55from subprocess import run
66from tasks .util .cosign import sign_container_image
77from tasks .util .env import CONF_FILES_DIR , K8S_CONFIG_DIR
8- from tasks .util .guest_components import (
9- start_coco_keyprovider ,
10- stop_coco_keyprovider ,
11- )
128
139# from tasks.util.trustee import create_kbs_secret
1410from tasks .util .versions import SKOPEO_VERSION
@@ -58,7 +54,8 @@ def encrypt_container_image(image_tag, sign=False):
5854 # to encrypt the OCI image. To that extent, we need to mount the encryption
5955 # key somewhere that the attestation agent (in the keyprovider) can find
6056 # it
61- start_coco_keyprovider (SKOPEO_ENCRYPTION_KEY , AA_CTR_ENCRYPTION_KEY )
57+ # TODO: this is part of trustee cluster now
58+ # start_coco_keyprovider(SKOPEO_ENCRYPTION_KEY, AA_CTR_ENCRYPTION_KEY)
6259
6360 encrypted_image_tag = image_tag .split (":" )[0 ] + ":encrypted"
6461 skopeo_cmd = [
@@ -76,9 +73,6 @@ def encrypt_container_image(image_tag, sign=False):
7673 skopeo_cmd = " " .join (skopeo_cmd )
7774 run_skopeo_cmd (skopeo_cmd )
7875
79- # Stop the keyprovider when we are done encrypting layers
80- stop_coco_keyprovider ()
81-
8276 # Sanity check that the image is actually encrypted
8377 inspect_jsonstr = run_skopeo_cmd (
8478 "inspect --cert-dir /certs --authfile /config.json docker://{}" .format (
@@ -93,7 +87,6 @@ def encrypt_container_image(image_tag, sign=False):
9387 ]
9488 if not all (layers ):
9589 print ("Some layers in image {} are not encrypted!" .format (encrypted_image_tag ))
96- stop_coco_keyprovider ()
9790 raise RuntimeError ("Image encryption failed!" )
9891
9992 # Create a secret in KBS with the encryption key. Skopeo needs it as raw
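Review bot: In encrypt_container_image the `start_coco_keyprovider(SKOPEO_ENCRYPTION_KEY, AA_CTR_ENCRYPTION_KEY)` call is left commented out under a TODO instead of being removed, and the comment block above it still says the key has to be mounted where the attestation agent in the keyprovider can find it, which nothing in the visible part of this function does any more. The encryption step now depends on a keyprovider that is started elsewhere (the TODO points at the trustee cluster) and presumably already holds the key, but that precondition is neither stated nor checked here, so a missing or mis-keyed keyprovider surfaces only as a skopeo failure or at the later "not encrypted" check. I would delete the dead line and replace the TODO with a comment such as `# Precondition: the keyprovider in the trustee cluster is running and holds SKOPEO_ENCRYPTION_KEY; this task no longer starts or stops it`. The function body starts and ends outside the visible hunks, so where the key is provisioned now cannot be confirmed from this page.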