relative accesses: using absolute access types for transferred-by-value artifacts is problematic #1410

@anbrsap

Scenario

  • A K8s cluster runs its own OCI registry.
  • All artifacts of a component version should be made available in that cluster-internal OCI registry (no references to external OCI registries).
  • Consumption of the component version artifacts happens from within the cluster using the cluster-local network only (all external network access is blocked).

The component version is transferred into the cluster-internal registry using port-forwarding:

$ ocm transfer ctf --copy-resources component-1/ http://localhost:9999/local/components

Problem

The artifact consumption from within the cluster fails.

Example using OCM CLI:

$ ocm download resources http://cluster-registry.svc/local/components//example.com/component-1 image--busybox -O busybox.tar.gz
Error: resource image--busybox/v1.36.1: unable to read access: failed to resolve manifest "localhost:9999/local/components/library/busybox@sha256:ec15a5bd53cf9507beb851574654669e778a9735f8e605e0ee3d71fd07debbe1": Head "http://localhost:9999/v2/local/components/library/busybox/manifests/sha256:ec15a5bd53cf9507beb851574654669e778a9735f8e605e0ee3d71fd07debbe1": dial tcp [::1]:9999: connect: connection refused

It tries to get the artifact (image--busybox) using the registry host name + port localhost:9999 that was used when uploading the component version. But this is not valid in the consumer's environment.

The component version descriptor in the registry looks like this:

meta:
  schemaVersion: v2
component:
  componentReferences: []
  creationTime: "2025-04-07T13:01:16Z"
  name: example.com/component-1
  provider: example.com
  repositoryContexts:
  - baseUrl: http://localhost:9999
    componentNameMapping: urlPath
    subPath: local/components
    type: OCIRegistry
  resources:
  - access:
      imageReference: http://localhost:9999/local/components/library/busybox:1.36.1@sha256:ec15a5bd53cf9507beb851574654669e778a9735f8e605e0ee3d71fd07debbe1
      type: ociArtifact
    digest:
      hashAlgorithm: SHA-256
      normalisationAlgorithm: ociArtifactDigest/v1
      value: ec15a5bd53cf9507beb851574654669e778a9735f8e605e0ee3d71fd07debbe1
    name: image--busybox
    relation: external
    type: ociImage
    version: v1.36.1
  sources: []
  version: 0.1.0

component.resources[0].access is an absolute reference, although the artifact is stored with the component descriptor in the same OCM repository.

Proposed Solution

For all artifacts contained in the same OCM repository as the component version descriptor, relative access types should be used (relative to the OCM repo location of the component version descriptor). This avoids storing the URL of the OCM repository, and thus makes the descriptor portable.

Further Information

The described problem arises in all scenarios where the OCM repo URL during uploads of component versions differs from the OCM repo URL used by consumers, for example:

  • Consumers access an OCI repository through a reverse proxy
  • OCI repository content is generically replicated to other instances, which are used by consumers
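
A check for the condition described in this issue, as an added example (not OCM code and not from the issue author): it flags `ociArtifact` resources whose `imageReference` carries the host of a recorded `repositoryContexts` entry or a loopback host. It assumes the descriptor has already been parsed from YAML into Python objects; the function names are hypothetical and the sample is the issue's descriptor, trimmed.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the issue's descriptor, trimmed, as parsed YAML.
DIGEST = "ec15a5bd53cf9507beb851574654669e778a9735f8e605e0ee3d71fd07debbe1"
DESCRIPTOR = {"component": {
    "name": "example.com/component-1",
    "repositoryContexts": [{"baseUrl": "http://localhost:9999",
                            "subPath": "local/components", "type": "OCIRegistry"}],
    "resources": [{
        "name": "image--busybox", "version": "v1.36.1",
        "access": {"type": "ociArtifact", "imageReference":
                   "http://localhost:9999/local/components/library/busybox"
                   ":1.36.1@sha256:" + DIGEST}}],
}}

def authority(ref):
    """Return the lower-cased 'host[:port]' of a URL or image reference."""
    return urlsplit(ref if "://" in ref else "//" + ref).netloc.lower()

def is_loopback(auth):
    """True for localhost and loopback IP literals such as 127.0.0.1 or [::1]."""
    host = urlsplit("//" + auth).hostname or ""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a DNS name, not an IP literal
        return False

def find_nonportable_access(descriptor):
    """List (resource, host, reasons) for absolute refs that will not travel."""
    comp = descriptor["component"]
    upload_hosts = {authority(c["baseUrl"])
                    for c in comp.get("repositoryContexts", []) if c.get("baseUrl")}
    findings = []
    for res in comp.get("resources", []):
        access = res.get("access", {})
        if access.get("type") != "ociArtifact":
            continue  # only the access type shown in the issue is inspected
        auth = authority(access.get("imageReference", ""))
        reasons = [why for hit, why in (
            (auth in upload_hosts, "host of a recorded repositoryContext"),
            (is_loopback(auth), "loopback host")) if hit]
        if reasons:
            findings.append((res["name"], auth, reasons))
    return findings
```

Run against the issue's descriptor, `find_nonportable_access(DESCRIPTOR)` reports `image--busybox` with host `localhost:9999` for both reasons.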
