labels.insert(
"com.fermyon.spin.lockedAppDigest".to_string(),
config_layer_digest,
);
let cfg = oci_distribution::config::Config {
labels: Some(labels),
..Default::default()
};

// Construct empty/default OCI config file. Data may be parsed according to
// the expected config structure per the image spec, so we want to ensure it conforms.
// (See https://github.com/opencontainers/image-spec/blob/main/config.md)
// TODO: Explore adding data applicable to the Spin app being published.
let oci_config_file = ConfigFile {
architecture: oci_distribution::config::Architecture::Wasm,
os: oci_distribution::config::Os::Wasip1,
// We need to ensure that the image config for different content is updated.
// Without referencing the digest of the locked application in the OCI image config,
// all Spin applications would get the same image config digest, resulting in the same
// image ID in container runtimes.
config: Some(cfg),
..Default::default()
};
let oci_config =
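Review bot: The `.clone()` on the new line `let config_layer_digest = locked_config_layer.sha256_digest().clone();` is redundant — `ImageLayer::sha256_digest` in oci-distribution returns an owned `String` (worth confirming against the pinned version), so the clone copies a temporary that is dropped immediately; `let config_layer_digest = locked_config_layer.sha256_digest();` is enough. The label key `"com.fermyon.spin.lockedAppDigest"` is a bare literal that any consumer (e.g. the shim reading the image config) has to match byte-for-byte, so it would be better declared beside `SPIN_APPLICATION_MEDIA_TYPE` as `pub const SPIN_LOCKED_APP_DIGEST_LABEL: &str = "com.fermyon.spin.lockedAppDigest";` and used in the `labels.insert` call, giving one place to keep pusher and readers in sync. The surviving header comment `// Construct empty/default OCI config file.` and its `// TODO: Explore adding data applicable to the Spin app being published.` are now stale, since `config` is populated with the digest label; rewrite the header to say the config file carries the locked-app digest label so that the image config digest, and hence the runtime's image ID, is unique per application content. The enclosing method continues past the hunk (`let oci_config =` is cut off), so I could not check how `oci_config` is serialized downstream.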
