12 changes: 0 additions & 12 deletions linter_exclusions.yml
Expand Up @@ -3504,15 +3504,3 @@ neon postgres organization:
neon postgres project:
rule_exclusions:
- require_wait_command_if_no_wait

confcom fragment push:
parameters:
signed_fragment:
rule_exclusions:
- no_positional_parameters

confcom fragment attach:
parameters:
signed_fragment:
rule_exclusions:
- no_positional_parameters
6 changes: 0 additions & 6 deletions src/confcom/HISTORY.rst
Expand Up @@ -3,12 +3,6 @@
Release History
===============

1.5.0
++++++
* restored the behaviour of --upload-fragment in acifragmentgen to attach to first image in input
* added confcom fragment push command to allow explicit uploading of standalone fragments
* added confcom fragment attach command to allow explicit uploading of image attached fragments

1.4.5
++++++
* Drop the dependency on OPA
Expand Down
43 changes: 0 additions & 43 deletions src/confcom/azext_confcom/_help.py
Expand Up @@ -278,46 +278,3 @@
- name: Input a Kubernetes YAML file with a custom containerd socket path
text: az confcom katapolicygen --yaml "./pod.json" --containerd-pull --containerd-socket-path "/my/custom/containerd.sock"
"""

helps[
"confcom fragment"
] = """
type: group
short-summary: Commands to handle Confidential Container Policy Fragments.
"""

helps[
"confcom fragment push"
] = """
type: command
short-summary: Push a Confidential Container Policy Fragment to an ORAS registry

parameters:
- name: --manifest-tag
type: string
short-summary: 'The reference to push the signed fragment to'

examples:
- name: Push a signed fragment to a registry
text: az confcom fragment push ./fragment.reg.cose --manifest-tag myregistry.azurecr.io/fragment:latest
- name: Push the output of acifragmentgen to a registry
text: az confcom acifragmentgen --chain my.cert.pem --key my_key.pem --svn "1" --namespace contoso --feed "test-feed" --input ./fragment_spec.json | az confcom fragment push --manifest-tag myregistry.azurecr.io/fragment:latest
"""

helps[
"confcom fragment attach"
] = """
type: command
short-summary: Attach a Confidential Container Policy Fragment to an image in an ORAS registry.

parameters:
- name: --manifest-tag
type: string
short-summary: 'The reference to attach the signed fragment to'

examples:
- name: Attach a signed fragment to a registry
text: az confcom fragment attach ./fragment.reg.cose --manifest-tag myregistry.azurecr.io/image:latest
- name: Attach the output of acifragmentgen to a registry
text: az confcom acifragmentgen --chain my.cert.pem --key my_key.pem --svn "1" --namespace contoso --feed "test-feed" --input ./fragment_spec.json | az confcom fragment attach --manifest-tag myregistry.azurecr.io/image:latest
"""
35 changes: 0 additions & 35 deletions src/confcom/azext_confcom/_params.py
Expand Up @@ -5,8 +5,6 @@
# pylint: disable=line-too-long

import json
import argparse
import sys
from knack.arguments import CLIArgumentType
from azext_confcom._validators import (
validate_params_file,
Expand Down Expand Up @@ -46,32 +44,6 @@ def load_arguments(self, _):
c.argument("tags", tags_type)
c.argument("confcom_name", confcom_name_type, options_list=["--name", "-n"])

with self.argument_context("confcom fragment attach") as c:
c.positional(
"signed_fragment",
nargs='?',
type=argparse.FileType('rb'),
default=sys.stdin.buffer,
help="Signed fragment to attach",
)
c.argument(
"manifest_tag",
help="Manifest tag for the fragment",
)

with self.argument_context("confcom fragment push") as c:
c.positional(
"signed_fragment",
nargs='?',
type=argparse.FileType('rb'),
default=sys.stdin.buffer,
help="Signed fragment to push",
)
c.argument(
"manifest_tag",
help="Manifest tag for the fragment",
)

with self.argument_context("confcom acipolicygen") as c:
c.argument(
"input_path",
Expand Down Expand Up @@ -390,13 +362,6 @@ def load_arguments(self, _):
type=json.loads,
help='Container definitions to include in the policy'
)
c.argument(
"out_signed_fragment",
action="store_true",
default=False,
required=False,
help="Emit only the signed fragment bytes",
)

with self.argument_context("confcom katapolicygen") as c:
c.argument(
Expand Down
46 changes: 0 additions & 46 deletions src/confcom/azext_confcom/command/fragment_attach.py

This file was deleted.

46 changes: 0 additions & 46 deletions src/confcom/azext_confcom/command/fragment_push.py

This file was deleted.

4 changes: 0 additions & 4 deletions src/confcom/azext_confcom/commands.py
Expand Up @@ -11,9 +11,5 @@ def load_command_table(self, _):
g.custom_command("acifragmentgen", "acifragmentgen_confcom")
g.custom_command("katapolicygen", "katapolicygen_confcom")

with self.command_group("confcom fragment") as g:
g.custom_command("attach", "fragment_attach", is_preview=True)
g.custom_command("push", "fragment_push", is_preview=True)

with self.command_group("confcom"):
pass
52 changes: 6 additions & 46 deletions src/confcom/azext_confcom/custom.py
Expand Up @@ -5,8 +5,7 @@

import os
import sys
import tempfile
from typing import Optional, BinaryIO
from typing import Optional

from azext_confcom import oras_proxy, os_util, security_policy
from azext_confcom._validators import resolve_stdio
Expand All @@ -23,8 +22,6 @@
get_image_name, inject_policy_into_template, inject_policy_into_yaml,
pretty_print_func, print_existing_policy_from_arm_template,
print_existing_policy_from_yaml, print_func, str_to_sha256)
from azext_confcom.command.fragment_attach import fragment_attach as _fragment_attach
from azext_confcom.command.fragment_push import fragment_push as _fragment_push
from knack.log import get_logger
from pkg_resources import parse_version

Expand Down Expand Up @@ -258,7 +255,6 @@ def acifragmentgen_confcom(
upload_fragment: bool = False,
no_print: bool = False,
fragments_json: str = "",
out_signed_fragment: bool = False,
):
if container_definitions is None:
container_definitions = []
Expand Down Expand Up @@ -365,40 +361,24 @@ def acifragmentgen_confcom(

fragment_text = policy.generate_fragment(namespace, svn, output_type, omit_id=omit_id)

if output_type != security_policy.OutputType.DEFAULT and not no_print and not out_signed_fragment:
if output_type != security_policy.OutputType.DEFAULT and not no_print:
print(fragment_text)

# take ".rego" off the end of the filename if it's there, it'll get added back later
output_filename = output_filename.replace(".rego", "")
filename = f"{output_filename or namespace}.rego"

if out_signed_fragment:
filename = os.path.join(tempfile.gettempdir(), filename)

os_util.write_str_to_file(filename, fragment_text)

if key:
cose_proxy = CoseSignToolProxy()
iss = cose_proxy.create_issuer(chain)
out_path = filename + ".cose"

if out_signed_fragment:
out_path = os.path.join(tempfile.gettempdir(), os.path.basename(out_path))

cose_proxy.cose_sign(filename, key, chain, feed, iss, algo, out_path)

# Preserve default behaviour established since version 1.1.0 of attaching
# the fragment to the first image specified in input
# (or --image-target if specified)
if upload_fragment:
oras_proxy.attach_fragment_to_image(
image_name=image_target or policy_images[0].containerImage,
filename=out_path,
)

if out_signed_fragment:
with open(out_path, "rb") as f:
sys.stdout.buffer.write(f.read())
if upload_fragment and image_target:
oras_proxy.attach_fragment_to_image(image_target, out_path)
elif upload_fragment:
oras_proxy.push_fragment_to_registry(feed, out_path)
Comment on lines +378 to +381

Copilot AI Dec 17, 2025


The reverted logic for upload_fragment has changed behavior: it now requires image_target to be explicitly specified to attach a fragment to an image, otherwise it pushes a standalone fragment to the feed. Users who were relying on the 1.5.0 behavior of automatically attaching to the first image in the input may experience unexpected behavior changes. Consider documenting this behavior change in the HISTORY.rst or providing a migration guide for users upgrading from 1.5.0 back to 1.4.5.



def katapolicygen_confcom(
Expand Down Expand Up @@ -532,23 +512,3 @@ def get_fragment_output_type(outraw):
if outraw:
output_type = security_policy.OutputType.RAW
return output_type


def fragment_attach(
signed_fragment: BinaryIO,
manifest_tag: str,
) -> None:
_fragment_attach(
signed_fragment=signed_fragment,
manifest_tag=manifest_tag
)


def fragment_push(
signed_fragment: BinaryIO,
manifest_tag: str,
) -> None:
_fragment_push(
signed_fragment=signed_fragment,
manifest_tag=manifest_tag
)
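Review bot: The restored upload branch at the end of the acifragmentgen_confcom hunk only runs when `key` is truthy (it appears to sit inside the `if key:` block; indentation is not visible on this page), so `--upload-fragment` without `--key` now returns without attaching or pushing anything and without telling the user, and the standalone path `oras_proxy.push_fragment_to_registry(feed, out_path)` is taken whenever `image_target` is unset, which would push to an empty reference if `feed` can be empty at this point. A guard before signing such as `if upload_fragment and not key:` that reports the missing key as an argument error, plus a check that `feed` is non-empty before the push, would turn both cases into explicit failures instead of a silent no-op or a malformed push; the function starts outside the hunk, so I cannot see whether the parameter layer already enforces this. An unchanged line in the same hunk, `output_filename = output_filename.replace(".rego", "")`, strips every `.rego` substring from the name rather than only the suffix the comment describes; `output_filename.removesuffix(".rego")` is the intended operation.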